ansible-collections / community.windows

Windows community collection for Ansible
https://galaxy.ansible.com/community/windows
GNU General Public License v3.0

lookup('laps_password') doesn't work with new version of laps #527

Closed RandJV closed 5 months ago

RandJV commented 11 months ago
SUMMARY

When connecting to a Windows host, I use the lookup('laps_password') module, which takes the attribute "ms-Mcs-AdmPwd" from LDAP, but in the new version of LAPS the name of the attribute has changed to "msLAPS-Password" in unencrypted form and "msLAPS-EncryptedPassword" in encrypted form. I tried to change the name of the attribute in the laps_password.py script, but it can't get it.

ISSUE TYPE
COMPONENT NAME

lookup('laps_password')

ANSIBLE VERSION
ansible [core 2.13.3]
  config file = /home/user/.ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/venv/lib/python3.9/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/venv/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
ansible.windows                           2.0.0
community.general                         5.1.1
community.windows                         2.0.0
CONFIGURATION
ANSIBLE_NOCOWS(/home/user/.ansible.cfg) = True
DEFAULT_HOST_LIST(/home/user/.ansible.cfg) = ['/home/user/ansible/inventories/hosts.yml']
DEFAULT_REMOTE_USER(/home/user/.ansible.cfg) = user
DEFAULT_VAULT_PASSWORD_FILE(/home/user/.ansible.cfg) = /home/user/.vault_pass
DIFF_ALWAYS(/home/user/.ansible.cfg) = True
DIFF_CONTEXT(/home/user/.ansible.cfg) = 5
HOST_KEY_CHECKING(/home/user/.ansible.cfg) = False
RETRY_FILES_ENABLED(/home/user/.ansible.cfg) = False
OS / ENVIRONMENT

Debian GNU/Linux 11 (bullseye)

STEPS TO REPRODUCE
ansible_connection: winrm
ansible_user: administrator
# The lookup call and the Jinja expression must both be closed, and
# inventory_hostname is passed as a bare variable rather than nested
# inside a second '{{ }}'. The short name 'laps_password' resolves to
# community.windows.laps_password via the built-in redirect.
ansible_password: "{{ lookup('laps_password', inventory_hostname,
  domain='test.com',
  auth='simple',
  scheme='ldaps',
  username='user',
  password='password') }}"
ansible_winrm_server_cert_validation: validate
ansible_winrm_ca_trust_path: /usr/share/ca-certificates/cert.crt

ansible hostname -m win_ping

EXPECTED RESULTS
hostname | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
ACTUAL RESULTS
hostname | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}
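The attribute change described in this issue is the whole problem: legacy LAPS stores a bare clear-text password in ms-Mcs-AdmPwd, while Windows LAPS stores a JSON document in msLAPS-Password (keys n for the managed account name, t for the update time as a hex FILETIME, p for the password) or a DPAPI-NG blob in msLAPS-EncryptedPassword. The following is an added example, not code from community.windows or from the laps_password lookup, showing how a lookup would need to resolve both generations from an LDAP entry, including the expiration attribute. The LDAP entries, passwords and expiry values are constructed inline so it runs offline; the function names are this example's own.

```python
"""Resolve a LAPS-managed local admin password from an LDAP computer entry.

Added example (not part of community.windows). Handles legacy LAPS
(ms-Mcs-AdmPwd) and Windows LAPS (msLAPS-Password JSON), and refuses to
silently fall through when only the encrypted attribute is present.
"""
import json
from datetime import datetime, timedelta, timezone

# Expiration attributes for each generation of LAPS (FILETIME as a decimal string).
LEGACY_EXPIRY = "ms-Mcs-AdmPwdExpirationTime"
NEW_EXPIRY = "msLAPS-PasswordExpirationTime"

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def resolve_laps_password(attrs: dict) -> dict:
    """Return {'username', 'password', 'expires', 'source'} from an LDAP attribute map.

    Preference order mirrors a migration: the new clear-text attribute first,
    then the legacy one. An encrypted-only entry is an error, not a fallback,
    because this code holds no key material to decrypt it.
    """
    if "msLAPS-Password" in attrs:
        # Windows LAPS: JSON string. The account name travels with the password,
        # so do not assume "Administrator" when the managed account was renamed.
        doc = json.loads(attrs["msLAPS-Password"])
        result = {"username": doc["n"], "password": doc["p"], "source": "msLAPS-Password"}
        expiry_attr = NEW_EXPIRY
    elif "ms-Mcs-AdmPwd" in attrs:
        # Legacy LAPS: bare password only. The managed account name is not stored
        # in the directory, so the caller must supply ansible_user itself.
        result = {"username": None, "password": attrs["ms-Mcs-AdmPwd"], "source": "ms-Mcs-AdmPwd"}
        expiry_attr = LEGACY_EXPIRY
    elif "msLAPS-EncryptedPassword" in attrs:
        raise ValueError(
            "only msLAPS-EncryptedPassword is present; the value is a DPAPI-NG blob "
            "and must be decrypted by a principal authorized in the LAPS policy"
        )
    else:
        raise LookupError("no LAPS password attribute on this entry")

    result["expires"] = filetime_to_datetime(attrs[expiry_attr]) if expiry_attr in attrs else None
    return result


def is_expired(info: dict, now=None) -> bool:
    """True when the directory says the password should already have rotated."""
    now = now or datetime.now(timezone.utc)
    return info["expires"] is not None and info["expires"] <= now


# Constructed sample entries (not real directory data).
# 133485408000000000 is the FILETIME for 2024-01-01T00:00:00Z.
NEW_LAPS_ENTRY = {
    "msLAPS-Password": '{"n":"LocalAdmin","t":"1d9a5c8e3f2b1c0","p":"Xy7#pQ9!vL2m"}',
    "msLAPS-PasswordExpirationTime": "133485408000000000",
}
LEGACY_ENTRY = {
    "ms-Mcs-AdmPwd": "Legacy!Pass1",
    "ms-Mcs-AdmPwdExpirationTime": "133485408000000000",
}
ENCRYPTED_ONLY_ENTRY = {"msLAPS-EncryptedPassword": b"\x00\x01\x02\x03"}

if __name__ == "__main__":
    for entry in (NEW_LAPS_ENTRY, LEGACY_ENTRY):
        info = resolve_laps_password(entry)
        state = "expired" if is_expired(info) else "valid"
        print(info["source"], info["username"], info["expires"].isoformat(), state)
```

Two practical consequences follow from the attribute formats: with Windows LAPS the managed account name should come from the n field rather than a hard-coded ansible_user, and an entry that carries only msLAPS-EncryptedPassword cannot be used by a control node that is not authorized to decrypt it, so the lookup should fail loudly instead of handing back an empty string that WinRM then rejects.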
jborean93 commented 11 months ago

While not officially deprecated yet, the LAPS functionality of this lookup has been migrated to the new microsoft.ad.ldap inventory plugin. It supports password lookups for both the legacy and new LAPS. It even supports the encrypted format if an extra library is installed. There are some examples in there that show you how to set the user and password for hosts it retrieves with the inventory plugin.

There are no plans on migrating those changes to the laps_password lookup at this stage; the main reason is around how the lookup plugin will be run on every task, slowing things down.