Closed jborean93 closed 4 months ago
Thank you for contribution!✨
The docsite for this PR is available for download as an artifact from this run: https://github.com/ansible-collections/microsoft.ad/actions/runs/9295601203
You can compare to the docs for the main
branch here:
https://ansible-collections.github.io/microsoft.ad/branch/main
File changes:
A
collections/microsoft/ad/docsite/guide_ad_module_authentication.htmlM
collections/microsoft/ad/computer_module.htmlM
collections/microsoft/ad/docsite/guide_attributes.htmlM
collections/microsoft/ad/docsite/guide_ldap_connection.htmlM
collections/microsoft/ad/docsite/guide_migration.htmlM
collections/microsoft/ad/group_module.htmlM
collections/microsoft/ad/index.htmlM
collections/microsoft/ad/object_module.htmlM
collections/microsoft/ad/ou_module.htmlM
collections/microsoft/ad/user_module.html
The principal objects that the current AD object can trust for delegation to either add, remove or set.
-The values for each sub option must be specified as a distinguished name CN=shenetworks,CN=Users,DC=ansible,DC=test
Each subkey value is a list of values in the form of a distinguishedName
, objectGUID
, objectSid
, sAMAccountName
, or userPrincipalName
string or a dictionary with the name and optional server key.
This is the value set on the msDS-AllowedToActOnBehalfOfOtherIdentity
LDAP attribute.
This is a highly sensitive attribute as it allows the principals specified to impersonate any account when authenticating with the AD computer object being managed.
To clear all principals, use set with an empty list.
+See DN Lookup Attributes for more information on how DN lookups work.
See Setting list option values for more information on how to add/remove/set list options.
The AD objects by their DistinguishedName
to add as a principal allowed to delegate.
Adds the principals specified as principals allowed to delegate to.
Any existing principals not specified by add will be untouched unless specified by remove or not in set.
The AD objects by their DistinguishedName
to remove as a principal allowed to delegate.
Any existing pricipals not specified by remove will be untouched unless set is defined.
+Control the action to take when the lookup fails to find the DN.
+fail
will cause the task to fail.
ignore
will ignore the value and continue.
warn
will ignore the value and display a warning.
Choices:
+"fail"
← (default)
"ignore"
"warn"
Removes the principals specified as principals allowed to delegate to.
+Any existing pricipals not specified by remove will be untouched unless set is defined.
+The AD objects by their DistinguishedName
to set as the only principals allowed to delegate.
Sets the principals specified as principals allowed to delegate to.
This will remove any existing principals if not specified in this list.
Specify an empty list to remove all principals allowed to delegate.
Specifies the credentials that should be used when using the server specified by name.
+To specify credentials for the default domain server, use an entry without the name key or use the domain_username and domain_password option.
+This can be set under the play’s module defaults under the group/microsoft.ad.domain
group.
See AD authentication in modules for more information.
+Default: []
The name of the server these credentials are for.
+This value should correspond to the value used in other options that specify a custom server to use, for example an option that references an AD identity located on a different AD server.
+This key can be omitted in one entry to specify the default credentials to use when a server is not specified instead of using domain_username and domain_password.
+The password to use when connecting to the server specified by name.
+The username to use when connecting to the server specified by name.
+The password for domain_username.
+The domain_credentials sub entry without a name key can also be used to specify the credentials for the default domain authentication.
This can be set under the play’s module defaults under the group/microsoft.ad.domain
group.
Specified the Active Directory Domain Services instance to connect to.
Can be in the form of an FQDN or NetBIOS name.
If not specified then the value is based on the default domain of the computer running PowerShell.
+Custom credentials can be specified under a domain_credentials entry without a name key or through domain_username and domain_password.
This can be set under the play’s module defaults under the group/microsoft.ad.domain
group.
The username to use when interacting with AD.
If this is not set then the user that is used for authentication will be the connection user.
Ansible will be unable to use the connection user unless auth is Kerberos with credential delegation or CredSSP, or become is used on the task.
+The domain_credentials sub entry without a name key can also be used to specify the credentials for the default domain authentication.
This can be set under the play’s module defaults under the group/microsoft.ad.domain
group.
CN={{ name }},{{ path }}
. If path is not defined, the defaultNamingContext
is used instead.
The user or group that manages the object.
-The value can be in the form of a distinguishedName
, objectGUID
, objectSid
, or sAMAccountName).
The value can be in the form of a distinguishedName
, objectGUID
, objectSid
, sAMAccountName
, or userPrincipalName
string or a dictionary with the name and optional server key.
This is the value set on the managedBy
LDAP attribute.
See DN Lookup Attributes for more information on how DN lookups work.
spn
aliases: spns
@@ -474,7 +530,7 @@ see Setting list option values for more information on how to add/remove/set list options.The SPNs to add to servicePrincipalName
.
The SPNs to remove from servicePrincipalName
.
set
list / elements=string
@@ -500,7 +556,7 @@ seeSome attributes in Active Directory are stored as a Distinguished Name (DN
) value that references another AD object. Some modules expose a way to lookup the DN using a more human friendly value, such as managed_by
. These option values must either be a string or a dictionary with the key name
and optional key server
. The string value or the value of name
is the identity to lookup while server
is the domain server to lookup the identity on. The lookup identity value can be specified as a distinguishedName
, objectGUID
, objectSid
, sAMAccountName
, or userPrincipalName
. The below is an example of how to lookup a DN using the sAMAccountName
using a string value or in the dictionary form:
- name: Find managed_by using string value
+ microsoft.ad.group:
+ name: My Group
+ scope: global
+ managed_by: Domain Admins
+
+- name: Find managed_by using dictionary value with a server
+ microsoft.ad.group:
+ name: My Group
+ scope: global
+ managed_by:
+ name: Domain Admins
+ server: OtherDC
+
There are also module options that can set a list of DN values for an attribute. The list values for these options are the same as the single value attributes where each DN lookup is set as a string or a dictionary with the name
and optional server
key.
- name: Specify a list of DNs to set
+ microsoft.ad.computer:
+ identity: TheComputer
+ delegates:
+ set:
+ - FileShare
+ - name: ServerA
+ server: OtherDC
+
For list attributes with the add/remove/set
subkey options, the lookup_failure_action
option can also be set to fail
(default), ignore
, or warn
. The fail
option will fail the task if any of the lookups fail, ignore
will ignore any invalid lookups, and warn
will emit a warning but still continue on a lookup failure.
- name: Specify a list of DNs to set - ignoring lookup failures
+ microsoft.ad.computer:
+ identity: TheComputer
+ delegates:
+ lookup_failure_action: ignore
+ set:
+ - FileShare
+ - MissingUser
+
When a server
key is provided, the lookup will be done using the server value specified. It is possible to also provide explicit credentials just for that server using the domain_credentials
option.
- name: Set member with lookup on different server
+ microsoft.ad.group:
+ name: MyGroup
+ state: present
+ members:
+ add:
+ - GroupOnDefaultDC
+ - name: GroupOnDefaultDC2
+ - name: GroupOnOtherDC
+ server: OtherDC
+ domain_credentials:
+ - username: UserForDefaultDC
+ password: PasswordForDefaultDC
+ - name: OtherDC
+ username: UserForOtherDC
+ password: PasswordForOtherDC
+
In the above, the GroupOnOtherDC
will be done with OtherDC
with the username UserForOtherDC
.
The documentation for the module option will identify if the option supports the lookup behaviour or whether a DN value must be explicitly provided.
+
SUMMARY
Add a way to specify a custom server to lookup an AD identity on when using module options that accept a list of identities for an attribute. For example the microsoft.ad.group members option.
Also adds the domain_credentials option that is common to add AD based modules to specify credentials for the extra AD servers being contacted in case the default credentials do not work.
I need to find a good way to add a test for this, will most likely come under the tests done outside of CI as it will require multiple DC servers.
Fixes: https://github.com/ansible-collections/microsoft.ad/issues/56 Fixes: https://github.com/ansible-collections/microsoft.ad/issues/104
ISSUE TYPE
COMPONENT NAME
microsoft.ad.*