W3cubDocs

/Ansible

community.general.ldap_passwd module – Set passwords in LDAP

Note

This module is part of the community.general collection (version 10.7.3).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.general.ldap_passwd.

Synopsis
Requirements
Parameters
Attributes
Notes
Examples
Return Values

Synopsis

Set a password for an LDAP entry. This module only asserts that a given password is valid for a given entry. To assert the existence of an entry, see community.general.ldap_entry.

Requirements

The below requirements are needed on the host that executes this module.

python-ldap

Parameters

Parameter	Comments
bind_dn string	A DN to bind with. Try to use a SASL bind with the EXTERNAL mechanism as default when this parameter is omitted. Use an anonymous bind if the parameter is blank.
bind_pw string	The password to use with `bind_dn`. Default: `""`
ca_path path added in community.general 6.5.0	Set the path to PEM file with CA certs.
client_cert path added in community.general 7.1.0	PEM formatted certificate chain file to be used for SSL client authentication. Required if `client_key` is defined.
client_key path added in community.general 7.1.0	PEM formatted file that contains your private key to be used for SSL client authentication. Required if `client_cert` is defined.
dn string / required	The DN of the entry to add or remove.
passwd string	The (plaintext) password to be set for `dn`.
referrals_chasing string added in community.general 2.0.0	Set the referrals chasing behavior. `anonymous` follow referrals anonymously. This is the default behavior. `disabled` disable referrals chasing. This sets `OPT_REFERRALS` to off. Choices: `"disabled"` `"anonymous"` ← (default)
sasl_class string added in community.general 2.0.0	The class to use for SASL authentication. Choices: `"external"` ← (default) `"gssapi"`
server_uri string	The `server_uri` parameter may be a comma- or whitespace-separated list of URIs containing only the schema, the host, and the port fields. The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location. Note that when using multiple URIs you cannot determine to which URI your client gets connected. For URIs containing additional fields, particularly when using commas, behavior is undefined. Default: `"ldapi:///"`
start_tls boolean	Use the START_TLS LDAP extension if set to `true`. Choices: `false` ← (default) `true`
validate_certs boolean	If set to `false`, SSL certificates will not be validated. This should only be used on sites using self-signed certificates. Choices: `false` `true` ← (default)
xorder_discovery string added in community.general 6.4.0	Set the behavior on how to process Xordered DNs. `enable` will perform a `ONELEVEL` search below the superior RDN to find the matching DN. `disable` will always use the DN unmodified (as passed by the `dn` parameter). `auto` will only perform a search if the first RDN does not contain an index number (`{x}`). Choices: `"enable"` `"auto"` ← (default) `"disable"`

Attributes

Attribute	Support	Description
check_mode	Support: full	Can run in `check_mode` and return changed status prediction without modifying target.
diff_mode	Support: none	Will return details on what has changed (or possibly needs changing in `check_mode`), when in diff mode.

Notes

Note

The default authentication settings will attempt to use a SASL EXTERNAL bind over a UNIX domain socket. This works well with the default Ubuntu install for example, which includes a cn=peercred,cn=external,cn=auth ACL rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in bind_dn and bind_pw.

Examples

- name: Set a password for the admin user
  community.general.ldap_passwd:
    dn: cn=admin,dc=example,dc=com
    passwd: "{{ vault_secret }}"

- name: Setting passwords in bulk
  community.general.ldap_passwd:
    dn: "{{ item.key }}"
    passwd: "{{ item.value }}"
  with_dict:
    alice: alice123123
    bob: "|30b!"
    admin: "{{ vault_secret }}"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
modlist list / elements=string	List of modified parameters. Returned: success Sample: `[[2, "olcRootDN", ["cn=root,dc=example,dc=com"]]]`

Authors

Keller Fuchs (@KellerFuchs)

Collection links

© 2012–2018 Michael DeHaan
© 2018–2025 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/general/ldap_passwd_module.html