laps_password – Retrieves the LAPS password for a server
New in version 2.8.
Synopsis
- This lookup returns the LAPS password set for a server from the Active Directory database.
- See https://github.com/jborean93/ansible-lookup-laps_password for more information around installing pre-requisites and testing.
Requirements
The requirements below are needed on the local node that executes this lookup (the Ansible controller, not the managed host, since lookups run locally).
- python-ldap
Parameters
Notes
- If a host was found but had no LAPS password attribute ms-Mcs-AdmPwd, the lookup will fail.
- Due to the sensitive nature of the data travelling across the network, it is highly recommended to run with either auth=gssapi, scheme=ldaps, or start_tls=yes.
- Failing to run with one of the above settings results in both the bind account credentials and the LAPS password being sent in plaintext.
- Some scenarios may not work when running on a host with an older OpenLDAP install, such as macOS. It is recommended to install the latest OpenLDAP version and build python-ldap against it; see https://keathmilligan.net/python-ldap-and-macos/ for more information.
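As an added example that is not the laps_password plugin's own code, the following python-ldap client shows what the notes above amount to in practice: the URI built from the domain value, the transport check (GSSAPI, LDAPS or StartTLS before any bind is attempted), CA-validated TLS, an escaped filter for the computer object's sAMAccountName, and the failure when the host exists but carries no readable ms-Mcs-AdmPwd. The function names, the LDAP filter, and the use of the RootDSE defaultNamingContext as the default search base are this example's assumptions about how LAPS and the lookup behave, not taken from the page; the search result in the comments is constructed.

```python
# Added example (not the laps_password plugin's own code): a python-ldap client that
# retrieves ms-Mcs-AdmPwd with the transport rules from the notes above. The filter,
# the RootDSE default search base and all function names are this example's assumptions.
from dataclasses import dataclass
from typing import Any, List, Optional, Tuple

LAPS_ATTR = "ms-Mcs-AdmPwd"  # attribute the LAPS client writes on the computer object


@dataclass
class LdapSettings:
    domain: str                 # DC host name or full LDAP URI, like the lookup's domain=
    auth: str = "gssapi"        # "gssapi" (Kerberos ticket from kinit) or "simple"
    scheme: str = "ldap"        # "ldap" or "ldaps"; ignored when domain is a full URI
    start_tls: bool = False
    ca_cert: Optional[str] = None
    username: Optional[str] = None
    password: Optional[str] = None


def build_uri(s: LdapSettings) -> str:
    """A full ldap://... or ldaps://... value is used as given; a bare host gets the scheme's default port."""
    if "://" in s.domain:
        return s.domain
    return f"{s.scheme}://{s.domain}:{636 if s.scheme == 'ldaps' else 389}"


def transport_is_protected(s: LdapSettings) -> bool:
    """The notes' rule: only GSSAPI (Kerberos-sealed session), LDAPS or StartTLS keep the bind
    credentials and the returned password out of clear text on the wire."""
    return s.auth == "gssapi" or build_uri(s).startswith("ldaps://") or s.start_tls


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, backslash first, so a crafted host name cannot change the query."""
    for raw, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        value = value.replace(raw, esc)
    return value


def computer_filter(hostname: str) -> str:
    """Computer accounts carry a trailing '$' on sAMAccountName."""
    return f"(&(objectClass=computer)(sAMAccountName={escape_filter_value(hostname.rstrip('$'))}$))"


def extract_password(results: List[Tuple[Optional[str], Any]], hostname: str) -> str:
    """Interpret a search_s() result. Referral entries (dn None) are skipped; no entry, several entries,
    or an entry without ms-Mcs-AdmPwd (missing, or unreadable by the bind account) are all failures.
    A constructed result looks like:
      [(None, ["ldap://ForestDnsZones.ansible.com/DC=ForestDnsZones,DC=ansible,DC=com"]),
       ("CN=SQL10,OU=Databases,DC=ansible,DC=com", {"ms-Mcs-AdmPwd": [b"q7%Vk2pL;x9T"]})]"""
    entries = [(dn, attrs) for dn, attrs in results if dn is not None]
    if len(entries) != 1:
        raise LookupError(f"{len(entries)} computer objects matched {hostname}, expected exactly 1")
    dn, attrs = entries[0]
    values = attrs.get(LAPS_ATTR) or []
    if not values:
        raise LookupError(f"{dn} has no readable {LAPS_ATTR} value")
    return values[0].decode("utf-8")


def fetch_laps_password(hostname: str, s: LdapSettings, search_base: Optional[str] = None) -> str:
    """Connect, bind and search; refuses to bind at all when the transport would leak credentials."""
    if not transport_is_protected(s):
        raise RuntimeError("simple bind over plain ldap://: credentials and password would be sent in clear text")
    import ldap        # python-ldap; imported here so the pure helpers above are usable without it
    import ldap.sasl
    conn = ldap.initialize(build_uri(s))
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_REFERRALS, 0)           # do not chase AD referrals (and re-send the bind) blindly
    if s.ca_cert:
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, s.ca_cert)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)  # fail on an unverified server cert
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)        # apply the TLS options to this connection
    if s.start_tls:
        conn.start_tls_s()                           # upgrade ldap:// before any credential is sent
    if s.auth == "gssapi":
        conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    else:
        conn.simple_bind_s(s.username, s.password)
    try:
        if search_base is None:                      # default to the domain's naming context from RootDSE
            rootdse = conn.search_s("", ldap.SCOPE_BASE, "(objectClass=*)", ["defaultNamingContext"])
            search_base = rootdse[0][1]["defaultNamingContext"][0].decode("utf-8")
        results = conn.search_s(search_base, ldap.SCOPE_SUBTREE, computer_filter(hostname), [LAPS_ATTR])
    finally:
        conn.unbind_s()
    return extract_password(results, hostname)
```

The transport check runs before python-ldap is even imported, so a playbook author can see the refusal without a domain controller; with a Kerberos ticket from kinit, `fetch_laps_password("sql10", LdapSettings(domain="dc01.ansible.com"), "OU=Databases,DC=ansible,DC=com")` performs the same query the lookup's search_base example describes.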
Examples
# This isn't mandatory but it is a way to call kinit from within Ansible before calling the lookup
- name: call kinit to retrieve Kerberos token
  expect:
    command: kinit username@ANSIBLE.COM
    responses:
      (?i)password: SecretPass1
  no_log: True
- name: Get the LAPS password using Kerberos auth, relies on kinit already being called
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'SERVER', domain='dc01.ansible.com') }}"
- name: Specify the domain host using an explicit LDAP URI
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'SERVER', domain='ldap://ansible.com:389') }}"
- name: Use Simple auth over LDAPS
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'server',
                                 domain='dc01.ansible.com',
                                 auth='simple',
                                 scheme='ldaps',
                                 username='username@ANSIBLE.COM',
                                 password='SuperSecret123') }}"
- name: Use Simple auth with LDAP and StartTLS
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'app01',
                                 domain='dc01.ansible.com',
                                 auth='simple',
                                 start_tls=True,
                                 username='username@ANSIBLE.COM',
                                 password='SuperSecret123') }}"
- name: Narrow down the search base to an OU
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'sql10',
                                 domain='dc01.ansible.com',
                                 search_base='OU=Databases,DC=ansible,DC=com') }}"
- name: Set certificate file to use when validating the TLS certificate
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'windows-pc',
                                 domain='dc01.ansible.com',
                                 start_tls=True,
                                 ca_cert='/usr/local/share/certs/ad.pem') }}"
Return Values
Common return values are documented here, the following are the fields unique to this lookup:
| Key | Returned | Description |
|---|---|---|
| _raw (string) | | The LAPS password(s) for the host(s) requested. |
Status
- This lookup is not guaranteed to have a backwards compatible interface. [preview]
- This lookup is maintained by the Ansible Community. [community]
Authors
- Jordan Borean (@jborean93)
