Hi,
I am trying to remove an attribute from an LDAP entry, in this case the
password that was put in during installation of the slapd package.
Initially I have this:
root@dick-dev1:~# ldapsearch -Q -LLL -Y EXTERNAL -b cn=config olcDatabase={1}mdb
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=geant,dc=org
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=geant,dc=org
olcRootPW: {SSHA}tRU7YUk8WUdcA04ZbYAv1985nUcMrjRZ
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
This LDIF:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcRootPW
can be successfully used with ldapmodify:
root@dick-dev1:~# ldapmodify -Y EXTERNAL -f bar.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
After which the entry looks like this:
root@dick-dev1:~# ldapsearch -Q -LLL -Y EXTERNAL -b cn=config olcDatabase={1}mdb
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=geant,dc=org
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=geant,dc=org
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
I.e., the olcRootPW attribute is now gone. Great.
I want to use ansible to achieve the same thing, but I can't figure out how
to do that.
I can't use ldap_entry because that can only remove entire entries.
According to
https://docs.ansible.com/ansible/latest/collections/community/general/ldap_attrs_module.html,
this is to "Add or remove multiple LDAP attribute values".
That seems like what I need.
But according to
https://docs.ansible.com/ansible/latest/collections/community/general/ldap_attrs_module.html#parameter-attributes :
The attribute(s) and value(s) to add or remove.
That works, but I need to supply both the attribute AND its value.
I cannot seem to remove just the attribute, regardless of its value.
Any idea how to do that? I.e. without adding helper tasks to first check if
the attribute exists, and if so, get its value?
thx :)
thx
Dick
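
An added example, not part of the original message: a playbook that removes olcRootPW whatever its current value, relying on the documented ldap_attrs behaviour that state=exact with an empty value removes all values of the attribute. The inventory group name ldap_servers is an assumption; the DN is the one shown in the post.

```yaml
# Added example (not from the original post).
- name: Remove the rootdn password from the mdb database config
  hosts: ldap_servers            # assumed inventory group name
  become: true                   # run as root so the peercred EXTERNAL bind is authorized
  tasks:
    - name: Delete olcRootPW regardless of its current value
      community.general.ldap_attrs:
        dn: "olcDatabase={1}mdb,cn=config"
        attributes:
          olcRootPW: []          # empty list + state=exact: every value is removed
        state: exact
        server_uri: ldapi:///    # local socket, as with ldapmodify -Y EXTERNAL
        # bind_dn is omitted on purpose: the module then does a SASL EXTERNAL bind

    - name: Read the database entry back
      ansible.builtin.command:
        argv:
          - ldapsearch
          - -Q
          - -LLL
          - -Y
          - EXTERNAL
          - -H
          - ldapi:///
          - -b
          - cn=config
          - olcDatabase={1}mdb
          - olcRootPW
      register: rootpw_check
      changed_when: false

    - name: Fail if a rootdn password hash is still present
      ansible.builtin.assert:
        that:
          - "'olcRootPW:' not in rootpw_check.stdout"
        fail_msg: olcRootPW is still set on olcDatabase={1}mdb,cn=config
```

The first task is idempotent: when olcRootPW is already absent the current and desired value sets are both empty, so it reports no change.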