From 79bd6830bcab07c80abc24b0e3b82d6530ae7d57 Mon Sep 17 00:00:00 2001
From: aravindmani-1
Date: Fri, 12 Jul 2024 17:13:52 +0530
Subject: [PATCH 1/7] LDAPS security profile ansible support

---
 plugins/module_utils/network/sonic/argspec/ldap/ldap.py | 1 +
 plugins/module_utils/network/sonic/config/ldap/ldap.py | 5 +++--
 plugins/module_utils/network/sonic/facts/ldap/ldap.py | 1 +
 plugins/modules/sonic_ldap.py | 7 +++++++
 tests/regression/roles/sonic_ldap/defaults/main.yml | 4 ++++
 5 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/plugins/module_utils/network/sonic/argspec/ldap/ldap.py b/plugins/module_utils/network/sonic/argspec/ldap/ldap.py
index 248ae9158..bbce77e3e 100644
--- a/plugins/module_utils/network/sonic/argspec/ldap/ldap.py
+++ b/plugins/module_utils/network/sonic/argspec/ldap/ldap.py
@@ -147,6 +147,7 @@ def __init__(self, **kwargs):
 'type': 'list'
 },
 'source_interface': {'type': 'str'},
+ 'security_profile': {'type': 'str'},
 'ssl': {
 'choices': ['on', 'off', 'start_tls'],
 'type': 'str'
diff --git a/plugins/module_utils/network/sonic/config/ldap/ldap.py b/plugins/module_utils/network/sonic/config/ldap/ldap.py
index 3521a4337..9c3e3f579 100644
--- a/plugins/module_utils/network/sonic/config/ldap/ldap.py
+++ b/plugins/module_utils/network/sonic/config/ldap/ldap.py
@@ -76,7 +76,7 @@ 'nss_base_shadow', 'nss_base_sudoers', 'nss_initgroups_ignoreusers'] ONLY_PAM_ATTRIBUTES = ['pam_filter', 'pam_group_dn', 'pam_login_attribute', 'pam_member_attribute'] -GLOBAL_ATTRIBUTES = COMMON_ATTRIBUTES + ['servers', 'idle_timelimit', 'nss_skipmembers', 'map', 'source_interface', 'scope', 'sudoers_base', +GLOBAL_ATTRIBUTES = COMMON_ATTRIBUTES + ['servers', 'idle_timelimit', 'nss_skipmembers', 'map', 'source_interface', 'security_profile', 'scope', 'sudoers_base', 'sudoers_search_filter', 'vrf'] + ONLY_NSS_ATTRIBUTES + ONLY_PAM_ATTRIBUTES NSS_ATTRIBUTES = COMMON_ATTRIBUTES + ONLY_NSS_ATTRIBUTES + ['idle_timelimit', 'scope'] PAM_ATTRIBUTES = COMMON_ATTRIBUTES + ONLY_PAM_ATTRIBUTES + ['nss_base_passwd', 'scope'] @@ -323,7 +323,6 @@ def _state_replaced_or_overridden(self, want, have): if len(mod_requests) > 0: commands.extend(update_states(add_config, self._module.params['state'])) requests.extend(mod_requests) - return commands, requests def _state_merged(self, want, have): @@ -526,6 +525,7 @@ def get_create_ldap_requests(self, commands): if name == 'global': ATTRIBUTES = { 'vrf': 'vrf-name', + 'security_profile': 'security_profile', 'nss_skipmembers': 'nss-skipmembers' } attribute = attribute or ATTRIBUTES.get(attr) @@ -645,6 +645,7 @@ def get_delete_ldap_requests(self, commands, have, is_delete_all): if name == 'global': ATTRIBUTES = { 'vrf': 'vrf-name', + 'security_profile': 'security_profile', 'nss_skipmembers': 'nss-skipmembers' } attribute = attribute or ATTRIBUTES.get(attr) diff --git a/plugins/module_utils/network/sonic/facts/ldap/ldap.py b/plugins/module_utils/network/sonic/facts/ldap/ldap.py index 98d32ddf6..f61972113 100644 --- a/plugins/module_utils/network/sonic/facts/ldap/ldap.py +++ b/plugins/module_utils/network/sonic/facts/ldap/ldap.py 
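Review bot: The new `'security_profile': 'security_profile'` entry in the `ATTRIBUTES` map of get_create_ldap_requests (and the identical entry in get_delete_ldap_requests, hunk at -645) maps to an underscore-style REST attribute name, while the sibling entries map to hyphenated names (`'vrf': 'vrf-name'`, `'nss_skipmembers': 'nss-skipmembers'`) and the example CLI output added later in this series renders the knob as `security-profile`; please confirm the underscore form against the device's YANG model, because a wrong key here would make both the create and the delete request for this attribute fail silently against the REST API. The same Ansible-to-REST name pair is now duplicated in three places (create, delete, and the facts `ATTRIBUTES` map in facts/ldap/ldap.py), so a single module-level constant for the global-attribute name map would keep the three from drifting apart. Both enclosing functions start and end outside their hunks, so whether anything else in them needs to know about the new attribute cannot be seen from here.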
@@ -183,6 +183,7 @@ def get_ldap(self):
 def get_ldap_global_config(self, ldap_config, servers):
 ATTRIBUTES = {
 "vrf-name": "vrf",
+ "security_profile": "security_profile",
 "nss-skipmembers": "nss_skipmembers"
 }
 global_config, map_config = {}, {}
diff --git a/plugins/modules/sonic_ldap.py b/plugins/modules/sonic_ldap.py
index 7a121e240..5cc29ea13 100644
--- a/plugins/modules/sonic_ldap.py
+++ b/plugins/modules/sonic_ldap.py
@@ -297,6 +297,11 @@
 - Applicable only for global.
 - Full name of the Layer 3 interface, i.e. Eth1/1.
 type: str
+ security_profile:
+ description:
+ - Configure security profile for LDAP.
+ - Applicable only for global.
+ type: str
 ssl:
 description:
 - Configure TLS configuration.
@@ -654,6 +659,7 @@
 config:
 - name: "global"
 source_interface: "Eth1/1"
+ security_profile: "default"
 vrf: "Vrf_1"
 servers:
 - address: "client.com"
@@ -682,6 +688,7 @@
 #ldap-server pam ssl off
 #ldap-server pam scope base
 #ldap-server source-interface Eth1/1
+#ldap-server security-profile default
 #ldap-server vrf Vrf_1
 #ldap-server host client.com
 #ldap-server host host.com use-type sudo_pam
diff --git a/tests/regression/roles/sonic_ldap/defaults/main.yml b/tests/regression/roles/sonic_ldap/defaults/main.yml
index f61bdf491..3b94eca71 100644
--- a/tests/regression/roles/sonic_ldap/defaults/main.yml
+++ b/tests/regression/roles/sonic_ldap/defaults/main.yml
@@ -109,6 +109,7 @@ tests:
 retry: 3
 scope: one
 - name: global
+ security_profile: "default"
 map:
 map_remote_groups_to_sonic_roles:
 - remote_group: "user1"
@@ -120,6 +121,7 @@ tests:
 state: deleted
 input:
 - name: global
+ security_profile: "default"
 vrf: '{{ vrf2 }}'
 map:
 map_remote_groups_to_sonic_roles:
@@ -196,6 +198,7 @@ tests:
 ssl: 'start_tls'
 binddn: "CN=example.com"
 source_interface: "{{ interface5 }}"
+ security_profile: "default"
 map:
 default_attribute:
 - from: "attr1"
@@ -261,6 +264,7 @@ tests:
 state: overridden
 input:
 - name: global
+ security_profile: "default"
 servers:
 - address: 89.0.142.85
 ssl: 'off'
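Review bot: The new `security_profile` option description in the sonic_ldap.py DOCUMENTATION hunk at -297 ("Configure security profile for LDAP.") does not tell the user what the value is or where it comes from, which matters for an option that, going by the series title, selects the TLS trust material used for LDAPS. If the value is the name of a profile that must already be configured on the device, the description should say so, e.g. `- Name of the security profile to apply to LDAP connections.` followed by `- The profile must already exist on the device.`, and should state how it interacts with the `ssl` option (whether it is only meaningful with `ssl` set to `on` or `start_tls`) — that relationship is not visible from the hunk, so confirm it against the platform before wording it. It would also help to say what happens on `deleted` (whether the attribute is simply unset), since the regression tests in main.yml exercise that path with the literal `"default"` but the docs are silent on it. The DOCUMENTATION string starts and ends outside this hunk.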
From 8652d364d95618540187a7cf10425de9173ab888 Mon Sep 17 00:00:00 2001
From: aravindmani-1
Date: Fri, 12 Jul 2024 17:16:47 +0530
Subject: [PATCH 2/7] LDAPS security profile ansible support

---
 changelogs/fragments/413-ldap-security-profile | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 changelogs/fragments/413-ldap-security-profile

diff --git a/changelogs/fragments/413-ldap-security-profile b/changelogs/fragments/413-ldap-security-profile
new file mode 100644
index 000000000..a4359bccf
--- /dev/null
+++ b/changelogs/fragments/413-ldap-security-profile
@@ -0,0 +1,2 @@
+minor_changes:
+ - sonic_ldap - Add support ldap security profile for sonic_ldap module (https://github.com/ansible-collections/dellemc.enterprise_sonic/pull/413).

From 5e560d6b2bf202e40a44b68acc27dbb636e21f4c Mon Sep 17 00:00:00 2001
From: aravindmani-1
Date: Fri, 12 Jul 2024 17:21:07 +0530
Subject: [PATCH 3/7] LDAPS security profile ansible support

---
 changelogs/fragments/414-ldap-security-profile | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 changelogs/fragments/414-ldap-security-profile

diff --git a/changelogs/fragments/414-ldap-security-profile b/changelogs/fragments/414-ldap-security-profile
new file mode 100644
index 000000000..0f39268dd
--- /dev/null
+++ b/changelogs/fragments/414-ldap-security-profile
@@ -0,0 +1,2 @@
+minor_changes:
+ - sonic_ldap - Add support ldap security profile for sonic_ldap module (https://github.com/ansible-collections/dellemc.enterprise_sonic/pull/414).

From 4fe06519a84bc738c0ed86dcb3db17f397334fdd Mon Sep 17 00:00:00 2001
From: aravindmani-1
Date: Fri, 12 Jul 2024 17:21:56 +0530
Subject: [PATCH 4/7] remove fragment

---
 changelogs/fragments/413-ldap-security-profile | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 changelogs/fragments/413-ldap-security-profile

diff --git a/changelogs/fragments/413-ldap-security-profile b/changelogs/fragments/413-ldap-security-profile
deleted file mode 100644
index a4359bccf..000000000
--- a/changelogs/fragments/413-ldap-security-profile
+++ /dev/null
@@ -1,2 +0,0 @@
-minor_changes:
- - sonic_ldap - Add support ldap security profile for sonic_ldap module (https://github.com/ansible-collections/dellemc.enterprise_sonic/pull/413).

From 723ab90e231f5f217327bc1ba5f0efeea6519779 Mon Sep 17 00:00:00 2001
From: aravindmani-1
Date: Fri, 12 Jul 2024 17:27:16 +0530
Subject: [PATCH 5/7] add fragment

---
 changelogs/fragments/414-ldap-security-profile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelogs/fragments/414-ldap-security-profile b/changelogs/fragments/414-ldap-security-profile
index 0f39268dd..d94351f2e 100644
--- a/changelogs/fragments/414-ldap-security-profile
+++ b/changelogs/fragments/414-ldap-security-profile
@@ -1,2 +1,2 @@
 minor_changes:
- - sonic_ldap - Add support ldap security profile for sonic_ldap module (https://github.com/ansible-collections/dellemc.enterprise_sonic/pull/414).
+ - sonic_ldap - Add ldap security profile support for sonic_ldap module (https://github.com/ansible-collections/dellemc.enterprise_sonic/pull/414).

From c78d2442e3a1ca128f2b18dc33b049dff4954d16 Mon Sep 17 00:00:00 2001
From: aravindmani-1
Date: Fri, 12 Jul 2024 17:31:40 +0530
Subject: [PATCH 6/7] add fragment

---
 changelogs/fragments/414-ldap-security-profile | 2 --
 1 file changed, 2 deletions(-)
 delete mode 100644 changelogs/fragments/414-ldap-security-profile

diff --git a/changelogs/fragments/414-ldap-security-profile b/changelogs/fragments/414-ldap-security-profile
deleted file mode 100644
index d94351f2e..000000000
--- a/changelogs/fragments/414-ldap-security-profile
+++ /dev/null
@@ -1,2 +0,0 @@
-minor_changes:
- - sonic_ldap - Add ldap security profile support for sonic_ldap module (https://github.com/ansible-collections/dellemc.enterprise_sonic/pull/414).

From 12ebeff072bd1f1c0b5a5520472d13035939448e Mon Sep 17 00:00:00 2001
From: aravindmani-1
Date: Fri, 12 Jul 2024 17:32:54 +0530
Subject: [PATCH 7/7] add fragment

---
 changelogs/fragments/414-ldap-security-profile.yaml | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 changelogs/fragments/414-ldap-security-profile.yaml

diff --git a/changelogs/fragments/414-ldap-security-profile.yaml b/changelogs/fragments/414-ldap-security-profile.yaml
new file mode 100644
index 000000000..d94351f2e
--- /dev/null
+++ b/changelogs/fragments/414-ldap-security-profile.yaml
@@ -0,0 +1,2 @@
+minor_changes:
+ - sonic_ldap - Add ldap security profile support for sonic_ldap module (https://github.com/ansible-collections/dellemc.enterprise_sonic/pull/414).