lookup('laps_password') doesn't work with new version of laps #527

Closed
RandJV opened this issue Jul 24, 2023 · 1 comment

RandJV commented Jul 24, 2023

SUMMARY

When connecting to a Windows host, I use the lookup('laps_password') module, which takes the attribute "ms-Mcs-AdmPwd" from LDAP, but in the new version of LAPS, the name of the attribute has changed to "msLAPS-Password" in unencrypted form and "msLAPS-EncryptedPassword" in encrypted form. I tried to change the name of the attribute in the laps_password.py script, but it can't get it.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

lookup('laps_password')

ANSIBLE VERSION
ansible [core 2.13.3]
  config file = /home/user/.ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/venv/lib/python3.9/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/venv/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
ansible.windows                           2.0.0
community.general                         5.1.1
community.windows                         2.0.0
CONFIGURATION
ANSIBLE_NOCOWS(/home/user/.ansible.cfg) = True
DEFAULT_HOST_LIST(/home/user/.ansible.cfg) = ['/home/user/ansible/inventories/hosts.yml']
DEFAULT_REMOTE_USER(/home/user/.ansible.cfg) = user
DEFAULT_VAULT_PASSWORD_FILE(/home/user/.ansible.cfg) = /home/user/.vault_pass
DIFF_ALWAYS(/home/user/.ansible.cfg) = True
DIFF_CONTEXT(/home/user/.ansible.cfg) = 5
HOST_KEY_CHECKING(/home/user/.ansible.cfg) = False
RETRY_FILES_ENABLED(/home/user/.ansible.cfg) = False
OS / ENVIRONMENT

Debian GNU/Linux 11 (bullseye)

STEPS TO REPRODUCE
ansible_connection: winrm
ansible_user: administrator
ansible_password: "{{ lookup('laps_password', '{{ inventory_hostname }}',
  domain='test.com',
  auth='simple',
  scheme='ldaps',
  username='user',
  password='password') }}"
ansible_winrm_server_cert_validation: validate
ansible_winrm_ca_trust_path: /usr/share/ca-certificates/cert.crt

ansible hostname -m win_ping

EXPECTED RESULTS
hostname | SUCCESS => {
"changed": false,
"ping": "pong"
}
ACTUAL RESULTS
hostname | UNREACHABLE! => {
    "changed": false,
    "msg": "ssl: the specified credentials were rejected by the server",
    "unreachable": true
}

jborean93 (Collaborator) commented Aug 7, 2023

While not officially deprecated yet, the LAPS functionality of this lookup has been migrated to the new microsoft.ad.ldap inventory plugin. It supports password lookups for both the legacy and new LAPS. It even supports the encrypted format if an extra library is installed. There are some examples in there that show you how to set the user and password for hosts it retrieves with the inventory plugin.

There are no plans to migrate those changes to the laps_password lookup at this stage; the main reason is around how the lookup plugin will be run on every task, slowing things down.
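
Windows LAPS stores `msLAPS-Password` as a JSON document (account name `n`, hex FILETIME update time `t`, password `p`) rather than the bare password string that legacy `ms-Mcs-AdmPwd` holds, so the value has to be parsed before it can be used as a credential. The sketch below handles both attributes; it is an added example, not code from laps_password.py or the microsoft.ad collection, and the helper names and sample entries are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

LEGACY_ATTR = "ms-Mcs-AdmPwd"                # legacy LAPS: bare password string
CLEARTEXT_ATTR = "msLAPS-Password"           # Windows LAPS: JSON document
ENCRYPTED_ATTR = "msLAPS-EncryptedPassword"  # Windows LAPS: encrypted blob
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def first_value(entry, name):
    """Return the first value of an LDAP attribute, matching the name case-insensitively."""
    for key, values in entry.items():
        if key.lower() == name.lower() and values:
            return values[0]
    return None


def as_text(value):
    """LDAP libraries usually return bytes; decode them to str."""
    return value.decode("utf-8") if isinstance(value, bytes) else value


def extract_laps_credential(entry, legacy_user="Administrator"):
    """Return (username, password, updated_utc) from an LDAP entry dict (hypothetical helper)."""
    raw = first_value(entry, CLEARTEXT_ATTR)
    if raw is not None:
        doc = json.loads(as_text(raw))
        ticks = int(doc["t"], 16)  # 100 ns intervals since 1601-01-01 UTC
        return doc["n"], doc["p"], FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    raw = first_value(entry, LEGACY_ATTR)
    if raw is not None:
        # Legacy LAPS stores no account name; the caller has to supply it.
        return legacy_user, as_text(raw), None
    if first_value(entry, ENCRYPTED_ATTR) is not None:
        raise ValueError("only the encrypted attribute is set; it must be decrypted first")
    raise LookupError("no LAPS password attribute is readable on this entry")


# Constructed sample entries (not real directory data).
NEW_ENTRY = {"msLAPS-Password": [b'{"n":"Administrator","t":"19db1ded53e8000","p":"constructed-pw"}']}
OLD_ENTRY = {"ms-Mcs-AdmPwd": [b"legacy-constructed-pw"]}

if __name__ == "__main__":
    for sample in (NEW_ENTRY, OLD_ENTRY):
        user, _password, updated = extract_laps_credential(sample)
        print(user, "password updated:", updated)  # never print the password itself
```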
