Add identity server lookup #117

Merged
merged 2 commits into from
May 30, 2024

@jborean93 jborean93 commented May 27, 2024

SUMMARY

Add a way to specify a custom server to look up an AD identity on when using module options that accept a list of identities for an attribute. For example, the microsoft.ad.group members option.

Also adds the domain_credentials option that is common to add AD based modules to specify credentials for the extra AD servers being contacted in case the default credentials do not work.

I need to find a good way to add a test for this, will most likely come under the tests done outside of CI as it will require multiple DC servers.

Fixes: #56
Fixes: #104

ISSUE TYPE
  • Feature Pull Request
COMPONENT NAME

microsoft.ad.*
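
How the options documented in this PR's docs diff fit together, as an added example that is not taken from the PR or the collection's documentation. Host names, account names and the `vault_*` variables are hypothetical.

```yaml
# Added illustration: host names, accounts and vault variables are hypothetical.
- name: Manage delegation with a principal that lives on another AD server
  hosts: windows_mgmt            # hypothetical inventory group
  gather_facts: false
  module_defaults:
    group/microsoft.ad.domain:
      domain_credentials:
        # Entry without "name": credentials for the default domain server.
        - username: "{{ vault_default_ad_user }}"
          password: "{{ vault_default_ad_pass }}"
        # "name" corresponds to the "server" value used in the lookup below.
        - name: dc01.child.example.test
          username: "{{ vault_child_ad_user }}"
          password: "{{ vault_child_ad_pass }}"
  tasks:
    - name: Set the only principals allowed to delegate to APP01
      microsoft.ad.computer:
        name: APP01
        delegates:
          # Stop the task if a principal cannot be resolved instead of
          # continuing without it ("ignore" and "warn" skip the value).
          lookup_failure_action: fail
          set:
            # Plain string: looked up on the default domain server.
            - CN=svc-web,CN=Users,DC=example,DC=test
            # Dictionary form: looked up on the named server.
            - name: svc-report@child.example.test
              server: dc01.child.example.test
```

Keeping the passwords in vaulted variables avoids placing them in the play itself.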


github-actions bot commented May 27, 2024

Docs Build 📝

Thank you for contribution!✨

The docsite for this PR is available for download as an artifact from this run:
https://github.com/ansible-collections/microsoft.ad/actions/runs/9295601203

You can compare to the docs for the main branch here:
https://ansible-collections.github.io/microsoft.ad/branch/main

File changes:

  • A collections/microsoft/ad/docsite/guide_ad_module_authentication.html
  • M collections/microsoft/ad/computer_module.html
  • M collections/microsoft/ad/docsite/guide_attributes.html
  • M collections/microsoft/ad/docsite/guide_ldap_connection.html
  • M collections/microsoft/ad/docsite/guide_migration.html
  • M collections/microsoft/ad/group_module.html
  • M collections/microsoft/ad/index.html
  • M collections/microsoft/ad/object_module.html
  • M collections/microsoft/ad/ou_module.html
  • M collections/microsoft/ad/user_module.html

NOTE: only file modifications are shown here. New and deleted files are excluded.
See the file list and check the published docs to see those files.

The diff output was truncated because it exceeded the maximum size.

diff --git a/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/base/collections/microsoft/ad/computer_module.html b/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/head/collections/microsoft/ad/computer_module.html
index df9668e..afde04b 100644
--- a/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/base/collections/microsoft/ad/computer_module.html
+++ b/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/head/collections/microsoft/ad/computer_module.html
@@ -232,42 +232,60 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <p class="ansible-option-type-line"><span class="ansible-option-type">dictionary</span></p>
 </div></td>
 <td><div class="ansible-option-cell"><p>The principal objects that the current AD object can trust for delegation to either add, remove or set.</p>
-<p>The values for each sub option must be specified as a distinguished name <code class="docutils literal notranslate"><span class="pre">CN=shenetworks,CN=Users,DC=ansible,DC=test</span></code></p>
+<p>Each subkey value is a list of values in the form of a <code class="docutils literal notranslate"><span class="pre">distinguishedName</span></code>, <code class="docutils literal notranslate"><span class="pre">objectGUID</span></code>, <code class="docutils literal notranslate"><span class="pre">objectSid</span></code>, <code class="docutils literal notranslate"><span class="pre">sAMAccountName</span></code>, or <code class="docutils literal notranslate"><span class="pre">userPrincipalName</span></code> string or a dictionary with the <em>name</em> and optional <em>server</em> key.</p>
 <p>This is the value set on the <code class="docutils literal notranslate"><span class="pre">msDS-AllowedToActOnBehalfOfOtherIdentity</span></code> LDAP attribute.</p>
 <p>This is a highly sensitive attribute as it allows the principals specified to impersonate any account when authenticating with the AD computer object being managed.</p>
 <p>To clear all principals, use <em>set</em> with an empty list.</p>
+<p>See <a class="reference internal" href="docsite/guide_attributes.html#ansible-collections-microsoft-ad-docsite-guide-attributes-dn-lookup-attributes"><span class="std std-ref">DN Lookup Attributes</span></a> for more information on how DN lookups work.</p>
 <p>See <a class="reference internal" href="docsite/guide_list_values.html#ansible-collections-microsoft-ad-docsite-guide-list-values"><span class="std std-ref">Setting list option values</span></a> for more information on how to add/remove/set list options.</p>
 </div></td>
 </tr>
 <tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-delegates/add"></div>
 <div class="ansibleOptionAnchor" id="parameter-principals_allowed_to_delegate/add"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-principals-allowed-to-delegate-add"><span id="ansible-collections-microsoft-ad-computer-module-parameter-delegates-add"></span><strong>add</strong></p>
-<a class="ansibleOptionLink" href="#parameter-delegates/add" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=string</span></p>
+<a class="ansibleOptionLink" href="#parameter-delegates/add" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=any</span></p>
 </div></td>
-<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The AD objects by their <code class="docutils literal notranslate"><span class="pre">DistinguishedName</span></code> to add as a principal allowed to delegate.</p>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>Adds the principals specified as principals allowed to delegate to.</p>
 <p>Any existing principals not specified by <em>add</em> will be untouched unless specified by <em>remove</em> or not in <em>set</em>.</p>
 </div></td>
 </tr>
 <tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
-<div class="ansibleOptionAnchor" id="parameter-delegates/remove"></div>
-<div class="ansibleOptionAnchor" id="parameter-principals_allowed_to_delegate/remove"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-principals-allowed-to-delegate-remove"><span id="ansible-collections-microsoft-ad-computer-module-parameter-delegates-remove"></span><strong>remove</strong></p>
-<a class="ansibleOptionLink" href="#parameter-delegates/remove" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=string</span></p>
+<div class="ansibleOptionAnchor" id="parameter-delegates/lookup_failure_action"></div>
+<div class="ansibleOptionAnchor" id="parameter-principals_allowed_to_delegate/lookup_failure_action"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-principals-allowed-to-delegate-lookup-failure-action"><span id="ansible-collections-microsoft-ad-computer-module-parameter-delegates-lookup-failure-action"></span><strong>lookup_failure_action</strong></p>
+<a class="ansibleOptionLink" href="#parameter-delegates/lookup_failure_action" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
-<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The AD objects by their <code class="docutils literal notranslate"><span class="pre">DistinguishedName</span></code> to remove as a principal allowed to delegate.</p>
-<p>Any existing pricipals not specified by <em>remove</em> will be untouched unless <em>set</em> is defined.</p>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>Control the action to take when the lookup fails to find the DN.</p>
+<p><code class="docutils literal notranslate"><span class="pre">fail</span></code> will cause the task to fail.</p>
+<p><code class="docutils literal notranslate"><span class="pre">ignore</span></code> will ignore the value and continue.</p>
+<p><code class="docutils literal notranslate"><span class="pre">warn</span></code> will ignore the value and display a warning.</p>
+<p class="ansible-option-line"><strong class="ansible-option-choices">Choices:</strong></p>
+<ul class="simple">
+<li><p><code class="ansible-option-default-bold docutils literal notranslate"><strong><span class="pre">&quot;fail&quot;</span></strong></code> <span class="ansible-option-choices-default-mark">← (default)</span></p></li>
+<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">&quot;ignore&quot;</span></code></p></li>
+<li><p><code class="ansible-option-choices-entry docutils literal notranslate"><span class="pre">&quot;warn&quot;</span></code></p></li>
+</ul>
 </div></td>
 </tr>
 <tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="parameter-delegates/remove"></div>
+<div class="ansibleOptionAnchor" id="parameter-principals_allowed_to_delegate/remove"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-principals-allowed-to-delegate-remove"><span id="ansible-collections-microsoft-ad-computer-module-parameter-delegates-remove"></span><strong>remove</strong></p>
+<a class="ansibleOptionLink" href="#parameter-delegates/remove" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=any</span></p>
+</div></td>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>Removes the principals specified as principals allowed to delegate to.</p>
+<p>Any existing pricipals not specified by <em>remove</em> will be untouched unless <em>set</em> is defined.</p>
+</div></td>
+</tr>
+<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-delegates/set"></div>
 <div class="ansibleOptionAnchor" id="parameter-principals_allowed_to_delegate/set"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-principals-allowed-to-delegate-set"><span id="ansible-collections-microsoft-ad-computer-module-parameter-delegates-set"></span><strong>set</strong></p>
-<a class="ansibleOptionLink" href="#parameter-delegates/set" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=string</span></p>
+<a class="ansibleOptionLink" href="#parameter-delegates/set" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=any</span></p>
 </div></td>
-<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The AD objects by their <code class="docutils literal notranslate"><span class="pre">DistinguishedName</span></code> to set as the only principals allowed to delegate.</p>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>Sets the principals specified as principals allowed to delegate to.</p>
 <p>This will remove any existing principals if not specified in this list.</p>
 <p>Specify an empty list to remove all principals allowed to delegate.</p>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-description"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-description"><strong>description</strong></p>
 <a class="ansibleOptionLink" href="#parameter-description" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
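Review bot: the new `lookup_failure_action` description does not say what `ignore` and `warn` mean when the failed value sits under `set`. The `set` text states it "will remove any existing principals if not specified in this list", and `ignore`/`warn` "will ignore the value", so the docs should state whether an unresolved name under `set` results in that principal being removed from `msDS-AllowedToActOnBehalfOfOtherIdentity`, which the parent option calls a highly sensitive attribute. A sentence on that outcome, and on why `fail` is the default, would help. Separately, the relocated `remove` description still reads "Any existing pricipals"; since the line is being re-added, correct it to "principals" in the module's documentation source.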
@@ -275,7 +293,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <p>This is the value set on the <code class="docutils literal notranslate"><span class="pre">description</span></code> LDAP attribute.</p>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-display_name"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-display-name"><strong>display_name</strong></p>
 <a class="ansibleOptionLink" href="#parameter-display_name" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
@@ -283,7 +301,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <p>This is the value of the <code class="docutils literal notranslate"><span class="pre">displayName</span></code> LDAP attribute.</p>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-dns_hostname"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-dns-hostname"><strong>dns_hostname</strong></p>
 <a class="ansibleOptionLink" href="#parameter-dns_hostname" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
@@ -291,35 +309,72 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <p>This is the value set on the <code class="docutils literal notranslate"><span class="pre">dNSHostName</span></code> LDAP attribute.</p>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="parameter-domain_credentials"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-domain-credentials"><strong>domain_credentials</strong></p>
+<a class="ansibleOptionLink" href="#parameter-domain_credentials" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=dictionary</span></p>
+</div></td>
+<td><div class="ansible-option-cell"><p>Specifies the credentials that should be used when using the server specified by <em>name</em>.</p>
+<p>To specify credentials for the default domain server, use an entry without the <em>name</em> key or use the <em>domain_username</em> and <em>domain_password</em> option.</p>
+<p>This can be set under the <a class="reference external" href="https://docs.ansible.com/ansible/devel/playbook_guide/playbooks_module_defaults.html#module-defaults-groups" title="(in Ansible vdevel)"><span class="xref std std-ref">play’s module defaults</span></a> under the <code class="docutils literal notranslate"><span class="pre">group/microsoft.ad.domain</span></code> group.</p>
+<p>See <a class="reference internal" href="docsite/guide_ad_module_authentication.html#ansible-collections-microsoft-ad-docsite-guide-ad-module-authentication"><span class="std std-ref">AD authentication in modules</span></a> for more information.</p>
+<p class="ansible-option-line"><strong class="ansible-option-default-bold">Default:</strong> <code class="ansible-option-default docutils literal notranslate"><span class="pre">[]</span></code></p>
+</div></td>
+</tr>
+<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="parameter-domain_credentials/name"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-domain-credentials-name"><strong>name</strong></p>
+<a class="ansibleOptionLink" href="#parameter-domain_credentials/name" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
+</div></td>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The name of the server these credentials are for.</p>
+<p>This value should correspond to the value used in other options that specify a custom server to use, for example an option that references an AD identity located on a different AD server.</p>
+<p>This key can be omitted in one entry to specify the default credentials to use when a server is not specified instead of using <em>domain_username</em> and <em>domain_password</em>.</p>
+</div></td>
+</tr>
+<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="parameter-domain_credentials/password"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-domain-credentials-password"><strong>password</strong></p>
+<a class="ansibleOptionLink" href="#parameter-domain_credentials/password" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span> / <span class="ansible-option-required">required</span></p>
+</div></td>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The password to use when connecting to the server specified by <em>name</em>.</p>
+</div></td>
+</tr>
+<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<div class="ansibleOptionAnchor" id="parameter-domain_credentials/username"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-domain-credentials-username"><strong>username</strong></p>
+<a class="ansibleOptionLink" href="#parameter-domain_credentials/username" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span> / <span class="ansible-option-required">required</span></p>
+</div></td>
+<td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The username to use when connecting to the server specified by <em>name</em>.</p>
+</div></td>
+</tr>
+<tr class="row-even"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-domain_password"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-domain-password"><strong>domain_password</strong></p>
 <a class="ansibleOptionLink" href="#parameter-domain_password" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
 <td><div class="ansible-option-cell"><p>The password for <em>domain_username</em>.</p>
+<p>The <em>domain_credentials</em> sub entry without a <em>name</em> key can also be used to specify the credentials for the default domain authentication.</p>
 <p>This can be set under the <a class="reference external" href="https://docs.ansible.com/ansible/devel/playbook_guide/playbooks_module_defaults.html#module-defaults-groups" title="(in Ansible vdevel)"><span class="xref std std-ref">play’s module defaults</span></a> under the <code class="docutils literal notranslate"><span class="pre">group/microsoft.ad.domain</span></code> group.</p>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-domain_server"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-domain-server"><strong>domain_server</strong></p>
 <a class="ansibleOptionLink" href="#parameter-domain_server" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
 <td><div class="ansible-option-cell"><p>Specified the Active Directory Domain Services instance to connect to.</p>
 <p>Can be in the form of an FQDN or NetBIOS name.</p>
 <p>If not specified then the value is based on the default domain of the computer running PowerShell.</p>
+<p>Custom credentials can be specified under a <em>domain_credentials</em> entry without a <em>name</em> key or through <em>domain_username</em> and <em>domain_password</em>.</p>
 <p>This can be set under the <a class="reference external" href="https://docs.ansible.com/ansible/devel/playbook_guide/playbooks_module_defaults.html#module-defaults-groups" title="(in Ansible vdevel)"><span class="xref std std-ref">play’s module defaults</span></a> under the <code class="docutils literal notranslate"><span class="pre">group/microsoft.ad.domain</span></code> group.</p>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-domain_username"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-domain-username"><strong>domain_username</strong></p>
 <a class="ansibleOptionLink" href="#parameter-domain_username" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
 <td><div class="ansible-option-cell"><p>The username to use when interacting with AD.</p>
 <p>If this is not set then the user that is used for authentication will be the connection user.</p>
 <p>Ansible will be unable to use the connection user unless auth is Kerberos with credential delegation or CredSSP, or become is used on the task.</p>
+<p>The <em>domain_credentials</em> sub entry without a <em>name</em> key can also be used to specify the credentials for the default domain authentication.</p>
 <p>This can be set under the <a class="reference external" href="https://docs.ansible.com/ansible/devel/playbook_guide/playbooks_module_defaults.html#module-defaults-groups" title="(in Ansible vdevel)"><span class="xref std std-ref">play’s module defaults</span></a> under the <code class="docutils literal notranslate"><span class="pre">group/microsoft.ad.domain</span></code> group.</p>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-enabled"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-enabled"><strong>enabled</strong></p>
 <a class="ansibleOptionLink" href="#parameter-enabled" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
 </div></td>
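Review bot: the `domain_credentials` text leaves precedence and matching undefined. The `name` suboption says the key "can be omitted in one entry" to supply default credentials "instead of using domain_username and domain_password", but nothing states what happens when both an unnamed entry and `domain_username`/`domain_password` are given, or when more than one entry omits `name`; please document whether that is an error or which one wins. The `name` description also says the value "should correspond to" the server used in other options without saying how it is compared, while `domain_server` accepts either an FQDN or a NetBIOS name; state whether the match is exact and which credentials are used when no entry matches. The top-level description refers to "the server specified by name" before `name` has been introduced, so "the server named by the entry's name key" would read more clearly. The `password` suboption would also benefit from a note that the value is treated as a secret, if that is the case in the argument spec.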
@@ -332,7 +387,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 </ul>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-identity"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-identity"><strong>identity</strong></p>
 <a class="ansibleOptionLink" href="#parameter-identity" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
@@ -342,7 +397,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <p>If omitted, the AD object to manage is selected by the <code class="docutils literal notranslate"><span class="pre">distinguishedName</span></code> using the format <code class="docutils literal notranslate"><span class="pre">CN={{</span> <span class="pre">name</span> <span class="pre">}},{{</span> <span class="pre">path</span> <span class="pre">}}</span></code>. If <em>path</em> is not defined, the <code class="docutils literal notranslate"><span class="pre">defaultNamingContext</span></code> is used instead.</p>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-kerberos_encryption_types"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-kerberos-encryption-types"><strong>kerberos_encryption_types</strong></p>
 <a class="ansibleOptionLink" href="#parameter-kerberos_encryption_types" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">dictionary</span></p>
 </div></td>
@@ -353,7 +408,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <p>See <a class="reference internal" href="docsite/guide_list_values.html#ansible-collections-microsoft-ad-docsite-guide-list-values"><span class="std std-ref">Setting list option values</span></a> for more information on how to add/remove/set list options.</p>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-kerberos_encryption_types/add"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-kerberos-encryption-types-add"><strong>add</strong></p>
 <a class="ansibleOptionLink" href="#parameter-kerberos_encryption_types/add" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=string</span></p>
 </div></td>
@@ -368,7 +423,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 </ul>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-kerberos_encryption_types/remove"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-kerberos-encryption-types-remove"><strong>remove</strong></p>
 <a class="ansibleOptionLink" href="#parameter-kerberos_encryption_types/remove" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=string</span></p>
 </div></td>
@@ -383,7 +438,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 </ul>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-kerberos_encryption_types/set"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-kerberos-encryption-types-set"><strong>set</strong></p>
 <a class="ansibleOptionLink" href="#parameter-kerberos_encryption_types/set" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=string</span></p>
 </div></td>
@@ -399,7 +454,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 </ul>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-location"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-location"><strong>location</strong></p>
 <a class="ansibleOptionLink" href="#parameter-location" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
@@ -407,16 +462,17 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <p>This is the value set on the <code class="docutils literal notranslate"><span class="pre">location</span></code> LDAP attribute.</p>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-managed_by"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-managed-by"><strong>managed_by</strong></p>
-<a class="ansibleOptionLink" href="#parameter-managed_by" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
+<a class="ansibleOptionLink" href="#parameter-managed_by" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">any</span></p>
 </div></td>
 <td><div class="ansible-option-cell"><p>The user or group that manages the object.</p>
-<p>The value can be in the form of a <code class="docutils literal notranslate"><span class="pre">distinguishedName</span></code>, <code class="docutils literal notranslate"><span class="pre">objectGUID</span></code>, <code class="docutils literal notranslate"><span class="pre">objectSid</span></code>, or sAMAccountName).</p>
+<p>The value can be in the form of a <code class="docutils literal notranslate"><span class="pre">distinguishedName</span></code>, <code class="docutils literal notranslate"><span class="pre">objectGUID</span></code>, <code class="docutils literal notranslate"><span class="pre">objectSid</span></code>, <code class="docutils literal notranslate"><span class="pre">sAMAccountName</span></code>, or <code class="docutils literal notranslate"><span class="pre">userPrincipalName</span></code> string or a dictionary with the <em>name</em> and optional <em>server</em> key.</p>
 <p>This is the value set on the <code class="docutils literal notranslate"><span class="pre">managedBy</span></code> LDAP attribute.</p>
+<p>See <a class="reference internal" href="docsite/guide_attributes.html#ansible-collections-microsoft-ad-docsite-guide-attributes-dn-lookup-attributes"><span class="std std-ref">DN Lookup Attributes</span></a> for more information on how DN lookups work.</p>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-name"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-name"><strong>name</strong></p>
 <a class="ansibleOptionLink" href="#parameter-name" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
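Review bot: `managed_by` moves from `string` to `any` and gains the dictionary form, but this hunk documents no failure behaviour for it, unlike `principals_allowed_to_delegate`, which gets `lookup_failure_action` in the same change. Please state in this option's description what happens when the lookup finds no object or more than one, and which shapes are rejected now that the type is `any` (for example a dictionary without `name`, or a list). A short inline example of the dictionary form with `name` and `server` would save readers a trip to the DN Lookup Attributes guide.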
@@ -425,7 +481,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <p>This must be specified if <em>identity</em> is not set.</p>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-path"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-path"><strong>path</strong></p>
 <a class="ansibleOptionLink" href="#parameter-path" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
@@ -436,7 +492,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <p>This can be set to the literal value <code class="docutils literal notranslate"><span class="pre">microsoft.ad.default_path</span></code> which will equal the default value used when creating a new object.</p>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-protect_from_deletion"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-protect-from-deletion"><strong>protect_from_deletion</strong></p>
 <a class="ansibleOptionLink" href="#parameter-protect_from_deletion" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
 </div></td>
@@ -450,7 +506,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 </ul>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-sam_account_name"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-sam-account-name"><strong>sam_account_name</strong></p>
 <a class="ansibleOptionLink" href="#parameter-sam_account_name" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
@@ -462,7 +518,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <p>If <code class="docutils literal notranslate"><span class="pre">$</span></code> is omitted, it will be added to the end.</p>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-spn"></div>
 <div class="ansibleOptionAnchor" id="parameter-spns"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-spns"><span id="ansible-collections-microsoft-ad-computer-module-parameter-spn"></span><strong>spn</strong></p>
 <a class="ansibleOptionLink" href="#parameter-spn" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-aliases">aliases: spns</span></p>
@@ -474,7 +530,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <p>See <a class="reference internal" href="docsite/guide_list_values.html#ansible-collections-microsoft-ad-docsite-guide-list-values"><span class="std std-ref">Setting list option values</span></a> for more information on how to add/remove/set list options.</p>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-spn/add"></div>
 <div class="ansibleOptionAnchor" id="parameter-spns/add"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-spns-add"><span id="ansible-collections-microsoft-ad-computer-module-parameter-spn-add"></span><strong>add</strong></p>
 <a class="ansibleOptionLink" href="#parameter-spn/add" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=string</span></p>
@@ -482,7 +538,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The SPNs to add to <code class="docutils literal notranslate"><span class="pre">servicePrincipalName</span></code>.</p>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-spn/remove"></div>
 <div class="ansibleOptionAnchor" id="parameter-spns/remove"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-spns-remove"><span id="ansible-collections-microsoft-ad-computer-module-parameter-spn-remove"></span><strong>remove</strong></p>
 <a class="ansibleOptionLink" href="#parameter-spn/remove" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=string</span></p>
@@ -490,7 +546,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <td><div class="ansible-option-indent-desc"></div><div class="ansible-option-cell"><p>The SPNs to remove from <code class="docutils literal notranslate"><span class="pre">servicePrincipalName</span></code>.</p>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-indent"></div><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-spn/set"></div>
 <div class="ansibleOptionAnchor" id="parameter-spns/set"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-spns-set"><span id="ansible-collections-microsoft-ad-computer-module-parameter-spn-set"></span><strong>set</strong></p>
 <a class="ansibleOptionLink" href="#parameter-spn/set" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">list</span> / <span class="ansible-option-elements">elements=string</span></p>
@@ -500,7 +556,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <p>Set to an empty list to clear all SPNs on the AD object.</p>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-state"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-state"><strong>state</strong></p>
 <a class="ansibleOptionLink" href="#parameter-state" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
@@ -515,7 +571,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 </ul>
 </div></td>
 </tr>
-<tr class="row-odd"><td><div class="ansible-option-cell">
+<tr class="row-even"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-trusted_for_delegation"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-trusted-for-delegation"><strong>trusted_for_delegation</strong></p>
 <a class="ansibleOptionLink" href="#parameter-trusted_for_delegation" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">boolean</span></p>
 </div></td>
@@ -529,7 +585,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 </ul>
 </div></td>
 </tr>
-<tr class="row-even"><td><div class="ansible-option-cell">
+<tr class="row-odd"><td><div class="ansible-option-cell">
 <div class="ansibleOptionAnchor" id="parameter-upn"></div><p class="ansible-option-title" id="ansible-collections-microsoft-ad-computer-module-parameter-upn"><strong>upn</strong></p>
 <a class="ansibleOptionLink" href="#parameter-upn" title="Permalink to this option"></a><p class="ansible-option-type-line"><span class="ansible-option-type">string</span></p>
 </div></td>
@@ -658,7 +714,7 @@ see <a class="reference internal" href="#ansible-collections-microsoft-ad-comput
 <span class="w">    </span><span class="nt">delegates</span><span class="p">:</span>
 <span class="w">      </span><span class="nt">set</span><span class="p">:</span>
 <span class="w">        </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">CN=FileShare,OU=Computers,DC=domain,DC=test</span>
-<span class="w">        </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">CN=DC,OU=Domain Controllers,DC=domain,DC=test</span>
+<span class="w">        </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OtherServer$</span><span class="w">  </span><span class="c1"># Lookup by sAMAaccountName</span>
 </pre></div>
 </div>
 </section>
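Review bot: The comment on the added delegates entry misspells the attribute as "sAMAaccountName"; it should read sAMAccountName, matching the spelling used in the option descriptions. Since this list now also accepts the dictionary form, consider adding an entry with name and server here so the module's own examples show the new lookup.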
diff --git a/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/base/collections/microsoft/ad/docsite/guide_attributes.html b/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/head/collections/microsoft/ad/docsite/guide_attributes.html
index 665f3f1..7d38890 100644
--- a/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/base/collections/microsoft/ad/docsite/guide_attributes.html
+++ b/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/head/collections/microsoft/ad/docsite/guide_attributes.html
@@ -24,7 +24,7 @@
     <script src="../../../../_static/js/theme.js"></script>
     <link rel="search" title="Search" href="../../../../search.html" />
     <link rel="next" title="LDAP Connection guide" href="guide_ldap_connection.html" />
-    <link rel="prev" title="Microsoft.Ad" href="../index.html" /><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
+    <link rel="prev" title="AD Authentication in Modules" href="guide_ad_module_authentication.html" /><!-- extra head elements for Ansible beyond RTD Sphinx Theme -->
 
 
 
@@ -138,6 +138,7 @@
 <li><p><a class="reference internal" href="#ldap-attributes" id="id1">LDAP Attributes</a></p></li>
 <li><p><a class="reference internal" href="#setting-attributes" id="id2">Setting Attributes</a></p></li>
 <li><p><a class="reference internal" href="#attribute-types" id="id3">Attribute Types</a></p></li>
+<li><p><a class="reference internal" href="#dn-lookup-attributes" id="id4">DN Lookup Attributes</a></p></li>
 </ul>
 </nav>
 <section id="ldap-attributes">
@@ -405,6 +406,68 @@ The common types are:</p>
 </div>
 </section>
 </section>
+<section id="dn-lookup-attributes">
+<span id="ansible-collections-microsoft-ad-docsite-guide-attributes-dn-lookup-attributes"></span><h2><a class="toc-backref" href="#id4" role="doc-backlink">DN Lookup Attributes</a><a class="headerlink" href="#dn-lookup-attributes" title="Link to this heading"></a></h2>
+<p>Some attributes in Active Directory are stored as a Distinguished Name (<code class="docutils literal notranslate"><span class="pre">DN</span></code>) value that references another AD object. Some modules expose a way to lookup the DN using a more human friendly value, such as <code class="docutils literal notranslate"><span class="pre">managed_by</span></code>. These option values must either be a string or a dictionary with the key <code class="docutils literal notranslate"><span class="pre">name</span></code> and optional key <code class="docutils literal notranslate"><span class="pre">server</span></code>. The string value or the value of <code class="docutils literal notranslate"><span class="pre">name</span></code> is the identity to lookup while <code class="docutils literal notranslate"><span class="pre">server</span></code> is the domain server to lookup the identity on. The lookup identity value can be specified as a <code class="docutils literal notranslate"><span class="pre">distinguishedName</span></code>, <code class="docutils literal notranslate"><span class="pre">objectGUID</span></code>, <code class="docutils literal notranslate"><span class="pre">objectSid</span></code>, <code class="docutils literal notranslate"><span class="pre">sAMAccountName</span></code>, or <code class="docutils literal notranslate"><span class="pre">userPrincipalName</span></code>. The below is an example of how to lookup a DN using the <code class="docutils literal notranslate"><span class="pre">sAMAccountName</span></code> using a string value or in the dictionary form:</p>
+<div class="highlight-yaml notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Find managed_by using string value</span>
+<span class="w">  </span><span class="nt">microsoft.ad.group</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">My Group</span>
+<span class="w">    </span><span class="nt">scope</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">global</span>
+<span class="w">    </span><span class="nt">managed_by</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Domain Admins</span>
+
+<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Find managed_by using dictionary value with a server</span>
+<span class="w">  </span><span class="nt">microsoft.ad.group</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">My Group</span>
+<span class="w">    </span><span class="nt">scope</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">global</span>
+<span class="w">    </span><span class="nt">managed_by</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Domain Admins</span>
+<span class="w">      </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OtherDC</span>
+</pre></div>
+</div>
+<p>There are also module options that can set a list of DN values for an attribute. The list values for these options are the same as the single value attributes where each DN lookup is set as a string or a dictionary with the <code class="docutils literal notranslate"><span class="pre">name</span></code> and optional <code class="docutils literal notranslate"><span class="pre">server</span></code> key.</p>
+<div class="highlight-yaml notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Specify a list of DNs to set</span>
+<span class="w">  </span><span class="nt">microsoft.ad.computer</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">identity</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TheComputer</span>
+<span class="w">    </span><span class="nt">delegates</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">set</span><span class="p">:</span>
+<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">FileShare</span>
+<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ServerA</span>
+<span class="w">        </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OtherDC</span>
+</pre></div>
+</div>
+<p>For list attributes with the <code class="docutils literal notranslate"><span class="pre">add/remove/set</span></code> subkey options, the <code class="docutils literal notranslate"><span class="pre">lookup_failure_action</span></code> option can also be set to <code class="docutils literal notranslate"><span class="pre">fail</span></code> (default), <code class="docutils literal notranslate"><span class="pre">ignore</span></code>, or <code class="docutils literal notranslate"><span class="pre">warn</span></code>. The <code class="docutils literal notranslate"><span class="pre">fail</span></code> option will fail the task if any of the lookups fail, <code class="docutils literal notranslate"><span class="pre">ignore</span></code> will ignore any invalid lookups, and <code class="docutils literal notranslate"><span class="pre">warn</span></code> will emit a warning but still continue on a lookup failure.</p>
+<div class="highlight-yaml notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Specify a list of DNs to set - ignoring lookup failures</span>
+<span class="w">  </span><span class="nt">microsoft.ad.computer</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">identity</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">TheComputer</span>
+<span class="w">    </span><span class="nt">delegates</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">lookup_failure_action</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">ignore</span>
+<span class="w">      </span><span class="nt">set</span><span class="p">:</span>
+<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">FileShare</span>
+<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">MissingUser</span>
+</pre></div>
+</div>
+<p>When a <code class="docutils literal notranslate"><span class="pre">server</span></code> key is provided, the lookup will be done using the server value specified. It is possible to also provide explicit credentials just for that server using the <code class="docutils literal notranslate"><span class="pre">domain_credentials</span></code> option.</p>
+<div class="highlight-yaml notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Set member with lookup on different server</span>
+<span class="w">  </span><span class="nt">microsoft.ad.group</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">MyGroup</span>
+<span class="w">    </span><span class="nt">state</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">present</span>
+<span class="w">    </span><span class="nt">members</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">add</span><span class="p">:</span>
+<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">GroupOnDefaultDC</span>
+<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">GroupOnDefaultDC2</span>
+<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">GroupOnOtherDC</span>
+<span class="w">        </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OtherDC</span>
+<span class="w">    </span><span class="nt">domain_credentials</span><span class="p">:</span>
+<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">UserForDefaultDC</span>
+<span class="w">      </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PasswordForDefaultDC</span>
+<span class="w">    </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">OtherDC</span>
+<span class="w">      </span><span class="nt">username</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">UserForOtherDC</span>
+<span class="w">      </span><span class="nt">password</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">PasswordForOtherDC</span>
+</pre></div>
+</div>
+<p>In the above, the <code class="docutils literal notranslate"><span class="pre">GroupOnOtherDC</span></code> will be done with <code class="docutils literal notranslate"><span class="pre">OtherDC</span></code> with the username <code class="docutils literal notranslate"><span class="pre">UserForOtherDC</span></code>.</p>
+<p>The documentation for the module option will identify if the option supports the lookup behaviour or whether a DN value must be explicitly provided.</p>
+</section>
 </section>
 
 
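Review bot: In the domain_credentials example the first entry has no name key while the second has name: OtherDC, but the added text never says how an entry is matched to a server or what an entry without name applies to. Add a sentence stating that name must match the server value used in the lookup and, if that is the intent, that the unnamed entry supplies the default credentials. The closing sentence "the GroupOnOtherDC will be done with OtherDC" is missing the word "lookup". The example also writes both passwords as literal values; showing them as vaulted variables would keep readers from copying inline secrets into playbooks.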
@@ -413,7 +476,7 @@ The common types are:</p>
           
 
 <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
-        <a href="../index.html" class="btn btn-neutral float-left" title="Microsoft.Ad" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
+        <a href="guide_ad_module_authentication.html" class="btn btn-neutral float-left" title="AD Authentication in Modules" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
         <a href="guide_ldap_connection.html" class="btn btn-neutral float-right" title="LDAP Connection guide" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
     </div>
 
diff --git a/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/base/collections/microsoft/ad/docsite/guide_ldap_connection.html b/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/head/collections/microsoft/ad/docsite/guide_ldap_connection.html
index d1aaf14..98093bc 100644
--- a/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/base/collections/microsoft/ad/docsite/guide_ldap_connection.html
+++ b/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/head/collections/microsoft/ad/docsite/guide_ldap_connection.html
@@ -135,7 +135,7 @@
 <p>This guide covers information about communicating with an LDAP server, like Microsoft Active Directory, from the Ansible host. Unlike Windows hosts, there are no builtin mechanisms to communicate and authenticate with an LDAP server, so the plugins that run on the Ansible host require some extra configuration to get working.</p>
 <div class="admonition note">
 <p class="admonition-title">Note</p>
-<p>This guide covers LDAP communication from the Ansible host. This does not apply to the modules that run on the remote Windows hosts.</p>
+<p>This guide covers LDAP communication from the Ansible host. This does not apply to the modules that run on the remote Windows hosts. See <a class="reference internal" href="guide_ad_module_authentication.html#ansible-collections-microsoft-ad-docsite-guide-ad-module-authentication"><span class="std std-ref">AD Authentication in Modules</span></a> for information on how modules authentication can be configured.</p>
 </div>
 <nav class="contents local" id="contents">
 <ul class="simple">
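Review bot: The sentence appended to the note reads "for information on how modules authentication can be configured", which is ungrammatical. Suggest "for information on how authentication in modules can be configured", which also matches the linked guide's title.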
diff --git a/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/base/collections/microsoft/ad/docsite/guide_migration.html b/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/head/collections/microsoft/ad/docsite/guide_migration.html
index 126058d..b6ef559 100644
--- a/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/base/collections/microsoft/ad/docsite/guide_migration.html
+++ b/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/head/collections/microsoft/ad/docsite/guide_migration.html
@@ -224,6 +224,27 @@
 <span id="ansible-collections-microsoft-ad-docsite-guide-migration-migrated-modules-win-domain-group-membership"></span><h3>Module <code class="docutils literal notranslate"><span class="pre">win_domain_group_membership</span></code><a class="headerlink" href="#module-win-domain-group-membership" title="Link to this heading"></a></h3>
 <p>Migrated to <a class="reference internal" href="../group_module.html#ansible-collections-microsoft-ad-group-module"><span class="std std-ref">microsoft.ad.group</span></a>.</p>
 <p>The functionality of this module has been merged with <code class="docutils literal notranslate"><span class="pre">microsoft.ad.group</span></code>. Use the <code class="docutils literal notranslate"><span class="pre">members</span></code> option to <code class="docutils literal notranslate"><span class="pre">add</span></code>, <code class="docutils literal notranslate"><span class="pre">remove</span></code>, or <code class="docutils literal notranslate"><span class="pre">set</span></code> to add, remove, or set group members respectively.</p>
+<p>One change is <code class="docutils literal notranslate"><span class="pre">win_domain_group_membership</span></code> could specify the server to lookup the member using the <code class="docutils literal notranslate"><span class="pre">SERVER\member-name</span></code> format. This member format is not supported in <code class="docutils literal notranslate"><span class="pre">microsoft.ad.group</span></code> but since v1.6.0 of this collection the same can be achieved by using a dictionary as the member value. For example:</p>
+<div class="highlight-yaml notranslate"><div class="highlight"><pre><span></span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Add a domain user/group from another Domain in the multi-domain forest to a domain group</span>
+<span class="w">  </span><span class="nt">community.windows.win_domain_group_membership</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">GroupinDomainAAA</span>
+<span class="w">    </span><span class="nt">domain_server</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">DomainAAA.cloud</span>
+<span class="w">    </span><span class="nt">members</span><span class="p">:</span>
+<span class="w">      </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">DomainBBB.cloud\UserInDomainBBB</span>
+<span class="w">    </span><span class="nt">state</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">present</span>
+
+<span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Add a domain user/group from another Domain in the multi-domain forest to a domain group</span>
+<span class="w">  </span><span class="nt">microsoft.ad.group</span><span class="p">:</span>
+<span class="w">    </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">GroupinDomainAAA</span>
+<span class="w">    </span><span class="nt">domain_server</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">DomainAAA.cloud</span>
+<span class="w">    </span><span class="nt">members</span><span class="p">:</span>
+<span class="w">      </span><span class="nt">add</span><span class="p">:</span>
+<span class="w">        </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">UserInDomainBBB</span>
+<span class="w">          </span><span class="nt">server</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">DomainBBB.cloud</span>
+<span class="w">    </span><span class="nt">state</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">present</span>
+</pre></div>
+</div>
+<p>See <a class="reference internal" href="guide_attributes.html#ansible-collections-microsoft-ad-docsite-guide-attributes-dn-lookup-attributes"><span class="std std-ref">DN Lookup Attributes</span></a> for more information.</p>
 </section>
 <section id="module-win-domain-object-info">
 <span id="ansible-collections-microsoft-ad-docsite-guide-migration-migrated-modules-win-domain-object-info"></span><h3>Module <code class="docutils literal notranslate"><span class="pre">win_domain_object_info</span></code><a class="headerlink" href="#module-win-domain-object-info" title="Link to this heading"></a></h3>
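Review bot: The two tasks in the added migration example carry the same name, so only the module key tells the reader which is the old win_domain_group_membership form and which is the microsoft.ad.group replacement. Give them distinct names or put a comment above each marking it as before and after. The lead-in "One change is win_domain_group_membership could specify the server ..." would also read more clearly if it stated directly that the SERVER\member-name format is replaced by a dictionary with name and server.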
diff --git a/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/base/collections/microsoft/ad/group_module.html b/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/head/collections/microsoft/ad/group_module.html
index cfc6190..39808a0 100644
--- a/home/runner/work/microsoft.ad/microsoft.ad/docsbuild/base/collection

Add a way to specify a custom server to lookup an AD identity on when
using module options that accept a list of identities for an attribute.
For example the microsoft.ad.group members option.

Also adds the domain_credentials option that is common to add AD based
modules to specify credentials for the extra AD servers being contacted
in case the default credentials do not work.

Migrates existing options that accept a distinguishedName to the new
lookup code to align the behaviour across the modules.

@jborean93 jborean93 merged commit fd15a22 into ansible-collections:main May 30, 2024
21 checks passed
@jborean93 jborean93 deleted the identity-lookup branch May 30, 2024 02:04
Successfully merging this pull request may close these issues.

microsoft.ad.group module : Set members to an empty list
Add AD member to group in multidomain env fails