diff --git a/changelogs/fragments/ldap-msa.yml b/changelogs/fragments/ldap-msa.yml new file mode 100644 index 0000000..42b8cc2 --- /dev/null +++ b/changelogs/fragments/ldap-msa.yml @@ -0,0 +1,4 @@ +bugfixes: + - >- + ldap - Filter out managed service accounts in the default LDAP filter used. The ``filter_without_computer`` can be + used to disable the default filter if needed. diff --git a/plugins/inventory/ldap.py b/plugins/inventory/ldap.py index ce77a5e..56b9a18 100644 --- a/plugins/inventory/ldap.py +++ b/plugins/inventory/ldap.py @@ -41,13 +41,13 @@ description: - The LDAP filter string used to query the computer objects. - By default, this will be combined with the filter - "(objectClass=computer)". Use I(filter_without_computer) to override + "(objectCategory=computer)". Use I(filter_without_computer) to override this behavior and have I(filter) be the only filter used. type: str filter_without_computer: description: - - Will not combine the I(filter) value with the filter - "(objectClass=computer)". + - Will not combine the I(filter) value with the default filter + "(objectCategory=computer)". - In most cases this should be C(false) but can be set to C(true) to have the I(filter) value specified be the only filter used. type: bool @@ -293,7 +293,7 @@ def parse( "subtree": sansldap.SearchScope.SUBTREE, }[search_scope] - computer_filter = sansldap.FilterEquality("objectClass", b"computer") + computer_filter = sansldap.FilterEquality("objectCategory", b"computer") final_filter: sansldap.LDAPFilter if ldap_filter: ldap_filter_obj = sansldap.LDAPFilter.from_string(ldap_filter) @@ -324,22 +324,24 @@ def parse( # These options are in ../doc_fragments/ldap_connection.py template_fields = { - 'auth_protocol', - 'ca_cert', - 'cert_validation', - 'certificate', - 'certificate_key', - 'certificate_password', - 'connection_timeout', - 'encrypt', - 'password', - 'port', - 'server', - 'tls_mode', - 'username', + "auth_protocol", + "ca_cert", + "cert_validation", + "certificate", + "certificate_key", + "certificate_password", + "connection_timeout", + "encrypt", + "password", + "port", + "server", + "tls_mode", + "username", } for option_name, option_value in connection_options.items(): - if option_name in template_fields and self.templar.is_template(option_value): + if option_name in template_fields and self.templar.is_template( + option_value + ): self.display.vvv(f"Templating option {option_name}") connection_options[option_name] = self.templar.template( variable=option_value, diff --git a/tests/integration/targets/inventory_ldap/main.yml b/tests/integration/targets/inventory_ldap/main.yml index 14b4ae3..8e10a9d 100644 --- a/tests/integration/targets/inventory_ldap/main.yml +++ b/tests/integration/targets/inventory_ldap/main.yml @@ -14,6 +14,19 @@ dc_name: '{{ setup_domain_info.output[0].dnsHostName }}' cert_path: /tmp/microsoft.ad-{{ inventory_hostname }} + - name: create KDS root key if not present + ansible.windows.win_powershell: + error_action: stop + script: | + $Ansible.Changed = $false + if (-not (Get-KdsRootKey)) { + Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) + $Ansible.Changed = $true + } + become: true + become_method: runas + become_user: SYSTEM + - name: run tests import_role: name: test diff --git a/tests/integration/targets/inventory_ldap/roles/test/tasks/main.yml b/tests/integration/targets/inventory_ldap/roles/test/tasks/main.yml index 7e0bb2e..7664de9 100644 --- a/tests/integration/targets/inventory_ldap/roles/test/tasks/main.yml +++ b/tests/integration/targets/inventory_ldap/roles/test/tasks/main.yml @@ -285,6 +285,9 @@ 'msDS-AllowedToDelegateTo' = 'dns 2' } + New-ADServiceAccount -Name MyGMSA -DNSHostName MyGMSA -Path $adParams.Path + New-ADServiceAccount -Name MySMSA -RestrictToSingleComputer -Path $adParams.Path + Add-ADGroupMember -Identity $group1 -Members $comp1, $comp2 Add-ADGroupMember -Identity $group2 -Members $comp1