cisco.ise.active_directory – Resource module for Active Directory

Note

This plugin is part of the cisco.ise collection (version 2.1.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.ise.

To use it in a playbook, specify: cisco.ise.active_directory.

New in cisco.ise version 1.0.0

Synopsis

  • Create and delete the Active Directory resource (an ISE Active Directory join point and its groups, attributes and advanced settings).

Note

This module has a corresponding action plugin.

Requirements

The below requirements are needed on the host that executes this module.

  • ciscoisesdk >= 1.3.0

  • python >= 3.5

Parameters

Parameter Choices/Defaults Comments
adAttributes
dictionary
Holds list of AD Attributes.
attributes
list / elements=dictionary
List of attributes; each element is a dictionary with the defaultValue, internalName, name and type keys below (see the Create example).
defaultValue
string
Required for each attribute in the attribute list. Can be an empty string. All characters are allowed except <, % and ".
internalName
string
Required for each attribute in the attribute list. All characters are allowed except <, % and ".
name
string
Required for each attribute in the attribute list, with no duplication between attributes. All characters are allowed except <, % and ".
type
string
Required for each attribute in the attribute list. Allowed values STRING, IP, BOOLEAN, INT, OCTET_STRING.
adgroups
dictionary
Holds list of AD Groups.
groups
list / elements=dictionary
List of groups; each element is a dictionary with the name, sid and type keys below (see the Create example).
name
string
Required for each group in the group list with no duplication between groups. All characters are allowed except %.
sid
string
The group's security identifier (SID). Cisco ISE evaluates group membership by SID rather than by name, which makes the evaluation faster. All characters are allowed except %.
type
string
No character restriction.
adScopesNames
string
String that contains the names of the scopes that the active directory belongs to. Names are separated by comma. Alphanumeric, underscore (_) characters are allowed.
advancedSettings
dictionary
Active Directory's advancedSettings.
agingTime
integer
Range 1-8760 hours.
authProtectionType
string
Which access types the AD account-lockout protection (enableFailedAuthProtection) applies to. Allowed values WIRELESS, WIRED, BOTH.
country
string
User info attribute. All characters are allowed except %.
department
string
User info attribute. All characters are allowed except %.
email
string
User info attribute. All characters are allowed except %.
enableCallbackForDialinClient
boolean
    Choices:
  • no
  • yes
EnableCallbackForDialinClient flag.
enableDialinPermissionCheck
boolean
    Choices:
  • no
  • yes
EnableDialinPermissionCheck flag.
enableFailedAuthProtection
boolean
    Choices:
  • no
  • yes
Enable prevent AD account lockout due to too many bad password attempts.
enableMachineAccess
boolean
    Choices:
  • no
  • yes
EnableMachineAccess flag.
enableMachineAuth
boolean
    Choices:
  • no
  • yes
EnableMachineAuth flag.
enablePassChange
boolean
    Choices:
  • no
  • yes
EnablePassChange flag.
enableRewrites
boolean
    Choices:
  • no
  • yes
EnableRewrites flag.
failedAuthThreshold
integer
Number of bad password attempts allowed before the account-lockout protection takes effect. Only meaningful when enableFailedAuthProtection is true.
firstName
string
User info attribute. All characters are allowed except %.
identityNotInAdBehaviour
string
Allowed values REJECT, SEARCH_JOINED_FOREST, SEARCH_ALL.
jobTitle
string
User info attribute. All characters are allowed except %.
lastName
string
User info attribute. All characters are allowed except %.
locality
string
User info attribute. All characters are allowed except %.
organizationalUnit
string
User info attribute. All characters are allowed except %.
plaintextAuth
boolean
    Choices:
  • no
  • yes
Whether plaintext password authentication (for example PAP) is permitted against this join point. Leave it disabled unless a specific legacy flow requires it.
rewriteRules
list / elements=dictionary
Identity rewrite is an advanced feature that directs Cisco ISE to manipulate the identity before it is passed to the external Active Directory system. You can create rules to change the identity to a desired format that includes or excludes a domain prefix and/or suffix or other additional markup of your choice.
rewriteMatch
string
Required for each rule in the list, with no duplication between rules. All characters are allowed except % and ".
rewriteResult
string
Required for each rule in the list. All characters are allowed except % and ".
rowId
integer
Required for each rule in the list; assign consecutive integers in list order.
schema
string
Allowed values ACTIVE_DIRECTORY, CUSTOM. Choose ACTIVE_DIRECTORY schema when the AD attributes defined in AD can be copied to relevant attributes in Cisco ISE. If customization is needed, choose CUSTOM schema. All User info attributes are always set to default value if schema is ACTIVE_DIRECTORY. Values can be changed only for CUSTOM schema.
stateOrProvince
string
User info attribute. All characters are allowed except %.
streetAddress
string
User info attribute. All characters are allowed except %.
telephone
string
User info attribute. All characters are allowed except %.
unreachableDomainsBehaviour
string
Allowed values PROCEED, DROP.
description
string
No character restriction.
domain
string
The AD domain. Alphanumeric, hyphen (-) and dot (.) characters are allowed.
enableDomainWhiteList
boolean
    Choices:
  • no
  • yes
Restrict authentication to an explicit list of allowed domains. The API response also reports this setting as enableDomainAllowedList (see the Return Values sample).
id
string
Id path parameter.
ise_debug
boolean
    Choices:
  • no ←
  • yes
Flag for the Identity Services Engine SDK to enable debug logging. Debug output includes HTTP request and response detail, so keep it off outside troubleshooting sessions.
ise_hostname
string / required
The Identity Services Engine hostname.
ise_password
string / required
The Identity Services Engine password to authenticate with. Supply it from Ansible Vault or an environment lookup rather than a plaintext variable file, and set no_log on tasks that reference it.
ise_username
string / required
The Identity Services Engine username to authenticate.
ise_uses_api_gateway
boolean
added in 1.1.0 of cisco.ise
    Choices:
  • no
  • yes ←
Flag that informs the SDK whether to use the Identity Services Engine's API Gateway to send requests.
If it is true, it uses the ISE's API Gateway and sends requests to https://{{ise_hostname}}.
If it is false, it sends the requests to https://{{ise_hostname}}:{{port}}, where the port value depends on the Service used (ERS, Mnt, UI, PxGrid).
ise_verify
boolean
    Choices:
  • no
  • yes ←
Flag to enable or disable TLS certificate verification. Disabling it makes the module accept any certificate ISE presents, so an on-path attacker can capture the admin credentials sent with each request; keep it enabled and trust the CA of the ISE admin certificate on the control node instead.
ise_version
string
Default:
"3.1.1"
Informs the SDK which version of Identity Services Engine to use.
ise_wait_on_rate_limit
boolean
    Choices:
  • no
  • yes ←
Flag for Identity Services Engine SDK to enable automatic rate-limit handling.
name
string
Resource name (the join point name). Maximum 32 characters. Allowed characters: alphanumeric and . - _ / \.
state
string
    Choices:
  • present
  • absent
Accepted by the module's action plugin, as used in the Examples below: present creates the Active Directory resource, absent deletes it by id.

Notes

Note

  • Does not support check_mode; tasks using this module are skipped when the play runs with --check.

  • The plugin runs on the control node and does not use any Ansible connection plugins; it uses the embedded connection manager of the Cisco ISE SDK instead.

  • The parameters starting with ise_ are used by the Cisco ISE Python SDK to establish the connection

See Also

Active Directory reference

Complete reference of the Active Directory object model.

Examples

- name: Delete by id
  cisco.ise.active_directory:
    ise_hostname: "{{ise_hostname}}"
    ise_username: "{{ise_username}}"
    ise_password: "{{ise_password}}"
    ise_verify: "{{ise_verify}}"
    state: absent
    id: string

- name: Create
  cisco.ise.active_directory:
    ise_hostname: "{{ise_hostname}}"
    ise_username: "{{ise_username}}"
    ise_password: "{{ise_password}}"
    ise_verify: "{{ise_verify}}"
    state: present
    adAttributes:
      attributes:
      - defaultValue: string
        internalName: string
        name: string
        type: string
    adScopesNames: string
    adgroups:
      groups:
      - name: string
        sid: string
        type: string
    advancedSettings:
      agingTime: 0
      authProtectionType: string
      country: string
      department: string
      email: string
      enableCallbackForDialinClient: true
      enableDialinPermissionCheck: true
      enableFailedAuthProtection: true
      enableMachineAccess: true
      enableMachineAuth: true
      enablePassChange: true
      enableRewrites: true
      failedAuthThreshold: 0
      firstName: string
      identityNotInAdBehaviour: string
      jobTitle: string
      lastName: string
      locality: string
      organizationalUnit: string
      plaintextAuth: true
      rewriteRules:
      - rewriteMatch: string
        rewriteResult: string
        rowId: 0
      schema: string
      stateOrProvince: string
      streetAddress: string
      telephone: string
      unreachableDomainsBehaviour: string
    description: string
    domain: string
    enableDomainWhiteList: true
    id: string
    name: string

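The placeholder examples above list every field but give no working values. The playbook below is an added example, not part of the cisco.ise collection's documentation, showing a realistic create-and-teardown run: the admin password comes from a vaulted variable, TLS verification stays on, account-lockout protection and plaintext-auth settings are set deliberately, and the id ISE returns is reused for the delete. The hostname, ERS account, vault variable, domain, group name, SID and group type (GLOBAL) are constructed placeholders; the teardown step assumes ise_response carries the id as in the Return Values sample.

```yaml
---
# Added example (not cisco.ise collection code). Runs on the control node
# because the module uses the Cisco ISE SDK, not an Ansible connection plugin.
# Note: the module does not support check_mode, so `--check` skips these tasks.
- name: Manage the corp.example.com Active Directory join point in ISE
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    ise_hostname: ise-pan-01.example.com   # assumed PAN hostname
    ise_username: ersadmin                  # assumed ERS admin account
    # ise_password is NOT defined here; load it from a vaulted file, e.g.
    #   ansible-playbook ad_join_point.yml -e @vault.yml --ask-vault-pass
    ise_verify: true                        # keep TLS verification enabled
    ad_join_point: corp_ad                  # <= 32 chars, allowed charset
    ad_domain: corp.example.com             # alphanumeric, '-' and '.' only
  tasks:
    - name: Create the join point with hardened advanced settings
      cisco.ise.active_directory:
        ise_hostname: "{{ ise_hostname }}"
        ise_username: "{{ ise_username }}"
        ise_password: "{{ ise_password }}"
        ise_verify: "{{ ise_verify }}"
        state: present
        name: "{{ ad_join_point }}"
        domain: "{{ ad_domain }}"
        description: Corporate AD, managed by Ansible
        enableDomainWhiteList: true
        adgroups:
          groups:
            # Constructed group and SID; ISE evaluates membership by SID.
            - name: corp.example.com/Users/NetworkAdmins
              sid: S-1-5-21-1111111111-2222222222-3333333333-1105
              type: GLOBAL                  # assumed group type value
        advancedSettings:
          schema: ACTIVE_DIRECTORY          # user-info attributes keep defaults
          enableFailedAuthProtection: true  # prevent AD account lockout ...
          failedAuthThreshold: 5            # ... after 5 bad passwords ...
          authProtectionType: BOTH          # ... for wired and wireless
          plaintextAuth: false              # no plaintext password auth
          enablePassChange: false           # no AD password changes via ISE
          enableMachineAuth: true
          enableMachineAccess: true
          agingTime: 5                      # hours, valid range 1-8760
          enableRewrites: false             # no identity rewrite rules
          identityNotInAdBehaviour: REJECT  # unknown identity => reject
          unreachableDomainsBehaviour: DROP # unreachable domain => drop
          enableDialinPermissionCheck: false
          enableCallbackForDialinClient: false
      no_log: true          # keep ise_password out of logs and callbacks
      register: ad_result   # the registered variable is still usable

    - name: Show the id that ISE assigned to the join point
      ansible.builtin.debug:
        msg: "Join point id: {{ ad_result.ise_response.id }}"

    - name: Tear down (only when run with -e teardown=true)
      cisco.ise.active_directory:
        ise_hostname: "{{ ise_hostname }}"
        ise_username: "{{ ise_username }}"
        ise_password: "{{ ise_password }}"
        ise_verify: "{{ ise_verify }}"
        state: absent
        id: "{{ ad_result.ise_response.id }}"   # delete requires the id
      no_log: true
      when: teardown | default(false) | bool
```

Keep ise_verify true in every environment that has a trusted ISE admin certificate; if the CA is private, install it in the control node's trust store rather than turning verification off. The group name and SID must match an actual AD group; the values above are illustrative only.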
Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
ise_response
dictionary
always
A dictionary or list with the response returned by the Cisco ISE Python SDK

Sample:
{
  "id": "string",
  "name": "string",
  "description": "string",
  "domain": "string",
  "enableDomainWhiteList": true,
  "enableDomainAllowedList": true,
  "adgroups": {
    "groups": [
      { "name": "string", "sid": "string", "type": "string" }
    ]
  },
  "advancedSettings": {
    "enablePassChange": true,
    "enableMachineAuth": true,
    "enableMachineAccess": true,
    "agingTime": 0,
    "enableDialinPermissionCheck": true,
    "enableCallbackForDialinClient": true,
    "plaintextAuth": true,
    "enableFailedAuthProtection": true,
    "authProtectionType": "string",
    "failedAuthThreshold": 0,
    "identityNotInAdBehaviour": "string",
    "unreachableDomainsBehaviour": "string",
    "enableRewrites": true,
    "rewriteRules": [
      { "rowId": 0, "rewriteMatch": "string", "rewriteResult": "string" }
    ],
    "firstName": "string",
    "department": "string",
    "lastName": "string",
    "organizationalUnit": "string",
    "jobTitle": "string",
    "locality": "string",
    "email": "string",
    "stateOrProvince": "string",
    "telephone": "string",
    "country": "string",
    "streetAddress": "string",
    "schema": "string"
  },
  "adAttributes": {
    "attributes": [
      { "name": "string", "type": "string", "internalName": "string", "defaultValue": "string" }
    ]
  },
  "adScopesNames": "string",
  "link": { "rel": "string", "href": "string", "type": "string" }
}


Authors

  • Rafael Campos (@racampos)