cisco.ise.active_directory module – Resource module for Active Directory
Note
This module is part of the cisco.ise collection (version 2.4.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install cisco.ise
.
To use it in a playbook, specify: cisco.ise.active_directory
.
New in version 1.0.0: of cisco.ise
Synopsis
Manage operations create and delete of the resource Active Directory.
This API creates an AD join point in Cisco ISE.
This API deletes an AD join point from Cisco ISE.
Note
This module has a corresponding action plugin.
Requirements
The below requirements are needed on the host that executes this module.
ciscoisesdk >= 2.0.1
python >= 3.5
Parameters
Parameter |
Comments |
---|---|
Holds list of AD Attributes. |
|
List of Attributes. |
|
Required for each attribute in the attribute list. Can contain an empty string. All characters are allowed except <%”. |
|
Required for each attribute in the attribute list. All characters are allowed except <%”. |
|
Required for each attribute in the attribute list with no duplication between attributes. All characters are allowed except <%”. |
|
Required for each group in the group list. Allowed values STRING, IP, BOOLEAN, INT, OCTET_STRING. |
|
Holds list of AD Groups. |
|
List of Groups. |
|
Required for each group in the group list with no duplication between groups. All characters are allowed except %. |
|
Cisco ISE uses security identifiers (SIDs) for optimization of group membership evaluation. SIDs are useful for efficiency (speed) when the groups are evaluated. All characters are allowed except %. |
|
No character restriction. |
|
String that contains the names of the scopes that the active directory belongs to. Names are separated by comma. Alphanumeric, underscore (_) characters are allowed. |
|
Active Directory’s advancedSettings. |
|
Range 1-8760 hours. |
|
Enable prevent AD account lockout. Allowed values - WIRELESS, - WIRED, - BOTH. |
|
User info attribute. All characters are allowed except %. |
|
User info attribute. All characters are allowed except %. |
|
User info attribute. All characters are allowed except %. |
|
EnableCallbackForDialinClient flag. Choices:
|
|
EnableDialinPermissionCheck flag. Choices:
|
|
Enable prevent AD account lockout due to too many bad password attempts. Choices:
|
|
EnableMachineAccess flag. Choices:
|
|
EnableMachineAuth flag. Choices:
|
|
EnablePassChange flag. Choices:
|
|
EnableRewrites flag. Choices:
|
|
Number of bad password attempts. |
|
User info attribute. All characters are allowed except %. |
|
Allowed values REJECT, SEARCH_JOINED_FOREST, SEARCH_ALL. |
|
User info attribute. All characters are allowed except %. |
|
User info attribute. All characters are allowed except %. |
|
User info attribute. All characters are allowed except %. |
|
User info attribute. All characters are allowed except %. |
|
PlaintextAuth flag. Choices:
|
|
Identity rewrite is an advanced feature that directs Cisco ISE to manipulate the identity before it is passed to the external Active Directory system. You can create rules to change the identity to a desired format that includes or excludes a domain prefix and/or suffix or other additional markup of your choice. |
|
Required for each rule in the list with no duplication between rules. All characters are allowed except %”. |
|
Required for each rule in the list. All characters are allowed except %”. |
|
Required for each rule in the list in serial order. |
|
Allowed values ACTIVE_DIRECTORY, CUSTOM. Choose ACTIVE_DIRECTORY schema when the AD attributes defined in AD can be copied to relevant attributes in Cisco ISE. If customization is needed, choose CUSTOM schema. All User info attributes are always set to default value if schema is ACTIVE_DIRECTORY. Values can be changed only for CUSTOM schema. |
|
User info attribute. All characters are allowed except %. |
|
User info attribute. All characters are allowed except %. |
|
User info attribute. All characters are allowed except %. |
|
Allowed values PROCEED, DROP. |
|
No character restriction. |
|
The AD domain. Alphanumeric, hyphen (-) and dot (.) characters are allowed. |
|
EnableDomainWhiteList flag. Choices:
|
|
Id path parameter. |
|
Flag for Identity Services Engine SDK to enable debugging. Choices:
|
|
The Identity Services Engine hostname. |
|
The Identity Services Engine password to authenticate. |
|
The Identity Services Engine username to authenticate. |
|
Flag that informs the SDK whether to use the Identity Services Engine’s API Gateway to send requests. If it is true, it uses the ISE’s API Gateway and sends requests to https://{{ise_hostname}}. If it is false, it sends the requests to https://{{ise_hostname}}:{{port}}, where the port value depends on the Service used (ERS, Mnt, UI, PxGrid). Choices:
|
|
Flag that informs the SDK whether we send the CSRF token to ISE’s ERS APIs. If it is True, the SDK assumes that your ISE CSRF Check is enabled. If it is True, it assumes you need the SDK to manage the CSRF token automatically for you. Choices:
|
|
Flag to enable or disable SSL certificate verification. Choices:
|
|
Informs the SDK which version of Identity Services Engine to use. Default: “3.1.1” |
|
Flag for Identity Services Engine SDK to enable automatic rate-limit handling. Choices:
|
|
Resource Name. Maximum 32 characters allowed. Allowed characters are alphanumeric and .-_/\ characters. |
Notes
Note
SDK Method used are active_directory.ActiveDirectory.create_active_directory, active_directory.ActiveDirectory.delete_active_directory_by_id,
Paths used are post /ers/config/activedirectory, delete /ers/config/activedirectory/{id},
Does not support
check_mode
The plugin runs on the control node and does not use any ansible connection plugins, but instead the embedded connection manager from Cisco ISE SDK
The parameters starting with ise_ are used by the Cisco ISE Python SDK to establish the connection
Examples
- name: Delete by id
cisco.ise.active_directory:
ise_hostname: "{{ise_hostname}}"
ise_username: "{{ise_username}}"
ise_password: "{{ise_password}}"
ise_verify: "{{ise_verify}}"
state: absent
id: string
- name: Create
cisco.ise.active_directory:
ise_hostname: "{{ise_hostname}}"
ise_username: "{{ise_username}}"
ise_password: "{{ise_password}}"
ise_verify: "{{ise_verify}}"
state: present
adAttributes:
attributes:
- defaultValue: string
internalName: string
name: string
type: string
adScopesNames: string
adgroups:
groups:
- name: string
sid: string
type: string
advancedSettings:
agingTime: 0
authProtectionType: string
country: string
department: string
email: string
enableCallbackForDialinClient: true
enableDialinPermissionCheck: true
enableFailedAuthProtection: true
enableMachineAccess: true
enableMachineAuth: true
enablePassChange: true
enableRewrites: true
failedAuthThreshold: 0
firstName: string
identityNotInAdBehaviour: string
jobTitle: string
lastName: string
locality: string
organizationalUnit: string
plaintextAuth: true
rewriteRules:
- rewriteMatch: string
rewriteResult: string
rowId: 0
schema: string
stateOrProvince: string
streetAddress: string
telephone: string
unreachableDomainsBehaviour: string
description: string
domain: string
enableDomainWhiteList: true
id: string
name: string
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
A dictionary or list with the response returned by the Cisco ISE Python SDK Returned: always Sample: “{\n \”id\”: \”string\”,\n \”name\”: \”string\”,\n \”description\”: \”string\”,\n \”domain\”: \”string\”,\n \”enableDomainWhiteList\”: true,\n \”enableDomainAllowedList\”: true,\n \”adgroups\”: {\n \”groups\”: [\n {\n \”name\”: \”string\”,\n \”sid\”: \”string\”,\n \”type\”: \”string\”\n }\n ]\n },\n \”advancedSettings\”: {\n \”enablePassChange\”: true,\n \”enableMachineAuth\”: true,\n \”enableMachineAccess\”: true,\n \”agingTime\”: 0,\n \”enableDialinPermissionCheck\”: true,\n \”enableCallbackForDialinClient\”: true,\n \”plaintextAuth\”: true,\n \”enableFailedAuthProtection\”: true,\n \”authProtectionType\”: \”string\”,\n \”failedAuthThreshold\”: 0,\n \”identityNotInAdBehaviour\”: \”string\”,\n \”unreachableDomainsBehaviour\”: \”string\”,\n \”enableRewrites\”: true,\n \”rewriteRules\”: [\n {\n \”rowId\”: 0,\n \”rewriteMatch\”: \”string\”,\n \”rewriteResult\”: \”string\”\n }\n ],\n \”firstName\”: \”string\”,\n \”department\”: \”string\”,\n \”lastName\”: \”string\”,\n \”organizationalUnit\”: \”string\”,\n \”jobTitle\”: \”string\”,\n \”locality\”: \”string\”,\n \”email\”: \”string\”,\n \”stateOrProvince\”: \”string\”,\n \”telephone\”: \”string\”,\n \”country\”: \”string\”,\n \”streetAddress\”: \”string\”,\n \”schema\”: \”string\”\n },\n \”adAttributes\”: {\n \”attributes\”: [\n {\n \”name\”: \”string\”,\n \”type\”: \”string\”,\n \”internalName\”: \”string\”,\n \”defaultValue\”: \”string\”\n }\n ]\n },\n \”adScopesNames\”: \”string\”,\n \”link\”: {\n \”rel\”: \”string\”,\n \”href\”: \”string\”,\n \”type\”: \”string\”\n }\n}\n” |