cisco.ise.activedirectory module – Resource module for Activedirectory

Note

This module is part of the cisco.ise collection (version 3.0.0).

To install it, use: ansible-galaxy collection install cisco.ise. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: cisco.ise.activedirectory.

New in cisco.ise 1.0.0

Synopsis

  • Manage the create operation of the Activedirectory resource (this module issues a single create; it does not read or update an existing join point).

Note

This module has a corresponding action plugin.

Requirements

The below requirements are needed on the host that executes this module.

  • ciscoisesdk >= 2.0.1

  • python >= 3.5

Parameters

Parameter

Comments

adAttributes

dictionary

Activedirectory’s adAttributes.

attributes

list / elements=dictionary

List of Attributes.

adgroups

dictionary

Activedirectory’s adgroups.

groups

list / elements=dictionary

List of Groups.

adScopesNames

string

String containing the names of the scopes the Active Directory join point belongs to, separated by commas.

advancedSettings

dictionary

Activedirectory’s advancedSettings.

agingTime

float

Activedirectory’s agingTime.

authProtectionType

string

Scope of the AD account-lockout prevention: WIRELESS, WIRED, or BOTH.

country

string

User info attribute.

department

string

User info attribute.

email

string

User info attribute.

enableCallbackForDialinClient

boolean

enableDialinPermissionCheck

boolean

enableFailedAuthProtection

boolean

Enable protection against AD account lockout caused by too many bad password attempts (ISE stops forwarding authentications for the account once failedAuthThreshold is reached).

Choices: false, true

enableMachineAccess

boolean

enableMachineAuth

boolean

enablePassChange

boolean

enableRewrites

boolean

failedAuthThreshold

float

Number of bad password attempts after which failed-authentication protection engages.

firstName

string

User info attribute.

identityNotInAdBehaviour

dictionary

Allowed values REJECT, SEARCH_JOINED_FOREST, SEARCH_ALL.

jobTitle

string

User info attribute.

lastName

string

User info attribute.

locality

string

User info attribute.

organizationalUnit

string

User info attribute.

plaintextAuth

boolean

rewriteRules

list / elements=dictionary

List of Rewrite rules.

schema

dictionary

Allowed values ACTIVE_DIRECTORY, CUSTOM.

stateOrProvince

string

User info attribute.

streetAddress

string

User info attribute.

telephone

string

User info attribute.

unreachableDomainsBehaviour

dictionary

Allowed values PROCEED, DROP.

description

string

Description.

domain

string

The AD domain.

enableDomainAllowedList

boolean

ERSActiveDirectoryDomains

dictionary

Activedirectory’s ERSActiveDirectoryDomains.

domains

list / elements=dictionary

List of Domains.

id

string

Id.

ise_debug

boolean

Flag for the Identity Services Engine SDK to enable debugging.

Choices: false, true

ise_hostname

string / required

The Identity Services Engine hostname.

ise_password

string / required

The Identity Services Engine password to authenticate.

ise_single_request_timeout

integer

added in cisco.ise 3.0.0

Timeout (in seconds) for RESTful HTTP requests.

Default: 60

ise_username

string / required

The Identity Services Engine username to authenticate.

ise_uses_api_gateway

boolean

added in cisco.ise 1.1.0

Flag that informs the SDK whether to use the Identity Services Engine’s API Gateway to send requests.

If it is true, it uses the ISE’s API Gateway and sends requests to https://{{ise_hostname}}.

If it is false, it sends the requests to https://{{ise_hostname}}:{{port}}, where the port value depends on the Service used (ERS, Mnt, UI, PxGrid).

Choices: false, true

ise_uses_csrf_token

boolean

added in cisco.ise 3.0.0

Flag that informs the SDK whether to send the CSRF token to ISE’s ERS APIs.

If it is true, the SDK assumes that the CSRF check is enabled on your ISE deployment and manages the CSRF token for you automatically (fetching it before write requests and echoing it back).

Choices: false, true

ise_verify

boolean

Flag to enable or disable SSL certificate verification. Disabling verification lets any host that can intercept the connection read the ise_username and ise_password sent with every request; use it only for lab systems, and otherwise trust the ISE certificate chain on the control node instead.

Choices: false, true

ise_version

string

Informs the SDK which version of Identity Services Engine to use.

Default: "3.1_Patch_1"

ise_wait_on_rate_limit

boolean

Flag for Identity Services Engine SDK to enable automatic rate-limit handling.

Choices: false, true

name

string

Name.
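The two connection flags above change what a run actually sends: ise_uses_api_gateway decides the base URL, and ise_uses_csrf_token decides whether the client first asks ISE for a CSRF token and echoes it on the POST. The following is an added example, not code from the cisco.ise collection or from ciscoisesdk; it models both behaviours against an in-memory stand-in for the ISE ERS endpoint so it runs offline. The ERS port 9060 and the X-CSRF-TOKEN "fetch" handshake follow Cisco's ERS documentation; the fake server, which binds no token to a session, and every class and function name are this example's own assumptions.

```python
# Added example (not cisco.ise or ciscoisesdk code): base-URL selection and the
# ISE ERS CSRF-token handshake, exercised against a constructed fake server.
import secrets
from typing import Any, Dict, Optional, Tuple

ERS_PORT = 9060                           # ISE ERS service port when the API Gateway is not used
AD_PATH = "/ers/config/activedirectory"   # ERS resource behind the module's "post /activedirectory/"

Response = Tuple[int, Dict[str, str], Optional[Dict[str, Any]]]


def ers_base_url(ise_hostname: str, ise_uses_api_gateway: bool = True) -> str:
    """Rule from the ise_uses_api_gateway description: through the gateway everything
    goes to https://{host}; otherwise to the per-service port (ERS modelled here)."""
    if ise_uses_api_gateway:
        return f"https://{ise_hostname}"
    return f"https://{ise_hostname}:{ERS_PORT}"


class FakeIseErs:
    """Constructed stand-in for the ISE ERS endpoint (assumption, not real ISE code).
    With csrf_check on, a GET carrying 'X-CSRF-TOKEN: fetch' returns a fresh token in
    the response header, and a POST/PUT/DELETE without an issued token gets 403."""

    def __init__(self, csrf_check: bool) -> None:
        self.csrf_check = csrf_check
        self.issued: set = set()
        self.created: list = []

    def handle(self, method: str, path: str, headers: Dict[str, str],
               body: Optional[Dict[str, Any]] = None) -> Response:
        if method == "GET" and headers.get("X-CSRF-TOKEN") == "fetch":
            if not self.csrf_check:
                return 200, {}, None            # check disabled: nothing to hand out
            token = secrets.token_hex(16)
            self.issued.add(token)
            return 200, {"X-CSRF-TOKEN": token}, None
        if self.csrf_check and method in ("POST", "PUT", "DELETE"):
            if headers.get("X-CSRF-TOKEN") not in self.issued:
                return 403, {}, {"message": "CSRF check failed"}
        if method == "POST" and path == AD_PATH:
            self.created.append(body)
            return 201, {}, None
        return 404, {}, None


class ErsClient:
    """Client side: what differs when ise_uses_csrf_token is true."""

    def __init__(self, server: FakeIseErs, ise_hostname: str,
                 ise_uses_api_gateway: bool = True,
                 ise_uses_csrf_token: bool = False) -> None:
        self.server = server
        self.base_url = ers_base_url(ise_hostname, ise_uses_api_gateway)
        self.uses_csrf = ise_uses_csrf_token
        self.csrf_token: Optional[str] = None

    def _fetch_csrf_token(self) -> None:
        status, headers, _ = self.server.handle("GET", AD_PATH, {"X-CSRF-TOKEN": "fetch"})
        if status != 200 or "X-CSRF-TOKEN" not in headers:
            raise RuntimeError("ISE returned no CSRF token; is the CSRF check enabled?")
        self.csrf_token = headers["X-CSRF-TOKEN"]

    def create_active_directory(self, body: Dict[str, Any]) -> int:
        headers = {"Content-Type": "application/json", "Accept": "application/json"}
        if self.uses_csrf:
            if self.csrf_token is None:
                self._fetch_csrf_token()        # one GET with 'fetch', then reuse the token
            headers["X-CSRF-TOKEN"] = self.csrf_token
        status, _, _ = self.server.handle("POST", AD_PATH, headers, body)
        return status


def run_scenarios() -> Dict[str, int]:
    """Status of one create call per (ISE-side CSRF check, client flag) combination;
    -1 marks the client giving up because ISE handed out no token."""
    body = {"ERSActiveDirectory": {"name": "Company_users", "domain": "cisco.com"}}
    out: Dict[str, int] = {}
    for check in (False, True):
        for flag in (False, True):
            client = ErsClient(FakeIseErs(csrf_check=check), "ise.example.net",
                               ise_uses_csrf_token=flag)
            try:
                out[f"check={check},flag={flag}"] = client.create_active_directory(body)
            except RuntimeError:
                out[f"check={check},flag={flag}"] = -1
    return out


if __name__ == "__main__":
    print(ers_base_url("ise.example.net", ise_uses_api_gateway=False))
    print(run_scenarios())
```

The mismatch cases are the ones to remember: with the ISE CSRF check on and ise_uses_csrf_token left false, every create is refused with 403, and with the check off but the flag true, the client never receives a token. Set the flag to match the deployment rather than toggling it until the play goes green.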

Notes

Note

  • SDK method used: activedirectory.Activedirectory.create_activedirectory

  • Path used: post /activedirectory/

  • Does not support check_mode

  • The plugin runs on the control node and does not use any Ansible connection plugins; it uses the Cisco ISE SDK's embedded connection manager instead

  • The parameters starting with ise_ are used by the Cisco ISE Python SDK to establish the connection

Examples

---
- name: Create
  cisco.ise.activedirectory:
    # Connection parameters consumed by the ISE SDK. Keep ise_password in
    # Ansible Vault or an external secret store, never in the playbook itself.
    ise_hostname: "{{ise_hostname}}"
    ise_username: "{{ise_username}}"
    ise_password: "{{ise_password}}"
    ise_verify: "{{ise_verify}}"
    state: present
    # Custom AD attributes ISE retrieves for use in policy, one default value each.
    adAttributes:
      attributes:
        - defaultValue: defaultString
          internalName: internalName1
          name: name1
          type: STRING
        - defaultValue: 1.1.1.1
          internalName: internalName2
          name: name2
          type: IP
        - defaultValue: 'true'
          internalName: internalName3
          name: name3
          type: BOOLEAN
        - defaultValue: '5'
          internalName: internalName4
          name: name4
          type: INT
        - defaultValue: defaultOctetString
          internalName: internalName5
          name: name5
          type: OCTET_STRING
    # Comma-separated names of the scopes this join point belongs to.
    adScopesNames: Default_Scope
    # AD groups referenced by name and SID.
    adgroups:
      groups:
        - name: cisco.com/operators
          sid: S-1-5-32-548
          type: GLOBAL
        - name: cisco.com/office users
          sid: S-1-5-33-326
          type: DOMAIN LOCAL
    advancedSettings:
      agingTime: 5
      # Account-lockout prevention applies to WIRELESS, WIRED, or BOTH.
      authProtectionType: WIRELESS
      # User-info attributes: the AD attribute ISE reads for each field.
      country: co
      department: department
      email: mail
      enableAuthorizationFlow: false
      enableCallbackForDialinClient: false
      enableDialinPermissionCheck: false
      # failedAuthThreshold only takes effect when this is true.
      enableFailedAuthProtection: false
      enableMachineAccess: true
      enableMachineAuth: true
      enablePassChange: true
      # rewriteRules only take effect when this is true.
      enableRewrites: false
      enableSessionStitching: false
      failedAuthThreshold: 5
      firstName: givenName
      # REJECT, SEARCH_JOINED_FOREST, or SEARCH_ALL.
      identityNotInAdBehaviour: SEARCH_JOINED_FOREST
      jobTitle: title
      lastName: sn
      locality: l
      organizationalUnit: company
      plaintextAuth: false
      rewriteRules:
        - rewriteMatch: exampleMatch0
          rewriteResult: exampleResult0
          rowId: 0
        - rewriteMatch: exampleMatch1
          rewriteResult: exampleResult1
          rowId: 1
        - rewriteMatch: exampleMatch2
          rewriteResult: exampleResult2
          rowId: 2
        - rewriteMatch: exampleMatch3
          rewriteResult: exampleResult3
          rowId: 3
      # ACTIVE_DIRECTORY or CUSTOM.
      schema: ACTIVE_DIRECTORY
      stateOrProvince: st
      streetAddress: streetAddress
      telephone: telephoneNumber
      # PROCEED or DROP when a domain in the forest cannot be reached.
      unreachableDomainsBehaviour: PROCEED
    description: Group of Active company users
    domain: cisco.com
    enableDomainAllowedList: true
    id: f75760e7-a4f9-40ef-93bb-88a97e9fb171
    name: Company_users
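Because the module does not support check_mode, a bad value in the block above is only discovered when ISE rejects the POST. The following is an added example, not code from the cisco.ise collection, that pre-validates such a parameter block on the control node using the value constraints stated in the parameter table (authProtectionType, identityNotInAdBehaviour, schema, unreachableDomainsBehaviour, the comma-separated adScopesNames) and the attribute types that appear in the playbook. The sample parameters are constructed to mirror the playbook; the SID regular expression and the "ERSActiveDirectory" wrapper around the resulting body are this example's own assumptions, and all function names are its own.

```python
# Added example (not cisco.ise code): pre-flight validation of the module's
# parameter block and assembly of the request body it would be turned into.
import re
from typing import Any, Dict, List

# Allowed values as listed in the parameter table above.
ALLOWED = {
    "authProtectionType": {"WIRELESS", "WIRED", "BOTH"},
    "identityNotInAdBehaviour": {"REJECT", "SEARCH_JOINED_FOREST", "SEARCH_ALL"},
    "schema": {"ACTIVE_DIRECTORY", "CUSTOM"},
    "unreachableDomainsBehaviour": {"PROCEED", "DROP"},
}
ATTRIBUTE_TYPES = {"STRING", "IP", "BOOLEAN", "INT", "OCTET_STRING"}  # types used in the playbook
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")  # assumed shape of a Windows SID string


def validate_active_directory(params: Dict[str, Any]) -> List[str]:
    """Return a list of problems with the parameter block; empty means it passes."""
    errors: List[str] = []
    for key in ("name", "domain"):
        if not params.get(key):
            errors.append(f"{key}: required")
    adv = params.get("advancedSettings", {})
    for key, allowed in ALLOWED.items():
        val = adv.get(key)
        if val is not None and val not in allowed:
            errors.append(f"advancedSettings.{key}: {val!r} not in {sorted(allowed)}")
    if adv.get("enableFailedAuthProtection"):
        thr = adv.get("failedAuthThreshold")
        if not isinstance(thr, (int, float)) or thr <= 0:
            errors.append("advancedSettings.failedAuthThreshold: must be > 0 "
                          "when enableFailedAuthProtection is true")
    if adv.get("enableRewrites") and not adv.get("rewriteRules"):
        errors.append("advancedSettings.rewriteRules: empty while enableRewrites is true")
    for i, attr in enumerate(params.get("adAttributes", {}).get("attributes", [])):
        if attr.get("type") not in ATTRIBUTE_TYPES:
            errors.append(f"adAttributes.attributes[{i}].type: {attr.get('type')!r} unknown")
    for i, group in enumerate(params.get("adgroups", {}).get("groups", [])):
        if not SID_RE.match(str(group.get("sid", ""))):
            errors.append(f"adgroups.groups[{i}].sid: {group.get('sid')!r} is not a SID")
    return errors


def scope_names(params: Dict[str, Any]) -> List[str]:
    """Split adScopesNames on commas, dropping surrounding whitespace and empty items."""
    raw = str(params.get("adScopesNames", ""))
    return [s.strip() for s in raw.split(",") if s.strip()]


def build_ers_body(params: Dict[str, Any]) -> Dict[str, Any]:
    """Assumed body shape: the resource fields wrapped in an ERSActiveDirectory key,
    with the ise_* connection parameters and Ansible's own 'state' stripped out."""
    errors = validate_active_directory(params)
    if errors:
        raise ValueError("; ".join(errors))
    body = {k: v for k, v in params.items() if not k.startswith("ise_") and k != "state"}
    body["adScopesNames"] = ",".join(scope_names(params))
    return {"ERSActiveDirectory": body}


# Constructed sample that mirrors the playbook above (trimmed to the checked fields).
EXAMPLE: Dict[str, Any] = {
    "ise_hostname": "ise.example.net", "ise_username": "admin", "ise_password": "secret",
    "ise_verify": True, "state": "present",
    "adAttributes": {"attributes": [
        {"defaultValue": "defaultString", "internalName": "internalName1", "name": "name1", "type": "STRING"},
        {"defaultValue": "1.1.1.1", "internalName": "internalName2", "name": "name2", "type": "IP"},
    ]},
    "adScopesNames": " Default_Scope , Branch_Scope ",
    "adgroups": {"groups": [{"name": "cisco.com/operators", "sid": "S-1-5-32-548", "type": "GLOBAL"}]},
    "advancedSettings": {
        "authProtectionType": "WIRELESS", "enableFailedAuthProtection": False,
        "failedAuthThreshold": 5, "enableRewrites": False,
        "identityNotInAdBehaviour": "SEARCH_JOINED_FOREST", "schema": "ACTIVE_DIRECTORY",
        "unreachableDomainsBehaviour": "PROCEED",
    },
    "description": "Group of Active company users", "domain": "cisco.com",
    "enableDomainAllowedList": True, "name": "Company_users",
}

if __name__ == "__main__":
    print(validate_active_directory(EXAMPLE))
    print(build_ers_body(EXAMPLE)["ERSActiveDirectory"]["adScopesNames"])
```

Run it from a pre_tasks step (or an assert task that calls it through a lookup or filter plugin) so that a typo such as authProtectionType: ALL fails before any connection to ISE is made and before credentials leave the control node.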

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

ise_response

list / elements=dictionary

Authors

  • Rafael Campos (@racampos)