Update slapd server
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
parent
571f694ed1
commit
e8661bbddb
GPG Key ID:
3A75C55819C8CF85
|
|
@ -1,6 +1,9 @@
|
|||
---
|
||||
glob_slapd:
|
||||
master_ip: "{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}"
|
||||
master_ip: "172.16.42.1"
|
||||
ip: "172.16.42.1"
|
||||
replica: false
|
||||
# master_ip: "{{ query('ldap', 'ip', 'templier', 'adm') | ipv6 | first }}"
|
||||
regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*)$"
|
||||
replication_credentials: "{{ vault.ldap_replication_credentials }}"
|
||||
private_key: "{{ vault.ldap_private_key }}"
|
||||
|
|
|
|||
2
hosts
2
hosts
|
|
@ -14,7 +14,7 @@ virtu
|
|||
vm
|
||||
|
||||
[slapd]
|
||||
dt.adh.crans.org
|
||||
templier.adm.ynerant.fr
|
||||
|
||||
[virtu]
|
||||
dt.adh.crans.org
|
||||
|
|
|
|||
|
|
@ -0,0 +1,7 @@
|
|||
#!/usr/bin/env ansible-playbook
|
||||
---
|
||||
- hosts: slapd
|
||||
vars:
|
||||
slapd: "{{ glob_slapd | default({}) | combine(service_slapd | default({})) | combine(loc_slapd | default({})) }}"
|
||||
roles:
|
||||
- slapd
|
||||
|
|
@ -22,8 +22,8 @@
|
|||
group: openldap
|
||||
loop:
|
||||
- { dest: slapd.conf, mode: "0600" }
|
||||
- { dest: ldap.key, mode: "0600" }
|
||||
- { dest: ldap.pem, mode: "0644" }
|
||||
#- { dest: ldap.key, mode: "0600" }
|
||||
#- { dest: ldap.pem, mode: "0644" }
|
||||
notify: Restart slapd
|
||||
|
||||
- name: Deploy ldap services
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ moduleload constraint
|
|||
overlay constraint
|
||||
constraint_attribute description regex {{ slapd.regex }}
|
||||
restrict=ldap:///ou=hosts,dc=ynerant,dc=fr??one?(objectClass=device)
|
||||
constraint_attribute uid regex ^_
|
||||
constraint_attribute uid regex ^ynerant
|
||||
restrict=ldap:///ou=passwd,dc=ynerant,dc=fr??one?(objectClass=posixAccount)
|
||||
|
||||
moduleload syncprov
|
||||
|
|
@ -41,8 +41,8 @@ moduleload syncprov
|
|||
|
||||
# TLS Certificates
|
||||
#TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
|
||||
TLSCertificateFile /etc/ldap/ldap.pem
|
||||
TLSCertificateKeyFile /etc/ldap/ldap.key
|
||||
#TLSCertificateFile /etc/ldap/ldap.pem
|
||||
#TLSCertificateKeyFile /etc/ldap/ldap.key
|
||||
|
||||
# The maximum number of entries that is returned for a search operation
|
||||
sizelimit 500
|
||||
|
|
@ -162,13 +162,13 @@ overlay syncprov
|
|||
access to attrs=userPassword,shadowLastChange
|
||||
by anonymous auth
|
||||
by self write
|
||||
by set="[cn=nounou,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
|
||||
by set="[cn=admin,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
|
||||
by dn="cn=replicator,dc=ynerant,dc=fr" read
|
||||
by * none
|
||||
|
||||
access to attrs=loginShell,mail,telephoneNumber
|
||||
by self write
|
||||
by set="[cn=nounou,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
|
||||
by set="[cn=admin,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
|
||||
by dn="cn=replicator,dc=ynerant,dc=fr" read
|
||||
by * read
|
||||
|
||||
|
|
@ -186,7 +186,7 @@ access to dn.base="" by * read
|
|||
# The admin dn has full write access, everyone else
|
||||
# can read everything.
|
||||
access to *
|
||||
by set="[cn=nounou,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
|
||||
by set="[cn=admin,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
|
||||
by dn="cn=replicator,dc=ynerant,dc=fr" read
|
||||
by * read
|
||||
{% endif %}
|
||||
|
|
|
|||
Loading…
Reference in New Issue