Update slapd server

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
Yohann D'ANELLO 2021-05-24 18:31:43 +02:00
parent 571f694ed1
commit e8661bbddb
Signed by: ynerant
GPG Key ID: 3A75C55819C8CF85
5 changed files with 20 additions and 10 deletions


@ -1,6 +1,9 @@
--- ---
glob_slapd: glob_slapd:
master_ip: "{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}" master_ip: "172.16.42.1"
ip: "172.16.42.1"
replica: false
# master_ip: "{{ query('ldap', 'ip', 'templier', 'adm') | ipv6 | first }}"
regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*)$" regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*)$"
replication_credentials: "{{ vault.ldap_replication_credentials }}" replication_credentials: "{{ vault.ldap_replication_credentials }}"
private_key: "{{ vault.ldap_private_key }}" private_key: "{{ vault.ldap_private_key }}"
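Review bot: `master_ip` is now the same literal as the new `ip` key and `replica: false` is added without any explanation, so a reader cannot tell whether this host is meant to be the syncrepl provider or whether `master_ip` is still supposed to point somewhere else; a short comment above `replica`, such as `# replica: false — this host is the provider, so master_ip is its own address` (adjusted if that is not the case), would settle it. The commented-out ipv6 `master_ip` line is dead configuration and should either be removed or carry a note saying when it is meant to be used. Hard-coding the address also drops the earlier LDAP lookup; if that is deliberate because the lookup cannot run before slapd exists, saying so in a comment would stop the next maintainer from restoring it.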

2
hosts

@ -14,7 +14,7 @@ virtu
vm vm
[slapd] [slapd]
dt.adh.crans.org templier.adm.ynerant.fr
[virtu] [virtu]
dt.adh.crans.org dt.adh.crans.org

7
plays/slapd.yml Executable file

@ -0,0 +1,7 @@
#!/usr/bin/env ansible-playbook
---
- hosts: slapd
vars:
slapd: "{{ glob_slapd | default({}) | combine(service_slapd | default({})) | combine(loc_slapd | default({})) }}"
roles:
- slapd
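Review bot: The play has no `name:`, so ansible-playbook output only shows `PLAY [slapd]`; adding `- name: Deploy slapd` above `hosts: slapd` makes runs and logs readable. The `slapd:` expression chains three `combine` calls whose precedence is easy to misread; a comment above it such as `# glob_slapd < service_slapd < loc_slapd: later dicts override earlier keys` documents the intended override order. Indentation is not visible in the rendered hunk, so the nesting of `vars:` and `roles:` under the play could not be checked here.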


@ -22,8 +22,8 @@
group: openldap group: openldap
loop: loop:
- { dest: slapd.conf, mode: "0600" } - { dest: slapd.conf, mode: "0600" }
- { dest: ldap.key, mode: "0600" } #- { dest: ldap.key, mode: "0600" }
- { dest: ldap.pem, mode: "0644" } #- { dest: ldap.pem, mode: "0644" }
notify: Restart slapd notify: Restart slapd
- name: Deploy ldap services - name: Deploy ldap services
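Review bot: Commenting out the `ldap.key` and `ldap.pem` loop entries here, together with the `TLSCertificateFile` and `TLSCertificateKeyFile` lines commented out in the slapd.conf hunk `@ -41,8 +41,8 @@`, leaves slapd with no server certificate, so simple binds (the `by anonymous auth` rule on `userPassword`) and the replication credentials from `glob_slapd.replication_credentials` can only travel over unencrypted ldap://. If TLS is disabled only until certificates are available, a comment on the commented entries saying why and what restores them would make that clear; if it is intentional, the commented-out entries are dead configuration and should be removed rather than kept. The task that owns this loop starts outside the hunk, so its `become`/`src` settings could not be checked.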


@ -33,7 +33,7 @@ moduleload constraint
overlay constraint overlay constraint
constraint_attribute description regex {{ slapd.regex }} constraint_attribute description regex {{ slapd.regex }}
restrict=ldap:///ou=hosts,dc=ynerant,dc=fr??one?(objectClass=device) restrict=ldap:///ou=hosts,dc=ynerant,dc=fr??one?(objectClass=device)
constraint_attribute uid regex ^_ constraint_attribute uid regex ^ynerant
restrict=ldap:///ou=passwd,dc=ynerant,dc=fr??one?(objectClass=posixAccount) restrict=ldap:///ou=passwd,dc=ynerant,dc=fr??one?(objectClass=posixAccount)
moduleload syncprov moduleload syncprov
@ -41,8 +41,8 @@ moduleload syncprov
# TLS Certificates # TLS Certificates
#TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3 #TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
TLSCertificateFile /etc/ldap/ldap.pem #TLSCertificateFile /etc/ldap/ldap.pem
TLSCertificateKeyFile /etc/ldap/ldap.key #TLSCertificateKeyFile /etc/ldap/ldap.key
# The maximum number of entries that is returned for a search operation # The maximum number of entries that is returned for a search operation
sizelimit 500 sizelimit 500
@ -162,13 +162,13 @@ overlay syncprov
access to attrs=userPassword,shadowLastChange access to attrs=userPassword,shadowLastChange
by anonymous auth by anonymous auth
by self write by self write
by set="[cn=nounou,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write by set="[cn=admin,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
by dn="cn=replicator,dc=ynerant,dc=fr" read by dn="cn=replicator,dc=ynerant,dc=fr" read
by * none by * none
access to attrs=loginShell,mail,telephoneNumber access to attrs=loginShell,mail,telephoneNumber
by self write by self write
by set="[cn=nounou,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write by set="[cn=admin,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
by dn="cn=replicator,dc=ynerant,dc=fr" read by dn="cn=replicator,dc=ynerant,dc=fr" read
by * read by * read
@ -186,7 +186,7 @@ access to dn.base="" by * read
# The admin dn has full write access, everyone else # The admin dn has full write access, everyone else
# can read everything. # can read everything.
access to * access to *
by set="[cn=nounou,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write by set="[cn=admin,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
by dn="cn=replicator,dc=ynerant,dc=fr" read by dn="cn=replicator,dc=ynerant,dc=fr" read
by * read by * read
{% endif %} {% endif %}