Update slapd server
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
parent
571f694ed1
commit
e8661bbddb
@ -1,6 +1,9 @@
---
---
glob_slapd:
glob_slapd:
master_ip: "{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}"
master_ip: "172.16.42.1"
ip: "172.16.42.1"
replica: false
# master_ip: "{{ query('ldap', 'ip', 'templier', 'adm') | ipv6 | first }}"
regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*)$"
regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*)$"
replication_credentials: "{{ vault.ldap_replication_credentials }}"
replication_credentials: "{{ vault.ldap_replication_credentials }}"
private_key: "{{ vault.ldap_private_key }}"
private_key: "{{ vault.ldap_private_key }}"
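Review bot: `master_ip` now hard-codes `172.16.42.1` where the old line obtained it through `query('ldap', 'ip', ...)`, and the same literal is repeated in the new `ip` key, so the two values can drift apart without any check; the commented-out `# master_ip:` line after `replica: false` keeps a third, dead variant of the same setting. Either remove that commented line or replace it with a comment stating the reason the lookup was dropped, e.g. `# master_ip is hard-coded on purpose: <reason the ldap lookup was dropped>`, so the next reader does not have to guess. Whether `master_ip` is consulted at all when `replica` is `false` cannot be seen from this hunk; the file header for this section is not shown on the page.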
2
hosts
2
hosts
@ -14,7 +14,7 @@ virtu
vm
vm
[slapd]
[slapd]
dt.adh.crans.org
templier.adm.ynerant.fr
[virtu]
[virtu]
dt.adh.crans.org
dt.adh.crans.org
7
plays/slapd.yml
Executable file
7
plays/slapd.yml
Executable file
@ -0,0 +1,7 @@
#!/usr/bin/env ansible-playbook
---
- hosts: slapd
vars:
slapd: "{{ glob_slapd | default({}) | combine(service_slapd | default({})) | combine(loc_slapd | default({})) }}"
roles:
- slapd
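Review bot: The `slapd` variable is assembled from three dicts that each fall back to `default({})`, so when none of `glob_slapd`, `service_slapd` or `loc_slapd` is loaded the play still runs the role with an empty mapping and the error only appears later as an undefined `slapd.regex` or `slapd.master_ip` inside the templates, far from its cause. A `pre_tasks` assert on the keys the role needs fails fast with a readable message; the keys named below are the ones the `glob_slapd` hunk on this page defines. The playbook also carries no header comment; a one-liner such as `# Deploy and configure the OpenLDAP server on every host of the slapd group` after the shebang would help.
```yaml
  vars:
    slapd: "{{ glob_slapd | default({}) | combine(service_slapd | default({})) | combine(loc_slapd | default({})) }}"
  pre_tasks:
    - name: Check that the slapd configuration is complete
      assert:
        that:
          - slapd.master_ip is defined
          - slapd.regex is defined
          - slapd.replication_credentials is defined
        fail_msg: "slapd configuration is incomplete: check glob_slapd / service_slapd / loc_slapd"
  # … unchanged: roles …
```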
@ -22,8 +22,8 @@
group: openldap
group: openldap
loop:
loop:
- { dest: slapd.conf, mode: "0600" }
- { dest: slapd.conf, mode: "0600" }
- { dest: ldap.key, mode: "0600" }
#- { dest: ldap.key, mode: "0600" }
- { dest: ldap.pem, mode: "0644" }
#- { dest: ldap.pem, mode: "0644" }
notify: Restart slapd
notify: Restart slapd
- name: Deploy ldap services
- name: Deploy ldap services
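Review bot: Commenting out the `ldap.key` and `ldap.pem` copy items here, together with the `TLSCertificateFile` / `TLSCertificateKeyFile` lines disabled in the `@ -41,8 +41,8 @@` hunk of the slapd.conf template, leaves slapd without a server certificate, so unless TLS is terminated in front of it (nothing on this page shows that) binds reach the server in clear — including the password binds that `by anonymous auth` on `userPassword` in the `@ -162` ACL hunk allows and, presumably, the replicator's credentials. If this is a deliberate interim state, record it at both sites instead of leaving bare commented lines, e.g. `# TLS disabled until a certificate for this host is provisioned; re-enable together with TLSCertificateFile/TLSCertificateKeyFile in the slapd.conf template`, and consider keeping the two items behind a `when:` on a flag such as `slapd.tls` rather than deleting them so the secure path stays exercised. The task that owns this `loop:` starts before the hunk, and this section's file header is not shown on the page.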
@ -33,7 +33,7 @@ moduleload constraint
overlay constraint
overlay constraint
constraint_attribute description regex {{ slapd.regex }}
constraint_attribute description regex {{ slapd.regex }}
restrict=ldap:///ou=hosts,dc=ynerant,dc=fr??one?(objectClass=device)
restrict=ldap:///ou=hosts,dc=ynerant,dc=fr??one?(objectClass=device)
constraint_attribute uid regex ^_
constraint_attribute uid regex ^ynerant
restrict=ldap:///ou=passwd,dc=ynerant,dc=fr??one?(objectClass=posixAccount)
restrict=ldap:///ou=passwd,dc=ynerant,dc=fr??one?(objectClass=posixAccount)
moduleload syncprov
moduleload syncprov
@ -41,8 +41,8 @@ moduleload syncprov
# TLS Certificates
# TLS Certificates
#TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
#TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
TLSCertificateFile /etc/ldap/ldap.pem
#TLSCertificateFile /etc/ldap/ldap.pem
TLSCertificateKeyFile /etc/ldap/ldap.key
#TLSCertificateKeyFile /etc/ldap/ldap.key
# The maximum number of entries that is returned for a search operation
# The maximum number of entries that is returned for a search operation
sizelimit 500
sizelimit 500
@ -162,13 +162,13 @@ overlay syncprov
access to attrs=userPassword,shadowLastChange
access to attrs=userPassword,shadowLastChange
by anonymous auth
by anonymous auth
by self write
by self write
by set="[cn=nounou,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
by set="[cn=admin,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
by dn="cn=replicator,dc=ynerant,dc=fr" read
by dn="cn=replicator,dc=ynerant,dc=fr" read
by * none
by * none
access to attrs=loginShell,mail,telephoneNumber
access to attrs=loginShell,mail,telephoneNumber
by self write
by self write
by set="[cn=nounou,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
by set="[cn=admin,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
by dn="cn=replicator,dc=ynerant,dc=fr" read
by dn="cn=replicator,dc=ynerant,dc=fr" read
by * read
by * read
@ -186,7 +186,7 @@ access to dn.base="" by * read
# The admin dn has full write access, everyone else
# The admin dn has full write access, everyone else
# can read everything.
# can read everything.
access to *
access to *
by set="[cn=nounou,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
by set="[cn=admin,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
by dn="cn=replicator,dc=ynerant,dc=fr" read
by dn="cn=replicator,dc=ynerant,dc=fr" read
by * read
by * read
{% endif %}
{% endif %}
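Review bot: The admin group DN `cn=admin,ou=group,dc=ynerant,dc=fr` is now spelled out by hand in three `by set=` clauses (twice in the `@ -162,13 +162,13 @@` hunk, once in the `@ -186,7 +186,7 @@` hunk), while the same template already takes its tunables from the `slapd` dict (`{{ slapd.regex }}` in the `@ -33,7 +33,7 @@` hunk); a typo in one copy silently changes who may write `userPassword` or the whole tree, and the three sites have to be audited together. Pulling the name into one variable, `by set="[cn={{ slapd.admin_group }},ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write`, with `admin_group: "admin"` beside `regex` in `glob_slapd`, keeps the ACLs consistent and makes the group rename a one-line change next time. The `{% endif %}` at the end of the `@ -186` hunk closes a Jinja conditional whose opening lies outside the hunk, and this section's file header is not shown on the page.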