Update slapd server

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-05-24 18:31:43 +02:00 · 2021-05-24 18:31:43 +02:00 · e8661bbddb
parent 571f694ed1
commit e8661bbddb
5 changed files with 20 additions and 10 deletions
--- a/group_vars/slapd.yml
+++ b/group_vars/slapd.yml
@ -1,6 +1,9 @@
 ---
 glob_slapd:
-  master_ip: "{{ query('ldap', 'ip', 'tealc', 'adm') | ipv4 | first }}"
+  master_ip: "172.16.42.1"
  ip: "172.16.42.1"
  replica: false
  # master_ip: "{{ query('ldap', 'ip', 'templier', 'adm') | ipv6 | first }}"
  regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*)$"
  replication_credentials: "{{ vault.ldap_replication_credentials }}"
  private_key: "{{ vault.ldap_private_key }}"
--- a/2
+++ b/2
@ -14,7 +14,7 @@ virtu
 vm
 [slapd]
-dt.adh.crans.org
+templier.adm.ynerant.fr
 [virtu]
 dt.adh.crans.org
--- a/plays/slapd.yml
+++ b/plays/slapd.yml
@ -0,0 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: slapd
  vars:
    slapd: "{{ glob_slapd | default({}) | combine(service_slapd | default({})) | combine(loc_slapd | default({})) }}"
  roles:
    - slapd
--- a/roles/slapd/tasks/main.yml
+++ b/roles/slapd/tasks/main.yml
@ -22,8 +22,8 @@
    group: openldap
  loop:
    - { dest: slapd.conf, mode: "0600" }
-    - { dest: ldap.key, mode: "0600" }
+   #- { dest: ldap.key, mode: "0600" }
-    - { dest: ldap.pem, mode: "0644" }
+   #- { dest: ldap.pem, mode: "0644" }
  notify: Restart slapd
 - name: Deploy ldap services
--- a/roles/slapd/templates/ldap/slapd.conf.j2
+++ b/roles/slapd/templates/ldap/slapd.conf.j2
@ -33,7 +33,7 @@ moduleload constraint
 overlay constraint
 constraint_attribute description regex {{ slapd.regex }}
  restrict=ldap:///ou=hosts,dc=ynerant,dc=fr??one?(objectClass=device)
-constraint_attribute uid regex ^_
+constraint_attribute uid regex ^ynerant
  restrict=ldap:///ou=passwd,dc=ynerant,dc=fr??one?(objectClass=posixAccount)
 moduleload 		syncprov
@ -41,8 +41,8 @@ moduleload 		syncprov
 # TLS Certificates
 #TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
-TLSCertificateFile /etc/ldap/ldap.pem
+#TLSCertificateFile /etc/ldap/ldap.pem
-TLSCertificateKeyFile /etc/ldap/ldap.key
+#TLSCertificateKeyFile /etc/ldap/ldap.key
 # The maximum number of entries that is returned for a search operation
 sizelimit 500
@ -162,13 +162,13 @@ overlay syncprov
 access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
-        by set="[cn=nounou,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
+        by set="[cn=admin,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
        by dn="cn=replicator,dc=ynerant,dc=fr" read
        by * none
 access to attrs=loginShell,mail,telephoneNumber
        by self write
-        by set="[cn=nounou,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
+        by set="[cn=admin,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
        by dn="cn=replicator,dc=ynerant,dc=fr" read
        by * read
@ -186,7 +186,7 @@ access to dn.base="" by * read
 # The admin dn has full write access, everyone else
 # can read everything.
 access to *
-        by set="[cn=nounou,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
+        by set="[cn=admin,ou=group,dc=ynerant,dc=fr]/memberUid & user/uid" write
        by dn="cn=replicator,dc=ynerant,dc=fr" read
        by * read
 {% endif %}