authorGravatar Jonas Gunz <himself@jonasgunz.de> 2023-07-27 21:46:38 +0200
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2023-07-27 21:46:38 +0200
commit7ad67630c40c0669cc1c140ff2d42311fb780b47 (patch)
tree1c4d97ca3acea54f842c10b15eed71edb4d8e86d
parentb1030896c67c59c12db51a65d842169d3b73339a (diff)
downloadansible_collection-7ad67630c40c0669cc1c140ff2d42311fb780b47.tar.gz
openldap move access control to hostettings
-rw-r--r--galaxy.yml2
-rw-r--r--roles/openldap/README.md26
-rw-r--r--roles/openldap/defaults/main.yml26
-rw-r--r--roles/openldap/tasks/main.yml35
-rw-r--r--roles/openldap/tasks/schema.yml2
5 files changed, 56 insertions, 35 deletions
diff --git a/galaxy.yml b/galaxy.yml
index 5ebf08c..7c647e1 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
namespace: kompetenzbolzen
name: stuff
-version: 0.19.2
+version: 0.20.0
readme: README.md
authors:
- Jonas Gunz <himself@jonasgunz.de>
diff --git a/roles/openldap/README.md b/roles/openldap/README.md
index ed34f52..fb30537 100644
--- a/roles/openldap/README.md
+++ b/roles/openldap/README.md
@@ -25,7 +25,31 @@ ldap:
DESC 'MANDATORY: OpenSSH LPK objectclass'
MAY ( sshPublicKey $ uid )
)"
-
+ ous:
+ - users
+ - apps
+ - groups
+ - unixgroups
+ groupsofnames:
+ in: 'ou=groups,dc=example,dc=com'
+ names:
+ - ldap_admin
+ - external_auth
+ access_control:
+ - >-
+ {0}to attrs=userPassword
+ by self write
+ by group/groupOfNames/member=cn=external_auth,ou=groups,dc=example,dc=com read
+ by anonymous auth
+ by * none
+ - >-
+ {1}to attrs=shadowLastChange
+ by self write
+ by * read
+ - >-
+ {2}to *
+ by users read
+ by group/groupOfNames/member=cn=ldap_admin,ou=groups,dc=example,dc=com manage
```
## Notes
diff --git a/roles/openldap/defaults/main.yml b/roles/openldap/defaults/main.yml
index 4d18343..63094ee 100644
--- a/roles/openldap/defaults/main.yml
+++ b/roles/openldap/defaults/main.yml
@@ -11,4 +11,28 @@ ldap:
key: '/etc/ssl/private/ssl-cert-snakeoil.key'
cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
schema: []
-
+ ous:
+ - users
+ - apps
+ - groups
+ - unixgroups
+ groupsofnames:
+ in: 'ou=groups,dc=example,dc=com'
+ names:
+ - ldap_admin
+ - external_auth
+ access_control:
+ - >-
+ {0}to attrs=userPassword
+ by self write
+ by group/groupOfNames/member=cn=external_auth,ou=groups,dc=example,dc=com read
+ by anonymous auth
+ by * none
+ - >-
+ {1}to attrs=shadowLastChange
+ by self write
+ by * read
+ - >-
+ {2}to *
+ by users read
+ by group/groupOfNames/member=cn=ldap_admin,ou=groups,dc=example,dc=com manage
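Review bot: The new `access_control` and `groupsofnames.in` defaults hard-code `dc=example,dc=com`, whereas the `olcAccess` rules they replace in tasks/main.yml were built from `{{ ldap.base }}`; a host that overrides only `ldap.base` now gets ACLs that name `cn=ldap_admin,ou=groups,dc=example,dc=com` and `cn=external_auth,...`, groups that do not exist under its suffix, so the `manage` grant silently applies to nobody and the `{0}` userPassword rule falls through to `by * none` (fails closed, but the role's own admin group, created at `{{ ldap.groupsofnames.in }}` in the `dn:` hunk of tasks/main.yml, then lives outside the directory's suffix). Referencing `{{ ldap.base }}` from inside the `ldap` mapping would presumably hit Ansible's recursive-template error, which is likely why the suffix was inlined; the practical fix is either to lift these two keys to top-level variables that can template `ldap.base`, or to document the coupling next to them, e.g. `# access_control and groupsofnames.in embed the base DN: override them together with ldap.base`. The same applies to the `olcAccess: '{{ ldap.access_control }}'` and `dn: 'cn={{ item }},{{ ldap.groupsofnames.in }}'` lines in tasks/main.yml and to the README example, which shows the hard-coded suffix verbatim.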
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index 444f47f..ce5df73 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -8,13 +8,6 @@
- python3-ldap
become: yes
-- name: Check for changed cert
- command: /bin/true
- when:
- - cert_changed
- notify:
- - Restart slapd
-
#
# Global server config
#
@@ -88,21 +81,7 @@
dn: olcDatabase={1}mdb,cn=config
attributes:
olcSuffix: '{{ ldap.base }}'
- olcAccess:
- - >-
- {0}to attrs=userPassword
- by self write
- by group/groupOfNames/member=cn=external_auth,ou=groups,{{ ldap.base }} read
- by anonymous auth
- by * none
- - >-
- {1}to attrs=shadowLastChange
- by self write
- by * read
- - >-
- {2}to *
- by users read
- by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage
+ olcAccess: '{{ ldap.access_control }}'
olcRootDN: '{{ ldap.root_dn }}'
olcRootPW: '{{ ldap.root_pw_hash }}'
state: exact
@@ -132,15 +111,11 @@
server_uri: ldap://localhost
bind_dn: '{{ ldap.root_dn }}'
bind_pw: '{{ ldap.root_pw }}'
- loop:
- - users
- - apps
- - groups
- - unixgroups
+ loop: '{{ ldap.ous }}'
- name: Create LDAP Admin group
community.general.ldap_entry:
- dn: 'cn={{ item }},ou=groups,{{ ldap.base }}'
+ dn: 'cn={{ item }},{{ ldap.groupsofnames.in }}'
objectClass:
- groupOfNames
- top
@@ -150,6 +125,4 @@
server_uri: ldap://localhost
bind_dn: '{{ ldap.root_dn }}'
bind_pw: '{{ ldap.root_pw }}'
- loop:
- - ldap_admin
- - external_auth
+ loop: '{{ ldap.groupsofnames.names }}'
diff --git a/roles/openldap/tasks/schema.yml b/roles/openldap/tasks/schema.yml
index 64c7bc8..4d71432 100644
--- a/roles/openldap/tasks/schema.yml
+++ b/roles/openldap/tasks/schema.yml
@@ -1,7 +1,7 @@
- name: search for entry
community.general.ldap_search:
dn: 'cn=schema,cn=config'
- filter: '(&(objectClass=olcSchemaConfig)(cn={*}openssh-lpk))'
+ filter: '(&(objectClass=olcSchemaConfig)(cn={*}{{ item["cn"] }}))'
scope: children
become: yes
register: schemareg
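Review bot: The new `filter:` line interpolates `item["cn"]` into an LDAP search filter unescaped, so a `cn` containing RFC 4515 metacharacters (`*`, `(`, `)`, `\`) produces a malformed or wider-than-intended filter and `schemareg` may then match the wrong schema entry or none, which the later add/skip decision presumably keys on; the loop that supplies `item` is outside the hunk. Since `item` appears to come from the role's own `ldap.schema` list rather than end-user input, a guard is sufficient: an `ansible.builtin.assert` task before the search with `that: - item["cn"] is match("^[A-Za-z0-9_.-]+$")`, plus a comment on the filter, `# cn is interpolated into the filter verbatim; restricted to safe characters by the assert above`.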