diff options
author | Jonas Gunz <himself@jonasgunz.de> | 2023-07-27 21:46:38 +0200 |
---|---|---|
committer | Jonas Gunz <himself@jonasgunz.de> | 2023-07-27 21:46:38 +0200 |
commit | 7ad67630c40c0669cc1c140ff2d42311fb780b47 (patch) | |
tree | 1c4d97ca3acea54f842c10b15eed71edb4d8e86d | |
parent | b1030896c67c59c12db51a65d842169d3b73339a (diff) | |
download | ansible_collection-7ad67630c40c0669cc1c140ff2d42311fb780b47.tar.gz |
openldap move access control to hostettings
-rw-r--r-- | galaxy.yml | 2 | ||||
-rw-r--r-- | roles/openldap/README.md | 26 | ||||
-rw-r--r-- | roles/openldap/defaults/main.yml | 26 | ||||
-rw-r--r-- | roles/openldap/tasks/main.yml | 35 | ||||
-rw-r--r-- | roles/openldap/tasks/schema.yml | 2 |
5 files changed, 56 insertions, 35 deletions
@@ -1,6 +1,6 @@ namespace: kompetenzbolzen name: stuff -version: 0.19.2 +version: 0.20.0 readme: README.md authors: - Jonas Gunz <himself@jonasgunz.de> diff --git a/roles/openldap/README.md b/roles/openldap/README.md index ed34f52..fb30537 100644 --- a/roles/openldap/README.md +++ b/roles/openldap/README.md @@ -25,7 +25,31 @@ ldap: DESC 'MANDATORY: OpenSSH LPK objectclass' MAY ( sshPublicKey $ uid ) )" - + ous: + - users + - apps + - groups + - unixgroups + groupsofnames: + in: 'ou=groups,dc=example,dc=com' + names: + - ldap_admin + - external_auth + access_control: + - >- + {0}to attrs=userPassword + by self write + by group/groupOfNames/member=cn=external_auth,ou=groups,dc=example,dc=com read + by anonymous auth + by * none + - >- + {1}to attrs=shadowLastChange + by self write + by * read + - >- + {2}to * + by users read + by group/groupOfNames/member=cn=ldap_admin,ou=groups,dc=example,dc=com manage ``` ## Notes diff --git a/roles/openldap/defaults/main.yml b/roles/openldap/defaults/main.yml index 4d18343..63094ee 100644 --- a/roles/openldap/defaults/main.yml +++ b/roles/openldap/defaults/main.yml @@ -11,4 +11,28 @@ ldap: key: '/etc/ssl/private/ssl-cert-snakeoil.key' cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem' schema: [] - + ous: + - users + - apps + - groups + - unixgroups + groupsofnames: + in: 'ou=groups,dc=example,dc=com' + names: + - ldap_admin + - external_auth + access_control: + - >- + {0}to attrs=userPassword + by self write + by group/groupOfNames/member=cn=external_auth,ou=groups,dc=example,dc=com read + by anonymous auth + by * none + - >- + {1}to attrs=shadowLastChange + by self write + by * read + - >- + {2}to * + by users read + by group/groupOfNames/member=cn=ldap_admin,ou=groups,dc=example,dc=com manage diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml index 444f47f..ce5df73 100644 --- a/roles/openldap/tasks/main.yml +++ b/roles/openldap/tasks/main.yml @@ -8,13 +8,6 @@ - python3-ldap become: yes -- name: Check for changed cert - command: /bin/true - when: - - cert_changed - notify: - - Restart slapd - # # Global server config # @@ -88,21 +81,7 @@ dn: olcDatabase={1}mdb,cn=config attributes: olcSuffix: '{{ ldap.base }}' - olcAccess: - - >- - {0}to attrs=userPassword - by self write - by group/groupOfNames/member=cn=external_auth,ou=groups,{{ ldap.base }} read - by anonymous auth - by * none - - >- - {1}to attrs=shadowLastChange - by self write - by * read - - >- - {2}to * - by users read - by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage + olcAccess: '{{ ldap.access_control }}' olcRootDN: '{{ ldap.root_dn }}' olcRootPW: '{{ ldap.root_pw_hash }}' state: exact @@ -132,15 +111,11 @@ server_uri: ldap://localhost bind_dn: '{{ ldap.root_dn }}' bind_pw: '{{ ldap.root_pw }}' - loop: - - users - - apps - - groups - - unixgroups + loop: '{{ ldap.ous }}' - name: Create LDAP Admin group community.general.ldap_entry: - dn: 'cn={{ item }},ou=groups,{{ ldap.base }}' + dn: 'cn={{ item }},{{ ldap.groupsofnames.in }}' objectClass: - groupOfNames - top @@ -150,6 +125,4 @@ server_uri: ldap://localhost bind_dn: '{{ ldap.root_dn }}' bind_pw: '{{ ldap.root_pw }}' - loop: - - ldap_admin - - external_auth + loop: '{{ ldap.groupsofnames.names }}' diff --git a/roles/openldap/tasks/schema.yml b/roles/openldap/tasks/schema.yml index 64c7bc8..4d71432 100644 --- a/roles/openldap/tasks/schema.yml +++ b/roles/openldap/tasks/schema.yml @@ -1,7 +1,7 @@ - name: search for entry community.general.ldap_search: dn: 'cn=schema,cn=config' - filter: '(&(objectClass=olcSchemaConfig)(cn={*}openssh-lpk))' + filter: '(&(objectClass=olcSchemaConfig)(cn={*}{{ item["cn"] }}))' scope: children become: yes register: schemareg |