authorGravatar Jonas Gunz <himself@jonasgunz.de> 2023-07-27 21:46:38 +0200
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2023-07-27 21:46:38 +0200
commit7ad67630c40c0669cc1c140ff2d42311fb780b47 (patch)
tree1c4d97ca3acea54f842c10b15eed71edb4d8e86d /roles/openldap/tasks
parentb1030896c67c59c12db51a65d842169d3b73339a (diff)
openldap move access control to host settings
Diffstat (limited to 'roles/openldap/tasks')
-rw-r--r--roles/openldap/tasks/main.yml35
-rw-r--r--roles/openldap/tasks/schema.yml2
2 files changed, 5 insertions, 32 deletions
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index 444f47f..ce5df73 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -8,13 +8,6 @@
- python3-ldap
become: yes
-- name: Check for changed cert
- command: /bin/true
- when:
- - cert_changed
- notify:
- - Restart slapd
-
#
# Global server config
#
@@ -88,21 +81,7 @@
dn: olcDatabase={1}mdb,cn=config
attributes:
olcSuffix: '{{ ldap.base }}'
- olcAccess:
- - >-
- {0}to attrs=userPassword
- by self write
- by group/groupOfNames/member=cn=external_auth,ou=groups,{{ ldap.base }} read
- by anonymous auth
- by * none
- - >-
- {1}to attrs=shadowLastChange
- by self write
- by * read
- - >-
- {2}to *
- by users read
- by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage
+ olcAccess: '{{ ldap.access_control }}'
olcRootDN: '{{ ldap.root_dn }}'
olcRootPW: '{{ ldap.root_pw_hash }}'
state: exact
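Review bot: With `state: exact` on the last line of this hunk, whatever `ldap.access_control` expands to replaces the whole olcAccess attribute, and the hunk keeps no default, so an empty or partially defined host setting silently wipes or weakens the ACL instead of falling back to the rules removed here (if I read slapd's defaults correctly, a database with no matching olcAccess rule falls back to the global default policy rather than the explicit `by * none` the old third rule spelled out). A validation task before this one would make the role fail early rather than write a bad ACL; the role README should also state the expected shape, an ordered list of `{n}to ... by ...` strings ending with a catch-all rule. The enclosing task starts outside the hunk.
```yaml
- name: Validate LDAP access control rules
  ansible.builtin.assert:
    that:
      - ldap.access_control is defined
      - ldap.access_control is sequence
      - ldap.access_control | length > 0
    fail_msg: "ldap.access_control must be a non-empty list of olcAccess rules"
# … unchanged: mdb database config task …
```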
@@ -132,15 +111,11 @@
server_uri: ldap://localhost
bind_dn: '{{ ldap.root_dn }}'
bind_pw: '{{ ldap.root_pw }}'
- loop:
- - users
- - apps
- - groups
- - unixgroups
+ loop: '{{ ldap.ous }}'
- name: Create LDAP Admin group
community.general.ldap_entry:
- dn: 'cn={{ item }},ou=groups,{{ ldap.base }}'
+ dn: 'cn={{ item }},{{ ldap.groupsofnames.in }}'
objectClass:
- groupOfNames
- top
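Review bot: The group DN on `dn: 'cn={{ item }},{{ ldap.groupsofnames.in }}'` is now independent of both the OU list in `loop: '{{ ldap.ous }}'` and the group DNs the host's `ldap.access_control` rules reference, so nothing in the role ties the three together: an `ldap.groupsofnames.in` that is not one of the created OUs presumably makes this task fail, and one that differs from the DN written into the ACL leaves the admin and external_auth grants pointing at a group that does not exist. A comment above the task stating the coupling would help, e.g. `# ldap.groupsofnames.in must be an OU created via ldap.ous and must match the group DN used in ldap.access_control`. The same applies to `loop: '{{ ldap.groupsofnames.names }}'` in the next hunk; the task looping over ldap.ous begins outside this hunk.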
@@ -150,6 +125,4 @@
server_uri: ldap://localhost
bind_dn: '{{ ldap.root_dn }}'
bind_pw: '{{ ldap.root_pw }}'
- loop:
- - ldap_admin
- - external_auth
+ loop: '{{ ldap.groupsofnames.names }}'
diff --git a/roles/openldap/tasks/schema.yml b/roles/openldap/tasks/schema.yml
index 64c7bc8..4d71432 100644
--- a/roles/openldap/tasks/schema.yml
+++ b/roles/openldap/tasks/schema.yml
@@ -1,7 +1,7 @@
- name: search for entry
community.general.ldap_search:
dn: 'cn=schema,cn=config'
- filter: '(&(objectClass=olcSchemaConfig)(cn={*}openssh-lpk))'
+ filter: '(&(objectClass=olcSchemaConfig)(cn={*}{{ item["cn"] }}))'
scope: children
become: yes
register: schemareg
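Review bot: `item["cn"]` is spliced into the LDAP search filter on the `+` line with no escaping, so a schema entry whose cn contains filter metacharacters (`*`, `(`, `)`, `\`) would either break the search or match more than the intended schema, and whatever consumes `schemareg` afterwards would presumably act on the wrong result. The values come from role data rather than untrusted input, so a guard is enough: an assert at the top of the file such as `- ansible.builtin.assert: { that: item.cn is match('^[A-Za-z0-9_.-]+$') }`. The loop that supplies `item` is outside this file section, so the assumption that cn is a plain schema name should be documented where that loop is defined.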