author | Jonas Gunz <himself@jonasgunz.de> | 2023-07-27 21:46:38 +0200 |
---|---|---|
committer | Jonas Gunz <himself@jonasgunz.de> | 2023-07-27 21:46:38 +0200 |
commit | 7ad67630c40c0669cc1c140ff2d42311fb780b47 (patch) | |
tree | 1c4d97ca3acea54f842c10b15eed71edb4d8e86d /roles/openldap/tasks | |
parent | b1030896c67c59c12db51a65d842169d3b73339a (diff) | |
download | ansible_collection-7ad67630c40c0669cc1c140ff2d42311fb780b47.tar.gz |
openldap move access control to hostettings
Diffstat (limited to 'roles/openldap/tasks')
-rw-r--r-- | roles/openldap/tasks/main.yml | 35 | ||||
-rw-r--r-- | roles/openldap/tasks/schema.yml | 2 |
2 files changed, 5 insertions, 32 deletions
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index 444f47f..ce5df73 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -8,13 +8,6 @@
- python3-ldap
become: yes
-- name: Check for changed cert
- command: /bin/true
- when:
- - cert_changed
- notify:
- - Restart slapd
-
#
# Global server config
#
@@ -88,21 +81,7 @@
dn: olcDatabase={1}mdb,cn=config
attributes:
olcSuffix: '{{ ldap.base }}'
- olcAccess:
- >- {0}to attrs=userPassword by self write by group/groupOfNames/member=cn=external_auth,ou=groups,{{ ldap.base }} read by anonymous auth by * none
- >- {1}to attrs=shadowLastChange by self write by * read
- >- {2}to * by users read by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage
+ olcAccess: '{{ ldap.access_control }}'
olcRootDN: '{{ ldap.root_dn }}'
olcRootPW: '{{ ldap.root_pw_hash }}'
state: exact
@@ -132,15 +111,11 @@
server_uri: ldap://localhost
bind_dn: '{{ ldap.root_dn }}'
bind_pw: '{{ ldap.root_pw }}'
- loop:
- - users
- - apps
- - groups
- - unixgroups
+ loop: '{{ ldap.ous }}'
- name: Create LDAP Admin group
community.general.ldap_entry:
- dn: 'cn={{ item }},ou=groups,{{ ldap.base }}'
+ dn: 'cn={{ item }},{{ ldap.groupsofnames.in }}'
objectClass:
- groupOfNames
- top
@@ -150,6 +125,4 @@
server_uri: ldap://localhost
bind_dn: '{{ ldap.root_dn }}'
bind_pw: '{{ ldap.root_pw }}'
- loop:
- - ldap_admin
- - external_auth
+ loop: '{{ ldap.groupsofnames.names }}'
diff --git a/roles/openldap/tasks/schema.yml b/roles/openldap/tasks/schema.yml
index 64c7bc8..4d71432 100644
--- a/roles/openldap/tasks/schema.yml
+++ b/roles/openldap/tasks/schema.yml
@@ -1,7 +1,7 @@
- name: search for entry
community.general.ldap_search:
dn: 'cn=schema,cn=config'
- filter: '(&(objectClass=olcSchemaConfig)(cn={*}openssh-lpk))'
+ filter: '(&(objectClass=olcSchemaConfig)(cn={*}{{ item["cn"] }}))'
scope: children
become: yes
register: schemareg
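Review bot: Removing the `Check for changed cert` task in the first hunk also removes the only visible path that notifies `Restart slapd` when `cert_changed` is set, and nothing else in this commit adds a replacement, so after a certificate rotation slapd would presumably keep serving the old certificate until something unrelated restarts it. If the task that installs the certificate now notifies the handler directly, that is not visible in this diff; otherwise the notification should be kept, ideally as a `notify: Restart slapd` on the task that writes the certificate rather than a `/bin/true` placeholder. Since the commit message only mentions access control, the removal deserves either a sentence in the description or a comment where the task used to be, e.g. `# slapd restart on certificate change is triggered by <role/handler>` with the real owner filled in.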
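Review bot: In the second hunk, `olcAccess: '{{ ldap.access_control }}'` under `state: exact` means an empty `ldap.access_control` on a host strips every olcAccess rule from `olcDatabase={1}mdb` instead of failing (an undefined variable at least errors at templating time), and with no access directives slapd falls back to its documented default of read access for everyone, which would expose `userPassword` values that the removed inline rules limited to `by self write ... by anonymous auth by * none`. The `ldap_attrs` task's `name` and module line start above the hunk, so a guard belongs immediately before it. The DNs used in each host's ACL also have to match the groups this diff now creates from variables (`cn={{ item }},{{ ldap.groupsofnames.in }}` looped over `ldap.groupsofnames.names` in the third and fourth hunks), otherwise the `by group/...` clauses match nothing and the admin group loses `manage`; a comment next to `ldap.access_control` in the host settings stating that coupling would help.

```yaml
- name: Refuse to push an empty ACL to the mdb database
  ansible.builtin.assert:
    that:
      - ldap.access_control is defined
      - ldap.access_control | length > 0
    fail_msg: ldap.access_control must contain at least one olcAccess rule

# … unchanged: ldap_attrs task for olcDatabase={1}mdb,cn=config …
```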
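Review bot: In the schema.yml hunk `item["cn"]` is interpolated into the LDAP search filter unescaped, so a `cn` containing filter metacharacters (`*`, `(`, `)`, `\`) would change the query rather than be matched literally, and the `cn={*}...` prefix match would then register a wrong or empty `schemareg`. The loop supplying `item` and the rest of the task are outside the hunk. As long as the schema list comes from role variables this is a robustness rather than an exposure issue, but the assumption should be written down, e.g. `# item.cn is spliced into an LDAP filter without escaping; keep schema names to [A-Za-z0-9_-]`, or checked with an `assert` on the loop items before the search.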