author | Jonas Gunz <himself@jonasgunz.de> | 2023-07-27 21:46:38 +0200 |
---|---|---|
committer | Jonas Gunz <himself@jonasgunz.de> | 2023-07-27 21:46:38 +0200 |
commit | 7ad67630c40c0669cc1c140ff2d42311fb780b47 (patch) | |
tree | 1c4d97ca3acea54f842c10b15eed71edb4d8e86d /roles | |
parent | b1030896c67c59c12db51a65d842169d3b73339a (diff) | |
openldap move access control to hostettings
Diffstat (limited to 'roles')
-rw-r--r-- | roles/openldap/README.md | 26 | ||||
-rw-r--r-- | roles/openldap/defaults/main.yml | 26 | ||||
-rw-r--r-- | roles/openldap/tasks/main.yml | 35 | ||||
-rw-r--r-- | roles/openldap/tasks/schema.yml | 2 |
4 files changed, 55 insertions, 34 deletions
diff --git a/roles/openldap/README.md b/roles/openldap/README.md index ed34f52..fb30537 100644 --- a/roles/openldap/README.md +++ b/roles/openldap/README.md @@ -25,7 +25,31 @@ ldap: DESC 'MANDATORY: OpenSSH LPK objectclass' MAY ( sshPublicKey $ uid ) )" - + ous: + - users + - apps + - groups + - unixgroups + groupsofnames: + in: 'ou=groups,dc=example,dc=com' + names: + - ldap_admin + - external_auth + access_control: + - >- + {0}to attrs=userPassword + by self write + by group/groupOfNames/member=cn=external_auth,ou=groups,dc=example,dc=com read + by anonymous auth + by * none + - >- + {1}to attrs=shadowLastChange + by self write + by * read + - >- + {2}to * + by users read + by group/groupOfNames/member=cn=ldap_admin,ou=groups,dc=example,dc=com manage ``` ## Notes diff --git a/roles/openldap/defaults/main.yml b/roles/openldap/defaults/main.yml index 4d18343..63094ee 100644 --- a/roles/openldap/defaults/main.yml +++ b/roles/openldap/defaults/main.yml @@ -11,4 +11,28 @@ ldap: key: '/etc/ssl/private/ssl-cert-snakeoil.key' cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem' schema: [] - + ous: + - users + - apps + - groups + - unixgroups + groupsofnames: + in: 'ou=groups,dc=example,dc=com' + names: + - ldap_admin + - external_auth + access_control: + - >- + {0}to attrs=userPassword + by self write + by group/groupOfNames/member=cn=external_auth,ou=groups,dc=example,dc=com read + by anonymous auth + by * none + - >- + {1}to attrs=shadowLastChange + by self write + by * read + - >- + {2}to * + by users read + by group/groupOfNames/member=cn=ldap_admin,ou=groups,dc=example,dc=com manage diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml index 444f47f..ce5df73 100644 --- a/roles/openldap/tasks/main.yml +++ b/roles/openldap/tasks/main.yml @@ -8,13 +8,6 @@ - python3-ldap become: yes -- name: Check for changed cert - command: /bin/true - when: - - cert_changed - notify: - - Restart slapd - # # Global server config # 
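Review bot: The new `access_control` and `groupsofnames.in` defaults in roles/openldap/defaults/main.yml embed the literal `dc=example,dc=com`, whereas the task lines they replace (hunk `@@ -88,21 +81,7 @@` of roles/openldap/tasks/main.yml, and the `ou=groups,{{ ldap.base }}` DN in hunk `@@ -132,15 +111,11 @@`) derived every group DN from `{{ ldap.base }}`. A host that overrides `ldap.base` but keeps the default ACLs ends up with `by group/...` clauses naming a group that does not exist; as far as I know slapd accepts such a clause and simply never matches it, so `external_auth` silently loses read on userPassword and `ldap_admin` silently loses `manage`, while the groupOfNames entries would presumably fail to be created under a parent that is not there. Referencing `{{ ldap.base }}` from inside the same `ldap` dict may trip Ansible's recursive-template detection, so either give the base DN its own top-level variable or at least add a comment above `access_control:` such as `# NOTE: the group DNs below must agree with ldap.base -- override access_control and groupsofnames.in together with base`. The `{0}`/`{1}`/`{2}` prefixes also deserve a one-line comment stating that olcAccess is first-match ordered and `state: exact` replaces the whole list.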
@@ -88,21 +81,7 @@ dn: olcDatabase={1}mdb,cn=config attributes: olcSuffix: '{{ ldap.base }}' - olcAccess: - - >- - {0}to attrs=userPassword - by self write - by group/groupOfNames/member=cn=external_auth,ou=groups,{{ ldap.base }} read - by anonymous auth - by * none - - >- - {1}to attrs=shadowLastChange - by self write - by * read - - >- - {2}to * - by users read - by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage + olcAccess: '{{ ldap.access_control }}' olcRootDN: '{{ ldap.root_dn }}' olcRootPW: '{{ ldap.root_pw_hash }}' state: exact @@ -132,15 +111,11 @@ server_uri: ldap://localhost bind_dn: '{{ ldap.root_dn }}' bind_pw: '{{ ldap.root_pw }}' - loop: - - users - - apps - - groups - - unixgroups + loop: '{{ ldap.ous }}' - name: Create LDAP Admin group community.general.ldap_entry: - dn: 'cn={{ item }},ou=groups,{{ ldap.base }}' + dn: 'cn={{ item }},{{ ldap.groupsofnames.in }}' objectClass: - groupOfNames - top @@ -150,6 +125,4 @@ server_uri: ldap://localhost bind_dn: '{{ ldap.root_dn }}' bind_pw: '{{ ldap.root_pw }}' - loop: - - ldap_admin - - external_auth + loop: '{{ ldap.groupsofnames.names }}' diff --git a/roles/openldap/tasks/schema.yml b/roles/openldap/tasks/schema.yml index 64c7bc8..4d71432 100644 --- a/roles/openldap/tasks/schema.yml +++ b/roles/openldap/tasks/schema.yml @@ -1,7 +1,7 @@ - name: search for entry community.general.ldap_search: dn: 'cn=schema,cn=config' - filter: '(&(objectClass=olcSchemaConfig)(cn={*}openssh-lpk))' + filter: '(&(objectClass=olcSchemaConfig)(cn={*}{{ item["cn"] }}))' scope: children become: yes register: schemareg |
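Review bot: In roles/openldap/tasks/schema.yml `item["cn"]` is interpolated straight into the LDAP search filter on the `filter:` line, so a schema entry whose `cn` contains filter metacharacters (`(`, `)`, `*`, `\`) yields a malformed or over-broad filter and the registered `schemareg` result no longer reflects that single schema. The value comes from the role's own `ldap.schema` list rather than from LDAP clients, so this is an operator-error hazard rather than an injection path, but an `ansible.builtin.assert` on `item.cn is match('^[A-Za-z0-9_.-]+$')` ahead of this task, or escaping the value with `regex_replace` before use, would make the lookup robust. Where `item` is bound (presumably an include loop over `ldap.schema`) lies outside the hunk.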