OpenLDAP: External auth group to allow reading password

author: Jonas Gunz <himself@jonasgunz.de> 2022-07-19 00:07:15 +0200
committer: Jonas Gunz <himself@jonasgunz.de> 2022-07-19 00:07:15 +0200
commit: ff374a7a4fe2191e494e75d02e3307efa23f4168 (patch)
tree: 19400060bef2b4ec25264b30edf45dcba1fdf839 /roles
parent: 2c57b5370c6cd44f700985132f360c15d2664ebf (diff)
download: ansible_collection-ff374a7a4fe2191e494e75d02e3307efa23f4168.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index 27aca52..444f47f 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -92,6 +92,7 @@
         - >-
           {0}to attrs=userPassword
           by self write
+          by group/groupOfNames/member=cn=external_auth,ou=groups,{{ ldap.base }} read
           by anonymous auth
           by * none
         - >-
@@ -139,13 +140,16 @@
 
 - name: Create LDAP Admin group
   community.general.ldap_entry:
-    dn: 'cn=ldap_admin,ou=groups,{{ ldap.base }}'
+    dn: 'cn={{ item }},ou=groups,{{ ldap.base }}'
     objectClass:
       - groupOfNames
       - top
     attributes:
-      cn: 'ldap_admin'
+      cn: '{{ item }}'
       member: ''
     server_uri: ldap://localhost
     bind_dn: '{{ ldap.root_dn }}'
     bind_pw: '{{ ldap.root_pw }}'
+  loop:
+    - ldap_admin
+    - external_auth
author	Jonas Gunz <himself@jonasgunz.de>	2022-07-19 00:07:15 +0200
committer	Jonas Gunz <himself@jonasgunz.de>	2022-07-19 00:07:15 +0200
commit	ff374a7a4fe2191e494e75d02e3307efa23f4168 (patch)
tree	19400060bef2b4ec25264b30edf45dcba1fdf839 /roles
parent	2c57b5370c6cd44f700985132f360c15d2664ebf (diff)
download	ansible_collection-ff374a7a4fe2191e494e75d02e3307efa23f4168.tar.gz