Diffstat (limited to 'roles/openldap')
-rw-r--r--roles/openldap/README.md34
-rw-r--r--roles/openldap/defaults/main.yml1
-rw-r--r--roles/openldap/tasks/main.yml4
-rw-r--r--roles/openldap/tasks/schema.yml44
4 files changed, 83 insertions, 0 deletions
diff --git a/roles/openldap/README.md b/roles/openldap/README.md
new file mode 100644
index 0000000..ed34f52
--- /dev/null
+++ b/roles/openldap/README.md
@@ -0,0 +1,34 @@
+# openldap
+
+Example:
+
+```yaml
+---
+ldap:
+ o: 'Example Com'
+ base: 'dc=example,dc=com'
+ root_dn: 'cn=admin,dc=example,dc=com'
+ root_pw: 'admin'
+ root_pw_hash: '{SSHA}T4NWs0yED2vORnKH4fWMSicNH0n0jtwP'
+ tls:
+ enable: false
+ ca: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ schema:
+ - cn: openssh-lpk
+ olcAttributeTypes: "( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
+ DESC 'MANDATORY: OpenSSH Public key'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
+ olcObjectClasses: "( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MAY ( sshPublicKey $ uid )
+ )"
+
+```
+
+## Notes
+
+Schema have to be manually deleted in `/etc/ldap/slapd.d/cn=config/cn=schema`.
+be sure to remove all objects referencing the removed object BEFORE.
diff --git a/roles/openldap/defaults/main.yml b/roles/openldap/defaults/main.yml
index 17bb5bc..4d18343 100644
--- a/roles/openldap/defaults/main.yml
+++ b/roles/openldap/defaults/main.yml
@@ -10,4 +10,5 @@ ldap:
ca: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
key: '/etc/ssl/private/ssl-cert-snakeoil.key'
cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ schema: []
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index 594e30e..27aca52 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -73,6 +73,10 @@
state: present
become: yes
+- name: Install custom schema
+ include_tasks: schema.yml
+ loop: '{{ ldap.schema | default([]) }}'
+
#
# schema
#
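Review bot: The new "Install custom schema" task is inserted directly above the existing `# schema` banner comment, so it reads as the tail of the preceding section rather than as part of the schema section it belongs to; moving the task below the three banner lines keeps the file's section layout meaningful. The task body itself is fine, but since `include_tasks` is looped with the default `item` variable, any loop inside `schema.yml` would shadow it — if that ever becomes necessary, add `loop_control: loop_var: schema_item` here and rename the references in the included file. The surrounding task list continues outside this hunk.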
diff --git a/roles/openldap/tasks/schema.yml b/roles/openldap/tasks/schema.yml
new file mode 100644
index 0000000..64c7bc8
--- /dev/null
+++ b/roles/openldap/tasks/schema.yml
@@ -0,0 +1,44 @@
+- name: search for entry
+ community.general.ldap_search:
+ dn: 'cn=schema,cn=config'
+ filter: '(&(objectClass=olcSchemaConfig)(cn={*}openssh-lpk))'
+ scope: children
+ become: yes
+ register: schemareg
+
+- name: Check results
+ assert:
+ that:
+ - schemareg['failed'] == false
+ - schemareg['results'] | length <= 1
+ fail_msg: "More than one occurance of {{ item['cn'] }}! clean them out."
+
+- name: "Install schema: create entry"
+ community.general.ldap_entry:
+ dn: 'cn={{ item["cn"] }},cn=schema,cn=config'
+ state: present
+ objectClass: olcSchemaConfig
+ become: yes
+ when: schemareg['results'] | length == 0
+
+- name: "Install schema: set attributes"
+ community.general.ldap_attrs:
+ dn: '{{ item["cn"] }},cn=schema,cn=config'
+ state: present
+ attributes:
+ objectClass: olcSchemaConfig
+ olcAttributeTypes: '{{ item["olcAttributeTypes"] }}'
+ olcObjectClasses: '{{ item["olcObjectClasses"] }}'
+ become: yes
+ when: schemareg['results'] | length == 0
+
+- name: Update schema
+ community.general.ldap_attrs:
+ dn: '{{ schemareg["results"][0]["dn"] }}'
+ state: exact
+ attributes:
+ objectClass: olcSchemaConfig
+ olcAttributeTypes: '{{ item["olcAttributeTypes"] }}'
+ olcObjectClasses: '{{ item["olcObjectClasses"] }}'
+ become: yes
+ when: schemareg['results'] | length > 0
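Review bot: The search filter in the first task hardcodes `openssh-lpk` while every later task keys off `item['cn']`, so for any schema entry other than openssh-lpk the lookup matches the wrong entry (or none) and the create/update branches then act on mismatched data; it should be `filter: '(&(objectClass=olcSchemaConfig)(cn={*}{{ item["cn"] }}))'`. The `dn` of the "Install schema: set attributes" task is also missing the `cn=` RDN prefix that the create task uses, so the attribute write targets a DN that does not exist; change it to `dn: 'cn={{ item["cn"] }},cn=schema,cn=config'`. The `schemareg['failed'] == false` assertion appears unreachable as written, because a failing `ldap_search` aborts the play before the assert runs unless `ignore_errors` is set, which this hunk does not do — either drop it or add `ignore_errors: true` to the search task so the assert actually reports the failure with the intended message.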