Diffstat (limited to 'roles/openldap')
-rw-r--r-- | roles/openldap/README.md | 34 | ||||
-rw-r--r-- | roles/openldap/defaults/main.yml | 1 | ||||
-rw-r--r-- | roles/openldap/tasks/main.yml | 4 | ||||
-rw-r--r-- | roles/openldap/tasks/schema.yml | 44 |
4 files changed, 83 insertions, 0 deletions
diff --git a/roles/openldap/README.md b/roles/openldap/README.md
new file mode 100644
index 0000000..ed34f52
--- /dev/null
+++ b/roles/openldap/README.md
@@ -0,0 +1,34 @@
+# openldap
+
+Example:
+
+```yaml
+---
+ldap:
+ o: 'Example Com'
+ base: 'dc=example,dc=com'
+ root_dn: 'cn=admin,dc=example,dc=com'
+ root_pw: 'admin'
+ root_pw_hash: '{SSHA}T4NWs0yED2vORnKH4fWMSicNH0n0jtwP'
+ tls:
+ enable: false
+ ca: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ schema:
+ - cn: openssh-lpk
+ olcAttributeTypes: "( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
+ DESC 'MANDATORY: OpenSSH Public key'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )"
+ olcObjectClasses: "( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
+ DESC 'MANDATORY: OpenSSH LPK objectclass'
+ MAY ( sshPublicKey $ uid )
+ )"
+
+```
+
+## Notes
+
+Schema have to be manually deleted in `/etc/ldap/slapd.d/cn=config/cn=schema`.
+be sure to remove all objects referencing the removed object BEFORE.
diff --git a/roles/openldap/defaults/main.yml b/roles/openldap/defaults/main.yml
index 17bb5bc..4d18343 100644
--- a/roles/openldap/defaults/main.yml
+++ b/roles/openldap/defaults/main.yml
@@ -10,4 +10,5 @@ ldap:
 ca: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
 key: '/etc/ssl/private/ssl-cert-snakeoil.key'
 cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ schema: []
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index 594e30e..27aca52 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -73,6 +73,10 @@
 state: present
 become: yes
+- name: Install custom schema
+ include_tasks: schema.yml
+ loop: '{{ ldap.schema | default([]) }}'
+
 #
 # schema
 #
diff --git a/roles/openldap/tasks/schema.yml b/roles/openldap/tasks/schema.yml
new file mode 100644
index 0000000..64c7bc8
--- /dev/null
+++ b/roles/openldap/tasks/schema.yml
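Review bot: The `loop: '{{ ldap.schema | default([]) }}'` on the new `Install custom schema` task has no `loop_control`, so every iteration is labelled with the whole item, i.e. the full `olcAttributeTypes`/`olcObjectClasses` text, which makes play output and logs hard to read and to diff. Add `loop_control:` with `label: '{{ item.cn }}'` under the loop so only the schema name is printed. Since `include_tasks` is evaluated at runtime, the `item` variable is what `schema.yml` sees; a one-line comment above the task saying so, e.g. `# schema.yml is included once per entry of ldap.schema and reads it as `item``, would help the next reader.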
@@ -0,0 +1,44 @@
+- name: search for entry
+ community.general.ldap_search:
+ dn: 'cn=schema,cn=config'
+ filter: '(&(objectClass=olcSchemaConfig)(cn={*}openssh-lpk))'
+ scope: children
+ become: yes
+ register: schemareg
+
+- name: Check results
+ assert:
+ that:
+ - schemareg['failed'] == false
+ - schemareg['results'] | length <= 1
+ fail_msg: "More than one occurance of {{ item['cn'] }}! clean them out."
+
+- name: "Install schema: create entry"
+ community.general.ldap_entry:
+ dn: 'cn={{ item["cn"] }},cn=schema,cn=config'
+ state: present
+ objectClass: olcSchemaConfig
+ become: yes
+ when: schemareg['results'] | length == 0
+
+- name: "Install schema: set attributes"
+ community.general.ldap_attrs:
+ dn: '{{ item["cn"] }},cn=schema,cn=config'
+ state: present
+ attributes:
+ objectClass: olcSchemaConfig
+ olcAttributeTypes: '{{ item["olcAttributeTypes"] }}'
+ olcObjectClasses: '{{ item["olcObjectClasses"] }}'
+ become: yes
+ when: schemareg['results'] | length == 0
+
+- name: Update schema
+ community.general.ldap_attrs:
+ dn: '{{ schemareg["results"][0]["dn"] }}'
+ state: exact
+ attributes:
+ objectClass: olcSchemaConfig
+ olcAttributeTypes: '{{ item["olcAttributeTypes"] }}'
+ olcObjectClasses: '{{ item["olcObjectClasses"] }}'
+ become: yes
+ when: schemareg['results'] | length > 0 |
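Review bot: The search filter `(cn={*}openssh-lpk)` is hard-coded while the file is included once per `ldap.schema` item and the `fail_msg` already refers to `item['cn']`; for any second schema entry the search still matches openssh-lpk, the `Update schema` task then runs `state: exact` against `schemareg["results"][0]["dn"]` and silently replaces openssh-lpk's `olcAttributeTypes`/`olcObjectClasses` with the other item's definitions. The filter should be `"(&(objectClass=olcSchemaConfig)(cn={*}{{ item['cn'] }}))"`; this interpolates a playbook value into an LDAP filter unescaped, which is acceptable only as long as `ldap.schema` comes from trusted inventory, so a comment stating that assumption belongs next to it. The `set attributes` task also targets `'{{ item["cn"] }},cn=schema,cn=config'`, which lacks the `cn=` prefix and the `{N}` ordering index that cn=config assigns on creation, so it cannot address the entry the previous task just created; creating the entry with its attributes in one `ldap_entry` call avoids both the second lookup and the malformed DN.

```yaml
- name: search for entry
  community.general.ldap_search:
    dn: 'cn=schema,cn=config'
    # cn is taken from playbook vars and is not filter-escaped; keep ldap.schema trusted
    filter: "(&(objectClass=olcSchemaConfig)(cn={*}{{ item['cn'] }}))"
    scope: children
  become: yes
  register: schemareg

# … unchanged: Check results assert …

- name: "Install schema: create entry with attributes"
  community.general.ldap_entry:
    dn: 'cn={{ item["cn"] }},cn=schema,cn=config'
    state: present
    objectClass: olcSchemaConfig
    attributes:
      olcAttributeTypes: '{{ item["olcAttributeTypes"] }}'
      olcObjectClasses: '{{ item["olcObjectClasses"] }}'
  become: yes
  when: schemareg['results'] | length == 0

# … unchanged: Update schema task …
```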