From ff374a7a4fe2191e494e75d02e3307efa23f4168 Mon Sep 17 00:00:00 2001
From: Jonas Gunz
Date: Tue, 19 Jul 2022 00:07:15 +0200
Subject: OpenLDAP: External auth group to allow reading password

---
 galaxy.yml | 2 +-
 roles/openldap/tasks/main.yml | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/galaxy.yml b/galaxy.yml
index 3e49761..3f8eb5f 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -1,6 +1,6 @@
 namespace: kompetenzbolzen
 name: stuff
-version: 0.14.0
+version: 0.14.1
 readme: README.md
 authors:
 - Jonas Gunz
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index 27aca52..444f47f 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -92,6 +92,7 @@
 - >-
 {0}to attrs=userPassword
 by self write
+ by group/groupOfNames/member=cn=external_auth,ou=groups,{{ ldap.base }} read
 by anonymous auth
 by * none
 - >-
@@ -139,13 +140,16 @@
 - name: Create LDAP Admin group
 community.general.ldap_entry:
- dn: 'cn=ldap_admin,ou=groups,{{ ldap.base }}'
+ dn: 'cn={{ item }},ou=groups,{{ ldap.base }}'
 objectClass:
 - groupOfNames
 - top
 attributes:
- cn: 'ldap_admin'
+ cn: '{{ item }}'
 member: ''
 server_uri: ldap://localhost
 bind_dn: '{{ ldap.root_dn }}'
 bind_pw: '{{ ldap.root_pw }}'
+ loop:
+ - ldap_admin
+ - external_auth
--
cgit v1.2.3
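Review bot: The added `by group/groupOfNames/member=cn=external_auth,ou=groups,{{ ldap.base }} read` clause lets every member of external_auth retrieve the stored userPassword values (the hashes), which is a broader grant than verifying a password; OpenLDAP's `compare` level permits a compare operation on userPassword without disclosing the value, and `auth` covers bind only. If the external consumer genuinely needs the hash itself, that decision deserves a YAML comment above the `- >-` item that opens this rule, for example `# members of external_auth can read userPassword hashes and must be trusted accordingly`; a `#` inside the folded scalar would become part of the ACL text rather than a comment. Placement looks right, since slapd applies the first matching `by` clause and this one precedes `by anonymous auth`. The access-list task that contains this rule starts and ends outside the hunk.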
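Review bot: The task is still named `- name: Create LDAP Admin group` although it now loops over `ldap_admin` and `external_auth`; renaming it, e.g. `- name: Create LDAP groups`, keeps play output and `--list-tasks` honest. The loop also means external_auth is created with the same empty `member: ''` as the admin group, so as far as this hunk shows nothing is a member yet and the new ACL grants no one access until membership is managed elsewhere; a short comment above the `loop:` saying where members are added would make that explicit. The surrounding task list continues outside the hunk.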