From 7ad67630c40c0669cc1c140ff2d42311fb780b47 Mon Sep 17 00:00:00 2001
From: Jonas Gunz
Date: Thu, 27 Jul 2023 21:46:38 +0200
Subject: openldap move access control to hostettings
---
roles/openldap/tasks/main.yml | 35 ++++-------------------------------
roles/openldap/tasks/schema.yml | 2 +-
2 files changed, 5 insertions(+), 32 deletions(-)
(limited to 'roles/openldap/tasks')
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
index 444f47f..ce5df73 100644
--- a/roles/openldap/tasks/main.yml
+++ b/roles/openldap/tasks/main.yml
@@ -8,13 +8,6 @@
- python3-ldap become: yes
-- name: Check for changed cert command: /bin/true when: - cert_changed notify: - Restart slapd # # Global server config #
@@ -88,21 +81,7 @@
dn: olcDatabase={1}mdb,cn=config attributes: olcSuffix: '{{ ldap.base }}'
- olcAccess: - >- {0}to attrs=userPassword by self write by group/groupOfNames/member=cn=external_auth,ou=groups,{{ ldap.base }} read by anonymous auth by * none - >- {1}to attrs=shadowLastChange by self write by * read - >- {2}to * by users read by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage
+ olcAccess: '{{ ldap.access_control }}' olcRootDN: '{{ ldap.root_dn }}' olcRootPW: '{{ ldap.root_pw_hash }}' state: exact
@@ -132,15 +111,11 @@
server_uri: ldap://localhost bind_dn: '{{ ldap.root_dn }}' bind_pw: '{{ ldap.root_pw }}'
- loop: - users - apps - groups - unixgroups
+ loop: '{{ ldap.ous }}' - name: Create LDAP Admin group community.general.ldap_entry:
- dn: 'cn={{ item }},ou=groups,{{ ldap.base }}'
+ dn: 'cn={{ item }},{{ ldap.groupsofnames.in }}' objectClass: - groupOfNames - top
@@ -150,6 +125,4 @@
server_uri: ldap://localhost bind_dn: '{{ ldap.root_dn }}' bind_pw: '{{ ldap.root_pw }}'
- loop: - ldap_admin - external_auth
+ loop: '{{ ldap.groupsofnames.names }}'
diff --git a/roles/openldap/tasks/schema.yml b/roles/openldap/tasks/schema.yml
index 64c7bc8..4d71432 100644
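Review bot: With `state: exact`, whatever `ldap.access_control` expands to becomes the entire olcAccess set for `olcDatabase={1}mdb`, so an empty list in host settings (as far as I can tell from the module's exact semantics) strips the ACL rather than failing, and slapd then falls back to its documented default of `to * by * read`, which lets anonymous binds read userPassword hashes — exactly what the removed `by anonymous auth` / `by * none` rule prevented. Guard the variable before this task: `- assert:` / `    that: ldap.access_control | length > 0` / `    fail_msg: "ldap.access_control must carry the olcAccess rules for {{ ldap.base }}"`. A comment above `olcAccess: '{{ ldap.access_control }}'` such as `# olcAccess comes from host settings: entries need {N} ordering prefixes, keep the userPassword rule first` would also tell host-settings authors that rule ordering is now their responsibility. The ldap_attrs task this hunk patches starts before the hunk.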
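Review bot: `ldap.ous` and `ldap.groupsofnames.in` are now two unrelated host-settings values, so nothing ensures the container the groups are created in (previously `ou=groups,{{ ldap.base }}`, which the OU loop directly above created) is among the OUs this play creates; a mismatch surfaces as a noSuchObject error from the `ldap_entry` call rather than as a clear configuration error. An assert between the two tasks makes the coupling explicit, assuming `ldap.ous` still holds bare OU names as the removed list did (`split` needs ansible-core 2.11+): `- assert:` / `    that: (ldap.groupsofnames.in | split(',') | first | regex_replace('^ou=', '')) in ldap.ous` / `    fail_msg: "ldap.groupsofnames.in must sit under one of ldap.ous"`. Deriving `ldap.groupsofnames.in` from an entry of `ldap.ous` in the host settings would remove the duplication altogether. The task is also still named `Create LDAP Admin group` although it now creates every entry in `ldap.groupsofnames.names`; `Create groupOfNames groups` describes the new behaviour. Both tasks touched here continue outside the hunk.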
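Review bot: The groups created here and the groups the ACL grants rights to no longer come from the same place — `ldap_admin` and `external_auth` used to be hard-coded both in this loop and in the olcAccess rules, but now the loop reads `ldap.groupsofnames.names` while the rules come from `ldap.access_control`. slapd treats a `by group/groupOfNames/member=<dn>` clause whose group entry does not exist as simply not matching and moves on to the next `by` clause, so a renamed or missing group silently drops admin `manage` or external_auth's read access without any Ansible failure. At minimum assert the relationship the ACL is expected to rely on, e.g. `- assert:` / `    that: "'ldap_admin' in ldap.groupsofnames.names"` / `    fail_msg: "the admin group referenced by ldap.access_control is not created"`, or generate the group DNs inside `ldap.access_control` from `ldap.groupsofnames.in` and `.names` in the host settings so they cannot diverge. The ldap_entry task this loop belongs to starts before the hunk.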
--- a/roles/openldap/tasks/schema.yml
+++ b/roles/openldap/tasks/schema.yml
@@ -1,7 +1,7 @@
- name: search for entry community.general.ldap_search: dn: 'cn=schema,cn=config'
- filter: '(&(objectClass=olcSchemaConfig)(cn={*}openssh-lpk))'
+ filter: '(&(objectClass=olcSchemaConfig)(cn={*}{{ item["cn"] }}))' scope: children become: yes register: schemareg
-- cgit v1.2.3
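Review bot: `item["cn"]` is spliced into the LDAP search filter without escaping, so a value containing `(`, `)`, `*`, `\` or a NUL byte changes the filter's structure instead of being matched literally (RFC 4515 requires those characters to be escaped). The items presumably come from the role's own schema list rather than from untrusted input, which limits the impact, but the constraint is invisible to whoever adds the next schema; a guard before this search, `- assert:` / `    that: item.cn is match('^[A-Za-z0-9._-]+$')`, or at least a comment above `filter:` such as `# item.cn must be a bare schema name: it is inserted into the filter unescaped` makes it explicit. For consistency with the rest of the role (`ldap.base`, `ldap.root_dn`), dotted access `item.cn` reads better than `item["cn"]`. The loop that supplies `item` is outside this file.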