From ff374a7a4fe2191e494e75d02e3307efa23f4168 Mon Sep 17 00:00:00 2001 From: Jonas Gunz Date: Tue, 19 Jul 2022 00:07:15 +0200 Subject: OpenLDAP: External auth group to allow reading password --- roles/openldap/tasks/main.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'roles/openldap') diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml index 27aca52..444f47f 100644 --- a/roles/openldap/tasks/main.yml +++ b/roles/openldap/tasks/main.yml @@ -92,6 +92,7 @@ - >- {0}to attrs=userPassword by self write + by group/groupOfNames/member=cn=external_auth,ou=groups,{{ ldap.base }} read by anonymous auth by * none - >- @@ -139,13 +140,16 @@ - name: Create LDAP Admin group community.general.ldap_entry: - dn: 'cn=ldap_admin,ou=groups,{{ ldap.base }}' + dn: 'cn={{ item }},ou=groups,{{ ldap.base }}' objectClass: - groupOfNames - top attributes: - cn: 'ldap_admin' + cn: '{{ item }}' member: '' server_uri: ldap://localhost bind_dn: '{{ ldap.root_dn }}' bind_pw: '{{ ldap.root_pw }}' + loop: + - ldap_admin + - external_auth -- cgit v1.2.3
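Review bot: The added `by group/groupOfNames/member=cn=external_auth,ou=groups,{{ ldap.base }} read` clause lets every member of that group retrieve the stored userPassword value itself, which is a broader grant than the `auth` privilege the same ACL already uses for anonymous binds (bind/compare only, hash never returned). If the external consumer only needs to verify credentials through a bind, `auth` is the narrower choice; if it genuinely needs the hash, that decision deserves a comment next to the clause, e.g. `# external_auth: members may read userPassword (hash), not just bind — needed by <consumer>`, with the consumer named. Ordering looks fine, since slapd stops at the first matching `by` clause and the new line sits after `by self write` and before `by anonymous auth`. The olcAccess item this clause belongs to starts and ends outside the hunk, so its `{0}` index and the surrounding rules could not be checked here.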
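Review bot: The task name `Create LDAP Admin group` no longer describes the task once `dn` and `cn` are templated from `{{ item }}` and a `loop` creates both `ldap_admin` and `external_auth`; rename it, e.g. `- name: Create LDAP groups (admin, external auth)`. Because membership of `external_auth` now confers read access to userPassword under the ACL in the first hunk, a short comment above the `external_auth` loop item stating that membership is security-sensitive would help the next maintainer, since `member: ''` creates the group empty and presumably members are added elsewhere. The task appears to begin at the hunk's first context line and end with the loop at its last line, though the sixteenth new-side line is not visible in the collapsed text.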