criecm.openldap

Role Name
=========

Install OpenLDAP Server

Requirements


FreeBSD 11/12, Debian 8 (and newer versions)

Role Variables (default)


  • openldap_schemas ([core, cosine, inetorgperson, nis]) - LDAP schemas to include in the configuration. If a schema file exists at files/openldap/{{name}}.schema, it is copied to the server.

  • openldap_slave_rid (0) - unique replication identifier ('rid') for this slave, intended to be set in host variables; the other slave settings can be shared in playbook or group variables.

  • slapd_rc_flags ("-h 'ldap:/// ldaps:///'")

  • openldap_db_engine (mdb - or hdb for OpenBSD)

  • openldap_db_maxsize (1073741824)

  • openldap_bases ([]) A list of LDAP base dictionaries. Each base can include:

    • database (openldap_db_engine)
    • maxsize (openldap_db_maxsize) - estimated size in RAM
    • rootdn
    • suffix
    • directory (openldap_datadir, system-dependent) - required if more than one database
    • overlays ([]) - list of overlay names (modules will load if needed). Adding "syncrepl" here sets up the server as a syncrepl master.
    • includes ([]) - List of files to include; relative paths are for the playbook and will be placed in the destination directory.
    • slave: dictionary ({}) - configures this server as a slave (using the syncrepl protocol)
      • rid (openldap_slave_rid)
      • provider
      • searchbase (suffix)
      • binddn
      • credentials
      • bindmethod (simple)
      • scope (sub)
      • schemachecking (on)
      • type (refreshAndPersist)
      • retry ("60 10 120 +")
      • interval (00:00:00:15)
      • tls_cacert (ldap_tls_cacert)
      • updateref
    • indexes (["objectClass","pres,eq"], plus ["entryUUID,entryCSN","eq"] on a slave) - list of [attribute names, index types] pairs. "objectClass" (and "entryUUID,entryCSN" on a slave) is always indexed. The list can be generated from the template with:
    grep ^index openldap/templates/slapd.conf.j2|sed 's/index *//; s/\([^ ]*\) *\([^ ]*\) *$/  - [ "\1", "\2" ]/'
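
The slave and indexes keys above map onto slapd.conf "syncrepl" and "index" directives. The following is an added example, not the role's own template: it applies the defaults listed above to the base from the Example Playbook and renders those directives. The ldap_tls_cacert path, the directive ordering and the EXAMPLE_BASE input are assumptions constructed for illustration.

```python
# Added example (not criecm.openldap's template): render the slapd.conf
# "index" and "syncrepl" directives that one openldap_bases entry maps to,
# filling in the defaults the README lists for the slave dictionary.
from typing import Dict, List, Tuple

# Role-level defaults; the CA path is an assumed value for illustration.
DEFAULTS = {"openldap_slave_rid": 0, "ldap_tls_cacert": "/etc/ssl/ldap-ca.crt"}

# Slave keys that fall back to README defaults when the playbook omits them.
SLAVE_DEFAULTS = [("bindmethod", "simple"), ("scope", "sub"),
                  ("schemachecking", "on"), ("type", "refreshAndPersist"),
                  ("retry", "60 10 120 +"), ("interval", "00:00:00:15")]

# Constructed input: the base from the Example Playbook, as one list entry.
EXAMPLE_BASE = {
    "rootdn": "cn=admin", "suffix": "dc=at,dc=home",
    "indexes": [["uid,uidNumber,gidNumber,memberUID", "pres,eq"]],
    "slave": {"rid": 675, "provider": "ldaps://master.ldap.univ.fr:636",
              "binddn": "cn=bind,dc=dn", "credentials": "bindpw"},
}

def render_indexes(base: Dict) -> List[str]:
    """objectClass is always indexed; a slave also gets entryUUID,entryCSN eq."""
    idx: List[Tuple[str, str]] = [("objectClass", "pres,eq")]
    if "slave" in base:
        idx.append(("entryUUID,entryCSN", "eq"))
    idx += [(attrs, types) for attrs, types in base.get("indexes", [])]
    return [f"index {attrs} {types}" for attrs, types in idx]

def render_syncrepl(base: Dict, defaults: Dict = DEFAULTS) -> List[str]:
    """Build the syncrepl directive for a slave base; a master gets nothing."""
    slave = base.get("slave")
    if slave is None:
        return []
    lines = [f"syncrepl rid={slave.get('rid', defaults['openldap_slave_rid'])}",
             f"  provider={slave['provider']}",
             f"  searchbase=\"{slave.get('searchbase', base['suffix'])}\"",
             f"  binddn=\"{slave['binddn']}\"",
             f"  credentials={slave['credentials']}"]
    for key, default in SLAVE_DEFAULTS:
        val = str(slave.get(key, default))
        lines.append(f'  {key}="{val}"' if " " in val else f"  {key}={val}")
    lines.append(f"  tls_cacert={slave.get('tls_cacert', defaults['ldap_tls_cacert'])}")
    if "updateref" in slave:  # where a slave refers write requests
        lines.append(f"updateref {slave['updateref']}")
    return lines

if __name__ == "__main__":
    print("\n".join(render_indexes(EXAMPLE_BASE) + render_syncrepl(EXAMPLE_BASE)))
```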
    

TLS

  • ldap_tls_cacert () - path to the CA certificate file. If it's an absolute path (starts with /), it should point to an existing CA certificate file (shared with the ldap_client role).

Otherwise, files are taken relative to openldap/inventory_hostname on the source side and copied to openldap_confdir/ssl/ on the destination.

  • openldap_tls_cert () - if specified, the name of the server certificate.

  • openldap_tls_key () - if specified, the name of the server key.

  • openldap_tls_cacert (ldap_tls_cacert) - path to a file to be copied to openldap_confdir/ca.crt, which overrides ldap_tls_cacert.

Dependencies


List any dependencies here.

Example Playbook


- hosts: servers
  roles:
    - criecm.openldap
  vars:
    openldap_schemas:
      - core
      - cosine
      - nis
      - inetorgperson
      - rfc2739
    ppolicy_default: cn=defppolicy,ou=policies,dc=at,dc=home
    openldap_bases:
      # one dictionary per database; openldap_bases is a list
      - rootdn: cn=admin
        suffix: dc=at,dc=home
        includes: [ slapd.access ]
        overlays:
          - dynlist
          - ppolicy
          - smbk5pwd
        indexes:
          - [ "uid,uidNumber,gidNumber,memberUID", "pres,eq" ]
        slave:
          rid: 675
          provider: ldaps://master.ldap.univ.fr:636
          binddn: cn=bind,dc=dn
          credentials: bindpw

License


BSD

Project information

openldap server

Install
ansible-galaxy install criecm.openldap
License
Unknown
Downloads
202
Owner
Direction des Systèmes d'Information