fix(openldap): allow properly configuring the cn=config namespace and the config db

2025-05-13 20:46:04 +02:00 · 2025-05-13 20:46:04 +02:00 · b692f58fd3
commit b692f58fd3
parent 0b03640e40
2 changed files with 33 additions and 8 deletions
--- a/roles/openldap/defaults/main/openldap.yml
+++ b/roles/openldap/defaults/main/openldap.yml
@ -26,11 +26,13 @@ openldap_additional_schemas: []
 openldap_schemas: >-2
  {{ openldap_enabled_schemas + openldap_additional_schemas }}

-openldap_config_db: "cn=config"
-openldap_config_db_olc_access: >-2
-  to *
-    by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
-    by * none
+openldap_config_dn: "cn=config"
+openldap_config_db_dn: "olcDatabase={0}config,cn=config"
+openldap_config_db_olc_access:
+  - '{0} to *
+      by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+      by * none'
+openldap_config_attributes: {}
 openldap_config_db_attributes:
  olcAccess: "{{ openldap_config_db_olc_access }}"

@ -49,7 +51,7 @@ openldap_default_database_directory: >-2
 openldap_default_database_indices: >-2
  {{ openldap_default_indices + openldap_indices }}
 openldap_default_database_config: >-2
-  olcDatabase={1}{{ openldap_default_database_name }},{{ openldap_config_db }}
+  olcDatabase={1}{{ openldap_default_database_name }},{{ openldap_config_dn }}
 openldap_default_database:
  name: "{{ openldap_default_database_name }}"
  object_class: "{{ openldap_default_database_object_class }}"
@ -58,5 +60,6 @@ openldap_default_database:
  root_pw: "{{ openldap_default_database_root_pw }}"
  directory: "{{ openldap_default_database_directory }}"
  indices: "{{ openldap_default_database_indices }}"
+openldap_default_database_olc_access: "{{ openldap_config_db_olc_access }}"
 openldap_databases:
  - "{{ openldap_default_database }}" 
--- a/roles/openldap/tasks/configure.yml
+++ b/roles/openldap/tasks/configure.yml
@ -1,9 +1,31 @@
 ---
- name: Ensure ACLs are configured
+- name: Ensure config attributes are configured
+  community.general.ldap_attrs:
+    dn: "{{ openldap_config_dn }}"
+    attributes: "{{ { entry.key : entry.value } }}"
+    state: exact
+    server_uri: "{{ openldap_socket_url }}"
+  loop: "{{ openldap_config_attributes | dict2items }}"
+  loop_control:
+    loop_var: "entry"
+    label: "{{ entry.key }}"
+
+- name: Ensure config db attributes are configured
+  community.general.ldap_attrs:
+    dn: "{{ openldap_config_db_dn }}"
+    attributes: "{{ { entry.key : entry.value } }}"
+    state: exact
+    server_uri: "{{ openldap_socket_url }}"
+  loop: "{{ openldap_config_db_attributes | dict2items }}"
+  loop_control:
+    loop_var: "entry"
+    label: "{{ entry.key }}"
+
+- name: Ensure ACLs for default database are configured
  community.general.ldap_attrs:
    dn: "{{ openldap_default_database_config }}"
    attributes:
-      olcAccess: "{{ openldap_config_db_olc_access }}"
+      olcAccess: "{{ openldap_default_database_olc_access }}"
    state: "exact"
    server_uri: "{{ openldap_socket_url }}"
  retries: 3