Compare commits

..

1 Commits

Author SHA1 Message Date
610b796763
feat: add playbook for managing LDAP directory contents 2025-05-06 23:22:50 +02:00
3 changed files with 8 additions and 121 deletions

View File

@ -9,10 +9,6 @@
server_uri: "{{ ldap_server_uri }}"
bind_dn: "{{ ldap_bind_dn }}"
bind_pw: "{{ ldap_bind_pw }}"
roles:
# Ensure all defaults from openldap role are in scope
- role: finallycoffee.base.openldap
when: false
tasks:
- name: Ensure org units in '{{ ldap_base_dn }}' are {{ _state }}
community.general.ldap_entry:
@ -23,87 +19,3 @@
loop: "{{ ldap_org_units | default([], true) }}"
loop_control:
loop_var: org_unit
- name: Ensure admin user is {{ _state }}
community.general.ldap_entry:
<<: *ldap_bind_info
dn: "uid={{ ldap_admin_user_rdn }},{{ ldap_admin_user_base }}"
objectClass: "{{ ldap_admin_user_object_classes }}"
attributes: "{{ ldap_admin_user_attributes }}"
state: "{{ _state }}"
vars:
ldap_admin_user_base: >-2
{{ ldap_admin_user_base_dn | default(ldap_base_dn, true) }}
when: ldap_admin_user_rdn is defined
- name: Ensure admin user attributes are correct
community.general.ldap_attrs:
<<: *ldap_bind_info
dn: "uid={{ ldap_admin_user_rdn }},{{ ldap_admin_user_base }}"
attributes: "{{ ldap_admin_user_attributes }}"
state: "{{ _state }}"
vars:
ldap_admin_user_base: >-2
{{ ldap_admin_user_base_dn | default(ldap_base_dn, true) }}
when:
- ldap_admin_user_rdn is defined
- _state == 'present'
- name: Ensure ldap groups are {{ _state }}
community.general.ldap_entry:
<<: *ldap_bind_info
dn: "{{ _ldap_group_dn }}"
objectClass: "{{ _ldap_group_object_classes }}"
attributes: "{{ _ldap_group_attributes }}"
state: "{{ _state }}"
vars:
_ldap_group_dn: >-2
cn={{ _ldap_group.name }},{{ ldap_group_base_dn }}
_ldap_group_object_classes:
- "groupOfNames"
_ldap_group_attributes:
cn: "{{ _ldap_group.name }}"
member: >-2
{{ _ldap_group.members | default([]) }}
loop: "{{ ldap_groups | default([], true) }}"
loop_control:
loop_var: _ldap_group
label: "{{ _ldap_group.name }}"
when:
- ldap_groups is defined
- ldap_group_base_dn is defined
- name: Ensure service accounts are {{ _state }}
community.general.ldap_entry:
<<: *ldap_bind_info
dn: "{{ _ldap_service_account_dn }}"
objectClass: "{{ _ldap_service_account_object_classes }}"
attributes: "{{ _ldap_service_account_attributes }}"
state: "{{ _state }}"
loop: &ldap_service_account_loop "{{ ldap_service_accounts | default([]) }}"
loop_control: &ldap_service_account_loop_control
loop_var: "_ldap_service_account"
label: "{{ _ldap_service_account.name }}"
vars: &ldap_service_account_vars
_ldap_service_account_dn: >-2
uid={{ _ldap_service_account.name }},{{ ldap_service_account_base_dn }}
_ldap_service_account_object_classes:
- "account"
- "simpleSecurityObject"
_ldap_service_account_attributes:
uid: "{{ _ldap_service_account.name }}"
userPassword: "{{ _ldap_service_account.password }}"
when: &ldap_service_account_when
- ldap_service_accounts is defined
- ldap_service_account_base_dn is defined
- name: Ensure service accounts attributes are correct
community.general.ldap_attrs:
<<: *ldap_bind_info
dn: "{{ _ldap_service_account_dn }}"
attributes: "{{ _ldap_service_account_attributes }}"
state: exact
loop: *ldap_service_account_loop
loop_control: *ldap_service_account_loop_control
vars: *ldap_service_account_vars
when: *ldap_service_account_when

View File

@ -26,13 +26,11 @@ openldap_additional_schemas: []
openldap_schemas: >-2
{{ openldap_enabled_schemas + openldap_additional_schemas }}
openldap_config_dn: "cn=config"
openldap_config_db_dn: "olcDatabase={0}config,cn=config"
openldap_config_db_olc_access:
- '{0} to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none'
openldap_config_attributes: {}
openldap_config_db: "cn=config"
openldap_config_db_olc_access: >-2
to *
by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
openldap_config_db_attributes:
olcAccess: "{{ openldap_config_db_olc_access }}"
@ -51,7 +49,7 @@ openldap_default_database_directory: >-2
openldap_default_database_indices: >-2
{{ openldap_default_indices + openldap_indices }}
openldap_default_database_config: >-2
olcDatabase={1}{{ openldap_default_database_name }},{{ openldap_config_dn }}
olcDatabase={1}{{ openldap_default_database_name }},{{ openldap_config_db }}
openldap_default_database:
name: "{{ openldap_default_database_name }}"
object_class: "{{ openldap_default_database_object_class }}"
@ -60,6 +58,5 @@ openldap_default_database:
root_pw: "{{ openldap_default_database_root_pw }}"
directory: "{{ openldap_default_database_directory }}"
indices: "{{ openldap_default_database_indices }}"
openldap_default_database_olc_access: "{{ openldap_config_db_olc_access }}"
openldap_databases:
- "{{ openldap_default_database }}"

View File

@ -1,31 +1,9 @@
---
- name: Ensure config attributes are configured
community.general.ldap_attrs:
dn: "{{ openldap_config_dn }}"
attributes: "{{ { entry.key : entry.value } }}"
state: exact
server_uri: "{{ openldap_socket_url }}"
loop: "{{ openldap_config_attributes | dict2items }}"
loop_control:
loop_var: "entry"
label: "{{ entry.key }}"
- name: Ensure config db attributes are configured
community.general.ldap_attrs:
dn: "{{ openldap_config_db_dn }}"
attributes: "{{ { entry.key : entry.value } }}"
state: exact
server_uri: "{{ openldap_socket_url }}"
loop: "{{ openldap_config_db_attributes | dict2items }}"
loop_control:
loop_var: "entry"
label: "{{ entry.key }}"
- name: Ensure ACLs for default database are configured
- name: Ensure ACLs are configured
community.general.ldap_attrs:
dn: "{{ openldap_default_database_config }}"
attributes:
olcAccess: "{{ openldap_default_database_olc_access }}"
olcAccess: "{{ openldap_config_db_olc_access }}"
state: "exact"
server_uri: "{{ openldap_socket_url }}"
retries: 3