The best Ansible Role ;-) for installing and configuring OpenLDAP slapd with multiple backends.
- Idempotent (but see Notes).
- Multiple backends.
- Modules management.
- Schemas management.
- Overlay management.
- SSL activation.
- Monitor backend activation.
- Apparmor aware (for Ubuntu).
- Debian and Ubuntu friendly (anyone for Redhat likes and other platforms?).
- Possibility to create a minimal DIT with root DN and first level organizational units.
- A developer/maintainer willing to receive feedback and bug reports.
community.general.json_query needs jmespath:
pip3 install jmespath
This role must be run as root (for EXTERNAL authentification mechanism)
but will not become by itself.
| Name | Default | Description |
|---|---|---|
slapd_user |
"openldap" |
System user for slapd. |
slapd_group |
"{{ slapd_user }}" |
Group user for slapd. |
slapd_ssl |
false |
Activate SSL (ldaps:///). |
slapd_ssl_group |
"ssl-cert" |
Group slapd will be added to if slapd_ssl (to access keys in /etc/ssl/private). |
slapd_monitor |
false |
Activate monitor backend (cn=Monitor). |
slapd_monitor_admin |
required if slapd_monitor |
DN that will have read access to cn=Monitor. |
slapd_modules |
[] |
List of modules to add. |
slapd_module_path |
"/usr/lib/ldap" |
Path to the directory of modules. |
slapd_schemas |
[] |
List of schemas to add (.ldiff or .schema format). |
slapd_schema_path |
"/etc/ldap/schema" |
Path to the directory of schemas. |
slapd_apparmor_file |
"/etc/apparmor.d/usr.sbin.slapd" |
Path to slapd apparmor profile file. |
slapd_config_olc |
{} |
Any parameter recognized by slapd in cn=config. |
slapd_config_frontend |
{} |
Any parameter recognized by slapd in olcDatabase={-1}frontend,cn=config. |
slapd_config_config |
{} |
Any parameter recognized by slapd in olcDatabase={0}config,cn=config. |
slapd_config_backends |
{} |
Description of backends to configure. |
If slapd_ssl is true:
slapdsystem user (slapd_user) will be added to groupslapd_ssl_group;SLAPD_SERVICESvariable will be set to"ldap:/// ldaps:/// ldapi:///"in/etc/defaults/slapdfile;slapdservice will be restarted.
At least, these parameters must be set in slapd_config_olc:
olcTLSCertificateFile(name of a file that should be under/etc/ssl/certs);olcTLSCertificateKeyFile(name of a file that should be under/etc/ssl/private, ownerroot, groupssl-cert, mode0640);
slapd_config_backends is the list of backends to be in slapd configuration (except olcDatabase={-1}frontend,cn=config
and olcDatabase={0}config,cn=config that will always exist).
Each entry in this array is a dictionary with two to four members:
db_type: type of backend;overlays: overlays for this backend (optional), must havenameandattributesattributes;dit: information for tree initialization, if present a root DN and optional organizational units will be created;attributes: configuration attributes and values for this backend, at leastolcSuffixattribute is mandatory, others may be required depending of the type of backend.
Corresponding modules must be loaded for each db_type used:
asyncmeta: moduleback_asyncmeta;dnssrv: moduleback_dnssrv;ldap: moduleback_ldap;mdb: moduleback_mdb;meta: moduleback_meta;null: moduleback_null;passwd: moduleback_passwd;perl: moduleback_perl;relay: moduleback_relay;sock: moduleback_sock;sql: moduleback_sql.
Note: Only these backend types have been tested: ldap, mdb.
Corresponding modules must be loaded for each overlay used (supported overlays are: accesslog, auditlog,
autogroup, collect, constraint, dds, dyngroup, dynlist, homedir, lastbind, memberof, pcache,
ppolicy, refint, remoteauth, retcode, rwm, sssvlv, syncprov, translucent, unique, valsort).
If dit is there for a backend, it should be a dictionnary with a root mandatory key and
an optional organizational_units key. root is also a dictionnary with mandatories objectClass
(list of strings) and attributes keys (dictionnary). organizational_units is a list of strings
containing the names for the organizational units to be created directly under the root record.
The root DN will be attributes.olcSuffix which is mandatory.
Example:
slapd_config_backends:
- db_type: "mdb"
attributes:
olcSuffix: "o=Test Me,c=FR"
olcDbDirectory: "/var/lib/ldap-test-me"
dit:
root_record:
objectClass:
- "organization"
attributes:
o: "Test Me"
organizational_units:
- "People"
- "Group"
Collection community.general.
For adding the schema my-schema, the file my-schema.ldif or my-schema.schema must exist
in /etc/ldap/schema (or whatever {{slapd_schema_path}} is).
Due to OpenLDAP slapd limitations, it's not possible to dynamically remove modules and
schemas. So, even if you remove a module from slapd_modules or a schema from slapd_schemas,
this role will not try to remove them from the slapd configuration.
Removing configuration attributes from slapd_config_olc, slapd_config_frontend,
slapd_config_config, slapd_config_backends[*].attributes, and
slapd_config_backends[*].overlays.attributes will not remove them from slapdconfiguration.
See this bug report
for community.general.ldap_attrs
The workaround for removing an attribute is to use []. Exemple:
slapd_config_olc:
olcLogLevel: []
Minimal playbook:
- name: Minimal playbook for role seb4itik.slapd
hosts: ldap
vars:
slapd_modules:
- "back_mdb"
slapd_config_backends:
- db_type: "mdb"
attributes:
olcSuffix: "dc=test,dc=me"
olcDbDirectory: "/var/lib/ldap-test-me"
olcRootDN: "cn=admin,dc=test,dc=me"
olcRootPW: "{{ vault.ldap.admin_dn_password }}"
roles:
- "seb4itik.slapd"
More complete example:
- name: Example playbook for role seb4itik.slapd
hosts: ldap
vars:
slapd_ssl: true
slapd_monitor: true
slapd_monitor_admin: "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
slapd_modules:
- "back_ldap"
- "back_mdb"
- "constraint"
slapd_schemas:
- "misc"
slapd_config_olc:
olcLogLevel: 64
olcTLSCertificateFile: "/etc/ssl/certs/ldap1.test.me.crt"
olcTLSCertificateKeyFile: "/etc/ssl/private/ldap1.test.me.key"
slapd_config_backends:
- db_type: "ldap"
attributes:
olcSuffix: "dc=another,dc=me"
olcDbURI: "ldaps:///ldap1.another.me"
- db_type: "mdb"
overlays:
- name: "constraint"
attributes:
olcConstraintAttribute:
- "mail regex ^[[:alnum:]]+@mydomain.com$"
attributes:
olcSuffix: "dc=test,dc=me"
olcDbDirectory: "/var/lib/ldap-test-me"
olcRootDN: "cn=admin,dc=test,dc=me"
olcRootPW: "{{ vault.ldap.admin_dn_password }}"
olcDbCheckpoint: "512 30"
olcDbMaxSize: 2147483648 # 2 Go
olcLastMod: "TRUE"
olcSizeLimit: 1500
olcLimits:
- '{0}dn.base="cn=SyncRepl,ou=DIT Roles,dc=test,dc=me" size=unlimited time=unlimited'
olcDbIndex:
- "objectClass eq"
- "cn,uid eq"
- "uidNumber,gidNumber eq"
- "member,uniqueMember,memberUid eq"
- "sn eq,sub"
- "givenName eq,sub"
- "mail eq"
olcAccess:
- '{0}to attrs=userPassword,shadowLastChange
by dn.base="cn=admin,ou=DIT Roles,dc=test,dc=me" write
by dn.base="cn=pwadmin,ou=DIT Roles,dc=test,dc=me" write
by anonymous auth
by self write
by * none'
- '{1}to dn.base=""
by * read'
- '{2}to *
by dn.base="cn=admin,ou=DIT Roles,dc=test,dc=me" write
by * read'
roles:
- "seb4itik.slapd"
- For parameters such as
olcAccess,olcSyncrepl,olcLimits, ... that are ordered lists, you should prefix each item with{N}. - Be careful with the case of
olcSyncreplparameter!
- Write tests (but problem between Docker and systemd).
- Other platforms (Redhat, ...).
- Optimisation: set_fact (all modules, all schemas, all suffixes...)
- Idempotency in attributes (for replacing "state: exact")
MIT