Changeset - 63d26c0b3d86
Branko Majic (branko) - 9 years ago 2015-08-30 20:11:03
branko@majic.rs
MAR-19: Simplified LDAP permissions specification for the LDAP server. Automatically determine which database the permissions need to be applied to (instead of having the user provide it). Also switched to a single tree where the permissions can be configured. Updated the example in the role reference.
4 files changed with 88 insertions and 112 deletions:
docs/rolereference.rst
 
@@ -418,51 +418,35 @@ Parameters
 
  strings if it is necessary to set multiple values for the same attribute.
 

	
 
**ldap_permissions** (list, optional, ``see below``)
 
  List of LDAP access controls to apply to directories served by the LDAP
 
  server.
 
  List of LDAP access rules to apply to base DN served by the LDAP server. The
 
  listed access control rules will *replace* all existing rules, and will be
 
  added in the same order they are listed in. Each item is a string that
 
  constitutes a single access control rule. The format should be the same as
 
  described in `OpenLDAP Administrator's Guide
 
  <http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration>`.
 

	
 
  Default value is:
 

	
 
  .. code-block:: yaml
 

	
 
    - filter: '(olcSuffix=BASEDN)'
 
      rules:
 
        - >
 
          to *
 
          by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
          by * break
 
        - >
 
          to attrs=userPassword,shadowLastChange
 
          by self write
 
          by anonymous auth
 
          by dn="cn=admin,BASEDN" write
 
          by * none
 
        - >
 
          to dn.base=""
 
          by * read
 
        - >
 
          to *
 
          by self write
 
          by dn="cn=admin,BASEDN" write
 
          by users read
 
          by * none
 

	
 
  Each item is a dictionary with the following options describing the
 
  permissions:
 

	
 
  **filter** (string, mandatory)
 
    An LDAP filter that should be applied on base DN ``cn=config`` using
 
    sub-tree scope to locate the LDAP database for which the access control
 
    rules will be applied. For default user database this could be something in
 
    the lines of ``(olcSuffix=dc=example,dc=com)``.
 

	
 
  **rules** (list, mandatory)
 
    A list of access control rules that should be applied for the selected
 
    database. The access control rules listed will *replace* all existing
 
    rules, and will be added in the same order they are listed in. Each item is
 
    a string that constitutes a single access control rule. The format should be
 
    the same as described in `OpenLDAP Administrator's Guide
 
    <http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration>`.
 
    - >
 
      to *
 
      by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
      by * break
 
    - >
 
      to attrs=userPassword,shadowLastChange
 
      by self write
 
      by anonymous auth
 
      by dn="cn=admin,BASEDN" write
 
      by * none
 
    - >
 
      to dn.base=""
 
      by * read
 
    - >
 
      to *
 
      by self write
 
      by dn="cn=admin,BASEDN" write
 
      by * none
 

	
 
**ldap_server_domain** (string, optional, ``ansible_facts[host]['domain']``)
 
  Domain that should be used for constructing the base DN of default user LDAP
 
@@ -502,36 +486,33 @@ Here is an example configuration for setting-up LDAP server:
 

	
 
  ---
 

	
 
  ldap_server_config:
 
    domain: "example.com"
 
    organization: "Example Corporation"
 
    log_level: 256
 
    tls_certificate: ~/tls/ldap.example.com_ldap.pem
 
    tls_key: ~/tls/ldap.example.com_ldap.key
 
    ssf: 128
 
  ldap_server_domain: "example.com"
 
  ldap_server_organization: "Example Corporation"
 
  ldap_server_log_level: 256
 
  ldap_server_tls_certificate: ~/tls/ldap.example.com_ldap.pem
 
  ldap_server_tls_key: ~/tls/ldap.example.com_ldap.key
 
  ldap_server_ssf: 128
 
  
 
  ldap_permissions:
 
    - filter: '(olcSuffix=dc=example,dc=com)'
 
      rules:
 
        - >
 
          to *
 
          by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
          by * break
 
        - >
 
          to attrs=userPassword,shadowLastChange
 
          by self write
 
          by anonymous auth
 
          by dn="cn=admin,dc=example,dc=com" write
 
          by * none
 
        - >
 
          to dn.base=""
 
          by * read
 
        - >
 
          to *
 
          by self write
 
          by dn="cn=admin,dc=example,dc=com" write
 
          by users read
 
          by * none
 
    - >
 
      to *
 
      by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
      by * break
 
    - >
 
      to attrs=userPassword,shadowLastChange
 
      by self write
 
      by anonymous auth
 
      by dn="cn=admin,dc=example,dc=com" write
 
      by * none
 
    - >
 
      to dn.base=""
 
      by * read
 
    - >
 
      to *
 
      by self write
 
      by dn="cn=admin,dc=example,dc=com" write
 
      by users read
 
      by * none
 
  
 
  ldap_entries:
 
    - dn: ou=people,dc=example,dc=com
roles/ldap_server/defaults/main.yml
 
@@ -10,23 +10,21 @@ ldap_server_tls_certificate: "/etc/ssl/certs/{{ ansible_facts[host]['fqdn'] }}_l
 
ldap_server_tls_key: "/etc/ssl/private/{{ ansible_facts[host]['fqdn'] }}_ldap.key"
 
ldap_server_ssf: 128
 
ldap_permissions:
 
  - filter: '(olcSuffix={{ ldap_server_int_basedn }})'
 
    rules:
 
      - >
 
        to *
 
        by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
        by dn="cn=admin,{{ ldap_server_int_basedn }}" manage
 
        by * break
 
      - >
 
        to attrs=userPassword,shadowLastChange
 
        by self write
 
        by anonymous auth
 
        by * none
 
      - >
 
        to dn.base=""
 
        by * read
 
      - >
 
        to *
 
        by self write
 
        by dn="cn=admin,{{ ldap_server_int_basedn }}" write
 
        by * none
 
  - >
 
    to *
 
    by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
    by dn="cn=admin,{{ ldap_server_int_basedn }}" manage
 
    by * break
 
  - >
 
    to attrs=userPassword,shadowLastChange
 
    by self write
 
    by anonymous auth
 
    by * none
 
  - >
 
    to dn.base=""
 
    by * read
 
  - >
 
    to *
 
    by self write
 
    by dn="cn=admin,{{ ldap_server_int_basedn }}" write
 
    by * none
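Review bot: In the new flat rule list the `by dn="cn=admin,{{ ldap_server_int_basedn }}" write` clause in the final `to *` rule is unreachable: the first rule (`to *`) already grants that DN `manage`, and only `by * break` falls through to later rules, so OpenLDAP stops evaluating at the first rule for the admin DN. Either drop the redundant `write` clause or, if the intent is that the admin has `manage` everywhere, say so with a comment such as `# cn=admin gets manage via the first rule; later admin clauses are never reached`. The same pattern is present in the new rules in testsite/group_vars/ldap.yml. The documented default in docs/rolereference.rst (the "Default value is" block under ldap_permissions) no longer matches this file: it omits the admin `manage` clause from the first rule and instead grants the admin `write` in the `userPassword,shadowLastChange` rule, so one of the two should be corrected to match the other.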
roles/ldap_server/tasks/main.yml
 
@@ -71,9 +71,8 @@
 

	
 
- name: Apply database permissions
 
  ldap_permissions:
 
    filter: "{{ item.filter }}"
 
    rules: "{{ item.rules }}"
 
  with_items: ldap_permissions
 
    filter: "(olcSuffix={{ ldap_server_int_basedn }})"
 
    rules: "{{ ldap_permissions }}"
 

	
 
- name: Create LDAP entries
 
  ldap_entry: ""
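Review bot: The new `filter: "(olcSuffix={{ ldap_server_int_basedn }})"` interpolates the base DN directly into an LDAP search filter without RFC 4515 escaping, so a base DN containing `(`, `)`, `*` or `\` would produce an invalid or over-broad filter against `cn=config`. The variable appears to be derived from a domain name (its definition is outside this hunk), in which case this is unlikely in practice, but a comment stating the assumption would help maintainers, e.g. `# base DN is derived from the domain, so no LDAP filter metacharacters are expected here`. With the loop removed the task now applies exactly one rule set, to the database whose suffix is the base DN; the task name could reflect that, e.g. `- name: Apply access control rules to the base DN database`.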
testsite/group_vars/ldap.yml
 
@@ -28,27 +28,25 @@ ldap_server_tls_key: "{{ inventory_dir }}/tls/ldap.{{ testsite_domain }}_ldap.ke
 
ldap_server_ssf: 128
 

	
 
ldap_permissions:
 
  - filter: '(olcSuffix={{ testsite_ldap_base }})'
 
    rules:
 
      - >
 
        to *
 
        by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
        by dn="cn=admin,{{ testsite_ldap_base }}" manage
 
        by * break
 
      - >
 
        to attrs=userPassword,shadowLastChange
 
        by self write
 
        by anonymous auth
 
        by * none
 
      - >
 
        to dn.base=""
 
        by * read
 
      - >
 
        to *
 
        by self write
 
        by dn="cn=admin,{{ testsite_ldap_base }}" write
 
        by users read
 
        by * none
 
  - >
 
    to *
 
    by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
    by dn="cn=admin,{{ testsite_ldap_base }}" manage
 
    by * break
 
  - >
 
    to attrs=userPassword,shadowLastChange
 
    by self write
 
    by anonymous auth
 
    by * none
 
  - >
 
    to dn.base=""
 
    by * read
 
  - >
 
    to *
 
    by self write
 
    by dn="cn=admin,{{ testsite_ldap_base }}" write
 
    by users read
 
    by * none
 

	
 
ldap_entries:
 
  - dn: "cn={4}misc,cn=schema,cn=config"
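Review bot: The final `to *` rule in the new test-site list includes `by users read`, which the role default in roles/ldap_server/defaults/main.yml does not, so every authenticated user can read all entries under the base DN except the `userPassword`/`shadowLastChange` attributes, which the earlier `attrs=` rule limits to `self write` and `anonymous auth`. If that is intentional for the test environment, a comment above `ldap_permissions:` such as `# Test site is deliberately more permissive than the role default: authenticated users may read all entries` would make the divergence explicit and reduce the chance of this list being copied into a production inventory unchanged.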