Changeset - 99edcba90842
[Not reviewed]
Branko Majic (branko) - 9 years ago 2015-08-30 20:00:03
branko@majic.rs
MAR-19: Simplified the parameters for LDAP server role. Most of the parameters have become optional, with some smart defaults.
2 files changed with 69 insertions and 9 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -410,16 +410,44 @@ The role implements the following:
 
Parameters
 
~~~~~~~~~~
 

	
 
**ldap_entries** (list, mandatory)
 
**ldap_entries** (list, optional, ``[]``)
 
  List of entries that should be kept in the LDAP directory. Each item is a
 
  dictionary describing a single LDAP entry, with all of its attributes
 
  listed. The keys in this dictionary should be the attribute names. The values
 
  should be either strings, for setting a single attribute value, or a list of
 
  strings if it is necessary to set multiple values for the same attribute.
 

	
 
**ldap_permissions** (list, mandatory)
 
**ldap_permissions** (list, optional, ``see below``)
 
  List of LDAP access controls to apply to directories served by the LDAP
 
  server. Each item is a dictionary with the following options describing the
 
  server.
 

	
 
  Default value is:
 

	
 
  .. code-block:: yaml
 

	
 
    - filter: '(olcSuffix=BASEDN)'
 
      rules:
 
        - >
 
          to *
 
          by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
          by * break
 
        - >
 
          to attrs=userPassword,shadowLastChange
 
          by self write
 
          by anonymous auth
 
          by dn="cn=admin,BASEDN" write
 
          by * none
 
        - >
 
          to dn.base=""
 
          by * read
 
        - >
 
          to *
 
          by self write
 
          by dn="cn=admin,BASEDN" write
 
          by users read
 
          by * none
 

	
 
  Each item is a dictionary with the following options describing the
 
  permissions:
 

	
 
  **filter** (string, mandatory)
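Review bot: the default value shown here for ldap_permissions does not match the default actually shipped in roles/ldap_server/defaults/main.yml in this same changeset. The documented first rule has no `by dn="cn=admin,BASEDN" manage` line, the documented password rule keeps `by dn="cn=admin,BASEDN" write` (which the defaults file drops), and the documented last rule contains `by users read`, which the defaults file also drops. That last difference changes who can read the tree: per the defaults file only the entry owner and the admin DN can read an entry, while the docs tell a reader that every authenticated user can read everything. Paste the rules from defaults/main.yml here verbatim, with BASEDN standing in for `{{ ldap_server_int_basedn }}`, and say that BASEDN means the base DN derived from ldap_server_domain so the two copies stay in sync.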
 
@@ -436,31 +464,31 @@ Parameters
 
    the same as described in `OpenLDAP Administrator's Guide
 
    <http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration>`.
 

	
 
**ldap_server_domain** (string, mandatory)
 
**ldap_server_domain** (string, optional, ``ansible_facts[host]['domain']``)
 
  Domain that should be used for constructing the base DN of default user LDAP
 
  database. This should be a sub-domain dedicated to organisation. The base DN
 
  will be constructed by putting all elements of the sub-domain as ``dc``
 
  entries (as per standard Debian convention). I.e. ``example.com`` would get
 
  transformed into ``dc=example,dc=com``.
 

	
 
**ldap_server_organization** (string, mandatory)
 
**ldap_server_organization** (string, optional, ``Private``)
 
  Organization that should be specified in the base DN entry.
 

	
 
**ldap_server_log_level** (string, mandatory)
 
**ldap_server_log_level** (string, optional, ``256``)
 
  Log level to use for the server. This should be compatible with OpenLDAP
 
  configuration option ``olcLogLevel``. See `OpenLDAP Administrator's Guide
 
  <http://www.openldap.org/doc/admin24/slapdconf2.html#cn=config>` for value
 
  description and syntax.
 

	
 
**ldap_server_tls_certificate** (string, mandatory)
 
**ldap_server_tls_certificate** (string, optional, ``/etc/ssl/certs/FQDN_ldap.pem``)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for LDAP service. The file will be copied to directory ``/etc/ssl/certs/``.
 

	
 
**ldap_server_tls_key** (string, mandatory)
 
**ldap_server_tls_key** (string, optional, ``/etc/ssl/private/FQDN_ldap.key``)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  LDAP service. The file will be copied to directory ``/etc/ssl/private/``.
 

	
 
**ldap_server_ssf** (number, mandatory)
 
**ldap_server_ssf** (number, optional, ``128``)
 
  Minimum *Security Strength Factor* to require from all incoming
 
  connections. This applies for both remote and local connections.
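Review bot: the documented default for ldap_server_domain, `ansible_facts[host]['domain']`, references a variable named `host` that nothing in this changeset defines (the same expression is used for the FQDN in the TLS defaults), so unless it is set elsewhere the template fails at play time; the facts gathered for the current host are reachable directly as `ansible_domain` and `ansible_fqdn`, which would be the simpler reference. ldap_server_log_level is described as a string here but set to the number 256 in the defaults file; pick one type. Worth one sentence next to ldap_server_ssf: since the minimum SSF of 128 is stated to apply to local connections too, the `cn=peercred,cn=external,cn=auth` rule in the default ACL (root over the local socket) only works if the server's local SSF is set to at least that value (OpenLDAP's olcLocalSSF, which defaults to 71).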
 

	
roles/ldap_server/defaults/main.yml
 
new file 100644
 
---
 

	
 
ldap_entries: []
 
ldap_server_domain: "{{ ansible_facts[host]['domain'] }}"
 
# Internal value, base DN.
 
ldap_server_int_basedn: "{{ ldap_server_domain | regex_replace('\\.', ',dc=') | regex_replace('^', 'dc=') }}"
 
ldap_server_organization: "Private"
 
ldap_server_log_level: 256
 
ldap_server_tls_certificate: "/etc/ssl/certs/{{ ansible_facts[host]['fqdn'] }}_ldap.pem"
 
ldap_server_tls_key: "/etc/ssl/private/{{ ansible_facts[host]['fqdn'] }}_ldap.key"
 
ldap_server_ssf: 128
 
ldap_permissions:
 
  - filter: '(olcSuffix={{ ldap_server_int_basedn }})'
 
    rules:
 
      - >
 
        to *
 
        by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
 
        by dn="cn=admin,{{ ldap_server_int_basedn }}" manage
 
        by * break
 
      - >
 
        to attrs=userPassword,shadowLastChange
 
        by self write
 
        by anonymous auth
 
        by * none
 
      - >
 
        to dn.base=""
 
        by * read
 
      - >
 
        to *
 
        by self write
 
        by dn="cn=admin,{{ ldap_server_int_basedn }}" write
 
        by * none
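Review bot: in the first rule of the default ldap_permissions, `by dn="cn=admin,{{ ldap_server_int_basedn }}" manage` comes before `by * break`, so the admin DN matches there, gets manage on every entry and never reaches the later rules; the `by dn="cn=admin,{{ ldap_server_int_basedn }}" write` clause in the last rule is therefore unreachable and should be dropped, or the manage grant narrowed if the intent was to limit the admin to write. Separately, ldap_server_int_basedn is built by replacing each dot with `,dc=` and prefixing `dc=`, so a host whose gathered domain fact is an empty string yields the invalid base DN `dc=` and the ACL filter `(olcSuffix=dc=)`; either fail early when ldap_server_domain is empty or document that it must be set explicitly on such hosts.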