majic-ansible-roles Changeset

Changeset - c1b844e6a76f

Parent rev.

Child rev.

[Not reviewed]

0 6 1

Branko Majic (branko) - 2 months ago 2025-01-25 00:31:04
branko@majic.rs

MAR-236: Add auxiliary object class to LDAP directory for optional countryName and friendlyCountryName attributes:

- Makes it easier to specify free-form optional country name in
LDAP-backed address books.
- Object class uses Majic-specific PEN (Private Enterprise Number)
"namespace" - 1.3.6.1.4.1.40926.417.2.1 (40926 is Majic PEN, 417
stands for LDAP, 2 stands for object class, and 1 is incremental
sequence number). The 417 is result of adding together lower-cased
letters LDAP in their decimal value.

7 files changed with 87 insertions and 3 deletions:

docs/releasenotes.rst

docs/rolereference.rst

roles/ldap_server/files/optionalcountry.ldif

roles/ldap_server/molecule/default/group_vars/parameters-optional.yml

roles/ldap_server/molecule/default/tests/test_default.py

roles/ldap_server/molecule/default/tests/test_optional.py

roles/ldap_server/tasks/main.yml

0 comments (0 inline, 0 general) First comment

docs/releasenotes.rst

➞

Show inline comments

@@ @@ -48,6 +48,9 @@ Upgraded to Ansible 10.4.x. Dropped support for Debian 11 @@
   * TLSv1.3 is now enabled by default (with RFC-defined mandatory
     ciphers), in addition to TLSv1.2.
   * Additional schema is enabled that introduces auxilliary object
     class ``optionalCountry`` with optional ``countryName / c`` and
     ``friendlyCountryName / co`` attributes. Useful for address books.
 * ``mail_server`` role

docs/rolereference.rst

➞

Show inline comments

@@ @@ -601,6 +601,13 @@ The role implements the following: @@
 * Configures OpenLDAP server (base DN - domain, organisation, TLS, SSF, log levels).
 * Enables the ``misc`` LDAP schema (from ``/etc/ldap/schema/misc.ldif``). This
   is necessary for the mail server role.
 * Deploys and enables the ``optionalcountry`` LDAP schema that adds
   auxilliary object class ``optionalCountry`` which allows two
   optional attributes to be specified - ``countryName / c`` and
   ``friendlyCountryName / co``. This is particularly useful for
   address book functionality (for applications that use LDAP directory
   as backend). No built-in object class seems to cover this particular
   use-case.
 * Enables the ``memberof`` overlay on top of default database. The overlay is
   configured to keep track of membership changes for object class
   ``groupOfUniqueNames`` via attribute ``uniqueMember``. Enforcement of

roles/ldap_server/files/optionalcountry.ldif

➞

Show inline comments

@@ new file 100644 @@
 dn: cn=optionalcountry,cn=schema,cn=config
 objectClass: olcSchemaConfig
 cn: optionalcountry
 olcObjectClasses: (
 .3.6.1.4.1.40926.417.2.1
   NAME 'optionalCountry'
   DESC 'Optional country code and friendly country name'
   SUP top AUXILIARY
   MAY ( countryName $ friendlyCountryName )
+  )

roles/ldap_server/molecule/default/group_vars/parameters-optional.yml

➞

Show inline comments

@@ @@ -24,6 +24,24 @@ ldap_entries: @@
       uid: jane
       cn: Jane Doe
       sn: Doe
   - dn: uid=blank-optional-country,dc=local
     attributes:
       objectClass:
         - inetOrgPerson
         - optionalCountry
       uid: blank-optional-country
       cn: Blank Optional Country
       sn: Blank Optional Country
   - dn: uid=optional-country,dc=local
     attributes:
       objectClass:
         - inetOrgPerson
         - optionalCountry
       uid: optional-country
       cn: Optional Country
       sn: Optional Country
       c: RS
       co: Serbia
 ldap_permissions:
   - >

roles/ldap_server/molecule/default/tests/test_default.py

➞

Show inline comments

@@ @@ -60,6 +60,18 @@ def test_misc_schema_presence(host): @@
         assert 'dn: cn={4}misc,cn=schema,cn=config' in misc_schema.stdout
 def test_optional_country_schema_presence(host):
     """
     Tests if the LDAP schema with object class for optional
     country code/name has been imported.
     """
     with host.sudo():
         country_schema = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')
         assert country_schema.rc == 0
         assert 'dn: cn={5}optionalcountry,cn=schema,cn=config' in country_schema.stdout
 def test_memberof_module(host):
     """
     Tests if the memberof overlay has been enabled for the main database.

roles/ldap_server/molecule/default/tests/test_optional.py

➞

Show inline comments

@@ @@ -219,9 +219,25 @@ objectClass: simpleSecurityObject @@
 userPassword:: amFuZXBhc3N3b3Jk
 cn: Jane Doe
 sn: Doe
-uid: jane""")
 uid: jane
         entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local '(|(entrydn=uid=john,dc=local)(entrydn=uid=jane,dc=local))'")
 dn: uid=blank-optional-country,dc=local
 objectClass: inetOrgPerson
 objectClass: optionalCountry
 uid: blank-optional-country
 cn: Blank Optional Country
 sn: Blank Optional Country
 dn: uid=optional-country,dc=local
 objectClass: inetOrgPerson
 objectClass: optionalCountry
 uid: optional-country
 cn: Optional Country
 sn: Optional Country
 c: RS
 co: Serbia""")
         entries = host.run("ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b dc=local '(objectClass=inetOrgPerson)'")
         assert entries.rc == 0
         assert parse_ldif(entries.stdout) == expected_entries

roles/ldap_server/tasks/main.yml

➞

Show inline comments

@@ @@ -69,11 +69,29 @@ @@
   register: ldap_misc_schema_present
   changed_when: false
-- name: Deploy LDAP misc schema
+- name: Apply LDAP misc schema
   ansible.builtin.command: "ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif"
   when: not ldap_misc_schema_present.stdout
   changed_when: true  # Always results in change due to task logic.
 - name: Deploy optional country schema definition
   ansible.builtin.copy:
     src: optionalcountry.ldif
     dest: "/etc/ldap/schema/optionalcountry.ldif"
     owner: root
     group: root
     mode: "0644"
 - name: Test if optional country schema is present
   ansible.builtin.command: "ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}optionalcountry)' cn"
   register: ldap_optionalcountry_schema_present
   changed_when: false
 - name: Apply LDAP optional country schema
   ansible.builtin.command: "ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/optionalcountry.ldif"
   when: not ldap_optionalcountry_schema_present.stdout
   changed_when: true  # Always results in change due to task logic.
 # Technically, the only thing this does is pick the size of DH
 # parameters to use, with GnuTLS (against which slapd is linked
 # against under Debian) picking a matching DH parameter from RFC-7919

0 comments (0 inline, 0 general) First comment