diff --git a/docs/rolereference.rst b/docs/rolereference.rst index d54c328fed64d97aacebaf59cd5e2e17f8e883d0..6892411f30de2b3477fb7d08375ea4fbd52aee04 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst 
@@ -418,51 +418,35 @@ Parameters strings if it is necessary to set multiple values for the same attribute. **ldap_permissions** (list, optional, ``see below``) - List of LDAP access controls to apply to directories served by the LDAP - server. + List of LDAP access rules to apply to base DN served by the LDAP server. The + listed access control rules will *replace* all existing rules, and will be + added in the same order they are listed in. Each item is a string that + constitutes a single access control rule. The format should be the same as + described in `OpenLDAP Administrator's Guide + `. Default value is: .. code-block:: yaml - - filter: '(olcSuffix=BASEDN)' - rules: - - > - to * - by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage - by * break - - > - to attrs=userPassword,shadowLastChange - by self write - by anonymous auth - by dn="cn=admin,BASEDN" write - by * none - - > - to dn.base="" - by * read - - > - to * - by self write - by dn="cn=admin,BASEDN" write - by users read - by * none - - Each item is a dictionary with the following options describing the - permissions: - - **filter** (string, mandatory) - An LDAP filter that should be applied on base DN ``cn=config`` using - sub-tree scope to locate the LDAP database for which the access control - rules will be applied. For default user database this could be something in - the lines of ``(olcSuffix=dc=example,dc=com)``. - - **rules** (list, mandatory) - A list of access control rules that should be applied for the selected - database. The access control rules listed will *replace* all existing - rules, and will be added in the same order they are listed in. Each item is - a string that constitutes a single access control rule. The format should be - the same as described in `OpenLDAP Administrator's Guide - `. 
+ - > + to * + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by * break + - > + to attrs=userPassword,shadowLastChange + by self write + by anonymous auth + by dn="cn=admin,BASEDN" write + by * none + - > + to dn.base="" + by * read + - > + to * + by self write + by dn="cn=admin,BASEDN" write + by * none **ldap_server_domain** (string, optional, ``ansible_facts[host]['domain']``) Domain that should be used for constructing the base DN of default user LDAP @@ -502,36 +486,33 @@ Here is an example configuration for setting-up LDAP server: --- - ldap_server_config: - domain: "example.com" - organization: "Example Corporation" - log_level: 256 - tls_certificate: ~/tls/ldap.example.com_ldap.pem - tls_key: ~/tls/ldap.example.com_ldap.key - ssf: 128 + ldap_server_domain: "example.com" + ldap_server_organization: "Example Corporation" + ldap_server_log_level: 256 + ldap_server_tls_certificate: ~/tls/ldap.example.com_ldap.pem + ldap_server_tls_key: ~/tls/ldap.example.com_ldap.key + ldap_server_ssf: 128 ldap_permissions: - - filter: '(olcSuffix=dc=example,dc=com)' - rules: - - > - to * - by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage - by * break - - > - to attrs=userPassword,shadowLastChange - by self write - by anonymous auth - by dn="cn=admin,dc=example,dc=com" write - by * none - - > - to dn.base="" - by * read - - > - to * - by self write - by dn="cn=admin,dc=example,dc=com" write - by users read - by * none + - > + to * + by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage + by * break + - > + to attrs=userPassword,shadowLastChange + by self write + by anonymous auth + by dn="cn=admin,dc=example,dc=com" write + by * none + - > + to dn.base="" + by * read + - > + to * + by self write + by dn="cn=admin,dc=example,dc=com" write + by users read + by * none ldap_entries: - dn: ou=people,dc=example,dc=com
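Review bot: In the first hunk (ldap_permissions default value), the final default rule `to *` no longer contains `by users read`, which the removed default had and which the example configuration in the second hunk still keeps. If the default really changed, then with `by * none` closing that rule, authenticated users other than the entry itself and `cn=admin,BASEDN` lose read access, and the parameter description should state this. If it did not change, restore the line so the documented default matches what the role applies. The new description also says "apply to base DN served by the LDAP server", which should read "to the base DN".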
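Review bot: In the second hunk (example configuration), the rules still hard-code the suffix in `by dn="cn=admin,dc=example,dc=com" write`, while the `filter` key that named the target database is removed and the base DN is described as being constructed from `ldap_server_domain`. Add a sentence next to the example saying that DNs written inside `ldap_permissions` rules must match the base DN built from `ldap_server_domain`, since nothing in the variable ties the two together any more. The documentation should also carry a short upgrade note that the `ldap_server_config` dictionary and the `filter`/`rules` item form are replaced by flat `ldap_server_*` variables and plain rule strings.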