majic-ansible-roles Files · roles/ldap

Files @ 814be5def61d

Branch filter:

Location: majic-ansible-roles/roles/ldap_server/defaults/main.yml

814be5def61d 1010 B text/x-yaml Show Annotation Show as Raw Download as Raw

branko

MAR-189: Added support for Debian 11 Bullseye to xmpp_server role:

- Roll-out LDAP client configuration since Bullseye does not come with
a stock one at /etc/ldap/ldap.conf that sets the trust anchor
correctly for validating LDAP server certificates.
- Drop the backports pinning in case of Bullseye (for now let's try to
keep the Buster and Bullseye at same versions for simplicity).
- Drop installation of Python apt bindings (no longer used).
- Tests for Buster and Bullseye need to be split-up a bit due to some
differences around backports etc.

---

enable_backup: false
ldap_entries: []
# Internal value, base DN.
ldap_server_int_basedn: "{{ ldap_server_domain | regex_replace('\\.', ',dc=') | regex_replace('^', 'dc=') }}"
ldap_server_organization: "Private"
ldap_server_log_level: 256
ldap_server_ssf: 128
ldap_server_consumers: []
ldap_server_groups: []
ldap_permissions:
  - >
    to *
    by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
    by dn="cn=admin,{{ ldap_server_int_basedn }}" manage
    by * break
  - >
    to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none
  - >
    to dn.base=""
    by * read
  - >
    to *
    by self write
    by dn="cn=admin,{{ ldap_server_int_basedn }}" write
    by users read
    by * none

ldap_tls_ciphers: "NONE:\
+VERS-TLS1.2:\
+CTYPE-X509:\
+COMP-NULL:\
+SIGN-RSA-SHA256:\
+SIGN-RSA-SHA384:\
+SIGN-RSA-SHA512:\
+DHE-RSA:\
+ECDHE-RSA:\
+SHA256:\
+SHA384:\
+SHA512:\
+AEAD:\
+AES-128-GCM:\
+AES-256-GCM:\
+CHACHA20-POLY1305:\
+CURVE-ALL"