forked from infra/ansible
Fix ldap-server (confirmed working on debian).
This commit is contained in:
parent
283a1154a9
commit
5d3282d567
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
ldap_ca: /etc/BKCA.crt
|
ldap_ca: /etc/ldap/ssl/BKCA.crt
|
||||||
ldap_uri: ldaps://ldap.binary.kitchen/
|
ldap_uri: ldaps://ldap.binary.kitchen/
|
||||||
ldap_host: ldap.binary.kitchen
|
ldap_host: ldap.binary.kitchen
|
||||||
ldap_base: dc=binary-kitchen,dc=de
|
ldap_base: dc=binary-kitchen,dc=de
|
||||||
|
@ -18,6 +18,7 @@
|
|||||||
with_items:
|
with_items:
|
||||||
- dnsutils
|
- dnsutils
|
||||||
- htop
|
- htop
|
||||||
|
- openssl
|
||||||
- pydf
|
- pydf
|
||||||
- sudo
|
- sudo
|
||||||
- vim-nox
|
- vim-nox
|
||||||
@ -34,5 +35,8 @@
|
|||||||
- name: Set shell for root user
|
- name: Set shell for root user
|
||||||
user: name=root shell=/bin/zsh
|
user: name=root shell=/bin/zsh
|
||||||
|
|
||||||
|
- name: Create LDAP certificate directory
|
||||||
|
file: path=/etc/ldap/ssl state=directory
|
||||||
|
|
||||||
- name: Copy LDAP certificate
|
- name: Copy LDAP certificate
|
||||||
copy: src=BKCA.crt dest=/etc/BKCA.crt
|
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
|
||||||
|
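Review bot: The copy task's `dest=/etc/ldap/ssl/BKCA.crt` and the directory task's `path=/etc/ldap/ssl` repeat the path that this same commit moves into `ldap_ca` (which slapd.conf reads as `{{ ldap_ca }}`), so the next relocation has to be made in three places and the template and the copied file can drift apart. If `ldap_ca` is visible to this role, reference it instead: `file: path={{ ldap_ca | dirname }} state=directory` and `copy: src=BKCA.crt dest={{ ldap_ca }} mode=0444`. The directory task pins no owner or mode; that is presumably fine while only a public CA certificate lives there, but if a private key is later written to the same directory the mode should be set explicitly rather than left to the umask.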
@ -26,5 +26,8 @@
|
|||||||
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
- { src: '.zshrc.local', dest: '/root/.zshrc.local' }
|
||||||
- { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.2/functions/Prompts/prompt_gentoo_setup' }
|
- { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.2/functions/Prompts/prompt_gentoo_setup' }
|
||||||
|
|
||||||
|
- name: Create LDAP certificate directory
|
||||||
|
file: path=/etc/ldap/ssl state=directory
|
||||||
|
|
||||||
- name: Copy LDAP certificate
|
- name: Copy LDAP certificate
|
||||||
copy: src=BKCA.crt dest=/etc/BKCA.crt
|
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
|
||||||
|
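Review bot: `dest=/etc/ldap/ssl/BKCA.crt` hardcodes the same path the commit introduces `ldap_ca` for, so a future change of `ldap_ca` silently leaves slapd.conf pointing at a file this task no longer writes. If the variable is in scope here, use `dest={{ ldap_ca }}` and derive the directory from it, otherwise at least mark the coupling with a comment above the task such as `# must match ldap_ca (TLSCACertificateFile in slapd.conf)`. The new directory task has no owner or mode; acceptable for a CA certificate, but worth stating if that directory is meant to hold anything more sensitive.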
@ -6,12 +6,17 @@
|
|||||||
# attribute type definitions
|
# attribute type definitions
|
||||||
|
|
||||||
attributetype ( 23.42.1.1 NAME 'mailAlternateAddress'
|
attributetype ( 23.42.1.1 NAME 'mailAlternateAddress'
|
||||||
DESC 'Secondary (alias) Aail Address'
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
SUP mail )
|
DESC 'Secondary (alias) mailaddresses for the same user'
|
||||||
|
EQUALITY caseIgnoreIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||||
|
|
||||||
attributetype ( 23.42.1.2 NAME 'rewMailAddress'
|
attributetype ( 23.42.1.2 NAME 'rewMailAddress'
|
||||||
|
SUBSTR caseIgnoreSubstringsMatch
|
||||||
DESC 'Rewritten Mail Address'
|
DESC 'Rewritten Mail Address'
|
||||||
SUP mail )
|
EQUALITY caseIgnoreIA5Match
|
||||||
|
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
||||||
|
SINGLE-VALUE )
|
||||||
|
|
||||||
# object class definitions
|
# object class definitions
|
||||||
|
|
||||||
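Review bot: `SUBSTR caseIgnoreSubstringsMatch` on both new attribute types is the DirectoryString substring rule, while the equality rule and the syntax (`caseIgnoreIA5Match`, `1.3.6.1.4.1.1466.115.121.1.26`) are IA5String; the standard `mail` definition these attributes inherited from until this commit pairs IA5String with `caseIgnoreIA5SubstringsMatch`, so unless the mixed rules were chosen deliberately I would change both lines to `SUBSTR caseIgnoreIA5SubstringsMatch`. Dropping `SUP mail` also means that filters on `mail` no longer match these attributes and that the `{256}` length bound of `mail` no longer applies; that looks intentional but is not obvious from the schema, so a comment would help, e.g. `# deliberately not SUP mail: (mail=...) filters must not match alias addresses -- confirm`.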
@ -19,5 +24,4 @@ objectclass ( 23.42.2.1 NAME 'kitchenUser'
|
|||||||
DESC 'Binary Kitchen User'
|
DESC 'Binary Kitchen User'
|
||||||
SUP top AUXILIARY
|
SUP top AUXILIARY
|
||||||
MUST ( mail $ uid )
|
MUST ( mail $ uid )
|
||||||
MAY ( mailAlternateAddress $ rewMailAddress )
|
MAY ( mailAlternateAddress $ rewMailAddress ) )
|
||||||
)
|
|
||||||
|
@ -26,6 +26,11 @@
|
|||||||
notify: Restart slapd
|
notify: Restart slapd
|
||||||
tags: ldap
|
tags: ldap
|
||||||
|
|
||||||
|
- name: Ensure certificates are available
|
||||||
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ldap/ssl/ldapm.key -out /etc/ldap/ssl/ldapm.crt -days 730 -subj "/CN=ldapm.binary.kitchen" creates=/etc/ldap/ssl/ldapm.crt
|
||||||
|
notify: Restart slapd
|
||||||
|
tags: nginx
|
||||||
|
|
||||||
- name: Start slapd
|
- name: Start slapd
|
||||||
service: name=slapd state=started enabled=yes
|
service: name=slapd state=started enabled=yes
|
||||||
tags: ldap
|
tags: ldap
|
||||||
|
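Review bot: `tags: nginx` on the new certificate task does not match the `tags: ldap` on the tasks around it, so a run limited with `--tags ldap` skips key generation and slapd is then started with the `TLSCertificateFile` and `TLSCertificateKeyFile` from slapd.conf missing; this should read `tags: ldap`. The task also leaves ownership and mode of the unencrypted (`-nodes`) key to openssl's defaults, while slapd presumably runs as an unprivileged service user, so add a follow-up `file: path=/etc/ldap/ssl/ldapm.key owner=<slapd user> group=<slapd group> mode=0600` so the daemon can read it and nobody else can. The CN `ldapm.binary.kitchen` is hardcoded while the clients' `ldap_host` is `ldap.binary.kitchen`; if those are intentionally different hosts a one-line comment saying so would avoid the next reader treating it as a typo.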
@ -62,7 +62,7 @@ access to *
|
|||||||
TLSCertificateFile /etc/ldap/ssl/ldapm.crt
|
TLSCertificateFile /etc/ldap/ssl/ldapm.crt
|
||||||
TLSCertificateKeyFile /etc/ldap/ssl/ldapm.key
|
TLSCertificateKeyFile /etc/ldap/ssl/ldapm.key
|
||||||
TLSCACertificateFile {{ ldap_ca }}
|
TLSCACertificateFile {{ ldap_ca }}
|
||||||
TLSCipherSuite TLSv1+RSA:!NULL
|
TLSCipherSuite NORMAL
|
||||||
TLSVerifyClient never
|
TLSVerifyClient never
|
||||||
|
|
||||||
|
|
||||||
|
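Review bot: `TLSCipherSuite NORMAL` is a GnuTLS priority string, whereas the removed `TLSv1+RSA:!NULL` was OpenSSL cipher syntax, so the new line only works where slapd is linked against GnuTLS (as Debian's package is, which matches the commit message); a comment would spare the next person on an OpenSSL-built slapd a confusing startup failure: `# GnuTLS priority string (Debian slapd); OpenSSL-linked builds need OpenSSL cipher syntax here`. `NORMAL` also accepts whatever the installed GnuTLS considers acceptable, which depending on its version includes TLS 1.0/1.1 and non-forward-secret RSA key exchange; if the clients allow it, pin the protocol, e.g. `TLSCipherSuite NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2`. `TLSVerifyClient never` is unchanged context and is consistent with a server-auth-only deployment validated via `{{ ldap_ca }}`.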