From 749991b39a5d56633842c2b0687cc42aed22696a Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Fri, 1 Apr 2016 18:37:02 +0200
Subject: [PATCH] Have ldap-server offer ldaps connections.
---
 roles/ldap-server/files/slapd | 45 +++++++++++++++++++++++
 roles/ldap-server/tasks/main.yml | 4 ++
 roles/ldap-server/templates/slapd.conf.j2 | 3 ++
 3 files changed, 52 insertions(+)
 create mode 100644 roles/ldap-server/files/slapd
diff --git a/roles/ldap-server/files/slapd b/roles/ldap-server/files/slapd
new file mode 100644
index 0000000..cb6f1b6
--- /dev/null
+++ b/roles/ldap-server/files/slapd
@@ -0,0 +1,45 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
diff --git a/roles/ldap-server/tasks/main.yml b/roles/ldap-server/tasks/main.yml
index 0571726..cd66d72 100644
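Review bot: The `ldaps:///` listener added to `SLAPD_SERVICES` in this new file only comes up if slapd.conf also provides TLS material (`TLSCertificateFile`, `TLSCertificateKeyFile`, and a `TLSCACertificateFile` for the chain); the slapd.conf.j2 hunk in this same commit adds only ACL rules, so unless the template already sets those directives — the rest of it is not visible here — slapd will fail to start with the ldaps listener rather than quietly serve plain LDAP. Keeping `ldap://` on 127.0.0.1 while exposing only `ldaps:///` to the network is a sound default, but because this is a static `files/` copy rather than a template the listener set is identical on every host and nothing in the file says the restriction is deliberate; a comment directly above the assignment, `# ldap:// is loopback-only by design; remote clients must use ldaps:// (cert/key set in slapd.conf)`, would prevent a later "fix" that reopens port 389. Since the listener is the whole point of the commit, it would also help to state in the commit message which slapd.conf directives it relies on.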
--- a/roles/ldap-server/tasks/main.yml
+++ b/roles/ldap-server/tasks/main.yml
@@ -21,6 +21,10 @@
   notify: Restart slapd
   tags: ldap
 
+- name: Configure slapd (init script)
+  copy: src=slapd dest=/etc/default/slapd
+  tags: ldap
+
 - name: Configure slapd
   template: src=slapd.conf.j2 dest=/etc/ldap/slapd.conf
   notify: Restart slapd
diff --git a/roles/ldap-server/templates/slapd.conf.j2 b/roles/ldap-server/templates/slapd.conf.j2
index cc58bac..f6c1169 100644
--- a/roles/ldap-server/templates/slapd.conf.j2
+++ b/roles/ldap-server/templates/slapd.conf.j2
@@ -49,6 +49,9 @@ access to attrs=userPassword
   by self write
   by anonymous auth
   by * none
+access to attrs=loginShell
+  by self write
+  by * none
 access to *
   by self read
   by users read
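Review bot: The new `Configure slapd (init script)` task carries no `notify: Restart slapd`, unlike the task above it and the `Configure slapd` task below, so an edit to /etc/default/slapd — the file that actually enables the ldaps listener via `SLAPD_SERVICES` — is written to disk but not applied until slapd happens to be restarted for some other reason; on a fresh host it only works because the slapd.conf task later triggers the same handler. Add `notify: Restart slapd` after the `copy:` line so the task matches its neighbours. Because the copied file is a shell fragment sourced by the init script, pinning `owner=root group=root mode=0644` on the `copy:` line would also make the task's result independent of the controller's umask, though that is a lesser point.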
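Review bot: The new `access to attrs=loginShell` rule ends in `by * none`, which hides loginShell from every identity except the entry's owner; before this hunk the attribute fell through to the `access to *` rule visible just below, where `by users read` let any authenticated bind — typically the service account that NSS/PAM clients use for account lookups — read it. If clients resolve user shells through this directory those lookups will now come back without a loginShell, which I cannot confirm from here because no client configuration is in this commit. If the intent is only to let users change their own shell, adding `by users read` between `by self write` and `by * none` (or a rule for the specific service bind DN) keeps lookups working; in any case this ACL change is unrelated to the ldaps listener named in the subject and deserves its own commit or at least a comment above the rule explaining why loginShell is restricted. Note also that `by self write` lets any account store an arbitrary string there, so whatever consumes loginShell should still validate it against the allowed shells on the client side.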