GithubHelp home page GithubHelp logo

ansible-role-openldap's Introduction

cesnet.openldap

Ansible role for installing OpenLDAP server on Debian. It supports:

  • installing a single server
  • installing a master replica server
  • installing a slave replica server
  • activating memberOf overlay for consistent memberOf attribute of users
  • setting strong password hashing algorithm ARGON2 as the default hashing method

Variables

  • ldap_domain - DNS domain used for generating the base DN
  • ldap_top_organization - the value of o attribute of the base path
  • ldap_data_password - password for administrator account of the data tree
  • ldap_config_password - password for administrator account of the config tree
  • ldap_hold_package - whether to hold slapd package against upgrades (default no)
  • ldap_certificate_file - path to TLS certificate
  • ldap_certificate_key_file - path to TLS private key
  • ldap_certificate_chain_file - path to TLS certificate chain
  • ldap_access_rules_set - whether to set ACL, default is yes, may be set to "no" if ACL contains attributes not yet defined
  • ldap_access_rules_additional - access rules to be added to the default rules (default empty list)
  • ldap_size_limit - limit for the number of returned records, default is unlimited
  • ldap_master_replica - whether to configure the server as master replica (default no)
  • ldap_replication_password - password for replication user
  • ldap_slave_replica - whether to configure the server as slave replica (default no)
  • ldap_master_url - URL ot the master replica that the slave should connect to
  • ldap_users - list of users to create, keys user, password and description are required for each one
  • ldap_memberOf_overlay - whether to configure memberOf overlay for adding the attribute memberOf to group members and refint overlay for keeping consistency (default no)
  • ldap_sssvlv_overlay - whether to add Server Side Sorting and Virtual List View overlay (default no)
  • ldap_allow_empty_groups - whether to modify core schema to allow empty groups (default no)
  • ldap_strong_password_hashing - whether to configure strong password hashing as the default hashing method (default no)
  • ldap_pass_through_authentication - whether to configure pass-through authentication using Kerberos

For midPoint, set ldap_memberOf_overlay, ldap_sssvlv_overlay and ldap_allow_empty_groups to yes.

Examples

Example of installing a master server for replication:

- hosts: cloud6.perun-aai.org
  remote_user: root
  tasks:
    - name: "create ldap master"
      import_role:
        name: cesnet.openldap
      vars:
        ldap_domain: "cesnet.cz"
        ldap_top_organization: "perun"
        ldap_data_password: "test1"
        ldap_config_password: "test2"
        ldap_certificate_file: "/etc/letsencrypt/live/cloud6.perun-aai.org/cert.pem"
        ldap_certificate_key_file: "/etc/letsencrypt/live/cloud6.perun-aai.org/privkey.pem"
        ldap_certificate_chain_file: "/etc/letsencrypt/live/cloud6.perun-aai.org/chain.pem"
        ldap_master_replica: yes
        ldap_replication_password: "test"
        ldap_memberOf_overlay: yes
        ldap_sssvlv_overlay: yes
        ldap_allow_empty_groups: yes
        ldap_users:
          - user: proxy
            password: test
            description: "user for IdP Proxy"
        ldap_access_rules_additional:
          - >-
            to dn.subtree="dc=cesnet,dc=cz"
            by dn.exact="cn=proxy,dc=cesnet,dc=cz" read
            by * break

Example of installing a slave replica:

- hosts: cloud4.perun-aai.org
  remote_user: root
  tasks:
    - name: "create ldap slave replica"
      import_role:
        name: cesnet.openldap
      vars:
        ldap_domain: "cesnet.cz"
        ldap_top_organization: "perun"
        ldap_data_password: "test1"
        ldap_config_password: "test2"
        ldap_certificate_file: "/etc/letsencrypt/live/cloud4.perun-aai.org/cert.pem"
        ldap_certificate_key_file: "/etc/letsencrypt/live/cloud4.perun-aai.org/privkey.pem"
        ldap_certificate_chain_file: "/etc/letsencrypt/live/cloud4.perun-aai.org/chain.pem"
        ldap_slave_replica: yes
        ldap_replication_password: "test"
        ldap_master_url: 'ldaps://cloud6.perun-aai.org/'
        ldap_memberOf_overlay: yes

ansible-role-openldap's People

Contributors

martin-kuba avatar

Stargazers

avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.