OpenLDAP basic DIT with some OUs, some users and corresponding ACLs.
- one simpleSecurityObject
ldap-admin
withmanage
permissions on everything - one simpleSecurityObject
sssd-user
withread
permissions on everything - three regular users (
posixAccount
andinetOrgPerson
) to use for actual logins - one
posixGroup
that the three regular users have asgidNumber
This role should be run against/on a LDAP server. Tested against OpenLDAP 2.4 on Debian 8/9/10, CentOS 7/8, openSUSE Leap 15.x and SLES15 currently.
The role will install any dependencies that Ansible's ldap_attr
or ldap_entry
modules need.
Role logic This role has several parts, than can be enabled by setting some variables:
apply_ACLs
: (default: true) Whether or not to apply the ACLsadd_debugging_script_and_ldif_files
: (default: false) Whether debugging script and LDIF files should be createdremove_everything
: If you set this, the role will remove EVERYTHING it created, this includes files as well as directory entries. Only exception is the baseDN, as that cannot be deleted (easily).
Naming details
base_dn
: the desired baseDN, default value isdc=training,dc=b1-systems,dc=de
users_ou
: desired name of the OU for users, default value isou=users
groups_ou
: desired name of the OU for groups, default value isou=groups
rootdn_name
: relative DN of the rootDN, the base_dn will be added automatically (settings this tocn=b1admin
will make itcn=b1admin,dc=training,dc=b1-systems,dc=de
when using the default value for the baseDN)
Password Hashes
ldap_admin_password_hash
: (required) hashed password for the ldap-admin usersssd_user_password_hash
: (required) hashed password for the sssd-user userregular_users_password_hash
: (required) hashed password for the regular users
Please note, the regular users will share the same password. This is for testing purposes, obviously.
Cleartext passwords
In case you set the add_debugging_script_and_ldif_files
variable, this role will create a debugging script and lots of LDIF files to help with debugging. You can then delete and manually create users, groups or set/delete the ACLs.
The debugging script needs the cleartext passwords of the users. This should obviously not be used on productive servers with real passwords!
rootdn_password
: cleartext password of the rootDNldap_admin_password
: cleartext password of the ldap-admin usersssd_user_password
: cleartext password of the sssd-userregular_users_password
: cleartext password of the regular users
None
A simple playbook that will only do the minimum will look like this:
- hosts: servers
roles:
- role: 'johanneskastl.ldap_data_basic_example'
To delete everything this role created, use a playbook like this:
- hosts: servers
roles:
- role: 'johanneskastl.ldap_data_basic_example'
vars:
remove_everything: 'true'
A playbook that will not only create the groups and users in LDAP but also create the debugging script and LDIF files will be a little more work:
- hosts: servers
roles:
- role: 'johanneskastl.ldap_data_basic_example'
vars:
# create ACL debugging script
add_debugging_script_and_ldif_files: 'true'
rootdn_name: 'cn=Manager'
# Password Hashes
ldap_admin_password_hash: '{SSHA}0123456789abcdef}'
sssd_user_password_hash: '{SSHA}567890abcdef12345'
regular_users_password_hash: '{SSHA}abcdef123456789'
# Passwords
rootdn_password: 'totallysupersecret'
ldap_admin_password: 'alsoreallysecret'
sssd_user_password: 'shouldalsobesecret'
regular_users_password: 'secret'
BSD-3-Clause
I am Johannes Kastl, reachable via [email protected].