setup ldap acl

2018-12-01 15:33:37 +01:00 · 2018-12-01 15:33:37 +01:00 · 4e61e1b07b
parent de065fac0d
commit 4e61e1b07b
3 changed files with 21 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,4 +1,5 @@
 ---
+ldap_proxy_base_dir: /etc/openldap/certs
 ldap_proxy_urls:
  - "ldapi:/// ldap:///"
 ldap_proxy_options: []
@ -24,12 +25,19 @@ ldap_proxy_tls_source_use_files: True
 ldap_proxy_tls_cert_source: mycert.pem
 ldap_proxy_tls_key_source: mykey.pem
 ldap_proxy_tls_ca_source: ca.pem
-ldap_proxy_tls_cert_path: /etc/openldap/certs/mycert.pem
-ldap_proxy_tls_key_path: /etc/openldap/certs/mykey.pem
-ldap_proxy_tls_ca_path: /etc/openldap/certs/ca.path
+ldap_proxy_tls_cert_path: "{{ ldap_proxy_base_dir }}/mycert.pem"
+ldap_proxy_tls_key_path: "{{ ldap_proxy_base_dir }}/mykey.pem"
+ldap_proxy_tls_ca_path: "{{ ldap_proxy_base_dir }}/ca.path"

 ldap_proxy_server: "ldap://ad.example.com:389"
 ldap_proxy_server_suffix: "dc=example,dc=com"
 ldap_proxy_readonly_enabled: True

 ldap_proxy_loglevel: 0
+
+ldap_proxy_acl_file: "{{ ldap_proxy_base_dir }}/slapd.access"
+ldap_proxy_acls:
+  - access_to:
+      - '*'
+    access_by:
+      - '* read'
--- a/templates/etc/openldap/slapd.access.j2
+++ b/templates/etc/openldap/slapd.access.j2
@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+{% for acl in ldap_proxy_acls %}
+access to {{ acl.access_to | join(' ') }}
+{% for item in acl.access_by %}
+    {{ item }}
+{% endfor %}
+{% endfor %}
--- a/templates/etc/openldap/slapd.conf.j2
+++ b/templates/etc/openldap/slapd.conf.j2
@ -40,5 +40,8 @@ rebind-as-user
 uri                     "{{ ldap_proxy_server }}"
 suffix                  "{{ ldap_proxy_server_suffix }}"

+### ACL definition #########################################
+include                 "{{ ldap_proxy_acl_file }}"
+
 ### Logging ###################################################################
 loglevel                {{ ldap_proxy_loglevel }}