diff --git a/defaults/main.yml b/defaults/main.yml
index 4beee11..406f6d9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+ldap_proxy_base_dir: /etc/openldap/certs
 ldap_proxy_urls:
 - "ldapi:/// ldap:///"
 ldap_proxy_options: []
@@ -24,12 +25,19 @@ ldap_proxy_tls_source_use_files: True
 ldap_proxy_tls_cert_source: mycert.pem
 ldap_proxy_tls_key_source: mykey.pem
 ldap_proxy_tls_ca_source: ca.pem
-ldap_proxy_tls_cert_path: /etc/openldap/certs/mycert.pem
-ldap_proxy_tls_key_path: /etc/openldap/certs/mykey.pem
-ldap_proxy_tls_ca_path: /etc/openldap/certs/ca.path
+ldap_proxy_tls_cert_path: "{{ ldap_proxy_base_dir }}/mycert.pem"
+ldap_proxy_tls_key_path: "{{ ldap_proxy_base_dir }}/mykey.pem"
+ldap_proxy_tls_ca_path: "{{ ldap_proxy_base_dir }}/ca.path"
 ldap_proxy_server: "ldap://ad.example.com:389"
 ldap_proxy_server_suffix: "dc=example,dc=com"
 ldap_proxy_readonly_enabled: True
 ldap_proxy_loglevel: 0
+
+ldap_proxy_acl_file: "{{ ldap_proxy_base_dir }}/slapd.access"
+ldap_proxy_acls:
+  - access_to:
+    - '*'
+    access_by:
+    - '* read'
diff --git a/templates/etc/openldap/slapd.access.j2 b/templates/etc/openldap/slapd.access.j2
new file mode 100644
index 0000000..f5f4266
--- /dev/null
+++ b/templates/etc/openldap/slapd.access.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+{% for acl in ldap_proxy_acls %}
+access to {{ acl.access_to | join(' ') }}
+{% for item in acl.access_by %}
+  {{ item }}
+{% endfor %}
+{% endfor %}
diff --git a/templates/etc/openldap/slapd.conf.j2 b/templates/etc/openldap/slapd.conf.j2
index b3acdee..645d727 100644
--- a/templates/etc/openldap/slapd.conf.j2
+++ b/templates/etc/openldap/slapd.conf.j2
@@ -40,5 +40,8 @@ rebind-as-user
 uri "{{ ldap_proxy_server }}"
 suffix "{{ ldap_proxy_server_suffix }}"
+### ACL definition #########################################
+include "{{ ldap_proxy_acl_file }}"
+
 ### Logging ###################################################################
 loglevel {{ ldap_proxy_loglevel }}
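Review bot: `ldap_proxy_base_dir` is named as a generic base directory but its default is the certificate directory `/etc/openldap/certs`, and the second hunk of this file then places the non-certificate file `slapd.access` in that same directory via `ldap_proxy_acl_file`. Either the variable should be named for what it holds (`ldap_proxy_cert_dir`) with the ACL file defaulting elsewhere, or the default should be `/etc/openldap` with `certs/` added to the three `ldap_proxy_tls_*_path` values. If the directory is kept as is, at least a comment above the key should say that both certificates and the ACL include file are written there, e.g. `# Directory that receives the TLS material and the generated slapd.access file`.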
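Review bot: The rewritten `ldap_proxy_tls_ca_path` still ends in `ca.path` while `ldap_proxy_tls_ca_source` three lines above is `ca.pem`, so rewriting these lines was the moment to fix what looks like a typo: `ldap_proxy_tls_ca_path: "{{ ldap_proxy_base_dir }}/ca.pem"`. Whether the mismatch is harmful depends on the copy task that pairs source and path, which is outside this diff, so confirm against it before changing. Separately, the new `ldap_proxy_acls` default renders to a single rule granting anonymous read on the entire proxied tree; that matches what slapd does when no `access` directive is present at all, but now that the role emits ACLs explicitly, a comment above the key should say so, e.g. `# Default: anonymous read on everything (slapd's built-in default); override per deployment`.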
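Review bot: The rendered rule is missing slapd's `by` keyword: with the default `access_by` entry `'* read'` this template emits `access to *` followed by the continuation line `  * read`, which slapd's ACL parser should reject because each who-clause of an `access` directive must start with `by`. The more robust fix is to emit the keyword in the template, `  by {{ item }}`, so operators list only `<who> <access>` pairs; the alternative is to change the default in `defaults/main.yml` to `'by * read'` and document that every entry must carry the keyword. Whichever is chosen, the `access_to` / `access_by` structure deserves a comment at the top of the template describing the expected shape, since the variable has no schema elsewhere in this diff.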
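Review bot: The new `include` is placed after `suffix`, so the included ACLs are scoped to the database definition that begins before this hunk; that is presumably intended, but the included file must exist before slapd (re)starts and edits to it must trigger the same restart/reload as `slapd.conf`, which only the tasks outside this diff can guarantee, so confirm the template task for `slapd.access` notifies that handler. A short comment on the include would help the next reader: `# ACLs live in a separate file so they can be regenerated without touching the rest of slapd.conf`. Minor style point: the `### ACL definition ###...` banner is shorter than the `### Logging` banner on the following line; padding it to the same width keeps the section headers scannable.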