setup ldap acl

defaults/main.yml

@@ -1,4 +1,5 @@
 ---
+ldap_proxy_base_dir: /etc/openldap/certs
 ldap_proxy_urls:
   - "ldapi:/// ldap:///"
 ldap_proxy_options: []
@@ -24,12 +25,19 @@ ldap_proxy_tls_source_use_files: True
 ldap_proxy_tls_cert_source: mycert.pem
 ldap_proxy_tls_key_source: mykey.pem
 ldap_proxy_tls_ca_source: ca.pem
-ldap_proxy_tls_cert_path: /etc/openldap/certs/mycert.pem
+ldap_proxy_tls_cert_path: "{{ ldap_proxy_base_dir }}/mycert.pem"
-ldap_proxy_tls_key_path: /etc/openldap/certs/mykey.pem
+ldap_proxy_tls_key_path: "{{ ldap_proxy_base_dir }}/mykey.pem"
-ldap_proxy_tls_ca_path: /etc/openldap/certs/ca.path
+ldap_proxy_tls_ca_path: "{{ ldap_proxy_base_dir }}/ca.path"
 
 ldap_proxy_server: "ldap://ad.example.com:389"
 ldap_proxy_server_suffix: "dc=example,dc=com"
 ldap_proxy_readonly_enabled: True
 
 ldap_proxy_loglevel: 0
+
+ldap_proxy_acl_file: "{{ ldap_proxy_base_dir }}/slapd.access"
+ldap_proxy_acls:
+  - access_to:
+      - '*'
+    access_by:
+      - '* read'

templates/etc/openldap/slapd.access.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+{% for acl in ldap_proxy_acls %}
+access to {{ acl.access_to | join(' ') }}
+{% for item in acl.access_by %}
+    {{ item }}
+{% endfor %}
+{% endfor %}

templates/etc/openldap/slapd.conf.j2

@@ -40,5 +40,8 @@ rebind-as-user
 uri                     "{{ ldap_proxy_server }}"
 suffix                  "{{ ldap_proxy_server_suffix }}"
 
+### ACL definition #########################################
+include                 "{{ ldap_proxy_acl_file }}"
+
 ### Logging ###################################################################
 loglevel                {{ ldap_proxy_loglevel }}