From 40abdfca64b0237896f5103cab99c1902c46d82e Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Wed, 29 May 2019 01:59:00 +0300
Subject: [PATCH] change ldap base dn entries to use variables

---
 roles/ldap/server/templates/slapd.conf.j2 | 25 ++++++++++++++---------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/roles/ldap/server/templates/slapd.conf.j2 b/roles/ldap/server/templates/slapd.conf.j2
index d2fce22..ebd2241 100644
--- a/roles/ldap/server/templates/slapd.conf.j2
+++ b/roles/ldap/server/templates/slapd.conf.j2
@@ -51,18 +51,18 @@ TLSCipherSuite {{ tls_ciphers }}
 TLSProtocolMin 3.3
 #####################################################################
-# database dc=foo,dc=sh configurations
+# database {{ ldap_basedn }} configurations
 #####################################################################
 database mdb
 # 1GB i guess we don't go beyond this
 maxsize 1073741824
-suffix "dc=foo,dc=sh"
-rootdn "cn=manager,dc=foo,dc=sh"
+suffix "{{ ldap_basedn }}"
+rootdn "cn=manager,{{ ldap_basedn }}"
 overlay ppolicy
-ppolicy_default cn=pwdPolicy,ou=System,dc=foo,dc=sh
+ppolicy_default cn=pwdPolicy,ou=System,{{ ldap_basedn }}
 ppolicy_hash_cleartext
 ppolicy_use_lockout
 password-hash {CRYPT}
@@ -74,7 +74,7 @@ syncprov-sessionlog 100
 overlay constraint
 constraint_attribute loginShell regex ^/bin/(bash|tcsh|zsh)$
-constraint_attribute uniqueMember uri ldap:///ou=People,dc=foo,dc=sh?entryDN?one?(objectClass=inetOrgPerson)
+constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryDN?one?(objectClass=inetOrgPerson)
 # database directory
 # chmod 700 so ldap:ldap can create encrypted backups with group readable
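Review bot: `{{ ldap_basedn }}` is substituted verbatim into quoted directives (`suffix`, `rootdn`), unquoted ones (`ppolicy_default` here, the `access to dn.*` targets in the fourth hunk) and LDAP URLs (the `constraint_attribute` URI in the second hunk, the `authz-regexp` URI in the third), so a value containing whitespace, a double quote, `?` or an unescaped `,` in an attribute value renders a config that slapd either rejects or parses differently from what was intended. The template cannot defend against that itself; the role should check the variable's shape before rendering, for example an Ansible `assert` task with `that: ldap_basedn is match('^[A-Za-z]+=[^,"?\s]+(,[A-Za-z]+=[^,"?\s]+)*$')` (constructed example), or at minimum `{{ ldap_basedn | mandatory }}` so an undefined variable fails the play instead of rendering an empty suffix. A template comment near the database header would also help: `# ldap_basedn must be a plain DN such as dc=example,dc=org (no spaces or quotes); it is embedded unescaped below`.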
@@ -87,11 +87,11 @@ index entryCSN,entryUUID,objectClass eq
 # map root user to manager when authenticating via socket
 authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
- "cn=manager,dc=foo,dc=sh"
+ "cn=manager,{{ ldap_basedn }}"
 # map rest of users authenticating via socket to correct ldap entries
 authz-regexp "gidNumber=([0-9]\+)\\\+uidNumber=([0-9]\+),cn=peercred,cn=external,cn=auth"
- "ldap:///dc=foo,dc=sh??sub?(&(uidNumber=$2)(objectClass=posixAccount))"
+ "ldap:///{{ ldap_basedn }}??sub?(&(uidNumber=$2)(objectClass=posixAccount))"
 # require authentication for authenticated users that don't match above
 access to *
@@ -104,20 +104,25 @@ access to attrs=userPassword
 by self write
 by * compare
+# allow kerberos to read own objects
+access to dn.sub=cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}
+ by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
+ by * none
+
 # allow group owners to edit members
-access to dn.one=ou=Groups,dc=foo,dc=sh filter="(objectClass=groupOfUniqueNames)" attrs=owner,uniqueMember
+access to dn.one=ou=Groups,{{ ldap_basedn }} filter="(objectClass=groupOfUniqueNames)" attrs=owner,uniqueMember
 by dnattr=owner write
 by users read
 by * none
 # allow self to change login shell
-access to dn.one=ou=People,dc=foo,dc=sh attrs=loginShell
+access to dn.one=ou=People,{{ ldap_basedn }} attrs=loginShell
 by self write
 by users read
 by * none
 # block rest of queries to ou=System tree
-access to dn.sub=ou=System,dc=foo,dc=sh
+access to dn.sub=ou=System,{{ ldap_basedn }}
 by * none
 # for the rest allow users to read and block rest
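Review bot: The new `access to dn.sub=cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}` rule in the last hunk is a functional change that the commit title (variable substitution only) does not mention, and its placement is load-bearing: slapd selects the first `access to` clause whose target matches, so the KDC identity only gets `read` because this rule sits above the `dn.sub=ou=System` deny rule later in the same hunk, while the `access to attrs=userPassword` clause that opens the hunk (its start is outside the hunk) still takes precedence for that attribute inside the realm subtree. The comment should record that dependency, e.g. `# KDC service identity may read its realm container; must stay above the ou=System deny rule below (first matching "access to" wins)`. Whether another Kerberos identity, such as an admin-server principal, is expected to write under this subtree is not visible here; if so it is now caught by this rule's `by * none` and would need its own clause above it.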