change ldap base dn entries to use variables

2019-05-29 01:59:00 +03:00 · 2019-05-29 01:59:00 +03:00 · 40abdfca64
commit 40abdfca64
parent 53cacdcb2e
1 changed files with 15 additions and 10 deletions
--- a/roles/ldap/server/templates/slapd.conf.j2
+++ b/roles/ldap/server/templates/slapd.conf.j2
@ -51,18 +51,18 @@ TLSCipherSuite {{ tls_ciphers }}
 TLSProtocolMin 3.3
 #####################################################################
-# database dc=foo,dc=sh configurations
+# database {{ ldap_basedn }} configurations
 #####################################################################
 database mdb
 # 1GB i guess we don't go beyond this
 maxsize 1073741824
-suffix "dc=foo,dc=sh"
+suffix "{{ ldap_basedn }}"
-rootdn "cn=manager,dc=foo,dc=sh"
+rootdn "cn=manager,{{ ldap_basedn }}"
 overlay ppolicy
-ppolicy_default cn=pwdPolicy,ou=System,dc=foo,dc=sh
+ppolicy_default cn=pwdPolicy,ou=System,{{ ldap_basedn }}
 ppolicy_hash_cleartext
 ppolicy_use_lockout
 password-hash {CRYPT}
@ -74,7 +74,7 @@ syncprov-sessionlog 100
 overlay constraint
 constraint_attribute loginShell regex ^/bin/(bash|tcsh|zsh)$
-constraint_attribute uniqueMember uri ldap:///ou=People,dc=foo,dc=sh?entryDN?one?(objectClass=inetOrgPerson)
+constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryDN?one?(objectClass=inetOrgPerson)
 # database directory
 # chmod 700 so ldap:ldap can create encrypted backups with group readable
@ -87,11 +87,11 @@ index entryCSN,entryUUID,objectClass eq
 # map root user to manager when authenticating via socket
 authz-regexp
    "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
-    "cn=manager,dc=foo,dc=sh"
+    "cn=manager,{{ ldap_basedn }}"
 # map rest of users authenticating via socket to correct ldap entries
 authz-regexp
    "gidNumber=([0-9]\+)\\\+uidNumber=([0-9]\+),cn=peercred,cn=external,cn=auth"
-    "ldap:///dc=foo,dc=sh??sub?(&(uidNumber=$2)(objectClass=posixAccount))"
+    "ldap:///{{ ldap_basedn }}??sub?(&(uidNumber=$2)(objectClass=posixAccount))"
 # require authentication for authenticated users that don't match above
 access to *
@ -104,20 +104,25 @@ access to attrs=userPassword
    by self write
    by * compare
 # allow kerberos to read own objects
 access to dn.sub=cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}
    by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
    by * none
 # allow group owners to edit members
-access to dn.one=ou=Groups,dc=foo,dc=sh filter="(objectClass=groupOfUniqueNames)" attrs=owner,uniqueMember
+access to dn.one=ou=Groups,{{ ldap_basedn }} filter="(objectClass=groupOfUniqueNames)" attrs=owner,uniqueMember
    by dnattr=owner write
    by users read
    by * none
 # allow self to change login shell
-access to dn.one=ou=People,dc=foo,dc=sh attrs=loginShell
+access to dn.one=ou=People,{{ ldap_basedn }} attrs=loginShell
    by self write
    by users read
    by * none
 # block rest of queries to ou=System tree
-access to dn.sub=ou=System,dc=foo,dc=sh
+access to dn.sub=ou=System,{{ ldap_basedn }}
    by * none
 # for the rest allow users to read and block rest