ldap_server: Rename role from ldap-server to ldap_server
This commit is contained in:
parent
646cda06cb
commit
4d71934575
15 changed files with 1 additions and 1 deletions
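--- a/roles/ldap_server/templates/slapd.conf.j2
+++ b/roles/ldap_server/templates/slapd.conf.j2
@@ -0,0 +1,200 @@
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+
+# schema configs in different file
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/kerberos.schema
+include /etc/openldap/schema/openssh-lpk.schema
+include /etc/openldap/schema/ppolicy.schema
+include /etc/openldap/schema/rfc2307bis.schema
+include /etc/openldap/schema/samba.schema
+
+# log statistics for connections, operations and results
+loglevel 256
+
+# allow ldap version 2 binds
+allow bind_v2
+
+# require modern ciphers for access
+localSSF 128
+security ssf=128
+
+# use random id based on hostname
+serverID {{ 4095 | random(seed=inventory_hostname) }}
+
+# limit search result sizes without hard limit
+sizelimit size.soft=500
+sizelimit size.hard=none
+
+# pid and args files
+pidfile /run/openldap/slapd.pid
+argsfile /run/openldap/slapd.args
+
+# overlay modules to load
+modulepath /usr/lib64/openldap
+moduleload ppolicy.la
+moduleload syncprov.la
+#moduleload smbkrb5pwd.la
+moduleload constraint.la
+
+# certificates and ciphers (unfortunately modern cipher suite didn't work)
+TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
+TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key
+TLSCACertificatePath /etc/openldap/certs
+TLSDHParamFile {{ tls_certs }}/ffdhe3072.pem
+TLSVerifyClient try
+TLSECName prime256v1
+TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+TLSProtocolMin 3.3
+
+# force hostname to get kerberos working correctly behind proxies
+sasl-host ldap.foo.sh
+
+#####################################################################
+# database {{ ldap_basedn }} configurations
+#####################################################################
+
+database mdb
+# 1GB i guess we don't go beyond this
+maxsize 1073741824
+
+suffix "{{ ldap_basedn }}"
+rootdn "cn=manager,{{ ldap_basedn }}"
+
+overlay ppolicy
+ppolicy_default cn=pwdPolicy,ou=System,{{ ldap_basedn }}
+ppolicy_hash_cleartext
+ppolicy_use_lockout
+password-hash {CRYPT}
+password-crypt-salt-format "$6$.8s"
+
+overlay syncprov
+syncprov-checkpoint 100 10
+syncprov-sessionlog 100
+
+overlay constraint
+constraint_attribute loginShell regex ^/bin/(bash|tcsh|zsh)$
+constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryDN?one?(objectClass=inetOrgPerson)
+
+# database directory
+# chmod 700 so ldap:ldap can create encrypted backups with group readable
+# access without access to clear text data
+directory /srv/ldap
+
+{% if ldap_master is not defined %}
+# replication
+syncrepl rid={{ 999 | random(seed=inventory_hostname) }}
+provider=ldaps://ldap01.foo.sh
+type=refreshAndPersist
+retry="10 10 60 +"
+searchbase="{{ ldap_basedn }}"
+filter="(objectClass=*)"
+scope="sub"
+sizelimit=500000
+timelimit=360000
+schemachecking="off"
+bindmethod="simple"
+tls_reqcert="demand"
+binddn="uid=replicator,cn={{ inventory_hostname }},ou=Hosts,{{ ldap_basedn }}"
+credentials="{{ ldap_replicator_pass[inventory_hostname] }}"
+updateref ldaps://ldap01.foo.sh
+
+{% endif %}
+# for syncrepl
+index entryCSN,entryUUID,objectClass eq
+# for kerberos kdc
+index krbPrincipalName eq
+# for username lookups
+index uid eq
+
+# map root user to manager when authenticating via socket
+authz-regexp
+"gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
+"cn=manager,{{ ldap_basedn }}"
+# map rest of users authenticating via socket to correct ldap entries
+authz-regexp
+"gidNumber=([0-9]\+)\\\+uidNumber=([0-9]\+),cn=peercred,cn=external,cn=auth"
+"ldap:///{{ ldap_basedn }}??sub?(&(uidNumber=$2)(objectClass=posixAccount))"
+# map kerberos users
+authz-regexp
+"uid=([^,]\+),cn=gssapi,cn=auth"
+"ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))"
+authz-regexp
+"uid=([^,]\+),cn=gss-spnego,cn=auth"
+"ldap:///{{ ldap_basedn }}??sub?(&(uid=$1)(objectClass=posixAccount))"
+
+# require authentication for authenticated users that don't match above
+access to *
+by dn.children="cn=peercred,cn=external,cn=auth" auth
+by dn.children="cn=gssapi,cn=auth" auth
+by dn.children="cn=gss-spnego,cn=auth" auth
+by anonymous auth
+by * break
+
+{% if ldap_master is defined %}
+# allow replicator to read everything
+access to *
+by dn.regex="uid=replicator,cn=[^,]+,ou=Hosts,{{ ldap_basedn }}" read
+by * break
+
+{% endif %}
+# allow self to change password
+access to attrs=userPassword
+by self write
+by * compare
+
+# allow kerberos to write password changes
+access to attrs=krbPrincipalKey,krbExtraData,krbLoginFailedCount,krbTicketFlags,krbPasswordExpiration,krbLastPwdChange
+by dn.exact="uid=krb5kadmin,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" write
+by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
+by * none
+
+# allow kerberos to read own objects
+access to dn.sub=cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}
+by dn.exact="uid=krb5kadmin,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
+by dn.exact="uid=krb5kdc,cn={{ kerberos_realm }},ou=System,{{ ldap_basedn }}" read
+by * none
+
+# allow group owners to edit members
+access to dn.one=ou=Groups,{{ ldap_basedn }} filter="(objectClass=groupOfUniqueNames)" attrs=owner,uniqueMember
+by dnattr=owner write
+by users read
+by * none
+
+# allow self to change login shell
+access to dn.one=ou=People,{{ ldap_basedn }} attrs=loginShell
+by self write
+by users read
+by * none
+
+# allow reads to netgroups
+# TODO: change that only sysadm + host certs can read
+access to dn.sub=ou=Netgroup,ou=System,{{ ldap_basedn }}
+by users read
+by * none
+
+# allow reads to ou=System object itself
+access to dn.base=ou=System,{{ ldap_basedn }}
+by users read
+by * none
+
+# block rest of queries to ou=System tree
+access to dn.sub=ou=System,{{ ldap_basedn }}
+by * none
+
+# for the rest allow users to read and block rest
+access to *
+by users read
+by * none
+
+#####################################################################
+# database for monitoring (allow only access through local socket)
+#####################################################################
+database monitor
+access to *
+by sockurl=ldapi:/// read
+by * none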
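Review bot: The samba.schema included at the top brings `sambaNTPassword` and `sambaLMPassword` into the directory, but no `access to attrs=` rule covers them, so they fall through to the final `access to * by users read` and any authenticated user (plus the replicator on the master) could read every account's NT hash if those attributes are ever populated; smbkrb5pwd is only a commented-out `moduleload` here, so they may be empty today, but the ACL should not depend on that. I would add, just before the fallback rule, `access to attrs=sambaNTPassword,sambaLMPassword,sambaPasswordHistory` / `by * none`, widening it to the password-changing identity only if the smbkrb5pwd overlay is enabled later. Relatedly, `access to attrs=userPassword ... by * compare` grants compare to anonymous binds, which is a password-guessing oracle for any DN; the ppolicy overlay may count failed compares toward lockout, but `by self write` / `by anonymous auth` / `by users compare` keeps simple binds working without offering that oracle to unauthenticated clients. `allow bind_v2` additionally enables the obsolete LDAPv2 protocol, and nothing in this file appears to need it. The `by ...` continuation lines under each `access to` and the `syncrepl` block show no leading whitespace in this view, which slapd.conf requires; presumably that is lost in rendering rather than in the file, but it is worth a glance at the template itself.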