first version of ldap server role
This commit is contained in:
parent
2804d730c9
commit
89aa8eb0ef
11 changed files with 2008 additions and 0 deletions
134
roles/ldap/server/templates/slapd.conf.j2
Normal file
134
roles/ldap/server/templates/slapd.conf.j2
Normal file
|
|
@ -0,0 +1,134 @@
|
|||
#
|
||||
# See slapd.conf(5) for details on configuration options.
|
||||
# This file should NOT be world readable.
|
||||
#
|
||||
|
||||
# schema configs in different file
|
||||
include /etc/openldap/schema/core.schema
|
||||
include /etc/openldap/schema/cosine.schema
|
||||
include /etc/openldap/schema/inetorgperson.schema
|
||||
include /etc/openldap/schema/kerberos.schema
|
||||
include /etc/openldap/schema/openssh-lpk.schema
|
||||
include /etc/openldap/schema/ppolicy.schema
|
||||
include /etc/openldap/schema/rfc2307bis.schema
|
||||
include /etc/openldap/schema/samba.schema
|
||||
|
||||
# disable logging (TODO: check different levels)
|
||||
loglevel none
|
||||
|
||||
# allow ldap version 2 binds
|
||||
allow bind_v2
|
||||
|
||||
# require modern ciphers for access
|
||||
localSSF 128
|
||||
security ssf=128
|
||||
|
||||
# use random id based on hostname
|
||||
serverID {{ 4095 | random(seed=inventory_hostname) }}
|
||||
|
||||
# limit search result sizes without hard limit
|
||||
sizelimit size.soft=500
|
||||
sizelimit size.hard=none
|
||||
|
||||
# pid and args files
|
||||
pidfile /run/openldap/slapd.pid
|
||||
argsfile /run/openldap/slapd.args
|
||||
|
||||
# overlay modules to load
|
||||
modulepath /usr/lib64/openldap
|
||||
moduleload ppolicy.la
|
||||
moduleload syncprov.la
|
||||
#moduleload smbkrb5pwd.la
|
||||
moduleload constraint.la
|
||||
|
||||
# certificates and ciphers (unfortunately modern cipher suite didn't work)
|
||||
TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
|
||||
TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key
|
||||
TLSCACertificatePath /etc/openldap/certs
|
||||
TLSVerifyClient try
|
||||
TLSECName prime256v1
|
||||
TLSCipherSuite {{ tls_ciphers }}
|
||||
TLSProtocolMin 3.3
|
||||
|
||||
#####################################################################
|
||||
# database dc=foo,dc=sh configurations
|
||||
#####################################################################
|
||||
|
||||
database mdb
|
||||
# 1GB i guess we don't go beyond this
|
||||
maxsize 1073741824
|
||||
|
||||
suffix "dc=foo,dc=sh"
|
||||
rootdn "cn=manager,dc=foo,dc=sh"
|
||||
|
||||
overlay ppolicy
|
||||
ppolicy_default cn=pwdPolicy,ou=System,dc=foo,dc=sh
|
||||
ppolicy_hash_cleartext
|
||||
ppolicy_use_lockout
|
||||
password-hash {CRYPT}
|
||||
password-crypt-salt-format "$6$.8s"
|
||||
|
||||
overlay syncprov
|
||||
syncprov-checkpoint 100 10
|
||||
syncprov-sessionlog 100
|
||||
|
||||
overlay constraint
|
||||
constraint_attribute loginShell regex ^/bin/(bash|tcsh|zsh)$
|
||||
constraint_attribute uniqueMember uri ldap:///ou=People,dc=foo,dc=sh?entryDN?one?(objectClass=inetOrgPerson)
|
||||
|
||||
# database directory
|
||||
# chmod 700 so ldap:ldap can create encrypted backups with group readable
|
||||
# access without access to clear text data
|
||||
directory /srv/ldap
|
||||
|
||||
# for syncrepl
|
||||
index entryCSN,entryUUID,objectClass eq
|
||||
|
||||
# map root user to manager when authenticating via socket
|
||||
authz-regexp
|
||||
"gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
|
||||
"cn=manager,dc=foo,dc=sh"
|
||||
# map rest of users authenticating via socket to correct ldap entries
|
||||
authz-regexp
|
||||
"gidNumber=([0-9]\+)\\\+uidNumber=([0-9]\+),cn=peercred,cn=external,cn=auth"
|
||||
"ldap:///dc=foo,dc=sh??sub?(&(uidNumber=$2)(objectClass=posixAccount))"
|
||||
|
||||
# require authentication for authenticated users that don't match above
|
||||
access to *
|
||||
by dn.children="cn=peercred,cn=external,cn=auth" auth
|
||||
by anonymous auth
|
||||
by * break
|
||||
|
||||
# allow self to change password
|
||||
access to attrs=userPassword
|
||||
by self write
|
||||
by * compare
|
||||
|
||||
# allow group owners to edit members
|
||||
access to dn.one=ou=Groups,dc=foo,dc=sh filter="(objectClass=groupOfUniqueNames)" attrs=owner,uniqueMember
|
||||
by dnattr=owner write
|
||||
by users read
|
||||
by * none
|
||||
|
||||
# allow self to change login shell
|
||||
access to dn.one=ou=People,dc=foo,dc=sh attrs=loginShell
|
||||
by self write
|
||||
by users read
|
||||
by * none
|
||||
|
||||
# block rest of queries to ou=System tree
|
||||
access to dn.sub=ou=System,dc=foo,dc=sh
|
||||
by * none
|
||||
|
||||
# for the rest allow users to read and block rest
|
||||
access to *
|
||||
by users read
|
||||
by * none
|
||||
|
||||
#####################################################################
|
||||
# database for monitoring (allow only access through local socket)
|
||||
#####################################################################
|
||||
database monitor
|
||||
access to *
|
||||
by sockurl=ldapi:/// read
|
||||
by * none
|
||||
Loading…
Add table
Add a link
Reference in a new issue