add support for ldap replication

This commit is contained in:
Timo Makinen 2019-06-06 22:11:10 +03:00
parent b6b3dbbca3
commit b13fbe1c2a


@ -81,6 +81,25 @@ constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryD
# access without access to clear text data
directory /srv/ldap
{% if ldap_master is not defined %}
# replication
syncrepl rid={{ 999 | random(seed=inventory_hostname) }}
provider=ldaps://ldap01.foo.sh
type=refreshAndPersist
retry="10 10 60 +"
searchbase="{{ ldap_basedn }}"
filter="(objectClass=*)"
scope="sub"
sizelimit=500000
timelimit=360000
schemachecking="off"
bindmethod="simple"
tls_reqcert="demand"
binddn="uid=replicator,cn={{ inventory_hostname }},ou=Hosts,{{ ldap_basedn }}"
credentials="{{ ldap_replicator_pass[inventory_hostname] }}"
updateref ldaps://ldap01.foo.sh
{% endif %}
# for syncrepl
index entryCSN,entryUUID,objectClass eq
# for kerberos kdc
@ -110,6 +129,13 @@ access to *
by anonymous auth
by * break
{% if ldap_master is defined %}
# allow replicator to read everything
access to *
by dn.regex="uid=replicator,cn=[^,]+,ou=Hosts,{{ ldap_basedn }}" read
by * break
{% endif %}
# allow self to change password
access to attrs=userPassword
by self write
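Review bot: The replicator ACL in the second hunk uses an unanchored `dn.regex`, so the pattern also matches any DN that merely contains `uid=replicator,cn=<host>,ou=Hosts,<basedn>` as a substring (for example an entry created beneath one of the host entries), not only the per-host replicator accounts themselves; anchoring it is the conventional fix: `by dn.regex="^uid=replicator,cn=[^,]+,ou=Hosts,{{ ldap_basedn }}$" read`. Because `ldap_basedn` is interpolated into the regex verbatim, a base DN containing regex metacharacters would also change what the rule matches, so passing it through Ansible's `regex_escape` filter (or listing each host's replicator DN with `dn.exact`) keeps the match literal. Separately, the first hunk writes `ldap_replicator_pass[inventory_hostname]` in clear text into the rendered config, so the task that renders this template (not shown on this page) should set a restrictive owner and mode on the output file. The replicator rule is placed ahead of the `userPassword` rule, so the replicator also reads password hashes; that is presumably intended for a full replica, but a comment stating it would help, e.g. `# replicator must read all attributes (including userPassword) to serve a full replica`.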