add support for ldap replication
This commit is contained in:
parent
b6b3dbbca3
commit
b13fbe1c2a
1 changed files with 26 additions and 0 deletions
|
@ -81,6 +81,25 @@ constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryD
|
|||
# access without access to clear text data
|
||||
directory /srv/ldap
|
||||
|
||||
{% if ldap_master is not defined %}
|
||||
# replication
|
||||
syncrepl rid={{ 999 | random(seed=inventory_hostname) }}
|
||||
provider=ldaps://ldap01.foo.sh
|
||||
type=refreshAndPersist
|
||||
retry="10 10 60 +"
|
||||
searchbase="{{ ldap_basedn }}"
|
||||
filter="(objectClass=*)"
|
||||
scope="sub"
|
||||
sizelimit=500000
|
||||
timelimit=360000
|
||||
schemachecking="off"
|
||||
bindmethod="simple"
|
||||
tls_reqcert="demand"
|
||||
binddn="uid=replicator,cn={{ inventory_hostname }},ou=Hosts,{{ ldap_basedn }}"
|
||||
credentials="{{ ldap_replicator_pass[inventory_hostname] }}"
|
||||
updateref ldaps://ldap01.foo.sh
|
||||
|
||||
{% endif %}
|
||||
# for syncrepl
|
||||
index entryCSN,entryUUID,objectClass eq
|
||||
# for kerberos kdc
|
||||
|
@ -110,6 +129,13 @@ access to *
|
|||
by anonymous auth
|
||||
by * break
|
||||
|
||||
{% if ldap_master is defined %}
|
||||
# allow replicator to read everything
|
||||
access to *
|
||||
by dn.regex="uid=replicator,cn=[^,]+,ou=Hosts,{{ ldap_basedn }}" read
|
||||
by * break
|
||||
|
||||
{% endif %}
|
||||
# allow self to change password
|
||||
access to attrs=userPassword
|
||||
by self write
|
||||
|
|
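Review bot: The replicator ACL added in the second hunk, `by dn.regex="uid=replicator,cn=[^,]+,ou=Hosts,{{ ldap_basedn }}" read`, is an unanchored regex, and as far as I know slapd matches dn.regex against the whole normalized DN without implicit anchors, so it would also accept any DN that merely contains that substring; anchoring it as `by dn.regex="^uid=replicator,cn=[^,]+,ou=Hosts,{{ ldap_basedn }}$" read` (and passing the base DN through the `regex_escape` filter if it can ever hold regex metacharacters) restricts the grant to replicator entries directly under ou=Hosts. Since this rule is on `access to *` and precedes the userPassword rule, it grants read on every attribute including password hashes, which syncrepl needs but deserves a comment above it such as `# replicator must read all attributes, userPassword included, for syncrepl`. On the consumer side in the first hunk, `credentials="{{ ldap_replicator_pass[inventory_hostname] }}"` ends up as plaintext in the rendered slapd.conf, so the task that writes this template should set owner/mode so only the slapd user can read it; the task is not visible in this diff, so please confirm. The per-host replicator password and `tls_reqcert="demand"` against an `ldaps://` provider are sound choices.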