foo.sh/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add support for ldap replication

Browse source
This commit is contained in:
Timo Makinen 2019-06-06 22:11:10 +03:00
parent b6b3dbbca3
commit b13fbe1c2a
1 changed files with 26 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

26
roles/ldap/server/templates/slapd.conf.j2
View file

@ -81,6 +81,25 @@ constraint_attribute uniqueMember uri ldap:///ou=People,{{ ldap_basedn }}?entryD
# access without access to clear text data # access without access to clear text data
directory /srv/ldap directory /srv/ldap
{% if ldap_master is not defined %}
# replication
syncrepl rid={{ 999 | random(seed=inventory_hostname) }}
provider=ldaps://ldap01.foo.sh
type=refreshAndPersist
retry="10 10 60 +"
searchbase="{{ ldap_basedn }}"
filter="(objectClass=*)"
scope="sub"
sizelimit=500000
timelimit=360000
schemachecking="off"
bindmethod="simple"
tls_reqcert="demand"
binddn="uid=replicator,cn={{ inventory_hostname }},ou=Hosts,{{ ldap_basedn }}"
credentials="{{ ldap_replicator_pass[inventory_hostname] }}"
updateref ldaps://ldap01.foo.sh
{% endif %}
# for syncrepl # for syncrepl
index entryCSN,entryUUID,objectClass eq index entryCSN,entryUUID,objectClass eq
# for kerberos kdc # for kerberos kdc
@ -110,6 +129,13 @@ access to *
by anonymous auth by anonymous auth
by * break by * break
{% if ldap_master is defined %}
# allow replicator to read everything
access to *
by dn.regex="uid=replicator,cn=[^,]+,ou=Hosts,{{ ldap_basedn }}" read
by * break
{% endif %}
# allow self to change password # allow self to change password
access to attrs=userPassword access to attrs=userPassword
by self write by self write