From d512c8b8bd4bb6ecdc5180afb44d92b0ba8a2d96 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 6 Jun 2019 01:58:04 +0300
Subject: [PATCH] add gssapi auth support for ldap server
---
 roles/ldap/server/meta/main.yml | 1 +
 roles/ldap/server/tasks/main.yml | 9 +++++++++
 2 files changed, 10 insertions(+)
diff --git a/roles/ldap/server/meta/main.yml b/roles/ldap/server/meta/main.yml
index ba5147e..700faae 100644
--- a/roles/ldap/server/meta/main.yml
+++ b/roles/ldap/server/meta/main.yml
@@ -1,5 +1,6 @@
 ---
 dependencies:
+ - {role: kerberos/client}
 - {role: ldap/client}
 - {role: saslauthd}
diff --git a/roles/ldap/server/tasks/main.yml b/roles/ldap/server/tasks/main.yml
index 9171db1..2299e1f 100644
--- a/roles/ldap/server/tasks/main.yml
+++ b/roles/ldap/server/tasks/main.yml
@@ -4,6 +4,7 @@
 name: "{{ item }}"
 state: installed
 with_items:
+ - cyrus-sasl-gssapi
 - openldap-servers
 - ldapvi
@@ -173,3 +174,11 @@
 name: slapd
 state: started
 enabled: true
+
+- name: create slapd keytab
+ import_role:
+ name: kerberos/keytab
+ vars:
+ keytab: /etc/openldap/slapd.keytab
+ principals: ["ldap/{{ inventory_hostname }}@{{ kerberos_realm }}"]
+ group: ldap
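Review bot: The new `create slapd keytab` task at the end of tasks/main.yml passes only `group: ldap` to kerberos/keytab, so the owner and mode of `/etc/openldap/slapd.keytab` are left to defaults of a role that is not visible in this patch. That file holds the long-term key of the ldap service principal, and anyone who can read it can impersonate the directory server, so it is worth confirming that it ends up root-owned, group ldap and not world-readable (0640), or pinning that at this call site. The principal is built from `inventory_hostname`, which matches what Kerberos clients request only if every inventory name is the server's canonical FQDN; if that is not guaranteed, `principals: ["ldap/{{ ansible_fqdn }}@{{ kerberos_realm }}"]` is the safer form. The task also runs after slapd has been started, and the visible lines neither point slapd at this keytab (for example through KRB5_KTNAME in its environment) nor restart it, so unless the rest of the role handles that, GSSAPI binds would presumably not work until it is configured and the service is restarted.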