add LDAP setup for auth1 container

2021-05-28 00:04:03 -04:00 · 2021-05-28 00:04:03 -04:00 · 1060a848c3
parent eb1844dc0d
commit 1060a848c3
11 changed files with 709 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+# Vim
+.*.swp
--- a/auth1/ldap/csc.schema
+++ b/auth1/ldap/csc.schema
@ -0,0 +1,35 @@
+# CSC Member Information Schema
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.1 NAME 'term'
+    EQUALITY caseIgnoreIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{5} )
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.2 NAME 'program'
+    EQUALITY caseIgnoreIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.3 NAME 'studentid'
+    EQUALITY caseIgnoreIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.4 NAME 'position'
+    EQUALITY caseIgnoreIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
+
+attributetype ( 1.3.6.1.4.1.27934.1.1.5 NAME 'nonMemberTerm'
+    EQUALITY caseIgnoreIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{5} )
+
+objectclass ( 1.3.6.1.4.1.27934.1.2.1 NAME 'member'
+    SUP top AUXILIARY
+    MUST ( cn $ uid )
+    MAY ( studentid $ program $ term $ nonMemberTerm $ description $ position ) )
+
+objectclass ( 1.3.6.1.4.1.27934.1.2.2 NAME 'club'
+    SUP top AUXILIARY
+    MUST ( cn $ uid ) )
+
+objectclass ( 1.3.6.1.4.1.27934.1.2.3 NAME 'group'
+    SUP top STRUCTURAL
+    MUST ( cn )
+    MAY ( uniqueMember ) )
--- a/auth1/ldap/data.ldif.j2
+++ b/auth1/ldap/data.ldif.j2
@ -0,0 +1,72 @@
+dn: {{ ldap_base }}
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+dc: csclub
+o: Computer Science Club
+
+dn: ou=People,{{ ldap_base }}
+objectClass: organizationalUnit
+ou: People
+
+dn: ou=Groups,{{ ldap_base }}
+objectClass: organizationalUnit
+ou: Groups
+
+dn: ou=SUDOers,{{ ldap_base }}
+objectClass: top
+objectClass: organizationalUnit
+ou: SUDOers
+
+dn: cn=defaults,ou=SUDOers,{{ ldap_base }}
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+sudoOption: !insults
+sudoOption: !lecture
+sudoOption: env_reset
+sudoOption: listpw=never
+sudoOption: shell_noargs
+
+dn: cn=syscom,ou=Groups,{{ ldap_base }}
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+cn: syscom
+gidNumber: 10001
+uniqueMember: uid=ctdalek,dc=People,{{ ldap_base }}
+
+dn: cn=%syscom,ou=SUDOers,{{ ldap_base }}
+objectClass: top
+objectClass: sudoRole
+cn: %syscom
+sudoUser: %syscom
+sudoHost: ALL
+sudoCommand: ALL
+sudoRunAsUser: ALL
+
+# The password for each user is slapd.
+# The hashes were generated with slappasswd.
+
+dn: uid=ctdalek,ou=People,{{ ldap_base }}
+cn: Calum Dalek
+userPassword: {SSHA}oaQvmex/jH2MeBsmxZ7YVyaKcC7zYwDK
+loginShell: /bin/bash
+homeDirectory: /home/ctdalek
+uidNumber: 10101
+uid: ctdalek
+gidNumber: 10101
+objectClass: top
+objectClass: account
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: member
+program: MAT/Mathematics Computer Science
+term: s2021
+
+dn: cn=ctdalek,ou=Groups,{{ ldap_base }}
+objectClass: top
+objectClass: group
+objectClass: posixGroup
+cn: ctdalek
+gidNumber: 10101
--- a/auth1/ldap/ldap.conf.j2
+++ b/auth1/ldap/ldap.conf.j2
@ -0,0 +1,20 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE   dc=example,dc=com
+#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
+BASE {{ ldap_base }}
+URI ldap://{{ auth1_ipv4_addr }}
+
+#SIZELIMIT      12
+#TIMELIMIT      15
+#DEREF          never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
+
+SUDOERS_BASE    ou=SUDOers,dc=csclub,dc=internal
--- a/auth1/ldap/nsswitch.conf
+++ b/auth1/ldap/nsswitch.conf
@ -0,0 +1,20 @@
+# /etc/nsswitch.conf
+#
+# Example configuration of GNU Name Service Switch functionality.
+# If you have the `glibc-doc-reference' and `info' packages installed, try:
+# `info libc "Name Service Switch"' for information about this file.
+
+passwd:         files ldap
+group:          files ldap
+shadow:         files ldap
+
+hosts:          files dns 
+networks:       files
+
+protocols:      db files
+services:       db files
+ethers:         db files
+rpc:            db files
+
+netgroup:       nis
+sudoers:        files ldap
--- a/auth1/ldap/rfc2307bis.schema
+++ b/auth1/ldap/rfc2307bis.schema
@ -0,0 +1,287 @@
+# builtin
+#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
+#  DESC 'An integer uniquely identifying a user in an administrative domain'
+#  EQUALITY integerMatch
+#  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+#  SINGLE-VALUE )
+#
+
+# builtin
+#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
+#  DESC 'An integer uniquely identifying a group in an
+#        administrative domain'
+#  EQUALITY integerMatch
+#  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+#  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos'
+  DESC 'The GECOS field; the common name'
+  EQUALITY caseIgnoreIA5Match
+  SUBSTR caseIgnoreIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
+  DESC 'The absolute path to the home directory'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
+  DESC 'The path to the login shell'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
+  DESC 'Netgroup triple'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
+  DESC 'Service port number'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
+  DESC 'Service protocol name'
+  SUP name )
+
+attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
+  DESC 'IP protocol number'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
+  DESC 'ONC RPC number'
+  EQUALITY integerMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+  SINGLE-VALUE )
+attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
+  DESC 'IPv4 addresses as a dotted decimal omitting leading
+        zeros or IPv6 addresses as defined in RFC2373'
+  SUP name )
+
+attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
+  DESC 'IP network as a dotted decimal, eg. 192.168,
+        omitting leading zeros'
+  SUP name
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
+  DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,
+        omitting leading zeros'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
+  DESC 'MAC address in maximal, colon separated hex
+        notation, eg. 00:00:92:90:ee:e2'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
+  DESC 'rpc.bootparamd parameter'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
+  DESC 'Boot image name'
+  EQUALITY caseExactIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
+  DESC 'Name of a A generic NIS map'
+  SUP name )
+
+attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
+  DESC 'A generic NIS entry'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+  SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
+  DESC 'NIS public key'
+  EQUALITY octetStringMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
+  DESC 'NIS secret key'
+  EQUALITY octetStringMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
+  DESC 'NIS domain'
+  EQUALITY caseIgnoreIA5Match
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+
+attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
+  DESC 'automount Map Name'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
+  DESC 'Automount Key value'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
+  DESC 'Automount information'
+  EQUALITY caseExactIA5Match
+  SUBSTR caseExactIA5SubstringsMatch
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
+  DESC 'Abstraction of an account with POSIX attributes'
+  MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
+  MAY ( userPassword $ loginShell $ gecos $
+        description ) )
+
+objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
+  DESC 'Additional attributes for shadow passwords'
+  MUST uid
+  MAY ( userPassword $ description $
+        shadowLastChange $ shadowMin $ shadowMax $
+        shadowWarning $ shadowInactive $
+        shadowExpire $ shadowFlag ) )
+
+objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
+  DESC 'Abstraction of a group of accounts'
+  MUST gidNumber
+  MAY ( userPassword $ memberUid $
+        description ) )
+
+objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
+  DESC 'Abstraction an Internet Protocol service.
+        Maps an IP port and protocol (such as tcp or udp)
+        to one or more names; the distinguished value of
+        the cn attribute denotes the services canonical
+        name'
+  MUST ( cn $ ipServicePort $ ipServiceProtocol )
+  MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
+  DESC 'Abstraction of an IP protocol. Maps a protocol number
+        to one or more names. The distinguished value of the cn
+        attribute denotes the protocols canonical name'
+  MUST ( cn $ ipProtocolNumber )
+  MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
+  DESC 'Abstraction of an Open Network Computing (ONC)
+       [RFC1057] Remote Procedure Call (RPC) binding.
+       This class maps an ONC RPC number to a name.
+       The distinguished value of the cn attribute denotes
+       the RPC services canonical name'
+  MUST ( cn $ oncRpcNumber )
+  MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
+  DESC 'Abstraction of a host, an IP device. The distinguished
+        value of the cn attribute denotes the hosts canonical
+        name. Device SHOULD be used as a structural class'
+  MUST ( cn $ ipHostNumber )
+  MAY ( userPassword $ l $ description $ manager ) )
+
+objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
+  DESC 'Abstraction of a network. The distinguished value of
+        the cn attribute denotes the networks canonical name'
+  MUST ipNetworkNumber
+  MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
+
+objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
+  DESC 'Abstraction of a netgroup. May refer to other netgroups'
+  MUST cn
+  MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
+
+objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
+  DESC 'A generic abstraction of a NIS map'
+  MUST nisMapName
+  MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
+  DESC 'An entry in a NIS map'
+  MUST ( cn $ nisMapEntry $ nisMapName )
+  MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
+  DESC 'A device with a MAC address; device SHOULD be
+        used as a structural class'
+  MAY macAddress )
+
+objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
+  DESC 'A device with boot parameters; device SHOULD be
+        used as a structural class'
+  MAY ( bootFile $ bootParameter ) )
+
+objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
+  DESC 'An object with a public and secret key'
+  MUST ( cn $ nisPublicKey $ nisSecretKey )
+  MAY ( uidNumber $ description ) )
+
+objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
+  DESC 'Associates a NIS domain with a naming context'
+  MUST nisDomain )
+
+objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
+  MUST ( automountMapName )
+  MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
+  DESC 'Automount information'
+  MUST ( automountKey $ automountInformation )
+  MAY description )
+## namedObject is needed for groups without members
+objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top
+       STRUCTURAL MAY cn )
+
--- a/auth1/ldap/slapd.conf.j2
+++ b/auth1/ldap/slapd.conf.j2
@ -0,0 +1,148 @@
+# This is the main slapd configuration file. See slapd.conf(5) for more
+# info on the configuration options.
+
+include         /etc/ldap/schema/core.schema
+include         /etc/ldap/schema/cosine.schema
+include         /etc/ldap/schema/rfc2307bis.schema
+include         /etc/ldap/schema/inetorgperson.schema
+include         /etc/ldap/schema/sudo.schema
+include         /etc/ldap/schema/csc.schema
+include         /etc/ldap/schema/misc.schema
+
+pidfile         /var/run/slapd/slapd.pid
+argsfile        /var/run/slapd/slapd.args
+
+#Warning: "stats" is *lots* of logging
+loglevel       sync
+#loglevel      stats config sync acl
+
+modulepath      /usr/lib/ldap
+moduleload      back_hdb
+moduleload      syncprov
+moduleload      auditlog
+moduleload      unique
+
+# resource limits
+#limits dn.base="cn=ldap-slave,{{ ldap_base }}" time=unlimited size=unlimited
+#limits group/group/uniqueMember="cn=syscom,ou=Group,{{ ldap_base }}" time=unlimited size=unlimited
+#limits group/group/uniqueMember="cn=office,ou=Group,{{ ldap_base }}" time=unlimited size=unlimited
+#limits users size=1000 time=300
+#limits *     size=10   time=30
+
+# the above don't seem to work
+sizelimit unlimited
+timelimit unlimited
+
+# enable TLS connections
+# TLSCertificateFile      /etc/ssl/private/csclub-wildcard-chain.crt
+# TLSCertificateKeyFile   /etc/ssl/private/csclub-wildcard.key
+
+# enable TLS client authentication
+#TLSCACertificateFile    /etc/ssl/certs/csclub.pem
+#TLSVerifyClient         allow
+
+# consider local connections encrypted
+localssf        128
+
+# map kerberos users to ldap users
+# sasl-realm      CSCLUB.UWATERLOO.CA
+# authz-regexp    "uid=([^/=]*),cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
+#                 "uid=$1,ou=people,{{ ldap_base }}"
+# authz-regexp    "uid=ceod/admin,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
+#                 "cn=ceod,{{ ldap_base }}"
+# authz-regexp    "uid=ldap/auth2.csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
+#                 "cn=ldap-slave,{{ ldap_base }}"
+# authz-regexp    "uid=renewal/([^/=]*).csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
+#                 "cn=renewal,{{ ldap_base }}"
+
+# map sasl external users to ldap users
+#authz-regexp    "cn=ldap[0-9].csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
+#                "cn=ldap-slave,{{ ldap_base }}"
+
+# kerberos has code to allow SASL external auth, but it doesn't work yet
+#authz-regexp    "cn=kdc[0-9].csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
+#                "cn=kerberos-kdc,{{ ldap_base }}"
+#authz-regexp    "cn=kadmin.csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
+#                "cn=kerberos-admin,{{ ldap_base }}"
+
+access to *
+        by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+        by * break
+
+# systems committee get full access
+access to *
+        by dn="cn=ceod,{{ ldap_base }}" write
+        by group/group/uniqueMember="cn=syscom,ou=Group,{{ ldap_base }}" write
+        by * break
+
+# slave servers get full read access for replication
+access to *
+        by dn="cn=ldap-slave,{{ ldap_base }}" read
+        by * break
+
+# allow office staff to add terms
+# the renewal program may do the same
+access to attrs=term
+        by group/group/uniqueMember="cn=office,ou=Group,{{ ldap_base }}" add
+        by dn="cn=renewal,{{ ldap_base }}" add
+        by * read
+access to attrs=nonMemberTerm
+        by group/group/uniqueMember="cn=office,ou=Group,{{ ldap_base }}" add
+        by dn="cn=renewal,{{ ldap_base }}" add
+        by * read
+
+# allow users to change their shells
+access to attrs=loginShell
+        by self write
+        by * read
+
+# allow simple authentication
+access to attrs=userPassword
+        by anonymous auth
+        by * none
+
+# allow access to attributes of top; they would otherwise be denied below
+access to attrs=@top
+        by * read
+
+# default permit
+access to *
+        by * read
+
+# main database options
+# note: the mdb backend has a horrible bug in 2.4.31
+#       that causes indexing to destroy the database
+database        hdb
+suffix          "{{ ldap_base }}"
+directory       "/var/lib/ldap"
+rootdn          cn=root,{{ ldap_base }}
+index           default eq
+index           objectClass
+index           entryCSN,entryUUID
+index           uid,uidNumber
+index           cn,gidNumber
+index           uniqueMember,memberUid
+index           sudoUser,sudoHost pres,sub,eq
+index           term,nonMemberTerm
+index           mailLocalAddress
+index           modifyTimestamp,createTimestamp
+
+# 4 MB cache. use db_stat -m to check hit rate
+#dbconfig        set_cachesize 0 4194304 0
+#cachesize       2000
+#idlcachesize    6000
+#checkpoint      512 30
+
+# log all changes to the directory
+overlay         auditlog
+auditlog        /var/log/ldap/audit.log
+
+# enforce uniqueness of usernames etc.
+overlay         unique
+unique_uri      ldap:///ou=People,{{ ldap_base }}?uid,uidNumber?sub
+unique_uri      ldap:///ou=Group,{{ ldap_base }}?cn,gidNumber?sub
+
+# this is the master server
+overlay syncprov
+syncprov-checkpoint 100 10
+syncprov-sessionlog 100
--- a/auth1/main.yml
+++ b/auth1/main.yml
@ -0,0 +1,120 @@
+---
+- hosts: auth1
+  vars:
+    ldap_base: "{{ base_domain.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
+  tasks:
+    - name: setup networking
+      import_role:
+        name: ../roles/network_setup
+      vars:
+        ipv4_addr: "{{ auth1_ipv4_addr }}"
+    - meta: flush_handlers
+    - name: install LDAP packages
+      apt:
+        name: "{{ item }}"
+      loop:
+        - slapd
+        - ldap-utils
+        - ldapvi
+        - libnss-ldapd
+        - libpam-ldapd
+        - nscd
+        - sudo-ldap
+    - name: copy slapd.conf
+      template:
+        src: ldap/slapd.conf.j2
+        dest: /etc/ldap/slapd.conf
+        owner: openldap
+        group: openldap
+      notify: restart slapd
+    - name: move slapd.d directory
+      command:
+        cmd: mv /etc/ldap/slapd.d /etc/ldap/slapd.d.bak
+        removes: /etc/ldap/slapd.d
+      notify: restart slapd
+    - name: copy sudo.schema
+      copy:
+        remote_src: yes
+        src: /usr/share/doc/sudo-ldap/schema.OpenLDAP
+        dest: /etc/ldap/schema/sudo.schema
+        owner: openldap
+        group: openldap
+      notify: restart slapd
+    - name: copy other schemas
+      copy:
+        src: "ldap/{{ item }}"
+        dest: "/etc/ldap/schema/{{ item }}"
+        owner: openldap
+        group: openldap
+      loop:
+        - rfc2307bis.schema
+        - csc.schema
+      notify: restart slapd
+    - name: copy DB_CONFIG
+      copy:
+        remote_src: yes
+        src: /usr/share/slapd/DB_CONFIG
+        dest: /var/lib/ldap/DB_CONFIG
+        owner: openldap
+        group: openldap
+      notify: restart slapd
+    - name: make sure slapd is running
+      systemd:
+        name: slapd
+        state: started
+    - name: determine if cn=config is present
+      command: ldapsearch -LLLQ -Y EXTERNAL -H ldapi:/// -b cn=config -s base
+      ignore_errors: yes
+      register: cn_config_cmd
+    - name: stop slapd
+      systemd:
+        name: slapd
+        state: stopped
+      when: cn_config_cmd.rc == 0
+    - name: purge old slapd database
+      shell: rm /var/lib/ldap/*
+      when: cn_config_cmd.rc == 0
+      notify: restart slapd
+    - name: copy ldap.conf
+      template:
+        src: ldap/ldap.conf.j2
+        dest: /etc/ldap/ldap.conf
+      notify:
+        - restart nslcd
+        - restart nscd
+    - name: add member->uniqueMember map
+      lineinfile:
+        line: map group member uniqueMember
+        path: /etc/nslcd.conf
+      notify: restart nslcd
+    - name: copy nsswitch.conf
+      copy:
+        src: ldap/nsswitch.conf
+        dest: /etc/nsswitch.conf
+      notify: restart nslcd
+    - name: disable mail_badpass for sudo
+      replace:
+        path: /etc/sudoers
+        regexp: "^(Defaults\\s+mail_badpass)$"
+        replace: "#\\1"
+    - meta: flush_handlers
+    - name: copy LDIF data
+      template:
+        src: ldap/data.ldif.j2
+        dest: /etc/ldap/data.ldif
+    - name: load LDIF data
+      command: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:///
+      ignore_errors: yes
+  handlers:
+    - name: restart slapd
+      systemd:
+        name: slapd
+        state: restarted
+    - name: restart nslcd
+      systemd:
+        name: nslcd
+        state: restarted
+    - name: restart nscd
+      systemd:
+        name: nscd
+        state: restarted
--- a/coffee/main.yml
+++ b/coffee/main.yml
@ -13,7 +13,7 @@
        state: present
    - name: override systemd services
      import_role:
-        name: ../../roles/systemd_workarounds
+        name: ../roles/systemd_workarounds
      vars:
        services: [ "mariadb" ]
    - name: allow remote connections to MariaDB
--- a/dns/templates/dnsmasq.conf.j2
+++ b/dns/templates/dnsmasq.conf.j2
@ -6,5 +6,6 @@ addn-hosts=/etc/dnsmasq_hosts
 address=/dns.{{ base_domain }}/{{ dns_ipv4_addr }}
 address=/mail.{{ base_domain }}/{{ mail_ipv4_addr }}
 cname=mailman.{{ base_domain }},mail.{{ base_domain }}
-address=/coffee.{{ base_domain }}/{{ coffee_ipv4_addr }}
 mx-host={{ base_domain }},mail.{{ base_domain }},50
+address=/coffee.{{ base_domain }}/{{ coffee_ipv4_addr }}
+address=/auth1.{{ base_domain }}/{{ auth1_ipv4_addr }}
--- a/2
+++ b/2
@ -2,6 +2,7 @@
 dns      ansible_lxc_host=dns
 mail     ansible_lxc_host=mail
 coffee   ansible_lxc_host=coffee
+auth1    ansible_lxc_host=auth1
 outsider ansible_lxc_host=outsider

 [containers:vars]
@ -16,3 +17,4 @@ outsider_ipv4_addr = 192.168.125.2
 dns_ipv4_addr      = 192.168.122.4
 mail_ipv4_addr     = 192.168.122.52
 coffee_ipv4_addr   = 192.168.122.20
+auth1_ipv4_addr    = 192.168.122.117