add LDAP setup for auth1 container
This commit is contained in:
parent
eb1844dc0d
commit
1060a848c3
|
@ -0,0 +1,2 @@
|
|||
# Vim
|
||||
.*.swp
|
|
@ -0,0 +1,35 @@
|
|||
# CSC Member Information Schema
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.27934.1.1.1 NAME 'term'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{5} )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.27934.1.1.2 NAME 'program'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{1024} SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.27934.1.1.3 NAME 'studentid'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{8} SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.27934.1.1.4 NAME 'position'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
|
||||
|
||||
attributetype ( 1.3.6.1.4.1.27934.1.1.5 NAME 'nonMemberTerm'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{5} )
|
||||
|
||||
objectclass ( 1.3.6.1.4.1.27934.1.2.1 NAME 'member'
|
||||
SUP top AUXILIARY
|
||||
MUST ( cn $ uid )
|
||||
MAY ( studentid $ program $ term $ nonMemberTerm $ description $ position ) )
|
||||
|
||||
objectclass ( 1.3.6.1.4.1.27934.1.2.2 NAME 'club'
|
||||
SUP top AUXILIARY
|
||||
MUST ( cn $ uid ) )
|
||||
|
||||
objectclass ( 1.3.6.1.4.1.27934.1.2.3 NAME 'group'
|
||||
SUP top STRUCTURAL
|
||||
MUST ( cn )
|
||||
MAY ( uniqueMember ) )
|
|
@ -0,0 +1,72 @@
|
|||
dn: {{ ldap_base }}
|
||||
objectClass: top
|
||||
objectClass: dcObject
|
||||
objectClass: organization
|
||||
dc: csclub
|
||||
o: Computer Science Club
|
||||
|
||||
dn: ou=People,{{ ldap_base }}
|
||||
objectClass: organizationalUnit
|
||||
ou: People
|
||||
|
||||
dn: ou=Groups,{{ ldap_base }}
|
||||
objectClass: organizationalUnit
|
||||
ou: Groups
|
||||
|
||||
dn: ou=SUDOers,{{ ldap_base }}
|
||||
objectClass: top
|
||||
objectClass: organizationalUnit
|
||||
ou: SUDOers
|
||||
|
||||
dn: cn=defaults,ou=SUDOers,{{ ldap_base }}
|
||||
objectClass: top
|
||||
objectClass: sudoRole
|
||||
cn: defaults
|
||||
sudoOption: !insults
|
||||
sudoOption: !lecture
|
||||
sudoOption: env_reset
|
||||
sudoOption: listpw=never
|
||||
sudoOption: shell_noargs
|
||||
|
||||
dn: cn=syscom,ou=Groups,{{ ldap_base }}
|
||||
objectClass: top
|
||||
objectClass: group
|
||||
objectClass: posixGroup
|
||||
cn: syscom
|
||||
gidNumber: 10001
|
||||
uniqueMember: uid=ctdalek,dc=People,{{ ldap_base }}
|
||||
|
||||
dn: cn=%syscom,ou=SUDOers,{{ ldap_base }}
|
||||
objectClass: top
|
||||
objectClass: sudoRole
|
||||
cn: %syscom
|
||||
sudoUser: %syscom
|
||||
sudoHost: ALL
|
||||
sudoCommand: ALL
|
||||
sudoRunAsUser: ALL
|
||||
|
||||
# The password for each user is slapd.
|
||||
# The hashes were generated with slappasswd.
|
||||
|
||||
dn: uid=ctdalek,ou=People,{{ ldap_base }}
|
||||
cn: Calum Dalek
|
||||
userPassword: {SSHA}oaQvmex/jH2MeBsmxZ7YVyaKcC7zYwDK
|
||||
loginShell: /bin/bash
|
||||
homeDirectory: /home/ctdalek
|
||||
uidNumber: 10101
|
||||
uid: ctdalek
|
||||
gidNumber: 10101
|
||||
objectClass: top
|
||||
objectClass: account
|
||||
objectClass: posixAccount
|
||||
objectClass: shadowAccount
|
||||
objectClass: member
|
||||
program: MAT/Mathematics Computer Science
|
||||
term: s2021
|
||||
|
||||
dn: cn=ctdalek,ou=Groups,{{ ldap_base }}
|
||||
objectClass: top
|
||||
objectClass: group
|
||||
objectClass: posixGroup
|
||||
cn: ctdalek
|
||||
gidNumber: 10101
|
|
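Review bot: The syscom group's member reference `uniqueMember: uid=ctdalek,dc=People,{{ ldap_base }}` does not match the DN the user entry is actually created under, `uid=ctdalek,ou=People,{{ ldap_base }}`, so everything that keys on this value (the `group/group/uniqueMember` ACLs in slapd.conf and the nslcd `map group member uniqueMember` line the playbook adds) will never see ctdalek as a syscom member and the `%syscom` sudo role will not apply; change it to `uniqueMember: uid=ctdalek,ou=People,{{ ldap_base }}`. This file also creates the container as `ou=Groups` while slapd.conf refers to `ou=Group` in its ACLs and `unique_uri` lines, so the syscom write ACL and the uniqueness overlay point at an OU that does not exist — pick one spelling for both files. The root entry hard-codes `dc: csclub` although its DN is `{{ ldap_base }}`; if `base_domain` does not start with `csclub`, the RDN value is absent from the entry and ldapadd rejects it, which the playbook's `ignore_errors` then hides. The comment above the ctdalek entry documents a single fixed password for every account, including a member of a sudo role with `ALL`/`ALL`; tolerable for a throwaway dev container, but the comment should say so explicitly (`# DEV ONLY: shared default password, never reuse outside the test containers`) or the hash should come from a vaulted variable so it is not committed.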
@ -0,0 +1,20 @@
|
|||
#
|
||||
# LDAP Defaults
|
||||
#
|
||||
|
||||
# See ldap.conf(5) for details
|
||||
# This file should be world readable but not world writable.
|
||||
|
||||
#BASE dc=example,dc=com
|
||||
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
|
||||
BASE {{ ldap_base }}
|
||||
URI ldap://{{ auth1_ipv4_addr }}
|
||||
|
||||
#SIZELIMIT 12
|
||||
#TIMELIMIT 15
|
||||
#DEREF never
|
||||
|
||||
# TLS certificates (needed for GnuTLS)
|
||||
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
|
||||
|
||||
SUDOERS_BASE ou=SUDOers,dc=csclub,dc=internal
|
|
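Review bot: `SUDOERS_BASE ou=SUDOers,dc=csclub,dc=internal` hard-codes the suffix while `BASE` a few lines above is templated from `ldap_base`, so the sudo lookup base silently diverges from the directory whenever `base_domain` is anything other than csclub.internal; write it as `SUDOERS_BASE ou=SUDOers,{{ ldap_base }}`. `URI ldap://{{ auth1_ipv4_addr }}` is a plaintext URI and the slapd.conf in this commit has its TLS directives commented out, so any simple bind a client performs through this file travels unencrypted; that is acceptable for a local dev container, but a comment stating it (`# dev only: no TLS, simple binds are cleartext`) would stop the template being copied into a real deployment unchanged.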
@ -0,0 +1,20 @@
|
|||
# /etc/nsswitch.conf
|
||||
#
|
||||
# Example configuration of GNU Name Service Switch functionality.
|
||||
# If you have the `glibc-doc-reference' and `info' packages installed, try:
|
||||
# `info libc "Name Service Switch"' for information about this file.
|
||||
|
||||
passwd: files ldap
|
||||
group: files ldap
|
||||
shadow: files ldap
|
||||
|
||||
hosts: files dns
|
||||
networks: files
|
||||
|
||||
protocols: db files
|
||||
services: db files
|
||||
ethers: db files
|
||||
rpc: db files
|
||||
|
||||
netgroup: nis
|
||||
sudoers: files ldap
|
|
@ -0,0 +1,287 @@
|
|||
# builtin
|
||||
#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
|
||||
# DESC 'An integer uniquely identifying a user in an administrative domain'
|
||||
# EQUALITY integerMatch
|
||||
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||
# SINGLE-VALUE )
|
||||
#
|
||||
|
||||
# builtin
|
||||
#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber'
|
||||
# DESC 'An integer uniquely identifying a group in an
|
||||
# administrative domain'
|
||||
# EQUALITY integerMatch
|
||||
# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||
# SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos'
|
||||
DESC 'The GECOS field; the common name'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SUBSTR caseIgnoreIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
|
||||
DESC 'The absolute path to the home directory'
|
||||
EQUALITY caseExactIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
|
||||
DESC 'The path to the login shell'
|
||||
EQUALITY caseExactIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
|
||||
EQUALITY integerMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin'
|
||||
EQUALITY integerMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax'
|
||||
EQUALITY integerMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning'
|
||||
EQUALITY integerMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive'
|
||||
EQUALITY integerMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire'
|
||||
EQUALITY integerMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag'
|
||||
EQUALITY integerMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
|
||||
EQUALITY caseExactIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
|
||||
EQUALITY caseExactIA5Match
|
||||
SUBSTR caseExactIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
|
||||
DESC 'Netgroup triple'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort'
|
||||
DESC 'Service port number'
|
||||
EQUALITY integerMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
|
||||
DESC 'Service protocol name'
|
||||
SUP name )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
|
||||
DESC 'IP protocol number'
|
||||
EQUALITY integerMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
|
||||
DESC 'ONC RPC number'
|
||||
EQUALITY integerMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
|
||||
SINGLE-VALUE )
|
||||
attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
|
||||
DESC 'IPv4 addresses as a dotted decimal omitting leading
|
||||
zeros or IPv6 addresses as defined in RFC2373'
|
||||
SUP name )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
|
||||
DESC 'IP network as a dotted decimal, eg. 192.168,
|
||||
omitting leading zeros'
|
||||
SUP name
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
|
||||
DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,
|
||||
omitting leading zeros'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
|
||||
DESC 'MAC address in maximal, colon separated hex
|
||||
notation, eg. 00:00:92:90:ee:e2'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
|
||||
DESC 'rpc.bootparamd parameter'
|
||||
EQUALITY caseExactIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
|
||||
DESC 'Boot image name'
|
||||
EQUALITY caseExactIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
|
||||
DESC 'Name of a A generic NIS map'
|
||||
SUP name )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
|
||||
DESC 'A generic NIS entry'
|
||||
EQUALITY caseExactIA5Match
|
||||
SUBSTR caseExactIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
|
||||
SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
|
||||
DESC 'NIS public key'
|
||||
EQUALITY octetStringMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
|
||||
DESC 'NIS secret key'
|
||||
EQUALITY octetStringMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
|
||||
DESC 'NIS domain'
|
||||
EQUALITY caseIgnoreIA5Match
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
|
||||
DESC 'automount Map Name'
|
||||
EQUALITY caseExactIA5Match
|
||||
SUBSTR caseExactIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
|
||||
DESC 'Automount Key value'
|
||||
EQUALITY caseExactIA5Match
|
||||
SUBSTR caseExactIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
|
||||
|
||||
attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
|
||||
DESC 'Automount information'
|
||||
EQUALITY caseExactIA5Match
|
||||
SUBSTR caseExactIA5SubstringsMatch
|
||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
|
||||
DESC 'Abstraction of an account with POSIX attributes'
|
||||
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
|
||||
MAY ( userPassword $ loginShell $ gecos $
|
||||
description ) )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
|
||||
DESC 'Additional attributes for shadow passwords'
|
||||
MUST uid
|
||||
MAY ( userPassword $ description $
|
||||
shadowLastChange $ shadowMin $ shadowMax $
|
||||
shadowWarning $ shadowInactive $
|
||||
shadowExpire $ shadowFlag ) )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
|
||||
DESC 'Abstraction of a group of accounts'
|
||||
MUST gidNumber
|
||||
MAY ( userPassword $ memberUid $
|
||||
description ) )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
|
||||
DESC 'Abstraction an Internet Protocol service.
|
||||
Maps an IP port and protocol (such as tcp or udp)
|
||||
to one or more names; the distinguished value of
|
||||
the cn attribute denotes the services canonical
|
||||
name'
|
||||
MUST ( cn $ ipServicePort $ ipServiceProtocol )
|
||||
MAY description )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
|
||||
DESC 'Abstraction of an IP protocol. Maps a protocol number
|
||||
to one or more names. The distinguished value of the cn
|
||||
attribute denotes the protocols canonical name'
|
||||
MUST ( cn $ ipProtocolNumber )
|
||||
MAY description )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
|
||||
DESC 'Abstraction of an Open Network Computing (ONC)
|
||||
[RFC1057] Remote Procedure Call (RPC) binding.
|
||||
This class maps an ONC RPC number to a name.
|
||||
The distinguished value of the cn attribute denotes
|
||||
the RPC services canonical name'
|
||||
MUST ( cn $ oncRpcNumber )
|
||||
MAY description )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
|
||||
DESC 'Abstraction of a host, an IP device. The distinguished
|
||||
value of the cn attribute denotes the hosts canonical
|
||||
name. Device SHOULD be used as a structural class'
|
||||
MUST ( cn $ ipHostNumber )
|
||||
MAY ( userPassword $ l $ description $ manager ) )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
|
||||
DESC 'Abstraction of a network. The distinguished value of
|
||||
the cn attribute denotes the networks canonical name'
|
||||
MUST ipNetworkNumber
|
||||
MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
|
||||
DESC 'Abstraction of a netgroup. May refer to other netgroups'
|
||||
MUST cn
|
||||
MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
|
||||
DESC 'A generic abstraction of a NIS map'
|
||||
MUST nisMapName
|
||||
MAY description )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
|
||||
DESC 'An entry in a NIS map'
|
||||
MUST ( cn $ nisMapEntry $ nisMapName )
|
||||
MAY description )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
|
||||
DESC 'A device with a MAC address; device SHOULD be
|
||||
used as a structural class'
|
||||
MAY macAddress )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
|
||||
DESC 'A device with boot parameters; device SHOULD be
|
||||
used as a structural class'
|
||||
MAY ( bootFile $ bootParameter ) )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
|
||||
DESC 'An object with a public and secret key'
|
||||
MUST ( cn $ nisPublicKey $ nisSecretKey )
|
||||
MAY ( uidNumber $ description ) )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
|
||||
DESC 'Associates a NIS domain with a naming context'
|
||||
MUST nisDomain )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
|
||||
MUST ( automountMapName )
|
||||
MAY description )
|
||||
|
||||
objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
|
||||
DESC 'Automount information'
|
||||
MUST ( automountKey $ automountInformation )
|
||||
MAY description )
|
||||
## namedObject is needed for groups without members
|
||||
objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top
|
||||
STRUCTURAL MAY cn )
|
||||
|
|
@ -0,0 +1,148 @@
|
|||
# This is the main slapd configuration file. See slapd.conf(5) for more
|
||||
# info on the configuration options.
|
||||
|
||||
include /etc/ldap/schema/core.schema
|
||||
include /etc/ldap/schema/cosine.schema
|
||||
include /etc/ldap/schema/rfc2307bis.schema
|
||||
include /etc/ldap/schema/inetorgperson.schema
|
||||
include /etc/ldap/schema/sudo.schema
|
||||
include /etc/ldap/schema/csc.schema
|
||||
include /etc/ldap/schema/misc.schema
|
||||
|
||||
pidfile /var/run/slapd/slapd.pid
|
||||
argsfile /var/run/slapd/slapd.args
|
||||
|
||||
#Warning: "stats" is *lots* of logging
|
||||
loglevel sync
|
||||
#loglevel stats config sync acl
|
||||
|
||||
modulepath /usr/lib/ldap
|
||||
moduleload back_hdb
|
||||
moduleload syncprov
|
||||
moduleload auditlog
|
||||
moduleload unique
|
||||
|
||||
# resource limits
|
||||
#limits dn.base="cn=ldap-slave,{{ ldap_base }}" time=unlimited size=unlimited
|
||||
#limits group/group/uniqueMember="cn=syscom,ou=Group,{{ ldap_base }}" time=unlimited size=unlimited
|
||||
#limits group/group/uniqueMember="cn=office,ou=Group,{{ ldap_base }}" time=unlimited size=unlimited
|
||||
#limits users size=1000 time=300
|
||||
#limits * size=10 time=30
|
||||
|
||||
# the above don't seem to work
|
||||
sizelimit unlimited
|
||||
timelimit unlimited
|
||||
|
||||
# enable TLS connections
|
||||
# TLSCertificateFile /etc/ssl/private/csclub-wildcard-chain.crt
|
||||
# TLSCertificateKeyFile /etc/ssl/private/csclub-wildcard.key
|
||||
|
||||
# enable TLS client authentication
|
||||
#TLSCACertificateFile /etc/ssl/certs/csclub.pem
|
||||
#TLSVerifyClient allow
|
||||
|
||||
# consider local connections encrypted
|
||||
localssf 128
|
||||
|
||||
# map kerberos users to ldap users
|
||||
# sasl-realm CSCLUB.UWATERLOO.CA
|
||||
# authz-regexp "uid=([^/=]*),cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
|
||||
# "uid=$1,ou=people,{{ ldap_base }}"
|
||||
# authz-regexp "uid=ceod/admin,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
|
||||
# "cn=ceod,{{ ldap_base }}"
|
||||
# authz-regexp "uid=ldap/auth2.csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
|
||||
# "cn=ldap-slave,{{ ldap_base }}"
|
||||
# authz-regexp "uid=renewal/([^/=]*).csclub.uwaterloo.ca,cn=CSCLUB.UWATERLOO.CA,cn=GSSAPI,cn=auth"
|
||||
# "cn=renewal,{{ ldap_base }}"
|
||||
|
||||
# map sasl external users to ldap users
|
||||
#authz-regexp "cn=ldap[0-9].csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
|
||||
# "cn=ldap-slave,{{ ldap_base }}"
|
||||
|
||||
# kerberos has code to allow SASL external auth, but it doesn't work yet
|
||||
#authz-regexp "cn=kdc[0-9].csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
|
||||
# "cn=kerberos-kdc,{{ ldap_base }}"
|
||||
#authz-regexp "cn=kadmin.csclub.uwaterloo.ca,ou=computer science club,o=university of waterloo,st=ontario,c=ca"
|
||||
# "cn=kerberos-admin,{{ ldap_base }}"
|
||||
|
||||
access to *
|
||||
by dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
|
||||
by * break
|
||||
|
||||
# systems committee get full access
|
||||
access to *
|
||||
by dn="cn=ceod,{{ ldap_base }}" write
|
||||
by group/group/uniqueMember="cn=syscom,ou=Group,{{ ldap_base }}" write
|
||||
by * break
|
||||
|
||||
# slave servers get full read access for replication
|
||||
access to *
|
||||
by dn="cn=ldap-slave,{{ ldap_base }}" read
|
||||
by * break
|
||||
|
||||
# allow office staff to add terms
|
||||
# the renewal program may do the same
|
||||
access to attrs=term
|
||||
by group/group/uniqueMember="cn=office,ou=Group,{{ ldap_base }}" add
|
||||
by dn="cn=renewal,{{ ldap_base }}" add
|
||||
by * read
|
||||
access to attrs=nonMemberTerm
|
||||
by group/group/uniqueMember="cn=office,ou=Group,{{ ldap_base }}" add
|
||||
by dn="cn=renewal,{{ ldap_base }}" add
|
||||
by * read
|
||||
|
||||
# allow users to change their shells
|
||||
access to attrs=loginShell
|
||||
by self write
|
||||
by * read
|
||||
|
||||
# allow simple authentication
|
||||
access to attrs=userPassword
|
||||
by anonymous auth
|
||||
by * none
|
||||
|
||||
# allow access to attributes of top; they would otherwise be denied below
|
||||
access to attrs=@top
|
||||
by * read
|
||||
|
||||
# default permit
|
||||
access to *
|
||||
by * read
|
||||
|
||||
# main database options
|
||||
# note: the mdb backend has a horrible bug in 2.4.31
|
||||
# that causes indexing to destroy the database
|
||||
database hdb
|
||||
suffix "{{ ldap_base }}"
|
||||
directory "/var/lib/ldap"
|
||||
rootdn cn=root,{{ ldap_base }}
|
||||
index default eq
|
||||
index objectClass
|
||||
index entryCSN,entryUUID
|
||||
index uid,uidNumber
|
||||
index cn,gidNumber
|
||||
index uniqueMember,memberUid
|
||||
index sudoUser,sudoHost pres,sub,eq
|
||||
index term,nonMemberTerm
|
||||
index mailLocalAddress
|
||||
index modifyTimestamp,createTimestamp
|
||||
|
||||
# 4 MB cache. use db_stat -m to check hit rate
|
||||
#dbconfig set_cachesize 0 4194304 0
|
||||
#cachesize 2000
|
||||
#idlcachesize 6000
|
||||
#checkpoint 512 30
|
||||
|
||||
# log all changes to the directory
|
||||
overlay auditlog
|
||||
auditlog /var/log/ldap/audit.log
|
||||
|
||||
# enforce uniqueness of usernames etc.
|
||||
overlay unique
|
||||
unique_uri ldap:///ou=People,{{ ldap_base }}?uid,uidNumber?sub
|
||||
unique_uri ldap:///ou=Group,{{ ldap_base }}?cn,gidNumber?sub
|
||||
|
||||
# this is the master server
|
||||
overlay syncprov
|
||||
syncprov-checkpoint 100 10
|
||||
syncprov-sessionlog 100
|
|
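Review bot: `auditlog /var/log/ldap/audit.log` names a directory that nothing in this commit creates and that, as far as I can tell, the slapd package does not ship, so the overlay cannot open its log on the first modification (auditing silently stops or slapd errors out, depending on version) unless the playbook adds a `file` task creating `/var/log/ldap` with `state: directory` and `owner: openldap` before slapd is started. With the TLS directives commented out and no `security` directive, the server accepts cleartext simple binds against `userPassword` on every interface it listens on; `localssf 128` only covers ldapi:// connections, so either mark this dev-only in the comment or add `security simple_bind=128` once TLS is enabled. The `database hdb` / `moduleload back_hdb` choice is justified by a comment about an mdb bug in 2.4.31; that note looks stale and hdb was dropped in OpenLDAP 2.5, so the comment should record which version this was verified against or the backend should move to mdb.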
@ -0,0 +1,120 @@
|
|||
---
|
||||
- hosts: auth1
|
||||
vars:
|
||||
ldap_base: "{{ base_domain.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"
|
||||
tasks:
|
||||
- name: setup networking
|
||||
import_role:
|
||||
name: ../roles/network_setup
|
||||
vars:
|
||||
ipv4_addr: "{{ auth1_ipv4_addr }}"
|
||||
- meta: flush_handlers
|
||||
- name: install LDAP packages
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
loop:
|
||||
- slapd
|
||||
- ldap-utils
|
||||
- ldapvi
|
||||
- libnss-ldapd
|
||||
- libpam-ldapd
|
||||
- nscd
|
||||
- sudo-ldap
|
||||
- name: copy slapd.conf
|
||||
template:
|
||||
src: ldap/slapd.conf.j2
|
||||
dest: /etc/ldap/slapd.conf
|
||||
owner: openldap
|
||||
group: openldap
|
||||
notify: restart slapd
|
||||
- name: move slapd.d directory
|
||||
command:
|
||||
cmd: mv /etc/ldap/slapd.d /etc/ldap/slapd.d.bak
|
||||
removes: /etc/ldap/slapd.d
|
||||
notify: restart slapd
|
||||
- name: copy sudo.schema
|
||||
copy:
|
||||
remote_src: yes
|
||||
src: /usr/share/doc/sudo-ldap/schema.OpenLDAP
|
||||
dest: /etc/ldap/schema/sudo.schema
|
||||
owner: openldap
|
||||
group: openldap
|
||||
notify: restart slapd
|
||||
- name: copy other schemas
|
||||
copy:
|
||||
src: "ldap/{{ item }}"
|
||||
dest: "/etc/ldap/schema/{{ item }}"
|
||||
owner: openldap
|
||||
group: openldap
|
||||
loop:
|
||||
- rfc2307bis.schema
|
||||
- csc.schema
|
||||
notify: restart slapd
|
||||
- name: copy DB_CONFIG
|
||||
copy:
|
||||
remote_src: yes
|
||||
src: /usr/share/slapd/DB_CONFIG
|
||||
dest: /var/lib/ldap/DB_CONFIG
|
||||
owner: openldap
|
||||
group: openldap
|
||||
notify: restart slapd
|
||||
- name: make sure slapd is running
|
||||
systemd:
|
||||
name: slapd
|
||||
state: started
|
||||
- name: determine if cn=config is present
|
||||
command: ldapsearch -LLLQ -Y EXTERNAL -H ldapi:/// -b cn=config -s base
|
||||
ignore_errors: yes
|
||||
register: cn_config_cmd
|
||||
- name: stop slapd
|
||||
systemd:
|
||||
name: slapd
|
||||
state: stopped
|
||||
when: cn_config_cmd.rc == 0
|
||||
- name: purge old slapd database
|
||||
shell: rm /var/lib/ldap/*
|
||||
when: cn_config_cmd.rc == 0
|
||||
notify: restart slapd
|
||||
- name: copy ldap.conf
|
||||
template:
|
||||
src: ldap/ldap.conf.j2
|
||||
dest: /etc/ldap/ldap.conf
|
||||
notify:
|
||||
- restart nslcd
|
||||
- restart nscd
|
||||
- name: add member->uniqueMember map
|
||||
lineinfile:
|
||||
line: map group member uniqueMember
|
||||
path: /etc/nslcd.conf
|
||||
notify: restart nslcd
|
||||
- name: copy nsswitch.conf
|
||||
copy:
|
||||
src: ldap/nsswitch.conf
|
||||
dest: /etc/nsswitch.conf
|
||||
notify: restart nslcd
|
||||
- name: disable mail_badpass for sudo
|
||||
replace:
|
||||
path: /etc/sudoers
|
||||
regexp: "^(Defaults\\s+mail_badpass)$"
|
||||
replace: "#\\1"
|
||||
- meta: flush_handlers
|
||||
- name: copy LDIF data
|
||||
template:
|
||||
src: ldap/data.ldif.j2
|
||||
dest: /etc/ldap/data.ldif
|
||||
- name: load LDIF data
|
||||
command: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:///
|
||||
ignore_errors: yes
|
||||
handlers:
|
||||
- name: restart slapd
|
||||
systemd:
|
||||
name: slapd
|
||||
state: restarted
|
||||
- name: restart nslcd
|
||||
systemd:
|
||||
name: nslcd
|
||||
state: restarted
|
||||
- name: restart nscd
|
||||
systemd:
|
||||
name: nscd
|
||||
state: restarted
|
|
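Review bot: `shell: rm /var/lib/ldap/*` in the purge task also deletes the `/var/lib/ldap/DB_CONFIG` that the earlier "copy DB_CONFIG" task installed, so on the first run slapd is restarted on a hdb database with no DB_CONFIG and the file only reappears on the next run; move the DB_CONFIG copy after the purge, or replace the glob with a `find`/`file` pair that excludes DB_CONFIG. `ignore_errors: yes` on the `ldapadd -c` task hides every failure; register the result and use `failed_when: ldapadd_cmd.rc not in [0, 68]` (68 being the already-exists result code ldapadd reports — confirm the exit status with `-c`) so reruns stay green but real errors surface. The `replace` task edits `/etc/sudoers` without `validate: visudo -cf %s`, so a mistaken regexp can leave sudo unusable on the host. Nothing here sets `uri`/`base` in `/etc/nslcd.conf` — `lineinfile` only appends the map line — and nslcd does not read `/etc/ldap/ldap.conf`, so unless the debconf defaults from the package install happen to match, name lookups will not reach the directory; worth confirming on a fresh container. Minor: `remote_src: yes` and `ignore_errors: yes` should be `true` per the truthy convention.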
@ -13,7 +13,7 @@
|
|||
state: present
|
||||
- name: override systemd services
|
||||
import_role:
|
||||
name: ../../roles/systemd_workarounds
|
||||
name: ../roles/systemd_workarounds
|
||||
vars:
|
||||
services: [ "mariadb" ]
|
||||
- name: allow remote connections to MariaDB
|
||||
|
|
|
@ -6,5 +6,6 @@ addn-hosts=/etc/dnsmasq_hosts
|
|||
address=/dns.{{ base_domain }}/{{ dns_ipv4_addr }}
|
||||
address=/mail.{{ base_domain }}/{{ mail_ipv4_addr }}
|
||||
cname=mailman.{{ base_domain }},mail.{{ base_domain }}
|
||||
address=/coffee.{{ base_domain }}/{{ coffee_ipv4_addr }}
|
||||
mx-host={{ base_domain }},mail.{{ base_domain }},50
|
||||
address=/coffee.{{ base_domain }}/{{ coffee_ipv4_addr }}
|
||||
address=/auth1.{{ base_domain }}/{{ auth1_ipv4_addr }}
|
||||
|
|
2
hosts
2
hosts
|
@ -2,6 +2,7 @@
|
|||
dns ansible_lxc_host=dns
|
||||
mail ansible_lxc_host=mail
|
||||
coffee ansible_lxc_host=coffee
|
||||
auth1 ansible_lxc_host=auth1
|
||||
outsider ansible_lxc_host=outsider
|
||||
|
||||
[containers:vars]
|
||||
|
@ -16,3 +17,4 @@ outsider_ipv4_addr = 192.168.125.2
|
|||
dns_ipv4_addr = 192.168.122.4
|
||||
mail_ipv4_addr = 192.168.122.52
|
||||
coffee_ipv4_addr = 192.168.122.20
|
||||
auth1_ipv4_addr = 192.168.122.117
|
||||
|
|