├── LICENSE
├── README.md
├── defaults
│   └── main.yml
├── files
│   └── samba.schema
├── handlers
│   └── main.yml
├── meta
│   └── main.yml
├── tasks
│   ├── CentOS.yml
│   ├── Ubuntu.yml
│   └── main.yml
├── templates
│   ├── DB_CONFIG.j2
│   ├── ldap.conf.j2
│   ├── slapd.conf.j2
│   └── slapd_defaults.j2
└── vars
    ├── CentOS.yml
    ├── Ubuntu.yml
    └── main.yml

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Copyright (c) 2015, Kevin Brebanov
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this
  list of conditions and the following disclaimer.

* Redistributions in binary form must reproduce the above copyright notice,
  this list of conditions and the following disclaimer in the documentation
  and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
[![No Maintenance Intended](http://unmaintained.tech/badge.svg)](http://unmaintained.tech/)

openldap
========

Installs and configures OpenLDAP

Requirements
------------

This role requires Ansible 1.4 or higher.

Role Variables
--------------

| Name | Default | Description |
|------|---------|-------------|
| openldap_domain | example.com | DNS domain of the directory |
| openldap_organization | example | Organization name |
| openldap_admin_password | password | Admin password; placeholder, override it |
| openldap_default_services | ldap:/// ldapi:/// | Listener URLs slapd is started with (no `ldaps:///` by default) |
| openldap_default_options | "" | Extra command-line options passed to slapd |
| openldap_server_schemas | ['core', 'cosine', 'inetorgperson'] | Schema files `include`d in slapd.conf |
| openldap_server_loglevel | none | slapd `loglevel`; `none` records almost nothing, `stats` logs binds and operations |
| openldap_server_modules | ['back_hdb', 'syncprov'] | Dynamic modules to `moduleload` |
| openldap_server_database | hdb | Backend type (`database` directive) |
| openldap_server_suffix | dc=example,dc=com | Naming context (`suffix`) |
| openldap_server_rootdn | cn=Manager,dc=example,dc=com | Directory superuser DN; not subject to ACLs |
| openldap_server_rootpw | password | `rootpw`; accepts a `slappasswd` hash, placeholder, override it |
| openldap_server_indexes | ['objectClass,cn eq', 'entryCSN,entryUUID eq'] | `index` directives |
| openldap_server_acls | ['to attrs=userPassword by anonymous auth by self write by * none', 'to * by self write by * none'] | `access to` rules, evaluated in order, first match wins |
| openldap_server_password_hash | "{SSHA}" | `password-hash` scheme used for passwords set via the Password Modify extended operation |
| openldap_dbconfig_set_cachesize | 2097152 | Berkeley DB `set_cachesize` in DB_CONFIG |
| openldap_dbconfig_set_lk_max_objects | 1500 | Berkeley DB `set_lk_max_objects` |
| openldap_dbconfig_set_lk_max_locks | 1500 | Berkeley DB `set_lk_max_locks` |
| openldap_dbconfig_set_lk_max_lockers | 1500 | Berkeley DB `set_lk_max_lockers` |
| openldap_client_uri | ldap://localhost | `URI` in the client ldap.conf |
| openldap_client_base | dc=example,dc=com | `BASE` in the client ldap.conf |
| openldap_client_binddn | cn=Manager,dc=example,dc=com | `BINDDN` in the client ldap.conf |
| openldap_client_sizelimit | 0 | `SIZELIMIT` (0 = unlimited) |
| openldap_client_timelimit | 0 | `TIMELIMIT` (0 = unlimited) |
| openldap_sync_syncprov_checkpoint | 50 10 | `syncprov-checkpoint` (operations, minutes) |
| openldap_sync_syncprov_sessionlog | 100 | `syncprov-sessionlog` size |
| openldap_sync_consumer | false | Configure this host as a syncrepl consumer |
| openldap_sync_syncrepl_rid | 001 | Replica ID (`rid`) |
| openldap_sync_syncrepl_provider | ldap://ldap.example.com | Provider URL the consumer connects to |
| openldap_sync_syncrepl_type | refreshAndPersist | `type` (refreshOnly or refreshAndPersist) |
| openldap_sync_syncrepl_interval | 00:00:05:00 | refreshOnly polling interval (dd:hh:mm:ss) |
| openldap_sync_syncrepl_searchbase | "{{ openldap_server_suffix }}" | `searchbase` to replicate |
| openldap_sync_syncrepl_binddn | cn=admin,dc=example,dc=com | DN the consumer binds as on the provider |
| openldap_sync_syncrepl_credentials | secret | Consumer bind password; placeholder, override it |
| openldap_sync_syncrepl_starttls | "no" | `starttls`; with `no` and an `ldap://` provider the replication session is unencrypted |
| openldap_sync_syncrepl_retry | 60 + | `retry` (interval, count) |
| openldap_sync_syncrepl_bindmethod | simple | `bindmethod` |
| openldap_sync_syncrepl_timeout | 0 | `timeout` |
| openldap_sync_syncrepl_network_timeout | 0 | `network-timeout` |
| openldap_sync_syncrepl_keepalive | 0:0:0 | `keepalive` (idle:probes:interval) |
| openldap_sync_syncrepl_filter | (objectclass=*) | `filter` |
| openldap_sync_syncrepl_scope | sub | `scope` |
| openldap_sync_syncrepl_schemachecking | off | `schemachecking` on the consumer |

The defaults are placeholders, not a hardened configuration. `openldap_admin_password`, `openldap_server_rootpw` (`password`) and `openldap_sync_syncrepl_credentials` (`secret`) must be overridden, preferably from an Ansible Vault file rather than inline in a playbook; `rootpw` accepts a hash produced by `slappasswd`, so the cleartext need not appear in inventory at all. `openldap_default_services` exposes only `ldap:///` and `ldapi:///`, and the consumer defaults combine `bindmethod=simple` with `starttls="no"` against an `ldap://` provider, so the replication credentials and every replicated entry, `userPassword` included, cross the network unencrypted.

The default `openldap_server_acls` give any DN other than the rootdn access to its own entry only. Because `openldap_sync_syncrepl_binddn` (`cn=admin,...`) is not the `rootdn` (`cn=Manager,...`), a consumer bound with these defaults is denied read on the provider's tree, sees no entries and replicates nothing; the consumer identity needs an explicit `by dn.exact="..." read` clause in both rules. `openldap_server_loglevel: none` records no bind or operation statistics, so set `stats` when slapd logs are collected. The `hdb` backend (and `back_hdb` module) is deprecated upstream in favour of `mdb` and was removed in OpenLDAP 2.5.

Dependencies
------------

None

Example Playbook
----------------

Install OpenLDAP
```
- hosts: all
  roles:
    - { role: kbrebanov.openldap }
```

Install OpenLDAP specifying domain, organization and admin password
```
- hosts: all
  roles:
    - { role: kbrebanov.openldap, openldap_domain: 'site.com', openldap_organization: 'site', openldap_admin_password: 'supersecret' }
```

Passing the password inline like this leaves it in the playbook; load it from a vaulted vars file instead.

License
-------

BSD

Author Information
------------------

Kevin Brebanov

--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for openldap

openldap_domain: example.com
openldap_organization: example
openldap_admin_password: password

# slapd startup: listener URLs and extra command-line options
openldap_default_services: ldap:/// ldapi:///
openldap_default_options: ""

# slapd.conf
openldap_server_schemas:
  - core
  - cosine
  - inetorgperson
openldap_server_loglevel: none
openldap_server_modules:
  - back_hdb
  - syncprov
openldap_server_database: hdb
openldap_server_suffix: dc=example,dc=com
openldap_server_rootdn: cn=Manager,dc=example,dc=com
openldap_server_rootpw: password
openldap_server_indexes:
  - objectClass,cn eq
  - entryCSN,entryUUID eq
# Evaluated in order, first match wins; the rootdn bypasses them entirely.
openldap_server_acls:
  - to attrs=userPassword by anonymous auth by self write by * none
  - to * by self write by * none
openldap_server_password_hash: "{SSHA}"

# DB_CONFIG (Berkeley DB, used by the hdb backend)
openldap_dbconfig_set_cachesize: 2097152
openldap_dbconfig_set_lk_max_objects: 1500
openldap_dbconfig_set_lk_max_locks: 1500
openldap_dbconfig_set_lk_max_lockers: 1500

# ldap.conf (client defaults)
openldap_client_uri: ldap://localhost
openldap_client_base: dc=example,dc=com
openldap_client_binddn: cn=Manager,dc=example,dc=com
openldap_client_sizelimit: 0
openldap_client_timelimit: 0

# syncprov overlay (provider side)
openldap_sync_syncprov_checkpoint: 50 10
openldap_sync_syncprov_sessionlog: 100

# syncrepl (consumer side, see openldap_sync_consumer)
openldap_sync_consumer: False
openldap_sync_syncrepl_rid: 001
openldap_sync_syncrepl_provider: ldap://ldap.example.com
openldap_sync_syncrepl_type: refreshAndPersist
openldap_sync_syncrepl_interval: 00:00:05:00
openldap_sync_syncrepl_searchbase: "{{ openldap_server_suffix }}"
openldap_sync_syncrepl_binddn: cn=admin,dc=example,dc=com
openldap_sync_syncrepl_credentials: secret
openldap_sync_syncrepl_starttls: "no"
openldap_sync_syncrepl_retry: 60 +
openldap_sync_syncrepl_bindmethod: simple
openldap_sync_syncrepl_timeout: 0
openldap_sync_syncrepl_network_timeout: 0
openldap_sync_syncrepl_keepalive: 0:0:0
openldap_sync_syncrepl_filter: (objectclass=*)
openldap_sync_syncrepl_scope: sub
openldap_sync_syncrepl_schemachecking: off

--------------------------------------------------------------------------------
/files/samba.schema:
--------------------------------------------------------------------------------
##
## schema file for OpenLDAP 2.x
## Schema for storing Samba user accounts and group maps in LDAP
## OIDs are owned by the Samba Team
##
## Prerequisite schemas - uid         (cosine.schema)
##                      - displayName (inetorgperson.schema)
##                      - gidNumber   (nis.schema)
##
## 1.3.6.1.4.1.7165.2.1.x - attributetypes
## 1.3.6.1.4.1.7165.2.2.x - objectclasses
##
## Printer support
## 1.3.6.1.4.1.7165.2.3.1.x - attributetypes
## 1.3.6.1.4.1.7165.2.3.2.x - objectclasses
##
## Samba4
## 1.3.6.1.4.1.7165.4.1.x - attributetypes
## 1.3.6.1.4.1.7165.4.2.x - objectclasses
## 1.3.6.1.4.1.7165.4.3.x - LDB/LDAP Controls
## 1.3.6.1.4.1.7165.4.4.x - LDB/LDAP Extended Operations
## 1.3.6.1.4.1.7165.4.255.x - mapped OIDs due to conflicts between AD and standards-track
##
## ----- READ THIS WHEN ADDING A NEW ATTRIBUTE OR OBJECT CLASS ------
##
## Run the 'get_next_oid' bash script in this directory to find the
## next available OID for attribute type and object classes.
##
##   $ ./get_next_oid
##   attributetype ( 1.3.6.1.4.1.7165.2.1.XX NAME ....
##   objectclass ( 1.3.6.1.4.1.7165.2.2.XX NAME ....
##
## Also ensure that new entries adhere to the declaration style
## used throughout this file
##
##   ( 1.3.6.1.4.1.7165.2.XX.XX NAME ....
##     ^ ^ ^
##
## The spaces are required for the get_next_oid script (and for
## readability).
41 | ## 42 | ## ------------------------------------------------------------------ 43 | 44 | # objectIdentifier SambaRoot 1.3.6.1.4.1.7165 45 | # objectIdentifier Samba3 SambaRoot:2 46 | # objectIdentifier Samba3Attrib Samba3:1 47 | # objectIdentifier Samba3ObjectClass Samba3:2 48 | # objectIdentifier Samba4 SambaRoot:4 49 | 50 | ######################################################################## 51 | ## HISTORICAL ## 52 | ######################################################################## 53 | 54 | ## 55 | ## Password hashes 56 | ## 57 | #attributetype ( 1.3.6.1.4.1.7165.2.1.1 NAME 'lmPassword' 58 | # DESC 'LanManager Passwd' 59 | # EQUALITY caseIgnoreIA5Match 60 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) 61 | 62 | #attributetype ( 1.3.6.1.4.1.7165.2.1.2 NAME 'ntPassword' 63 | # DESC 'NT Passwd' 64 | # EQUALITY caseIgnoreIA5Match 65 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) 66 | 67 | ## 68 | ## Account flags in string format ([UWDX ]) 69 | ## 70 | #attributetype ( 1.3.6.1.4.1.7165.2.1.4 NAME 'acctFlags' 71 | # DESC 'Account Flags' 72 | # EQUALITY caseIgnoreIA5Match 73 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) 74 | 75 | ## 76 | ## Password timestamps & policies 77 | ## 78 | #attributetype ( 1.3.6.1.4.1.7165.2.1.3 NAME 'pwdLastSet' 79 | # DESC 'NT pwdLastSet' 80 | # EQUALITY integerMatch 81 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 82 | 83 | #attributetype ( 1.3.6.1.4.1.7165.2.1.5 NAME 'logonTime' 84 | # DESC 'NT logonTime' 85 | # EQUALITY integerMatch 86 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 87 | 88 | #attributetype ( 1.3.6.1.4.1.7165.2.1.6 NAME 'logoffTime' 89 | # DESC 'NT logoffTime' 90 | # EQUALITY integerMatch 91 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 92 | 93 | #attributetype ( 1.3.6.1.4.1.7165.2.1.7 NAME 'kickoffTime' 94 | # DESC 'NT kickoffTime' 95 | # EQUALITY integerMatch 96 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 97 | 98 | 
#attributetype ( 1.3.6.1.4.1.7165.2.1.8 NAME 'pwdCanChange' 99 | # DESC 'NT pwdCanChange' 100 | # EQUALITY integerMatch 101 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 102 | 103 | #attributetype ( 1.3.6.1.4.1.7165.2.1.9 NAME 'pwdMustChange' 104 | # DESC 'NT pwdMustChange' 105 | # EQUALITY integerMatch 106 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 107 | 108 | ## 109 | ## string settings 110 | ## 111 | #attributetype ( 1.3.6.1.4.1.7165.2.1.10 NAME 'homeDrive' 112 | # DESC 'NT homeDrive' 113 | # EQUALITY caseIgnoreIA5Match 114 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) 115 | 116 | #attributetype ( 1.3.6.1.4.1.7165.2.1.11 NAME 'scriptPath' 117 | # DESC 'NT scriptPath' 118 | # EQUALITY caseIgnoreIA5Match 119 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) 120 | 121 | #attributetype ( 1.3.6.1.4.1.7165.2.1.12 NAME 'profilePath' 122 | # DESC 'NT profilePath' 123 | # EQUALITY caseIgnoreIA5Match 124 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) 125 | 126 | #attributetype ( 1.3.6.1.4.1.7165.2.1.13 NAME 'userWorkstations' 127 | # DESC 'userWorkstations' 128 | # EQUALITY caseIgnoreIA5Match 129 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{255} SINGLE-VALUE ) 130 | 131 | #attributetype ( 1.3.6.1.4.1.7165.2.1.17 NAME 'smbHome' 132 | # DESC 'smbHome' 133 | # EQUALITY caseIgnoreIA5Match 134 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) 135 | 136 | #attributetype ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain' 137 | # DESC 'Windows NT domain to which the user belongs' 138 | # EQUALITY caseIgnoreIA5Match 139 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} ) 140 | 141 | ## 142 | ## user and group RID 143 | ## 144 | #attributetype ( 1.3.6.1.4.1.7165.2.1.14 NAME 'rid' 145 | # DESC 'NT rid' 146 | # EQUALITY integerMatch 147 | # SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 148 | 149 | #attributetype ( 1.3.6.1.4.1.7165.2.1.15 NAME 'primaryGroupID' 150 | # DESC 'NT Group RID' 151 | # EQUALITY integerMatch 152 | # SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 153 | 154 | ## 155 | ## The smbPasswordEntry objectclass has been depreciated in favor of the 156 | ## sambaAccount objectclass 157 | ## 158 | #objectclass ( 1.3.6.1.4.1.7165.2.2.1 NAME 'smbPasswordEntry' SUP top AUXILIARY 159 | # DESC 'Samba smbpasswd entry' 160 | # MUST ( uid $ uidNumber ) 161 | # MAY ( lmPassword $ ntPassword $ pwdLastSet $ acctFlags )) 162 | 163 | #objectclass ( 1.3.6.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL 164 | # DESC 'Samba Account' 165 | # MUST ( uid $ rid ) 166 | # MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ 167 | # logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ 168 | # displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ 169 | # description $ userWorkstations $ primaryGroupID $ domain )) 170 | 171 | #objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY 172 | # DESC 'Samba Auxiliary Account' 173 | # MUST ( uid $ rid ) 174 | # MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ 175 | # logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $ 176 | # displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $ 177 | # description $ userWorkstations $ primaryGroupID $ domain )) 178 | 179 | ######################################################################## 180 | ## END OF HISTORICAL ## 181 | ######################################################################## 182 | 183 | ####################################################################### 184 | ## Attributes used by Samba 3.0 schema ## 185 | ####################################################################### 186 | 187 | ## 188 | ## Password hashes 189 | ## 190 | attributetype ( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' 191 | DESC 'LanManager Password' 192 | EQUALITY caseIgnoreIA5Match 193 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) 194 | 195 | attributetype ( 1.3.6.1.4.1.7165.2.1.25 NAME 
'sambaNTPassword' 196 | DESC 'MD4 hash of the unicode password' 197 | EQUALITY caseIgnoreIA5Match 198 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) 199 | 200 | ## 201 | ## Account flags in string format ([UWDX ]) 202 | ## 203 | attributetype ( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' 204 | DESC 'Account Flags' 205 | EQUALITY caseIgnoreIA5Match 206 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{16} SINGLE-VALUE ) 207 | 208 | ## 209 | ## Password timestamps & policies 210 | ## 211 | attributetype ( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' 212 | DESC 'Timestamp of the last password update' 213 | EQUALITY integerMatch 214 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 215 | 216 | attributetype ( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' 217 | DESC 'Timestamp of when the user is allowed to update the password' 218 | EQUALITY integerMatch 219 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 220 | 221 | attributetype ( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' 222 | DESC 'Timestamp of when the password will expire' 223 | EQUALITY integerMatch 224 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 225 | 226 | attributetype ( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' 227 | DESC 'Timestamp of last logon' 228 | EQUALITY integerMatch 229 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 230 | 231 | attributetype ( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' 232 | DESC 'Timestamp of last logoff' 233 | EQUALITY integerMatch 234 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 235 | 236 | attributetype ( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' 237 | DESC 'Timestamp of when the user will be logged off automatically' 238 | EQUALITY integerMatch 239 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 240 | 241 | attributetype ( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' 242 | DESC 'Bad password attempt count' 243 | EQUALITY integerMatch 244 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 245 | 246 
| attributetype ( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' 247 | DESC 'Time of the last bad password attempt' 248 | EQUALITY integerMatch 249 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 250 | 251 | attributetype ( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' 252 | DESC 'Logon Hours' 253 | EQUALITY caseIgnoreIA5Match 254 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{42} SINGLE-VALUE ) 255 | 256 | ## 257 | ## string settings 258 | ## 259 | attributetype ( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' 260 | DESC 'Driver letter of home directory mapping' 261 | EQUALITY caseIgnoreIA5Match 262 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) 263 | 264 | attributetype ( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' 265 | DESC 'Logon script path' 266 | EQUALITY caseIgnoreMatch 267 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) 268 | 269 | attributetype ( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' 270 | DESC 'Roaming profile path' 271 | EQUALITY caseIgnoreMatch 272 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) 273 | 274 | attributetype ( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations' 275 | DESC 'List of user workstations the user is allowed to logon to' 276 | EQUALITY caseIgnoreMatch 277 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE ) 278 | 279 | attributetype ( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' 280 | DESC 'Home directory UNC path' 281 | EQUALITY caseIgnoreMatch 282 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) 283 | 284 | attributetype ( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' 285 | DESC 'Windows NT domain to which the user belongs' 286 | EQUALITY caseIgnoreMatch 287 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) 288 | 289 | attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' 290 | DESC 'Base64 encoded user parameter string' 291 | EQUALITY caseExactMatch 292 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) 293 | 294 | attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 
'sambaPasswordHistory' 295 | DESC 'Concatenated MD5 hashes of the salted NT passwords used on this account' 296 | EQUALITY caseIgnoreIA5Match 297 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} ) 298 | 299 | ## 300 | ## SID, of any type 301 | ## 302 | 303 | attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' 304 | DESC 'Security ID' 305 | EQUALITY caseIgnoreIA5Match 306 | SUBSTR caseExactIA5SubstringsMatch 307 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) 308 | 309 | ## 310 | ## Primary group SID, compatible with ntSid 311 | ## 312 | 313 | attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' 314 | DESC 'Primary Group Security ID' 315 | EQUALITY caseIgnoreIA5Match 316 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) 317 | 318 | attributetype ( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' 319 | DESC 'Security ID List' 320 | EQUALITY caseIgnoreIA5Match 321 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) 322 | 323 | ## 324 | ## group mapping attributes 325 | ## 326 | attributetype ( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' 327 | DESC 'NT Group Type' 328 | EQUALITY integerMatch 329 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 330 | 331 | ## 332 | ## Store info on the domain 333 | ## 334 | 335 | attributetype ( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' 336 | DESC 'Next NT rid to give our for users' 337 | EQUALITY integerMatch 338 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 339 | 340 | attributetype ( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' 341 | DESC 'Next NT rid to give out for groups' 342 | EQUALITY integerMatch 343 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 344 | 345 | attributetype ( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' 346 | DESC 'Next NT rid to give out for anything' 347 | EQUALITY integerMatch 348 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 349 | 350 | attributetype ( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase' 351 | DESC 'Base at which the samba RID 
generation algorithm should operate' 352 | EQUALITY integerMatch 353 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 354 | 355 | attributetype ( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' 356 | DESC 'Share Name' 357 | EQUALITY caseIgnoreMatch 358 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) 359 | 360 | attributetype ( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' 361 | DESC 'Option Name' 362 | EQUALITY caseIgnoreMatch 363 | SUBSTR caseIgnoreSubstringsMatch 364 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) 365 | 366 | attributetype ( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' 367 | DESC 'A boolean option' 368 | EQUALITY booleanMatch 369 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) 370 | 371 | attributetype ( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' 372 | DESC 'An integer option' 373 | EQUALITY integerMatch 374 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 375 | 376 | attributetype ( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' 377 | DESC 'A string option' 378 | EQUALITY caseExactIA5Match 379 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) 380 | 381 | attributetype ( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption' 382 | DESC 'A string list option' 383 | EQUALITY caseIgnoreMatch 384 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) 385 | 386 | 387 | ##attributetype ( 1.3.6.1.4.1.7165.2.1.50 NAME 'sambaPrivName' 388 | ## SUP name ) 389 | 390 | ##attributetype ( 1.3.6.1.4.1.7165.2.1.52 NAME 'sambaPrivilegeList' 391 | ## DESC 'Privileges List' 392 | ## EQUALITY caseIgnoreIA5Match 393 | ## SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) 394 | 395 | attributetype ( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' 396 | DESC 'Trust Password Flags' 397 | EQUALITY caseIgnoreIA5Match 398 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 399 | 400 | # "min password length" 401 | attributetype ( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' 402 | DESC 'Minimal password length (default: 5)' 403 | EQUALITY integerMatch 404 | SYNTAX 
1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 405 | 406 | # "password history" 407 | attributetype ( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength' 408 | DESC 'Length of Password History Entries (default: 0 => off)' 409 | EQUALITY integerMatch 410 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 411 | 412 | # "user must logon to change password" 413 | attributetype ( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' 414 | DESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' 415 | EQUALITY integerMatch 416 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 417 | 418 | # "maximum password age" 419 | attributetype ( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' 420 | DESC 'Maximum password age, in seconds (default: -1 => never expire passwords)' 421 | EQUALITY integerMatch 422 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 423 | 424 | # "minimum password age" 425 | attributetype ( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' 426 | DESC 'Minimum password age, in seconds (default: 0 => allow immediate password change)' 427 | EQUALITY integerMatch 428 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 429 | 430 | # "lockout duration" 431 | attributetype ( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' 432 | DESC 'Lockout duration in minutes (default: 30, -1 => forever)' 433 | EQUALITY integerMatch 434 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 435 | 436 | # "reset count minutes" 437 | attributetype ( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservationWindow' 438 | DESC 'Reset time after lockout in minutes (default: 30)' 439 | EQUALITY integerMatch 440 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 441 | 442 | # "bad lockout attempt" 443 | attributetype ( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold' 444 | DESC 'Lockout users after bad logon attempts (default: 0 => off)' 445 | EQUALITY integerMatch 446 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 447 | 448 | # "disconnect time" 449 | 
attributetype ( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' 450 | DESC 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' 451 | EQUALITY integerMatch 452 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 453 | 454 | # "refuse machine password change" 455 | attributetype ( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdChange' 456 | DESC 'Allow Machine Password changes (default: 0 => off)' 457 | EQUALITY integerMatch 458 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 459 | 460 | # 461 | attributetype ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword' 462 | DESC 'Clear text password (used for trusted domain passwords)' 463 | EQUALITY octetStringMatch 464 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) 465 | 466 | # 467 | attributetype ( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextPassword' 468 | DESC 'Previous clear text password (used for trusted domain passwords)' 469 | EQUALITY octetStringMatch 470 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) 471 | 472 | attributetype ( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' 473 | DESC 'Type of trust' 474 | EQUALITY integerMatch 475 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 476 | 477 | attributetype ( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' 478 | DESC 'Trust attributes for a trusted domain' 479 | EQUALITY integerMatch 480 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 481 | 482 | attributetype ( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' 483 | DESC 'Direction of a trust' 484 | EQUALITY integerMatch 485 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 486 | 487 | attributetype ( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' 488 | DESC 'Fully qualified name of the domain with which a trust exists' 489 | EQUALITY caseIgnoreMatch 490 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) 491 | 492 | attributetype ( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' 493 | DESC 'NetBIOS name of a domain' 494 | EQUALITY caseIgnoreMatch 495 | SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15{128} ) 496 | 497 | attributetype ( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing' 498 | DESC 'Authentication information for the outgoing portion of a trust' 499 | EQUALITY caseExactMatch 500 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) 501 | 502 | attributetype ( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming' 503 | DESC 'Authentication information for the incoming portion of a trust' 504 | EQUALITY caseExactMatch 505 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) 506 | 507 | attributetype ( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier' 508 | DESC 'SID of a trusted domain' 509 | EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch 510 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) 511 | 512 | attributetype ( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustInfo' 513 | DESC 'Forest trust information for a trusted domain object' 514 | EQUALITY caseExactMatch 515 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) 516 | 517 | attributetype ( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset' 518 | DESC 'POSIX offset of a trust' 519 | EQUALITY integerMatch 520 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 521 | 522 | attributetype ( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptionTypes' 523 | DESC 'Supported encryption types of a trust' 524 | EQUALITY integerMatch 525 | SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) 526 | 527 | ####################################################################### 528 | ## objectClasses used by Samba 3.0 schema ## 529 | ####################################################################### 530 | 531 | ## The X.500 data model (and therefore LDAPv3) says that each entry can 532 | ## only have one structural objectclass. OpenLDAP 2.0 does not enforce 533 | ## this currently but will in v2.1 534 | 535 | ## 536 | ## added new objectclass (and OID) for 3.0 to help us deal with backwards 537 | ## compatibility with 2.2 installations (e.g. 
ldapsam_compat) --jerry
##
objectclass ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
	DESC 'Samba 3.0 Auxilary SAM Account'
	MUST ( uid $ sambaSID )
	MAY ( cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $
	      sambaLogonTime $ sambaLogoffTime $ sambaKickoffTime $
	      sambaPwdCanChange $ sambaPwdMustChange $ sambaAcctFlags $
	      displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScript $
	      sambaProfilePath $ description $ sambaUserWorkstations $
	      sambaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $
	      sambaBadPasswordCount $ sambaBadPasswordTime $
	      sambaPasswordHistory $ sambaLogonHours))

##
## Group mapping info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' SUP top AUXILIARY
	DESC 'Samba Group Mapping'
	MUST ( gidNumber $ sambaSID $ sambaGroupType )
	MAY ( displayName $ description $ sambaSIDList ))

##
## Trust password for trust relationships (any kind)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
	DESC 'Samba Trust Password'
	MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
	MAY ( sambaSID $ sambaPwdLastSet ))

##
## Trust password for trusted domains
## (to be stored beneath the trusting sambaDomain object in the DIT)
##
objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP top STRUCTURAL
	DESC 'Samba Trusted Domain Password'
	MUST ( sambaDomainName $ sambaSID $
	       sambaClearTextPassword $ sambaPwdLastSet )
	MAY ( sambaPreviousClearTextPassword ))

##
## Whole-of-domain info
##
objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
	DESC 'Samba Domain Information'
	MUST ( sambaDomainName $
	       sambaSID )
	MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
	      sambaAlgorithmicRidBase $
	      sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $
	      sambaMaxPwdAge $ sambaMinPwdAge $
	      sambaLockoutDuration $ sambaLockoutObservationWindow $ sambaLockoutThreshold $
	      sambaForceLogoff $ sambaRefuseMachinePwdChange ))

##
## used for idmap_ldap module
##
objectclass ( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' SUP top AUXILIARY
	DESC 'Pool for allocating UNIX uids/gids'
	MUST ( uidNumber $ gidNumber ) )


objectclass ( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' SUP top AUXILIARY
	DESC 'Mapping from a SID to an ID'
	MUST ( sambaSID )
	MAY ( uidNumber $ gidNumber ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' SUP top STRUCTURAL
	DESC 'Structural Class for a SID'
	MUST ( sambaSID ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' SUP top AUXILIARY
	DESC 'Samba Configuration Section'
	MAY ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' SUP top STRUCTURAL
	DESC 'Samba Share Section'
	MUST ( sambaShareName )
	MAY ( description ) )

objectclass ( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' SUP top STRUCTURAL
	DESC 'Samba Configuration Option'
	MUST ( sambaOptionName )
	MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $
	      sambaStringListoption $ description ) )


## retired during privilege rewrite
##objectclass ( 1.3.6.1.4.1.7165.2.2.13 NAME 'sambaPrivilege' SUP top AUXILIARY
##	DESC 'Samba Privilege'
##	MUST ( sambaSID )
##	MAY ( sambaPrivilegeList ) )

##
## used for IPA_ldapsam
##
objectclass ( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' SUP top STRUCTURAL
	DESC 'Samba Trusted Domain Object'
	MUST ( cn )
	MAY ( sambaTrustType $ sambaTrustAttributes $ sambaTrustDirection $
	      sambaTrustPartner $ sambaFlatName $ sambaTrustAuthOutgoing $
	      sambaTrustAuthIncoming $ sambaSecurityIdentifier $
	      sambaTrustForestTrustInfo $ sambaTrustPosixOffset $
	      sambaSupportedEncryptionTypes) )
--------------------------------------------------------------------------------
/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for openldap

- name: restart slapd
  service: name=slapd state=restarted
  tags: openldap
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
---
galaxy_info:
  author: Kevin Brebanov
  description: Installs and configures OpenLDAP
  company:
  # Some suggested licenses:
  # - BSD (default)
  # - MIT
  # - GPLv2
  # - GPLv3
  # - Apache
  # - CC-BY
  license: BSD
  min_ansible_version: 1.4
  #
  # Below are all platforms currently available. Just uncomment
  # the ones that apply to your role. If you don't see your
  # platform on this list, let us know and we'll get it added!
  #
  platforms:
  #- name: EL
  #  versions:
  #  - all
  #  - 5
  #  - 6
  #  - 7
  #- name: GenericUNIX
  #  versions:
  #  - all
  #  - any
  #- name: Fedora
  #  versions:
  #  - all
  #  - 16
  #  - 17
  #  - 18
  #  - 19
  #  - 20
  #- name: SmartOS
  #  versions:
  #  - all
  #  - any
  #- name: opensuse
  #  versions:
  #  - all
  #  - 12.1
  #  - 12.2
  #  - 12.3
  #  - 13.1
  #  - 13.2
  #- name: Amazon
  #  versions:
  #  - all
  #  - 2013.03
  #  - 2013.09
  #- name: GenericBSD
  #  versions:
  #  - all
  #  - any
  #- name: FreeBSD
  #  versions:
  #  - all
  #  - 8.0
  #  - 8.1
  #  - 8.2
  #  - 8.3
  #  - 8.4
  #  - 9.0
  #  - 9.1
  #  - 9.1
  #  - 9.2
  - name: Ubuntu
    versions:
    # - all
    # - lucid
    # - maverick
    # - natty
    # - oneiric
    # - precise
    # - quantal
    # - raring
    # - saucy
    - trusty
  #- name: SLES
  #  versions:
  #  - all
  #  - 10SP3
  #  - 10SP4
  #  - 11
  #  - 11SP1
  #  - 11SP2
  #  - 11SP3
  #- name: GenericLinux
  #  versions:
  #  - all
  #  - any
  #- name: Debian
  #  versions:
  #  - all
  #  - etch
  #  - lenny
  #  - squeeze
  #  - wheezy
  #
  # Below are all categories currently available. Just as with
  # the platforms above, uncomment those that apply to your role.
  #
  categories:
  #- cloud
  #- cloud:ec2
  #- cloud:gce
  #- cloud:rax
  #- clustering
  #- database
  #- database:nosql
  #- database:sql
  #- development
  #- monitoring
  #- networking
  #- packaging
  - system
  #- web
dependencies: []
  # List your role dependencies here, one per line. Only
  # dependencies available via galaxy should be listed here.
  # Be sure to remove the '[]' above if you add dependencies
  # to this list.

--------------------------------------------------------------------------------
/tasks/CentOS.yml:
--------------------------------------------------------------------------------
---
# tasks file for openldap (CentOS specific)
--------------------------------------------------------------------------------
/tasks/Ubuntu.yml:
--------------------------------------------------------------------------------
---
# tasks file for openldap (Ubuntu specific)

- name: Do not autoconfigure OpenLDAP
  debconf: >
    name=slapd
    question='slapd/no_configuration'
    value=true
    vtype=boolean
  tags: openldap

- name: Install OpenLDAP packages
  apt: name={{ item }} state=present update_cache=yes
  with_items: "{{ openldap_packages }}"
  environment: "{{ env }}"
  tags: openldap
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for openldap

- name: Include distribution specific variables
  include_vars: "{{ ansible_distribution }}.yml"
  tags: openldap

- include: CentOS.yml
  when: ansible_distribution == "CentOS"
  tags: openldap

- include: Ubuntu.yml
  when: ansible_distribution == "Ubuntu"
  tags: openldap

- name: Create OpenLDAP defaults configuration
  template: >
    src=slapd_defaults.j2
    dest={{ openldap_defaults_file }}
    owner=root
    group=root
    mode=0644
  notify: restart slapd
  tags: openldap

- name: Copy Samba LDAP schema
  copy: >
    src=samba.schema
    dest={{ openldap_schema_directory }}
    owner=root
    group=root
    mode=0644
  tags: openldap

# The plaintext rootpw is passed to slappasswd as a command-line argument, so
# it is visible in the process list and in Ansible's task output; no_log: true
# on this task would at least keep it out of the play output.
- name: Hash OpenLDAP rootpw
  command: slappasswd -h {{ openldap_server_password_hash }} -s {{ openldap_server_rootpw }}
  register: rootpw
  tags: openldap

- name: Create OpenLDAP server configuration
  template: >
    src=slapd.conf.j2
    dest={{ openldap_server_configuration }}
    owner=root
    group=root
    mode=0644
  notify: restart slapd
  tags: openldap

- name: Create OpenLDAP DB_CONFIG
  template: >
    src=DB_CONFIG.j2
    dest={{ openldap_server_directory }}/DB_CONFIG
    owner=openldap
    group=openldap
    mode=0600
  notify: restart slapd
  tags: openldap

- name: Create OpenLDAP client configuration
  template: >
    src=ldap.conf.j2
    dest={{ openldap_client_configuration }}
    owner=root
    group=root
    mode=0644
  tags: openldap

- name: Ensure OpenLDAP service is started and enabled on boot
  service: name=slapd state=started enabled=yes
  tags: openldap
--------------------------------------------------------------------------------
/templates/DB_CONFIG.j2:
--------------------------------------------------------------------------------
set_cachesize 0 {{ openldap_dbconfig_set_cachesize }} 0
set_lk_max_objects {{ openldap_dbconfig_set_lk_max_objects }}
set_lk_max_locks {{ openldap_dbconfig_set_lk_max_locks }}
set_lk_max_lockers {{ openldap_dbconfig_set_lk_max_lockers }}
--------------------------------------------------------------------------------
/templates/ldap.conf.j2:
--------------------------------------------------------------------------------
# {{ ansible_managed }}

URI {{ openldap_client_uri }}
BASE {{ openldap_client_base }}
BINDDN {{ openldap_client_binddn }}

SIZELIMIT {{ openldap_client_sizelimit }}
TIMELIMIT {{ openldap_client_timelimit }}
--------------------------------------------------------------------------------
/templates/slapd.conf.j2:
--------------------------------------------------------------------------------
# {{ ansible_managed }}

# Basics

{% for schema in openldap_server_schemas %}
include /etc/ldap/schema/{{ schema }}.schema
{% endfor %}

pidfile {{ openldap_server_pidfile }}
argsfile {{ openldap_server_argsfile }}
loglevel {{ openldap_server_loglevel }}

password-hash {{ openldap_server_password_hash }}

modulepath {{ openldap_server_modulepath }}
{% for module in openldap_server_modules %}
moduleload {{ module }}
{% endfor %}

# Database configuration

database {{ openldap_server_database }}
suffix "{{ openldap_server_suffix }}"
rootdn "{{ openldap_server_rootdn }}"
rootpw {{ rootpw.stdout }}
directory {{ openldap_server_directory }}
{% for index in openldap_server_indexes %}
index {{ index }}
{% endfor %}

overlay syncprov
syncprov-checkpoint {{ openldap_sync_syncprov_checkpoint }}
syncprov-sessionlog {{ openldap_sync_syncprov_sessionlog }}

{% if openldap_sync_consumer %}
syncrepl rid={{ openldap_sync_syncrepl_rid }}
  provider={{ openldap_sync_syncrepl_provider }}
  bindmethod={{ openldap_sync_syncrepl_bindmethod }}
  timeout={{ openldap_sync_syncrepl_timeout }}
  network-timeout={{ openldap_sync_syncrepl_network_timeout }}
  binddn="{{ openldap_sync_syncrepl_binddn }}"
  credentials="{{ openldap_sync_syncrepl_credentials }}"
  keepalive={{ openldap_sync_syncrepl_keepalive }}
  starttls={{ openldap_sync_syncrepl_starttls }}
  filter="{{ openldap_sync_syncrepl_filter }}"
  searchbase="{{ openldap_sync_syncrepl_searchbase }}"
  scope={{ openldap_sync_syncrepl_scope }}
  schemachecking={{ openldap_sync_syncrepl_schemachecking }}
  type={{ openldap_sync_syncrepl_type }}
  interval={{ openldap_sync_syncrepl_interval }}
  retry="{{ openldap_sync_syncrepl_retry }}"
{% endif %}

# ACLs
{% for acl in openldap_server_acls %}
access {{ acl }}
{% endfor %}
--------------------------------------------------------------------------------
/templates/slapd_defaults.j2:
--------------------------------------------------------------------------------
# {{ ansible_managed }}

# Default location of the slapd.conf file or slapd.d cn=config directory. If
# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
# /etc/ldap/slapd.conf).
SLAPD_CONF=

# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="{{ openldap_default_user }}"

# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="{{ openldap_default_group }}"

# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
# default)
SLAPD_PIDFILE=

# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="{{ openldap_default_services }}"

# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1

# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE={{ openldap_default_sentinel_file }}

# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab

# Additional options to pass to slapd
SLAPD_OPTIONS="{{ openldap_default_options }}"
--------------------------------------------------------------------------------
/vars/CentOS.yml:
--------------------------------------------------------------------------------
---
# vars file for openldap (CentOS specific)
--------------------------------------------------------------------------------
/vars/Ubuntu.yml:
--------------------------------------------------------------------------------
---
# vars file for openldap (Ubuntu specific)

env:
  RUNLEVEL: 1

openldap_packages:
  - slapd
  - ldap-utils

openldap_defaults_file: /etc/default/slapd

openldap_default_user: openldap
openldap_default_group: openldap
openldap_default_sentinel_file: /etc/ldap/noslapd

openldap_server_pidfile: /var/run/slapd/slapd.pid
openldap_server_argsfile: /var/run/slapd/slapd.args
openldap_server_modulepath: /usr/lib/ldap
openldap_server_directory: /var/lib/ldap
openldap_server_configuration: /etc/ldap/slapd.conf
openldap_client_configuration: /etc/ldap/ldap.conf

openldap_schema_directory: /etc/ldap/schema
--------------------------------------------------------------------------------
/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for openldap
--------------------------------------------------------------------------------