authorGuilhem Moulin <guilhem@fripost.org>2013-12-01 22:21:41 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:02 +0200
commit0c99d9d1600c0fe2c494f9c59ba8ea7966dcd65f (patch)
treed97af36efc2f16a7164df52b5663d599196e6a7b
parentad5c4ebef590371352b4349443a7661fd25301ac (diff)
Provision /etc/default/slapd
This is because the UNIX domain socket to connect to when performing LDAP lookups needs to be in the chroot. Also, don't open an INET socket unless we're a Sync Provider.
-rw-r--r--roles/common-LDAP/tasks/main.yml16
-rw-r--r--roles/common-LDAP/templates/etc/default/slapd.j249
2 files changed, 65 insertions, 0 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index cb1e835..270924c 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -7,6 +7,15 @@
- db-util
- python-ldap
+- name: Configure slapd
+ template: src=etc/default/slapd.j2
+ dest=/etc/default/slapd
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart slapd
+
# Upon install slapd create and populate a database under /var/lib/ldap.
# We clear it up and create a children directory to get finer-grain
# control.
@@ -27,6 +36,7 @@
dest=/var/lib/ldap/fripost/DB_CONFIG
owner=openldap group=openldap
mode=0600
+ register: r2
notify:
# Not sure if required
- Restart slapd
@@ -64,4 +74,10 @@
# TODO only if writable
- constraint
+- name: Start slapd
+ service: name=slapd state=started
+ when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers
+
# TODO: authz constraint syncprov syncrepl
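Review bot: The condition on the new `Start slapd` task, `when: not (r1.changed or r2.changed)`, is not explained, and its purpose only becomes clear after reading the two earlier hunks: a changed /etc/default/slapd or DB_CONFIG notifies `Restart slapd`, which the following `meta: flush_handlers` fires, so the explicit start is only needed when nothing changed. A comment above the task would carry that, e.g. `# A changed config or DB_CONFIG restarts slapd via the handler below; otherwise just make sure it is running.`. `r1` and `r2` are registered by tasks in this file's first two hunks; if either task is ever skipped through tags the variable is undefined and this `when` fails to evaluate, so `state=started` unconditionally (the handler still restarts on change) would be more robust — inferred, since the tasks between the hunks are not shown.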
diff --git a/roles/common-LDAP/templates/etc/default/slapd.j2 b/roles/common-LDAP/templates/etc/default/slapd.j2
new file mode 100644
index 0000000..7eea421
--- /dev/null
+++ b/roles/common-LDAP/templates/etc/default/slapd.j2
@@ -0,0 +1,49 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+SLAPD_SERVICES="ldapi:///"
+{% for i in postfix_instance.keys() | intersect(group_names) | list %}
+SLAPD_SERVICES="$SLAPD_SERVICES ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[i].name }}%2Fprivate%2Fldapi/"
+{% endfor %}
+{% if 'LDAP-producer' in group_names %}
+SLAPD_SERVICES="$SLAPD_SERVICES ldap://172.16.0.1:389/"
+{% endif %}
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
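Review bot: The provider listener `SLAPD_SERVICES="$SLAPD_SERVICES ldap://172.16.0.1:389/"` hard-codes the bind address in the template and opens a plaintext `ldap://` socket; whether replication consumers are required to use StartTLS or authenticate is decided in cn=config, which this commit does not touch, so the template should record the expectation, e.g. `# Sync Provider only: listen on the internal address; TLS/auth requirements for consumers are enforced in cn=config.`, and the address should come from a host or group variable (e.g. `{{ ldap_provider_address }}`, a constructed name) rather than a literal. On the loop line `postfix_instance[i].name` is interpolated unescaped into an already percent-encoded ldapi path, so an instance name containing `/` or `%` would yield a malformed URL; either apply an escaping filter there or state in a comment that instance names must be plain identifiers. slapd runs as `SLAPD_USER="openldap"` but must create a socket under each Postfix chroot's `private/` directory, whose ownership and mode are not shown on this page; a comment noting how that directory is made writable for openldap would save the next reader a failed start.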