5 files changed, 39 insertions, 10 deletions

diff --git a/all.yml b/all.yml
new file mode 100644
index 0000000..69bc379
--- /dev/null
+++ b/all.yml
@@ -0,0 +1,7 @@
+---
+# Example:
+#   ansible-playbook -i stage_vms all.yml -t rkhunter
+
+- include: common.yml
+- include: IMAP.yml
+- include: MX.yml
diff --git a/common.yml b/common.yml
index ab8ab1d..bf666b2 100644
--- a/common.yml
+++ b/common.yml
@@ -25,3 +25,10 @@
   tags: slapd,ldap
   roles:
     - common-LDAP
+
+- name: Configure the LDAP provider
+  hosts: LDAP-provider
+  gather_facts: False
+  tags: slapd,ldap
+  roles:
+    - LDAP-provider
diff --git a/roles/LDAP-provider/files/etc/ldap/syncprov.ldif b/roles/LDAP-provider/files/etc/ldap/syncprov.ldif
new file mode 100644
index 0000000..42f06a0
--- /dev/null
+++ b/roles/LDAP-provider/files/etc/ldap/syncprov.ldif
@@ -0,0 +1,13 @@
+# References:
+# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
+# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
+# - man 5 slapo-syncprov
+
+dn: olcOverlay=syncprov,olcDatabase={*}hdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+# contextCSN saved to database every 50 updates or 5
+# minutes
+olcSpCheckpoint: 50 5
+olcSpReloadHint: TRUE
diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
new file mode 100644
index 0000000..64c8e30
--- /dev/null
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -0,0 +1,12 @@
+- name: Copy the syncprov overlay configuration
+  copy: src=etc/ldap/syncprov.ldif
+        dest=/etc/ldap/fripost/syncprov.ldif
+        owner=root group=root
+        mode=0644
+
+- name: Load and configure the syncprov overlay
+  openldap: module=syncprov state=present
+            suffix=o=mailHosting,dc=fripost,dc=org
+            target=/etc/ldap/fripost/syncprov.ldif
+
+# TODO: authz constraint
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 27a0298..06eb692 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -66,18 +66,8 @@
     # TODO load other required schemas *before* loading the database
     - fripost/database.ldif
 
-- name: Load LDAP modules
-  openldap: module={{ item }}.la state=present
-  with_items:
-    # TODO only if provider
-    - syncprov
-    # TODO only if writable
-    - constraint
-
 - name: Start slapd
   service: name=slapd state=started
   when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
-
-# TODO: authz constraint syncprov