Diffstat (limited to 'roles')
-rw-r--r--roles/LDAP-provider/files/etc/ldap/dynlist.ldif26
-rw-r--r--roles/LDAP-provider/tasks/main.yml12
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j22
3 files changed, 37 insertions, 3 deletions
diff --git a/roles/LDAP-provider/files/etc/ldap/dynlist.ldif b/roles/LDAP-provider/files/etc/ldap/dynlist.ldif
new file mode 100644
index 0000000..df9a806
--- /dev/null
+++ b/roles/LDAP-provider/files/etc/ldap/dynlist.ldif
@@ -0,0 +1,26 @@
+# References:
+# - https://www.openldap.org/doc/admin24/overlays.html#Dynamic%20Lists
+# - man 5 slapo-dynlist
+
+# TODO bookworm (slapd 2.5)
+# “The dynlist overlay has been reworked with the 2.5 release to use a
+# consistent namespace as with other overlays. As a side-effect the
+# following cn=config parameters are deprecated and will be removed in a
+# future release: olcDlAttrSet is replaced with olcDynListAttrSet
+# olcDynamicList is replaced with olcDynListConfig”
+#
+# XXX that didn't solve the spaming from nextcloud's user_ldap plugin,
+# so we disable activity mails for “Your group memberships were
+# modified“ for now. See also
+#
+# https://github.com/nextcloud/server/issues/42195
+# https://github.com/nextcloud/server/issues/29832
+#
+# TODO bookworm: use “dynlist-attrset groupOfURLs memberURL
+# member+memberOf@groupOfNames” to also populate memberOf
+#
+dn: olcOverlay=dynlist,olcDatabase={*}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcDynamicList
+olcOverlay: dynlist
+olcDlAttrSet: groupOfURLs memberURL member
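Review bot: The dn `olcOverlay=dynlist,olcDatabase={*}mdb,cn=config` is not a valid cn=config DN as written — `{*}` looks like a placeholder that the role's `openldap` task (which passes `suffix=dc=fripost,dc=org`) resolves to the real database index, but nothing in the file says so, and anyone feeding it to `ldapadd` by hand will get an error. A one-line comment above the dn, e.g. `# {*} is resolved to the mdb database index by the openldap task; do not ldapadd this file directly`, would make that explicit (adjust if the substitution is done elsewhere). Separately, with `olcDlAttrSet: groupOfURLs memberURL member` the `member` values of every groupOfURLs entry are computed from its `memberURL`, so write access to `memberURL` is effectively write access to group membership; a comment such as `# NOTE: memberURL now controls membership — its write ACL must be at least as strict as member's` next to the attrset would keep that in view when the ACLs in database.ldif.j2 are next edited.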
diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index 9bc227e..8d4e327 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -4,6 +4,15 @@
target=etc/ldap/syncprov.ldif
local=file
+#- name: Load dyngroup schema
+# openldap: target=/etc/ldap/schema/dyngroup.ldif
+
+- name: Load and configure the dynlist overlay
+ openldap: module=dynlist
+ suffix=dc=fripost,dc=org
+ target=etc/ldap/dynlist.ldif
+ local=file
+
## XXX should be /etc/sasl2/slapd.conf ideally, but it doesn't work with
## Stretch, cf #211156 and #798462:
## ldapsearch -LLLx -H ldapi:// -b "" -s base supportedSASLMechanisms
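Review bot: The `Load dyngroup schema` task is re-added here still commented out, while the new dynlist.ldif in this commit configures `olcDlAttrSet: groupOfURLs memberURL member`. In stock OpenLDAP the `groupOfURLs` objectClass and `memberURL` attribute come from `schema/dyngroup.ldif`, so unless that schema is loaded somewhere not visible in this diff, I would expect slapd to reject the overlay configuration with an unknown objectClass; if it is loaded elsewhere, a comment on the commented-out task saying where would save the next reader the same question. If it is not, the fix is to uncomment the two lines, `- name: Load dyngroup schema` / `  openldap: target=/etc/ldap/schema/dyngroup.ldif`, and keep them ordered before the dynlist task as they are here. The hunk opens inside the preceding syncprov task, whose `name:` line is above the hunk.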
@@ -15,7 +24,4 @@
owner=root group=root
mode=0644
-#- name: Load dyngroup schema
-# openldap: target=/etc/ldap/schema/dyngroup.ldif
-
# TODO: authz constraint
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index a0ac705..f10bb33 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -538,9 +538,11 @@ olcAccess: to dn.exact="ou=groups,dc=fripost,dc=org"
by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd
by users =0 break
olcAccess: to dn.exact="cn=medlemmar,ou=groups,dc=fripost,dc=org"
+ attrs=entry,entryDN,entryUUID,objectClass,cn,description,member
by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd
by users =0 break
olcAccess: to dn.exact="cn=styrelse,ou=groups,dc=fripost,dc=org"
+ attrs=entry,entryDN,entryUUID,objectClass,cn,description,member
by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd
by users =0 break
#
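Review bot: Adding `attrs=entry,entryDN,entryUUID,objectClass,cn,description,member` narrows what these two `to` clauses match, which means any other attribute on cn=medlemmar and cn=styrelse (notably `memberURL`, now membership-controlling via the dynlist overlay added in this commit) is no longer decided here for nextcloud either — it falls through to whichever later olcAccess clause matches, not to an implicit deny. That is presumably intended, but it depends on the later rules, which are outside this hunk, so a short comment such as `# attrs= is deliberately narrow; unlisted attrs (e.g. memberURL) fall through to the rules below for nextcloud too` above the first of the two clauses would document the assumption. The sibling clause for `ou=groups` shown in the hunk header does not appear to get the same `attrs=` list; if its attribute scope is set elsewhere, fine, otherwise it may be worth aligning the three.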