From 0c99d9d1600c0fe2c494f9c59ba8ea7966dcd65f Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 1 Dec 2013 22:21:41 +0100
Subject: Provision /etc/default/slapd

This is because the UNIX domain socket to connect to when performing LDAP lookups needs to be in the chroot. Also, don't open a INET socket unless we're a Sync Provider.
---
 roles/common-LDAP/tasks/main.yml | 16 ++++++++
 roles/common-LDAP/templates/etc/default/slapd.j2 | 49 ++++++++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 roles/common-LDAP/templates/etc/default/slapd.j2

diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index cb1e835..270924c 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -7,6 +7,15 @@
 - db-util
 - python-ldap
 
+- name: Configure slapd
+ template: src=etc/default/slapd.j2
+ dest=/etc/default/slapd
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart slapd
+
 # Upon install slapd create and populate a database under /var/lib/ldap.
 # We clear it up and create a children directory to get finer-grain
 # control.
@@ -27,6 +36,7 @@
 dest=/var/lib/ldap/fripost/DB_CONFIG
 owner=openldap group=openldap
 mode=0600
+ register: r2
 notify:
 # Not sure if required
 - Restart slapd
@@ -64,4 +74,10 @@
 # TODO only if writable
 - constraint
 
+- name: Start slapd
+ service: name=slapd state=started
+ when: not (r1.changed or r2.changed)
+
+ - meta: flush_handlers
+
 # TODO: authz constraint syncprov syncrepl
diff --git a/roles/common-LDAP/templates/etc/default/slapd.j2 b/roles/common-LDAP/templates/etc/default/slapd.j2
new file mode 100644
index 0000000..7eea421
--- /dev/null
+++ b/roles/common-LDAP/templates/etc/default/slapd.j2
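Review bot: The `when: not (r1.changed or r2.changed)` guard on the new `Start slapd` task in the last hunk couples it to the two tasks that happen to register results, which is fragile: any future task that notifies `Restart slapd` (the DB_CONFIG task in the second hunk already did before this commit) has to be added to the expression by hand, and if either registering task is skipped, for instance by tags, `r1`/`r2` are undefined and the play errors out. Since `state=started` is a no-op when the handler has already restarted the service, running the task after the flush gives the same result with no registered variables: `- meta: flush_handlers` followed by `- name: Start slapd` / `  service: name=slapd state=started`. The `register: r1` and `register: r2` additions in the first two hunks would then be unnecessary.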
@@ -0,0 +1,49 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+SLAPD_SERVICES="ldapi:///"
+{% for i in postfix_instance.keys() | intersect(group_names) | list %}
+SLAPD_SERVICES="$SLAPD_SERVICES ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[i].name }}%2Fprivate%2Fldapi/"
+{% endfor %}
+{% if 'LDAP-producer' in group_names %}
+SLAPD_SERVICES="$SLAPD_SERVICES ldap://172.16.0.1:389/"
+{% endif %}
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work). Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work). Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab). To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
--
cgit v1.2.3
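Review bot: The `ldap://172.16.0.1:389/` listener added under the `LDAP-producer` condition hard-codes both the bind address and a cleartext transport into the template. The address belongs in a role variable or host fact rendered by the template rather than a literal, and because this listener exists so that replication consumers can reach the provider, the slapd configuration it pairs with must require TLS on that socket before replication binds go over it (the commit leaves syncprov/syncrepl as a TODO); a comment such as `# Sync Provider listener: replication binds over this socket must be protected by TLS (see the syncrepl/security config)` would record that requirement next to the line. Separately, the `ldapi://%2Fvar%2Fspool%2Fpostfix-…%2Fprivate%2Fldapi/` sockets require each chroot's `private` directory to exist before slapd starts; if the Postfix role that creates it runs after this one, slapd will presumably fail to bind on first provisioning, which is worth stating in the task or enforcing by role ordering.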