Commit 2d4cb7f2 authored by Maciej Delmanowski

[debops.slapd] Enable memberof and refint overlays

parent 01cd5fda
......@@ -363,6 +363,8 @@ slapd__default_tasks:
- '{1}syncprov'
- '{2}ppolicy'
- '{3}unique'
- '{4}memberof'
- '{5}refint'
ordered: True
- name: 'Enable Sync Provider overlay in the cn=config database'
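Review bot: the module indexes added here (`{4}memberof`, `{5}refint`) deliberately do not match the overlay indexes used later in the main database (`{3}memberof`, `{4}refint`), because `olcModuleLoad` is an `X-ORDERED` list of its own and is numbered independently of `olcOverlay`; a one-line comment above the list saying so would stop a future reader from "fixing" one set of numbers to match the other. Keep `memberof` ahead of `refint` in the list if it is ever extended, since the refint task in this change relies on both modules being loaded before the overlays are instantiated.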
......@@ -389,6 +391,18 @@ slapd__default_tasks:
attributes:
olcOverlay: '{2}unique'
- name: 'Enable memberOf overlay in the main database'
dn: 'olcOverlay={3}memberof,olcDatabase={1}mdb,cn=config'
objectClass: [ 'olcOverlayConfig', 'olcMemberOf' ]
attributes:
olcOverlay: '{3}memberof'
- name: 'Enable Referential Integrity overlay in the main database'
dn: 'olcOverlay={4}refint,olcDatabase={1}mdb,cn=config'
objectClass: [ 'olcOverlayConfig', 'olcRefintConfig' ]
attributes:
olcOverlay: '{4}refint'
- name: 'Configure Password Policy overlay in the main database'
dn: 'olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config'
attributes:
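Review bot: the memberOf overlay is instantiated with `objectClass: olcMemberOf` but is left unconfigured here, with its parameters arriving only in a later task; that is consistent with how `ppolicy` and `unique` are handled, but the docs should state that ordering, because an `olcOverlay={3}memberof` entry without `olcMemberOfGroupOC`/`olcMemberOfMemberAD` silently falls back to the overlay's built-in defaults until the second task runs. Also worth a note in the new overlays page: `slapo-memberof` is deprecated in OpenLDAP 2.5 and later in favour of the `memberOf` feature of `slapo-dynlist`, so enabling it unconditionally by default will need a version check or a documented migration path when the role starts targeting those releases.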
......@@ -409,6 +423,27 @@ slapd__default_tasks:
- 'ldap:///ou=People,{{ slapd__basedn }}?mail?sub'
state: 'exact'
- name: 'Configure memberOf overlay in the main database'
dn: 'olcOverlay={3}memberof,olcDatabase={1}mdb,cn=config'
attributes:
olcMemberOfDangling: 'ignore'
olcMemberOfRefInt: 'TRUE'
olcMemberOfGroupOC: 'groupOfNames'
olcMemberOfMemberAD: 'member'
olcMemberOfMemberOfAD: 'memberOf'
state: 'exact'
- name: 'Configure Referential Integrity overlay in the main database'
dn: 'olcOverlay={4}refint,olcDatabase={1}mdb,cn=config'
attributes:
olcRefintAttribute:
- 'member'
- 'memberOf'
- 'uniqueMember'
- 'manager'
- 'owner'
state: 'exact'
- name: 'Configure the OpenLDAP server log level'
dn: 'cn=config'
attributes:
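Review bot: `olcMemberOfRefInt: 'TRUE'` and the refint task below both maintain `member` and `memberOf` when an entry is renamed or deleted, so the same reference is handled by two overlays; pick one owner (either set `olcMemberOfRefInt` to `FALSE` and let refint handle `member`/`memberOf`, or drop those two names from `olcRefintAttribute`) and say in the docs which overlay is responsible. Two smaller points in the same hunk: `olcMemberOfDangling: 'ignore'` accepts `member` values that point at entries which do not exist, so a mistyped DN in a group modification is stored rather than rejected (`error` rejects the operation, `drop` strips the bad value); and the refint entry has no `olcRefintNothing`, so when refint removes the last `member` value from a `groupOfNames` entry (where `member` is mandatory) the internal modification fails with an object class violation instead of substituting a placeholder DN. Finally, please confirm on a running server that `olcRefintAttribute` loads with one attribute name per value as written here; the admin guide page linked from the new docs lists the names as a single space-separated value.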
......
......@@ -16,59 +16,10 @@ should review the configuration before doing so - the OpenLDAP server usually
refuses the incorrect configuration outright, which should not affect the
existing installation, but that's not a 100% guarantee.
.. _slapd__ref_syncprov_overlay:
- :ref:`slapd__ref_overlays`
- :ref:`slapd__ref_ldap_schemas`
- :ref:`slapd__ref_acl`
Sync Provider overlay
~~~~~~~~~~~~~~~~~~~~~
The role will by default enable the `Sync Provider`__ (``syncprov``) dynamic
module and overlay, in both the ``cn=config`` configuration database, and the
main OpenLDAP database.
The Sync Provider functionality is used in different `data replication`__
strategies. Enabling it by default, even on a standalone OpenLDAP server,
should be harmless - the replication requires additional configuration defined
in each OpenLDAP database. The overlay is enabled first to keep the
``X-ORDERED`` index number consistent between the ``cn=config`` database and
the main database.
.. __: http://www.zytrax.com/books/ldap/ch6/syncprov.html
.. __: https://www.openldap.org/doc/admin24/replication.html
.. _slapd__ref_ppolicy_overlay:
Password Policy overlay
~~~~~~~~~~~~~~~~~~~~~~~
The :ref:`debops.slapd` role will by default import the ``ppolicy`` LDAP
schema, load the ``ppolicy`` dynamic module and enable the Password Policy
overlay in the main OpenLDAP database.
The `Password Policy`__ overlay is used to maintain the security and quality of
various passwords stored in the LDAP database. By default the overlay will
ensure that the cleartext passwords passed to the OpenLDAP server are hashed
using the algorithms specified in the ``olcPasswordHash`` parameter (salted
SHA-512 via :man:`crypt(3)` function is set by default by the
:ref:`debops.slapd` role).
The LDAP administrators can define default and custom Password Policies in the
main database, which can enforce additional password requirements, like minimum
password length, different types of characters used, lockout policy, etc.
.. __: https://www.zytrax.com/books/ldap/ch6/ppolicy.html
.. _slapd__ref_unique_overlay:
Attribute Uniqueness overlay
----------------------------
The `Attribute Uniqueness overlay`__ is used to enforce that specific LDAP
attributes are unique acrosse the LDAP directory. The default configuration
enforces the uniqueness of the ``uidNumber`` and ``gidNumber`` attributes in
the entire LDAP directory, and the ``uid``, ``gid`` and ``mail`` attributes in
the ``ou=People,dc=example,dc=org`` subtree of the directory.
.. __: https://www.openldap.org/doc/admin24/overlays.html#Attribute%20Uniqueness
Access to service allowed by default
------------------------------------
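Review bot: the Attribute Uniqueness paragraph removed here contains the typo `acrosse`, and the same text is moved verbatim into the new `slapd-overlays.rst`, so the typo survives the move and should be fixed in the new file. The three `:ref:` items that replace the removed sections now sit directly under the paragraph about the server refusing incorrect configuration with no lead-in; a short sentence such as "See the following pages for details:" before the list would make it read as a pointer list rather than a continuation of that paragraph.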
......
......@@ -19,6 +19,7 @@ instances and integrates with other DebOps roles like :ref:`debops.pki` and
:maxdepth: 2
getting-started
slapd-overlays
ldap-schema
ldap-acl
backup-restore
......
......@@ -26,6 +26,10 @@ Directory structure
- ``{3}unique``
- ``{4}memberof``
- ``{5}refint``
- :ref:`cn=schema <slapd__ref_ldap_schemas>`
- :ref:`core.schema <slapd__ref_initial_schemas>`
......@@ -54,6 +58,10 @@ Directory structure
- :ref:`olcOverlay={2}unique <slapd__ref_unique_overlay>`
- :ref:`olcOverlay={3}memberof <slapd__ref_memberof_overlay>`
- :ref:`olcOverlay={4}refint <slapd__ref_refint_overlay>`
- :envvar:`olcAccess <slapd__acl_tasks>` (:ref:`documentation <slapd__ref_acl>`)
- :envvar:`dc=example,dc=org <slapd__base_dn>`
......
.. _slapd__ref_overlays:
OpenLDAP Overlays
=================
OpenLDAP server supports `overlays`__ which can be added to a LDAP database to
modify its functionality. The overlays listed below are enabled by the
:ref:`debops.slapd` role by default.
.. __: https://www.openldap.org/doc/admin24/overlays.html
.. contents::
:local:
.. _slapd__ref_syncprov_overlay:
Sync Provider overlay
---------------------
The role will by default enable the `Sync Provider`__ (``syncprov``) dynamic
module and overlay, in both the ``cn=config`` configuration database, and the
main OpenLDAP database.
The Sync Provider functionality is used in different `data replication`__
strategies. Enabling it by default, even on a standalone OpenLDAP server,
should be harmless - the replication requires additional configuration defined
in each OpenLDAP database. The overlay is enabled first to keep the
``X-ORDERED`` index number consistent between the ``cn=config`` database and
the main database.
.. __: http://www.zytrax.com/books/ldap/ch6/syncprov.html
.. __: https://www.openldap.org/doc/admin24/replication.html
.. _slapd__ref_ppolicy_overlay:
Password Policy overlay
-----------------------
The :ref:`debops.slapd` role will by default import the ``ppolicy`` LDAP
schema, load the ``ppolicy`` dynamic module and enable the Password Policy
overlay in the main OpenLDAP database.
The `Password Policy`__ overlay is used to maintain the security and quality of
various passwords stored in the LDAP database. By default the overlay will
ensure that the cleartext passwords passed to the OpenLDAP server are hashed
using the algorithms specified in the ``olcPasswordHash`` parameter (salted
SHA-512 via :man:`crypt(3)` function is set by default by the
:ref:`debops.slapd` role).
The LDAP administrators can define default and custom Password Policies in the
main database, which can enforce additional password requirements, like minimum
password length, different types of characters used, lockout policy, etc.
.. __: https://www.zytrax.com/books/ldap/ch6/ppolicy.html
.. _slapd__ref_unique_overlay:
Attribute Uniqueness overlay
----------------------------
The `Attribute Uniqueness overlay`__ is used to enforce that specific LDAP
attributes are unique acrosse the LDAP directory. The default configuration
enforces the uniqueness of the ``uidNumber`` and ``gidNumber`` attributes in
the entire LDAP directory, and the ``uid``, ``gid`` and ``mail`` attributes in
the ``ou=People,dc=example,dc=org`` subtree of the directory.
.. __: https://www.openldap.org/doc/admin24/overlays.html#Attribute%20Uniqueness
.. _slapd__ref_memberof_overlay:
Reverse Group Membership Maintenance overlay
--------------------------------------------
The `memberOf overlay`__ is used to update the LDAP objects of group members
when they are added or removed from a particular ``groupOfNames`` object.
Applications and services can search for objects with the ``memberOf``
attribute with specific values to get the list of groups a given user belongs
to.
.. __: https://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance
.. _slapd__ref_refint_overlay:
Referential Integrity overlay
-----------------------------
The `refint overlay`__ is used to update Distinguished Name references in other
LDAP objects when a particular object is renamed or removed. This ensures that
the references between objects in the LDAP database are consistent.
.. __: https://www.openldap.org/doc/admin24/overlays.html#Referential%20Integrity
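Review bot: `acrosse` in the Attribute Uniqueness section should be `across`. The memberOf section should spell out what the role's defaults mean for clients: only `groupOfNames` entries and their `member` attribute are tracked (per `olcMemberOfGroupOC` and `olcMemberOfMemberAD` in this commit), so `groupOfUniqueNames`/`uniqueMember` groups get no `memberOf` values even though `uniqueMember` is listed for refint; and `memberOf` as defined by `slapo-memberof` is an operational attribute, so `ldapsearch` only returns it when it is requested explicitly (by name or with `+`). Since the page documents the Sync Provider overlay right above, a sentence on how `memberOf` values behave under syncrepl replication (whether consumers must run the same overlay) would save readers a surprise, and because `memberOf` exposes group membership on every user entry, the section should point at the ACL page so that attribute is covered by the access rules.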