Verified Commit 40c38f61 authored by Maciej Delmanowski

Merge branch 'drybjed-small-enhancements-fixes'

parents 2494b5cc 690a4f85
......@@ -18,6 +18,13 @@ You can read information about required changes between releases in the
.. _debops master: https://github.com/debops/debops/compare/v1.0.0...master
Added
~~~~~
- [debops.slapd] The role can now control on which ports and services OpenLDAP
listens for connections. The ``ldaps:///`` service is enabled by default when
support for the :ref:`debops.pki` role is enabled on the OpenLDAP host.
`debops v1.0.0`_ - 2019-05-22
-----------------------------
......
......@@ -436,7 +436,7 @@
{% endif %}
{% endif %}
{% set nginx__tpl_hostname_domain = item.hostname_domain | d((item.name if item.name is string else item.name[0]).split('.')[1:] | join('.')) %}
{% set nginx__tpl_hostname_domain = item.hostname_domain | d(((item.name if item.name is string else item.name[0]) if item.name|d() else ansible_fqdn).split('.')[1:] | join('.')) %}
{% set nginx__tpl_final_hostname_domain = [] %}
{% if item.hostname_domain is undefined %}
{% for domain_suffix in nginx__hostname_domains[::-1] %}
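Review bot: The new `nginx__tpl_hostname_domain` assignment falls back to `ansible_fqdn` when `item.name` is empty, and that name is only present when facts have been gathered; if the play disables fact gathering this now fails on an undefined variable rather than producing an empty domain as before, so either document the fact dependency or guard it with `ansible_fqdn | d('')`. The expression is also hard to read with three nested conditionals inside one `d()` call; splitting the name resolution out, `{% set nginx__tpl_name = (item.name if item.name is string else item.name[0]) if item.name|d() else ansible_fqdn %}` followed by `{% set nginx__tpl_hostname_domain = item.hostname_domain | d(nginx__tpl_name.split('.')[1:] | join('.')) %}`, keeps the same result and makes the fallback order visible. The enclosing template block starts and ends outside this hunk.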
......
......@@ -735,6 +735,36 @@ slapd__snapshot_cron_jobs: [ 'daily', 'weekly', 'monthly' ]
# Network access to OpenLDAP server [[[
# -------------------------------------
# .. envvar:: slapd__services [[[
#
# List of the service URLs on which OpenLDAP should listen for new connections.
# Network access is controlled using the firewall rules defined below.
slapd__services:
# Listen for plaintext and StartTLS connections
- 'ldap:///'
# Listen for encrypted SSL connections (deprecated)
- '{{ "ldaps:///" if slapd__pki|bool else [] }}'
# Listen for connections on local UNIX domain socket
- 'ldapi:///'
# ]]]
# .. envvar:: slapd__ports [[[
#
# List of TCP service names of the ports on which OpenLDAP listens for network
# connections. These ports will be opened in the firewall so that other hosts
# can contact the LDAP service.
slapd__ports:
# Plaintext and StartTLS connections on port 389/tcp
- 'ldap'
# Encrypted SSL connections on port 636/tcp (deprecated)
- '{{ "ldaps" if slapd__pki|bool else [] }}'
# ]]]
# .. envvar:: slapd__accept_any [[[
#
# If ``True``, the role will configure the firewall and TCP Wrappers to accept
......@@ -849,7 +879,7 @@ slapd__ferm__dependent_rules:
- name: 'reject_slapd'
type: 'accept'
protocol: 'tcp'
dport: [ 'ldap' ]
dport: '{{ q("flattened", slapd__ports) }}'
multiport: True
saddr: '{{ slapd__deny + slapd__group_deny + slapd__host_deny }}'
weight: '45'
......@@ -862,7 +892,7 @@ slapd__ferm__dependent_rules:
- name: 'accept_slapd'
type: 'accept'
protocol: 'tcp'
dport: [ 'ldap' ]
dport: '{{ q("flattened", slapd__ports) }}'
multiport: True
saddr: '{{ slapd__allow + slapd__group_allow + slapd__host_allow }}'
accept_any: '{{ slapd__accept_any }}'
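Review bot: The `else []` branch on the `slapd__services` and `slapd__ports` entries places a list inside a string-valued template; this appears to rely on Ansible converting the rendered `[]` text back into an empty list so that `q('flattened', ...)` drops it, which is worth stating in a comment because the same lists now feed the `dport:` fields of the `reject_slapd` and `accept_slapd` firewall rules, where a stray literal `[]` string would become an invalid port name. Suggested comment above each conditional entry: `# Renders as an empty list when PKI support is disabled; q('flattened') removes it`. The `slapd__services` comment says network access is governed by the firewall rules, but `ldap:///` binds on all interfaces, so a reader should be pointed at `slapd__accept_any` (whose definition continues past the hunk) as the second half of that control.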
......
......@@ -30,11 +30,25 @@
state: 'present'
register: slapd__register_unix_groups
- name: Restart slapd if UNIX groups were modified
- name: Divert the OpenLDAP environment file
command: dpkg-divert --quiet --local --divert /etc/default/slapd.dpkg-divert
--rename /etc/default/slapd
args:
creates: '/etc/default/slapd.dpkg-divert'
- name: Generate the OpenLDAP environment file
template:
src: 'etc/default/slapd.j2'
dest: '/etc/default/slapd'
mode: '0644'
register: slapd__register_environment
- name: Restart slapd if its configuration was modified
service:
name: 'slapd'
state: 'restarted'
when: slapd__register_unix_groups is changed
when: slapd__register_unix_groups is changed or
slapd__register_environment is changed
- name: Ensure that the log directory exists
file:
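Review bot: The `Divert the OpenLDAP environment file` task writes its command as a plain scalar continued on the next line, which YAML silently folds into one value; that is valid but fragile, since a change in indentation would turn the second line into a separate key or a syntax error. A folded block scalar, `command: >-` with both argument lines indented beneath it, makes the intent explicit and is what the rest of the role's multi-line values should follow. The `when:` on the restart task has the same shape and would read better as `when: (slapd__register_unix_groups is changed or slapd__register_environment is changed)` on one line. The task list continues past the end of this hunk.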
......
# {{ ansible_managed }}
# Default location of the slapd.conf file or slapd.d cn=config directory. If
# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
# /etc/ldap/slapd.conf).
SLAPD_CONF=
# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="{{ slapd__user }}"
# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="{{ slapd__group }}"
# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
# default)
SLAPD_PIDFILE=
# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
SLAPD_SERVICES="{{ q('flattened', slapd__services) | join(' ') }}"
# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1
# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab
# Additional options to pass to slapd
SLAPD_OPTIONS=""
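Review bot: `SLAPD_SERVICES="{{ q('flattened', slapd__services) | join(' ') }}"` interpolates the list verbatim into a file that the init script sources as shell, with no escaping; an element containing a double quote, `$` or a backtick would be expanded by the shell or break the assignment. The values come from role defaults and inventory, so this is operator-controlled rather than untrusted input, but the constraint should be documented at the top of the template, for example `{# Values are inserted unescaped into a shell-sourced file; keep them free of quotes, $ and backticks #}`. The same applies to `SLAPD_USER` and `SLAPD_GROUP`. `SLAPD_SENTINEL_FILE=/etc/ldap/noslapd` is hard-coded while the other settings are templated; if that is deliberate, a one-line comment saying it matches the Debian default would stop the next reader from wondering.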