Ansible role to configure a standalone OpenLDAP server
This role configures a standalone OpenLDAP server on the target system.
If TLS encryption (i.e. LDAPS or LDAP with STARTTLS) is desired, the target system needs to have a suitable X.509 certificate.
Likewise, when client certificates are required of the LDAP clients, the issuing CA’s certificate needs to be present on the target system.
This role does not handle deploying certificates.
If the target system runs Alpine Linux, Ansible must be configured to use Python 3 on the target system (e.g. via ansible_python_interpreter).
This is because Alpine no longer packages python-ldap for Python 2.
When this role sets passwords for entries with the object class sambaSamAccount but no sambaNTPassword attribute and openldap_server_sync_samba is false, the sambaNTPassword attribute is automatically set to match the newly set password.
This requires passlib to be available on the controller.
If passlib is not installed, the respective tasks will fail, but not cause the role to fail; the affected entries are then left without a sambaNTPassword, so Samba cannot authenticate them until one is set.
Role variables:

openldap_server_use
    USE flags for the net-nds/openldap package (Gentoo).

openldap_server_overlays
    Overlays to enable. The modules they need are added to openldap_server_modules automatically.

openldap_server_schemas
    Schemas to load, given either as the names of schemas shipped in the files/schemas directory of this role (e.g. core) or as paths to remote files in LDIF format (e.g. /etc/openldap/schema/core.ldif). Schemas required by the overlays in openldap_server_overlays are automatically added to this list. The core schema must always be present.

openldap_server_modules
    Modules to load.

openldap_server_sync_samba
    Keep userPassword in sync with the fields required by Samba. This uses the smbk5pwd overlay, which is automatically activated. Defaults to false.

openldap_server_sync_kerberos
    Keep userPassword in sync with the fields required by Kerberos. This uses the smbk5pwd overlay, which is automatically activated. Defaults to false.

openldap_server_overlay_config
    Per-overlay configuration. Settings not given here are taken from openldap_server_overlay_defaults (see defaults/main.yml).

openldap_server_default_root_dn
    Default root DN for all databases, including cn=config.

openldap_server_default_root_password
    Default root password for all databases, including cn=config.

openldap_server_skip_default_acls
    The role configures a set of default ACLs. If true, these are not configured. Defaults to false.

openldap_server_loglevel
    Log level of slapd. Defaults to stats. Recognised values are trace, packets, args, conns, BER, filter, config, ACL, stats, stats2, shell, parse, cache, index, sync and none. Use - to disable all non-critical log messages.

openldap_server_sizelimit_soft
    Soft size limit for search results. Defaults to 500.

openldap_server_sizelimit_hard
    Hard size limit for search results.

openldap_server_sizelimit_unchecked
    Unchecked size limit for search results.

openldap_server_timelimit_soft
    Soft time limit for searches. Defaults to 3600 (1 hour).

openldap_server_timelimit_hard
    Hard time limit for searches.

openldap_server_pw_hash
    Hash scheme for passwords set through the server. With CRYPT, SHA512-Crypt is used. Defaults to ARGON2.

openldap_server_tls_cert
    Server certificate (path on the target system).

openldap_server_tls_cert_key
    Private key of the server certificate (path on the target system).

openldap_server_tls_client_ca
    CA certificate used to verify client certificates (path on the target system).

openldap_server_tls_enforce_client
    If true (the default), clients must supply a valid certificate. If false, the certificate is optional but must be valid, if supplied. Ignored if openldap_server_tls_client_ca is not set.

openldap_server_tls13_only
    Set to true to enforce TLSv1.3 only. If false (the default), TLSv1.2 is enforced as the minimal supported protocol version.

openldap_server_ciphers
    Allowed TLS cipher suites.

openldap_server_extra_groups

openldap_server_inaccessible_paths

openldap_server_dit
    List of databases to create. Each entry supports the following keys:

    database
        Database backend. Defaults to mdb.
    db_directory
        Directory holding the database files.
    root_dn
        Root DN of the database. Defaults to openldap_server_default_root_dn. Set to omit to not set a root DN, even if openldap_server_default_root_dn is set.
    root_password
        Root password of the database. Defaults to openldap_server_default_root_password.
    ppolicy_dn
        DN of the default password policy. Defaults to cn=default,ou=policies. Not used if openldap_server_ppolicy is false.
    samba_sid
        Used to generate sambaSID attributes for entries that need one but do not have it in their attributes.
    indices
        Attributes to index, with the index types, e.g. cn: [eq, sub].
    acls
        List of access control directives for the database.
    db_max_size
        Maximum size of the database, e.g. 1 GB for 1 GiB. 100 MB is the default.
    db_checkpoint_bytes
        Write a checkpoint after this many bytes. Defaults to 0.
    db_checkpoint_time
        Write a checkpoint after this much time. Defaults to 0.
    data
        Tree of entries to create. Each entry has a dn, an objectClass and an attributes dictionary; the attributes listed in dn need to be present in this dictionary. Sub-entries are given in children, each of which is another data element.

The following shows a working example configuration:
openldap_server_schema:
  - core
  - cosine
  - rfc2307bis
openldap_server_overlays:
  - memberof
  - ppolicy
openldap_server_overlay_config:
  memberof:
    olcMemberOfGroupOC: 'groupOfMembers'
    olcMemberOfMemberAd: 'member'
    olcMemberOfMemberOfAd: 'memberOf'
openldap_server_sync_samba: true
openldap_server_default_root_dn: 'cn=admin'
openldap_server_dit:
  - indices:
      cn: eq
      objectClass: eq
    acls:
      # PAM
      - 'to dn.one="ou=people,o=example organization" attrs=@posixAccount by group/groupOfMembers/member.exact="cn=posix,ou=groups,o=example organization" read by * break'
      - 'to dn.one="ou=groups,o=example organization" attrs=@posixGroup,@groupOfMembers by group/groupOfMembers/member.exact="cn=posix,ou=groups,o=example organization" read by * break'
      # Samba
      - 'to dn.one="ou=people,o=example organization" attrs=@sambaSamAccount,@posixAccount by group/groupOfMembers/member.exact="cn=samba,ou=groups,o=example organization" read by * break'
      - 'to dn.one="ou=groups,o=example organization" attrs=cn,@sambaGroupMapping by group/groupOfMembers/member.exact="cn=samba,ou=groups,o=example organization" read by * break'
      - 'to dn.exact="sambaDomainName=example domain,o=example organization" attrs=@sambaDomain by group/groupOfMembers/member.exact="cn=samba,ou=groups,o=example organization" read by * break'
    data:
      dn: ['o'] # o=example organization
      objectClass: 'organization'
      attributes:
        o: 'example organization'
      children:
        - dn: ['ou'] # ou=people,o=example organization
          objectClass: 'organizationalUnit'
          attributes:
            ou: 'people'
          children:
            - dn: ['cn'] # cn=example user,ou=people,o=example organization
              objectClass:
                - 'account'
                - 'posixAccount'
                - 'sambaSamAccount'
              attributes:
                cn: 'example user'
                uid: 'example'
                uidNumber: 1000
                gidNumber: 513
                homeDirectory: '/home/example'
                userPassword: 'very secret'
        - dn: ['ou'] # ou=groups,o=example organization
          objectClass: 'organizationalUnit'
          attributes:
            ou: 'groups'
          children:
            - dn: ['cn'] # cn=posix,ou=groups,o=example organization
              objectClass: 'groupOfMembers'
              attributes:
                cn: 'posix'
                description: 'Systems that can access POSIX accounts in LDAP'
            - dn: ['cn'] # cn=samba,ou=groups,o=example organization
              objectClass: 'groupOfMembers'
              attributes:
                cn: 'samba'
                description: 'Systems that can access Samba accounts in LDAP'
            - dn: ['cn'] # cn=Domain Users,ou=groups,o=example organization
              objectClass:
                - 'groupOfMembers'
                - 'posixGroup'
                - 'sambaGroupMapping'
              attributes:
                cn: 'Domain Users'
                sambaSID: '513'
                sambaGroupType: 2
                gidNumber: 513
                description: 'Netbios Domain Users'
                member: 'cn=example user,ou=people,o=example organization'
            - dn: ['cn'] # cn=Users,ou=groups,o=example organization
              objectClass:
                - 'groupOfMembers'
                - 'posixGroup'
                - 'sambaGroupMapping'
              attributes:
                cn: 'Users'
                sambaSID: 'S-1-5-32-545'
                sambaGroupType: 4
                gidNumber: 545
                description: 'Users'
        - dn: ['ou'] # ou=policies,o=example organization
          objectClass: 'organizationalUnit'
          attributes:
            ou: 'policies'
          children:
            - dn: ['cn'] # cn=default,ou=policies,o=example organization
              objectClass:
                - 'device'
                - 'pwdPolicy'
              attributes:
                cn: 'default'
                description: 'default password policy'
                pwdAttribute: 'userPassword'
                pwdCheckQuality: '1'
                pwdMinLength: '8'
                pwdLockout: 'TRUE'
                pwdLockoutDuration: '600'
                pwdMaxFailure: '5'
                pwdFailureCountInterval: '3600'
                pwdMustChange: 'TRUE'
        - dn: ['sambaDomainName'] # sambaDomainName=example domain,o=example organization
          objectClass: 'sambaDomain'
          attributes:
            sambaDomainName: 'example domain'
            sambaPwdHistoryLength: 0
            sambaMinPwdAge: 0
            sambaMaxPwdAge: -1
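To see what the data tree above turns into, the following added example (not the role's code) resolves a tree of the same shape into DNs and an LDIF add stream, applying the rule the page states: the dn list names attributes taken from attributes, and children hang under their parent's DN. It additionally escapes RDN values per RFC 4514 and base64-encodes LDIF values that are not SAFE-STRINGs per RFC 2849; whether the role escapes in exactly the same way is an assumption, and the sample tree is a constructed, cut-down copy of the one above with one extra user whose cn contains a comma. That user is the security-relevant case: without escaping, a cn like "Doe, Jane" would silently produce a different DN, and ACLs written against dn.one="ou=people,..." would not apply where expected.

```python
import base64

# Added example, not the role's code: resolve a `data` tree into DNs and LDIF.


def escape_rdn_value(value) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    s = ''.join('\\00' if ch == '\x00' else ('\\' + ch if ch in '\\,+"<>;=' else ch)
                for ch in str(value))
    if s.startswith((' ', '#')):          # leading space or '#' must be escaped
        s = '\\' + s
    if s.endswith(' ') and not s.endswith('\\ '):
        s = s[:-1] + '\\ '                # so must a trailing space
    return s


def build_dn(entry, parent_dn=None) -> str:
    """DN of one entry: RDN from the attributes named in entry['dn'], then the parent DN."""
    attrs = entry['attributes']
    names = entry['dn'] if isinstance(entry['dn'], list) else [entry['dn']]
    parts = []
    for name in names:
        if name not in attrs:             # the README's rule: dn attributes must exist
            raise KeyError(f"attribute {name!r} is named in dn but missing from attributes")
        parts.append(f"{name}={escape_rdn_value(attrs[name])}")
    rdn = '+'.join(parts)                 # several names give a multi-valued RDN
    return rdn if parent_dn is None else f"{rdn},{parent_dn}"


def flatten(entry, parent_dn=None):
    """(dn, entry) pairs in add order: every parent precedes its children."""
    dn = build_dn(entry, parent_dn)
    out = [(dn, entry)]
    for child in entry.get('children', []):
        out.extend(flatten(child, dn))
    return out


def ldif_line(attr: str, value) -> str:
    """'attr: value', or 'attr:: base64' when the value is not an LDIF SAFE-STRING."""
    s = str(value)
    safe = s.isascii() and not s.startswith((' ', ':', '<')) and not any(c in s for c in '\x00\r\n')
    if safe:
        return f"{attr}: {s}"
    return f"{attr}:: {base64.b64encode(s.encode('utf-8')).decode('ascii')}"


def to_ldif(tree) -> str:
    records = []
    for dn, entry in flatten(tree):
        lines = [ldif_line('dn', dn)]
        ocs = entry['objectClass'] if isinstance(entry['objectClass'], list) else [entry['objectClass']]
        lines += [ldif_line('objectClass', oc) for oc in ocs]
        for attr, val in entry['attributes'].items():
            for v in (val if isinstance(val, list) else [val]):
                lines.append(ldif_line(attr, v))
        records.append('\n'.join(lines))
    return '\n\n'.join(records) + '\n'


# Constructed sample: a cut-down copy of the README's tree plus one user whose
# cn contains a comma and a description with a leading space.
SAMPLE = {
    'dn': ['o'], 'objectClass': 'organization',
    'attributes': {'o': 'example organization'},
    'children': [{
        'dn': ['ou'], 'objectClass': 'organizationalUnit',
        'attributes': {'ou': 'people'},
        'children': [
            {'dn': ['cn'], 'objectClass': ['account', 'posixAccount'],
             'attributes': {'cn': 'example user', 'uid': 'example', 'uidNumber': 1000,
                            'gidNumber': 513, 'homeDirectory': '/home/example',
                            'userPassword': 'very secret'}},
            {'dn': ['cn'], 'objectClass': ['account', 'posixAccount'],
             'attributes': {'cn': 'Doe, Jane', 'uid': 'jdoe', 'uidNumber': 1001,
                            'gidNumber': 513, 'homeDirectory': '/home/jdoe',
                            'description': ' leading space forces base64'}},
        ],
    }],
}


def sample_dns():
    return [dn for dn, _ in flatten(SAMPLE)]


if __name__ == '__main__':
    print(to_ldif(SAMPLE))
```

Running the block prints an LDIF stream in which the second user's DN appears as cn=Doe\, Jane,ou=people,o=example organization and its description as a base64 value; ldapadd accepts both, and an ldapsearch with the example ACLs then finds both users under ou=people.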
While LDAP is mostly case insensitive, YAML is not.
This leads to issues when attributes or object classes are not cased as expected.
It is recommended to always use the exact same camelCase spelling as used in the schema definition files.
License: MIT, except for the following files:
  samba.ldif is part of the Samba distribution and licensed under the GNU GPL 3.0.
  krb5-kdc.ldif is a conversion of krb5-kdc.schema, which is part of the Heimdal project and licensed under the 3-clause BSD license.