Merge pull request #14 from cloudscale-ch/denis/bookworm-slapd
Add support for slapd on bookworm
href authored Jan 25, 2024
2 parents ce5148d + ea5404c commit 155663c
Showing 18 changed files with 831 additions and 169 deletions.
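--- a/ansible/plugins/lookup/file_src.py
+++ b/ansible/plugins/lookup/file_src.py
@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
-config = project_dir.config.get(['views', 'system'])
+if project_dir.config.get(['project', 'type']) == 'modern':
+config = project_dir.config.get([])
+else:
+config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
@@ -151,7 +154,10 @@ def run(self, terms, variables=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
-config = project_dir.config.get(['views', 'system'])
+if project_dir.config.get(['project', 'type']) == 'modern':
+config = project_dir.config.get([])
+else:
+config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)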
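Review bot: The new if/else that replaces the single `config = project_dir.config.get(['views', 'system'])` lookup carries no comment saying why a project whose `['project', 'type']` is `'modern'` reads its settings from the root of the config tree (`config.get([])`) while every other project reads `views.system`, so a reader cannot tell whether the two lookups yield the same shape for the code that follows. A one-line comment above the branch such as `# 'modern' projects keep the lookup settings at the root of the config tree; legacy projects keep them under views.system (TODO confirm against debops.projectdir)` would make the intent explicit. The same four lines are repeated in both hunks of this file and again in task_src.py, template_src.py and the three copies under ansible/roles/ansible_plugins/lookup_plugins/, twelve copies in all, so a small helper (for example a property on `ProjectDir` that resolves the view) would keep them from drifting apart. The enclosing `run` method begins above the hunk in each case.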
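--- a/ansible/plugins/lookup/task_src.py
+++ b/ansible/plugins/lookup/task_src.py
@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
-config = project_dir.config.get(['views', 'system'])
+if project_dir.config.get(['project', 'type']) == 'modern':
+config = project_dir.config.get([])
+else:
+config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
@@ -151,7 +154,10 @@ def run(self, terms, variables=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
-config = project_dir.config.get(['views', 'system'])
+if project_dir.config.get(['project', 'type']) == 'modern':
+config = project_dir.config.get([])
+else:
+config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)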
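--- a/ansible/plugins/lookup/template_src.py
+++ b/ansible/plugins/lookup/template_src.py
@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
-config = project_dir.config.get(['views', 'system'])
+if project_dir.config.get(['project', 'type']) == 'modern':
+config = project_dir.config.get([])
+else:
+config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
@@ -152,7 +155,10 @@ def run(self, terms, variables=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
-config = project_dir.config.get(['views', 'system'])
+if project_dir.config.get(['project', 'type']) == 'modern':
+config = project_dir.config.get([])
+else:
+config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)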
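--- a/ansible/roles/ansible_plugins/lookup_plugins/file_src.py
+++ b/ansible/roles/ansible_plugins/lookup_plugins/file_src.py
@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
-config = project_dir.config.get(['views', 'system'])
+if project_dir.config.get(['project', 'type']) == 'modern':
+config = project_dir.config.get([])
+else:
+config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
@@ -151,7 +154,10 @@ def run(self, terms, variables=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
-config = project_dir.config.get(['views', 'system'])
+if project_dir.config.get(['project', 'type']) == 'modern':
+config = project_dir.config.get([])
+else:
+config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)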
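--- a/ansible/roles/ansible_plugins/lookup_plugins/task_src.py
+++ b/ansible/roles/ansible_plugins/lookup_plugins/task_src.py
@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
-config = project_dir.config.get(['views', 'system'])
+if project_dir.config.get(['project', 'type']) == 'modern':
+config = project_dir.config.get([])
+else:
+config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
@@ -151,7 +154,10 @@ def run(self, terms, variables=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
-config = project_dir.config.get(['views', 'system'])
+if project_dir.config.get(['project', 'type']) == 'modern':
+config = project_dir.config.get([])
+else:
+config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)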
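--- a/ansible/roles/ansible_plugins/lookup_plugins/template_src.py
+++ b/ansible/roles/ansible_plugins/lookup_plugins/template_src.py
@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
-config = project_dir.config.get(['views', 'system'])
+if project_dir.config.get(['project', 'type']) == 'modern':
+config = project_dir.config.get([])
+else:
+config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
@@ -152,7 +155,10 @@ def run(self, terms, variables=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
-config = project_dir.config.get(['views', 'system'])
+if project_dir.config.get(['project', 'type']) == 'modern':
+config = project_dir.config.get([])
+else:
+config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)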
79 changes: 50 additions & 29 deletions ansible/roles/slapd/defaults/main.yml
Expand Up @@ -2,7 +2,8 @@
# .. vim: foldmarker=[[[,]]]:foldmethod=marker

# .. Copyright (C) 2016-2020 Maciej Delmanowski <[email protected]>
# .. Copyright (C) 2016-2020 DebOps <https://debops.org/>
# .. Copyright (C) 2023 David Härdeman <[email protected]>
# .. Copyright (C) 2016-2023 DebOps <https://debops.org/>
# .. SPDX-License-Identifier: GPL-3.0-only

# .. _slapd__ref_defaults:
Expand Down Expand Up @@ -63,11 +64,14 @@ slapd__default_schemas:
- '{{ slapd__debops_schema_path + "/orgstructure.schema" }}'

# Password Policy schema, included in the 'slapd' APT package
- '/etc/ldap/schema/ppolicy.schema'
# This schema is built-in since OpenLDAP 2.5.x
- '{{ "/etc/ldap/schema/ppolicy.schema"
if ansible_distribution_release in ["buster", "bullseye", "focal"]
else [] }}'

# Support for 'host' and 'authorizedService' attributes, useful for granular
# access control to services and machines
- '/etc/ldap/schema/fusiondirectory/ldapns.schema'
- '{{ slapd__debops_schema_path + "/ldapns.schema" }}'

# Custom schema which defines a 'groupOfEntries' LDAP object which can create
# empty groups
Expand All @@ -77,7 +81,7 @@ slapd__default_schemas:
- '{{ slapd__debops_schema_path + "/openssh-lpk.schema" }}'

# Support for 'sudo' rules in LDAP directory
- '/etc/ldap/schema/fusiondirectory/sudo.schema'
- '{{ slapd__debops_schema_path + "/sudo.schema" }}'

# Support for 'eduPerson' and 'eduOrg' schema, included in DebOps
- '{{ slapd__debops_schema_path + "/eduperson.schema" }}'
Expand Down Expand Up @@ -151,32 +155,26 @@ slapd__combined_schemas: '{{ slapd__default_schemas
# .. envvar:: slapd__base_packages [[[
#
# List of required APT packages for OpenLDAP service.
slapd__base_packages: [ 'slapd', 'ldap-utils', 'ssl-cert', 'libldap-common' ]

# ]]]
# .. envvar:: slapd__rfc2307bis_packages [[[
#
# List of APT packages to install in preparation to use ``rfc2307bis`` schema
# instead of the ``nis`` schema.
slapd__rfc2307bis_packages: [ 'fusiondirectory-schema' ]
slapd__base_packages:
- 'slapd'
- 'ldap-utils'
- 'ssl-cert'
- 'libldap-common'
- 'schema2ldif'

# ]]]
# .. envvar:: slapd__schema_packages [[[
#
# List of APT packages that contain LDAP schemas loaded into the directory by
# the server. Debian has multiple ``fusiondirectory-*-schema`` and
# ``gosa-*-schema`` packages that conflict with each other, therefore the list
# of packages should be synchronized.
slapd__schema_packages:

# Support for 'sudo' rules in LDAP
- 'fusiondirectory-plugin-sudo-schema'
# List of APT packages that contain LDAP schemas to be loaded into the
# directory by the server.
slapd__schema_packages: []

# ]]]
# .. envvar:: slapd__packages [[[
#
# List of additional APT packages to install with OpenLDAP service.
slapd__packages: []

# ]]]
# ]]]
# OpenLDAP UNIX environment [[[
Expand Down Expand Up @@ -539,7 +537,11 @@ slapd__default_tasks:

- name: 'Enable AutoGroup overlay in the main database'
dn: 'olcOverlay={10}autogroup,olcDatabase={1}mdb,cn=config'
objectClass: [ 'olcOverlayConfig', 'olcAutomaticGroups' ]
objectClass:
- 'olcOverlayConfig'
- '{{ "olcAutomaticGroups"
if ansible_distribution_release in ["buster", "bullseye", "focal"]
else "olcAutoGroupConfig" }}'
attributes:
olcOverlay: '{10}autogroup'

Expand Down Expand Up @@ -648,13 +650,25 @@ slapd__default_tasks:
- 'mailAlternateAddress set "this/mailAlternateAddress & this/mail"'
state: 'exact'

- name: 'Configure AutoGroup overlay in the main database'
- name: 'Configure AutoGroup overlay in the main database (old naming)'
dn: 'olcOverlay={10}autogroup,olcDatabase={1}mdb,cn=config'
attributes:
olcAGattrSet:
- '{0}groupOfURLs memberURL member'
olcAGmemberOfAd: 'memberOf'
state: 'exact'
state: '{{ "exact"
if ansible_distribution_release in ["buster", "bullseye", "focal"]
else "ignore" }}'

- name: 'Configure AutoGroup overlay in the main database'
dn: 'olcOverlay={10}autogroup,olcDatabase={1}mdb,cn=config'
attributes:
olcAutoGroupAttrSet:
- '{0}groupOfURLs memberURL member'
olcAutoGroupMemberOfAd: 'memberOf'
state: '{{ "exact"
if ansible_distribution_release not in ["buster", "bullseye", "focal"]
else "ignore" }}'

- name: 'Configure LastBind overlay in the main database'
dn: 'olcOverlay={11}lastbind,olcDatabase={1}mdb,cn=config'
Expand Down Expand Up @@ -1079,7 +1093,6 @@ slapd__structure_tasks:
objectClass: 'organizationalRole'
attributes:
cn: 'Hidden Object Viewer'
memberOf: '{{ ([ "cn=Hidden Objects", "ou=Groups" ] + slapd__base_dn) | join(",") }}'
description: 'LDAP objects which can see hidden objects'

- name: 'Create cn=Hidden Objects group'
Expand All @@ -1088,11 +1101,15 @@ slapd__structure_tasks:
attributes:
cn: 'Hidden Objects'
member:
- '{{ ([ "cn=Hidden Objects", "ou=Groups" ] + slapd__base_dn) | join(",") }}'
- '{{ ([ "cn=Hidden Object Viewer", "ou=Roles" ] + slapd__base_dn) | join(",") }}'
memberOf: '{{ ([ "cn=Hidden Objects", "ou=Groups" ] + slapd__base_dn) | join(",") }}'
- '{{ (["cn=Hidden Object Viewer", "ou=Roles"] + slapd__base_dn) | join(",") }}'
description: 'LDAP objects which are accessible only by privileged accounts'

- name: 'Add cn=Hidden Objects group to itself'
dn: '{{ ["cn=Hidden Objects", "ou=Groups"] + slapd__base_dn }}'
attributes:
member:
- '{{ (["cn=Hidden Objects", "ou=Groups"] + slapd__base_dn) | join(",") }}'

- name: 'Create cn=UNIX SSH users group'
dn: '{{ [ "cn=UNIX SSH users", "ou=Groups" ] + slapd__base_dn }}'
objectClass: [ 'groupOfEntries', 'posixGroup', 'posixGroupId',
Expand Down Expand Up @@ -1183,6 +1200,7 @@ slapd__combined_tasks: '{{ slapd__default_tasks
+ slapd__tasks
+ slapd__group_tasks
+ slapd__host_tasks }}'

# ]]]
# ]]]
# Backup snapshots [[[
Expand Down Expand Up @@ -1236,8 +1254,8 @@ slapd__ports:
# Plaintext and StartTLS connections on port 389/tcp
- 'ldap'

# Encrypted SSL connections on port 636/tcp (deprecated)
- '{{ "ldaps" if slapd__pki|bool else [] }}'
# Encrypted SSL connections on port 636/tcp
- '{{ "ldaps" if slapd__pki | bool else [] }}'

# ]]]
# .. envvar:: slapd__accept_any [[[
Expand Down Expand Up @@ -1292,6 +1310,7 @@ slapd__group_allow: []
# List of IP addresses or CIDR subnets which should have access to the OpenLDAP
# server, defined on specific hosts in the Ansible inventory.
slapd__host_allow: []

# ]]]
# ]]]
# LDAP Access Control List tests [[[
Expand Down Expand Up @@ -1596,6 +1615,7 @@ slapd__slapacl_combined_tests: '{{ slapd__slapacl_default_tests
+ slapd__slapacl_tests
+ slapd__slapacl_group_tests
+ slapd__slapacl_host_tests }}'

# ]]]
# ]]]
# Configuration variables for other Ansible roles [[[
Expand Down Expand Up @@ -1711,5 +1731,6 @@ slapd__saslauthd__dependent_instances:
socket_path: '/var/lib/slapd/saslauthd'
socket_group: '{{ slapd__group }}'
ldap_profile: 'slapd'

# ]]]
# ]]]
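--- a/ansible/roles/slapd/files/etc/ldap/schema/debops/ldapns.schema
+++ b/ansible/roles/slapd/files/etc/ldap/schema/debops/ldapns.schema
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: GPL-2+
+#
+# Copied from Debian package: fusiondirectory-schema
+# Also available from: https://github.com/fusiondirectory/fusiondirectory/blob/fusiondirectory-1.0.19-security-debian/contrib/openldap/ldapns.schema
+# With the license here: https://github.com/fusiondirectory/fusiondirectory/blob/fusiondirectory-1.0.19-security-debian/COPYING
+
+
+# $Id: ldapns.schema,v 1.3 2003/05/29 12:57:29 lukeh Exp $
+
+# LDAP Name Service Additional Schema
+
+# http://www.iana.org/assignments/gssapi-service-names
+
+attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
+DESC 'IANA GSS-API authorized service name'
+EQUALITY caseIgnoreMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
+DESC 'Auxiliary object class for adding authorizedService attribute'
+SUP top
+AUXILIARY
+MAY authorizedService )
+
+objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
+DESC 'Auxiliary object class for adding host attribute'
+SUP top
+AUXILIARY
+MAY host )
+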