diff --git a/ansible/plugins/lookup/file_src.py b/ansible/plugins/lookup/file_src.py
index cc5eacfab5..3fdd3413fc 100644
--- a/ansible/plugins/lookup/file_src.py
+++ b/ansible/plugins/lookup/file_src.py
@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
- config = project_dir.config.get(['views', 'system'])
+ if project_dir.config.get(['project', 'type']) == 'modern':
+ config = project_dir.config.get([])
+ else:
+ config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
@@ -151,7 +154,10 @@ def run(self, terms, variables=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
- config = project_dir.config.get(['views', 'system'])
+ if project_dir.config.get(['project', 'type']) == 'modern':
+ config = project_dir.config.get([])
+ else:
+ config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
diff --git a/ansible/plugins/lookup/task_src.py b/ansible/plugins/lookup/task_src.py
index 82ee6ecf7e..394219d0b6 100644
--- a/ansible/plugins/lookup/task_src.py
+++ b/ansible/plugins/lookup/task_src.py
@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
- config = project_dir.config.get(['views', 'system'])
+ if project_dir.config.get(['project', 'type']) == 'modern':
+ config = project_dir.config.get([])
+ else:
+ config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
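Review bot: The four-line layout switch added after `project_root = project_dir.path` is pasted verbatim into twelve hunks (both `run` variants of file_src.py, task_src.py and template_src.py under ansible/plugins/lookup/ and again under ansible/roles/ansible_plugins/lookup_plugins/), so the next change to how a project's type is detected has to be repeated twelve times and one missed copy will silently fall back to the legacy `views.system` subtree. The comparison `project_dir.config.get(['project', 'type']) == 'modern'` also hard-codes the type string in every plugin rather than in the project-directory code that defines it. I would move the decision into the ProjectDir object itself — for example a property on debops.projectdir.ProjectDir (name to be chosen there) that returns the right configuration subtree — and reduce each hunk to a single `config = project_dir.<that property>` line. Both `run` methods start and end outside the hunk, so I cannot see how `config` is consumed below.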
@@ -151,7 +154,10 @@ def run(self, terms, variables=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
- config = project_dir.config.get(['views', 'system'])
+ if project_dir.config.get(['project', 'type']) == 'modern':
+ config = project_dir.config.get([])
+ else:
+ config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
diff --git a/ansible/plugins/lookup/template_src.py b/ansible/plugins/lookup/template_src.py
index 1f9bc20065..daf6cd8abd 100644
--- a/ansible/plugins/lookup/template_src.py
+++ b/ansible/plugins/lookup/template_src.py
@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
- config = project_dir.config.get(['views', 'system'])
+ if project_dir.config.get(['project', 'type']) == 'modern':
+ config = project_dir.config.get([])
+ else:
+ config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
@@ -152,7 +155,10 @@ def run(self, terms, variables=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
- config = project_dir.config.get(['views', 'system'])
+ if project_dir.config.get(['project', 'type']) == 'modern':
+ config = project_dir.config.get([])
+ else:
+ config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
diff --git a/ansible/roles/ansible_plugins/lookup_plugins/file_src.py b/ansible/roles/ansible_plugins/lookup_plugins/file_src.py
index cc5eacfab5..3fdd3413fc 100644
--- a/ansible/roles/ansible_plugins/lookup_plugins/file_src.py
+++ b/ansible/roles/ansible_plugins/lookup_plugins/file_src.py
@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
- config = project_dir.config.get(['views', 'system'])
+ if project_dir.config.get(['project', 'type']) == 'modern':
+ config = project_dir.config.get([])
+ else:
+ config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
@@ -151,7 +154,10 @@ def run(self, terms, variables=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
- config = project_dir.config.get(['views', 'system'])
+ if project_dir.config.get(['project', 'type']) == 'modern':
+ config = project_dir.config.get([])
+ else:
+ config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
diff --git a/ansible/roles/ansible_plugins/lookup_plugins/task_src.py b/ansible/roles/ansible_plugins/lookup_plugins/task_src.py
index 82ee6ecf7e..394219d0b6 100644
--- a/ansible/roles/ansible_plugins/lookup_plugins/task_src.py
+++ b/ansible/roles/ansible_plugins/lookup_plugins/task_src.py
@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
- config = project_dir.config.get(['views', 'system'])
+ if project_dir.config.get(['project', 'type']) == 'modern':
+ config = project_dir.config.get([])
+ else:
+ config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
@@ -151,7 +154,10 @@ def run(self, terms, variables=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
- config = project_dir.config.get(['views', 'system'])
+ if project_dir.config.get(['project', 'type']) == 'modern':
+ config = project_dir.config.get([])
+ else:
+ config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
diff --git a/ansible/roles/ansible_plugins/lookup_plugins/template_src.py b/ansible/roles/ansible_plugins/lookup_plugins/template_src.py
index 1f9bc20065..daf6cd8abd 100644
--- a/ansible/roles/ansible_plugins/lookup_plugins/template_src.py
+++ b/ansible/roles/ansible_plugins/lookup_plugins/template_src.py
@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
- config = project_dir.config.get(['views', 'system'])
+ if project_dir.config.get(['project', 'type']) == 'modern':
+ config = project_dir.config.get([])
+ else:
+ config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
@@ -152,7 +155,10 @@ def run(self, terms, variables=None, **kwargs):
 project_dir = debops.projectdir.ProjectDir(
 config=project_config)
 project_root = project_dir.path
- config = project_dir.config.get(['views', 'system'])
+ if project_dir.config.get(['project', 'type']) == 'modern':
+ config = project_dir.config.get([])
+ else:
+ config = project_dir.config.get(['views', 'system'])
 except NameError:
 try:
 project_root = find_debops_project(required=False)
diff --git a/ansible/roles/slapd/defaults/main.yml b/ansible/roles/slapd/defaults/main.yml
index 778399cebe..4d75b85b64 100644
--- a/ansible/roles/slapd/defaults/main.yml
+++ b/ansible/roles/slapd/defaults/main.yml
@@ -2,7 +2,8 @@ # .. vim: foldmarker=[[[,]]]:foldmethod=marker # .. Copyright (C) 2016-2020 Maciej Delmanowski -# .. Copyright (C) 2016-2020 DebOps +# .. Copyright (C) 2023 David Härdeman +# .. Copyright (C) 2016-2023 DebOps # .. SPDX-License-Identifier: GPL-3.0-only # .. _slapd__ref_defaults: @@ -63,11 +64,14 @@ slapd__default_schemas: - '{{ slapd__debops_schema_path + "/orgstructure.schema" }}' # Password Policy schema, included in the 'slapd' APT package - - '/etc/ldap/schema/ppolicy.schema' + # This schema is built-in since OpenLDAP 2.5.x + - '{{ "/etc/ldap/schema/ppolicy.schema" + if ansible_distribution_release in ["buster", "bullseye", "focal"] + else [] }}' # Support for 'host' and 'authorizedService' attributes, useful for granular # access control to services and machines - - '/etc/ldap/schema/fusiondirectory/ldapns.schema' + - '{{ slapd__debops_schema_path + "/ldapns.schema" }}' # Custom schema which defines a 'groupOfEntries' LDAP object which can create # empty groups @@ -77,7 +81,7 @@ slapd__default_schemas: - '{{ slapd__debops_schema_path + "/openssh-lpk.schema" }}' # Support for 'sudo' rules in LDAP directory - - '/etc/ldap/schema/fusiondirectory/sudo.schema' + - '{{ slapd__debops_schema_path + "/sudo.schema" }}' # Support for 'eduPerson' and 'eduOrg' schema, included in DebOps - '{{ slapd__debops_schema_path + "/eduperson.schema" }}' 
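Review bot: The literal release list `["buster", "bullseye", "focal"]` that decides whether `ppolicy.schema` is loaded is repeated in the AutoGroup `objectClass` hunk (`@@ -539`) and twice more, once in the inverted `not in` form, in the AutoGroup configuration hunk (`@@ -648`), so a future edit has to be made in four places or the schema and overlay tasks will silently disagree. The condition is really "OpenLDAP older than 2.5", as the new comment states, so I would evaluate it once in a dedicated boolean — a constructed example: `slapd__legacy_openldap: '{{ ansible_distribution_release in ["buster", "bullseye", "focal"] }}'` — and reference it from all four places. Note that any release not in the list (an older Ubuntu, or a derivative reporting a different `ansible_distribution_release`) is treated as 2.5+, so `ppolicy.schema` would not be loaded there and the password-policy overlay tasks would presumably fail to apply; that assumption deserves a sentence in the comment. The `else []` branch also relies on whatever consumes `slapd__combined_schemas` dropping empty list entries, which is the same idiom `slapd__ports` already uses, so it is at least consistent.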
@@ -151,32 +155,26 @@ slapd__combined_schemas: '{{ slapd__default_schemas # .. envvar:: slapd__base_packages [[[ # # List of required APT packages for OpenLDAP service. -slapd__base_packages: [ 'slapd', 'ldap-utils', 'ssl-cert', 'libldap-common' ] - - # ]]] -# .. envvar:: slapd__rfc2307bis_packages [[[ -# -# List of APT packages to install in preparation to use ``rfc2307bis`` schema -# instead of the ``nis`` schema. -slapd__rfc2307bis_packages: [ 'fusiondirectory-schema' ] +slapd__base_packages: + - 'slapd' + - 'ldap-utils' + - 'ssl-cert' + - 'libldap-common' + - 'schema2ldif' # ]]] # .. envvar:: slapd__schema_packages [[[ # -# List of APT packages that contain LDAP schemas loaded into the directory by -# the server. Debian has multiple ``fusiondirectory-*-schema`` and -# ``gosa-*-schema`` packages that conflict with each other, therefore the list -# of packages should be synchronized. -slapd__schema_packages: - - # Support for 'sudo' rules in LDAP - - 'fusiondirectory-plugin-sudo-schema' +# List of APT packages that contain LDAP schemas to be loaded into the +# directory by the server. +slapd__schema_packages: [] # ]]] # .. envvar:: slapd__packages [[[ # # List of additional APT packages to install with OpenLDAP service. slapd__packages: [] + # ]]] # ]]] # OpenLDAP UNIX environment [[[ @@ -539,7 +537,11 @@ slapd__default_tasks: - name: 'Enable AutoGroup overlay in the main database' dn: 'olcOverlay={10}autogroup,olcDatabase={1}mdb,cn=config' - objectClass: [ 'olcOverlayConfig', 'olcAutomaticGroups' ] + objectClass: + - 'olcOverlayConfig' + - '{{ "olcAutomaticGroups" + if ansible_distribution_release in ["buster", "bullseye", "focal"] + else "olcAutoGroupConfig" }}' attributes: olcOverlay: '{10}autogroup' 
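Review bot: The package hunk deletes the documented `slapd__rfc2307bis_packages` variable and empties `slapd__schema_packages`, but keeps no compatibility definition, so an inventory or playbook that still references `slapd__rfc2307bis_packages` will now fail with an undefined-variable error rather than degrade. If dropping the fusiondirectory packages is intended, I would keep `slapd__rfc2307bis_packages: []` for one release with a `# Deprecated: schemas are now shipped with the role.` comment, or at least call the removal out in the changelog. Hosts deployed with the previous defaults also keep the `fusiondirectory-*-schema` packages installed and the schema entries already loaded from `/etc/ldap/schema/fusiondirectory/`; whether loading the same schema again from `slapd__debops_schema_path` on such a host conflicts in `cn=config` is not visible in this diff and is worth covering in the upgrade notes.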
@@ -648,13 +650,25 @@ slapd__default_tasks: - 'mailAlternateAddress set "this/mailAlternateAddress & this/mail"' state: 'exact' - - name: 'Configure AutoGroup overlay in the main database' + - name: 'Configure AutoGroup overlay in the main database (old naming)' dn: 'olcOverlay={10}autogroup,olcDatabase={1}mdb,cn=config' attributes: olcAGattrSet: - '{0}groupOfURLs memberURL member' olcAGmemberOfAd: 'memberOf' - state: 'exact' + state: '{{ "exact" + if ansible_distribution_release in ["buster", "bullseye", "focal"] + else "ignore" }}' + + - name: 'Configure AutoGroup overlay in the main database' + dn: 'olcOverlay={10}autogroup,olcDatabase={1}mdb,cn=config' + attributes: + olcAutoGroupAttrSet: + - '{0}groupOfURLs memberURL member' + olcAutoGroupMemberOfAd: 'memberOf' + state: '{{ "exact" + if ansible_distribution_release not in ["buster", "bullseye", "focal"] + else "ignore" }}' - name: 'Configure LastBind overlay in the main database' dn: 'olcOverlay={11}lastbind,olcDatabase={1}mdb,cn=config' @@ -1079,7 +1093,6 @@ slapd__structure_tasks: objectClass: 'organizationalRole' attributes: cn: 'Hidden Object Viewer' - memberOf: '{{ ([ "cn=Hidden Objects", "ou=Groups" ] + slapd__base_dn) | join(",") }}' description: 'LDAP objects which can see hidden objects' - name: 'Create cn=Hidden Objects group' 
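Review bot: With the old-naming task now set to `ignore` outside Buster/Bullseye/Focal, nothing removes the legacy `olcAGattrSet`/`olcAGmemberOfAd` attributes on a host that was upgraded in place from one of those releases, so the overlay entry may end up carrying both naming schemes. If that is acceptable, or if the `objectClass` change in `@@ -539` makes slapd reject the old attributes anyway, a comment on the old-naming task would save the next reader the question, e.g. `# Legacy attribute names; left untouched on OpenLDAP 2.5+ so in-place upgrades are not broken`. The two tasks share the same `dn` and mirror-image conditions, which is the kind of pairing that drifts when one side is edited; the shared release-list point is noted at the schema hunk above.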
@@ -1088,11 +1101,15 @@ slapd__structure_tasks: attributes: cn: 'Hidden Objects' member: - - '{{ ([ "cn=Hidden Objects", "ou=Groups" ] + slapd__base_dn) | join(",") }}' - - '{{ ([ "cn=Hidden Object Viewer", "ou=Roles" ] + slapd__base_dn) | join(",") }}' - memberOf: '{{ ([ "cn=Hidden Objects", "ou=Groups" ] + slapd__base_dn) | join(",") }}' + - '{{ (["cn=Hidden Object Viewer", "ou=Roles"] + slapd__base_dn) | join(",") }}' description: 'LDAP objects which are accessible only by privileged accounts' + - name: 'Add cn=Hidden Objects group to itself' + dn: '{{ ["cn=Hidden Objects", "ou=Groups"] + slapd__base_dn }}' + attributes: + member: + - '{{ (["cn=Hidden Objects", "ou=Groups"] + slapd__base_dn) | join(",") }}' + - name: 'Create cn=UNIX SSH users group' dn: '{{ [ "cn=UNIX SSH users", "ou=Groups" ] + slapd__base_dn }}' objectClass: [ 'groupOfEntries', 'posixGroup', 'posixGroupId', @@ -1183,6 +1200,7 @@ slapd__combined_tasks: '{{ slapd__default_tasks + slapd__tasks + slapd__group_tasks + slapd__host_tasks }}' + # ]]] # ]]] # Backup snapshots [[[ @@ -1236,8 +1254,8 @@ slapd__ports: # Plaintext and StartTLS connections on port 389/tcp - 'ldap' - # Encrypted SSL connections on port 636/tcp (deprecated) - - '{{ "ldaps" if slapd__pki|bool else [] }}' + # Encrypted SSL connections on port 636/tcp + - '{{ "ldaps" if slapd__pki | bool else [] }}' # ]]] # .. envvar:: slapd__accept_any [[[ @@ -1292,6 +1310,7 @@ slapd__group_allow: [] # List of IP addresses or CIDR subnets which should have access to the OpenLDAP # server, defined on specific hosts in the Ansible inventory. slapd__host_allow: [] + # ]]] # ]]] # LDAP Access Control List tests [[[ @@ -1596,6 +1615,7 @@ slapd__slapacl_combined_tests: '{{ slapd__slapacl_default_tests + slapd__slapacl_tests + slapd__slapacl_group_tests + slapd__slapacl_host_tests }}' + # ]]] # ]]] # Configuration variables for other Ansible roles [[[ 
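Review bot: The new 'Add cn=Hidden Objects group to itself' task has no comment explaining why the self-membership is a separate step, and neither do the `memberOf` attributes dropped here and in the `@@ -1079` hunk above. I read it as: the entry has to exist before its own DN can appear in `member`, and `memberOf` is maintained by the memberof overlay rather than written by the client — if that is right, a comment on the task such as `# A group cannot reference itself at creation time, so the self-membership is added once the entry exists; memberOf is maintained by the memberof overlay.` would keep a later reader from folding it back into the create task. The task sets no `state`, so it presumably relies on the module default; the neighbouring create tasks do not set one either, so that is at least consistent.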
@@ -1711,5 +1731,6 @@ slapd__saslauthd__dependent_instances:
 socket_path: '/var/lib/slapd/saslauthd'
 socket_group: '{{ slapd__group }}'
 ldap_profile: 'slapd'
+
 # ]]]
 # ]]]
diff --git a/ansible/roles/slapd/files/etc/ldap/schema/debops/ldapns.schema b/ansible/roles/slapd/files/etc/ldap/schema/debops/ldapns.schema
new file mode 100644
index 0000000000..798349345e
--- /dev/null
+++ b/ansible/roles/slapd/files/etc/ldap/schema/debops/ldapns.schema
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: GPL-2+
+#
+# Copied from Debian package: fusiondirectory-schema
+# Also available from: https://github.com/fusiondirectory/fusiondirectory/blob/fusiondirectory-1.0.19-security-debian/contrib/openldap/ldapns.schema
+# With the license here: https://github.com/fusiondirectory/fusiondirectory/blob/fusiondirectory-1.0.19-security-debian/COPYING
+
+
+# $Id: ldapns.schema,v 1.3 2003/05/29 12:57:29 lukeh Exp $
+
+# LDAP Name Service Additional Schema
+
+# http://www.iana.org/assignments/gssapi-service-names
+
+attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
+ DESC 'IANA GSS-API authorized service name'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
+ DESC 'Auxiliary object class for adding authorizedService attribute'
+ SUP top
+ AUXILIARY
+ MAY authorizedService )
+
+objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
+ DESC 'Auxiliary object class for adding host attribute'
+ SUP top
+ AUXILIARY
+ MAY host )
+
diff --git a/ansible/roles/slapd/files/etc/ldap/schema/debops/rfc2307bis.ldif b/ansible/roles/slapd/files/etc/ldap/schema/debops/rfc2307bis.ldif
new file mode 100644
index 0000000000..affcc8e4fb
--- /dev/null
+++ b/ansible/roles/slapd/files/etc/ldap/schema/debops/rfc2307bis.ldif
@@ -0,0 +1,250 @@ +# SPDX-License-Identifier: GPL-2+ +# +# Copied from Debian package: fusiondirectory-schema +# Also available from: https://github.com/fusiondirectory/fusiondirectory/blob/fusiondirectory-1.0.19-security-debian/contrib/openldap/rfc2307bis.schema +# With the license here: https://github.com/fusiondirectory/fusiondirectory/blob/fusiondirectory-1.0.19-security-debian/COPYING +# Automatically converted from the .schema file + + +dn: cn=rfc2307bis,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: rfc2307bis +# builtin +# +#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' +# DESC 'An integer uniquely identifying a user in an administrative domain' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 +# SINGLE-VALUE ) +# builtin +# +#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' +# DESC 'An integer uniquely identifying a group in an +# administrative domain' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 +# SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.2 NAME 'gecos' + DESC 'The GECOS field; the common name' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' + DESC 'The absolute path to the home directory' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.4 NAME 'loginShell' + DESC 'The path to the login shell' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) 
+olcAttributeTypes: ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.12 NAME 'memberUid' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' + DESC 'Netgroup triple' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' + DESC 'Service port number' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' + DESC 'Service protocol name' + SUP name ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' + DESC 'IP protocol number' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' + DESC 'ONC RPC number' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' + DESC 'IPv4 addresses as a dotted decimal omitting leading + zeros or IPv6 addresses as defined in RFC2373' + SUP name ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' + DESC 'IP network as a dotted decimal, eg. 
192.168, + omitting leading zeros' + SUP name + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' + DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0, + omitting leading zeros' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.22 NAME 'macAddress' + DESC 'MAC address in maximal, colon separated hex + notation, eg. 00:00:92:90:ee:e2' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.23 NAME 'bootParameter' + DESC 'rpc.bootparamd parameter' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.24 NAME 'bootFile' + DESC 'Boot image name' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.26 NAME 'nisMapName' + DESC 'Name of a A generic NIS map' + SUP name ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' + DESC 'A generic NIS entry' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' + DESC 'NIS public key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' + DESC 'NIS secret key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.30 NAME 'nisDomain' + DESC 'NIS domain' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26) +olcAttributeTypes: ( 1.3.6.1.1.1.1.31 NAME 'automountMapName' + DESC 'automount Map Name' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.32 NAME 'automountKey' + DESC 'Automount Key value' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.1.1.1.33 NAME 'automountInformation' + DESC 'Automount information' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcObjectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY + DESC 'Abstraction of an account with POSIX attributes' + MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) + MAY ( userPassword $ loginShell $ gecos $ + description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY + DESC 'Additional attributes for shadow passwords' + MUST uid + MAY ( userPassword $ description $ + shadowLastChange $ shadowMin $ shadowMax $ + shadowWarning $ shadowInactive $ + shadowExpire $ shadowFlag ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY + DESC 'Abstraction of a group of accounts' + MUST gidNumber + MAY ( userPassword $ memberUid $ + description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL + DESC 'Abstraction an Internet Protocol service. + Maps an IP port and protocol (such as tcp or udp) + to one or more names; the distinguished value of + the cn attribute denotes the services canonical + name' + MUST ( cn $ ipServicePort $ ipServiceProtocol ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL + DESC 'Abstraction of an IP protocol. Maps a protocol number + to one or more names. The distinguished value of the cn + attribute denotes the protocols canonical name' + MUST ( cn $ ipProtocolNumber ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL + DESC 'Abstraction of an Open Network Computing (ONC) + [RFC1057] Remote Procedure Call (RPC) binding. + This class maps an ONC RPC number to a name. 
+ The distinguished value of the cn attribute denotes + the RPC services canonical name' + MUST ( cn $ oncRpcNumber ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY + DESC 'Abstraction of a host, an IP device. The distinguished + value of the cn attribute denotes the hosts canonical + name. Device SHOULD be used as a structural class' + MUST ( cn $ ipHostNumber ) + MAY ( userPassword $ l $ description $ manager ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL + DESC 'Abstraction of a network. The distinguished value of + the cn attribute denotes the networks canonical name' + MUST ipNetworkNumber + MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL + DESC 'Abstraction of a netgroup. May refer to other netgroups' + MUST cn + MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL + DESC 'A generic abstraction of a NIS map' + MUST nisMapName + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL + DESC 'An entry in a NIS map' + MUST ( cn $ nisMapEntry $ nisMapName ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY + DESC 'A device with a MAC address; device SHOULD be + used as a structural class' + MAY macAddress ) +olcObjectClasses: ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY + DESC 'A device with boot parameters; device SHOULD be + used as a structural class' + MAY ( bootFile $ bootParameter ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY + DESC 'An object with a public and secret key' + MUST ( cn $ nisPublicKey $ nisSecretKey ) + MAY ( uidNumber $ description ) ) +olcObjectClasses: ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY + DESC 'Associates a NIS domain with a naming context' + MUST 
nisDomain ) +olcObjectClasses: ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL + MUST ( automountMapName ) + MAY description ) +olcObjectClasses: ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL + DESC 'Automount information' + MUST ( automountKey $ automountInformation ) + MAY description ) +## namedObject is needed for groups without members +olcObjectClasses: ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top + STRUCTURAL MAY cn ) diff --git a/ansible/roles/slapd/files/etc/ldap/schema/debops/rfc2307bis.schema b/ansible/roles/slapd/files/etc/ldap/schema/debops/rfc2307bis.schema new file mode 100644 index 0000000000..1f0e6101c9 --- /dev/null +++ b/ansible/roles/slapd/files/etc/ldap/schema/debops/rfc2307bis.schema 
@@ -0,0 +1,295 @@ +# SPDX-License-Identifier: GPL-2+ +# +# Copied from Debian package: fusiondirectory-schema +# Also available from: https://github.com/fusiondirectory/fusiondirectory/blob/fusiondirectory-1.0.19-security-debian/contrib/openldap/rfc2307bis.schema +# With the license here: https://github.com/fusiondirectory/fusiondirectory/blob/fusiondirectory-1.0.19-security-debian/COPYING + + +# builtin +# +#attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' +# DESC 'An integer uniquely identifying a user in an administrative domain' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 +# SINGLE-VALUE ) + +# builtin +# +#attributetype ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' +# DESC 'An integer uniquely identifying a group in an +# administrative domain' +# EQUALITY integerMatch +# SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 +# SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.2 NAME 'gecos' + DESC 'The GECOS field; the common name' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' + DESC 'The absolute path to the home directory' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell' + DESC 'The path to the login shell' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.6 NAME 'shadowMin' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.7 NAME 'shadowMax' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 
1.3.6.1.1.1.1.9 NAME 'shadowInactive' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' + EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' + DESC 'Netgroup triple' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' + DESC 'Service port number' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' + DESC 'Service protocol name' + SUP name ) + +attributetype ( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' + DESC 'IP protocol number' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' + DESC 'ONC RPC number' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' + DESC 'IPv4 addresses as a dotted decimal omitting leading + zeros or IPv6 addresses as defined in RFC2373' + SUP name ) + +attributetype ( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' + DESC 'IP network as a dotted decimal, eg. 192.168, + omitting leading zeros' + SUP name + SINGLE-VALUE ) + +attributetype ( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' + DESC 'IP netmask as a dotted decimal, eg. 
255.255.255.0,
+ omitting leading zeros'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.22 NAME 'macAddress'
+ DESC 'MAC address in maximal, colon separated hex
+ notation, eg. 00:00:92:90:ee:e2'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.23 NAME 'bootParameter'
+ DESC 'rpc.bootparamd parameter'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.24 NAME 'bootFile'
+ DESC 'Boot image name'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.1.1.1.26 NAME 'nisMapName'
+ DESC 'Name of a A generic NIS map'
+ SUP name )
+
+attributetype ( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
+ DESC 'A generic NIS entry'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
+ DESC 'NIS public key'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
+ DESC 'NIS secret key'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.30 NAME 'nisDomain'
+ DESC 'NIS domain'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
+
+attributetype ( 1.3.6.1.1.1.1.31 NAME 'automountMapName'
+ DESC 'automount Map Name'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.32 NAME 'automountKey'
+ DESC 'Automount Key value'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+attributetype ( 1.3.6.1.1.1.1.33 NAME 'automountInformation'
+ DESC 'Automount information'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
+ DESC 'Abstraction of an account with POSIX attributes'
+ MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
+ MAY ( userPassword $ loginShell $ gecos $
+ description ) )
+
+objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
+ DESC 'Additional attributes for shadow passwords'
+ MUST uid
+ MAY ( userPassword $ description $
+ shadowLastChange $ shadowMin $ shadowMax $
+ shadowWarning $ shadowInactive $
+ shadowExpire $ shadowFlag ) )
+
+objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
+ DESC 'Abstraction of a group of accounts'
+ MUST gidNumber
+ MAY ( userPassword $ memberUid $
+ description ) )
+
+objectclass ( 1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
+ DESC 'Abstraction an Internet Protocol service.
+ Maps an IP port and protocol (such as tcp or udp)
+ to one or more names; the distinguished value of
+ the cn attribute denotes the services canonical
+ name'
+ MUST ( cn $ ipServicePort $ ipServiceProtocol )
+ MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
+ DESC 'Abstraction of an IP protocol. Maps a protocol number
+ to one or more names. The distinguished value of the cn
+ attribute denotes the protocols canonical name'
+ MUST ( cn $ ipProtocolNumber )
+ MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
+ DESC 'Abstraction of an Open Network Computing (ONC)
+ [RFC1057] Remote Procedure Call (RPC) binding.
+ This class maps an ONC RPC number to a name.
+ The distinguished value of the cn attribute denotes
+ the RPC services canonical name'
+ MUST ( cn $ oncRpcNumber )
+ MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
+ DESC 'Abstraction of a host, an IP device. The distinguished
+ value of the cn attribute denotes the hosts canonical
+ name. Device SHOULD be used as a structural class'
+ MUST ( cn $ ipHostNumber )
+ MAY ( userPassword $ l $ description $ manager ) )
+
+objectclass ( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
+ DESC 'Abstraction of a network. The distinguished value of
+ the cn attribute denotes the networks canonical name'
+ MUST ipNetworkNumber
+ MAY ( cn $ ipNetmaskNumber $ l $ description $ manager ) )
+
+objectclass ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
+ DESC 'Abstraction of a netgroup. May refer to other netgroups'
+ MUST cn
+ MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
+
+objectclass ( 1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
+ DESC 'A generic abstraction of a NIS map'
+ MUST nisMapName
+ MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
+ DESC 'An entry in a NIS map'
+ MUST ( cn $ nisMapEntry $ nisMapName )
+ MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
+ DESC 'A device with a MAC address; device SHOULD be
+ used as a structural class'
+ MAY macAddress )
+
+objectclass ( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
+ DESC 'A device with boot parameters; device SHOULD be
+ used as a structural class'
+ MAY ( bootFile $ bootParameter ) )
+
+objectclass ( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
+ DESC 'An object with a public and secret key'
+ MUST ( cn $ nisPublicKey $ nisSecretKey )
+ MAY ( uidNumber $ description ) )
+
+objectclass ( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
+ DESC 'Associates a NIS domain with a naming context'
+ MUST nisDomain )
+
+objectclass ( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
+ MUST ( automountMapName )
+ MAY description )
+
+objectclass ( 1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
+ DESC 'Automount information'
+ MUST ( automountKey $ automountInformation )
+ MAY description )
+## namedObject is needed for groups without members
+objectclass ( 1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top
+ STRUCTURAL MAY cn )
+
diff --git a/ansible/roles/slapd/files/etc/ldap/schema/debops/sudo.schema b/ansible/roles/slapd/files/etc/ldap/schema/debops/sudo.schema
new file mode 100644
index 0000000000..4382ffb2f4
--- /dev/null
+++ b/ansible/roles/slapd/files/etc/ldap/schema/debops/sudo.schema
@@ -0,0 +1,75 @@
+# SPDX-License-Identifier: GPL-2+
+#
+# Copied from Debian package: fusiondirectory-plugin-sudo-schema
+# Also available from: https://github.com/fusiondirectory/fusiondirectory-plugins/blob/fusiondirectory-1.0.19-security-debian/sudo/contrib/openldap/sudo.schema
+# With the license here: https://github.com/fusiondirectory/fusiondirectory/blob/fusiondirectory-1.0.19-security-debian/COPYING
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo (deprecated)'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $ sudoRunAsGroup $ sudoOption $ sudoOrder $ sudoNotBefore $ sudoNotAfter $ description ))
diff --git a/ansible/roles/slapd/files/script/ldap-load-schema b/ansible/roles/slapd/files/script/ldap-load-schema
index 3271e9215d..5047c31fc1 100755
--- a/ansible/roles/slapd/files/script/ldap-load-schema
+++ b/ansible/roles/slapd/files/script/ldap-load-schema
@@ -1,7 +1,8 @@
 #!/usr/bin/env bash # Copyright (C) 2015-2019 Maciej Delmanowski
-# Copyright (C) 2015-2019 DebOps
+# Copyright (C) 2023 David Härdeman
+# Copyright (C) 2015-2023 DebOps
 # SPDX-License-Identifier: GPL-3.0-only # Check if specified LDAP schema file is loaded in the local slapd cn=config
@@ -13,7 +14,7 @@ set -o nounset -o pipefail -o errexit schema_file="${1}" if [ -z "${schema_file}" ] ; then
- printf "Error: You need to specify schema file to load\\n" && exit 1
+ printf "Error: You need to specify a schema file to load\\n" && exit 1
 fi if [ ! -e "${schema_file}" ] ; then
@@ -24,36 +25,35 @@ if [ ! -r "${schema_file}" ] ; then printf "Error: %s is unreadable\\n" "${schema_file}" && exit 1 fi -# The schema file is already converted, we can deal with them directly -if [[ "${schema_file}" == *.ldif ]] ; then - - # Get the DN of the schema - schema_dn="$(grep -E '^^dn:\s' "${schema_file}")" - - # Get list of already installed schemas from local LDAP server - schema_list() { - ldapsearch -Y EXTERNAL -H ldapi:/// -LLLQ -b 'cn=schema,cn=config' dn \ - | sed -e '/^$/d' -e 's/{[0-9]\+}//' - } - - if schema_list | grep -q "${schema_dn}" ; then - - # Schema is already installed, do nothing - exit 0 - - else - - # Try installing the schema in the database - ldapadd -Y EXTERNAL -H ldapi:/// -f "${schema_file}" - - fi - # The schema is not converted to ldif, defer to a helper script -elif [[ "${schema_file}" == *.schema ]] ; then - - if type fusiondirectory-insert-schema > /dev/null ; then - fusiondirectory-insert-schema -i "${schema_file}" +if [[ "${schema_file}" == *.schema ]] ; then + if type schema2ldif > /dev/null ; then + ldif_schema_file="${schema_file%.*}.ldif" + schema2ldif "${schema_file}" > "${ldif_schema_file}" + schema_file="${ldif_schema_file}" else printf "Error: %s needs to be in the .ldif format\\n" "${schema_file}" && exit 1 fi fi + +# From here on, only .ldif is supported +if [[ "${schema_file}" != *.ldif ]] ; then + printf "Error: %s is in an unsupported format\\n" "${schema_file}" && exit 1 +fi + +# Get the DN of the schema +schema_dn="$(grep -E '^^dn:\s' "${schema_file}")" + +# Get list of already installed schemas from local LDAP server +schema_list() { + ldapsearch -Y EXTERNAL -H ldapi:/// -LLLQ -b 'cn=schema,cn=config' dn \ + | sed -e '/^$/d' -e 's/{[0-9]\+}//' +} + +if schema_list | grep -q "${schema_dn}" ; then + # The schema is already installed, do nothing + exit 0 +else + # Try installing the schema in the database + ldapadd -Y EXTERNAL -H ldapi:/// -f "${schema_file}" +fi 
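Review bot: In the new `.schema` branch the converter output is redirected straight into `"${schema_file%.*}.ldif"`, so the shell truncates that file before `schema2ldif` runs; with `set -o errexit` a failing conversion exits the script and leaves an empty `.ldif` beside the source, and whatever already existed at that path is overwritten on every run — which would include the `rfc2307bis.ldif` this role copies next to `rfc2307bis.schema` if the schema list ever names the `.schema` variant. Write into a `mktemp` file in the same directory and `mv` it into place only after the converter succeeds, as below. Two smaller points in the same hunk: `type schema2ldif > /dev/null` still prints the not-found message to stderr, so use `> /dev/null 2>&1`, and `grep -q "${schema_dn}"` treats the DN as an unanchored regular expression, where `grep -qFx "${schema_dn}"` would match the exact line produced by `schema_list`.

```shell
if [[ "${schema_file}" == *.schema ]] ; then
    if type schema2ldif > /dev/null 2>&1 ; then
        ldif_schema_file="${schema_file%.*}.ldif"
        # Convert into a temporary file first so that a failed conversion never
        # leaves a truncated .ldif behind and the real file is replaced atomically
        tmp_ldif_file="$(mktemp "${ldif_schema_file}.XXXXXX")"
        trap 'rm -f "${tmp_ldif_file}"' EXIT
        schema2ldif "${schema_file}" > "${tmp_ldif_file}"
        mv -f "${tmp_ldif_file}" "${ldif_schema_file}"
        schema_file="${ldif_schema_file}"
    else
        # … unchanged: error message when schema2ldif is not installed …
    fi
fi
```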
diff --git a/ansible/roles/slapd/tasks/main.yml b/ansible/roles/slapd/tasks/main.yml index 18f4ee1893..d7d5bc4e2d 100644 --- a/ansible/roles/slapd/tasks/main.yml +++ b/ansible/roles/slapd/tasks/main.yml @@ -1,6 +1,7 @@ --- # Copyright (C) 2016-2019 Maciej Delmanowski -# Copyright (C) 2016-2019 DebOps +# Copyright (C) 2023 David Härdeman +# Copyright (C) 2016-2023 DebOps # SPDX-License-Identifier: GPL-3.0-only - name: Import custom Ansible plugins @@ -15,10 +16,35 @@ import_role: name: 'secret' -- name: Prepare OpenLDAP installation to use the rfc2307bis schema - include_tasks: 'prepare_rfc2307bis.yml' - when: (slapd__rfc2307bis_enabled|bool and - (ansible_local is undefined or ansible_local.slapd is undefined)) +- name: Ensure that DebOps schema directory exists + ansible.builtin.file: + path: '{{ slapd__debops_schema_path }}' + state: 'directory' + mode: '0755' + +- name: Copy custom DebOps schemas to the OpenLDAP host + ansible.builtin.copy: + src: 'etc/ldap/schema/debops/' + dest: '{{ slapd__debops_schema_path + "/" }}' + mode: '0644' + +- name: Divert the original NIS schema included in Debian + debops.debops.dpkg_divert: + path: '/etc/ldap/schema/{{ item }}' + loop: [ 'nis.schema', 'nis.ldif' ] + when: slapd__rfc2307bis_enabled | bool and + not ansible_local.slapd | d(False) | bool + +- name: Symlink the new rfc2307bis schema in place of NIS schema + ansible.builtin.file: + state: 'link' + path: '/etc/ldap/schema/{{ item | replace("rfc2307bis", "nis") }}' + src: '{{ slapd__debops_schema_path + "/" + item }}' + mode: '0644' + loop: [ 'rfc2307bis.schema', 'rfc2307bis.ldif' ] + when: not ansible_check_mode | bool and + slapd__rfc2307bis_enabled | bool and + not ansible_local.slapd | d(False) | bool - name: Initialize BaseDN value in debconf using a DNS domain debconf: 
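Review bot: The `when:` guard on the divert and symlink tasks, `not ansible_local.slapd | d(False) | bool`, only reproduces the old "run before the first installation" test if the `slapd` local fact is itself a boolean; the fact file is not in this diff, but if it is a dictionary of values, Ansible's `bool` filter returns False for it and the guard is true on every play, so the diversion and symlinking would also run after `slapd` is installed rather than only beforehand. Either keep the definedness test, `when: slapd__rfc2307bis_enabled | bool and ansible_local.slapd is undefined`, or test the specific boolean key the fact exposes. The copied `rfc2307bis.ldif` also becomes the target of the `/etc/ldap/schema/nis.ldif` symlink that `slapd` reads at installation, so anything that regenerates that file (for instance the load script converting `rfc2307bis.schema`) changes what gets loaded; a comment on the copy task such as `# rfc2307bis.ldif is what slapd loads through the nis.ldif symlink; keep it in sync with rfc2307bis.schema` would make that coupling visible.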
@@ -78,18 +104,6 @@ mode: '0755' tags: [ 'role::slapd:scripts' ] -- name: Ensure that DebOps schema directory exists - file: - path: '{{ slapd__debops_schema_path }}' - state: 'directory' - mode: '0755' - -- name: Copy custom DebOps schemas to the OpenLDAP host - copy: - src: 'etc/ldap/schema/debops/' - dest: '{{ slapd__debops_schema_path + "/" }}' - mode: '0644' - - name: Load custom LDAP schemas script: 'script/ldap-load-schema {{ item }}' loop: '{{ q("flattened", slapd__combined_schemas) }}' diff --git a/ansible/roles/slapd/tasks/prepare_rfc2307bis.yml b/ansible/roles/slapd/tasks/prepare_rfc2307bis.yml deleted file mode 100644 index 3534509bfc..0000000000 --- a/ansible/roles/slapd/tasks/prepare_rfc2307bis.yml +++ /dev/null @@ -1,35 +0,0 @@ ---- -# Copyright (C) 2016-2019 Maciej Delmanowski -# Copyright (C) 2016-2019 DebOps -# SPDX-License-Identifier: GPL-3.0-only - -- name: Install APT packages with rfc2307bis LDAP schema - package: - name: '{{ slapd__rfc2307bis_packages }}' - state: 'present' - register: slapd__register_rfc2307bis_packages - until: slapd__register_rfc2307bis_packages is succeeded - -- name: Divert the original NIS schema included in Debian - dpkg_divert: - path: '/etc/ldap/schema/{{ item }}' - loop: - - 'nis.schema' - - 'nis.ldif' - -- name: Convert FusionDirectory rfc2307bis schema to ldif - shell: schema2ldif rfc2307bis.schema > rfc2307bis.ldif - args: - creates: '/etc/ldap/schema/fusiondirectory/rfc2307bis.ldif' - chdir: '/etc/ldap/schema/fusiondirectory' - when: '"fusiondirectory-schema" in slapd__rfc2307bis_packages' - -- name: Symlink the new rfc2307bis schema in place of NIS schema - file: - state: 'link' - path: '/etc/ldap/schema/{{ item | replace("rfc2307bis", "nis") }}' - src: '{{ (("fusiondirectory-schema" in slapd__rfc2307bis_packages) - | ternary("fusiondirectory", "gosa")) + "/" + item }}' - mode: '0644' - loop: [ 'rfc2307bis.schema', 'rfc2307bis.ldif' ] - when: not ansible_check_mode|bool 
diff --git a/ansible/roles/slapd/tasks/slapd_tasks.yml b/ansible/roles/slapd/tasks/slapd_tasks.yml index f607ffbb32..389524b3f0 100644 --- a/ansible/roles/slapd/tasks/slapd_tasks.yml +++ b/ansible/roles/slapd/tasks/slapd_tasks.yml @@ -4,7 +4,7 @@ # SPDX-License-Identifier: GPL-3.0-only - name: '{{ item.name }}' - ldap_entry: + community.general.ldap_entry: dn: '{{ item.dn if (item.dn is string) else item.dn | join(",") }}' objectClass: '{{ item.objectClass | d(omit) }}' attributes: '{{ item.attributes | d(omit) }}' @@ -19,7 +19,7 @@ else False) }}' - name: '{{ item.name }}' - ldap_attrs: + community.general.ldap_attrs: dn: '{{ item.dn if (item.dn is string) else item.dn | join(",") }}' attributes: '{{ item.attributes | d({}) }}' ordered: '{{ item.ordered | d(False) }}' diff --git a/docs/ansible/roles/slapd/examples/multi-master-replication.yml b/docs/ansible/roles/slapd/examples/multi-master-replication.yml index e217591a10..1e1950618a 100644 --- a/docs/ansible/roles/slapd/examples/multi-master-replication.yml +++ b/docs/ansible/roles/slapd/examples/multi-master-replication.yml @@ -1,6 +1,6 @@ --- # Copyright (C) 2016-2019 Maciej Delmanowski -# Copyright (C) 2016-2019 DebOps +# Copyright (C) 2016-2023 DebOps # SPDX-License-Identifier: GPL-3.0-only slapd__group_allow: [ '192.0.2.0/24' ] @@ -69,7 +69,7 @@ slapd__cluster_tasks: tls_key="{{ slapd__tls_private_key }}" tls_cipher_suite="{{ slapd__tls_cipher_suite }}" - olcMirrorMode: 'TRUE' + olcMultiProvider: 'TRUE' state: 'exact' - name: 'Configure time and size limits in the main database' @@ -136,5 +136,5 @@ slapd__cluster_tasks: tls_key="{{ slapd__tls_private_key }}" tls_cipher_suite="{{ slapd__tls_cipher_suite }}" - olcMirrorMode: 'TRUE' + olcMultiProvider: 'TRUE' state: 'exact' diff --git a/docs/ansible/roles/slapd/guide-multi-master-replication.rst b/docs/ansible/roles/slapd/guide-multi-master-replication.rst index 836ef71645..16bf21cec5 100644 --- a/docs/ansible/roles/slapd/guide-multi-master-replication.rst 
+++ b/docs/ansible/roles/slapd/guide-multi-master-replication.rst @@ -144,6 +144,12 @@ The above configuration is available as a convenience in a separate :file:`examples/multi-master-replication.yml` file in the :ref:`debops.slapd` role documentation stored in the DebOps monorepo. +.. warning:: + The ``olcMultiProvider`` attribute was renamed from ``olcMirrorMode`` + between OpenLDAP versions 2.4 and 2.5. Make sure to use the old name if + you are using an older release. + + Configuration notes ~~~~~~~~~~~~~~~~~~~ diff --git a/docs/ansible/roles/slapd/ldap-schema.rst b/docs/ansible/roles/slapd/ldap-schema.rst index fbe18b11b3..6098d28deb 100644 --- a/docs/ansible/roles/slapd/ldap-schema.rst +++ b/docs/ansible/roles/slapd/ldap-schema.rst @@ -33,22 +33,13 @@ additive. You can define different sets of schemas on different Ansible inventory levels. The schema files need to already be present on the remote host to be imported -by the role. The default schemas included by the role are installed via APT -packages, you can see the available set of schemas by running the command: - -.. code-block:: console - - apt-cache search fusiondirectory plugin schema - -The Debian/Ubuntu archive also contains a smaller set of APT packages for the -GOsa² application which contain LDAP schemas, however the ``gosa-*`` and -``fusiondirectory-*`` packages conflict with each other. +by the role. You can use the :ref:`debops.resources` role to copy custom ``*.schema`` or ``*.ldif`` files to the remote host before importing them. The ``*.ldif`` files can be imported automatically, but the ``*.schema`` import relies on the -:command:`fusiondirectory-insert-schema` command which is available in the -``fusiondirectory-schema`` APT package. +:command:`schema2ldif` tool which is available from the APT package with the +same name. If you are using clustered OpenLDAP, for example in N-Way Multi Master replication mode, you should import the schemas only on one node at a time. 
@@ -96,30 +87,15 @@ the :command:`slapd` package installation and removing it from the already initialized directory can be difficult. Fortunately, there's a clean way to avoid this issue and enable the -``rfc2307bis`` schema on :command:`slapd` installation. The Debian Archive -contains two packages that provide it: `fusiondirectory-schema`__ and -`gosa-schema`__. Both packages conflict with each other, therefore only one can -be installed at a time. In the ``debops.slapd`` role, the -``fusiondirectory-schema`` has been selected because FusionDirectory project -seems to be an actively maintained fork of GOsa² and will be more likely to be -selected for installation; another reason is more -``fusiondirectory-plugin-*-schema`` APT packages available in Debian. - -The role still works fine with ``gosa-schema`` APT package installed, however -this will not be detected automatically; the user should redefine the -:envvar:`slapd__rfc2307bis_packages` list the Ansible inventory to select this -APT package. - -.. __: https://packages.debian.org/stable/fusiondirectory-schema -.. __: https://packages.debian.org/stable/gosa-schema - +``rfc2307bis`` schema on :command:`slapd` installation. Before the installation of the :command:`slapd` APT package, the -``debops.slapd`` role will install the ``fusiondirectory-schema`` package, -divert the :file:`/etc/ldap/schema/nis.(ldif,schema)` files aside using the -:command:`dpkg-divert` tool and create a symlink to the -:file:`/etc/ldap/fusiondirectory/rfc2307bis.(ldif,schema)` files in their -place. With this modification, when the :command:`slapd` APT package is -installed, it will automatically include the modified ``rfc2307bis`` schema. +``debops.slapd`` role will divert the +:file:`/etc/ldap/schema/nis.(ldif,schema)` files using the +:command:`dpkg-divert` tool, install the ``rfc2307bis`` files to the +:envvar:`slapd__debops_schema_path` directory and create symlinks where the +original ``nis`` schema used to be. 
With this modification, when the +:command:`slapd` APT package is installed, it will automatically include the +modified ``rfc2307bis`` schema. The automatic installation of the ``rfc2307bis`` schema can be disabled by setting the :envvar:`slapd__rfc2307bis_enabled` boolean variable to ``False``. @@ -319,12 +295,6 @@ are commonly used in academic institutions. .. __: https://www.internet2.edu/products-services/trust-identity/eduperson-eduorg/ -The schema is available in Debian in the -``fusiondirectory-plugin-supann-schema`` APT package, however that version is -slightly outdated and does not include object and attribute descriptions. -Because of that, DebOps contains its own copy of the schema, cleaned up and -updated, which will be imported by default to OpenLDAP directory server. - The version of the schema included in DebOps has been extended with additional attributes for the ``eduPerson`` and ``eduOrg`` Object Classes not present in the official specification. These attributes have been found useful in an