From f7b85d62145a8719545331bfb8bc3fe987805c5b Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Tue, 29 Dec 2020 16:25:22 +0100
Subject: [PATCH] [slapd] uid musts start with _

---
 roles/slapd/templates/ldap/slapd.conf.j2 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2
index 5c6cccab..86053d40 100644
--- a/roles/slapd/templates/ldap/slapd.conf.j2
+++ b/roles/slapd/templates/ldap/slapd.conf.j2
@@ -29,6 +29,13 @@ moduleload 		auditlog
 overlay 		auditlog
 auditlog 		/var/log/openldap/auditlog.log
 
+moduleload constraint
+overlay constraint
+constraint_attribute description regex ^(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius)$
+  restrict=ldap:///ou=hosts,dc=crans,dc=org??one?(objectClass=device)
+constraint_attribute uid regex ^_
+  restrict=ldap:///ou=passwd,dc=crans,dc=org??one?(objectClass=posixAccount)
+
 moduleload 		syncprov
 {% endif %}
 
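Review bot: The `constraint_attribute uid regex ^_` line anchors only the first character, so any value that merely begins with an underscore is accepted, whatever follows it. If the prefix is meant to mark out a distinct account namespace (inferred from the commit title), a fully anchored pattern such as `constraint_attribute uid regex ^_[a-z0-9][a-z0-9_-]*$` would pin the rest of the name down as well. Both `restrict` URIs use scope `one` plus an objectClass filter, so entries more than one level below `ou=passwd` or `ou=hosts`, and entries that lack `posixAccount` or `device`, are not checked. The overlay validates values only when they are written, so existing entries are untouched and would need a separate search to find non-conforming `uid` or `description` values. The surrounding `{% if %}` block opens outside the hunk, so which hosts receive this configuration cannot be confirmed from here.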
-- 
GitLab