diff --git a/group_vars/re2o_ldap.yml b/group_vars/re2o_ldap.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f873e6f4320dc90ed86c4cc1b1c511b4c94f703e
--- /dev/null
+++ b/group_vars/re2o_ldap.yml
@@ -0,0 +1,7 @@
+---
+glob_re2o_ldap:
+ suffix: dc=crans,dc=org
+ url: "ldaps://{{ query('ldap', 'ip', 'yson-partou', 'adm') | ipv4 | first }}:636"
+ root_password_hash: "{{ vault.ldap_master_password_hash }}"
+ certificate: "{{ vault.ldap_re2o_certificate }}"
+ private_key: "{{ vault.ldap_re2o_private_key }}"
diff --git a/group_vars/re2o_ldap_replica.yml b/group_vars/re2o_ldap_replica.yml
deleted file mode 100644
index ae4b34c1663e78c4f730d46f287937dc1822c552..0000000000000000000000000000000000000000
--- a/group_vars/re2o_ldap_replica.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-glob_re2o_ldap_replica:
- replicator:
- username: replicator
- password: "{{ vault.ldap_replication_re2o_credentials }}"
- suffix: dc=crans,dc=org
- url: "ldaps://{{ query('ldap', 'ip', 'terenez', 'adm') | ipv4 | first }}:636"
- root_password_hash: "{{ vault.ldap_master_password_hash }}"
- certificate: "{{ vault.ldap_re2o_certificate }}"
- private_key: "{{ vault.ldap_re2o_private_key }}"
diff --git a/hosts b/hosts
index b87feae27884d778d0a24f731e38f6408ed83dbd..af37685348f815a6f7f9025967ea007528262d50 100644
--- a/hosts
+++ b/hosts
@@ -193,7 +193,7 @@ radius
 [re2o_front]
 re2o.adm.crans.org
-[re2o_ldap_replica]
+[re2o_ldap]
 re2o-dev.adm.crans.org
 yson-partou.adm.crans.org
diff --git a/plays/re2o-ldap-replica.yml b/plays/re2o-ldap-replica.yml
deleted file mode 100755
index 1d1344a04e03ee97bf7ca2f404577122701eae8d..0000000000000000000000000000000000000000
--- a/plays/re2o-ldap-replica.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-- hosts: re2o_ldap_replica
- vars:
- re2o_ldap_replica: "{{ glob_re2o_ldap_replica | default({}) | combine(loc_re2o_ldap_replica | default({})) }}"
- roles:
- - re2o-ldap-replica
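Review bot: `certificate`, `private_key` and `root_password_hash` are group-level values, and the `[re2o_ldap]` group renamed in the same commit holds two hosts (re2o-dev and yson-partou), so the provider and its replica are deployed with one TLS key pair and one directory root password hash. A compromise of the replica therefore exposes the provider's TLS identity and its admin hash; keeping the key pair and root hash per host, via the `loc_re2o_ldap` override that plays/re2o-ldap.yml already merges, would contain that. The `url` value names yson-partou, which is itself a group member, so it is only meaningful on hosts that define `replica`; a comment on that line such as `# replication provider / updateref, used only by hosts that define re2o_ldap.replica` would make the intent clear. Whether re2o-dev actually defines `replica` is not visible in this diff.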
diff --git a/plays/re2o-ldap.yml b/plays/re2o-ldap.yml
new file mode 100755
index 0000000000000000000000000000000000000000..fcdd583e694a0311d1cf54c8179a7a8bcbe9810a
--- /dev/null
+++ b/plays/re2o-ldap.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: re2o_ldap
+ vars:
+ re2o_ldap: "{{ glob_re2o_ldap | default({}) | combine(loc_re2o_ldap | default({})) }}"
+ roles:
+ - re2o-ldap
diff --git a/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2 b/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2
deleted file mode 100644
index 8571016c49550c556b8d95fee23c700736850eeb..0000000000000000000000000000000000000000
--- a/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2
+++ /dev/null
@@ -1,8 +0,0 @@
-{{ ansible_header | comment }}
-
-dn: cn=config
-add: olcTLSCertificateFile
-olcTLSCertificateFile: /etc/ldap/ldap.pem
--
-add: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: /etc/ldap/ldap.key
diff --git a/roles/re2o-ldap-replica/templates/ldap/db.ldif.j2 b/roles/re2o-ldap-replica/templates/ldap/db.ldif.j2
deleted file mode 100644
index ca2f992f1ff0c6b74ffa6825f0b233877ed8b66c..0000000000000000000000000000000000000000
--- a/roles/re2o-ldap-replica/templates/ldap/db.ldif.j2
+++ /dev/null
@@ -1,188 +0,0 @@ -{{ ansible_header | comment }} - -# This file comes from the installation of Re2o -# https://gitlab.federez.net/re2o/re2o/-/blob/master/install_utils/db.ldiff - -dn: {{ re2o_ldap_replica.suffix }} -o: rezo -structuralObjectClass: organization -entryUUID: fc97a0fe-514b-1034-9e4d-59675b32507b -creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} -createTimestamp: 20150225150906Z -description: ldap -objectClass: top -objectClass: dcObject -objectClass: organization -entryCSN: 20151003212702.245118Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20151003212702Z -contextCSN: 20161004233332.689769Z#000000#000#000000 - -dn: cn=admin,{{ re2o_ldap_replica.suffix }} -objectClass: simpleSecurityObject -objectClass: organizationalRole -cn: admin -structuralObjectClass: organizationalRole -entryUUID: fc97fa72-514b-1034-9e4e-59675b32507b -creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} -createTimestamp: 20150225150906Z -description:: TERBUCBhZG1pbmlzdHJhdG9yDQo= -userPassword: {{ re2o_ldap_replica.root_password_hash }} -entryCSN: 20160604005945.576566Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20160604005945Z - -dn: cn=Utilisateurs,{{ re2o_ldap_replica.suffix }} -gidNumber: 500 -cn: Utilisateurs -structuralObjectClass: posixGroup -entryUUID: 5d53854e-5204-1034-8c61-8da535cabdfc -creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} -createTimestamp: 20150226130856Z -sambaSID: 500 -uid: Users -objectClass: posixGroup -objectClass: top -objectClass: sambaSamAccount -objectClass: radiusprofile -entryCSN: 20150226130950.194154Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20150226130950Z - -dn: ou=groups,{{ re2o_ldap_replica.suffix }} -objectClass: organizationalUnit -description: Groupes d'utilisateurs -ou: groups -structuralObjectClass: organizationalUnit -entryUUID: 986aa1b6-bb86-1035-9a4c-2ff0c800ec24 
-creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} -createTimestamp: 20160531142039Z -entryCSN: 20160531142039.780151Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20160531142039Z - -dn: ou=services,ou=groups,{{ re2o_ldap_replica.suffix }} -objectClass: organizationalUnit -description: Groupes de comptes techniques -ou: services -structuralObjectClass: organizationalUnit -entryUUID: cbb56904-bc6a-1035-9fbb-3dc3850d88ba -creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} -createTimestamp: 20160601173411Z -entryCSN: 20160601173411.088359Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20160601173411Z - -dn: ou=service-users,{{ re2o_ldap_replica.suffix }} -objectClass: organizationalUnit -description: Utilisateurs techniques de l'annuaire -ou: service-users -structuralObjectClass: organizationalUnit -entryUUID: 0e397270-bc6b-1035-9fbd-3dc3850d88ba -creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} -createTimestamp: 20160601173602Z -entryCSN: 20160601173602.683304Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20160601173602Z - -dn: cn=freeradius,ou=service-users,{{ re2o_ldap_replica.suffix }} -objectClass: applicationProcess -objectClass: simpleSecurityObject -cn: freeradius -userPassword: {{ re2o_ldap_replica.root_password_hash }} -structuralObjectClass: applicationProcess -entryUUID: 8596e4ec-bc6b-1035-9fbf-3dc3850d88ba -creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} -createTimestamp: 20160601173922Z -entryCSN: 20160601173922.944598Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20160601173922Z - -dn: cn=nssauth,ou=service-users,{{ re2o_ldap_replica.suffix }} -objectClass: applicationProcess -objectClass: simpleSecurityObject -cn: nssauth -structuralObjectClass: applicationProcess -entryUUID: cfbdadc6-bc6b-1035-9fc4-3dc3850d88ba -creatorsName: cn=admin,{{ 
re2o_ldap_replica.suffix }} -createTimestamp: 20160601174127Z -userPassword: {{ re2o_ldap_replica.root_password_hash }} -entryCSN: 20160603093724.770069Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20160603093724Z - -dn: cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }} -objectClass: groupOfNames -cn: auth -member: cn=nssauth,ou=service-users,{{ re2o_ldap_replica.suffix }} -structuralObjectClass: groupOfNames -entryUUID: 98524836-bc6d-1035-9fc7-3dc3850d88ba -creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} -createTimestamp: 20160601175413Z -entryCSN: 20160620005705.309928Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20160620005705Z - -dn: ou=posix,ou=groups,{{ re2o_ldap_replica.suffix }} -objectClass: organizationalUnit -description: Groupes de comptes POSIX -ou: posix -structuralObjectClass: organizationalUnit -entryUUID: fbd89c4a-bdb5-1035-9045-d5a09894d93e -creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} -createTimestamp: 20160603090455Z -entryCSN: 20160603090455.267192Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20160603090455Z - -dn: cn=wifi,ou=service-users,{{ re2o_ldap_replica.suffix }} -objectClass: applicationProcess -objectClass: simpleSecurityObject -cn: wifi -structuralObjectClass: applicationProcess -entryUUID: 8cc2d1a6-bdc2-1035-9051-d5a09894d93e -creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} -createTimestamp: 20160603103452Z -userPassword: {{ re2o_ldap_replica.root_password_hash }} -entryCSN: 20160603103638.682210Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20160603103638Z - -dn: cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }} -objectClass: groupOfNames -cn: usermgmt -structuralObjectClass: groupOfNames -entryUUID: ec01e206-bdc2-1035-9054-d5a09894d93e -creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} 
-createTimestamp: 20160603103732Z -member: cn=wifi,ou=service-users,{{ re2o_ldap_replica.suffix }} -entryCSN: 20160603103746.897151Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20160603103746Z - -dn: cn=replica,ou=service-users,{{ re2o_ldap_replica.suffix }} -objectClass: applicationProcess -objectClass: simpleSecurityObject -cn: replica -structuralObjectClass: applicationProcess -entryUUID: caef5c54-c0e4-1035-948f-dfe369fe3d4f -creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} -createTimestamp: 20160607101733Z -userPassword: {{ re2o_ldap_replica.root_password_hash }} -entryCSN: 20160607101829.424643Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20160607101829Z - -dn: cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }} -objectClass: groupOfNames -cn: readonly -structuralObjectClass: groupOfNames -entryUUID: f6bd2366-c0e4-1035-9492-dfe369fe3d4f -creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }} -createTimestamp: 20160607101846Z -member: cn=replica,ou=service-users,{{ re2o_ldap_replica.suffix }} -member: cn=freeradius,ou=service-users,{{ re2o_ldap_replica.suffix }} -entryCSN: 20160619214628.287369Z#000000#000#000000 -modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }} -modifyTimestamp: 20160619214628Z - diff --git a/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2 b/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2 deleted file mode 100644 index 1dc6da0ca8f682be4727c0395fb680fad31cbc81..0000000000000000000000000000000000000000 --- a/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ re2o_ldap_replica.private_key }} diff --git a/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2 b/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2 deleted file mode 100644 index 71d67e1ab8360ed865a8ea1b3868930d25089a1d..0000000000000000000000000000000000000000 --- a/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2 +++ /dev/null 
@@ -1 +0,0 @@
-{{ re2o_ldap_replica.certificate }}
diff --git a/roles/re2o-ldap-replica/handlers/main.yml b/roles/re2o-ldap/handlers/main.yml
similarity index 100%
rename from roles/re2o-ldap-replica/handlers/main.yml
rename to roles/re2o-ldap/handlers/main.yml
diff --git a/roles/re2o-ldap-replica/tasks/main.yml b/roles/re2o-ldap/tasks/main.yml
similarity index 87%
rename from roles/re2o-ldap-replica/tasks/main.yml
rename to roles/re2o-ldap/tasks/main.yml
index 0bcd4c8dbac29cf810ad499c9f07ff25416dfe8e..485cf7ffe87992f648f415d2ac116452cb494a9b 100644
--- a/roles/re2o-ldap-replica/tasks/main.yml
+++ b/roles/re2o-ldap/tasks/main.yml
@@ -58,8 +58,7 @@
 loop:
 - db
 - schema
- - consumer_simple_sync
- - certinfo
+ - replication
 - name: Initialize re2o-ldap schema
 when: not installation.stat.exists
@@ -78,8 +77,8 @@
 state: started
 - name: Enable data replication
- when: not installation.stat.exists
- shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/consumer_simple_sync.ldif
+ when: not installation.stat.exists and re2o_ldap.replica is defined
+ shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/replication.ldif
 # LDAPS configuration
 - name: Copy TLS certificate
@@ -93,17 +92,13 @@
 - ldap.pem
 - ldap.key
-- name: Load TLS certificates
- when: not installation.stat.exists
- shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/certinfo.ldif
-
 - name: Enable LDAPS
 lineinfile:
 path: /etc/default/slapd
 regexp: '^SLAPD_SERVICES='
 line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
 notify: Restart slapd
- check_mode: false
+ when: not ansible_check_mode
 - name: Touch installation marker
 when: not installation.stat.exists
diff --git a/roles/re2o-ldap/templates/ldap/db.ldif.j2 b/roles/re2o-ldap/templates/ldap/db.ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..0181c093c918888cba435733144a6696702f3049
--- /dev/null
+++ b/roles/re2o-ldap/templates/ldap/db.ldif.j2
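Review bot: `shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/replication.ldif` in the `Enable data replication` task uses no shell feature, so `command:` would do the same job without a shell in between. The new `when` condition mirrors the `{% if re2o_ldap.replica is defined %}` guard in replication.ldif.j2, and that coupling deserves a one-line comment above the task, e.g. `# replication.ldif is only non-empty on hosts that define re2o_ldap.replica`. The rendered file holds the replicator bind password in clear under /var/lib/slapd; the template task that writes it is outside this hunk, so its `mode` should be checked to be owner-only.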
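Review bot: `when: not ansible_check_mode` on `Enable LDAPS` skips the task entirely in `--check` runs, so a check run no longer reports a pending change to /etc/default/slapd. `lineinfile` supports check mode natively, so dropping both the old `check_mode: false` and the new `when` lets a check run show the diff while a real run applies it. If the condition was added for another reason, a comment on that line stating it would save the next reader from removing it.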
@@ -0,0 +1,104 @@
+{{ ansible_header | comment }}
+
+# This file comes from the installation of Re2o
+# https://gitlab.federez.net/re2o/re2o/-/blob/master/install_utils/db.ldiff
+
+dn: {{ re2o_ldap.suffix }}
+o: rezo
+structuralObjectClass: organization
+description: ldap
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+contextCSN: 20161004233332.689769Z#000000#000#000000
+
+dn: cn=admin,{{ re2o_ldap.suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+structuralObjectClass: organizationalRole
+description:: TERBUCBhZG1pbmlzdHJhdG9yDQo=
+userPassword: {{ re2o_ldap.root_password_hash }}
+
+dn: cn=Utilisateurs,{{ re2o_ldap.suffix }}
+gidNumber: 500
+cn: Utilisateurs
+structuralObjectClass: posixGroup
+sambaSID: 500
+uid: Users
+objectClass: posixGroup
+objectClass: top
+objectClass: sambaSamAccount
+objectClass: radiusprofile
+
+dn: ou=groups,{{ re2o_ldap.suffix }}
+objectClass: organizationalUnit
+description: Groupes d'utilisateurs
+ou: groups
+structuralObjectClass: organizationalUnit
+
+dn: ou=services,ou=groups,{{ re2o_ldap.suffix }}
+objectClass: organizationalUnit
+description: Groupes de comptes techniques
+ou: services
+structuralObjectClass: organizationalUnit
+
+dn: ou=service-users,{{ re2o_ldap.suffix }}
+objectClass: organizationalUnit
+description: Utilisateurs techniques de l'annuaire
+ou: service-users
+structuralObjectClass: organizationalUnit
+
+dn: cn=freeradius,ou=service-users,{{ re2o_ldap.suffix }}
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: freeradius
+userPassword: {{ re2o_ldap.root_password_hash }}
+structuralObjectClass: applicationProcess
+
+dn: cn=nssauth,ou=service-users,{{ re2o_ldap.suffix }}
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: nssauth
+structuralObjectClass: applicationProcess
+userPassword: {{ re2o_ldap.root_password_hash }}
+
+dn: cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}
+objectClass: groupOfNames
+cn: auth
+member: cn=nssauth,ou=service-users,{{ re2o_ldap.suffix }}
+structuralObjectClass: groupOfNames
+
+dn: ou=posix,ou=groups,{{ re2o_ldap.suffix }}
+objectClass: organizationalUnit
+description: Groupes de comptes POSIX
+ou: posix
+structuralObjectClass: organizationalUnit
+
+dn: cn=wifi,ou=service-users,{{ re2o_ldap.suffix }}
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: wifi
+structuralObjectClass: applicationProcess
+userPassword: {{ re2o_ldap.root_password_hash }}
+
+dn: cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}
+objectClass: groupOfNames
+cn: usermgmt
+structuralObjectClass: groupOfNames
+member: cn=wifi,ou=service-users,{{ re2o_ldap.suffix }}
+
+dn: cn=replica,ou=service-users,{{ re2o_ldap.suffix }}
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: replica
+structuralObjectClass: applicationProcess
+userPassword: {{ re2o_ldap.root_password_hash }}
+
+dn: cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}
+objectClass: groupOfNames
+cn: readonly
+structuralObjectClass: groupOfNames
+member: cn=replica,ou=service-users,{{ re2o_ldap.suffix }}
+member: cn=freeradius,ou=service-users,{{ re2o_ldap.suffix }}
+
diff --git a/roles/re2o-ldap/templates/ldap/ldap.key.j2 b/roles/re2o-ldap/templates/ldap/ldap.key.j2
new file mode 100644
index 0000000000000000000000000000000000000000..007496f0db3034a985a4a582c7e7775471cb2e94
--- /dev/null
+++ b/roles/re2o-ldap/templates/ldap/ldap.key.j2
@@ -0,0 +1 @@
+{{ re2o_ldap.private_key }}
diff --git a/roles/re2o-ldap/templates/ldap/ldap.pem.j2 b/roles/re2o-ldap/templates/ldap/ldap.pem.j2
new file mode 100644
index 0000000000000000000000000000000000000000..853d78b66c41355cb2ef4ea9d378c09e5666a148
--- /dev/null
+++ b/roles/re2o-ldap/templates/ldap/ldap.pem.j2
@@ -0,0 +1 @@
+{{ re2o_ldap.certificate }}
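Review bot: every service user in this template (`cn=freeradius`, `cn=nssauth`, `cn=wifi`, `cn=replica`) gets `userPassword: {{ re2o_ldap.root_password_hash }}`, the same hash as `cn=admin`, so the password configured in any consumer (the RADIUS or NSS client, the replica's syncrepl bind) is the directory root password and a leak of any one of them is a full directory compromise. Giving each account its own vault value, for example a `service_password_hashes` mapping under `re2o_ldap` consumed as `userPassword: {{ re2o_ldap.service_password_hashes.freeradius }}`, keeps the readonly/usermgmt/auth ACL split in schema.ldif.j2 meaningful. The kept `contextCSN: 20161004233332.689769Z#000000#000#000000` line is an operational attribute from the old dump, like the entryUUID/creatorsName lines this commit strips; I would expect slapadd to accept it, but a stale CSN on a freshly initialised provider is at best misleading and I would drop it together with the others.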
diff --git a/roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2 b/roles/re2o-ldap/templates/ldap/replication.ldif.j2
similarity index 53%
rename from roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2
rename to roles/re2o-ldap/templates/ldap/replication.ldif.j2
index f15a81dfcde86af2b4cce00ee9612bdaa96a642b..7b74785ccc8a55672f61b4b1296c8203402c4116 100644
--- a/roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2
+++ b/roles/re2o-ldap/templates/ldap/replication.ldif.j2
@@ -1,14 +1,15 @@
 {{ ansible_header | comment }}
+{% if re2o_ldap.replica is defined %}
 dn: olcDatabase={1}hdb,cn=config
 changetype: modify
 add: olcSyncrepl
 olcSyncrepl: rid=1
- provider={{ re2o_ldap_replica.url }}
+ provider={{ re2o_ldap.url }}
 bindmethod=simple
- binddn="cn={{ re2o_ldap_replica.replicator.username }},{{ re2o_ldap_replica.suffix }}"
- credentials={{ re2o_ldap_replica.replicator.password }}
- searchbase="{{ re2o_ldap_replica.suffix }}"
+ binddn="cn={{ re2o_ldap.replica.username }},{{ re2o_ldap.suffix }}"
+ credentials={{ re2o_ldap.replica.password }}
+ searchbase="{{ re2o_ldap.suffix }}"
 scope=sub
 schemachecking=on
 type=refreshAndPersist
@@ -18,4 +19,5 @@ olcSyncrepl: rid=1
 tls_reqcert=allow
 -
 add: olcUpdateRef
-olcUpdateRef: {{ re2o_ldap_replica.url }}
+olcUpdateRef: {{ re2o_ldap.url }}
+{% endif %}
diff --git a/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2 b/roles/re2o-ldap/templates/ldap/schema.ldif.j2
similarity index 92%
rename from roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
rename to roles/re2o-ldap/templates/ldap/schema.ldif.j2
index 564a2380019de15108f703b066c946d2e39593af..036ab3afd2ab27ec043e40096ecd34f1a5386011 100644
--- a/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
+++ b/roles/re2o-ldap/templates/ldap/schema.ldif.j2
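Review bot: `tls_reqcert=allow`, kept as a context line in the second hunk, makes the consumer accept any certificate presented by `provider={{ re2o_ldap.url }}`, so the simple bind that sends `credentials={{ re2o_ldap.replica.password }}` in the first hunk is not protected against an on-path attacker even though the URL is ldaps. The role already ships the provider's certificate as `re2o_ldap.certificate`, so the consumer can verify it: `tls_reqcert=demand` plus `tls_cacert=/etc/ldap/ldap.pem` works if that certificate is self-signed, otherwise `tls_cacert` should point at the issuing CA. The new `{% if %}`/`{% endif %}` guard leaves only the header comment in the file on providers; a comment right under the header saying so, e.g. `{# empty on providers: only hosts with re2o_ldap.replica get a syncrepl stanza #}`, would spare the next reader a trip to tasks/main.yml.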
@@ -13,13 +13,9 @@ olcSaslHost: 127.0.0.1 olcSaslSecProps: none olcToolThreads: 1 structuralObjectClass: olcGlobal -entryUUID: fc8ef918-514b-1034-9c2c-0faf5bc7ead5 -creatorsName: cn=config -createTimestamp: 20150225150906Z -entryCSN: 20150930214326.686146Z#000000#000#000000 -modifiersName: cn=admin,cn=config -modifyTimestamp: 20150930214326Z contextCSN: 20160619215244.315124Z#000000#000#000000 +olcTLSCertificateFile: /etc/ldap/ldap.pem +olcTLSCertificateKeyFile: /etc/ldap/ldap.key dn: cn=module{0},cn=config objectClass: olcModuleList @@ -28,23 +24,11 @@ olcModulePath: /usr/lib/ldap olcModuleLoad: {0}back_hdb olcModuleLoad: {1}syncprov structuralObjectClass: olcModuleList -entryUUID: fc8f8478-514b-1034-9c34-0faf5bc7ead5 -creatorsName: cn=admin,cn=config -createTimestamp: 20150225150906Z -entryCSN: 20150305013830.870926Z#000000#000#000000 -modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth -modifyTimestamp: 20150305013830Z dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema structuralObjectClass: olcSchemaConfig -entryUUID: fc8f0ef8-514b-1034-9c2f-0faf5bc7ead5 -creatorsName: cn=admin,cn=config -createTimestamp: 20150225150906Z -entryCSN: 20150225150906.558504Z#000000#000#000000 -modifiersName: cn=admin,cn=config -modifyTimestamp: 20150225150906Z dn: cn={0}core,cn=schema,cn=config objectClass: olcSchemaConfig @@ -286,12 +270,6 @@ olcObjectClasses: {25}( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: olcObjectClasses: {26}( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid ob ject' SUP top AUXILIARY MUST uid ) structuralObjectClass: olcSchemaConfig -entryUUID: fc8f1d30-514b-1034-9c30-0faf5bc7ead5 -creatorsName: cn=admin,cn=config -createTimestamp: 20150225150906Z -entryCSN: 20150225150906.558865Z#000000#000#000000 -modifiersName: cn=admin,cn=config -modifyTimestamp: 20150225150906Z dn: cn={1}cosine,cn=schema,cn=config objectClass: olcSchemaConfig 
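Review bot: `olcTLSCertificateFile: /etc/ldap/ldap.pem` and `olcTLSCertificateKeyFile: /etc/ldap/ldap.key` now become part of cn=config at initialisation, but in the tasks/main.yml hunks of this commit the `Copy TLS certificate` task runs after `state: started`, whereas the removed `Load TLS certificates` step used to apply these paths only after the copy. On a fresh host slapd is therefore started with a TLS configuration whose files do not exist yet; if slapd refuses to start in that state (it aborts on TLS context initialisation in my experience) the first run of the role fails, and a replica would also be replicating before LDAPS is usable. Rendering `ldap.pem` and `ldap.key` before the schema is loaded, for instance by adding them to the same `loop` that renders db/schema/replication, restores the old ordering; where exactly schema.ldif is loaded is inferred, as the body of `Initialize re2o-ldap schema` is not in the diff.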
@@ -463,12 +441,6 @@ olcObjectClasses: {12}( 0.9.2342.19200300.100.4.22 NAME 'qualityLabelledData ' SUP top AUXILIARY MUST dsaQuality MAY ( subtreeMinimumQuality $ subtreeMa ximumQuality ) ) structuralObjectClass: olcSchemaConfig -entryUUID: fc8f49fe-514b-1034-9c31-0faf5bc7ead5 -creatorsName: cn=admin,cn=config -createTimestamp: 20150225150906Z -entryCSN: 20150225150906.560014Z#000000#000#000000 -modifiersName: cn=admin,cn=config -modifyTimestamp: 20150225150906Z dn: cn={2}nis,cn=schema,cn=config objectClass: olcSchemaConfig @@ -570,12 +542,6 @@ olcObjectClasses: {12}( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A devic e with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) ) structuralObjectClass: olcSchemaConfig -entryUUID: fc8f6894-514b-1034-9c32-0faf5bc7ead5 -creatorsName: cn=admin,cn=config -createTimestamp: 20150225150906Z -entryCSN: 20150225150906.560798Z#000000#000#000000 -modifiersName: cn=admin,cn=config -modifyTimestamp: 20150225150906Z dn: cn={3}inetorgperson,cn=schema,cn=config objectClass: olcSchemaConfig @@ -618,12 +584,6 @@ olcObjectClasses: {0}( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RF r $ photo $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIden tifier $ preferredLanguage $ userSMIMECertificate $ userPKCS12 ) ) structuralObjectClass: olcSchemaConfig -entryUUID: fc8f7bf4-514b-1034-9c33-0faf5bc7ead5 -creatorsName: cn=admin,cn=config -createTimestamp: 20150225150906Z -entryCSN: 20150225150906.561294Z#000000#000#000000 -modifiersName: cn=admin,cn=config -modifyTimestamp: 20150225150906Z dn: cn={4}samba,cn=schema,cn=config objectClass: olcSchemaConfig 
@@ -845,12 +805,6 @@ olcObjectClasses: {11}( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DE mbaFlatName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecuri tyIdentifier $ sambaTrustForestTrustInfo ) ) structuralObjectClass: olcSchemaConfig -entryUUID: 677ff3fa-51fe-1034-95ae-1d2624d4874d -creatorsName: cn=config -createTimestamp: 20150226122616Z -entryCSN: 20150226122616.391238Z#000000#000#000000 -modifiersName: cn=config -modifyTimestamp: 20150226122616Z dn: cn={5}radius,cn=schema,cn=config objectClass: olcSchemaConfig @@ -1046,23 +1000,11 @@ olcObjectClasses: {0}( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC '' ateGroupId $ radiusTunnelServerEndpoint $ radiusTunnelType $ radiusUserCate gory $ radiusVSA $ radiusExpiration $ dialupAccess ) ) structuralObjectClass: olcSchemaConfig -entryUUID: 6cc08fcc-51ff-1034-9b54-ebb8a280e8d5 -creatorsName: cn=config -createTimestamp: 20150226123334Z -entryCSN: 20150911222512.172657Z#000000#000#000000 -modifiersName: cn=admin,cn=config -modifyTimestamp: 20150911222512Z dn: olcBackend={0}hdb,cn=config objectClass: olcBackendConfig olcBackend: {0}hdb structuralObjectClass: olcBackendConfig -entryUUID: fc8f9bf2-514b-1034-9c35-0faf5bc7ead5 -creatorsName: cn=admin,cn=config -createTimestamp: 20150225150906Z -entryCSN: 20150225150906.562113Z#000000#000#000000 -modifiersName: cn=admin,cn=config -modifyTimestamp: 20150225150906Z dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig @@ -1074,12 +1016,6 @@ olcAccess: {1}to dn.exact="" by * read olcAccess: {2}to dn.base="cn=Subschema" by * read olcSizeLimit: 5000 structuralObjectClass: olcDatabaseConfig -entryUUID: fc8f0016-514b-1034-9c2d-0faf5bc7ead5 -creatorsName: cn=config -createTimestamp: 20150225150906Z -entryCSN: 20150225150906.558122Z#000000#000#000000 -modifiersName: cn=config -modifyTimestamp: 20150225150906Z dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig 
@@ -1087,63 +1023,66 @@ olcDatabase: {0}config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth manage by * break olcRootDN: cn=config -olcRootPW: {{ re2o_ldap_replica.root_password_hash }} +olcRootPW: {{ re2o_ldap.root_password_hash }} structuralObjectClass: olcDatabaseConfig -entryUUID: fc8f0930-514b-1034-9c2e-0faf5bc7ead5 -creatorsName: cn=config -createTimestamp: 20150225150906Z -entryCSN: 20160604011429.596188Z#000000#000#000000 -modifiersName: cn=config -modifyTimestamp: 20160604011429Z dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov structuralObjectClass: olcSyncProvConfig -entryUUID: 78e96750-c0e5-1035-9495-dfe369fe3d4f -creatorsName: cn=config -createTimestamp: 20160607102224Z -entryCSN: 20160607102224.927072Z#000000#000#000000 -modifiersName: cn=config -modifyTimestamp: 20160607102224Z dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap -olcSuffix: {{ re2o_ldap_replica.suffix }} -olcAccess: {0}to attrs=userPassword,sambaNTPassword,mail by self write by an - onymous auth by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by group="cn - =readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group=" - cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write by * no - ne -olcAccess: {1}to attrs=shadowLastChange,gecos,loginShell by self write by an - onymous auth by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by group="cn - =readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group=" - cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="cn - =usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write by * none -olcAccess: {2}to dn.base="" by * read -olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap_replica.suffix }}" by group="cn= - 
auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group="cn=re - adonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read -olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}" by * read -olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}" by grou - p="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by self r - ead by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" - read by group="cn=usermgmt,ou=services,ou=groups,dc=example,dc=or - g" write -olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap_replica.suffix }}" by gro - up="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read by group - ="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read -olcAccess: {7}to dn.base="{{ re2o_ldap_replica.suffix }}" by * read -olcAccess: {8}to * by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write by self - read by group="cn=readonly,ou=services,ou=groups,dc=example,dc=or - g" read +olcSuffix: {{ re2o_ldap.suffix }} +olcAccess: {0}to attrs=userPassword,sambaNTPassword,mail + by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write + by self write + by anonymous auth + by dn="cn=admin,{{ re2o_ldap.suffix }}" write + by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}" write + by * none +olcAccess: {1}to attrs=shadowLastChange,gecos,loginShell + by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write + by self write + by anonymous auth + by dn="cn=admin,{{ re2o_ldap.suffix }}" write + by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}" write + by * none +olcAccess: {2}to dn.base="" + by * read +olcAccess: {3}to dn.sub="ou=groups,{{ 
re2o_ldap.suffix }}" + by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write + by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read +olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap.suffix }}" + by * read +olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap.suffix }}" + by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write + by self read + by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}" write +olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap.suffix }}" + by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write + by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read +olcAccess: {7}to dn.base="{{ re2o_ldap.suffix }}" + by * read +olcAccess: {8}to * + by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write + by dn="cn=admin,{{ re2o_ldap.suffix }}" write + by self read + by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read olcLastMod: TRUE -olcRootDN: cn=admin,{{ re2o_ldap_replica.suffix }} -olcRootPW: {{ re2o_ldap_replica.root_password_hash }} +olcRootDN: cn=admin,{{ re2o_ldap.suffix }} +olcRootPW: {{ re2o_ldap.root_password_hash }} olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 
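Review bot: the new `set=` clauses hard-code `cn=nounou,ou=posix,ou=groups,dc=crans,dc=org` in rules {0}, {1}, {3}, {5}, {6} and {8} while every other DN on the same olcAccess lines uses `{{ re2o_ldap.suffix }}`; for consistency, and so the template still works with another suffix, write `by set="[cn=nounou,ou=posix,ou=groups,{{ re2o_ldap.suffix }}]/memberUid & user/uid" write`. That clause also deserves a comment above rule {0}: it gives every memberUid of cn=nounou write on `userPassword` of all entries, including `cn=admin` and the service users, and rule {3} gives them write under `ou=groups`, so they can add anyone to cn=nounou — membership of that group is equivalent to holding the root password. If that is intended, `# nounou members are directory administrators: they can reset any password and edit any group` documents it; if not, rule {0} should exclude `cn=admin` and `ou=service-users` from the nounou write. Note too that in rule {5} the `by group="cn=auth,..." read` clause precedes the nounou `write` clause and OpenLDAP stops at the first matching `by`, which only matters if a nounou member can also be in cn=auth.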
@@ -1164,12 +1103,6 @@ olcDbIndex: entryUUID eq olcDbIndex: radiusCallingStationId eq olcSizeLimit: 50000 structuralObjectClass: olcHdbConfig -entryUUID: fc8fa138-514b-1034-9c36-0faf5bc7ead5 -creatorsName: cn=admin,cn=config -createTimestamp: 20150225150906Z -entryCSN: 20160619215244.315124Z#000000#000#000000 -modifiersName: cn=config -modifyTimestamp: 20160619215244Z dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig @@ -1179,10 +1112,4 @@ olcSpCheckpoint: 100 10 olcSpSessionlog: 100 olcSpNoPresent: TRUE structuralObjectClass: olcSyncProvConfig -entryUUID: 12c7a6f2-5724-1034-94b5-dd13061b01b4 -creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth -createTimestamp: 20150305013830Z -entryCSN: 20160607103125.521039Z#000000#000#000000 -modifiersName: cn=config -modifyTimestamp: 20160607103125Z