debops.saslauthd default variables
Global configuration
- saslauthd__default_mechanism
The default authentication mechanism used by saslauthd if none is specified.
saslauthd__default_mechanism: '{{ "ldap" if saslauthd__ldap_device_dn | d() else "pam" }}'
APT packages
- saslauthd__base_packages
List of base APT packages to install for SASL support.
saslauthd__base_packages: [ 'sasl2-bin', 'libsasl2-modules' ]
- saslauthd__packages
List of additional APT packages to install with SASL support.
saslauthd__packages: []
Configuration of saslauthd instances
These variables define the instances of saslauthd managed by this role. See saslauthd__instances for more details.
- saslauthd__default_instances
The list of default saslauthd instances defined by the role.
saslauthd__default_instances:

  - name: 'smtpd'
    group: 'postfix'
    description: 'Postfix SASL Authentication Daemon'
    config_path: '/etc/postfix/sasl/smtpd.conf'
    config_group: 'postfix'
    config_raw: |
      pwcheck_method: saslauthd
      mech_list: PLAIN LOGIN
    socket_path: '/var/spool/postfix/var/run/saslauthd'
    socket_group: 'postfix'
    ldap_profile: 'smtpd'
    state: '{{ "present"
               if ((ansible_local | d() and ansible_local.postfix | d() and
                    (ansible_local.postfix.installed | d()) | bool) or
                   ("debops_service_postfix" in group_names))
               else "ignore" }}'
- saslauthd__instances
List of saslauthd instances defined on all hosts in the Ansible inventory.
saslauthd__instances: []
- saslauthd__group_instances
List of saslauthd instances defined on hosts in a specific Ansible inventory group.
saslauthd__group_instances: []
- saslauthd__host_instances
List of saslauthd instances defined on specific hosts in the Ansible inventory.
saslauthd__host_instances: []
- saslauthd__dependent_instances
List of saslauthd instances defined by other Ansible roles via role dependent variables.
saslauthd__dependent_instances: []
- saslauthd__combined_instances
The combined list of instances passed to the Ansible tasks.
saslauthd__combined_instances: '{{ q("flattened", (saslauthd__default_instances
                                                    + saslauthd__instances
                                                    + saslauthd__group_instances
                                                    + saslauthd__host_instances
                                                    + saslauthd__dependent_instances)) }}'
LDAP environment
- saslauthd__ldap_enabled
Enable or disable integration with the LDAP directory. The integration is enabled automatically when the debops.ldap environment is configured on the host.
saslauthd__ldap_enabled: '{{ ansible_local.ldap.enabled
                             if (ansible_local | d() and ansible_local.ldap | d() and
                                 ansible_local.ldap.enabled is defined)
                             else False }}'
- saslauthd__ldap_base_dn
The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, the /etc/saslauthd.conf configuration file will not be generated.
saslauthd__ldap_base_dn: '{{ ansible_local.ldap.base_dn | d([]) }}'
- saslauthd__ldap_device_dn
The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the saslauthd service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.
saslauthd__ldap_device_dn: '{{ ansible_local.ldap.device_dn | d([]) }}'
- saslauthd__ldap_self_rdn
The Relative Distinguished Name of the account LDAP object used by the saslauthd service to access the LDAP directory.
saslauthd__ldap_self_rdn: 'uid=saslauthd'
- saslauthd__ldap_self_object_classes
List of the LDAP object classes which will be used to create the LDAP object used by the saslauthd service to access the LDAP directory.
saslauthd__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
- saslauthd__ldap_self_attributes
YAML dictionary that defines the attributes of the LDAP object used by the saslauthd service to access the LDAP directory.
saslauthd__ldap_self_attributes:
  uid: '{{ saslauthd__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ saslauthd__ldap_bindpw }}'
  host: '{{ [ansible_fqdn, ansible_hostname] | unique }}'
  description: 'Account used by the "saslauthd" service to access the LDAP directory'
- saslauthd__ldap_binddn
The Distinguished Name of the account LDAP object used by the saslauthd service to bind to the LDAP directory.
saslauthd__ldap_binddn: '{{ ([saslauthd__ldap_self_rdn] + saslauthd__ldap_device_dn) | join(",") }}'
- saslauthd__ldap_bindpw
The password stored in the account LDAP object used by the saslauthd service to bind to the LDAP directory.
saslauthd__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                             + saslauthd__ldap_binddn | to_uuid + ".password length=32"))
                            if saslauthd__ldap_enabled | bool
                            else "" }}'
LDAP profiles
The variables below define different "LDAP profiles" which can be used by saslauthd instances to bind to and interact with the LDAP directory. See saslauthd__ldap_profiles for more details.
- saslauthd__ldap_default_profiles
List of default LDAP profiles for the saslauthd service defined by the role.
saslauthd__ldap_default_profiles:

  - name: 'global'
    state: '{{ "present" if saslauthd__ldap_device_dn | d() else "ignore" }}'
    options:
      - name: 'ldap_servers'
        value: '{{ ansible_local.ldap.uri | d("") }}'
      - name: 'ldap_bind_dn'
        value: '{{ saslauthd__ldap_binddn }}'
      - name: 'ldap_password'
        value: '{{ saslauthd__ldap_bindpw }}'
      - name: 'ldap_search_base'
        value: '{{ (["ou=People"] + saslauthd__ldap_base_dn) | join(",") }}'
      - name: 'ldap_filter'
        value: '(&
                  (objectClass=inetOrgPerson)
                  (uid=%u)
                )'
      - name: 'ldap_scope'
        value: 'sub'
      - name: 'ldap_start_tls'
        value: 'yes'
      - name: 'ldap_tls_check_peer'
        value: 'yes'
      - name: 'ldap_tls_cacert_file'
        value: '/etc/ssl/certs/ca-certificates.crt'

  - name: 'slapd'
    state: '{{ "present"
               if (saslauthd__ldap_device_dn | d() and
                   ((ansible_local | d() and ansible_local.slapd | d() and
                     (ansible_local.slapd.installed | d()) | bool) or
                    ("debops_service_slapd" in group_names)))
               else "ignore" }}'
    options:
      - name: 'ldap_servers'
        value: '{{ ansible_local.ldap.uri | d("") }}'
      - name: 'ldap_bind_dn'
        value: '{{ saslauthd__ldap_binddn }}'
      - name: 'ldap_password'
        value: '{{ saslauthd__ldap_bindpw }}'
      - name: 'ldap_search_base'
        value: '{{ saslauthd__ldap_base_dn | join(",") }}'
      - name: 'ldap_filter'
        value: '(|
                  (&
                    (objectClass=inetOrgPerson)
                    (uid=%u)
                  )
                  (&
                    (objectClass=account)
                    (uid=%U)
                    (host=%r)
                  )
                )'
      - name: 'ldap_scope'
        value: 'sub'
      - name: 'ldap_start_tls'
        value: 'yes'
      - name: 'ldap_tls_check_peer'
        value: 'yes'
      - name: 'ldap_tls_cacert_file'
        value: '/etc/ssl/certs/ca-certificates.crt'

  - name: 'smtpd'
    state: '{{ "present"
               if (saslauthd__ldap_device_dn | d() and
                   ((ansible_local | d() and ansible_local.postfix | d() and
                     (ansible_local.postfix.installed | d()) | bool) or
                    ("debops_service_postfix" in group_names)))
               else "ignore" }}'
    options:
      - name: 'ldap_servers'
        value: '{{ ansible_local.ldap.uri | d("") }}'
      - name: 'ldap_bind_dn'
        value: '{{ saslauthd__ldap_binddn }}'
      - name: 'ldap_password'
        value: '{{ saslauthd__ldap_bindpw }}'
      - name: 'ldap_search_base'
        value: '{{ saslauthd__ldap_base_dn | join(",") }}'
      - name: 'ldap_filter'
        value: '(|
                  (&
                    (objectClass=mailRecipient)
                    (|
                      (uid=%u)
                      (mailAddress=%U@%r)
                      (mailAlternateAddress=%U@%r)
                    )
                    (|
                      (authorizedService=all)
                      (authorizedService=mail:send)
                    )
                  )
                  (&
                    (objectClass=account)
                    (uid=%U)
                    (host=%r)
                    (|
                      (authorizedService=all)
                      (authorizedService=mail:send)
                    )
                  )
                )'
      - name: 'ldap_scope'
        value: 'sub'
      - name: 'ldap_start_tls'
        value: 'yes'
      - name: 'ldap_tls_check_peer'
        value: 'yes'
      - name: 'ldap_tls_cacert_file'
        value: '/etc/ssl/certs/ca-certificates.crt'
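An added example (Python, not DebOps or saslauthd code) that expands the %u, %U and %r tokens of the smtpd profile's ldap_filter above for one login, escaping every substituted value per RFC 4515 so that a login name containing filter metacharacters is matched literally and cannot change the filter structure. Token meanings follow the saslauthd LDAP_SASLAUTHD documentation; the helper names and the sample logins are assumptions of this example.

```python
import re

# Constructed copy of the 'smtpd' profile filter from this page, with the
# line breaks of the YAML scalar removed.
SMTPD_FILTER = (
    "(|(&(objectClass=mailRecipient)"
    "(|(uid=%u)(mailAddress=%U@%r)(mailAlternateAddress=%U@%r))"
    "(|(authorizedService=all)(authorizedService=mail:send)))"
    "(&(objectClass=account)(uid=%U)(host=%r)"
    "(|(authorizedService=all)(authorizedService=mail:send))))"
)

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_RFC4515 = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape LDAP filter metacharacters so *value* is matched literally."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def expand_filter(template: str, user: str, realm: str) -> str:
    """Substitute the %u, %U, %r and %% tokens of a saslauthd ldap_filter.

    user  - login name as received by saslauthd: %u is the whole string, %U the
            part before '@' (the whole string when there is no '@')
    realm - realm field of the saslauthd request: %r
    Substituted values are escaped; the template itself comes from the role.
    """
    local_part = user.partition("@")[0]
    tokens = {
        "%u": escape_filter_value(user),
        "%U": escape_filter_value(local_part),
        "%r": escape_filter_value(realm),
        "%%": "%",
    }
    return re.sub(r"%[uUr%]", lambda m: tokens[m.group(0)], template)


def filter_parens_balanced(ldap_filter: str) -> bool:
    """True when every '(' in the expanded filter has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            return False
    return depth == 0
```

Calling expand_filter(SMTPD_FILTER, "alice", "example.com") yields the filter the LDAP server actually receives for that login; a constructed login such as "*)(uid=*" expands to (uid=\2a\29\28uid=\2a) and leaves the parenthesis structure unchanged.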
- saslauthd__ldap_profiles
List of LDAP profiles for the saslauthd service which should be present on all hosts in the Ansible inventory.
saslauthd__ldap_profiles: []
- saslauthd__ldap_group_profiles
List of LDAP profiles for the saslauthd service which should be present on hosts in a specific Ansible inventory group.
saslauthd__ldap_group_profiles: []
- saslauthd__ldap_host_profiles
List of LDAP profiles for the saslauthd service which should be present on specific hosts in the Ansible inventory.
saslauthd__ldap_host_profiles: []
- saslauthd__ldap_combined_profiles
Variable which combines all other LDAP profile lists and is used in the role tasks and templates.
saslauthd__ldap_combined_profiles: '{{ saslauthd__ldap_default_profiles
                                       + saslauthd__ldap_profiles
                                       + saslauthd__ldap_group_profiles
                                       + saslauthd__ldap_host_profiles }}'
Configuration for other Ansible roles
- saslauthd__ldap__dependent_tasks
Configuration for the debops.ldap Ansible role.
saslauthd__ldap__dependent_tasks:

  - name: 'Create saslauthd account for {{ saslauthd__ldap_device_dn | join(",") }}'
    dn: '{{ saslauthd__ldap_binddn }}'
    objectClass: '{{ saslauthd__ldap_self_object_classes }}'
    attributes: '{{ saslauthd__ldap_self_attributes }}'
    no_log: '{{ debops__no_log | d(True) }}'
    state: '{{ "present" if saslauthd__ldap_device_dn | d() else "ignore" }}'