Getting started

OpenLDAP features enabled by default

The debops.slapd role enables and configures some of the OpenLDAP features that otherwise are enabled dynamically and could have different names in the LDAP directory on different installations due to the order in which they were enabled. If you are planning to apply the role on an existing installation, you should review the configuration before doing so - the OpenLDAP server usually refuses the incorrect configuration outright, which should not affect the existing installation, but that's not a 100% guarantee.

Access to service allowed by default

The default configuration allows access to the OpenLDAP service from anywhere through the firewall and TCP Wrappers. Keep that in mind while designing the LDAP Access Control List and password policies. You can control the default behaviour using the slapd__accept_any boolean variable. Another option is to use an external firewall with IDS/IPS systems that can analyze LDAP traffic.

Example inventory

To install and manage the OpenLDAP server on a host, you need to add it to the [debops_service_slapd] Ansible inventory group:

[debops_service_slapd]
hostname

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.slapd role:

---

- name: Manage OpenLDAP service
  hosts: [ 'debops_service_slapd', 'debops_slapd' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  roles:

    - role: debops.ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
      ferm__dependent_rules:
        - '{{ slapd__ferm__dependent_rules }}'

    - role: debops.tcpwrappers
      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
      tcpwrappers__dependent_allow:
        - '{{ slapd__tcpwrappers__dependent_allow }}'

    - role: debops.logrotate
      tags: [ 'role::logrotate', 'skip::logrotate' ]
      logrotate__dependent_config:
        - '{{ slapd__logrotate__dependent_config }}'

    - role: debops.python
      tags: [ 'role::python', 'skip::python', 'role::slapd' ]
      python__dependent_packages3:
        - '{{ slapd__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ slapd__python__dependent_packages2 }}'

    - role: debops.slapd
      tags: [ 'role::slapd', 'skip::slapd' ]

The included debops.ferm and debops.tcpwrappers Ansible roles are optional. They can be used for managing firewall and access rules to the LDAP service.

If you further want to enable LDAP transport layer security in debops.slapd role, the debops.pki and debops.dhparam roles must also be applied on the host. The debops.slapd role will automatically detect and use their configured environments if available.

Ansible tags

You can use Ansible --tags or --skip-tags parameters to limit what tasks are performed during Ansible run. This can be used after host is first configured to speed up playbook execution, when you are sure that most of the configuration has not been changed.

Available role tags:

role::slapd
Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.

Other resources

List of other useful resources related to the debops.slapd Ansible role: