Getting started

OpenLDAP features enabled by default

The debops.slapd role enables and configures some of the OpenLDAP features that otherwise are enabled dynamically and could have different names in the LDAP directory on different installations due to the order in which they were enabled. If you are planning to apply the role on an existing installation, you should review the configuration before doing so - the OpenLDAP server usually refuses the incorrect configuration outright, which should not affect the existing installation, but that's not a 100% guarantee.

Access to service allowed by default

The default configuration allows access to the OpenLDAP service from anywhere through the firewall and TCP Wrappers. Keep that in mind while designing the LDAP Access Control List and password policies. You can control the default behaviour using the slapd__accept_any boolean variable. Another option is to use an external firewall with IDS/IPS systems that can analyze LDAP traffic.

SASL authentication

The role uses the debops.saslauthd Ansible role to configure the saslauthd service which provides SASL authentication capability. PAM authentication is used by default to authenticate LDAP access via the UNIX accounts. If LDAP support is configured on the host by the debops.ldap role, the directory will be used for authentication instead.

Humans can authenticate themselves by specifying their account names without a domain part, which are defined by the uid attribute of their inetOrgPerson LDAP objects, looked up in the ou=People subtree of the LDAP directory.

Computers can authenticate to the LDAP directory by specifying an UNIX account name and their FQDN domain name, for example sshd@host.example.org, which corresponds to the uid and host attributes of the account LDAP objects. Only hosts that have been registered in the LDAP directory ou=Hosts subtree can authenticate with this method.

The debops.saslauthd role defines the slapd LDAP profile which contains the LDAP search query and filtering rules which can be used for access control to the OpenLDAP directory itself.

Example inventory

To install and manage the OpenLDAP server on a host, you need to add it to the [debops_service_slapd] Ansible inventory group:

[debops_service_slapd]
hostname

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.slapd role:

---

- name: Manage OpenLDAP service
  hosts: [ 'debops_service_slapd', 'debops_slapd' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  roles:

    - role: debops.ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
      ferm__dependent_rules:
        - '{{ slapd__ferm__dependent_rules }}'

    - role: debops.tcpwrappers
      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
      tcpwrappers__dependent_allow:
        - '{{ slapd__tcpwrappers__dependent_allow }}'

    - role: debops.logrotate
      tags: [ 'role::logrotate', 'skip::logrotate' ]
      logrotate__dependent_config:
        - '{{ slapd__logrotate__dependent_config }}'

    - role: debops.python
      tags: [ 'role::python', 'skip::python', 'role::ldap', 'role::slapd' ]
      python__dependent_packages3:
        - '{{ ldap__python__dependent_packages3 }}'
        - '{{ slapd__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ ldap__python__dependent_packages2 }}'
        - '{{ slapd__python__dependent_packages2 }}'

    - role: debops.ldap
      tags: [ 'role::ldap', 'skip::ldap' ]
      ldap__dependent_tasks:
        - '{{ saslauthd__ldap__dependent_tasks }}'

    - role: debops.saslauthd
      tags: [ 'role::saslauthd', 'skip::saslauthd' ]
      saslauthd__dependent_instances:
        - '{{ slapd__saslauthd__dependent_instances }}'

    - role: debops.slapd
      tags: [ 'role::slapd', 'skip::slapd' ]

The included debops.ferm and debops.tcpwrappers Ansible roles are optional. They can be used for managing firewall and access rules to the LDAP service.

If you further want to enable LDAP transport layer security in debops.slapd role, the debops.pki and debops.dhparam roles must also be applied on the host. The debops.slapd role will automatically detect and use their configured environments if available.

Ansible tags

You can use Ansible --tags or --skip-tags parameters to limit what tasks are performed during Ansible run. This can be used after host is first configured to speed up playbook execution, when you are sure that most of the configuration has not been changed.

Available role tags:

role::slapd
Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.

Other resources

List of other useful resources related to the debops.slapd Ansible role: