debops.nslcd default variables

APT packages

nslcd__base_packages

List of APT packages required for LDAP lookups via NSS and PAM.

# Packages for NSS/PAM lookups through nslcd. The second element is a Jinja
# expression that evaluates to 'nslcd-utils' only when the local 'python'
# facts exist and their 'installed2' flag is truthy (presumably "Python 2 is
# installed"); otherwise it evaluates to an empty list. Note the result is a
# nested list — the consuming task is not visible here, verify it flattens.
nslcd__base_packages:
  - [ 'libpam-ldapd', 'libnss-ldapd', 'nslcd', 'openssl', 'ca-certificates' ]
  - '{{ "nslcd-utils"
        if (ansible_local|d() and ansible_local.python|d() and
            (ansible_local.python.installed2|d())|bool)
        else [] }}'
nslcd__packages

List of additional APT packages to install with nslcd package.

nslcd__packages: []

UNIX environment

nslcd__user

Name of the UNIX system account which will be used to perform LDAP lookups via the nslcd service.

nslcd__user: 'nslcd'
nslcd__group

Name of the UNIX system group which will be used to perform LDAP lookups via the nslcd service.

nslcd__group: 'nslcd'
nslcd__mkhomedir_umask

Default umask for new home directories created by the pam_mkhomedir PAM module.

nslcd__mkhomedir_umask: '{{ ansible_local.core.homedir_umask|d("0027") }}'

LDAP environment

nslcd__ldap_enabled

Enable or disable integration with the LDAP directory. The integration is enabled automatically when the debops.ldap environment is configured on the host.

# Mirrors the 'enabled' flag from the debops.ldap local facts when that fact
# exists; False otherwise. Gates password generation in nslcd__ldap_bindpw.
nslcd__ldap_enabled: '{{ ansible_local.ldap.enabled
                         if (ansible_local|d() and ansible_local.ldap|d() and
                             ansible_local.ldap.enabled is defined)
                         else False }}'
nslcd__ldap_base_dn

The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, /etc/nslcd.conf configuration file will not be generated.

nslcd__ldap_base_dn: '{{ ansible_local.ldap.base_dn|d([]) }}'
nslcd__ldap_device_dn

The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the nslcd service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.

nslcd__ldap_device_dn: '{{ ansible_local.ldap.device_dn|d([]) }}'
nslcd__ldap_self_rdn

The Relative Distinguished Name of the account LDAP object used by the nslcd service to access the LDAP directory.

nslcd__ldap_self_rdn: '{{ "uid=" + nslcd__user }}'
nslcd__ldap_self_object_classes

List of the LDAP object classes which will be used to create the LDAP object used by the nslcd service to access the LDAP directory.

nslcd__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
nslcd__ldap_self_attributes

YAML dictionary that defines the attributes of the LDAP object used by the nslcd service to access the LDAP directory.

# Attributes of the service account object.
nslcd__ldap_self_attributes:
  # The value part of the RDN (everything after the first '=').
  uid: '{{ nslcd__ldap_self_rdn.split("=")[1] }}'
  # The generated bind password; this is secret material and is written to
  # the directory by the dependent task (which runs with no_log).
  userPassword: '{{ nslcd__ldap_bindpw }}'
  # FQDN and short hostname of this host, de-duplicated.
  host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
  description: 'Account used by the "nslcd" service to access the LDAP directory'
nslcd__ldap_binddn

The Distinguished Name of the account LDAP object used by the nslcd service to bind to the LDAP directory.

nslcd__ldap_binddn: '{{ ([ nslcd__ldap_self_rdn ] + nslcd__ldap_device_dn) | join(",") }}'
nslcd__ldap_bindpw

The password stored in the account LDAP object used by the nslcd service to bind to the LDAP directory.

# Bind password, read from (or generated into) the 'password' lookup store
# under '<secret>/ldap/credentials/<uuid of bind DN>.password', 32 characters.
# The '| to_uuid' filter binds tighter than '+', so it applies to
# nslcd__ldap_binddn alone, not to the concatenated path. Empty string when
# LDAP integration is disabled, so no password file is created in that case.
# The value is rendered into /etc/nslcd.conf as 'bindpw' — treat it as secret.
nslcd__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                                + nslcd__ldap_binddn | to_uuid + ".password length=32"))
                        if nslcd__ldap_enabled|bool
                        else "" }}'
nslcd__ldap_posix_urns

List of LDAP search filters which are derived from URN-like patterns defined for a given host in the debops.ldap role. See Host-based access control for more details.

# Turns each URN pattern from the debops.ldap local facts into a filter
# component '(host=posix:urn:<pattern>)'; '\1' is the regex back-reference to
# the whole pattern. Empty list when no patterns are defined.
nslcd__ldap_posix_urns: '{{ (ansible_local.ldap.urn_patterns
                             if (ansible_local.ldap.urn_patterns|d())
                             else [])
                            | map("regex_replace", "^(.*)$", "(host=posix:urn:\1)")
                            | list }}'
nslcd__ldap_host_filter

The LDAP filter used in passwd, shadow and group filters to control the access to UNIX environment on specific hosts or domains. See the filter_passwd_group parameter in nslcd configuration for its default usage.

# LDAP OR-filter that limits which directory accounts/groups are visible on
# this host: entries whose 'host' attribute is 'posix:all', 'posix:<fqdn>',
# or the literal value 'posix:*.<domain>' ('\2a' is the RFC 4515 hex escape
# for '*', so it matches a stored asterisk rather than acting as a wildcard),
# plus any URN-derived components. Line breaks inside this single-quoted
# scalar fold to single spaces, so the rendered filter is one line.
nslcd__ldap_host_filter: '(|
                            (host=posix:all)
                            (host=posix:{{ ansible_fqdn }})
                            (host=posix:\2a.{{ ansible_domain }})
                            {{ nslcd__ldap_posix_urns | join(" ") }}
                          )'

Service configuration

These variables define the contents of the /etc/nslcd.conf configuration file. See nslcd__configuration for more details, and nslcd.conf(5) for possible configuration parameters.

nslcd__idle_timelimit

The idle timelimit for connections with the LDAP server. This must be lower than the server's olcIdleTimeout, otherwise nslcd will log error messages like "ldap_result() failed: Can't contact LDAP server".

nslcd__idle_timelimit: '600'
nslcd__default_configuration

The default nslcd configuration options defined by the role.

# Default /etc/nslcd.conf entries. Entries with 'state: comment' are
# presumably rendered commented-out by the template (template not visible
# here); 'raw' entries are emitted verbatim.
nslcd__default_configuration:

  - name: 'uid'
    comment: 'The user and group nslcd should run as.'
    value: '{{ nslcd__user }}'

  - name: 'gid'
    value: '{{ nslcd__group }}'

  # Empty string when the debops.ldap local facts define no URI.
  - name: 'uri'
    comment: 'The location at which the LDAP server(s) should be reachable.'
    value: '{{ ansible_local.ldap.uri|d("") }}'

  - name: 'idle_timelimit'
    comment: 'The idle timelimit for connections with the LDAP server.'
    value: '{{ nslcd__idle_timelimit }}'

  - name: 'base'
    comment: 'The search base that will be used for all queries.'
    value: '{{ nslcd__ldap_base_dn | join(",") }}'

  - name: 'ldap_version'
    comment: 'The LDAP protocol version to use.'
    value: '3'
    state: 'comment'

  - name: 'binddn'
    comment: 'The DN to bind with for normal lookups.'
    value: '{{ nslcd__ldap_binddn }}'

  # Secret material; the generated password from nslcd__ldap_bindpw.
  - name: 'bindpw'
    value: '{{ nslcd__ldap_bindpw }}'

  # Placeholder example value only; disabled by 'state: comment'.
  - name: 'rootpwmoddn'
    comment: 'The DN used for password modifications by root.'
    value: 'cn=admin,dc=example,dc=com'
    state: 'comment'

  # Use STARTTLS when the debops.ldap local facts request it, otherwise
  # 'on' (TLS from the start). Either way the connection is encrypted.
  - name: 'ssl'
    comment: 'SSL options'
    value: '{{ "start_tls"
               if (ansible_local|d() and ansible_local.ldap|d() and
                   (ansible_local.ldap.start_tls|d())|bool)
               else "on" }}'

  # 'demand' requires a valid server certificate; the connection fails
  # otherwise, so the CA bundle below must contain the issuing CA.
  - name: 'tls_reqcert'
    value: 'demand'

  - name: 'tls_cacertfile'
    value: '/etc/ssl/certs/ca-certificates.crt'

  - name: 'scope'
    comment: 'The search scope.'
    value: 'sub'
    state: 'comment'

  # Lower bound for UIDs/GIDs accepted from the directory; entries below it
  # are ignored by nslcd. Taken from the debops.ldap local facts, default
  # "10000" (quoted so YAML keeps it a string).
  - name: 'nss_min_uid'
    comment: |
      First valid UID/GID number expected to be in the LDAP directory.
      UIDs/GIDs lower than this value will be ignored.
    value: '{{ ansible_local.ldap.uid_gid_min|d("10000") }}'

  # Rendered as a 'map group cn gid' line.
  - name: 'map_group_id'
    comment: |
      Use the 'gid' attribute instead of 'cn' as the POSIX group name.
    option: 'map'
    map: 'group'
    value: 'cn gid'

  # Each NSS map is restricted to the matching object class AND the
  # per-host filter from nslcd__ldap_host_filter.
  - name: 'filter_passwd_group'
    raw: |
      filter passwd (& (objectClass=posixAccount) {{ nslcd__ldap_host_filter }} )
      filter group  (& (objectClass=posixGroupId) {{ nslcd__ldap_host_filter }} )
      filter shadow (& (objectClass=shadowAccount) {{ nslcd__ldap_host_filter }} )
    comment: 'Limit which UNIX accounts and groups are present on a host'
nslcd__configuration

The nslcd configuration options defined on all hosts in the Ansible inventory.

nslcd__configuration: []
nslcd__group_configuration

The nslcd configuration options defined on hosts in a specific Ansible inventory group.

nslcd__group_configuration: []
nslcd__host_configuration

The nslcd configuration options defined on specific hosts in the Ansible inventory.

nslcd__host_configuration: []
nslcd__combined_configuration

The variable that combines other nslcd configuration options and is used in the role template.

# Concatenation consumed by the template, in increasing order of specificity
# (defaults, inventory, group, host).
nslcd__combined_configuration: '{{ nslcd__default_configuration
                                   + nslcd__configuration
                                   + nslcd__group_configuration
                                   + nslcd__host_configuration }}'

Configuration for other Ansible roles

nslcd__ldap__dependent_tasks

Configuration for the debops.ldap Ansible role.

# Task handed to the debops.ldap role to create the nslcd bind account.
nslcd__ldap__dependent_tasks:

  - name: 'Create nslcd account for {{ nslcd__ldap_device_dn | join(",") }}'
    dn: '{{ nslcd__ldap_binddn }}'
    objectClass: '{{ nslcd__ldap_self_object_classes }}'
    attributes: '{{ nslcd__ldap_self_attributes }}'
    # The attributes include userPassword, so task output must not be logged.
    no_log: True
    # Only create the object when the host has POSIX support enabled in the
    # debops.ldap local facts and a host DN to place it under.
    state: '{{ "present"
               if ((ansible_local.ldap.posix_enabled|d())|bool and
                   nslcd__ldap_device_dn|d())
               else "ignore" }}'
nslcd__nsswitch__dependent_services

Configuration for the debops.nsswitch Ansible role.

nslcd__nsswitch__dependent_services: [ 'ldap' ]