debops.saslauthd default variables

Global configuration

saslauthd__default_mechanism

The default authentication mechanism used by saslauthd if none is specified.

saslauthd__default_mechanism: '{{ "ldap" if saslauthd__ldap_device_dn|d() else "pam" }}'

APT packages

saslauthd__base_packages

List of base APT packages to install for SASL support.

saslauthd__base_packages: [ 'sasl2-bin', 'libsasl2-modules' ]
sslauthd__packages

List of additional APT packages to install with SASL support.

saslauthd__packages: []

Configuration of saslauthd instances

These variables define the instances of saslauthd managed by this role. See saslauthd__instances for more details.

saslauthd__default_instances

The list of default saslauthd instances defined by the role.

saslauthd__default_instances:

  - name: 'smtpd'
    group: 'postfix'
    description: 'Postfix SASL Authentication Daemon'
    config_path: '/etc/postfix/sasl/smtpd.conf'
    config_group: 'postfix'
    config_raw: |
      pwcheck_method: saslauthd
      mech_list: PLAIN LOGIN
    socket_path: '/var/spool/postfix/var/run/saslauthd'
    socket_group: 'postfix'
    ldap_profile: 'smtpd'
    state: '{{ "present"
               if ((ansible_local|d() and ansible_local.postfix|d() and
                    (ansible_local.postfix.installed|d())|bool) or
                   ("debops_service_postfix" in group_names))
               else "ignore" }}'
saslauthd__instances

List of saslauthd instances defined on all hosts in the Ansible inventory.

saslauthd__instances: []
saslauthd__group_instances

List of saslauthd instances defined on hosts in specific Ansible inventory group.

saslauthd__group_instances: []
saslauthd__host_instances

List of saslauthd instances defined on specific hosts in the Ansible inventory.

saslauthd__host_instances: []
saslauthd__dependent_instances

List of saslauthd instances defined by other Ansible roles via role dependent variables.

saslauthd__dependent_instances: []
saslauthd__combined_instances

The combined list of instances passed to the Ansible tasks.

saslauthd__combined_instances: '{{ q("flattened", (saslauthd__default_instances
                                                  + saslauthd__instances
                                                  + saslauthd__group_instances
                                                  + saslauthd__host_instances
                                                  + saslauthd__dependent_instances)) }}'

LDAP environment

saslauthd__ldap_enabled

Enable or disable integration with the LDAP directory. The integration is enabled automatically when the debops.ldap environment is configured on the host.

saslauthd__ldap_enabled: '{{ ansible_local.ldap.enabled
                             if (ansible_local|d() and ansible_local.ldap|d() and
                                 ansible_local.ldap.enabled is defined)
                             else False }}'
saslauthd__ldap_base_dn

The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, /etc/saslauthd.conf configuration file will not be generated.

saslauthd__ldap_base_dn: '{{ ansible_local.ldap.base_dn|d([]) }}'
saslauthd__ldap_device_dn

The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the saslauthd service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.

saslauthd__ldap_device_dn: '{{ ansible_local.ldap.device_dn|d([]) }}'
saslauthd__ldap_self_rdn

The Relative Distinguished Name of the account LDAP object used by the saslauthd service to access the LDAP directory.

saslauthd__ldap_self_rdn: 'uid=saslauthd'
saslauthd__ldap_self_object_classes

List of the LDAP object classes which will be used to create the LDAP object used by the saslauthd service to access the LDAP directory.

saslauthd__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]
saslauthd__ldap_self_attributes

YAML dictionary that defines the attributes of the LDAP object used by the saslauthd service to access the LDAP directory.

saslauthd__ldap_self_attributes:
  uid: '{{ saslauthd__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ saslauthd__ldap_bindpw }}'
  host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
  description: 'Account used by the "saslauthd" service to access the LDAP directory'
saslauthd__ldap_binddn

The Distinguished Name of the account LDAP object used by the saslauthd service to bind to the LDAP directory.

saslauthd__ldap_binddn: '{{ ([ saslauthd__ldap_self_rdn ] + saslauthd__ldap_device_dn) | join(",") }}'
saslauthd__ldap_bindpw

The password stored in the account LDAP object used by the saslauthd service to bind to the LDAP directory.

saslauthd__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                                    + saslauthd__ldap_binddn | to_uuid + ".password length=32"))
                            if saslauthd__ldap_enabled|bool
                            else "" }}'

LDAP profiles

The variables below define different "LDAP profiles" which can be used by saslauthd instances to bind to and interact with the LDAP directory. See saslauthd__ldap_profiles for more details.

saslauthd__ldap_default_profiles

List of default LDAP profiles for the saslauthd service defined by the role.

saslauthd__ldap_default_profiles:

  - name: 'global'
    state: '{{ "present" if saslauthd__ldap_device_dn|d() else "ignore" }}'
    options:

      - name: 'ldap_servers'
        value: '{{ ansible_local.ldap.uri|d("") }}'

      - name: 'ldap_bind_dn'
        value: '{{ saslauthd__ldap_binddn }}'

      - name: 'ldap_password'
        value: '{{ saslauthd__ldap_bindpw }}'

      - name: 'ldap_search_base'
        value: '{{ ([ "ou=People" ] + saslauthd__ldap_base_dn) | join(",") }}'

      - name: 'ldap_filter'
        value: '(&
                  (objectClass=inetOrgPerson)
                  (uid=%u)
                )'

      - name: 'ldap_scope'
        value: 'sub'

      - name: 'ldap_start_tls'
        value: 'yes'

      - name: 'ldap_tls_check_peer'
        value: 'yes'

      - name: 'ldap_tls_cacert_file'
        value: '/etc/ssl/certs/ca-certificates.crt'

  - name: 'slapd'
    state: '{{ "present"
               if (saslauthd__ldap_device_dn|d() and
                   ((ansible_local|d() and ansible_local.slapd|d() and
                     (ansible_local.slapd.installed|d())|bool) or
                    ("debops_service_slapd" in group_names)))
               else "ignore" }}'
    options:

      - name: 'ldap_servers'
        value: '{{ ansible_local.ldap.uri|d("") }}'

      - name: 'ldap_bind_dn'
        value: '{{ saslauthd__ldap_binddn }}'

      - name: 'ldap_password'
        value: '{{ saslauthd__ldap_bindpw }}'

      - name: 'ldap_search_base'
        value: '{{ saslauthd__ldap_base_dn | join(",") }}'

      - name: 'ldap_filter'
        value: '(|
                  (&
                    (objectClass=inetOrgPerson)
                    (uid=%u)
                  )
                  (&
                    (objectClass=account)
                    (uid=%U)
                    (host=%r)
                  )
                )'

      - name: 'ldap_scope'
        value: 'sub'

      - name: 'ldap_start_tls'
        value: 'yes'

      - name: 'ldap_tls_check_peer'
        value: 'yes'

      - name: 'ldap_tls_cacert_file'
        value: '/etc/ssl/certs/ca-certificates.crt'

  - name: 'smtpd'
    state: '{{ "present"
               if (saslauthd__ldap_device_dn|d() and
                   ((ansible_local|d() and ansible_local.postfix|d() and
                     (ansible_local.postfix.installed|d())|bool) or
                    ("debops_service_postfix" in group_names)))
               else "ignore" }}'
    options:

      - name: 'ldap_servers'
        value: '{{ ansible_local.ldap.uri|d("") }}'

      - name: 'ldap_bind_dn'
        value: '{{ saslauthd__ldap_binddn }}'

      - name: 'ldap_password'
        value: '{{ saslauthd__ldap_bindpw }}'

      - name: 'ldap_search_base'
        value: '{{ saslauthd__ldap_base_dn | join(",") }}'

      - name: 'ldap_filter'
        value: '(|
                  (&
                    (objectClass=mailRecipient)
                    (|
                      (uid=%u)
                      (mailAddress=%U@%r)
                      (mailAlternateAddress=%U@%r)
                    )
                    (|
                      (authorizedService=all)
                      (authorizedService=mail:send)
                    )
                  )
                  (&
                    (objectClass=account)
                    (uid=%U)
                    (host=%r)
                    (|
                      (authorizedService=all)
                      (authorizedService=mail:send)
                    )
                  )
                )'

      - name: 'ldap_scope'
        value: 'sub'

      - name: 'ldap_start_tls'
        value: 'yes'

      - name: 'ldap_tls_check_peer'
        value: 'yes'

      - name: 'ldap_tls_cacert_file'
        value: '/etc/ssl/certs/ca-certificates.crt'
saslauthd__ldap_profiles

List of LDAP profiles for the saslauthd service which should be present on all hosts in the Ansible inventory.

saslauthd__ldap_profiles: []
saslauthd__ldap_group_profiles

List of LDAP profiles for the saslauthd service which should be present on hosts in a specific Ansible inventory group.

saslauthd__ldap_group_profiles: []
saslauthd__ldap_host_profiles

List of LDAP profiles for the saslauthd service which should be present on specific hosts in the Ansible inventory.

saslauthd__ldap_host_profiles: []
saslauthd__ldap_combined_profiles

Variable which combines all other LDAP profile lists and is used in the role tasks and templates.

saslauthd__ldap_combined_profiles: '{{ saslauthd__ldap_default_profiles
                                       + saslauthd__ldap_profiles
                                       + saslauthd__ldap_group_profiles
                                       + saslauthd__ldap_host_profiles }}'

Configuration for other Ansible roles

saslauthdd__ldap__dependent_tasks

Configuration for the debops.ldap Ansible role.

saslauthd__ldap__dependent_tasks:

  - name: 'Create saslauthd account for {{ saslauthd__ldap_device_dn | join(",") }}'
    dn: '{{ saslauthd__ldap_binddn }}'
    objectClass: '{{ saslauthd__ldap_self_object_classes }}'
    attributes: '{{ saslauthd__ldap_self_attributes }}'
    no_log: False
    state: '{{ "present" if saslauthd__ldap_device_dn|d() else "ignore" }}'