debops.saslauthd default variables

Global configuration


The default authentication mechanism used by saslauthd instances that do not specify their own: `ldap` when the host has an LDAP device DN (see the LDAP environment section below), `pam` otherwise.

saslauthd__default_mechanism: '{{ "ldap" if saslauthd__ldap_device_dn|d() else "pam" }}'

APT packages


List of base APT packages to install for SASL support.

saslauthd__base_packages: [ 'sasl2-bin', 'libsasl2-modules' ]

List of additional APT packages to install with SASL support.

saslauthd__packages: []

Configuration of saslauthd instances

These variables define the instances of saslauthd managed by this role. See saslauthd__instances for more details.


The list of default saslauthd instances defined by the role. The default `smtpd` instance offers only the PLAIN and LOGIN mechanisms: saslauthd verifies a password against PAM or the LDAP directory, so it cannot support challenge-response mechanisms, and the client sends the password itself. Expose this instance to mail clients only over TLS.

saslauthd__default_instances:

  - name: 'smtpd'
    group: 'postfix'
    description: 'Postfix SASL Authentication Daemon'
    config_path: '/etc/postfix/sasl/smtpd.conf'
    config_group: 'postfix'
    config_raw: |
      pwcheck_method: saslauthd
      mech_list: PLAIN LOGIN
    socket_path: '/var/spool/postfix/var/run/saslauthd'
    socket_group: 'postfix'
    ldap_profile: 'smtpd'
    state: '{{ "present"
               if ((ansible_local|d() and ansible_local.postfix|d() and
                    (ansible_local.postfix.installed|d())|bool) or
                   ("debops_service_postfix" in group_names))
               else "ignore" }}'

List of saslauthd instances defined on all hosts in the Ansible inventory.

saslauthd__instances: []

List of saslauthd instances defined on hosts in specific Ansible inventory group.

saslauthd__group_instances: []

List of saslauthd instances defined on specific hosts in the Ansible inventory.

saslauthd__host_instances: []

List of saslauthd instances defined by other Ansible roles via role dependent variables.

saslauthd__dependent_instances: []

The combined list of instances passed to the Ansible tasks.

saslauthd__combined_instances: '{{ q("flattened", (saslauthd__default_instances
                                                  + saslauthd__instances
                                                  + saslauthd__group_instances
                                                  + saslauthd__host_instances
                                                  + saslauthd__dependent_instances)) }}'
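As an added example of how these lists are used in an Ansible inventory (this is not part of the debops.saslauthd role), the host_vars entry below defines an extra instance for a hypothetical `webmail` service; the service name, the paths and the `www-data` group are assumptions, while the keys are the ones used by the default `smtpd` instance above:

```yaml
# Added example for host_vars/<hostname>/saslauthd.yml; not from the
# debops.saslauthd role. The 'webmail' service, its paths and its group
# are hypothetical.
saslauthd__host_instances:

  - name: 'webmail'
    group: 'www-data'
    description: 'Webmail SASL Authentication Daemon'
    config_path: '/etc/webmail/sasl/webmail.conf'
    config_group: 'www-data'
    # saslauthd can only verify plaintext mechanisms, so this service must
    # accept these logins over TLS only.
    config_raw: |
      pwcheck_method: saslauthd
      mech_list: PLAIN LOGIN
    # A separate socket per instance keeps the service's group from reaching
    # the Postfix socket under /var/spool/postfix.
    socket_path: '/var/run/saslauthd-webmail'
    socket_group: 'www-data'
    # Reuse the 'global' LDAP profile defined by the role.
    ldap_profile: 'global'
    state: 'present'
```

After the role has run, `testsaslauthd -u <user> -p <password> -f <socket_path>/mux` on the host verifies that the instance accepts a directory account, and `ls -l <socket_path>` confirms that only the `socket_group` can reach the socket.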

LDAP environment


Enable or disable integration with the LDAP directory. The integration is enabled automatically when the debops.ldap environment is configured on the host.

saslauthd__ldap_enabled: '{{ ansible_local.ldap.enabled
                             if (ansible_local|d() and ansible_local.ldap|d() and
                                 ansible_local.ldap.enabled is defined)
                             else False }}'

The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, the /etc/saslauthd.conf configuration file will not be generated.

saslauthd__ldap_base_dn: '{{ ansible_local.ldap.base_dn|d([]) }}'

The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the saslauthd service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.

saslauthd__ldap_device_dn: '{{ ansible_local.ldap.device_dn|d([]) }}'

The Relative Distinguished Name of the account LDAP object used by the saslauthd service to access the LDAP directory.

saslauthd__ldap_self_rdn: 'uid=saslauthd'

List of the LDAP object classes which will be used to create the LDAP object used by the saslauthd service to access the LDAP directory.

saslauthd__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]

YAML dictionary that defines the attributes of the LDAP object used by the saslauthd service to access the LDAP directory.

saslauthd__ldap_self_attributes:
  uid: '{{ saslauthd__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ saslauthd__ldap_bindpw }}'
  host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
  description: 'Account used by the "saslauthd" service to access the LDAP directory'

The Distinguished Name of the account LDAP object used by the saslauthd service to bind to the LDAP directory.

saslauthd__ldap_binddn: '{{ ([ saslauthd__ldap_self_rdn ] + saslauthd__ldap_device_dn) | join(",") }}'

The password stored in the account LDAP object used by the saslauthd service to bind to the LDAP directory.

saslauthd__ldap_bindpw: '{{ (lookup("password", secret + "/ldap/credentials/"
                                    + saslauthd__ldap_binddn | to_uuid + ".password length=32"))
                            if saslauthd__ldap_enabled|bool
                            else "" }}'

LDAP profiles

The variables below define different "LDAP profiles" which can be used by saslauthd instances to bind to and interact with the LDAP directory. See saslauthd__ldap_profiles for more details.


List of default LDAP profiles for the saslauthd service defined by the role.

saslauthd__ldap_default_profiles:

  - name: 'global'
    state: '{{ "present" if saslauthd__ldap_device_dn|d() else "ignore" }}'

      - name: 'ldap_servers'
        value: '{{ ansible_local.ldap.uri|d("") }}'

      - name: 'ldap_bind_dn'
        value: '{{ saslauthd__ldap_binddn }}'

      - name: 'ldap_password'
        value: '{{ saslauthd__ldap_bindpw }}'

      - name: 'ldap_search_base'
        value: '{{ ([ "ou=People" ] + saslauthd__ldap_base_dn) | join(",") }}'

      - name: 'ldap_filter'
        value: '(&

      - name: 'ldap_scope'
        value: 'sub'

      - name: 'ldap_start_tls'
        value: 'yes'

      - name: 'ldap_tls_check_peer'
        value: 'yes'

      - name: 'ldap_tls_cacert_file'
        value: '/etc/ssl/certs/ca-certificates.crt'

  - name: 'slapd'
    state: '{{ "present"
               if (saslauthd__ldap_device_dn|d() and
                   ((ansible_local|d() and ansible_local.slapd|d() and
                     (ansible_local.slapd.installed|d())|bool) or
                    ("debops_service_slapd" in group_names)))
               else "ignore" }}'

      - name: 'ldap_servers'
        value: '{{ ansible_local.ldap.uri|d("") }}'

      - name: 'ldap_bind_dn'
        value: '{{ saslauthd__ldap_binddn }}'

      - name: 'ldap_password'
        value: '{{ saslauthd__ldap_bindpw }}'

      - name: 'ldap_search_base'
        value: '{{ saslauthd__ldap_base_dn | join(",") }}'

      - name: 'ldap_filter'
        value: '(|

      - name: 'ldap_scope'
        value: 'sub'

      - name: 'ldap_start_tls'
        value: 'yes'

      - name: 'ldap_tls_check_peer'
        value: 'yes'

      - name: 'ldap_tls_cacert_file'
        value: '/etc/ssl/certs/ca-certificates.crt'

  - name: 'smtpd'
    state: '{{ "present"
               if (saslauthd__ldap_device_dn|d() and
                   ((ansible_local|d() and ansible_local.postfix|d() and
                     (ansible_local.postfix.installed|d())|bool) or
                    ("debops_service_postfix" in group_names)))
               else "ignore" }}'

      - name: 'ldap_servers'
        value: '{{ ansible_local.ldap.uri|d("") }}'

      - name: 'ldap_bind_dn'
        value: '{{ saslauthd__ldap_binddn }}'

      - name: 'ldap_password'
        value: '{{ saslauthd__ldap_bindpw }}'

      - name: 'ldap_search_base'
        value: '{{ saslauthd__ldap_base_dn | join(",") }}'

      - name: 'ldap_filter'
        value: '(|

      - name: 'ldap_scope'
        value: 'sub'

      - name: 'ldap_start_tls'
        value: 'yes'

      - name: 'ldap_tls_check_peer'
        value: 'yes'

      - name: 'ldap_tls_cacert_file'
        value: '/etc/ssl/certs/ca-certificates.crt'

List of LDAP profiles for the saslauthd service which should be present on all hosts in the Ansible inventory.

saslauthd__ldap_profiles: []

List of LDAP profiles for the saslauthd service which should be present on hosts in a specific Ansible inventory group.

saslauthd__ldap_group_profiles: []

List of LDAP profiles for the saslauthd service which should be present on specific hosts in the Ansible inventory.

saslauthd__ldap_host_profiles: []

Variable which combines all other LDAP profile lists and is used in the role tasks and templates.

saslauthd__ldap_combined_profiles: '{{ saslauthd__ldap_default_profiles
                                       + saslauthd__ldap_profiles
                                       + saslauthd__ldap_group_profiles
                                       + saslauthd__ldap_host_profiles }}'
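The following Python block is an added example, not code from the debops.saslauthd role: it reproduces the DN assembly behind `saslauthd__ldap_binddn`, `saslauthd__ldap_bindpw` and the profile search bases, combines profile lists the way the variables above do, renders the resulting `key: value` options for an instance's configuration, and audits each rendered profile for the settings that would expose the bind password and user passwords on the network. It assumes that each profile keeps its settings in an `options` list of name/value pairs and that a later profile with the same name replaces an earlier one when the lists are combined; the DNs, server URI, password and `ldap_filter` it uses are constructed sample values (the page's own filter values are cut short).

```python
"""Added example, not code from debops.saslauthd: DN assembly, profile
combination, saslauthd.conf rendering and a TLS audit of the result.
Assumptions: profiles keep settings in an 'options' list of name/value
pairs; later same-named profiles replace earlier ones when combined."""
import uuid

# Ansible's to_uuid filter is uuid5 under this fixed Ansible namespace.
ANSIBLE_UUID_NAMESPACE = uuid.UUID("361E6D51-FAEC-444A-9079-341386DA8E2E")


def bind_dn(self_rdn, device_dn):
    """([ self_rdn ] + device_dn) | join(",") as in saslauthd__ldap_binddn."""
    return ",".join([self_rdn] + list(device_dn))


def search_base(prefix, base_dn):
    """([ "ou=People" ] + base_dn) | join(",") as in the 'global' profile."""
    return ",".join(list(prefix) + list(base_dn))


def bindpw_secret_path(secret, binddn):
    """Where the password lookup in saslauthd__ldap_bindpw keeps the secret."""
    return f"{secret}/ldap/credentials/{uuid.uuid5(ANSIBLE_UUID_NAMESPACE, binddn)}.password"


def combine_profiles(*profile_lists):
    """Flatten the lists, let later same-named entries replace earlier ones
    (assumed semantics) and drop profiles whose state is 'ignore'."""
    merged = {}
    for profiles in profile_lists:
        for profile in profiles:
            merged[profile["name"]] = profile
    return [p for p in merged.values() if p.get("state", "present") != "ignore"]


def render_profile(profile):
    """Emit the 'key: value' lines that go into an instance's saslauthd config."""
    return "".join(f"{o['name']}: {o['value']}\n" for o in profile["options"])


def tls_findings(profile):
    """Return the reasons a profile would leak credentials on the wire."""
    opts = {o["name"]: str(o["value"]).strip().lower() for o in profile["options"]}
    findings = []
    servers = opts.get("ldap_servers", "")
    if not servers:
        findings.append("ldap_servers is empty; saslauthd has nowhere to bind")
    ldaps_only = bool(servers) and all(u.startswith("ldaps://") for u in servers.split())
    if opts.get("ldap_start_tls") != "yes" and not ldaps_only:
        findings.append("no STARTTLS and not ldaps://: bind password and user "
                        "passwords cross the network in cleartext")
    if opts.get("ldap_tls_check_peer") != "yes":
        findings.append("ldap_tls_check_peer is not 'yes': a spoofed directory "
                        "server can harvest the bind password and user passwords")
    return findings


# Constructed sample environment (not real hosts or credentials).
DEVICE_DN = ["cn=mail.example.org", "ou=Hosts", "dc=example", "dc=org"]
BASE_DN = ["dc=example", "dc=org"]
BINDDN = bind_dn("uid=saslauthd", DEVICE_DN)


def _profile(name, overrides=None, state="present"):
    """Build a profile shaped like the role's defaults, with optional overrides."""
    options = [
        {"name": "ldap_servers", "value": "ldap://ldap.example.org/"},
        {"name": "ldap_bind_dn", "value": BINDDN},
        {"name": "ldap_password", "value": "constructed-bind-password"},
        {"name": "ldap_search_base", "value": search_base(["ou=People"], BASE_DN)},
        # The page's ldap_filter values are cut short; this one is a placeholder.
        {"name": "ldap_filter", "value": "(&(objectClass=inetOrgPerson)(uid=%u))"},
        {"name": "ldap_scope", "value": "sub"},
        {"name": "ldap_start_tls", "value": "yes"},
        {"name": "ldap_tls_check_peer", "value": "yes"},
        {"name": "ldap_tls_cacert_file", "value": "/etc/ssl/certs/ca-certificates.crt"},
    ]
    for option in options:
        if overrides and option["name"] in overrides:
            option["value"] = overrides[option["name"]]
    return {"name": name, "state": state, "options": options}


DEFAULT_PROFILES = [_profile("global"), _profile("smtpd"), _profile("slapd", state="ignore")]
# A host-level override that weakens the smtpd profile (a constructed mistake).
HOST_PROFILES = [_profile("smtpd", {"ldap_tls_check_peer": "no"})]


def audit(*profile_lists):
    """Map profile name -> findings for every profile that will be rendered."""
    return {p["name"]: tls_findings(p) for p in combine_profiles(*profile_lists)}


if __name__ == "__main__":
    for profile in combine_profiles(DEFAULT_PROFILES, HOST_PROFILES):
        print(f"# profile {profile['name']}\n{render_profile(profile)}")
    for name, findings in audit(DEFAULT_PROFILES, HOST_PROFILES).items():
        print(name, "OK" if not findings else findings)
```

Running the block prints the two profiles that survive the combination (the `slapd` profile is dropped because its state is `ignore`) and flags the host-level `smtpd` override, which keeps STARTTLS but stops verifying the directory server's certificate. The audit is worth running against any inventory override of the default profiles, since `ldap_password` ends up in the rendered file and a weakened TLS setting exposes that password together with every user password the instance verifies.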

Configuration for other Ansible roles


Configuration for the debops.ldap Ansible role.


  - name: 'Create saslauthd account for {{ saslauthd__ldap_device_dn | join(",") }}'
    dn: '{{ saslauthd__ldap_binddn }}'
    objectClass: '{{ saslauthd__ldap_self_object_classes }}'
    attributes: '{{ saslauthd__ldap_self_attributes }}'
    no_log: '{{ debops__no_log | d(True) }}'
    state: '{{ "present" if saslauthd__ldap_device_dn|d() else "ignore" }}'