debops.nslcd default variables

APT packages


List of APT packages required for LDAP lookups via NSS and PAM.

nslcd__base_packages:
  - [ 'libpam-ldapd', 'libnss-ldapd', 'nslcd', 'openssl', 'ca-certificates' ]
  - '{{ "nslcd-utils"
        if (ansible_local|d() and ansible_local.python|d() and
        else [] }}'

List of additional APT packages to install alongside the nslcd package.

nslcd__packages: []

UNIX environment


Name of the UNIX system account which will be used to perform LDAP lookups via the nslcd service.

nslcd__user: 'nslcd'

Name of the UNIX system group which will be used to perform LDAP lookups via the nslcd service.

nslcd__group: 'nslcd'

Default umask for new home directories created by the pam_mkhomedir PAM module.

nslcd__mkhomedir_umask: '{{ ansible_local.core.homedir_umask
                            if (ansible_local|d() and ansible_local.core|d() and
                            else "0027" }}'

LDAP environment


The base Distinguished Name which should be used to create Distinguished Names of the LDAP directory objects, defined as a YAML list. If this variable is empty, the /etc/nslcd.conf configuration file will not be generated.

nslcd__ldap_base_dn: '{{ ansible_local.ldap.base_dn
                         if (ansible_local|d() and ansible_local.ldap|d() and
                         else [] }}'

The Distinguished Name of the current host LDAP object, defined as a YAML list. It will be used as a base for the nslcd service account LDAP object. If the list is empty, the role will not create the account LDAP object automatically.

nslcd__ldap_device_dn: '{{ ansible_local.ldap.device_dn
                         if (ansible_local|d() and ansible_local.ldap|d() and
                         else [] }}'

The Relative Distinguished Name of the account LDAP object used by the nslcd service to access the LDAP directory.

nslcd__ldap_self_rdn: '{{ "uid=" + nslcd__user }}'

List of the LDAP object classes which will be used to create the LDAP object used by the nslcd service to access the LDAP directory.

nslcd__ldap_self_object_classes: [ 'account', 'simpleSecurityObject' ]

YAML dictionary that defines the attributes of the LDAP object used by the nslcd service to access the LDAP directory.

nslcd__ldap_self_attributes:
  uid: '{{ nslcd__ldap_self_rdn.split("=")[1] }}'
  userPassword: '{{ nslcd__ldap_bindpw }}'
  host: '{{ [ ansible_fqdn, ansible_hostname ] | unique }}'
  description: 'Account used by the "nslcd" service to access the LDAP directory'

The Distinguished Name of the account LDAP object used by the nslcd service to bind to the LDAP directory.

nslcd__ldap_binddn: '{{ ([ nslcd__ldap_self_rdn ] + nslcd__ldap_device_dn) | join(",") }}'

The password stored in the account LDAP object used by the nslcd service to bind to the LDAP directory.

nslcd__ldap_bindpw: '{{ lookup("password", secret + "/ldap/credentials/"
                               + nslcd__ldap_binddn | to_uuid + ".password length=32") }}'

List of LDAP search filters which are derived from URN-like patterns defined for a given host in the debops.ldap role. See Host-based access control for more details.

nslcd__ldap_posix_urns: '{{ (ansible_local.ldap.urn_patterns
                             if (ansible_local|d() and ansible_local.ldap|d() and
                             else [])
                            | map("regex_replace", "^(.*)$", "(host=posix:urn:\1)")
                            | list }}'

The LDAP filter used in the passwd, shadow and group filters to control access to the UNIX environment on specific hosts or domains. See the filter_passwd_group parameter in the nslcd configuration for its default usage.

nslcd__ldap_host_filter: '(|
                            (host=posix:{{ ansible_fqdn }})
                            (host=posix:\2a.{{ ansible_domain }})
                            {{ nslcd__ldap_posix_urns | join(" ") }})'
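To make the host-based access control above concrete, the following Python script (an added example, not code from the debops.nslcd role) rebuilds the nslcd__ldap_binddn, nslcd__ldap_posix_urns and nslcd__ldap_host_filter values from constructed sample facts, derives the passwd/group/shadow filters, and then evaluates the host filter against sample LDAP entries to show which accounts become visible on the host. The sample FQDN, domain, URN patterns and device DN are constructed for the example; the filter is emitted without the whitespace of the YAML folded scalar.

```python
import re

# Sample facts and inventory values, constructed for this example; the role
# takes them from ansible_fqdn, ansible_domain and ansible_local.ldap.
SAMPLE_FQDN = "web1.example.org"
SAMPLE_DOMAIN = "example.org"
SAMPLE_URN_PATTERNS = ["all", "web:web1"]
SAMPLE_DEVICE_DN = ["cn=web1.example.org", "ou=Hosts", "dc=example", "dc=org"]


def build_binddn(self_rdn, device_dn):
    # Mirrors nslcd__ldap_binddn: the account RDN is prepended to the host DN.
    return ",".join([self_rdn] + list(device_dn))


def build_posix_urns(urn_patterns):
    # Mirrors nslcd__ldap_posix_urns: every URN-like pattern becomes one
    # equality assertion on the 'host' attribute.
    return ["(host=posix:urn:%s)" % pattern for pattern in urn_patterns]


def build_host_filter(fqdn, domain, urn_patterns=()):
    # Mirrors nslcd__ldap_host_filter. '\2a' is the RFC 4515 escape for '*',
    # so the second assertion matches an attribute value literally written as
    # '*.<domain>' in the directory; it is not a substring wildcard.
    assertions = ["(host=posix:%s)" % fqdn, "(host=posix:\\2a.%s)" % domain]
    assertions += build_posix_urns(urn_patterns)
    return "(|" + "".join(assertions) + ")"


def build_nss_filters(host_filter):
    # Mirrors the 'filter_passwd_group' raw block of the default configuration.
    return {
        "passwd": "(&(objectClass=posixAccount)%s)" % host_filter,
        "group": "(&(objectClass=posixGroupId)%s)" % host_filter,
        "shadow": "(&(objectClass=shadowAccount)%s)" % host_filter,
    }


def unescape_filter_value(value):
    # Decode RFC 4515 '\XX' hex escapes in an assertion value.
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def asserted_host_values(host_filter):
    # Collect the literal 'host' values the OR-filter accepts.
    return {unescape_filter_value(v)
            for v in re.findall(r"\(host=([^)]*)\)", host_filter)}


def entry_visible(entry_host_values, host_filter):
    # An entry passes the host filter if any of its 'host' attribute values
    # equals one of the asserted values; an entry without 'host' never does.
    wanted = asserted_host_values(host_filter)
    return any(value in wanted for value in entry_host_values)


if __name__ == "__main__":
    host_filter = build_host_filter(SAMPLE_FQDN, SAMPLE_DOMAIN, SAMPLE_URN_PATTERNS)
    print(build_binddn("uid=nslcd", SAMPLE_DEVICE_DN))
    for name, ldap_filter in build_nss_filters(host_filter).items():
        print("filter %s %s" % (name, ldap_filter))
    for hosts in (["posix:web1.example.org"], ["posix:*.example.org"],
                  ["posix:urn:all"], ["posix:db1.example.org"], []):
        print(hosts, "->", "visible" if entry_visible(hosts, host_filter) else "hidden")
```

The practical consequence is that an account with no host attribute, or one whose host values name a different host, does not appear in passwd, shadow or group lookups on this machine at all, which is what restricts logins per host without relying on pam_access alone.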

Service configuration

These variables define the contents of the /etc/nslcd.conf configuration file. See nslcd__configuration for more details, and nslcd.conf(5) for possible configuration parameters.


The default nslcd configuration options defined by the role.

nslcd__default_configuration:
  - name: 'uid'
    comment: 'The user and group nslcd should run as.'
    value: '{{ nslcd__user }}'

  - name: 'gid'
    value: '{{ nslcd__group }}'

  - name: 'uri'
    comment: 'The location at which the LDAP server(s) should be reachable.'
    value: '{{ ansible_local.ldap.uri
               if (ansible_local|d() and ansible_local.ldap|d() and
               else "" }}'

  - name: 'base'
    comment: 'The search base that will be used for all queries.'
    value: '{{ nslcd__ldap_base_dn | join(",") }}'

  - name: 'ldap_version'
    comment: 'The LDAP protocol version to use.'
    value: '3'
    state: 'comment'

  - name: 'binddn'
    comment: 'The DN to bind with for normal lookups.'
    value: '{{ nslcd__ldap_binddn }}'

  - name: 'bindpw'
    value: '{{ nslcd__ldap_bindpw }}'

  - name: 'rootpwmoddn'
    comment: 'The DN used for password modifications by root.'
    value: 'cn=admin,dc=example,dc=com'
    state: 'comment'

  - name: 'ssl'
    comment: 'SSL options'
    value: '{{ "start_tls"
               if (ansible_local|d() and ansible_local.ldap|d() and
               else "on" }}'

  - name: 'tls_reqcert'
    value: 'demand'

  - name: 'tls_cacertfile'
    value: '/etc/ssl/certs/ca-certificates.crt'

  - name: 'scope'
    comment: 'The search scope.'
    value: 'sub'
    state: 'comment'

  - name: 'nss_min_uid'
    comment: |
      First valid UID/GID number expected to be in the LDAP directory.
      UIDs/GIDs lower than this value will be ignored.
    value: '{{ ansible_local.ldap.uid_gid_min
               if (ansible_local|d() and ansible_local.ldap|d() and
               else "10000" }}'

  - name: 'map_group_id'
    comment: |
      Use the 'gid' attribute instead of 'cn' as the POSIX group name.
    option: 'map'
    map: 'group'
    value: 'cn gid'

  - name: 'filter_passwd_group'
    raw: |
      filter passwd (& (objectClass=posixAccount) {{ nslcd__ldap_host_filter }} )
      filter group  (& (objectClass=posixGroupId) {{ nslcd__ldap_host_filter }} )
      filter shadow (& (objectClass=shadowAccount) {{ nslcd__ldap_host_filter }} )
    comment: 'Limit which UNIX accounts and groups are present on a host'
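The following Python script is an added example, not the role's own template: it renders a list of items shaped like the entries above (name, value, comment, state, option, map, raw) into nslcd.conf text, parses the result back, and audits it for settings that would send the bind password in cleartext or skip server certificate verification. The rendering rules are an assumption modelled on the item keys visible in the defaults, and the sample items and the ldap.example.org URI are constructed for the example.

```python
# Sample items, constructed for this example after the shape of the role's
# nslcd__default_configuration entries.
SAMPLE_ITEMS = [
    {"name": "uid", "comment": "The user and group nslcd should run as.",
     "value": "nslcd"},
    {"name": "gid", "value": "nslcd"},
    {"name": "uri", "value": "ldap://ldap.example.org/"},
    {"name": "base", "value": "dc=example,dc=org"},
    {"name": "ldap_version", "comment": "The LDAP protocol version to use.",
     "value": "3", "state": "comment"},
    {"name": "ssl", "comment": "SSL options", "value": "start_tls"},
    {"name": "tls_reqcert", "value": "demand"},
    {"name": "tls_cacertfile", "value": "/etc/ssl/certs/ca-certificates.crt"},
    {"name": "map_group_id",
     "comment": "Use the 'gid' attribute instead of 'cn' as the POSIX group name.\n",
     "option": "map", "map": "group", "value": "cn gid"},
    {"name": "filter_passwd_group",
     "raw": "filter passwd (&(objectClass=posixAccount)(host=posix:web1.example.org))\n"
            "filter group  (&(objectClass=posixGroupId)(host=posix:web1.example.org))\n",
     "comment": "Limit which UNIX accounts and groups are present on a host"},
]

# tls_reqcert values that let nslcd talk to a server with an unverified cert.
WEAK_REQCERT = {"never", "allow", "try"}


def render_item(item):
    """Return the nslcd.conf lines for one item (assumed rendering rules)."""
    if item.get("state") == "absent":
        return []
    lines = ["# " + text for text in
             item.get("comment", "").rstrip("\n").split("\n") if text]
    if "raw" in item:
        # 'raw' is emitted verbatim; 'name' only identifies the item.
        return lines + item["raw"].rstrip("\n").split("\n")
    # 'option' overrides the keyword, e.g. name 'map_group_id' -> keyword 'map'.
    parts = [item.get("option", item["name"])]
    if "map" in item:
        parts.append(item["map"])
    if str(item.get("value", "")) != "":
        parts.append(str(item["value"]))
    line = " ".join(parts)
    if item.get("state") == "comment":
        line = "#" + line
    return lines + [line]


def render_config(items):
    """Join the rendered items with blank lines, as the config file would."""
    blocks = ["\n".join(render_item(item)) for item in items]
    return "\n\n".join(block for block in blocks if block) + "\n"


def active_options(text):
    """Parse rendered text back into {keyword: [values]}, skipping comments."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        options.setdefault(keyword, []).append(rest.strip())
    return options


def audit_config(text):
    """Flag settings that expose the bind password or skip server auth."""
    options = active_options(text)
    findings = []
    # nslcd.conf(5): 'ssl' defaults to off, so a missing option is the weak case.
    if options.get("ssl", ["off"])[-1] == "off":
        findings.append("ssl off: LDAP traffic, including bindpw, is sent in cleartext")
    reqcert = options.get("tls_reqcert", [""])[-1]
    if reqcert in WEAK_REQCERT:
        findings.append("tls_reqcert %s: the server certificate is not enforced" % reqcert)
    return findings


if __name__ == "__main__":
    rendered = render_config(SAMPLE_ITEMS)
    print(rendered)
    print("findings:", audit_config(rendered))
```

Running the audit over a rendered file is a cheap post-deployment check: the role's defaults (ssl start_tls or on, tls_reqcert demand, the system CA bundle) produce no findings, while an inventory override that sets tls_reqcert to allow or ssl to off is reported immediately.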

The nslcd configuration options defined on all hosts in the Ansible inventory.

nslcd__configuration: []

The nslcd configuration options defined on hosts in a specific Ansible inventory group.

nslcd__group_configuration: []

The nslcd configuration options defined on specific hosts in the Ansible inventory.

nslcd__host_configuration: []

The variable that combines other nslcd configuration options and is used in the role template.

nslcd__combined_configuration: '{{ nslcd__default_configuration
                                   + nslcd__configuration
                                   + nslcd__group_configuration
                                   + nslcd__host_configuration }}'

Configuration for other Ansible roles


Configuration for the debops.ldap Ansible role.

nslcd__ldap__dependent_tasks:
  - name: 'Create nslcd account for {{ nslcd__ldap_device_dn | join(",") }}'
    dn: '{{ nslcd__ldap_binddn }}'
    objectClass: '{{ nslcd__ldap_self_object_classes }}'
    attributes: '{{ nslcd__ldap_self_attributes }}'
    no_log: True
    state: '{{ "present" if nslcd__ldap_device_dn|d() else "ignore" }}'

Configuration for the debops.nsswitch Ansible role.

nslcd__nsswitch__dependent_services: [ 'ldap' ]