[debops.slapd] Enable substring index for sudoUser

Without this, the hosts that read 'sudo' rules from LDAP can get
completely frozen with an Ansible playbook executed via the 'become' method
due to too many non-indexed queries to the LDAP directory.
drybjed committed Sep 4, 2019
1 parent 15c8963 commit 065bbf83d1f21fbd87451cc2f919787e0b73b7cb
Showing with 9 additions and 1 deletion.
  1. +8 −0 CHANGELOG.rst
  2. +1 −1 ansible/roles/debops.slapd/defaults/main.yml
@@ -62,6 +62,14 @@ Updates of upstream application versions
hosts with more than one network interface (not counting ``lo``), or if local
DNS services are also present on the host.

:ref:`debops.slapd` role

- Enable substring index for the ``sudoUser`` attribute from the :ref:`sudo
LDAP schema <slapd__ref_sudo>`. Existing installations should be updated
manually via the LDAP client, by setting the value of the ``sudoUser`` index
to ``eq,sub``.

:ref:`debops.sshd` role
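
Review bot: The new debops.slapd changelog entry tells existing installations to set the ``sudoUser`` index to ``eq,sub`` by hand, but gives neither the reason nor the place to make the change. Suggest adding the reason from the commit message (hosts that read sudo rules from LDAP can freeze on non-indexed queries) and naming the configuration entry that holds the index list, so an administrator can judge how urgent the manual update is and knows what to modify.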

@@ -579,7 +579,7 @@ slapd__default_tasks:
- 'homeDirectory,loginShell eq'
- 'uidNumber,gidNumber eq'
- 'entryCSN,entryUUID eq'
- 'sudoUser eq'
- 'sudoUser eq,sub'

- name: 'Enable the monitor database'
dn: 'olcDatabase={2}monitor,cn=config'
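
Review bot: The changed entry 'sudoUser eq,sub' in the index list has no comment explaining why this one attribute needs a substring index while its neighbours stay at eq. Suggest a one-line comment above it recording the reason given in the commit message, so the "sub" part is not dropped later as an apparent inconsistency. Because the changelog asks for a manual update on existing installations, it is also worth checking whether this default is applied only at initial setup; if it is, hosts deployed before this commit keep the 'sudoUser eq' index until someone changes it by hand.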
