[slapd] Add support for 'AutoGroup' overlay

CHANGELOG.rst

@@ -31,6 +31,13 @@ Added
 - The role can now drop PostgreSQL databases and remove roles when their state
   is set to ``absent`` in the Ansible inventory.
 
+:ref:`debops.slapd` role
+''''''''''''''''''''''''
+
+- Support for the dynamic LDAP groups maintained by the
+  :ref:`slapd__ref_autogroup_overlay` has been implemented in the role. Debian
+  Buster or newer is recommended for this feature to work properly.
+
 Changed
 ~~~~~~~
 

LICENSES/OLDAP-2.8.txt

@@ -0,0 +1,43 @@
+The OpenLDAP Public License
+
+Version 2.8, 17 August 2003
+
+Redistribution and use of this software and associated documentation ("Software"),
+with or without modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions in source form must retain copyright statements and notices,
+
+2. Redistributions in binary form must reproduce applicable copyright statements
+and notices, this list of conditions, and the following disclaimer in the
+documentation and/or other materials provided with the distribution, and
+
+   3. Redistributions must contain a verbatim copy of this document.
+
+The OpenLDAP Foundation may revise this license from time to time. Each revision
+is distinguished by a version number. You may use this Software under terms
+of this license revision or under the terms of any subsequent revision of
+the license.
+
+THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS
+``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS,
+OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT,
+INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
+OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+The names of the authors and copyright holders must not be used in advertising
+or otherwise to promote the sale, use or other dealing in this Software without
+specific, written prior permission. Title to copyright in this Software shall
+at all times remain with copyright holders.
+
+OpenLDAP is a registered trademark of the OpenLDAP Foundation.
+
+Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA.
+All Rights Reserved. Permission to copy and distribute verbatim copies of
+this document is granted.

ansible/roles/slapd/COPYRIGHT

@@ -1,7 +1,7 @@
 debops.slapd - Manage OpenLDAP server using Ansible
 
-Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
-Copyright (C) 2016-2019 DebOps <https://debops.org/>
+Copyright (C) 2016-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2016-2020 DebOps <https://debops.org/>
 SPDX-License-Identifier: GPL-3.0-only
 
 This Ansible role is part of DebOps.

ansible/roles/slapd/defaults/main.yml

@@ -1,8 +1,8 @@
 ---
 # .. vim: foldmarker=[[[,]]]:foldmethod=marker
 
-# .. Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
-# .. Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# .. Copyright (C) 2016-2020 Maciej Delmanowski <drybjed@gmail.com>
+# .. Copyright (C) 2016-2020 DebOps <https://debops.org/>
 # .. SPDX-License-Identifier: GPL-3.0-only
 
 # .. _slapd__ref_defaults:
@@ -76,6 +76,9 @@ slapd__default_schemas:
   # Custom DebOps schema that defines mail-related LDAP objects and attributes
   - '{{ slapd__debops_schema_path + "/mailservice.schema" }}'
 
+  # Custom DebOps schema that adds support for Dynamic Groups maintained by AutoGroup overlay
+  - '{{ slapd__debops_schema_path + "/dyngroup.schema" }}'
+
                                                                    # ]]]
 # .. envvar:: slapd__schemas [[[
 #
@@ -389,6 +392,7 @@ slapd__default_tasks:
         - '{7}constraint'
         - '{8}back_monitor'
         - '{9}lastbind'
+        - '{10}autogroup'
     ordered: True
 
   - name: 'Enable Sync Provider overlay in the cn=config database'
@@ -421,35 +425,47 @@ slapd__default_tasks:
     attributes:
       olcOverlay: '{3}memberof'
 
-  - name: 'Enable memberOf overlay in the main database for Roles'
+  - name: 'Enable memberOf overlay in the main database for AutoGroups'
     dn: 'olcOverlay={4}memberof,olcDatabase={1}mdb,cn=config'
     objectClass: [ 'olcOverlayConfig', 'olcMemberOf' ]
     attributes:
       olcOverlay: '{4}memberof'
 
+  - name: 'Enable memberOf overlay in the main database for Roles'
+    dn: 'olcOverlay={5}memberof,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcMemberOf' ]
+    attributes:
+      olcOverlay: '{5}memberof'
+
   - name: 'Enable Referential Integrity overlay in the main database'
-    dn: 'olcOverlay={5}refint,olcDatabase={1}mdb,cn=config'
+    dn: 'olcOverlay={6}refint,olcDatabase={1}mdb,cn=config'
     objectClass: [ 'olcOverlayConfig', 'olcRefintConfig' ]
     attributes:
-      olcOverlay: '{5}refint'
+      olcOverlay: '{6}refint'
 
   - name: 'Enable Audit Logging overlay in the main database'
-    dn: 'olcOverlay={6}auditlog,olcDatabase={1}mdb,cn=config'
+    dn: 'olcOverlay={7}auditlog,olcDatabase={1}mdb,cn=config'
     objectClass: [ 'olcOverlayConfig', 'olcAuditLogConfig' ]
     attributes:
-      olcOverlay: '{6}auditlog'
+      olcOverlay: '{7}auditlog'
 
   - name: 'Enable Constraint overlay in the main database'
-    dn: 'olcOverlay={7}constraint,olcDatabase={1}mdb,cn=config'
+    dn: 'olcOverlay={8}constraint,olcDatabase={1}mdb,cn=config'
     objectClass: [ 'olcOverlayConfig', 'olcConstraintConfig' ]
     attributes:
-      olcOverlay: '{7}constraint'
+      olcOverlay: '{8}constraint'
+
+  - name: 'Enable AutoGroup overlay in the main database'
+    dn: 'olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config'
+    objectClass: [ 'olcOverlayConfig', 'olcAutomaticGroups' ]
+    attributes:
+      olcOverlay: '{9}autogroup'
 
   - name: 'Enable LastBind overlay in the main database'
-    dn: 'olcOverlay={8}lastbind,olcDatabase={1}mdb,cn=config'
+    dn: 'olcOverlay={10}lastbind,olcDatabase={1}mdb,cn=config'
     objectClass: [ 'olcOverlayConfig', 'olcLastBindConfig' ]
     attributes:
-      olcOverlay: '{8}lastbind'
+      olcOverlay: '{10}lastbind'
 
   - name: 'Configure Password Policy overlay in the main database'
     dn: 'olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config'
@@ -483,8 +499,18 @@ slapd__default_tasks:
       olcMemberOfMemberOfAD: 'memberOf'
     state: 'exact'
 
-  - name: 'Configure memberOf overlay in the main database for Roles'
+  - name: 'Configure memberOf overlay in the main database for AutoGroups'
     dn: 'olcOverlay={4}memberof,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcMemberOfDangling: 'ignore'
+      olcMemberOfRefInt: 'TRUE'
+      olcMemberOfGroupOC: 'groupOfURLs'
+      olcMemberOfMemberAD: 'member'
+      olcMemberOfMemberOfAD: 'memberOf'
+    state: 'exact'
+
+  - name: 'Configure memberOf overlay in the main database for Roles'
+    dn: 'olcOverlay={5}memberof,olcDatabase={1}mdb,cn=config'
     attributes:
       olcMemberOfDangling: 'ignore'
       olcMemberOfRefInt: 'TRUE'
@@ -494,7 +520,7 @@ slapd__default_tasks:
     state: 'exact'
 
   - name: 'Configure Referential Integrity overlay in the main database'
-    dn: 'olcOverlay={5}refint,olcDatabase={1}mdb,cn=config'
+    dn: 'olcOverlay={6}refint,olcDatabase={1}mdb,cn=config'
     attributes:
       olcRefintAttribute:
         - 'member'
@@ -509,13 +535,13 @@ slapd__default_tasks:
     state: 'exact'
 
   - name: 'Configure Audit Logging overlay in the main database'
-    dn: 'olcOverlay={6}auditlog,olcDatabase={1}mdb,cn=config'
+    dn: 'olcOverlay={7}auditlog,olcDatabase={1}mdb,cn=config'
     attributes:
       olcAuditlogFile: '{{ slapd__log_dir + "/slapd-auditlog-main.ldif" }}'
     state: 'exact'
 
   - name: 'Configure Constraint overlay in the main database'
-    dn: 'olcOverlay={7}constraint,olcDatabase={1}mdb,cn=config'
+    dn: 'olcOverlay={8}constraint,olcDatabase={1}mdb,cn=config'
     attributes:
       olcConstraintAttribute:
         - 'jpegPhoto size 524288'  # 512 KiB
@@ -528,8 +554,16 @@ slapd__default_tasks:
         - 'mailAlternateAddress set "this/mailAlternateAddress & this/mail"'
     state: 'exact'
 
+  - name: 'Configure AutoGroup overlay in the main database'
+    dn: 'olcOverlay={9}autogroup,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcAGattrSet:
+        - '{0}groupOfURLs memberURL member'
+      olcAGmemberOfAd: 'memberOf'
+    state: 'exact'
+
   - name: 'Configure LastBind overlay in the main database'
-    dn: 'olcOverlay={8}lastbind,olcDatabase={1}mdb,cn=config'
+    dn: 'olcOverlay={10}lastbind,olcDatabase={1}mdb,cn=config'
     attributes:
       olcLastBindPrecision: '{{ (60 * 60 * 24) }}'
     state: 'exact'

ansible/roles/slapd/files/etc/ldap/schema/debops/dyngroup.schema

@@ -0,0 +1,96 @@
+# dyngroup.schema -- Dynamic Group schema
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright (C) 1998-2018 The OpenLDAP Foundation.
+## Copyright (C) 2020      Maciej Delmanowski <drybjed@gmail.com>
+## Copyright (C) 2020      DebOps <https://debops.org/>
+## SPDX-License-Identifier: OLDAP-2.8
+##
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+#
+# Dynamic Group schema (experimental), as defined by Netscape.  See
+# http://www.redhat.com/docs/manuals/ent-server/pdf/esadmin611.pdf
+# page 70 for details on how these groups were used.
+#
+# A description of the objectclass definition is available here:
+# http://www.redhat.com/docs/manuals/dir-server/schema/7.1/oc_dir.html#1303745
+#
+# depends upon:
+#	core.schema
+#
+# These definitions are considered experimental due to the lack of
+# a formal specification (e.g., RFC).
+#
+# NOT RECOMMENDED FOR PRODUCTION USE!  USE WITH CAUTION!
+#
+# The Netscape documentation describes this as an auxiliary objectclass
+# but their implementations have always defined it as a structural class.
+# The sloppiness here is because Netscape-derived servers don't actually
+# implement the X.500 data model, and they don't honor the distinction
+# between structural and auxiliary classes. This fact is noted here:
+# http://forum.java.sun.com/thread.jspa?threadID=5016864&messageID=9034636
+#
+# In accordance with other existing implementations, we define it as a
+# structural class.
+#
+# Our definition of memberURL also does not match theirs but again
+# their published definition and what works in practice do not agree.
+# In other words, the Netscape definitions are broken and interoperability
+# is not guaranteed.
+#
+# Also see the new DynGroup proposed spec at
+# http://tools.ietf.org/html/draft-haripriya-dynamicgroup-02
+#
+# This schema is modified to support the 'autogroup' overlay by adding a MAY
+# 'member' attribute to the 'groupOfURLs' LDAP object.
+
+objectIdentifier NetscapeRoot 2.16.840.1.113730
+
+objectIdentifier NetscapeLDAP NetscapeRoot:3
+objectIdentifier NetscapeLDAPattributeType NetscapeLDAP:1
+objectIdentifier NetscapeLDAPobjectClass NetscapeLDAP:2
+
+objectIdentifier OpenLDAPExp11	1.3.6.1.4.1.4203.666.11
+objectIdentifier DynGroupBase	OpenLDAPExp11:8
+objectIdentifier DynGroupAttr	DynGroupBase:1
+objectIdentifier DynGroupOC	DynGroupBase:2
+
+attributetype ( NetscapeLDAPattributeType:198
+	NAME 'memberURL'
+	DESC 'Identifies an URL associated with each member of a group. Any type of labeled URL can be used.'
+	SUP labeledURI )
+
+attributetype ( DynGroupAttr:1
+	NAME 'dgIdentity'
+	DESC 'Identity to use when processing the memberURL'
+	SUP distinguishedName SINGLE-VALUE )
+
+attributeType ( DynGroupAttr:2
+	NAME 'dgAuthz'
+	DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity'
+	EQUALITY authzMatch
+	SYNTAX 1.3.6.1.4.1.4203.666.2.7
+	X-ORDERED 'VALUES' )
+
+objectClass ( NetscapeLDAPobjectClass:33
+	NAME 'groupOfURLs'
+	SUP top STRUCTURAL
+	MUST cn
+	MAY ( memberURL $ businessCategory $ description $ o $ ou $
+	      member $ owner $ seeAlso ) )
+
+# The Haripriya dyngroup schema still needs a lot of work.
+# We're just adding support for the dgIdentity attribute for now...
+objectClass ( DynGroupOC:1
+	NAME 'dgIdentityAux'
+	SUP top AUXILIARY
+	MAY ( dgIdentity $ dgAuthz ) )

ansible/roles/slapd/meta/main.yml

@@ -1,6 +1,6 @@
 ---
-# Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
-# Copyright (C) 2016-2019 DebOps <https://debops.org/>
+# Copyright (C) 2016-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2016-2020 DebOps <https://debops.org/>
 # SPDX-License-Identifier: GPL-3.0-only
 
 # Ensure that custom Ansible plugins and modules included in the main DebOps
@@ -20,15 +20,15 @@ galaxy_info:
   platforms:
     - name: Ubuntu
       versions:
-        - precise
-        - trusty
+        - bionic
+        - focal
     - name: GenericLinux
       versions:
         - all
     - name: Debian
       versions:
-        - wheezy
-        - jessie
+        - buster
+        - bullseye
 
   galaxy_tags:
     - database

docs/ansible/roles/slapd/ldap-dit.rst

@@ -1,5 +1,5 @@
-.. Copyright (C) 2016-2019 Maciej Delmanowski <drybjed@gmail.com>
-.. Copyright (C) 2016-2019 DebOps <https://debops.org/>
+.. Copyright (C) 2016-2020 Maciej Delmanowski <drybjed@gmail.com>
+.. Copyright (C) 2016-2020 DebOps <https://debops.org/>
 .. SPDX-License-Identifier: GPL-3.0-only
 
 .. _slapd__ref_ldap_dit:
@@ -42,6 +42,8 @@ Directory structure
 
         - ``{9}lastbind``
 
+        - ``{10}autogroup``
+
       - :ref:`cn=schema <slapd__ref_ldap_schemas>`
 
         - :ref:`core.schema <slapd__ref_initial_schemas>`
@@ -70,6 +72,8 @@ Directory structure
 
         - :ref:`mailservice.schema <slapd__ref_mailservice>`
 
+        - :ref:`dyngroup.schema <slapd__ref_dyngroup>`
+
       - ``olcDatabase={0}config``
 
         - :ref:`olcOverlay={0}syncprov <slapd__ref_syncprov_overlay>` (:ref:`for Multi-Master replication <slapd__ref_syncrepl_multi_master>`)
@@ -84,15 +88,19 @@ Directory structure
 
         - :ref:`olcOverlay={3}memberof <slapd__ref_memberof_overlay>` (for ``groupOfNames`` LDAP objects)
 
-        - :ref:`olcOverlay={4}memberof <slapd__ref_memberof_overlay>` (for ``organizationalRole`` LDAP objects)
+        - :ref:`olcOverlay={4}memberof <slapd__ref_memberof_overlay>` (for ``groupOfURLs`` LDAP objects)
+
+        - :ref:`olcOverlay={5}memberof <slapd__ref_memberof_overlay>` (for ``organizationalRole`` LDAP objects)
+
+        - :ref:`olcOverlay={6}refint <slapd__ref_refint_overlay>`
 
-        - :ref:`olcOverlay={5}refint <slapd__ref_refint_overlay>`
+        - :ref:`olcOverlay={7}auditlog <slapd__ref_auditlog_overlay>`
 
-        - :ref:`olcOverlay={6}auditlog <slapd__ref_auditlog_overlay>`
+        - :ref:`olcOverlay={8}constraint <slapd__ref_constraint_overlay>`
 
-        - :ref:`olcOverlay={7}constraint <slapd__ref_constraint_overlay>`
+        - :ref:`olcOverlay={9}autogroup <slapd__ref_autogroup_overlay>`
 
-        - :ref:`olcOverlay={8}lastbind <slapd__ref_lastbind_overlay>`
+        - :ref:`olcOverlay={10}lastbind <slapd__ref_lastbind_overlay>`
 
         - :envvar:`olcAccess <slapd__acl_tasks>` (:ref:`documentation <slapd__ref_acl>`)