
Merge branch 'drybjed-docs-ldap-updates'

drybjed committed Sep 28, 2019
2 parents c77093e + ad06574 commit ef68a81210b7b01fc565034f42cd26f700f0ad41
@@ -1,6 +1,6 @@
# eduperson.schema - eduPerson & eduOrg schema definition

# Copyright (C) Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
# Copyright (C) 2019 DebOps project https://debops.org/
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -45,6 +45,11 @@ used for :ref:`ldap__ref_admin`.
The playbook will not make any changes to existing LDAP objects. The default
``cn=admin`` LDAP object created during OpenLDAP installation will be removed.

.. note:: For the LDAP access to work, Ansible Controller needs to trust the
Certificate Authority which is used by the OpenLDAP service. If you rely on
the :ref:`debops.pki` internal CA, you will have to add the Root CA
certificate managed by the role to the operating system certificate store.


Example inventory
-----------------
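Review bot: the new note tells the reader to add the Root CA certificate "managed by the role" to the operating system certificate store, but does not say where that certificate can be found or which store is meant, so it cannot be acted on as written; suggest pointing to the relevant section of the :ref:`debops.pki` documentation (or naming the location) and spelling out the consequence of skipping it (TLS connections from the Ansible Controller to the OpenLDAP service fail certificate verification), so the reader understands that trusting the CA, not relaxing certificate checks, is the intended fix. Minor: "Ansible Controller needs to trust" reads better as "the Ansible Controller needs to trust".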
@@ -23,14 +23,36 @@ Object Classes and Attributes
- :ref:`debops.saslauthd`: :envvar:`Object Classes <saslauthd__ldap_self_object_classes>`, :envvar:`Attributes <saslauthd__ldap_self_attributes>`


.. _saslauthd__ref_ldap_dit_access:

Access Control
--------------

DebOps LDAP environment includes the :ref:`'ldapns' schema <slapd__ref_ldapns>`
which can be used to define access control rules to services. The lists below
define the attribute values which will grant access to the service managed by
the :ref:`debops.saslauthd` role, and specifies other roles with the same
access control rules:

The ``smtpd`` LDAP profile
~~~~~~~~~~~~~~~~~~~~~~~~~~

- objectClass ``authorizedServiceObject``, attribute ``authorizedService``:

- ``smtpd``
- ``*`` (all services)

LDAP filter definition: :envvar:`saslauthd__ldap_default_profiles`


Parent nodes
------------

- :ref:`debops.ldap <ldap__ref_ldap_dit>`

- :envvar:`ansible_local.ldap.base_dn <ldap__base_dn>` -> :envvar:`sshd__ldap_base_dn`
- :envvar:`ansible_local.ldap.base_dn <ldap__base_dn>` -> :envvar:`saslauthd__ldap_base_dn`

- :envvar:`ansible_local.ldap.device_dn <ldap__device_dn>` -> :envvar:`sshd__ldap_device_dn`
- :envvar:`ansible_local.ldap.device_dn <ldap__device_dn>` -> :envvar:`saslauthd__ldap_device_dn`


Child nodes
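Review bot: subject-verb disagreement in the new Access Control paragraph: "The lists below define ... and specifies other roles" should read "specify". The "``*`` (all services)" entry under ``authorizedService`` grants an object access to every ldapns-controlled service at once; since this section is where readers will look when deciding what to put in that attribute, one sentence noting that the wildcard should be reserved for accounts that genuinely need every service would help. The Parent nodes change correctly replaces the copy-pasted ``sshd__ldap_base_dn`` / ``sshd__ldap_device_dn`` references with the saslauthd variables.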
@@ -48,10 +48,12 @@ Directory structure

- :ref:`posixgroupid.schema <slapd__ref_posixgroupid>`

- :ref:`openssh-lpk.schema <slapd__ref_openssh_lpk>`
- :ref:`ppolicy.schema <slapd__ref_ppolicy_schema>`

- :ref:`ldapns.schema <slapd__ref_ldapns>`

- :ref:`openssh-lpk.schema <slapd__ref_openssh_lpk>`

- :ref:`sudo.schema <slapd__ref_sudo>`

- :ref:`eduperson.schema <slapd__ref_eduperson>`
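Review bot: ``openssh-lpk.schema`` is moved from before ``ppolicy.schema`` to after ``ldapns.schema`` without explanation; if this list reflects the order in which the schemas are loaded into the directory (and so any dependencies between them), the text should say so, otherwise the move is churn and the new ``ppolicy.schema`` entry could simply have been inserted in place.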
@@ -184,6 +184,15 @@ attribute as the UNIX group name, but it's usually a simple configuration
change.


.. _slapd__ref_ppolicy_schema:

The ``ppolicy`` schema
----------------------

The ``ppolicy`` schema provides LDAP object and attribute definitions required
by the :ref:`slapd__ref_ppolicy_overlay`.


.. _slapd__ref_ldapns:

The ``ldapns`` schema
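Review bot: the new ``ppolicy`` section only says the schema is "required by" the overlay; unlike the neighbouring schema sections (the preceding one discusses using an attribute as the UNIX group name), it names none of the object classes or attributes it defines. Suggest listing the object class and the key attributes the overlay reads, so readers of the directory structure page can recognise them in existing entries and understand which values control password policy enforcement.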
@@ -23,6 +23,32 @@ Object Classes and Attributes
- :ref:`debops.sshd`: :envvar:`Object Classes <sshd__ldap_self_object_classes>`, :envvar:`Attributes <sshd__ldap_self_attributes>`


.. _sshd__ref_ldap_dit_access:

Access Control
--------------

DebOps LDAP environment includes the :ref:`'ldapns' schema <slapd__ref_ldapns>`
which can be used to define access control rules to services. The lists below
define the attribute values which will grant access to the service managed by
the :ref:`debops.sshd` role, and specifies other roles with the same access
control rules:

- objectClass ``authorizedServiceObject``, attribute ``authorizedService``:

- ``sshd``
- ``*`` (all services)

- objectClass ``hostObject``, attribute ``host``:

- ``hostname``
- ``hostname.example.org``
- ``*.example.org``
- ``*`` (all hosts)

LDAP filter definition: :envvar:`sshd__ldap_filter`


Parent nodes
------------
