{"id":15080936,"url":"https://github.com/seb4itik/ansible-slapd","last_synced_at":"2026-01-03T21:04:42.202Z","repository":{"id":238998879,"uuid":"798219542","full_name":"seb4itik/ansible-slapd","owner":"seb4itik","description":"Configure an OpenLDAP slapd instance with Ansible","archived":false,"fork":false,"pushed_at":"2025-02-02T13:28:42.000Z","size":72,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-02-02T14:23:33.158Z","etag":null,"topics":["ansible-role","openldap","openldap-slapd","slapd"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/seb4itik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-09T10:35:29.000Z","updated_at":"2025-02-02T13:24:43.000Z","dependencies_parsed_at":"2024-11-22T18:42:53.738Z","dependency_job_id":"43f72d15-8f2f-448e-be21-4b461ff27489","html_url":"https://github.com/seb4itik/ansible-slapd","commit_stats":{"total_commits":30,"total_committers":1,"mean_commits":30.0,"dds":0.0,"last_synced_commit":"8dfdff27ada1d323f4819b3a49fea7df082c3209"},"previous_names":["seb4itik/slapd","seb4itik/ansible-slapd"],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seb4itik%2Fansible-slapd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seb4itik%2Fansible-slapd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seb4itik%2Fansible-slapd/relea
ses","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seb4itik%2Fansible-slapd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/seb4itik","download_url":"https://codeload.github.com/seb4itik/ansible-slapd/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243918630,"owners_count":20368745,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ansible-role","openldap","openldap-slapd","slapd"],"created_at":"2024-09-25T05:33:48.251Z","updated_at":"2026-01-03T21:04:42.110Z","avatar_url":"https://github.com/seb4itik.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Ansible role slapd\n\nThe best Ansible Role ;-) for installing and configuring OpenLDAP `slapd` with multiple backends.\n\n## Features\n\n- Idempotent (but see [Notes](#notes)).\n- Multiple backends.\n- Module management.\n- Schema management.\n- Overlay management.\n- SSL activation.\n- Monitor backend activation.\n- Apparmor aware (for Ubuntu).\n- Debian and Ubuntu friendly (anyone for Redhat-likes and other platforms?).\n- Possibility to create a minimal DIT with root DN and first level organizational units.\n- A developer/maintainer willing to receive feedback and bug reports.\n\n\n## Requirements\n\n`community.general.json_query` needs `jmespath`:\n\n```\npip3 install jmespath\n```\n\nThis role must be run as `root` (for the `EXTERNAL` authentication mechanism)\nbut will **not** `become` by itself.\n\n\n## Role Variables\n\n| Name                    | Default      
        | Description                                                                           |\n|-------------------------|----------------------|---------------------------------------------------------------------------------------|\n| `slapd_user`            | `\"openldap\"`         | System user for `slapd`.                                                              |\n| `slapd_group`           | `\"{{ slapd_user }}\"` | System group for `slapd`.                                                             |\n| `slapd_ssl`             | `false`              | Activate SSL (`ldaps:///`).                                                           |\n| `slapd_ssl_group`       | `\"ssl-cert\"`         | Group `slapd` will be added to if `slapd_ssl` (to access keys in `/etc/ssl/private`). |\n| `slapd_monitor`         | `false`              | Activate monitor backend (`cn=Monitor`).                                              |\n| `slapd_monitor_admin`   | required if `slapd_monitor` | DN that will have read access to `cn=Monitor`.                                 |\n| `slapd_modules`         | `[]`                 | List of modules to add.                                                               |\n| `slapd_module_path`     | `\"/usr/lib/ldap\"`    | Path to the directory of modules.                                                     |\n| `slapd_schemas`         | `[]`                 | List of schemas to add (`.ldif` or `.schema` format).                                 |\n| `slapd_schema_path`     | `\"/etc/ldap/schema\"` | Path to the directory of schemas.                                                     |\n| `slapd_apparmor_file`   | `\"/etc/apparmor.d/usr.sbin.slapd\"`| Path to `slapd` apparmor profile file.                                   |\n| `slapd_config_olc`      | `{}`                 | Any parameter recognized by `slapd` in `cn=config`.                                   
|\n| `slapd_config_frontend` | `{}`                 | Any parameter recognized by `slapd` in `olcDatabase={-1}frontend,cn=config`.          |\n| `slapd_config_config`   | `{}`                 | Any parameter recognized by `slapd` in `olcDatabase={0}config,cn=config`.             |\n| `slapd_config_backends` | `{}`                 | Description of backends to configure.                                                 |\n\n### slapd_ssl\n\nIf `slapd_ssl` is `true`:\n\n- `slapd` system user (`slapd_user`) will be added to group `slapd_ssl_group`;\n- `SLAPD_SERVICES` variable will be set to `\"ldap:/// ldaps:/// ldapi:///\"` in `/etc/defaults/slapd` file;\n- `slapd` service will be restarted.\n\nAt a minimum, these parameters must be set in `slapd_config_olc`:\n\n- `olcTLSCertificateFile` (name of a file that should be under `/etc/ssl/certs`);\n- `olcTLSCertificateKeyFile` (name of a file that should be under `/etc/ssl/private`, owner `root`, group `ssl-cert`, mode `0640`);\n\n### slapd_config_backends\n\n`slapd_config_backends` is the list of backends to include in the `slapd` configuration (except `olcDatabase={-1}frontend,cn=config`\nand `olcDatabase={0}config,cn=config`, which always exist).\n\nEach entry in this array is a dictionary with two to four members:\n\n- `db_type`: type of backend;\n- `overlays`: overlays for this backend (optional); each overlay must have `name` and `attributes` keys;\n- `dit`: information for tree initialization; if present, a root DN and optional organizational units will be created;\n- `attributes`: configuration attributes and values for this backend; the `olcSuffix` attribute is mandatory,\n  others may be required depending on the type of backend.\n\nCorresponding modules must be loaded for each `db_type` used:\n\n- `asyncmeta`: module `back_asyncmeta`;\n- `dnssrv`: module `back_dnssrv`;\n- `ldap`: module `back_ldap`;\n- `mdb`: module `back_mdb`;\n- `meta`: module `back_meta`;\n- `null`: module `back_null`;\n- `passwd`: module 
`back_passwd`;\n- `perl`: module `back_perl`;\n- `relay`: module `back_relay`;\n- `sock`: module `back_sock`;\n- `sql`: module `back_sql`.\n\n*Note: Only these backend types have been tested: `ldap`, `mdb`.*\n\nCorresponding modules must be loaded for each `overlay` used (supported overlays are: `accesslog`, `auditlog`,\n`autogroup`, `collect`, `constraint`, `dds`, `dyngroup`, `dynlist`, `homedir`, `lastbind`, `memberof`, `pcache`,\n`ppolicy`, `refint`, `remoteauth`, `retcode`, `rwm`, `sssvlv`, `syncprov`, `translucent`, `unique`, `valsort`).\n\nIf `dit` is present for a backend, it should be a dictionary with a mandatory `root` key and\nan optional `organizational_units` key. `root` is also a dictionary with mandatory `objectClass`\n(list of strings) and `attributes` (dictionary) keys. `organizational_units` is a list of strings\ncontaining the names for the organizational units to be created directly under the root record.\nThe root DN will be `attributes.olcSuffix`, which is mandatory.\n\nExample:\n\n```\nslapd_config_backends:\n  - db_type: \"mdb\"\n    attributes:\n      olcSuffix: \"o=Test Me,c=FR\"\n      olcDbDirectory: \"/var/lib/ldap-test-me\"\n    dit:\n      root_record:\n        objectClass:\n          - \"organization\"\n        attributes:\n          o: \"Test Me\"\n      organizational_units:\n        - \"People\"\n        - \"Group\"\n```\n\n\n## Dependencies\n\nCollection `community.general`.\n\n\n## Notes\n\nTo add the schema `my-schema`, the file `my-schema.ldif` or `my-schema.schema` must exist\nin `/etc/ldap/schema` (or whatever `{{slapd_schema_path}}` is).\n\nDue to OpenLDAP `slapd` limitations, it's not possible to dynamically remove modules and\nschemas. 
So, even if you remove a module from `slapd_modules` or a schema from `slapd_schemas`,\nthis role will not try to remove them from the `slapd` configuration.\n\nRemoving configuration attributes from `slapd_config_olc`, `slapd_config_frontend`,\n`slapd_config_config`, `slapd_config_backends[*].attributes`, and\n`slapd_config_backends[*].overlays.attributes` will not remove them from the `slapd` configuration.\nSee [this bug report](https://github.com/ansible-collections/community.general/issues/8354)\nfor `community.general.ldap_attrs`.\n\nThe workaround for removing an attribute is to use `[]`. Example:\n\n```\n    slapd_config_olc:\n      olcLogLevel: []\n```\n\n\n## Example Playbooks\n\nMinimal playbook:\n\n```\n- name: Minimal playbook for role seb4itik.slapd\n  hosts: ldap\n  vars:\n    slapd_modules:\n      - \"back_mdb\"\n    slapd_config_backends:\n      - db_type: \"mdb\"\n        attributes:\n          olcSuffix: \"dc=test,dc=me\"\n          olcDbDirectory: \"/var/lib/ldap-test-me\"\n          olcRootDN: \"cn=admin,dc=test,dc=me\"\n          olcRootPW: \"{{ vault.ldap.admin_dn_password }}\"\n  roles:\n    - \"seb4itik.slapd\"\n```\n\nMore complete example:\n\n```\n- name: Example playbook for role seb4itik.slapd\n  hosts: ldap\n  vars:\n    slapd_ssl: true\n    slapd_monitor: true\n    slapd_monitor_admin: \"gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\"\n    slapd_modules:\n      - \"back_ldap\"\n      - \"back_mdb\"\n      - \"constraint\"\n    slapd_schemas:\n      - \"misc\"\n    slapd_config_olc:\n      olcLogLevel: 64\n      olcTLSCertificateFile: \"/etc/ssl/certs/ldap1.test.me.crt\"\n      olcTLSCertificateKeyFile: \"/etc/ssl/private/ldap1.test.me.key\"\n    slapd_config_backends:\n      - db_type: \"ldap\"\n        attributes:\n          olcSuffix: \"dc=another,dc=me\"\n          olcDbURI: \"ldaps:///ldap1.another.me\"\n      - db_type: \"mdb\"\n        overlays:\n          - name: \"constraint\"\n            attributes:\n              
olcConstraintAttribute:\n                - \"mail regex ^[[:alnum:]]+@mydomain.com$\"\n        attributes:\n          olcSuffix: \"dc=test,dc=me\"\n          olcDbDirectory: \"/var/lib/ldap-test-me\"\n          olcRootDN: \"cn=admin,dc=test,dc=me\"\n          olcRootPW: \"{{ vault.ldap.admin_dn_password }}\"\n          olcDbCheckpoint: \"512 30\"\n          olcDbMaxSize: 2147483648  # 2 GB\n          olcLastMod: \"TRUE\"\n          olcSizeLimit: 1500\n          olcLimits:\n            - '{0}dn.base=\"cn=SyncRepl,ou=DIT Roles,dc=test,dc=me\" size=unlimited time=unlimited'\n          olcDbIndex:\n            - \"objectClass eq\"\n            - \"cn,uid eq\"\n            - \"uidNumber,gidNumber eq\"\n            - \"member,uniqueMember,memberUid eq\"\n            - \"sn eq,sub\"\n            - \"givenName eq,sub\"\n            - \"mail eq\"\n          olcAccess:\n            - '{0}to attrs=userPassword,shadowLastChange\n              by dn.base=\"cn=admin,ou=DIT Roles,dc=test,dc=me\" write\n              by dn.base=\"cn=pwadmin,ou=DIT Roles,dc=test,dc=me\" write\n              by anonymous auth\n              by self write\n              by * none'\n            - '{1}to dn.base=\"\"\n              by * read'\n            - '{2}to *\n              by dn.base=\"cn=admin,ou=DIT Roles,dc=test,dc=me\" write\n              by * read'\n  roles:\n    - \"seb4itik.slapd\"\n```\n\n\n## Tips \u0026 Tricks\n\n- For parameters such as `olcAccess`, `olcSyncrepl`, `olcLimits`, ... 
that are ordered lists,\nyou should prefix each item with `{N}`.\n- Be careful with the case of the `olcSyncrepl` parameter!\n\n\n## TODO\n\n- Write tests (but there is a problem between *Docker* and *systemd*).\n- Other platforms (Redhat, ...).\n- Optimisation: set_fact (all modules, all schemas, all suffixes...)\n- Idempotency in attributes (for replacing \"state: exact\")\n\n## License\n\nMIT\n\n\n## Author Information\n\n- [seb4itik](https://github.com/seb4itik)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseb4itik%2Fansible-slapd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fseb4itik%2Fansible-slapd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fseb4itik%2Fansible-slapd/lists"}