Getting started
OpenLDAP features enabled by default
The debops.slapd role enables and configures some of the OpenLDAP features
that are otherwise enabled dynamically and could end up with different names
in the LDAP directory on different installations, depending on the order in
which they were enabled. If you are planning to apply the role on an existing
installation, review the configuration before doing so. The OpenLDAP server
usually rejects an incorrect configuration outright, which should leave the
existing installation untouched, but that is not a 100% guarantee.
Access to service denied by default
The default configuration denies access to the OpenLDAP service from anywhere
through the firewall and TCP Wrappers, although the slapd daemon will listen
for connections on all interfaces. You can use the slapd__*_allow variables to
define which IP addresses or subnets have access to the LDAP service.

If you don't use the debops.ferm and the debops.tcpwrappers Ansible roles to
control access to services, keep in mind that the OpenLDAP service will be
reachable from anywhere. This might be important while designing the LDAP
Access Control List and password policies.

You can control the default behaviour using the slapd__accept_any boolean
variable. Another option is to use an external firewall with IDS/IPS systems
that can analyze LDAP traffic. Access through a VPN connection, for example
using the debops.tinc Ansible role, can also be a good option for limiting
direct exposure of the LDAP directory to the Internet.
SASL authentication
The role uses the debops.saslauthd Ansible role to configure the saslauthd service which provides SASL authentication capability. PAM authentication is used by default to authenticate LDAP access via the UNIX accounts. If LDAP support is configured on the host by the debops.ldap role, the directory will be used for authentication instead.
Humans can authenticate themselves by specifying their account names without
a domain part. These names are defined by the uid attribute of their
inetOrgPerson LDAP objects, which are looked up in the ou=People subtree of
the LDAP directory.

Computers can authenticate to the LDAP directory by specifying a UNIX account
name and their fully qualified domain name, for example
sshd@host.example.org, which corresponds to the uid and host attributes of the
account LDAP objects. Only hosts that have been registered in the ou=Hosts
subtree of the LDAP directory can authenticate with this method.

The debops.saslauthd role defines the slapd LDAP profile, which contains the
LDAP search query and filtering rules; these can be used for access control
to the OpenLDAP directory itself.
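The two login-name forms above decide where the principal is looked up. The following is an added illustration, not code from the debops.saslauthd role or its slapd LDAP profile: the directory suffix dc=example,dc=org, the exact filters and the function names are assumptions modelled on the description. It also shows the check a practitioner should not skip when a login name ends up inside a search filter: RFC 4515 escaping, so that a name like `a)(uid=*` cannot widen the lookup.

```python
import re

# Assumed directory suffix; the real value comes from the host's LDAP setup.
BASE_DN = "dc=example,dc=org"
PEOPLE_BASE = "ou=People," + BASE_DN   # inetOrgPerson entries for humans
HOSTS_BASE = "ou=Hosts," + BASE_DN     # account entries for registered hosts

# RFC 4515 escaping for values placed inside a search filter. The login name
# is untrusted input: an unescaped "*" or ")(" would let the caller change
# the filter structure, e.g. turn "(uid=jane)" into "(uid=*)".
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as an assertion value in an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Host part must be an FQDN of at least two labels (RFC 1123 label syntax).
_FQDN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def _check_uid(uid: str) -> None:
    # Reject empty names and whitespace/control characters; anything else is
    # made safe by escaping rather than by guessing at a uid syntax.
    if not uid or any(ch.isspace() or ord(ch) < 32 for ch in uid):
        raise ValueError("invalid account name")


def lookup_for(login: str) -> dict:
    """Map a login name to the LDAP lookup that identifies it (assumed layout).

    "jane"                  -> inetOrgPerson with uid=jane under ou=People
    "sshd@host.example.org" -> account with uid=sshd and host=host.example.org
                               under ou=Hosts
    Raises ValueError for names that fit neither form.
    """
    if "@" not in login:
        _check_uid(login)
        return {
            "kind": "person",
            "base": PEOPLE_BASE,
            "filter": "(&(objectClass=inetOrgPerson)(uid=%s))"
                      % escape_filter_value(login),
        }
    parts = login.split("@")
    if len(parts) != 2:
        raise ValueError("host login must contain exactly one '@'")
    uid, host = parts
    _check_uid(uid)
    if not _FQDN_RE.match(host):
        raise ValueError("host part is not a fully qualified domain name")
    return {
        "kind": "host",
        "base": HOSTS_BASE,
        "filter": "(&(objectClass=account)(uid=%s)(host=%s))"
                  % (escape_filter_value(uid), escape_filter_value(host)),
    }


def is_valid_login(login: str) -> bool:
    """True if the login name fits one of the two forms."""
    try:
        lookup_for(login)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in ("jane", "sshd@host.example.org", "a)(uid=*"):
        print(name, "->", lookup_for(name))
```

Hosts are rejected unless the part after the @ is a multi-label FQDN, matching the "registered host" requirement above; a bare hostname such as sshd@evil is refused before any directory query is made.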
Authentication debugging and logs
By default the slapd log level is set to none, which results in minimal logs
(only messages that are logged regardless of the configured level). If you
need to debug or keep track of LDAP authentication and search queries, you
can configure slapd to do that through the Ansible inventory, by adding
a configuration file, for example for a cluster of LDAP hosts:
---
# ansible/inventory/group_vars/slapd_cluster/slapd.yml
slapd__group_tasks:

  - name: 'Configure the OpenLDAP server log level'
    dn: 'cn=config'
    attributes:
      olcLogLevel: 'stats'
    state: 'exact'
Make sure that the name parameter matches the name of the corresponding entry
in the slapd__default_tasks variable, so that the Universal Configuration
mechanism included in DebOps merges your entry with the default task instead
of adding a new one. Keep in mind that the stats level records every
connection, bind DN, search base and filter, so the resulting logs contain
sensitive information and should be protected accordingly.
You can use journalctl to follow the slapd logs:

journalctl -f -u slapd.service
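Once the stats level is active, the log is the place to spot authentication abuse. The following is an added example, not part of the debops.slapd role or its documentation: a small parser that correlates each BIND request with its RESULT line and counts failed binds per client address. The log lines are constructed to mirror the format slapd writes at the stats level (conn/op numbering, tag=97 for bind responses, err=49 for invalidCredentials, method=128 for a simple bind); the function names and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of slapd output at olcLogLevel: stats, as seen through
# journalctl. Not captured from a real server.
SAMPLE_LOG = """\
Mar  4 10:15:01 ldap1 slapd[812]: conn=1042 fd=18 ACCEPT from IP=192.0.2.10:51512 (IP=0.0.0.0:389)
Mar  4 10:15:01 ldap1 slapd[812]: conn=1042 op=0 BIND dn="uid=jane,ou=People,dc=example,dc=org" method=128
Mar  4 10:15:01 ldap1 slapd[812]: conn=1042 op=0 RESULT tag=97 err=0 text=
Mar  4 10:15:01 ldap1 slapd[812]: conn=1042 op=1 SRCH base="ou=People,dc=example,dc=org" scope=2 deref=0 filter="(uid=jane)"
Mar  4 10:15:01 ldap1 slapd[812]: conn=1042 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar  4 10:15:02 ldap1 slapd[812]: conn=1042 op=2 UNBIND
Mar  4 10:15:02 ldap1 slapd[812]: conn=1042 fd=18 closed
Mar  4 10:15:30 ldap1 slapd[812]: conn=1043 fd=19 ACCEPT from IP=198.51.100.7:40001 (IP=0.0.0.0:389)
Mar  4 10:15:30 ldap1 slapd[812]: conn=1043 op=0 BIND dn="uid=admin,ou=People,dc=example,dc=org" method=128
Mar  4 10:15:30 ldap1 slapd[812]: conn=1043 op=0 RESULT tag=97 err=49 text=
Mar  4 10:15:31 ldap1 slapd[812]: conn=1043 op=1 BIND dn="uid=admin,ou=People,dc=example,dc=org" method=128
Mar  4 10:15:31 ldap1 slapd[812]: conn=1043 op=1 RESULT tag=97 err=49 text=
Mar  4 10:15:31 ldap1 slapd[812]: conn=1043 op=2 BIND dn="uid=admin,ou=People,dc=example,dc=org" method=128
Mar  4 10:15:31 ldap1 slapd[812]: conn=1043 op=2 RESULT tag=97 err=49 text=
Mar  4 10:15:32 ldap1 slapd[812]: conn=1043 fd=19 closed
"""

# Client address is only logged on the ACCEPT line; IPv6 is written as [addr]:port.
ACCEPT_RE = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=\[?([0-9A-Fa-f.:]+)\]?:\d+")
# method=128 is a simple bind, method=163 a SASL bind.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the BindResponse; err is the LDAP result code (49 = invalidCredentials).
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)")

LDAP_RESULT = {0: "success", 13: "confidentialityRequired", 49: "invalidCredentials",
               50: "insufficientAccessRights", 53: "unwillingToPerform"}


def parse_binds(log_text: str) -> list:
    """Correlate BIND requests with their RESULT lines by (conn, op)."""
    conn_ip = {}      # conn id -> client address, learned from ACCEPT
    pending = {}      # (conn, op) -> bind awaiting its RESULT
    binds = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_ip[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, method = m.groups()
            pending[(conn, op)] = {"conn": conn, "ip": conn_ip.get(conn, "?"),
                                   "dn": dn, "method": int(method)}
            continue
        m = RESULT_RE.search(line)
        if m:
            info = pending.pop((m.group(1), m.group(2)), None)
            if info is not None:
                info["err"] = int(m.group(3))
                binds.append(info)
    return binds


def failed_binds_by_ip(binds: list, threshold: int = 3) -> dict:
    """Client addresses with at least `threshold` failed binds."""
    counts = defaultdict(int)
    for b in binds:
        if b["err"] != 0:
            counts[b["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    binds = parse_binds(SAMPLE_LOG)
    for b in binds:
        print(b["ip"], b["dn"] or "(anonymous)", LDAP_RESULT.get(b["err"], b["err"]))
    print("suspicious:", failed_binds_by_ip(binds))
```

Pipe `journalctl -u slapd.service -o cat` into parse_binds() to run it on a live host. A SASL bind is logged as `BIND dn="" method=163` followed by a second BIND line carrying the authcid, which this parser does not read; extend BIND_RE if you need to attribute SASL failures to a user name rather than only to a client address.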
Example inventory
To install and manage the OpenLDAP server on a host, you need to add it to the
[debops_service_slapd] Ansible inventory group:

[debops_service_slapd]
hostname
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.slapd role:

---

- name: Manage OpenLDAP service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_service_slapd' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  roles:

    - role: ferm
      tags: [ 'role::ferm', 'skip::ferm' ]
      ferm__dependent_rules:
        - '{{ slapd__ferm__dependent_rules }}'

    - role: tcpwrappers
      tags: [ 'role::tcpwrappers', 'skip::tcpwrappers' ]
      tcpwrappers__dependent_allow:
        - '{{ slapd__tcpwrappers__dependent_allow }}'

    - role: cron
      tags: [ 'role::cron', 'skip::cron' ]

    - role: logrotate
      tags: [ 'role::logrotate', 'skip::logrotate' ]
      logrotate__dependent_config:
        - '{{ slapd__logrotate__dependent_config }}'

    - role: python
      tags: [ 'role::python', 'skip::python', 'role::ldap', 'role::slapd' ]
      python__dependent_packages3:
        - '{{ ldap__python__dependent_packages3 }}'
        - '{{ slapd__python__dependent_packages3 }}'
      python__dependent_packages2:
        - '{{ ldap__python__dependent_packages2 }}'
        - '{{ slapd__python__dependent_packages2 }}'

    - role: ldap
      tags: [ 'role::ldap', 'skip::ldap' ]
      ldap__dependent_tasks:
        - '{{ saslauthd__ldap__dependent_tasks }}'
      when: slapd__saslauthd_enabled | bool

    - role: saslauthd
      tags: [ 'role::saslauthd', 'skip::saslauthd' ]
      saslauthd__dependent_instances:
        - '{{ slapd__saslauthd__dependent_instances }}'
      when: slapd__saslauthd_enabled | bool

    - role: slapd
      tags: [ 'role::slapd', 'skip::slapd' ]
The included debops.ferm and debops.tcpwrappers Ansible roles are optional;
they can be used to manage the firewall and access rules for the LDAP
service.

If you also want to enable transport layer security (TLS) for the LDAP
service in the debops.slapd role, the debops.pki and debops.dhparam roles
must be applied on the host as well. The debops.slapd role will automatically
detect and use their configured environments if available.
Other resources
List of other useful resources related to the debops.slapd Ansible role:
Manual pages: slapd(8), slapd-config(5)
LDAP for Rocket Scientists, an excellent book about LDAP and OpenLDAP
Debian LDAP Portal page in the Debian Wiki