feat: implemant openldap and migration
This commit is contained in:
parent
80f489422a
commit
f8bc026165
@ -1,5 +1,5 @@
|
||||
sssd_configure: true
|
||||
# sssd_configure is False by default - by default nothing is done by this role.
|
||||
ldap_search_base: "dc=ducamps,dc=win"
|
||||
ldap_uri: "ldaps://ldap.ducamps.eu"
|
||||
ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=win"
|
||||
ldap_search_base: "dc=ducamps,dc=eu"
|
||||
ldap_uri: "ldaps://ldaps.service.consul"
|
||||
ldap_sudo_search_base: "ou=sudoers,dc=ducamps,dc=eu"
|
||||
|
@ -1,11 +1,11 @@
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
34356264306639303930393736376562653636383538623131343939323563653938616534623163
|
||||
6536366261666662376533393836626664373766313439660a363331326231303638626165393164
|
||||
63323063623365393566643230653964393565636430303365653233323931646236366664346430
|
||||
3162383233656139320a323133323262386638363738346336613862626539386538633864613131
|
||||
30306539376639303365323665613732616138346530346162633761386466626238373065316230
|
||||
38396662363364336134306130616661643835616161313535613331303133383334393333653335
|
||||
66363538313631373736396333363837376664616166663665343030336232346237333965303861
|
||||
36613763666135393531653637616463333461343232366137656336383239623166633338646561
|
||||
39336563636665396666663339306534643661366264623061626661343762373037383037373561
|
||||
3431656130306133323436616531343034366665636434333362
|
||||
61653964333030326633346130613633373333663037316165313436336235376362346237383463
|
||||
3835663564663137643565636431353465386338363665620a343031373230623564616635373337
|
||||
38653431623135313436643737633932656236666562623837303262323838663564343862653835
|
||||
3332346662383935300a646437326262613231616137393664633963623832393633646530613037
|
||||
35326335333432383939346132356465313164336434316439633236396465333366666435353535
|
||||
35646465313336336466653964303533373133613861626634623363623036643363323063616630
|
||||
64636135323431653235643364316238666135626230316537363132313138656532306636333734
|
||||
64356532653432613535623761303634353964633162333465393135653338323437336362616164
|
||||
63313430303438323535346331386463393535376564346564643363626434626432333031653838
|
||||
3332616466306466336161393066633239363463363863323739
|
||||
|
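--- a/nomad-job/openldap/memberofOverlay.ldif
+++ b/nomad-job/openldap/memberofOverlay.ldif
@@ -0,0 +1,31 @@
+dn: cn=module,cn=config
+cn: module
+objectClass: olcModuleList
+olcModuleLoad: memberof
+olcModuleLoad: refint
+olcModulePath: /opt/bitnami/openldap/lib/openldap
+
+dn: olcOverlay={0}memberof,olcDatabase={2}mdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
+
+
+dn: olcOverlay={1}refint,olcDatabase={2}mdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: {1}refint
+olcRefintAttribute: memberof
+olcRefintAttribute: member
+olcRefintAttribute: manager
+olcRefintAttribute: owner
+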
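Review bot: The memberof entry's `olcOverlay: memberof` lacks the `{0}` index that its own DN and the refint entry (`olcOverlay: {1}refint`) carry, so the two entries in the same file are written in different styles; either drop the index from both attribute values or use `olcOverlay: {0}memberof`. The file also hard-codes `olcDatabase={2}mdb` with no comment, and the only explanation of why these overlays are needed lives in the Nomad job (`#memberOf issue` plus the bitnami/containers issue link); a header such as `# memberof + refint overlays for the {2}mdb user database; loaded through LDAP_CUSTOM_SCHEMA_DIR from openldap.nomad.hcl` would keep that context with the file. Whether `{2}mdb` is the right database index depends on the image's cn=config layout, which is not visible here, so that assumption is worth stating in the same header.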
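--- a/nomad-job/openldap/openldap.nomad.hcl
+++ b/nomad-job/openldap/openldap.nomad.hcl
@@ -0,0 +1,164 @@
+
+job "openldap" {
+datacenters = ["homelab"]
+priority = 90
+type = "service"
+meta {
+forcedeploy = "1"
+}
+constraint {
+attribute = "${attr.cpu.arch}"
+value = "amd64"
+}
+vault {
+policies = ["ldap"]
+}
+group "openldap" {
+network {
+mode = "host"
+port "ldap" {
+static = 389
+to = 1389
+}
+port "ldaps" {
+static = 636
+to = 1636
+}
+
+}
+task "selfsignedCertificate" {
+lifecycle {
+hook= "prestart"
+sidecar = false
+}
+driver= "docker"
+config{
+image= "stakater/ssl-certs-generator"
+mount {
+type = "bind"
+source = "..${NOMAD_ALLOC_DIR}/data"
+target = "/certs"
+}
+}
+env {
+SSL_DNS="ldaps.service.consul,ldap.service.consul"
+}
+}
+task "openldap" {
+driver = "docker"
+service {
+name = "ldap"
+port = "ldap"
+tags = [
+]
+}
+service {
+name = "ldaps"
+port = "ldaps"
+tags = [
+]
+}
+
+config {
+image = "bitnami/openldap"
+ports = ["ldap", "ldaps"]
+volumes = [
+"/mnt/diskstation/nomad/openldap:/bitnami/openldap",
+]
+
+}
+env {
+LDAP_ADMIN_USERNAME = "admin"
+LDAP_ROOT = "dc=ducamps,dc=eu"
+LDAP_EXTRA_SCHEMAS = "cosine, inetorgperson"
+LDAP_CUSTOM_SCHEMA_DIR = "/local/schema"
+LDAP_CUSTOM_LDIF_DIR = "/local/ldif"
+LDAP_CONFIGURE_PPOLICY = "yes"
+LDAP_ALLOW_ANON_BINDING = "no"
+LDAP_LOGLEVEL = 64
+LDAP_ENABLE_TLS = "yes"
+LDAP_TLS_CERT_FILE = "${NOMAD_ALLOC_DIR}/data/cert.pem"
+LDAP_TLS_KEY_FILE = "${NOMAD_ALLOC_DIR}/data/key.pem"
+LDAP_TLS_CA_FILE = "${NOMAD_ALLOC_DIR}/data/ca.pem"
+
+}
+#memberOf issue
+#https://github.com/bitnami/containers/issues/28335
+# https://tylersguides.com/guides/openldap-memberof-overlay
+
+
+template {
+data = file("memberofOverlay.ldif")
+destination = "local/schema/memberofOverlay.ldif"
+}
+template {
+data = file("smbkrb5pwd.ldif")
+destination = "local/smbkrb5pwd.ldif"
+}
+template {
+data = file("rfc2307bis.ldif")
+destination = "local/schema/rfc2307bis.ldif"
+}
+template {
+data = file("samba.ldif")
+destination = "local/schema/samba.ldif"
+}
+template {
+data = file("tree.ldif")
+destination = "local/ldif/tree.ldif"
+}
+resources {
+memory = 300
+}
+}
+}
+group ldpp-user-manager{
+network{
+mode = "host"
+port "http" {
+to = 80
+}
+}
+task ldap-user-manager {
+driver = "docker"
+service {
+name = "ldap-user-manager"
+port = "http"
+tags = [
+"traefik.enable=true",
+"traefik.http.routers.${NOMAD_JOB_NAME}.rule=Host(`ldap.ducamps.eu`)",
+"traefik.http.routers.${NOMAD_JOB_NAME}.tls.domains[0].sans=ldap.ducamps.win",
+"traefik.http.routers.${NOMAD_JOB_NAME}.tls.certresolver=myresolver",
+]
+}
+config {
+image = "wheelybird/ldap-user-manager"
+ports = ["http"]
+}
+template {
+data = <<EOH
+SERVER_HOSTNAME="ldap.ducamps.eu"
+LDAP_URI="ldaps://ldaps.service.consul"
+LDAP_BASE_DN="dc=ducamps,dc=eu"
+LDAP_ADMIN_BIND_DN="cn=admin,dc=ducamps,dc=eu"
+LDAP_GROUP_MEMBERSHIP_ATTRIBUTE = "member"
+{{ with secret "secrets/data/nomad/ldap"}}
+LDAP_ADMIN_BIND_PWD="{{ .Data.data.admin}}"
+{{end}}
+LDAP_IGNORE_CERT_ERRORS="true"
+LDAP_REQUIRE_STARTTLS="false"
+LDAP_ADMINS_GROUP="LDAP Operators"
+LDAP_USER_OU="users"
+NO_HTTPS="true"
+EMAIL_DOMAIN="ducamps.eu"
+
+EOH
+destination = "secrets/env"
+env = true
+}
+}
+}
+
+}
+
+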
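Review bot: The `openldap` task's env block sets `LDAP_ADMIN_USERNAME` but never `LDAP_ADMIN_PASSWORD`, and unlike `ldap-user-manager` it has no `secrets/env` template, so unless the password is injected somewhere outside this commit the directory comes up with whatever default admin password the `bitnami/openldap` image ships with. The `ldap-user-manager` task already reads `.Data.data.admin` from `secrets/data/nomad/ldap`, so the same secret can be rendered into the `openldap` task as an env template, which also gives the job-level `vault` block a consumer in that task. Two further points: all three images (`stakater/ssl-certs-generator`, `bitnami/openldap`, `wheelybird/ldap-user-manager`) are referenced without a tag or digest, so every redeploy may pull a different build; and `LDAP_IGNORE_CERT_ERRORS="true"` means the user manager never verifies the prestart-generated self-signed certificate it connects to over `ldaps://`, which deserves a comment stating why that is accepted, for example `# cert is regenerated on every alloc start by selfsignedCertificate, so it cannot be pinned here`.
```hcl
task "openldap" {
driver = "docker"
# … unchanged: service, config and env blocks …
template {
data = <<EOH
{{ with secret "secrets/data/nomad/ldap" }}
LDAP_ADMIN_PASSWORD="{{ .Data.data.admin }}"
{{ end }}
EOH
destination = "secrets/env"
env = true
}
# … unchanged: schema/ldif templates and resources …
```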
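--- a/nomad-job/openldap/rfc2307bis.ldif
+++ b/nomad-job/openldap/rfc2307bis.ldif
@@ -0,0 +1,159 @@
+# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
+# CRC32 6b6ad917
+dn: cn=rfc2307bis,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: rfc2307bis
+olcAttributeTypes: {0}( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field;
+the common name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
+olcAttributeTypes: {1}( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absol
+ute path to the home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4
+.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {2}( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'The path to
+the login shell' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
+.1.26 SINGLE-VALUE )
+olcAttributeTypes: {3}( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' EQUALITY int
+egerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.2
+7 SINGLE-VALUE )
+olcAttributeTypes: {4}( 1.3.6.1.1.1.1.6 NAME 'shadowMin' EQUALITY integerMat
+ch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL
+E-VALUE )
+olcAttributeTypes: {5}( 1.3.6.1.1.1.1.7 NAME 'shadowMax' EQUALITY integerMat
+ch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGL
+E-VALUE )
+olcAttributeTypes: {6}( 1.3.6.1.1.1.1.8 NAME 'shadowWarning' EQUALITY intege
+rMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 S
+INGLE-VALUE )
+olcAttributeTypes: {7}( 1.3.6.1.1.1.1.9 NAME 'shadowInactive' EQUALITY integ
+erMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+SINGLE-VALUE )
+olcAttributeTypes: {8}( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' EQUALITY intege
+rMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 S
+INGLE-VALUE )
+olcAttributeTypes: {9}( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' EQUALITY integerM
+atch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SIN
+GLE-VALUE )
+olcAttributeTypes: {10}( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExac
+tMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {11}( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' EQUALITY
+caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {12}( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Net
+group triple' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYN
+TAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {13}( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' DESC 'Service
+port number' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.
+3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {14}( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' DESC 'Ser
+vice protocol name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.12
+1.1.15 )
+olcAttributeTypes: {15}( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' DESC 'IP p
+rotocol number' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX
+1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {16}( 1.3.6.1.1.1.1.18 NAME 'oncRpcNumber' DESC 'ONC RPC
+number' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.
+4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {17}( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber' DESC 'IPv4 add
+resses as a dotted decimal omitting leading zeros or IPv6 add
+resses as defined in RFC2373' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.
+1.1466.115.121.1.26 )
+olcAttributeTypes: {18}( 1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber' DESC 'IP ne
+twork omitting leading zeros, eg. 192.168' EQUALITY caseIgnoreIA5Match SYNT
+AX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {19}( 1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber' DESC 'IP ne
+tmask omitting leading zeros, eg. 255.255.255.0' EQUALITY caseIgnoreIA5Matc
+h SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {20}( 1.3.6.1.1.1.1.22 NAME 'macAddress' DESC 'MAC addres
+s in maximal, colon separated hex notation, eg. 00:00:92:90:e
+e:e2' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {21}( 1.3.6.1.1.1.1.23 NAME 'bootParameter' DESC 'rpc.boo
+tparamd parameter' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
+21.1.26 )
+olcAttributeTypes: {22}( 1.3.6.1.1.1.1.24 NAME 'bootFile' DESC 'Boot image n
+ame' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {23}( 1.3.6.1.1.1.1.26 NAME 'nisMapName' DESC 'Name of a
+generic NIS map' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
+.15{64} )
+olcAttributeTypes: {24}( 1.3.6.1.1.1.1.27 NAME 'nisMapEntry' DESC 'A generic
+NIS entry' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{10
+24} SINGLE-VALUE )
+olcAttributeTypes: {25}( 1.3.6.1.1.1.1.28 NAME 'nisPublicKey' DESC 'NIS publ
+ic key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SING
+LE-VALUE )
+olcAttributeTypes: {26}( 1.3.6.1.1.1.1.29 NAME 'nisSecretKey' DESC 'NIS secr
+et key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SING
+LE-VALUE )
+olcAttributeTypes: {27}( 1.3.6.1.1.1.1.30 NAME 'nisDomain' DESC 'NIS domain'
+EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+olcAttributeTypes: {28}( 1.3.6.1.1.1.1.31 NAME 'automountMapName' DESC 'auto
+mount Map Name' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
+5 SINGLE-VALUE )
+olcAttributeTypes: {29}( 1.3.6.1.1.1.1.32 NAME 'automountKey' DESC 'Automoun
+t Key value' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 S
+INGLE-VALUE )
+olcAttributeTypes: {30}( 1.3.6.1.1.1.1.33 NAME 'automountInformation' DESC '
+Automount information' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.
+121.1.15 SINGLE-VALUE )
+olcObjectClasses: {0}( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Abstraction
+of an account with POSIX attributes' SUP top AUXILIARY MUST ( cn $ uid $ u
+idNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ ge
+cos $ description ) )
+olcObjectClasses: {1}( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' DESC 'Additional
+attributes for shadow passwords' SUP top AUXILIARY MUST uid MAY ( userPass
+word $ description $ shadowLastChange $ shadowMin $ shadowMax $ shadowWarni
+ng $ shadowInactive $ shadowExpire $ shadowFlag ) )
+olcObjectClasses: {2}( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction o
+f a group of accounts' SUP top AUXILIARY MUST gidNumber MAY ( userPassword
+$ memberUid $ description ) )
+olcObjectClasses: {3}( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an
+Internet Protocol service. Maps an IP port and protocol (suc
+h as tcp or udp) to one or more names; the distinguished valu
+e of the cn attribute denotes the services canonical
+name' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipServiceProtoco
+l ) MAY description )
+olcObjectClasses: {4}( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction o
+f an IP protocol. Maps a protocol number to one or more names
+. The distinguished value of the cn attribute denotes the pro
+tocol canonical name' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber ) MAY
+description )
+olcObjectClasses: {5}( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Abstraction of an
+Open Network Computing (ONC) [RFC1057] Remote Procedure Call
+(RPC) binding. This class maps an ONC RPC number to a name.
+The distinguished value of the cn attribute denotes
+the RPC service canonical name' SUP top STRUCTURAL MUST ( cn $ oncRpcNumbe
+r ) MAY description )
+olcObjectClasses: {6}( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a
+host, an IP device. The distinguished value of the cn attribu
+te denotes the hosts canonical name. Device SHOULD be used as a
+structural class' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( userPa
+ssword $ l $ description $ manager ) )
+olcObjectClasses: {7}( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Abstraction of
+a network. The distinguished value of the cn attribute denot
+es the network canonical name' SUP top STRUCTURAL MUST ipNetworkNumber MAY
+( cn $ ipNetmaskNumber $ l $ description $ manager ) )
+olcObjectClasses: {8}( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction
+of a netgroup. May refer to other netgroups' SUP top STRUCTUR
+AL MUST cn MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )
+olcObjectClasses: {9}( 1.3.6.1.1.1.2.9 NAME 'nisMap' DESC 'A generic abstrac
+tion of a NIS map' SUP top STRUCTURAL MUST nisMapName MAY description )
+olcObjectClasses: {10}( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in
+a NIS map' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) )
+olcObjectClasses: {11}( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'A device
+with a MAC address; device SHOULD be used as a structural cl
+ass' SUP top AUXILIARY MAY macAddress )
+olcObjectClasses: {12}( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A devic
+e with boot parameters; device SHOULD be used as a structural
+class' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) )
+olcObjectClasses: {13}( 1.3.6.1.1.1.2.14 NAME 'nisKeyObject' DESC 'An object
+with a public and secret key' SUP top AUXILIARY MUST ( cn $ nisPublicKey $
+nisSecretKey ) MAY ( uidNumber $ description ) )
+olcObjectClasses: {14}( 1.3.6.1.1.1.2.15 NAME 'nisDomainObject' DESC 'Associ
+ates a NIS domain with a naming context' SUP top AUXILIARY MUST nisDomain )
+olcObjectClasses: {15}( 1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTU
+RAL MUST automountMapName MAY description )
+olcObjectClasses: {16}( 1.3.6.1.1.1.2.17 NAME 'automount' DESC 'Automount in
+formation' SUP top STRUCTURAL MUST ( automountKey $ automountInformation )
+MAY description )
+olcObjectClasses: {17}( 1.3.6.1.1.1.2.18 NAME 'groupOfMembers' DESC 'A group
+with members (DNs)' SUP top STRUCTURAL MUST cn MAY ( businessCategory $ se
+eAlso $ owner $ ou $ o $ description $ member ) )
+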
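--- a/nomad-job/openldap/samba.ldif
+++ b/nomad-job/openldap/samba.ldif
@@ -0,0 +1,225 @@
+dn: cn=samba,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: samba
+olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'L
+anManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.1
+21.1.26{32} SINGLE-VALUE )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'M
+D4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4
+.1.1466.115.121.1.26{32} SINGLE-VALUE )
+olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC 'Ac
+count Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+{16} SINGLE-VALUE )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'T
+imestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
+1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DESC
+'Timestamp of when the user is allowed to update the password' EQUALITY integ
+erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DESC
+'Timestamp of when the password will expire' EQUALITY integerMatch SYNTAX 1.
+3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC 'Ti
+mestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
+1.27 SINGLE-VALUE )
+olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'T
+imestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.12
+1.1.27 SINGLE-VALUE )
+olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC '
+Timestamp of when the user will be logged off automatically' EQUALITY integer
+Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' D
+ESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.146
+6.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' D
+ESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.
+6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC '
+Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+{42} SINGLE-VALUE )
+olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'D
+river letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTAX 1.
+3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE )
+olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DESC
+'Logon script path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
+1.15{255} SINGLE-VALUE )
+olcAttributeTypes: {14}( 1.3.6.1.4.1.7165.2.1.35 NAME 'sambaProfilePath' DESC
+'Roaming profile path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
+21.1.15{255} SINGLE-VALUE )
+olcAttributeTypes: {15}( 1.3.6.1.4.1.7165.2.1.36 NAME 'sambaUserWorkstations'
+DESC 'List of user workstations the user is allowed to logon to' EQUALITY cas
+eIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{255} SINGLE-VALUE )
+olcAttributeTypes: {16}( 1.3.6.1.4.1.7165.2.1.37 NAME 'sambaHomePath' DESC 'Ho
+me directory UNC path' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.1
+21.1.15{128} )
+olcAttributeTypes: {17}( 1.3.6.1.4.1.7165.2.1.38 NAME 'sambaDomainName' DESC '
+Windows NT domain to which the user belongs' EQUALITY caseIgnoreMatch SYNTAX
+1.3.6.1.4.1.1466.115.121.1.15{128} )
+olcAttributeTypes: {18}( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial' DESC '
+Base64 encoded user parameter string' EQUALITY caseExactMatch SYNTAX 1.3.6.1.
+4.1.1466.115.121.1.15{1050} )
+olcAttributeTypes: {19}( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory' D
+ESC 'Concatenated MD5 hashes of the salted NT passwords used on this account'
+EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{32} )
+olcAttributeTypes: {20}( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID' DESC 'Securit
+y ID' EQUALITY caseIgnoreIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1
+.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' D
+ESC 'Primary Group Security ID' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.
+1.1466.115.121.1.26{64} SINGLE-VALUE )
+olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'Sec
+urity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+26{64} )
+olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC 'N
+T Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING
+LE-VALUE )
+olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DESC
+'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.
+1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {25}( 1.3.6.1.4.1.7165.2.1.22 NAME 'sambaNextGroupRid' DESC
+'Next NT rid to give out for groups' EQUALITY integerMatch SYNTAX 1.3.6.1.4.
+1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'Nex
+t NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1
+466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBase
+' DESC 'Base at which the samba RID generation algorithm should operate' EQUA
+LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC 'S
+hare Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SING
+LE-VALUE )
+olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC '
+Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
+1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: {30}( 1.3.6.1.4.1.7165.2.1.43 NAME 'sambaBoolOption' DESC '
+A boolean option' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 S
+INGLE-VALUE )
+olcAttributeTypes: {31}( 1.3.6.1.4.1.7165.2.1.44 NAME 'sambaIntegerOption' DES
+C 'An integer option' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
+.27 SINGLE-VALUE )
+olcAttributeTypes: {32}( 1.3.6.1.4.1.7165.2.1.45 NAME 'sambaStringOption' DESC
+'A string option' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121
+.1.26 SINGLE-VALUE )
+olcAttributeTypes: {33}( 1.3.6.1.4.1.7165.2.1.46 NAME 'sambaStringListOption'
+DESC 'A string list option' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.
+115.121.1.15 )
+olcAttributeTypes: {34}( 1.3.6.1.4.1.7165.2.1.53 NAME 'sambaTrustFlags' DESC '
+Trust Password Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115
+.121.1.26 )
+olcAttributeTypes: {35}( 1.3.6.1.4.1.7165.2.1.58 NAME 'sambaMinPwdLength' DESC
+'Minimal password length (default: 5)' EQUALITY integerMatch SYNTAX 1.3.6.1.
+4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength'
+DESC 'Length of Password History Entries (default: 0 => off)' EQUALITY intege
+rMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' DES
+C 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQU
+ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC 'M
+aximum password age, in seconds (default: -1 => never expire passwords)' EQUA
+LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'M
+inimum password age, in seconds (default: 0 => allow immediate password chang
+e)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {40}( 1.3.6.1.4.1.7165.2.1.63 NAME 'sambaLockoutDuration' D
+ESC 'Lockout duration in minutes (default: 30, -1 => forever)' EQUALITY integ
+erMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {41}( 1.3.6.1.4.1.7165.2.1.64 NAME 'sambaLockoutObservation
+Window' DESC 'Reset time after lockout in minutes (default: 30)' EQUALITY int
+egerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {42}( 1.3.6.1.4.1.7165.2.1.65 NAME 'sambaLockoutThreshold'
+DESC 'Lockout users after bad logon attempts (default: 0 => off)' EQUALITY in
+tegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DESC
+'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUALITY
+integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwdCh
+ange' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY inte
+gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPassword'
+DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octe
+tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTextP
+assword' DESC 'Previous clear text password (used for trusted domain password
+s)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {47}( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC 'T
+ype of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SING
+LE-VALUE )
+olcAttributeTypes: {48}( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' D
+ESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3.
+6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {49}( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DE
+SC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.1
+21.1.27 SINGLE-VALUE )
+olcAttributeTypes: {50}( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DESC
+'Fully qualified name of the domain with which a trust exists' EQUALITY case
+IgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+olcAttributeTypes: {51}( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC 'Ne
+tBIOS name of a domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.
+121.1.15{128} )
+olcAttributeTypes: {52}( 1.3.6.1.4.1.7165.2.1.75 NAME 'sambaTrustAuthOutgoing'
+DESC 'Authentication information for the outgoing portion of a trust' EQUALIT
+Y caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+olcAttributeTypes: {53}( 1.3.6.1.4.1.7165.2.1.76 NAME 'sambaTrustAuthIncoming'
+DESC 'Authentication information for the incoming portion of a trust' EQUALIT
+Y caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+olcAttributeTypes: {54}( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifier
+' DESC 'SID of a trusted domain' EQUALITY caseIgnoreIA5Match SUBSTR caseExact
+IA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+olcAttributeTypes: {55}( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrustIn
+fo' DESC 'Forest trust information for a trusted domain object' EQUALITY case
+ExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} )
+olcAttributeTypes: {56}( 1.3.6.1.4.1.7165.2.1.79 NAME 'sambaTrustPosixOffset'
+DESC 'POSIX offset of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.
+115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {57}( 1.3.6.1.4.1.7165.2.1.80 NAME 'sambaSupportedEncryptio
+nTypes' DESC 'Supported encryption types of a trust' EQUALITY integerMatch SY
+NTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Sam
+ba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MAY (
+cn $ sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ sambaLogonTime $ s
+ambaLogoffTime $ sambaKickoffTime $ sambaPwdCanChange $ sambaPwdMustChange $
+sambaAcctFlags $ displayName $ sambaHomePath $ sambaHomeDrive $ sambaLogonScr
+ipt $ sambaProfilePath $ description $ sambaUserWorkstations $ sambaPrimaryGr
+oupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCount $ sambaBad
+PasswordTime $ sambaPasswordHistory $ sambaLogonHours ) )
+olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'S
+amba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ sambaGrou
+pType ) MAY ( displayName $ description $ sambaSIDList ) )
+olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DESC
+'Samba Trust Password' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaNTPas
+sword $ sambaTrustFlags ) MAY ( sambaSID $ sambaPwdLastSet ) )
+olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPasswor
+d' DESC 'Samba Trusted Domain Password' SUP top STRUCTURAL MUST ( sambaDomain
+Name $ sambaSID $ sambaClearTextPassword $ sambaPwdLastSet ) MAY sambaPreviou
+sClearTextPassword )
+olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba D
+omain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY
+( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithmicRidB
+ase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaM
+axPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObservationWin
+dow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachinePwdChange
+) )
+olcObjectClasses: {5}( 1.3.6.1.4.1.7165.2.2.7 NAME 'sambaUnixIdPool' DESC 'Poo
+l for allocating UNIX uids/gids' SUP top AUXILIARY MUST ( uidNumber $ gidNumb
+er ) )
+olcObjectClasses: {6}( 1.3.6.1.4.1.7165.2.2.8 NAME 'sambaIdmapEntry' DESC 'Map
+ping from a SID to an ID' SUP top AUXILIARY MUST sambaSID MAY ( uidNumber $ g
+idNumber ) )
+olcObjectClasses: {7}( 1.3.6.1.4.1.7165.2.2.9 NAME 'sambaSidEntry' DESC 'Struc
+tural Class for a SID' SUP top STRUCTURAL MUST sambaSID )
+olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samba
+Configuration Section' SUP top AUXILIARY MAY description )
+olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba S
+hare Section' SUP top STRUCTURAL MUST sambaShareName MAY description )
+olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DESC
+'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sa
+mbaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringListoptio
+n $ description ) )
+olcObjectClasses: {11}( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DESC
+'Samba Trusted Domain Object' SUP top STRUCTURAL MUST cn MAY ( sambaTrustTyp
+e $ sambaTrustAttributes $ sambaTrustDirection $ sambaTrustPartner $ sambaFla
+tName $ sambaTrustAuthOutgoing $ sambaTrustAuthIncoming $ sambaSecurityIdenti
+fier $ sambaTrustForestTrustInfo $ sambaTrustPosixOffset $ sambaSupportedEncr
+yptionTypes) )
+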
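--- /dev/null
+++ b/nomad-job/openldap/smbkrb5pwd.ldif
@@ -0,0 +1,15 @@
+dn: cn=module,cn=config
+changetype: add
+cn: module
+objectClass: olcModuleList
+olcModuleLoad: smbkrb5pwd
+# olcModuleLoad: smbkrb5pwd_srv
+
+dn: olcOverlay=smbkrb5pwd,olcDatabase={2}mdb,cn=config
+changetype: add
+objectClass: top
+objectClass: olcOverlayConfig
+objectClass: olcSmbKrb5PwdConfig
+olcOverlay: smbkrb5pwd
+olcSmbKrb5PwdEnable: samba
+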
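Review bot: The overlay enabled by `olcSmbKrb5PwdEnable: samba` writes a password-equivalent NT hash into `sambaNTPassword` whenever a user's password is changed through the Password Modify extended operation, so the database's `olcAccess` rules must deny read of `sambaNTPassword` and `sambaLMPassword` to everything except the Samba bind identity; no such rule is part of this commit, so it presumably lives elsewhere or is still missing. The overlay DN hard-codes `olcDatabase={2}mdb`, and the add fails if the database index differs on the target server, so a comment such as `# {2}mdb must be the index of the dc=ducamps,dc=eu database on the target server` would help the next deployer. Existing accounts only get a Samba hash once their password is next changed through that operation, which is worth stating in the file as well.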
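--- /dev/null
+++ b/nomad-job/openldap/tree.ldif
@@ -0,0 +1,368 @@
+version: 1
+
+dn: dc=ducamps,dc=eu
+objectClass: dcObject
+objectClass: organization
+dc: ducamps
+o: ducamps
+
+dn: ou=users,dc=ducamps,dc=eu
+objectClass: organizationalUnit
+ou: users
+
+dn: ou=groups,dc=ducamps,dc=eu
+objectClass: organizationalUnit
+ou: groups
+
+dn: cn=lastGID,dc=ducamps,dc=eu
+objectClass: device
+objectClass: top
+cn: lastGID
+description: Records the last GID used to create a Posix group. This prevent
+ s the re-use of a GID from a deleted group.
+serialNumber: 1000019
+
+dn: cn=lastUID,dc=ducamps,dc=eu
+objectClass: device
+objectClass: top
+cn: lastUID
+description: Records the last UID used to create a Posix account. This preve
+ nts the re-use of a UID from a deleted account.
+serialNumber: 1000006
+
+
+dn: uid=hubert,ou=users,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: top
+cn: hubert
+gidNumber: 1000001
+homeDirectory: /home/hubert
+sn: hubert
+uid: hubert
+uidNumber: 1000003
+displayName: hubert
+loginShell: /bin/sh
+mail: hubertducamps@gmail.com
+shadowExpire: -1
+shadowFlag: 0
+shadowInactive: 0
+shadowLastChange: 19136
+shadowMax: 99999
+shadowMin: 0
+shadowWarning: 7
+
+dn: uid=olivier,ou=users,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: top
+cn: olivier
+gidNumber: 1000001
+homeDirectory: /home/olivier
+sn: olivier
+uid: olivier
+uidNumber: 1000002
+displayName: olivier
+loginShell: /bin/sh
+mail: olivier@ducamps.eu
+shadowExpire: -1
+shadowFlag: 0
+shadowInactive: 0
+shadowLastChange: 18857
+shadowMax: 99999
+shadowMin: 0
+shadowWarning: 7
+
+dn: uid=vincent,ou=users,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: top
+cn: vincent
+gidNumber: 1000001
+homeDirectory: /home/vincent
+sn: vincent
+uid: vincent
+uidNumber: 1000001
+displayName: vincent
+loginShell: /bin/zsh
+mail: vincent@ducamps.eu
+shadowExpire: -1
+shadowFlag: 0
+shadowInactive: 0
+shadowLastChange: 19213
+shadowMax: 99999
+shadowMin: 0
+shadowWarning: 7
+
+dn: uid=vaultServiceAccount,ou=users,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: top
+cn: vaultServiceAccount
+gidNumber: 1000001
+homeDirectory: /home/vaultServiceAccount
+sn: vaultServiceAccount
+uid: vaultServiceAccount
+uidNumber: 1000005
+displayName: vaultServiceAccount
+loginShell: /bin/sh
+shadowExpire: -1
+shadowFlag: 0
+shadowInactive: 0
+shadowLastChange: 19213
+shadowMax: 99999
+shadowMin: 0
+shadowWarning: 7
+
+dn: uid=supysonicServiceAccount,ou=users,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: posixAccount
+objectClass: shadowAccount
+objectClass: top
+cn: supysonicServiceAccount
+gidNumber: 1000001
+homeDirectory: /home/supysonicServiceAccount
+sn: supysonicServiceAccount
+uid: supysonicServiceAccount
+uidNumber: 1000006
+displayName: supysonicServiceAccount
+loginShell: /bin/sh
+shadowExpire: -1
+shadowFlag: 0
+shadowInactive: 0
+shadowLastChange: 19437
+shadowMax: 99999
+shadowMin: 100000
+shadowWarning: 7
+
+dn: cn=na_a,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: na_a
+gidNumber: 1000011
+member: cn=Directory Consumers,ou=groups,dc=ducamps,dc=eu
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: na_a
+memberUid: vincent
+
+dn: cn=NAS_user,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: NAS_user
+gidNumber: 1000013
+member: uid=hubert,ou=users,dc=ducamps,dc=eu
+member: uid=loic,ou=users,dc=ducamps,dc=eu
+member: uid=olivier,ou=users,dc=ducamps,dc=eu
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: NAS_user
+memberUid: admin
+memberUid: hubert
+memberUid: loic
+memberUid: olivier
+memberUid: vincent
+
+dn: cn=NAS_ebook,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: NAS_ebook
+gidNumber: 1000006
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: group owner of ebook folder
+displayName: NAS_ebook
+memberUid: admin
+memberUid: vincent
+
+dn: cn=NAS_media,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: NAS_media
+gidNumber: 1000003
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: group owner of media folder
+displayName: media
+memberUid: admin
+memberUid: vincent
+
+dn: cn=NAS_music,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: NAS_music
+gidNumber: 1000005
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: group owner of Music folder
+displayName: NAS_music
+memberUid: admin
+memberUid: vincent
+
+dn: cn=NAS_photo,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: NAS_photo
+gidNumber: 1000004
+member: uid=hubert,ou=users,dc=ducamps,dc=eu
+member: uid=olivier,ou=users,dc=ducamps,dc=eu
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: group owner of photo folder
+displayName: photo
+memberUid: admin
+memberUid: hubert
+memberUid: olivier
+memberUid: vincent
+
+dn: cn=serverAdmin,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: serverAdmin
+gidNumber: 1000016
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: server_admin
+memberUid: vincent
+
+dn: cn=vault_admin,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: vault_admin
+gidNumber: 1000014
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: vaultaccess
+memberUid: vincent
+
+dn: cn=NAS_download,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: NAS_download
+gidNumber: 1000007
+member: uid=olivier,ou=users,dc=ducamps,dc=eu
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: group owner du dossier download
+displayName: NAS_download
+memberUid: olivier
+memberUid: vincent
+
+dn: cn=JellyfinUsers,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: JellyfinUsers
+gidNumber: 1000012
+member: uid=hubert,ou=users,dc=ducamps,dc=eu
+member: uid=loic,ou=users,dc=ducamps,dc=eu
+member: uid=olivier,ou=users,dc=ducamps,dc=eu
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: JellyfinUsers
+memberUid: admin
+memberUid: loic
+memberUid: olivier
+memberUid: vincent
+
+dn: cn=administrators,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: administrators
+gidNumber: 1000002
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: System default admin group
+displayName: administrators
+memberUid: vincent
+
+dn: cn=LDAP Operators,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: Directory Operators
+cn: LDAP Operators
+gidNumber: 1000000
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+description: Directory default admin group
+displayName: Directory Operators
+memberUid: vincent
+
+dn: cn=SupysonicUsers,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: SupysonicUsers
+gidNumber: 1000018
+member: uid=hubert,ou=users,dc=ducamps,dc=eu
+member: uid=olivier,ou=users,dc=ducamps,dc=eu
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: SupysonicUsers
+memberUid: hubert
+memberUid: olivier
+memberUid: vincent
+
+dn: cn=SupysonicAdmins,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: SupysonicAdmins
+gidNumber: 1000019
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: SupysonicAdmins
+memberUid: vincent
+
+dn: cn=workstationAdmin,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: workstationAdmin
+gidNumber: 1000017
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: workstation_admin
+memberUid: vincent
+
+dn: cn=JellyfinAdministrator,ou=groups,dc=ducamps,dc=eu
+objectClass: extensibleObject
+objectClass: groupOfNames
+objectClass: posixGroup
+objectClass: top
+cn: JellyfinAdministrator
+gidNumber: 1000015
+member: uid=vincent,ou=users,dc=ducamps,dc=eu
+displayName: JellyfinAdministrator
+memberUid: vincent
+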
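Review bot: The two service accounts `uid=vaultServiceAccount` and `uid=supysonicServiceAccount` are full posixAccount/shadowAccount entries with `loginShell: /bin/sh` and a `/home/...` directory, so every host that resolves users from this tree treats them as interactive login accounts; bind-only identities should carry `loginShell: /usr/sbin/nologin` (and a home such as `/nonexistent`), or drop the posix classes altogether. `shadowMin: 100000` on supysonicServiceAccount differs from the `0` on every other entry and looks like a typo. Several references have no matching entry in this file: `member: uid=loic,...`, `member: cn=Directory Consumers,...`, `memberUid: admin`, and the primary `gidNumber: 1000001` shared by all users; these may be deliberate (entries left out of the export) or stale, but dangling members make group audits unreliable, so worth confirming. The `member` and `memberUid` lists also disagree in places (NAS_user lists `admin` only in memberUid, JellyfinUsers lists `hubert` only in member), so clients resolving membership by `member` and clients using `memberUid` see different groups.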
@ -105,10 +105,10 @@ http {
|
||||
SUPYSONIC_DAEMON_ENABLED = "true"
|
||||
SUPYSONIC_WEBAPP_LOG_LEVEL = "DEBUG"
|
||||
SUPYSONIC_DAEMON_LOG_LEVEL = "INFO"
|
||||
SUPYSONIC_LDAP_SERVER = "LDAP://ldap.ducamps.eu"
|
||||
SUPYSONIC_LDAP_BASE_DN = "dc=ducamps,dc=win"
|
||||
SUPYSONIC_LDAP_USER_FILTER = "(&(memberOf=CN=SupysonicUsers,cn=groups,dc=ducamps,dc=win))"
|
||||
SUPYSONIC_LDAP_ADMIN_FILTER= "(&(memberOf=CN=SupysonicAdmins,cn=groups,dc=ducamps,dc=win))"
|
||||
SUPYSONIC_LDAP_SERVER = "LDAPS://ldaps.service.consul"
|
||||
SUPYSONIC_LDAP_BASE_DN = "dc=ducamps,dc=eu"
|
||||
SUPYSONIC_LDAP_USER_FILTER = "(&(memberOf=cn=SupysonicUsers,ou=groups,dc=ducamps,dc=eu))"
|
||||
SUPYSONIC_LDAP_ADMIN_FILTER= "(&(memberOf=cn=SupysonicAdmins,ou=groups,dc=ducamps,dc=eu))"
|
||||
}
|
||||
|
||||
template {
|
||||
|
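Review bot: The new `SUPYSONIC_LDAP_USER_FILTER` and `SUPYSONIC_LDAP_ADMIN_FILTER` rely on the `memberOf` attribute, which OpenLDAP only maintains when the memberof overlay is configured on the database; the groups added in this commit are groupOfNames with `member` values, so the overlay can serve them, but no overlay configuration is visible in the commit, and without it both filters match nobody and every login is refused. Confirm the overlay exists on the target server (or add it next to the smbkrb5pwd overlay) before rolling this out. The single-term `(&(...))` wrapper is redundant; `(memberOf=cn=SupysonicUsers,ou=groups,dc=ducamps,dc=eu)` is equivalent and easier to read. The enclosing block starts outside the hunk.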
@ -78,7 +78,7 @@ resource "hetznerdns_record" "rootalias" {
|
||||
resource "powerdns_record" "mail" {
|
||||
zone= powerdns_zone.ducampseu.name
|
||||
type= "MX"
|
||||
name= "${powerdns_zone.ducampseu.name}"
|
||||
name= powerdns_zone.ducampseu.name
|
||||
ttl= 1700
|
||||
records = ["10 ${var.localEndpoint}"]
|
||||
}
|
||||
@ -113,10 +113,3 @@ resource "powerdns_record" "diskstation" {
|
||||
ttl= 1700
|
||||
records = ["192.168.1.10"]
|
||||
}
|
||||
resource "powerdns_record" "ldap" {
|
||||
zone= powerdns_zone.ducampseu.name
|
||||
type= "A"
|
||||
name= "ldap.${powerdns_zone.ducampseu.name}"
|
||||
ttl= 1700
|
||||
records = ["192.168.1.10"]
|
||||
}
|
||||
|
@ -34,7 +34,8 @@ variable cnameList{
|
||||
"vault",
|
||||
"vikunja",
|
||||
"www",
|
||||
"mail"
|
||||
"mail",
|
||||
"ldap"
|
||||
]
|
||||
}
|
||||
|
||||
|
@ -1,12 +1,13 @@
|
||||
resource "vault_ldap_auth_backend" "ldap" {
|
||||
path = "ldap"
|
||||
url = "ldap://ldap.ducamps.eu"
|
||||
userdn = "dc=ducamps,dc=win"
|
||||
url = "ldaps://ldaps.service.consul"
|
||||
userdn = "dc=ducamps,dc=eu"
|
||||
userattr = "uid"
|
||||
discoverdn = false
|
||||
groupdn = "cn=groups,dc=ducamps,dc=win"
|
||||
insecure_tls = true
|
||||
groupdn = "ou=groups,dc=ducamps,dc=eu"
|
||||
groupfilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"
|
||||
binddn = "uid=vaultserviceaccount,cn=users,dc=ducamps,dc=win"
|
||||
binddn = "uid=vaultserviceaccount,ou=users,dc=ducamps,dc=eu"
|
||||
groupattr = "cn"
|
||||
bindpass = var.ldap_bindpass
|
||||
}
|
||||
|
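Review bot: `insecure_tls = true` on the new side disables certificate verification, so the bind password from `var.ldap_bindpass` and every user's login credential go to whatever answers `ldaps.service.consul`, and the switch to `ldaps://` then protects only against passive observation. Pin the issuing CA with the backend's `certificate` argument instead, e.g. `certificate = file("<path-to-ldap-ca.pem>")`, and drop `insecure_tls`; if the Consul service presents a private CA, that CA is the one to pin. The `binddn` uses `uid=vaultserviceaccount` while the tree in this commit defines `uid=vaultServiceAccount`; `uid` matching is case-insensitive in the standard schema so the bind works, but using the same spelling avoids confusion when grepping for the account.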
@ -24,7 +24,8 @@ locals {
|
||||
"alertmanager",
|
||||
"vault-backup",
|
||||
"pdns",
|
||||
"torrent"
|
||||
"torrent",
|
||||
"ldap"
|
||||
]
|
||||
|
||||
}
|
||||
|