1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
- name: create custom schema directory
file:
path: '{{ freeipa_custom_schema_dir }}'
state: directory
recurse: yes
- name: copy jid schema
copy:
src: '{{ freeipa_custom_schema_dir[1:] }}/jid.ldif'
dest: '{{ freeipa_custom_schema_dir }}/jid.ldif'
- name: check if JIDObject exists in schema
shell: ldapsearch -QLLL -s base -b cn=schema objectclasses | grep -q JIDObject
changed_when: no
failed_when: no
register: ldapsearch_jidobject
- block:
- name: extend freeipa schema for JIDs
command: ipa-ldap-updater --schema-file '{{ freeipa_custom_schema_dir }}/jid.ldif'
- name: restart httpd
systemd:
name: httpd
state: restarted
when: ldapsearch_jidobject.rc != 0
- name: add index to jid attribute
ldap_entry:
dn: 'cn=jid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
objectClass:
- top
- nsIndex
attributes:
cn: jid
nsSystemIndex: false
nsIndexType: eq
bind_dn: cn=Directory Manager
bind_pw: '{{ freeipa_ds_password }}'
server_uri: ldaps://{{ ipa_host }}
register: jid_index
- name: regenerate indexes for jid attribute
ldap_entry:
dn: cn=jidindex,cn=index,cn=tasks,cn=config
objectClass:
- top
- extensibleObject
attributes:
cn: jidindex
nsInstance: userRoot
nsIndexAttribute: 'jid:eq'
bind_dn: cn=Directory Manager
bind_pw: '{{ freeipa_ds_password }}'
server_uri: ldaps://{{ ipa_host }}
when: jid_index.changed
- name: add default user object classes
ldap_attrs:
dn: cn=ipaConfig,cn=etc,{{ freeipa_basedn }}
attributes:
ipaUserObjectClasses:
- mailRecipient
- JIDObject
state: present
bind_dn: cn=Directory Manager
bind_pw: '{{ freeipa_ds_password }}'
server_uri: ldaps://{{ ipa_host }}
- name: add default group object classes
ldap_attrs:
dn: cn=ipaConfig,cn=etc,{{ freeipa_basedn }}
attributes:
ipaGroupObjectClasses:
- mailRecipient
state: present
bind_dn: cn=Directory Manager
bind_pw: '{{ freeipa_ds_password }}'
server_uri: ldaps://{{ ipa_host }}
- name: allow read access to custom user attributes
ipapermission:
ipaadmin_principal: '{{ ipa_user }}'
ipaadmin_password: '{{ ipa_pass }}'
name: 'System: Read User Addressbook Attributes'
attrs:
- mailAlternateAddress
- jid
action: member
state: present
- name: allow read access to custom group attributes
ipapermission:
ipaadmin_principal: '{{ ipa_user }}'
ipaadmin_password: '{{ ipa_pass }}'
name: 'System: Read Groups'
attrs:
- mail
- mailAlternateAddress
action: member
state: present
|