Add support for slapd on bookworm

ansible/plugins/lookup/file_src.py

@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
                 project_dir = debops.projectdir.ProjectDir(
                         config=project_config)
                 project_root = project_dir.path
-                config = project_dir.config.get(['views', 'system'])
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
             except NameError:
                 try:
                     project_root = find_debops_project(required=False)
@@ -151,7 +154,10 @@ def run(self, terms, variables=None, **kwargs):
                 project_dir = debops.projectdir.ProjectDir(
                         config=project_config)
                 project_root = project_dir.path
-                config = project_dir.config.get(['views', 'system'])
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
             except NameError:
                 try:
                     project_root = find_debops_project(required=False)

ansible/plugins/lookup/task_src.py

@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
                 project_dir = debops.projectdir.ProjectDir(
                         config=project_config)
                 project_root = project_dir.path
-                config = project_dir.config.get(['views', 'system'])
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
             except NameError:
                 try:
                     project_root = find_debops_project(required=False)
@@ -151,7 +154,10 @@ def run(self, terms, variables=None, **kwargs):
                 project_dir = debops.projectdir.ProjectDir(
                         config=project_config)
                 project_root = project_dir.path
-                config = project_dir.config.get(['views', 'system'])
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
             except NameError:
                 try:
                     project_root = find_debops_project(required=False)

ansible/plugins/lookup/template_src.py

@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
                 project_dir = debops.projectdir.ProjectDir(
                         config=project_config)
                 project_root = project_dir.path
-                config = project_dir.config.get(['views', 'system'])
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
             except NameError:
                 try:
                     project_root = find_debops_project(required=False)
@@ -152,7 +155,10 @@ def run(self, terms, variables=None, **kwargs):
                 project_dir = debops.projectdir.ProjectDir(
                         config=project_config)
                 project_root = project_dir.path
-                config = project_dir.config.get(['views', 'system'])
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
             except NameError:
                 try:
                     project_root = find_debops_project(required=False)

ansible/roles/ansible_plugins/lookup_plugins/file_src.py

@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
                 project_dir = debops.projectdir.ProjectDir(
                         config=project_config)
                 project_root = project_dir.path
-                config = project_dir.config.get(['views', 'system'])
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
             except NameError:
                 try:
                     project_root = find_debops_project(required=False)
@@ -151,7 +154,10 @@ def run(self, terms, variables=None, **kwargs):
                 project_dir = debops.projectdir.ProjectDir(
                         config=project_config)
                 project_root = project_dir.path
-                config = project_dir.config.get(['views', 'system'])
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
             except NameError:
                 try:
                     project_root = find_debops_project(required=False)

ansible/roles/ansible_plugins/lookup_plugins/task_src.py

@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
                 project_dir = debops.projectdir.ProjectDir(
                         config=project_config)
                 project_root = project_dir.path
-                config = project_dir.config.get(['views', 'system'])
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
             except NameError:
                 try:
                     project_root = find_debops_project(required=False)
@@ -151,7 +154,10 @@ def run(self, terms, variables=None, **kwargs):
                 project_dir = debops.projectdir.ProjectDir(
                         config=project_config)
                 project_root = project_dir.path
-                config = project_dir.config.get(['views', 'system'])
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
             except NameError:
                 try:
                     project_root = find_debops_project(required=False)

ansible/roles/ansible_plugins/lookup_plugins/template_src.py

@@ -90,7 +90,10 @@ def run(self, terms, inject=None, **kwargs):
                 project_dir = debops.projectdir.ProjectDir(
                         config=project_config)
                 project_root = project_dir.path
-                config = project_dir.config.get(['views', 'system'])
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
             except NameError:
                 try:
                     project_root = find_debops_project(required=False)
@@ -152,7 +155,10 @@ def run(self, terms, variables=None, **kwargs):
                 project_dir = debops.projectdir.ProjectDir(
                         config=project_config)
                 project_root = project_dir.path
-                config = project_dir.config.get(['views', 'system'])
+                if project_dir.config.get(['project', 'type']) == 'modern':
+                    config = project_dir.config.get([])
+                else:
+                    config = project_dir.config.get(['views', 'system'])
             except NameError:
                 try:
                     project_root = find_debops_project(required=False)

ansible/roles/slapd/defaults/main.yml

@@ -2,7 +2,8 @@
 # .. vim: foldmarker=[[[,]]]:foldmethod=marker
 
 # .. Copyright (C) 2016-2020 Maciej Delmanowski <drybjed@gmail.com>
-# .. Copyright (C) 2016-2020 DebOps <https://debops.org/>
+# .. Copyright (C) 2023 David Härdeman <david@hardeman.nu>
+# .. Copyright (C) 2016-2023 DebOps <https://debops.org/>
 # .. SPDX-License-Identifier: GPL-3.0-only
 
 # .. _slapd__ref_defaults:
@@ -63,11 +64,14 @@ slapd__default_schemas:
   - '{{ slapd__debops_schema_path + "/orgstructure.schema" }}'
 
   # Password Policy schema, included in the 'slapd' APT package
-  - '/etc/ldap/schema/ppolicy.schema'
+  # This schema is built-in since OpenLDAP 2.5.x
+  - '{{ "/etc/ldap/schema/ppolicy.schema"
+        if ansible_distribution_release in ["buster", "bullseye", "focal"]
+        else [] }}'
 
   # Support for 'host' and 'authorizedService' attributes, useful for granular
   # access control to services and machines
-  - '/etc/ldap/schema/fusiondirectory/ldapns.schema'
+  - '{{ slapd__debops_schema_path + "/ldapns.schema" }}'
 
   # Custom schema which defines a 'groupOfEntries' LDAP object which can create
   # empty groups
@@ -77,7 +81,7 @@ slapd__default_schemas:
   - '{{ slapd__debops_schema_path + "/openssh-lpk.schema" }}'
 
   # Support for 'sudo' rules in LDAP directory
-  - '/etc/ldap/schema/fusiondirectory/sudo.schema'
+  - '{{ slapd__debops_schema_path + "/sudo.schema" }}'
 
   # Support for 'eduPerson' and 'eduOrg' schema, included in DebOps
   - '{{ slapd__debops_schema_path + "/eduperson.schema" }}'
@@ -151,32 +155,26 @@ slapd__combined_schemas: '{{ slapd__default_schemas
 # .. envvar:: slapd__base_packages [[[
 #
 # List of required APT packages for OpenLDAP service.
-slapd__base_packages: [ 'slapd', 'ldap-utils', 'ssl-cert', 'libldap-common' ]
-
-                                                                   # ]]]
-# .. envvar:: slapd__rfc2307bis_packages [[[
-#
-# List of APT packages to install in preparation to use ``rfc2307bis`` schema
-# instead of the ``nis`` schema.
-slapd__rfc2307bis_packages: [ 'fusiondirectory-schema' ]
+slapd__base_packages:
+  - 'slapd'
+  - 'ldap-utils'
+  - 'ssl-cert'
+  - 'libldap-common'
+  - 'schema2ldif'
 
                                                                    # ]]]
 # .. envvar:: slapd__schema_packages [[[
 #
-# List of APT packages that contain LDAP schemas loaded into the directory by
-# the server. Debian has multiple ``fusiondirectory-*-schema`` and
-# ``gosa-*-schema`` packages that conflict with each other, therefore the list
-# of packages should be synchronized.
-slapd__schema_packages:
-
-  # Support for 'sudo' rules in LDAP
-  - 'fusiondirectory-plugin-sudo-schema'
+# List of APT packages that contain LDAP schemas to be loaded into the
+# directory by the server.
+slapd__schema_packages: []
 
                                                                    # ]]]
 # .. envvar:: slapd__packages [[[
 #
 # List of additional APT packages to install with OpenLDAP service.
 slapd__packages: []
+
                                                                    # ]]]
                                                                    # ]]]
 # OpenLDAP UNIX environment [[[
@@ -539,7 +537,11 @@ slapd__default_tasks:
 
   - name: 'Enable AutoGroup overlay in the main database'
     dn: 'olcOverlay={10}autogroup,olcDatabase={1}mdb,cn=config'
-    objectClass: [ 'olcOverlayConfig', 'olcAutomaticGroups' ]
+    objectClass:
+      - 'olcOverlayConfig'
+      - '{{ "olcAutomaticGroups"
+            if ansible_distribution_release in ["buster", "bullseye", "focal"]
+            else "olcAutoGroupConfig" }}'
     attributes:
       olcOverlay: '{10}autogroup'
 
@@ -648,13 +650,25 @@ slapd__default_tasks:
         - 'mailAlternateAddress set "this/mailAlternateAddress & this/mail"'
     state: 'exact'
 
-  - name: 'Configure AutoGroup overlay in the main database'
+  - name: 'Configure AutoGroup overlay in the main database (old naming)'
     dn: 'olcOverlay={10}autogroup,olcDatabase={1}mdb,cn=config'
     attributes:
       olcAGattrSet:
         - '{0}groupOfURLs memberURL member'
       olcAGmemberOfAd: 'memberOf'
-    state: 'exact'
+    state: '{{ "exact"
+               if ansible_distribution_release in ["buster", "bullseye", "focal"]
+               else "ignore" }}'
+
+  - name: 'Configure AutoGroup overlay in the main database'
+    dn: 'olcOverlay={10}autogroup,olcDatabase={1}mdb,cn=config'
+    attributes:
+      olcAutoGroupAttrSet:
+        - '{0}groupOfURLs memberURL member'
+      olcAutoGroupMemberOfAd: 'memberOf'
+    state: '{{ "exact"
+               if ansible_distribution_release not in ["buster", "bullseye", "focal"]
+               else "ignore" }}'
 
   - name: 'Configure LastBind overlay in the main database'
     dn: 'olcOverlay={11}lastbind,olcDatabase={1}mdb,cn=config'
@@ -1079,7 +1093,6 @@ slapd__structure_tasks:
     objectClass: 'organizationalRole'
     attributes:
       cn: 'Hidden Object Viewer'
-      memberOf: '{{ ([ "cn=Hidden Objects", "ou=Groups" ] + slapd__base_dn) | join(",") }}'
       description: 'LDAP objects which can see hidden objects'
 
   - name: 'Create cn=Hidden Objects group'
@@ -1088,11 +1101,15 @@ slapd__structure_tasks:
     attributes:
       cn: 'Hidden Objects'
       member:
-        - '{{ ([ "cn=Hidden Objects", "ou=Groups" ] + slapd__base_dn) | join(",") }}'
-        - '{{ ([ "cn=Hidden Object Viewer", "ou=Roles" ] + slapd__base_dn) | join(",") }}'
-      memberOf: '{{ ([ "cn=Hidden Objects", "ou=Groups" ] + slapd__base_dn) | join(",") }}'
+        - '{{ (["cn=Hidden Object Viewer", "ou=Roles"] + slapd__base_dn) | join(",") }}'
       description: 'LDAP objects which are accessible only by privileged accounts'
 
+  - name: 'Add cn=Hidden Objects group to itself'
+    dn: '{{ ["cn=Hidden Objects", "ou=Groups"] + slapd__base_dn }}'
+    attributes:
+      member:
+        - '{{ (["cn=Hidden Objects", "ou=Groups"] + slapd__base_dn) | join(",") }}'
+
   - name: 'Create cn=UNIX SSH users group'
     dn: '{{ [ "cn=UNIX SSH users", "ou=Groups" ] + slapd__base_dn }}'
     objectClass: [ 'groupOfEntries', 'posixGroup', 'posixGroupId',
@@ -1183,6 +1200,7 @@ slapd__combined_tasks: '{{ slapd__default_tasks
                            + slapd__tasks
                            + slapd__group_tasks
                            + slapd__host_tasks }}'
+
                                                                    # ]]]
                                                                    # ]]]
 # Backup snapshots [[[
@@ -1236,8 +1254,8 @@ slapd__ports:
   # Plaintext and StartTLS connections on port 389/tcp
   - 'ldap'
 
-  # Encrypted SSL connections on port 636/tcp (deprecated)
-  - '{{ "ldaps" if slapd__pki|bool else [] }}'
+  # Encrypted SSL connections on port 636/tcp
+  - '{{ "ldaps" if slapd__pki | bool else [] }}'
 
                                                                    # ]]]
 # .. envvar:: slapd__accept_any [[[
@@ -1292,6 +1310,7 @@ slapd__group_allow: []
 # List of IP addresses or CIDR subnets which should have access to the OpenLDAP
 # server, defined on specific hosts in the Ansible inventory.
 slapd__host_allow: []
+
                                                                    # ]]]
                                                                    # ]]]
 # LDAP Access Control List tests [[[
@@ -1596,6 +1615,7 @@ slapd__slapacl_combined_tests: '{{ slapd__slapacl_default_tests
                                    + slapd__slapacl_tests
                                    + slapd__slapacl_group_tests
                                    + slapd__slapacl_host_tests }}'
+
                                                                    # ]]]
                                                                    # ]]]
 # Configuration variables for other Ansible roles [[[
@@ -1711,5 +1731,6 @@ slapd__saslauthd__dependent_instances:
     socket_path: '/var/lib/slapd/saslauthd'
     socket_group: '{{ slapd__group }}'
     ldap_profile: 'slapd'
+
                                                                    # ]]]
                                                                    # ]]]

ansible/roles/slapd/files/etc/ldap/schema/debops/ldapns.schema

@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: GPL-2+
+#
+# Copied from Debian package: fusiondirectory-schema
+# Also available from: https://github.com/fusiondirectory/fusiondirectory/blob/fusiondirectory-1.0.19-security-debian/contrib/openldap/ldapns.schema
+# With the license here: https://github.com/fusiondirectory/fusiondirectory/blob/fusiondirectory-1.0.19-security-debian/COPYING
+
+
+# $Id: ldapns.schema,v 1.3 2003/05/29 12:57:29 lukeh Exp $
+
+# LDAP Name Service Additional Schema
+
+# http://www.iana.org/assignments/gssapi-service-names
+
+attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
+	DESC 'IANA GSS-API authorized service name'
+	EQUALITY caseIgnoreMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+
+objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
+	DESC 'Auxiliary object class for adding authorizedService attribute'
+	SUP top
+	AUXILIARY
+	MAY authorizedService )
+
+objectclass ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
+	DESC 'Auxiliary object class for adding host attribute'
+	SUP top
+	AUXILIARY
+	MAY host )
+