uubk · F1rst-Unicorn · Sep 17, 2019 · Sep 17, 2019 · Sep 28, 2019 · Mar 5, 2020
diff --git a/README.md b/README.md
@@ -33,6 +33,7 @@ This role sets up 389ds in multi-master mode.
 | `auth_kerberos_admin_privs` | `[]` | Kerberos principals to grant administrative permissions to (see defaults/main.yml for format) |
 | `auth_ldap_store_pam` | `True` | Whether to actually store the generated 389ds PAM config. Useful if you want to customize it using another role |
 |`auth_kerberos_curves` | `edwards25519` | Curves to use for kerberos SPAKE |
+| `auth_ldap_use_memberof_plugin` | `False` | Whether to enable the `memberOf` LDAP plugin. |
 
 Users can be created by putting them into `auth_ldap_users` as a dict with the following format:
 ```
@@ -47,6 +48,14 @@ auth_ldap_users:
 ```
 After running the playbook, use `kadmin.local` on one of the servers and do `cpw foobar` to set a password.
 
+## FAQ
+
+### Enabling memberOf plugin
+If you enable the memberOf plugin by setting the `auth_ldap_user_memberof_plugin` variable to true, you need to pay attention to a few points:
+
+* The user objects that should have the memberOf need to have the `objectClass` `inetUser` set. More information about `inetUser` can be found [here](https://msg.wikidoc.info/index.php/InetUser_LDAP_Object_Class#targetText=InetUser%20LDAP%20Object%20Class&targetText=For%20Mail%3A,for%20creating%20a%20mail%20account.&targetText=Group%20entries%20may%20be%20extended%20with%20this%20class.).
+* If you're enabling memberOf on an existing database you will have to do an initial sync of the memberOf field, as described in section 5 [here](https://access.redhat.com/solutions/28282).
+
 ## License
 Apache 2.0, except for the included LDAP schemas:
  * `files/kerberos.ldif` is `CoPyRiGhT=(c) Copyright 2006, Novell, Inc.  All rights reserved` and has been extracted from the freely available openLDAP source.

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -85,7 +85,7 @@ auth_ldap_service_accounts:
     ktmode: "0640"
 
 # Permissions. This should give you a sensible default, tweak as needed
-auth_ldap_noncritical_filter: "dn || krbLastSuccessfulAuth || krbLastPwdChange || krbPasswordExpiration || krbLoginFailedCount || uid || objectClass || uidNumber || gidNumber || sn || homeDirectory || mail || givenName || cn || sendAlias || alias || mailboxTransport || canReceiveExternally || canSendExternally || mailboxQuota || primaryMail"
+auth_ldap_noncritical_filter: "dn || krbLastSuccessfulAuth || krbLastPwdChange || krbPasswordExpiration || krbLoginFailedCount || uid || objectClass || uidNumber || gidNumber || sn || homeDirectory || mail || givenName || cn || sendAlias || alias || mailboxTransport || canReceiveExternally || canSendExternally || mailboxQuota || primaryMail || memberOf"
 auth_ldap_noncritical_group_filter: "dn || objectClass || cn || member || memberUid || description || uniqueMember || alias || sendAlias"
 auth_ldap_permissions:
   - target: "{{ auth_ldap_domain_ldap }}"
@@ -122,5 +122,14 @@ auth_ldap_system_users:
     gid: 1000
     initialPassword: "{{ auth_kerberos_ldap_password }}"
 
+# `inetUser` is added, too, if the memberOf plugin is enabled
+auth_ldap_user_objectclasses:
+  - posixAccount
+  - top
+  - inetOrgPerson
+
 # Whether to actually store the pam kerberos passthrough config
 auth_ldap_store_pam: True
+
+# Whether to enable the memberOf plugin
+auth_ldap_use_memberof_plugin: False
diff --git a/tasks/389-acl.yml b/tasks/389-acl.yml
@@ -17,10 +17,7 @@
     ldap_entry:
       dn: "cn={{ item.name }},ou=TechnicalUsers,{{ auth_ldap_domain_ldap }}"
       server_uri: "{{ auth_ldap_ansible_url }}"
-      objectClass:
-        - posixAccount
-        - top
-        - inetOrgPerson
+      objectClass: "{{ auth_ldap_user_objectclasses }}"
       bind_dn: "cn=Directory Manager"
       bind_pw: "{{ auth_ldap_admin_pwd }}"
       state: present

diff --git a/tasks/389-replication.yml b/tasks/389-replication.yml
@@ -128,3 +128,20 @@
     with_dict:
       nsslapd-pluginEnabled: 'on'
     notify: restart dirsrv
+
+# Disable replication of the memberOf field in multi master setup
+# this should be done according to the documentation [here](https://access.redhat.com/solutions/28282)
+  - name: Configure replication for memberOf plugin
+    ldap_attr:
+      dn: "cn={{ item[0] }}-to-{{ item[1] }},cn=replica,cn={{ auth_ldap_domain_ldap | replace(\"=\", \"\\=\") | replace(\",\", \"\\,\")}},cn=mapping tree,cn=config" 
+      server_uri: "{{ auth_ldap_ansible_url }}"
+      bind_dn: "cn=Directory Manager"
+      bind_pw: "{{ auth_ldap_admin_pwd }}"
+      state: exact
+      name: "nsds5replicatedattributelist"
+      values: (objectclass=*) $ EXCLUDE memberof
+    when: (item[0] != item[1]) and (item[1] == ansible_fqdn)
+    with_cartesian:
+      - "{{ groups[auth_ldap_group] }}"
+      - "{{ groups[auth_ldap_group] }}"
+    notify: restart dirsrv
diff --git a/tasks/389-setup.yml b/tasks/389-setup.yml
@@ -292,5 +292,18 @@
       nsslapd-exclude-suffix: 'cn=config'
     notify: restart dirsrv
 
+  - name: Enable or disable Memberof Plugin
+    ldap_attr:
+      dn: "cn=MemberOf Plugin,cn=plugins,cn=config"
+      server_uri: "{{ auth_ldap_ansible_url }}"
+      bind_dn: "cn=Directory Manager"
+      bind_pw: "{{ auth_ldap_admin_pwd }}"
+      state: exact
+      name: "{{ item.key }}"
+      values: "{{ item.value }}"
+    with_dict:
+      nsslapd-pluginEnabled: "{% if auth_ldap_use_memberof_plugin %}on{% else %}off{% endif %}"
+    notify: restart dirsrv
+
   # If we changed the haproxy config, this will restart the server and activate it
   - meta: flush_handlers
diff --git a/tasks/content.yml b/tasks/content.yml
@@ -4,10 +4,7 @@
     ldap_entry:
       dn: "uid={{ item.id }},ou=Users,{{ auth_ldap_domain_ldap }}"
       server_uri: "{{ auth_ldap_ansible_url }}"
-      objectClass:
-        - posixAccount
-        - top
-        - inetOrgPerson
+      objectClass: "{{ auth_ldap_user_objectclasses }}"
       bind_dn: "cn=Directory Manager"
       bind_pw: "{{ auth_ldap_admin_pwd }}"
       state: present

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -22,6 +22,10 @@
       - ldap
       - kerberos
 
+  - import_tasks: variable-initialisation.yml
+    tags:
+      - ldap
+
   - import_tasks: 389-setup.yml
     tags:
       - ldap

diff --git a/tasks/variable-initialisation.yml b/tasks/variable-initialisation.yml
@@ -0,0 +1,6 @@
+---
+
+  - name: Add inetUser to system users
+    when: auth_ldap_use_memberof_plugin | bool
+    set_fact:
+      auth_ldap_user_objectclasses: "{{ auth_ldap_user_objectclasses + ['inetUser'] }}"
-Original file line number
+Diff line change
@@ Expand Up / @@ -22,6 +22,10 @@ @@
           - ldap
           - kerberos
+      - import_tasks: variable-initialisation.yml
+        tags:
+          - ldap
       - import_tasks: 389-setup.yml
         tags:
           - ldap
@@ Expand Down @@