Update to 2022-04-04 17:00

This commit is contained in:
Daniel Berteaud
2022-04-04 17:00:09 +02:00
parent 3c169b625d
commit 85842b657d
7 changed files with 13 additions and 12 deletions


@@ -87,20 +87,20 @@ pg_roles_to_remove: []
# Turn on or off ldap auth
pg_ldap_auth: False
# LDAP server to query. You can enter several servers separated by space
pg_ldap_host: "{{ (ad_ldap_servers is defined) | ternary(ad_ldap_servers | join(' '), (ldap_uri is defined) | ternary(ldap_uri | urlsplit('hostname'), 'ldap.' ~ ansible_domain)) }}"
pg_ldap_host: "{{ (ad_ldap_servers is defined) | ternary(ad_ldap_servers | default('') | join(' '), (ldap_uri is defined) | ternary(ldap_uri | default('') | urlsplit('hostname'), 'ldap.' ~ ansible_domain)) }}"
# port of the ldap server
pg_ldap_port: 389
# Should starttls be used
pg_ldap_starttls: True
# Base DN where postgres will lookup your users
pg_ldap_basedn: "{{ (ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base, (ldap_base is defined) | ternary(ldap_base, ansible_domain | regex_replace('\\.', ',DC='))) }}"
pg_ldap_basedn: "{{ (ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base | default(''), (ldap_base is defined) | ternary(ldap_base | default(''), ansible_domain | regex_replace('\\.', ',DC='))) }}"
# Bind DN and bind password for postgres to lookup users. If not defined, the lookup will be done anonymously
# pg_ldap_binddn: postgres@{{ ansible_domain }}
# pg_ldap_bindpasswd: S3cr3t.
# The filter to search for user. $username will be replaced by the postgres user whose password is being verified
pg_ldap_searchfilter: "{{ ad_auth | default(False) | ternary('(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(sAMAccountName=$username))', '(&(objectClass=inetOrgPerson)(uid=$username))') }}"
# Connection type for which ldap auth will be attempted. Note that for security reason you shouldn't set it to host as it'd allow LDAP password
# to be sent unencrypted over between the postgres client and server (even is the postgres server then uses TLS to check the password against the LDAP server)
# to be sent unencrypted between the postgres client and server (even is the postgres server then uses TLS to check the password against the LDAP server)
pg_ldap_conn_type: hostssl
# Limit for which user / roles the ldap auth will be used (third field in pg_hba.conf)
pg_ldap_roles: '+ldap_roles'
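Review bot: The new `pg_ldap_basedn` line keeps a fallback that, for `ansible_domain: example.com`, expands to `example,DC=com` — the first component carries no `DC=` attribute, so unless a consumer prepends it this is not a valid base DN and LDAP lookups will fail whenever neither `ad_ldap_user_search_base` nor `ldap_base` is set; the last ternary argument should read `'DC=' ~ (ansible_domain | regex_replace('\\.', ',DC='))`. The `default('')` filters added on the `pg_ldap_host` and `pg_ldap_basedn` lines are presumably needed because every argument of `ternary` is evaluated before one is chosen, and that is worth stating in a comment above `pg_ldap_host` so the next editor does not strip the seemingly redundant filters, e.g. `# default('') is required: all ternary arguments are evaluated, even for the branch not taken`. The reworded comment above `pg_ldap_conn_type` still says "even is the postgres server" where "even if" is meant. Finally, `pg_ldap_auth: False` and `pg_ldap_starttls: True` use YAML 1.1 capitalised booleans; `false`/`true` is the portable form and what yamllint's `truthy` rule expects.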