Update to 2022-03-19 00:00

2025-04-16 18:23:40 +02:00 · 2022-03-19 00:00:06 +01:00 · 2022-03-19 00:00:06 +01:00 · 9ddd7b99c0
commit 9ddd7b99c0
parent 897e3c74b4
4 changed files with 40 additions and 13 deletions
--- a/roles/postgresql_server/defaults/main.yml
+++ b/roles/postgresql_server/defaults/main.yml
@ -80,3 +80,27 @@ pg_roles_to_remove: []

 # If defined, a Let's Encrypt cert will be obtained and used
 # pg_letsencrypt_cert: postgres.example.org
+
+# LDAP authentication
+# You can enable ldap auth, see https://www.postgresql.org/docs/current/auth-ldap.html
+# Note that only the search+bind mode is supported
+# Turn on or off ldap auth
+pg_ldap_auth: False
+# LDAP server to query. You can enter several servers separated by space
+pg_ldap_host: "{{ (ad_ldap_servers is defined) | ternary(ad_ldap_servers | join(' '), (ldap_uri is defined) | ternary(ldap_uri | urlsplit('hostname'), 'ldap.' ~ ansible_domain)) }}"
+# port of the ldap server
+pg_ldap_port: 389
+# Should starttls be used
+pg_ldap_starttls: True
+# Base DN where postgres will lookup your users
+pg_ldap_basedn: "{{ (ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base, (ldap_base is defined) | ternary(ldap_base, ansible_domain | regex_replace('\\.', ',DC='))) }}"
+# Bind DN and bind password for postgres to lookup users. If not defined, the lookup will be done anonymously
+# pg_ldap_binddn: postgres@{{ ansible_domain }}
+# pg_ldap_bindpasswd: S3cr3t.
+# The filter to search for user. $username will be replaced by the postgres user whose password is being verified
+pg_ldap_searchfilter: "{{ ad_auth | default(False) | ternary('(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(sAMAccountName=$username))', '(&(objectClass=inetOrgPerson)(uid=$username))') }}"
+# Connection type for which ldap auth will be attempted. Note that for security reason you shouldn't set it to host as it'd allow LDAP password
+# to be sent unencrypted over between the postgres client and server (even is the postgres server then uses TLS to check the password against the LDAP server)
+pg_ldap_conn_type: hostssl
+# Limit for which user / roles the ldap auth will be used (third field in pg_hba.conf)
+pg_ldap_roles: '+ldap_roles'
--- a/roles/postgresql_server/tasks/main.yml
+++ b/roles/postgresql_server/tasks/main.yml
@ -24,7 +24,7 @@
    - cert_path: /var/lib/pgsql/ssl/server.crt
    - cert_key_path: /var/lib/pgsql/ssl/server.key
    - cert_key_group: postgres
-    - cert_key_mode: 0640
+    - cert_key_mode: '640'
  tags: pg

 - name: Install dehydrated hook
--- a/roles/postgresql_server/templates/pg_hba.conf.j2
+++ b/roles/postgresql_server/templates/pg_hba.conf.j2
@ -2,4 +2,7 @@
 local    all    all        peer
 host    all    all    127.0.0.1/32    md5
 host    all    all    ::1/128    md5
+{% if pg_ldap_auth %}
+{{ pg_ldap_conn_type }}    all    {{ pg_ldap_roles }}    0.0.0.0/0    ldap ldapserver="{{ pg_ldap_host }}" ldapport={{ pg_ldap_port }} ldaptls={{ pg_ldap_starttls | ternary('1', '0') }} ldapbasedn="{{ pg_ldap_basedn }}" ldapbinddn="{{ pg_ldap_binddn }}" ldapbindpasswd="{{ pg_ldap_bindpasswd }}" ldapsearchfilter="{{ pg_ldap_searchfilter }}"
+{% endif %}
 host    all    all    0.0.0.0/0    md5
--- a/roles/sftpgo/tasks/conf.yml
+++ b/roles/sftpgo/tasks/conf.yml
@ -27,8 +27,8 @@
  vars:
    cert_path: "{{ sftpgo_root_dir }}/etc/ssl/ftpd.crt"
    cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/ftpd.key"
-    cert_group: "{{ sftpgo_user }}"
-    cert_mode: 640
+    cert_key_group: "{{ sftpgo_user }}"
+    cert_key_mode: 640
  tags: sftpgo

 - name: Generate self-signed certificate for webdavd
@ -36,8 +36,8 @@
  vars:
    cert_path: "{{ sftpgo_root_dir }}/etc/ssl/webdavd.crt"
    cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/webdavd.key"
-    cert_group: "{{ sftpgo_user }}"
-    cert_mode: 640
+    cert_key_group: "{{ sftpgo_user }}"
+    cert_key_mode: 640
  tags: sftpgo

 - name: Generate self-signed certificate for httpd
@ -45,8 +45,8 @@
  vars:
    cert_path: "{{ sftpgo_root_dir }}/etc/ssl/httpd.crt"
    cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/httpd.key"
-    cert_group: "{{ sftpgo_user }}"
-    cert_mode: 640
+    cert_key_group: "{{ sftpgo_user }}"
+    cert_key_mode: 640
  tags: sftpgo

 - name: Generate self-signed certificate for telemetry
@ -54,8 +54,8 @@
  vars:
    cert_path: "{{ sftpgo_root_dir }}/etc/ssl/telemetry.crt"
    cert_key_path: "{{ sftpgo_root_dir }}/etc/ssl/telemetry.key"
-    cert_group: "{{ sftpgo_user }}"
-    cert_mode: 640
+    cert_key_group: "{{ sftpgo_user }}"
+    cert_key_mode: 640
  tags: sftpgo

 - name: Set permissions on certificates