[slapd] soyouz, query and regex

group_vars/ldap_server.yml

@@ -1,7 +1,8 @@
 ---
 
 glob_slapd:
-  master_ip: 172.16.10.1
+  master_ip: "{{ query('ldap', 'ipv4', 'tealc', 'adm') | first }}"
+  regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*)$"
   replication_credentials: "{{ vault_ldap_replication_credentials }}"
   private_key: "{{ vault_ldap_private_key }}"
   certificate: "{{ vault_ldap_certificate }}"

host_vars/daniel.adm.crans.org.yml

@@ -1,5 +1,5 @@
 ---
 loc_slapd:
-  ip: 172.16.10.12
+  ip: "{{ query('ldap', 'ipv4', 'daniel', 'adm') | first }}"
   replica: true
   replica_rid: 2

host_vars/jack.adm.crans.org.yml

@@ -1,5 +1,5 @@
 ---
 loc_slapd:
-  ip: 172.16.10.13
+  ip: "{{ query('ldap', 'ipv4', 'jack', 'adm') | first }}"
   replica: true
   replica_rid: 3

host_vars/sam.adm.crans.org.yml

@@ -1,5 +1,5 @@
 ---
 loc_slapd:
-  ip: 172.16.10.11
+  ip: "{{ query('ldap', 'ipv4', 'sam', 'adm') | first }}"
   replica: true
   replica_rid: 1

host_vars/sputnik.adm.crans.org

@@ -0,0 +1,5 @@
+---
+loc_slapd:
+  ip: "{{ query('ldap', 'ipv4', 'sputnik', 'adm') | first }}"
+  replica: true
+  replica_rid: 4

hosts

@@ -66,6 +66,7 @@ tealc.adm.crans.org
 sam.adm.crans.org
 daniel.adm.crans.org
 jack.adm.crans.org
+sputnik.adm.crans.org
 
 [linx]
 linx.adm.crans.org

ldap.yml

@@ -1,5 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-- hosts: daniel
-  roles:
-    - slapd

lookup_plugins/ldap.py

@@ -60,6 +60,21 @@ class LookupModule(LookupBase):
         result = [res.decode('utf-8') for res in result['ipHostNumber']]
         return result
 
+    def ipv4(self, host, vlan):
+        if isinstance(vlan, int):
+            network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}")
+            network_result = self.base.result(network_query_id)
+            vlan = network_result[1][0][1]['cn'][0].decode('utf-8')
+        if vlan == 'srv':
+            query_id = self.base.search(f"cn={host}.crans.org,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
+        else:
+            query_id = self.base.search(f"cn={host}.{vlan}.crans.org,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE)
+        result = self.base.result(query_id)
+        result = result[1][0][1]
+        result = [res.decode('utf-8') for res in result['ipHostNumber']]
+        result = [ res for res in result if type(ipaddress.ip_address(res)) is ipaddress.IPv4Address ]
+        return result
+
     def all_ip(self, host):
         """
         Retrieve all IP addresses of a device
@@ -141,6 +156,8 @@ class LookupModule(LookupBase):
             result = self.query(*terms[1:])
         elif terms[0] == 'ip':
             result = self.ip(*terms[1:])
+        elif terms[0] == 'ipv4':
+            result = self.ipv4(*terms[1:])
         elif terms[0] == 'all_ip':
             result = self.all_ip(*terms[1:])
         elif terms[0] == 'cn':

plays/root.yml

@@ -48,11 +48,7 @@
     - qemu-guest-agent
     - serial-tty
 
-- hosts: ldap_server
+- import_playbook: slapd.yml
-  vars:
-    slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}'
-  roles:
-    - slapd
 
 - hosts: server
   vars:

plays/slapd.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: ldap_server
+  vars:
+    slapd: '{{ glob_slapd | default({}) | combine(loc_slapd | default({})) }}'
+  roles:
+    - slapd

roles/slapd/templates/ldap/slapd.conf.j2

@@ -31,7 +31,7 @@ auditlog 		/var/log/openldap/auditlog.log
 
 moduleload constraint
 overlay constraint
-constraint_attribute description regex ^(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius)$
+constraint_attribute description regex {{ slapd.regex }}
   restrict=ldap:///ou=hosts,dc=crans,dc=org??one?(objectClass=device)
 constraint_attribute uid regex ^_
   restrict=ldap:///ou=passwd,dc=crans,dc=org??one?(objectClass=posixAccount)