feat: slapd group & systemd

roles/usermanagement/templates/ldap.conf

@@ -0,0 +1,2 @@
+BASE {{ ldap_bind_dn }}
+URI {{ ldap_connection_url }}

roles/usermanagement/templates/slapd-custom.service

@@ -0,0 +1,29 @@
+[Unit]
+Description=Slapd Custom Service
+
+[Service]
+
+Type=forking
+ExecStart=/usr/sbin/slapd -f /etc/ldap/slapd.conf -h "ldapi:/// ldap:///"
+
+User=openldap
+Group=openldap
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+Restart=on-failure
+
+PrivateTmp=yes
+ProtectSystem=full
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+NoNewPrivileges=yes
+MountFlags=private
+SystemCallArchitectures=native
+PrivateDevices=yes
+
+[Install]
+WantedBy=multi-user.target

roles/usermanagement/templates/slapd.conf

@@ -1,8 +1,8 @@
 modulepath /usr/lib/ldap/
 moduleload back_bdb.la
 
-pidfile         /var/run/slapd.pid
-argsfile        /var/run/slapd.args
+pidfile         /var/lib/ldap/slapd.pid
+argsfile        /var/lib/ldap/slapd.args
 
 include /etc/ldap/schema/core.schema
 include /etc/ldap/schema/cosine.schema
@@ -14,14 +14,15 @@ suffix      "{{ ldap_suffix }}"
 rootdn      "{{ ldap_bind_dn }}"
 rootpw      {SSHA}HISTORY_PURGED_SECRET
 
-TLSCACertificateFile  /etc/ssl/certs/ca-certificates.crt
-TLSCertificateFile    /etc/letsencrypt/live/ldap.atlantishq.de/cert.pem
-TLSCertificateKeyFile /etc/letsencrypt/live/ldap.atlantishq.de/privkey.pem
+#TLSCACertificateFile  /etc/ssl/certs/ca-certificates.crt
+#TLSCertificateFile    /etc/letsencrypt/live/ldap.atlantishq.de/cert.pem
+#TLSCertificateKeyFile /etc/letsencrypt/live/ldap.atlantishq.de/privkey.pem
 TLSVerifyClient try
 
 
 logfile /var/log/slapd.log
-loglevel -1
+#loglevel -1
+loglevel none
 
 directory /var/lib/ldap/
 cachesize 2000