On Mar 31, Jan Kowalsky wrote:
Since (most of? all?) other roles just rely on remote ssh connections I
didn't think about this possibility. Is there any reason why the ldap
statements are not executed remote? And is there any possibility to
change this behaviour?
When I designed the 'ldap' role and how it is used within DebOps, I had an
idea that different people could operate on the LDAP directory using their own
credentials from separate Ansible Controllers. For example, you could have
a helpdesk team that handled the deployment of user machines and using their
credentials and ACL configuration they could add new ou=Hosts entries to the
directory without involvement of the main administrators, essentially "joining
the domain" (I think that's how it's done in the AD and FreeIPA?).
Additionally at the time the 'root' UNIX account on the OpenLDAP server did
not have management access to the main LDAP branch, only cn=config, due to
ACLs set in OpenLDAP. This has subsequently changed and now the 'slapd' role
can operate on the main directory tree.
As for handling this in your environment... The 'ldap' role has
'ldap__admin_delegate_to' variable which can be modified to delegate the tasks
to another host. That way you should be able to set up an "admin" host inside
of your network and run the tasks there over SSH. You would have to take care
of the credentials - probably creating a separate "admin account" would be
best, so that your own credentials are not put somewhere easily accessible.
Check the "LDAP administrative access" section in the 'ldap' role defaults,
and the corresponding documentation for more details. Let me know if you
managed to handle this.
Cheers,
Maciej