Imported sources.

bootstrap/ldif/add-member.ldif

@@ -0,0 +1,6 @@
+dn: cn={{ name }},ou={{ group_ou }},{{ base_dn }}
+changeType: modify
+add: member
+{% for uid in uids -%}
+member: uid={{ uid }},ou={{ member_ou }},{{ base_dn }}
+{% endfor %}

bootstrap/ldif/admins.ldif

@@ -0,0 +1,9 @@
+dn: uid={{ uid }},ou=users,{{ base_dn }}
+objectClass: inetOrgPerson
+objectClass: shadowAccount
+uid: {{ uid }}
+givenName: {{ gn }}
+sn: {{ sn }}
+cn: {{ gn }} {{ sn }}
+mail: {{ mail }}
+userPassword: {{ password_hash }}

bootstrap/ldif/base.ldif

@@ -0,0 +1,19 @@
+dn: ou=users,{{ base_dn }}
+objectClass: organizationalUnit
+ou: users
+description: All users
+
+dn: ou=groups,{{ base_dn }}
+objectClass: organizationalUnit
+ou: groups
+description: Regular groups
+
+dn: ou=privileged-groups,{{ base_dn }}
+objectClass: organizationalUnit
+ou: privileged-groups
+description: Privileged groups
+
+dn: ou=service-accounts,{{ base_dn }}
+objectClass: organizationalUnit
+ou: service-accounts
+description: Service accounts

bootstrap/ldif/config-acl.ldif

@@ -0,0 +1,44 @@
+dn: olcDatabase={-1}frontend,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to *
+  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+  by dn.exact="cn=admin,{{ base_dn }}" manage
+  by group.exact="cn=admins,ou=privileged-groups,{{ base_dn }}" manage
+  by * break
+olcAccess: {1}to dn.exact=""
+  by * read
+olcAccess: {2}to dn.base="cn=Subschema"
+  by * read
+
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to *
+  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+  by dn.exact="cn=admin,{{ base_dn }}" manage
+  by group.exact="cn=admins,ou=privileged-groups,{{ base_dn }}" manage
+  by * break
+
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to attrs=userPassword
+  by self write
+  by anonymous auth
+  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+  by dn.exact="{{ admin_dn }}" manage
+  by group.exact="cn=admins,ou=privileged-groups,{{ base_dn }}" manage
+  by * none
+olcAccess: {1}to attrs=shadowLastChange
+  by self write
+  by * read
+olcAccess: {2}to dn.base=""
+  by * read
+olcAccess: {3}to *
+  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+  by dn.exact="{{ admin_dn }}" manage
+  by dn.exact="cn=readonly,ou=service-accounts,{{ base_dn }}" read
+  by group.exact="cn=admins,ou=privileged-groups,{{ base_dn }}" manage
+  by self read
+  by * none

bootstrap/ldif/config-indexes.ldif

@@ -0,0 +1,7 @@
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+add: olcDbIndex
+olcDbIndex: mail eq,pres
+-
+add: olcDbIndex
+olcDbIndex: memberOf eq

bootstrap/ldif/config-memberof-module.ldif

@@ -0,0 +1,4 @@
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: memberof

bootstrap/ldif/config-memberof-overlay.ldif

@@ -0,0 +1,10 @@
+dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcMemberOf
+olcOverlay: memberof
+olcMemberOfDangling: error
+olcMemberOfRefint: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf

bootstrap/ldif/config-performance.ldif

@@ -0,0 +1,9 @@
+dn: cn=config
+changetype: modify
+replace: olcThreads
+olcThreads: 4
+
+dn: olcDatabase={1}mdb,cn=config
+changetype: modify
+replace: olcDbMaxSize
+olcDbMaxSize: 134217728

bootstrap/ldif/config-tls.ldif

@@ -0,0 +1,13 @@
+dn: cn=config
+changetype: modify
+add: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/ldap/certs/ca_cert.pem
+-
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/certs/server_cert.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/certs/server_key.pem
+-
+add: olcTLSVerifyClient
+olcTLSVerifyClient: never

bootstrap/ldif/group.ldif

@@ -0,0 +1,7 @@
+dn: cn={{ name }},ou={{ group_ou }},{{ base_dn }}
+objectClass: groupOfNames
+cn: {{ name }}
+description: {{ description }}
+{% for uid in uids -%}
+member: uid={{ uid }},ou={{ member_ou }},{{ base_dn }}
+{% endfor %}

bootstrap/ldif/posix-user.ldif

@@ -0,0 +1,14 @@
+dn: uid={{ uid }},ou=users,{{ base_dn }}
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: {{ uid }}
+givenName: {{ gn }}
+sn: {{ sn }}
+cn: {{ gn }} {{ sn }}
+mail: {{ mail }}
+userPassword: {{ password_hash }}
+uidNumber: {{ uidNumber }}
+gidNumber: {{ gidNumber }}
+homeDirectory: /home/{{ uid }}
+loginShell: /usr/bin/bash

bootstrap/ldif/posix-users.ldif

@@ -0,0 +1,14 @@
+dn: uid={{ uid }},ou=users,{{ base_dn }}
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: {{ uid }}
+givenName: {{ gn }}
+sn: {{ sn }}
+cn: {{ gn }} {{ sn }}
+mail: {{ mail }}
+userPassword: {{ password_hash }}
+uidNumber: {{ uidNumber }}
+gidNumber: {{ gidNumber }}
+homeDirectory: /home/{{ uid }}
+loginShell: /usr/bin/bash

bootstrap/ldif/service-accounts.ldif

@@ -0,0 +1,6 @@
+dn: cn=readonly,ou=service-accounts,{{ base_dn }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: readonly
+description: Read-only service account
+userPassword: {{ password_hash }}

bootstrap/ldif/users.ldif

@@ -0,0 +1,9 @@
+dn: uid={{ uid }},ou=users,{{ base_dn }}
+objectClass: inetOrgPerson
+objectClass: shadowAccount
+uid: {{ uid }}
+givenName: {{ gn }}
+sn: {{ sn }}
+cn: {{ gn }} {{ sn }}
+mail: {{ mail }}
+userPassword: {{ password_hash }}