From 3b3303e96d515e5af809c0a4d3e2c8f619a56a7d Mon Sep 17 00:00:00 2001
From: "Andreas B. Mundt"
Date: Thu, 28 Nov 2019 17:37:19 +0100
Subject: [PATCH] Kerberize LDAP access.

---
 roles/krb5-kdc-ldap/tasks/main.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/roles/krb5-kdc-ldap/tasks/main.yml b/roles/krb5-kdc-ldap/tasks/main.yml
index beeb4ac..13c9002 100644
--- a/roles/krb5-kdc-ldap/tasks/main.yml
+++ b/roles/krb5-kdc-ldap/tasks/main.yml
@@ -117,6 +117,15 @@
     state: exact
   when: not krb5kdc.stat.exists
 
+- name: add AuthzRegexp to map access via kerberos/GSSAPI
+  ldap_attr:
+    dn: "cn=config"
+    name: olcAuthzRegexp
+    values:
+      - "{0}uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=people,{{ basedn }}"
+      - "{1}uid=([^,]*),cn=gs2-iakerb,cn=auth uid=$1,ou=people,{{ basedn }}"
+    state: exact
+
 - name: prepare password for kdc
   shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_service_pwd }} | xxd -g0 -ps | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
   no_log: true
@@ -173,6 +182,13 @@
     - ldap
   when: not krb5kdc.stat.exists
 
+- name: allow slapd to read the keytab
+  file:
+    path: /etc/krb5.keytab
+    owner: root
+    group: openldap
+    mode: '0640'
+
 - name: "make 'kerberos' an alias hostname resolvable from the LAN"
   replace:
     path: /etc/hosts
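Review bot: The two olcAuthzRegexp values map every SASL identity of the form `uid=<x>,cn=gssapi,cn=auth` (and the gs2-iakerb equivalent) straight into `ou=people`, but the task does not record what the pattern deliberately covers: `[^,]*` also matches an empty uid and principal names containing `/`, while identities that carry an explicit `cn=<REALM>` component (as slapd presumably emits for non-default realms) are left unmapped. A short comment above the task would spare the next maintainer a trip to the slapd manual, e.g. `# Map GSSAPI/IAKERB identities (default realm only) onto entries under ou=people; unmapped identities keep their cn=auth DN and gain no extra rights.` This `cn=config` write also runs unconditionally while the neighbouring tasks are guarded by `when: not krb5kdc.stat.exists`; if that is intentional because `state: exact` is idempotent, say so in the same comment.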
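Review bot: Granting group `openldap` read access on `/etc/krb5.keytab` exposes every key in the host keytab to slapd, not only the `ldap/<host>` principal it needs; the least-privilege shape is a dedicated keytab holding just that principal, owned `root:openldap` at `0640`, with `/etc/krb5.keytab` left root-only and slapd pointed at the new file through `KRB5_KTNAME` in its service environment (e.g. `/etc/default/slapd` on Debian). If sharing the host keytab is intended, a comment such as `# slapd reads the ldap/ key from the host keytab; every other key in it becomes readable by group openldap too` belongs above the task. The task also relies on the keytab already existing (the `file` module's default `state: file` fails otherwise), which is presumably ensured by a step outside this hunk.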