path: root/docs/README.LDAP.md
Overview
========

Our playbooks currently have two sets of variables in use for services
that require LDAP authentication:

- ssh_ldap_*

  Provides system level (NSS) LDAP support on our servers and is used
  to authenticate ssh access to our servers.

- apache_ldap_*

  Provides access to various web services (private servers and private gerrit)
  through Apache's mod_authnz_external and a custom lookup tool that uses
  python-ldap.

They have been separated because, although they generally query the same
servers, they may use different bind or base DNs with different access
permissions, or expect different query results.


Adding New Hosts/Groups That Use LDAP
=====================================

The general pattern for setting the defaults for these variables is:

  1. defaults go in the defaults file for the role (i.e., roles/ssh-ldap/defaults/main.yml)
  2. overrides go in the host vars file (or the secrets host vars)

Please avoid overriding vars at the playbook/role level and keep any changes
you need in the hosts vars.


Even More LDAP
==============

If you need to add support for a third set of LDAP values for a new role:

  1. make sure the variable name has a service-specific prefix (i.e., ssh_ldap).
     Do *NOT* use a bare "ldap_whatever".
  2. follow the same pattern as above: defaults in a defaults/main.yml file,
     overrides in host vars
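The two conventions above (service-specific `<service>_ldap_` prefixes, and overrides only in host vars, never at the playbook or role level) are easy to check mechanically. The following audit script is an added example, not part of this repository or its playbooks; the role names, hostnames and DNs in the sample tree are constructed placeholders, and it only inspects top-level `key: value` lines rather than parsing full YAML.

```python
import re

# Top-level YAML keys ("name: value" at column 0) in a defaults or host_vars file.
KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:", re.MULTILINE)
# Accepted naming: <service>_ldap_<setting>; a bare "ldap_..." is rejected.
PREFIX_RE = re.compile(r"^(?!ldap_)[a-z][a-z0-9]*_ldap_[a-z0-9_]+$")
DEFAULTS_RE = re.compile(r"^roles/[^/]+/defaults/main\.ya?ml$")
HOST_VARS_RE = re.compile(r"^(secrets/)?host_vars/")

def ldap_vars(text):
    """Return the top-level variable names in a YAML text that mention LDAP."""
    return [k for k in KEY_RE.findall(text) if "ldap" in k.lower()]

def audit(files):
    """files maps repo path -> YAML text. Returns (path, var, problem) tuples."""
    problems = []
    defaults = set()
    for path, text in files.items():
        for var in ldap_vars(text):
            if not PREFIX_RE.match(var):
                problems.append((path, var, "missing service-specific prefix"))
            if DEFAULTS_RE.match(path):
                defaults.add(var)
    for path, text in files.items():
        if DEFAULTS_RE.match(path) or HOST_VARS_RE.match(path):
            continue  # role defaults and host vars are the two allowed places
        for var in ldap_vars(text):
            if var in defaults:
                problems.append((path, var, "override outside host_vars"))
    return problems

# Constructed sample tree (hostnames and DNs are placeholders, not real values).
SAMPLE_FILES = {
    "roles/ssh-ldap/defaults/main.yml":
        "ssh_ldap_uri: ldaps://ldap.example.invalid\n"
        "ssh_ldap_base_dn: dc=example,dc=invalid\n",
    "roles/apache-ldap/defaults/main.yml":
        "apache_ldap_uri: ldaps://ldap.example.invalid\n"
        "apache_ldap_bind_dn: cn=web,dc=example,dc=invalid\n",
    # Allowed: a per-host override of a role default.
    "host_vars/gerrit.example.invalid.yml":
        "apache_ldap_bind_dn: cn=gerrit,dc=example,dc=invalid\n",
    # Flagged: a third service using a bare ldap_ prefix.
    "roles/mail-ldap/defaults/main.yml":
        "ldap_uri: ldaps://ldap.example.invalid\n",
    # Flagged: role-level vars/ overriding a default instead of host_vars.
    "roles/ssh-ldap/vars/main.yml":
        "ssh_ldap_base_dn: ou=people,dc=example,dc=invalid\n",
}
```

Running `audit(SAMPLE_FILES)` reports the bare `ldap_uri` in the mail-ldap role and the role-level override of `ssh_ldap_base_dn`, and nothing else.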


Caching Public Keys
===================

By default, each server where ssh-ldap is installed will attempt to sync a
list of all users and their public keys at install time and periodically through
a cron job.  The sshldap_cache_url is an optional location to download a
tarball with this information instead of having to pull it from the upstream
LDAP sources.  It's meant for situations like our Austin colo, where
we don't want (or can't have) a system talking directly to our LDAP
servers, so we need to set up a slave proxy for them.