role slapd:

- setup ssl (WIP) - setup replication provider (WIP) - setup replication consumer (WIP) ssl and replication provider seems to be ok (need to test on clean machine) replication consumer needs more testing
2019-07-19 14:54:26 +02:00
parent 2ee476a4ef
commit 15911cbd6f
8 changed files with 156 additions and 6 deletions
--- a/README.md
+++ b/README.md
@@ -23,6 +23,17 @@ defined in vars/main.yml and vars/CentOS.yml
  * ldap_user        - slapd service account
  * import_data      - bool - control wether we import initial data from LDIF files you will have put in templates subdirectory. Default No
  * ldap_schemas     - list of additionnal schema names to load - default cosine
+  * ldap_replication_consumer - bool -true to setup a replication consumer
+  * ldap_replication_provider - bool -true to setup a replication provider
+  * ldap_replication_account - account used for replication
+  * ldap_replication_password - account password  used for replication
+  - ldap_replication_provider_uri - ldap uri of provider server
+  * ldap_have_ssl    - boolean - wether we use ssl or not
+  * ldap_ssl_dir     - directory where certificates will be stored
+  * ldap_ssl_cert_path - {{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem
+  * ldap_ssl_cacert_path - {{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem
+  * ldap_ssl_key_path - {{ ldap_ssl_dir }}/{{ ansible_fqdn }}_privkey.pem
+

 Dependencies
 ------------
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,8 +2,15 @@
 # defaults file for /etc/ansible/roles/slapd
 ldap_domain: example
 ldap_domain_ext: fr
+ldap_provider_uri: "{{ ansible_fqdn }}"
 ldap_suffix: "{{ ldap_domain }},{{ ldap_domain_ext }}"
 ldap_root_dn: cn=root,{{ ldap_suffix }}
 import_data: false
 ldap_schemas:
 - cosine
+ldap_have_ssl: true
+ldap_ssl_dir: /etc/openldap/certs
+ldap_ssl_cert_path: "{{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem"
+ldap_ssl_key_path: "{{ ldap_ssl_dir }}/{{ ansible_fqdn }}_privkey.pem"
+ldap_ssl_cacert_path: "{{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem"
+
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,6 @@
 ---
 # tasks file for /etc/ansible/roles/slapd
+
 - name: OS specific vars
  include_vars: "{{ ansible_distribution }}.yml"

@@ -8,6 +9,12 @@
    name: "{{ ldap_packages }}"
    state: present

+- name: configure client
+  template:
+    src: ldap.conf
+    dest: /etc/openldap/ldap.conf
+    mode: 0644
+
 - name: activate service
  service:
    name: "{{ ldap_service }}"
@@ -41,12 +48,6 @@
    attributes:
      dc: "{{ ldap_domain }}"

- name: configure client
-  template:
-    src: ldap.conf
-    dest: /etc/openldap/ldap.conf
-    mode: 0644
-
 - name: create passwd file
  copy:
    dest: /root/.ldap.secrets
@@ -79,3 +80,47 @@
    command: "ldapadd -y /root/.ldap.secrets -xD {{ ldap_admin_dn }} -f {{ item .path}}"
    with_items: "{{ ldif_list.files }}"
  when: import_data == true
+
+- name: configure replication provider
+  include_tasks: replication_provider.yml
+  when: ldap_replication_provider
+
+- name: configure replication consumer
+  include_tasks: replication_consumer.yml
+  when: ldap_replication_consumer
+
+- name: open firewall
+  firewalld:
+    service: "{{ item }}"
+    permanent: yes
+    immediate: yes
+    state: enabled
+  loop:
+     - ldap
+     - ldaps
+
+# cannot use ldap_entry module because attr olcTLS* don't have equality matching
+# rules ...
+# instead send ldif and process ...
+
+- name: configure ssl
+  tags: ssl
+  block:
+  - name: ensure certificate and key files have correct permissions
+    file:
+      path: "{{ item }}"
+      group: ldap
+      mode: 0640
+    loop:
+    - "{{ ldap_ssl_cert_path }}"
+    - "{{ ldap_ssl_key_path }}"
+    - "{{ ldap_ssl_cacert_path }}"
+  - name: send ldif file
+    template:
+      src: ssl.ldif
+      dest: /root/Ldif/
+
+  - name: import ldif
+    command: ldapmodify  -c -Y EXTERNAL -H ldapi:/// -f /root/Ldif/ssl.ldif
+  when: ldap_have_ssl
+
--- a/tasks/replication_consumer.yml
+++ b/tasks/replication_consumer.yml
@@ -0,0 +1,19 @@
+---
+- name: add synrepl entry
+  ldap_attr:
+    dn: olcDatabase={2}hdb,cn=config
+    name: "{{ item.name }}"
+    values: "{{ item.value }}"
+  loop:
+   - name: olcSyncRepl
+     value: |
+      rid=001
+       provider="{{ ldap_replication_provider_uri }}"
+       binddn="cn={{ ldap_replication_account }},{{ ldap_suffix }}"
+       bindmethod="simple"
+       credentials="{{ ldap_replication_password }}"
+       searchbase="{{ ldap_suffix }}"
+       type=refreshAndPersist
+       retry="10 +"
+   - name: olcUpdateRef
+     value: "{{ ldap_provider_uri }}"
--- a/tasks/replication_provider.yml
+++ b/tasks/replication_provider.yml
@@ -0,0 +1,45 @@
+---
+- name: create replication account
+  ldap_entry:
+    dn: "cn={{ ldap_replication_account }},{{ ldap_suffix }}"
+    objectClass: person
+    attributes:
+     sn: "{{ ldap_replication_account }}"
+     userPassword: "{{ ldap_replication_password }}"
+    params: "{{ ldap_auth }}"
+
+- name: check wether module is already loaded
+  command: ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config   objectClass=olcModuleList olcmoduleload
+  register: ldap_result
+
+- name: add syncprov overlay module
+  ldap_entry:
+    dn: cn=module,cn=config
+    objectClass: olcModuleList
+    attributes:
+      cn: module
+      olcModuleLoad: syncprov.la
+  when: '"syncprov.la" not in  ldap_result.stdout'
+
+- name: add syncprov overlay config
+  ldap_entry:
+    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
+    objectClass: olcSyncProvConfig
+    attributes:
+      olcOverlay: syncprov
+      olcSpCheckpoint: 100 10
+      olcSpSessionLog: 200
+
+- name: configure serverid
+  ldap_attr:
+    dn: cn=config
+    name: olcServerId
+    values: "{{ ldap_replication_server_id|default(42) }}"
+
+- name: add indexes for replication
+  ldap_attr:
+    dn: olcdatabase={2}hdb,cn=config
+    name: olcDbIndex
+    values:
+    - entryUUID eq
+    - entryCSN eq
--- a/templates/ldap.conf
+++ b/templates/ldap.conf
@@ -1,2 +1,5 @@
 URI ldap://localhost/
 BASE {{ ldap_suffix }}
+{%if ldap_have_ssl %}
+TLS_CACERT {{ ldap_ssl_cacert_path }}
+{%endif%}
--- a/templates/ssl.ldif
+++ b/templates/ssl.ldif
@@ -0,0 +1,17 @@
+dn: cn=config
+changetype: modify
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: {{ ldap_ssl_cert_path }}
+-
+replace: olcTLSCertificateKeyfile
+olcTLSCertificateKeyfile: {{ ldap_ssl_key_path }}
+-
+replace: olcTLSCipherSuite
+olcTLSCipherSuite: TLSv1+RSA:!NULL
+-
+replace: olctlsverifyclient
+olctlsverifyclient: never
+-
+replace: olctlscacertificatefile
+olctlscacertificatefile: {{ ldap_ssl_cacert_path }}
+
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -5,3 +5,6 @@ ldap_domain_ext: net
 ldap_suffix: "dc={{ldap_domain}},dc={{ldap_domain_ext}}"
 ldap_admin_dn: "cn=manager,{{ldap_suffix}}"
 ldap_admin_password: "123Soleil"
+ldap_auth:
+  bind_dn: "{{ ldap_admin_dn }}"
+  bind_pw: "{{ ldap_admin_password }}"