From 15911cbd6f7e8c3fd3ec39aed33a2e2fc2c15b9c Mon Sep 17 00:00:00 2001
From: Thomas Constans
Date: Fri, 19 Jul 2019 14:54:26 +0200
Subject: [PATCH] role slapd: - setup ssl (WIP) - setup replication provider (WIP) - setup replication consumer (WIP) ssl and replication provider seems to be ok (need to test on clean machine) replication consumer needs more testing
---
 README.md | 11 +++++++
 defaults/main.yml | 7 +++++
 tasks/main.yml | 57 ++++++++++++++++++++++++++++++----
 tasks/replication_consumer.yml | 19 ++++++++++++
 tasks/replication_provider.yml | 45 +++++++++++++++++++++++++++
 templates/ldap.conf | 3 ++
 templates/ssl.ldif | 17 ++++++++++
 vars/main.yml | 3 ++
 8 files changed, 156 insertions(+), 6 deletions(-)
 create mode 100644 tasks/replication_consumer.yml
 create mode 100644 tasks/replication_provider.yml
 create mode 100644 templates/ssl.ldif
diff --git a/README.md b/README.md
index 31877ff..4201591 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,17 @@ defined in vars/main.yml and vars/CentOS.yml
 * ldap_user - slapd service account
 * import_data - bool - control wether we import initial data from LDIF files you will have put in templates subdirectory. Default No
 * ldap_schemas - list of additionnal schema names to load - default cosine
+ * ldap_replication_consumer - bool -true to setup a replication consumer
+ * ldap_replication_provider - bool -true to setup a replication provider
+ * ldap_replication_account - account used for replication
+ * ldap_replication_password - account password used for replication
+ - ldap_replication_provider_uri - ldap uri of provider server
+ * ldap_have_ssl - boolean - wether we use ssl or not
+ * ldap_ssl_dir - directory where certificates will be stored
+ * ldap_ssl_cert_path - {{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem
+ * ldap_ssl_cacert_path - {{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem
+ * ldap_ssl_key_path - {{ ldap_ssl_dir }}/{{ ansible_fqdn }}_privkey.pem
+
 Dependencies
 ------------
diff --git a/defaults/main.yml b/defaults/main.yml
index 0e559ab..a14c1ac 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,8 +2,15 @@
 # defaults file for /etc/ansible/roles/slapd
 ldap_domain: example
 ldap_domain_ext: fr
+ldap_provider_uri: "{{ ansible_fqdn }}"
 ldap_suffix: "{{ ldap_domain }},{{ ldap_domain_ext }}"
 ldap_root_dn: cn=root,{{ ldap_suffix }}
 import_data: false
 ldap_schemas:
 - cosine
+ldap_have_ssl: true
+ldap_ssl_dir: /etc/openldap/certs
+ldap_ssl_cert_path: "{{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem"
+ldap_ssl_key_path: "{{ ldap_ssl_dir }}/{{ ansible_fqdn }}_privkey.pem"
+ldap_ssl_cacert_path: "{{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem"
+
diff --git a/tasks/main.yml b/tasks/main.yml
index 8404894..3e4b8f5 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,6 @@
 ---
 # tasks file for /etc/ansible/roles/slapd
+
 - name: OS specific vars
 include_vars: "{{ ansible_distribution }}.yml"
@@ -8,6 +9,12 @@
 name: "{{ ldap_packages }}"
 state: present
+- name: configure client
+ template:
+ src: ldap.conf
+ dest: /etc/openldap/ldap.conf
+ mode: 0644
+
 - name: activate service
 service:
 name: "{{ ldap_service }}"
@@ -41,12 +48,6 @@
 attributes:
 dc: "{{ ldap_domain }}"
-- name: configure client
- template:
- src: ldap.conf
- dest: /etc/openldap/ldap.conf
- mode: 0644
-
 - name: create passwd file
 copy:
 dest: /root/.ldap.secrets
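Review bot: `ldap_replication_provider` and `ldap_replication_consumer` get no default here although tasks/main.yml tests them bare in `when:` clauses, so a host that sets neither fails with an undefined-variable error before the role does anything; add `ldap_replication_provider: false` and `ldap_replication_consumer: false` to this block. The new `ldap_provider_uri` defaults to a bare `{{ ansible_fqdn }}` while the consumer's syncrepl reads a separate, undefaulted `ldap_replication_provider_uri` for the same server and the README documents only the latter — one variable holding a real `ldap://` or `ldaps://` URL would remove the mismatch. `ldap_ssl_cacert_path` defaults to the same `_fullchain.pem` as `ldap_ssl_cert_path`, which only works when that file really carries the issuing chain; a comment such as `# CA file for clients and olcTLSCACertificateFile; fullchain is assumed to include the issuer chain` would make that assumption visible.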
@@ -79,3 +80,47 @@
 command: "ldapadd -y /root/.ldap.secrets -xD {{ ldap_admin_dn }} -f {{ item .path}}"
 with_items: "{{ ldif_list.files }}"
 when: import_data == true
+
+- name: configure replication provider
+ include_tasks: replication_provider.yml
+ when: ldap_replication_provider
+
+- name: configure replication consumer
+ include_tasks: replication_consumer.yml
+ when: ldap_replication_consumer
+
+- name: open firewall
+ firewalld:
+ service: "{{ item }}"
+ permanent: yes
+ immediate: yes
+ state: enabled
+ loop:
+ - ldap
+ - ldaps
+
+# cannot use ldap_entry module because attr olcTLS* don't have equality matching
+# rules ...
+# instead send ldif and process ...
+
+- name: configure ssl
+ tags: ssl
+ block:
+ - name: ensure certificate and key files have correct permissions
+ file:
+ path: "{{ item }}"
+ group: ldap
+ mode: 0640
+ loop:
+ - "{{ ldap_ssl_cert_path }}"
+ - "{{ ldap_ssl_key_path }}"
+ - "{{ ldap_ssl_cacert_path }}"
+ - name: send ldif file
+ template:
+ src: ssl.ldif
+ dest: /root/Ldif/
+
+ - name: import ldif
+ command: ldapmodify -c -Y EXTERNAL -H ldapi:/// -f /root/Ldif/ssl.ldif
+ when: ldap_have_ssl
+
diff --git a/tasks/replication_consumer.yml b/tasks/replication_consumer.yml
new file mode 100644
index 0000000..eeed1ac
--- /dev/null
+++ b/tasks/replication_consumer.yml
@@ -0,0 +1,19 @@
+---
+- name: add synrepl entry
+ ldap_attr:
+ dn: olcDatabase={2}hdb,cn=config
+ name: "{{ item.name }}"
+ values: "{{ item.value }}"
+ loop:
+ - name: olcSyncRepl
+ value: |
+ rid=001
+ provider="{{ ldap_replication_provider_uri }}"
+ binddn="cn={{ ldap_replication_account }},{{ ldap_suffix }}"
+ bindmethod="simple"
+ credentials="{{ ldap_replication_password }}"
+ searchbase="{{ ldap_suffix }}"
+ type=refreshAndPersist
+ retry="10 +"
+ - name: olcUpdateRef
+ value: "{{ ldap_provider_uri }}"
diff --git a/tasks/replication_provider.yml b/tasks/replication_provider.yml
new file mode 100644
index 0000000..7c6c80a
--- /dev/null
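Review bot: The `import ldif` step runs `ldapmodify -c -Y EXTERNAL -H ldapi:/// -f /root/Ldif/ssl.ldif` on every play, so the TLS settings are re-applied and the task reports changed each time; register `send ldif file` as `ssl_ldif` and gate the command with `when: ssl_ldif is changed`, and drop `-c`, which only matters for multi-record files while ssl.ldif holds a single change record. The `open firewall` task enables both `ldap` and `ldaps` regardless of `ldap_have_ssl`, so the cleartext port stays reachable on TLS deployments; opening `ldaps` under `ldap_have_ssl` and `ldap` under an explicit variable keeps that a deliberate choice. `group: ldap` in the permissions task hard-codes the service group although the README lists an `ldap_user` variable for the service account; if a matching group variable exists it should be used here. `/root/Ldif/` is written by the template task without a task ensuring the directory exists — it may be created earlier in tasks/main.yml, outside this hunk.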
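Review bot: The olcSyncRepl value binds with `bindmethod="simple"` and `credentials=` to `provider="{{ ldap_replication_provider_uri }}"` and sets no `starttls=` parameter, so unless that URI is `ldaps://` the replication password and every replicated entry cross the network in cleartext even on a host where `ldap_have_ssl` is true; add `starttls=critical` together with `tls_reqcert=demand` and `tls_cacert=` pointing at the CA file, or require an `ldaps://` URI. `olcUpdateRef` is fed `ldap_provider_uri`, whose default in defaults/main.yml is a bare hostname, whereas slapd documents that attribute as a URL, so the default value is unlikely to be accepted. `olcDatabase={2}hdb,cn=config` is hard-coded here and again in replication_provider.yml; the database index and backend (`hdb` vs `mdb`) differ between OpenLDAP builds, so a single `ldap_config_db` variable would make both files portable. The task name `add synrepl entry` presumably means `syncrepl`.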
+++ b/tasks/replication_provider.yml
@@ -0,0 +1,45 @@
+---
+- name: create replication account
+ ldap_entry:
+ dn: "cn={{ ldap_replication_account }},{{ ldap_suffix }}"
+ objectClass: person
+ attributes:
+ sn: "{{ ldap_replication_account }}"
+ userPassword: "{{ ldap_replication_password }}"
+ params: "{{ ldap_auth }}"
+
+- name: check wether module is already loaded
+ command: ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config objectClass=olcModuleList olcmoduleload
+ register: ldap_result
+
+- name: add syncprov overlay module
+ ldap_entry:
+ dn: cn=module,cn=config
+ objectClass: olcModuleList
+ attributes:
+ cn: module
+ olcModuleLoad: syncprov.la
+ when: '"syncprov.la" not in ldap_result.stdout'
+
+- name: add syncprov overlay config
+ ldap_entry:
+ dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
+ objectClass: olcSyncProvConfig
+ attributes:
+ olcOverlay: syncprov
+ olcSpCheckpoint: 100 10
+ olcSpSessionLog: 200
+
+- name: configure serverid
+ ldap_attr:
+ dn: cn=config
+ name: olcServerId
+ values: "{{ ldap_replication_server_id|default(42) }}"
+
+- name: add indexes for replication
+ ldap_attr:
+ dn: olcdatabase={2}hdb,cn=config
+ name: olcDbIndex
+ values:
+ - entryUUID eq
+ - entryCSN eq
diff --git a/templates/ldap.conf b/templates/ldap.conf
index 1e2016e..21648cc 100644
--- a/templates/ldap.conf
+++ b/templates/ldap.conf
@@ -1,2 +1,5 @@
 URI ldap://localhost/
 BASE {{ ldap_suffix }}
+{%if ldap_have_ssl %}
+TLS_CACERT {{ ldap_ssl_cacert_path }}
+{%endif%}
diff --git a/templates/ssl.ldif b/templates/ssl.ldif
new file mode 100644
index 0000000..15c7813
--- /dev/null
+++ b/templates/ssl.ldif
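Review bot: `create replication account` writes `userPassword: "{{ ldap_replication_password }}"` verbatim and slapd stores the value as given, so unless hashing on write is configured somewhere outside this file the replication password sits in the directory in cleartext, readable by whoever the ACLs allow; pass a pre-hashed value (the `{SSHA}` form from `slappasswd`) instead. Nothing in this new file grants the account anything — no `olcAccess` rule and no `olcLimits` entry — so with stock ACLs a consumer bound as this DN will presumably not receive `userPassword` values, and a large tree can stop at the default size limit mid-sync; both are worth confirming against the rest of the role. `check wether module is already loaded` is a read-only `ldapsearch` that still reports changed on every run; add `changed_when: false`. `params: "{{ ldap_auth }}"` passes `bind_pw` through a generic dict which, as far as I recall, the ldap modules' `no_log` handling does not cover and later Ansible releases removed; explicit `bind_dn: "{{ ldap_admin_dn }}"` and `bind_pw: "{{ ldap_admin_password }}"` options avoid both problems.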
@@ -0,0 +1,17 @@
+dn: cn=config
+changetype: modify
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: {{ ldap_ssl_cert_path }}
+-
+replace: olcTLSCertificateKeyfile
+olcTLSCertificateKeyfile: {{ ldap_ssl_key_path }}
+-
+replace: olcTLSCipherSuite
+olcTLSCipherSuite: TLSv1+RSA:!NULL
+-
+replace: olctlsverifyclient
+olctlsverifyclient: never
+-
+replace: olctlscacertificatefile
+olctlscacertificatefile: {{ ldap_ssl_cacert_path }}
+
diff --git a/vars/main.yml b/vars/main.yml
index 13153d4..36579d4 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -5,3 +5,6 @@ ldap_domain_ext: net
 ldap_suffix: "dc={{ldap_domain}},dc={{ldap_domain_ext}}"
 ldap_admin_dn: "cn=manager,{{ldap_suffix}}"
 ldap_admin_password: "123Soleil"
+ldap_auth:
+ bind_dn: "{{ ldap_admin_dn }}"
+ bind_pw: "{{ ldap_admin_password }}"
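Review bot: `olcTLSCipherSuite: TLSv1+RSA:!NULL` restricts the server to static-RSA key exchange, which has no forward secrecy, and as I read OpenSSL's cipher-string grammar the `TLSv1` alias leaves out the TLS 1.2 ECDHE/AEAD suites, so every client is pushed down to the weakest suites it would otherwise negotiate; the record also sets no `olcTLSProtocolMin`, so TLS 1.0 stays accepted. A safer baseline for this change record is `olcTLSCipherSuite: HIGH:!aNULL:!MD5:!RC4` plus `olcTLSProtocolMin: 3.3` (TLS 1.2); if the target distribution's slapd is built against NSS rather than OpenSSL the cipher string syntax differs and must be checked on the host. `olctlsverifyclient: never` fits a server that does not authenticate clients by certificate, but a `# client certificates deliberately not required` line above it would tell the next reader that this is intentional.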