tom/ansible_slapd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

role slapd:

Browse Source 
- setup ssl (WIP)
- setup replication provider (WIP)
- setup replication consumer (WIP)

ssl and replication provider seems to be ok (need to test on clean machine)

replication consumer needs more testing
This commit is contained in:
Thomas Constans
2019-07-19 14:54:26 +02:00
parent 2ee476a4ef
commit 15911cbd6f
8 changed files with 156 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@@ -23,6 +23,17 @@ defined in vars/main.yml and vars/CentOS.yml
* ldap_user - slapd service account * ldap_user - slapd service account
* import_data - bool - control wether we import initial data from LDIF files you will have put in templates subdirectory. Default No * import_data - bool - control wether we import initial data from LDIF files you will have put in templates subdirectory. Default No
* ldap_schemas - list of additionnal schema names to load - default cosine * ldap_schemas - list of additionnal schema names to load - default cosine
* ldap_replication_consumer - bool -true to setup a replication consumer
* ldap_replication_provider - bool -true to setup a replication provider
* ldap_replication_account - account used for replication
* ldap_replication_password - account password used for replication
- ldap_replication_provider_uri - ldap uri of provider server
* ldap_have_ssl - boolean - wether we use ssl or not
* ldap_ssl_dir - directory where certificates will be stored
* ldap_ssl_cert_path - {{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem
* ldap_ssl_cacert_path - {{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem
* ldap_ssl_key_path - {{ ldap_ssl_dir }}/{{ ansible_fqdn }}_privkey.pem
Dependencies Dependencies
------------ ------------

7
defaults/main.yml
View File

@@ -2,8 +2,15 @@
# defaults file for /etc/ansible/roles/slapd # defaults file for /etc/ansible/roles/slapd
ldap_domain: example ldap_domain: example
ldap_domain_ext: fr ldap_domain_ext: fr
ldap_provider_uri: "{{ ansible_fqdn }}"
ldap_suffix: "{{ ldap_domain }},{{ ldap_domain_ext }}" ldap_suffix: "{{ ldap_domain }},{{ ldap_domain_ext }}"
ldap_root_dn: cn=root,{{ ldap_suffix }} ldap_root_dn: cn=root,{{ ldap_suffix }}
import_data: false import_data: false
ldap_schemas: ldap_schemas:
- cosine - cosine
ldap_have_ssl: true
ldap_ssl_dir: /etc/openldap/certs
ldap_ssl_cert_path: "{{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem"
ldap_ssl_key_path: "{{ ldap_ssl_dir }}/{{ ansible_fqdn }}_privkey.pem"
ldap_ssl_cacert_path: "{{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem"

57
tasks/main.yml
View File

@@ -1,5 +1,6 @@
--- ---
# tasks file for /etc/ansible/roles/slapd # tasks file for /etc/ansible/roles/slapd
- name: OS specific vars - name: OS specific vars
include_vars: "{{ ansible_distribution }}.yml" include_vars: "{{ ansible_distribution }}.yml"
@@ -8,6 +9,12 @@
name: "{{ ldap_packages }}" name: "{{ ldap_packages }}"
state: present state: present
- name: configure client
template:
src: ldap.conf
dest: /etc/openldap/ldap.conf
mode: 0644
- name: activate service - name: activate service
service: service:
name: "{{ ldap_service }}" name: "{{ ldap_service }}"
@@ -41,12 +48,6 @@
attributes: attributes:
dc: "{{ ldap_domain }}" dc: "{{ ldap_domain }}"
- name: configure client
template:
src: ldap.conf
dest: /etc/openldap/ldap.conf
mode: 0644
- name: create passwd file - name: create passwd file
copy: copy:
dest: /root/.ldap.secrets dest: /root/.ldap.secrets
@@ -79,3 +80,47 @@
command: "ldapadd -y /root/.ldap.secrets -xD {{ ldap_admin_dn }} -f {{ item .path}}" command: "ldapadd -y /root/.ldap.secrets -xD {{ ldap_admin_dn }} -f {{ item .path}}"
with_items: "{{ ldif_list.files }}" with_items: "{{ ldif_list.files }}"
when: import_data == true when: import_data == true
- name: configure replication provider
include_tasks: replication_provider.yml
when: ldap_replication_provider
- name: configure replication consumer
include_tasks: replication_consumer.yml
when: ldap_replication_consumer
- name: open firewall
firewalld:
service: "{{ item }}"
permanent: yes
immediate: yes
state: enabled
loop:
- ldap
- ldaps
# cannot use ldap_entry module because attr olcTLS* don't have equality matching
# rules ...
# instead send ldif and process ...
- name: configure ssl
tags: ssl
block:
- name: ensure certificate and key files have correct permissions
file:
path: "{{ item }}"
group: ldap
mode: 0640
loop:
- "{{ ldap_ssl_cert_path }}"
- "{{ ldap_ssl_key_path }}"
- "{{ ldap_ssl_cacert_path }}"
- name: send ldif file
template:
src: ssl.ldif
dest: /root/Ldif/
- name: import ldif
command: ldapmodify -c -Y EXTERNAL -H ldapi:/// -f /root/Ldif/ssl.ldif
when: ldap_have_ssl

19
tasks/replication_consumer.yml Normal file
View File

@@ -0,0 +1,19 @@
---
- name: add synrepl entry
ldap_attr:
dn: olcDatabase={2}hdb,cn=config
name: "{{ item.name }}"
values: "{{ item.value }}"
loop:
- name: olcSyncRepl
value: |
rid=001
provider="{{ ldap_replication_provider_uri }}"
binddn="cn={{ ldap_replication_account }},{{ ldap_suffix }}"
bindmethod="simple"
credentials="{{ ldap_replication_password }}"
searchbase="{{ ldap_suffix }}"
type=refreshAndPersist
retry="10 +"
- name: olcUpdateRef
value: "{{ ldap_provider_uri }}"

45
tasks/replication_provider.yml Normal file
View File

@@ -0,0 +1,45 @@
---
- name: create replication account
ldap_entry:
dn: "cn={{ ldap_replication_account }},{{ ldap_suffix }}"
objectClass: person
attributes:
sn: "{{ ldap_replication_account }}"
userPassword: "{{ ldap_replication_password }}"
params: "{{ ldap_auth }}"
- name: check wether module is already loaded
command: ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config objectClass=olcModuleList olcmoduleload
register: ldap_result
- name: add syncprov overlay module
ldap_entry:
dn: cn=module,cn=config
objectClass: olcModuleList
attributes:
cn: module
olcModuleLoad: syncprov.la
when: '"syncprov.la" not in ldap_result.stdout'
- name: add syncprov overlay config
ldap_entry:
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcSyncProvConfig
attributes:
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 200
- name: configure serverid
ldap_attr:
dn: cn=config
name: olcServerId
values: "{{ ldap_replication_server_id|default(42) }}"
- name: add indexes for replication
ldap_attr:
dn: olcdatabase={2}hdb,cn=config
name: olcDbIndex
values:
- entryUUID eq
- entryCSN eq

3
templates/ldap.conf
View File

@@ -1,2 +1,5 @@
URI ldap://localhost/ URI ldap://localhost/
BASE {{ ldap_suffix }} BASE {{ ldap_suffix }}
{%if ldap_have_ssl %}
TLS_CACERT {{ ldap_ssl_cacert_path }}
{%endif%}

17
templates/ssl.ldif Normal file
View File

@@ -0,0 +1,17 @@
dn: cn=config
changetype: modify
replace: olcTLSCertificateFile
olcTLSCertificateFile: {{ ldap_ssl_cert_path }}
-
replace: olcTLSCertificateKeyfile
olcTLSCertificateKeyfile: {{ ldap_ssl_key_path }}
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: TLSv1+RSA:!NULL
-
replace: olctlsverifyclient
olctlsverifyclient: never
-
replace: olctlscacertificatefile
olctlscacertificatefile: {{ ldap_ssl_cacert_path }}

3
vars/main.yml
View File

@@ -5,3 +5,6 @@ ldap_domain_ext: net
ldap_suffix: "dc={{ldap_domain}},dc={{ldap_domain_ext}}" ldap_suffix: "dc={{ldap_domain}},dc={{ldap_domain_ext}}"
ldap_admin_dn: "cn=manager,{{ldap_suffix}}" ldap_admin_dn: "cn=manager,{{ldap_suffix}}"
ldap_admin_password: "123Soleil" ldap_admin_password: "123Soleil"
ldap_auth:
bind_dn: "{{ ldap_admin_dn }}"
bind_pw: "{{ ldap_admin_password }}"