From 1f9af114de774fadfba2a3f97afc3879a1d3d74e Mon Sep 17 00:00:00 2001
From: Thomas Constans
Date: Mon, 1 Mar 2021 14:54:56 +0100
Subject: [PATCH] make it work on debian
---
 README.md | 1 +
 defaults/main.yml | 8 ++---
 tasks/import_ldap_schema.yml | 2 +-
 tasks/main.yml | 40 +++-------------------
 tasks/replication_consumer.yml | 2 +-
 tasks/replication_provider.yml | 4 +--
 templates/change_suffix_and_dit_admin.ldif | 4 +--
 vars/CentOS.yml | 2 ++
 vars/CentOS8.yml | 2 ++
 vars/Debian.yml | 9 +++++
 10 files changed, 29 insertions(+), 45 deletions(-)
 create mode 100644 vars/Debian.yml
diff --git a/README.md b/README.md
index 59f75f2..c39ffc5 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,7 @@ defined in vars/main.yml and vars/CentOS.yml
 * ldap_suffix - constructed from variables above example.net
 * ldap_admin_dn - cn=manager,{{ ldap_suffix }}
 * ldap_admin_password - 123Soleil - should be in a vault ...)
+ * ldap_admin_ssha_password -slappasswd -s version of above password
 * ldap_secret_file - default to /root/.ldap.secret
 * ldap_packages - liste of packages - should be the only thing to change to adapt to other distro
diff --git a/defaults/main.yml b/defaults/main.yml
index 08fab4a..3d9289c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,7 +12,7 @@ ldap_replication_provider: false
 ldap_schemas:
 - cosine
 ldap_have_ssl: true
-ldap_ssl_dir: /etc/openldap/certs/
+ldap_ssl_dir: "{{ ldap_config_dir }}/certs/"
 ldap_ssl_cert_path: "{{ ldap_ssl_dir }}/cert.pem"
 ldap_ssl_key_path: "{{ ldap_ssl_dir }}/key.pem"
 ldap_ssl_cacert_path: "{{ ldap_ssl_dir }}/cert.pem"
@@ -32,7 +32,7 @@ ldap_entries:
 olcModulePath: /usr/lib64/openldap/
 olcModuleLoad: auditlog.la
- - dn: olcOverlay={0}auditlog,olcDatabase={2}hdb,cn=config
+ - dn: "olcOverlay={0}auditlog,{{ ldap_database }},cn=config"
 objectClass:
 - olcOverlayConfig
 - olcAuditLogConfig
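Review bot: `ldap_ssl_dir` keeps its trailing slash while the three paths right below it append `/cert.pem` and `/key.pem`, so every rendered path contains `//`. It is harmless to most tools, but since the line is being rewritten anyway, `ldap_ssl_dir: "{{ ldap_config_dir }}/certs"` avoids it. Note also that `ldap_config_dir` is only set in the per-distribution vars files added by this commit, so a host whose vars file is not loaded now fails at template time on this default rather than with a clear message — presumably acceptable, since the role already depends on those files for `ldap_packages`.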
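Review bot: The new `dn` lines at -32, -47 and -62 take the database from `ldap_database`, but the `olcModulePath: /usr/lib64/openldap/` two lines above each of them is still the CentOS location; on Debian the slapd package installs its modules under `/usr/lib/ldap`, so on the distribution this commit targets the three `olcModuleLoad` entries should fail to find `auditlog.la`, `memberof.la` and `unique.la` (and the `.la` names may need to become bare module names there — worth a run on a Debian host). Suggest adding `ldap_module_path` next to `ldap_config_dir` in each vars/*.yml and using `olcModulePath: "{{ ldap_module_path }}"` in all three entries. A smaller point: the vars files spell the RDN `olcdatabase` in lower case while these entries use `olcOverlay`; LDAP compares attribute types case-insensitively so it works, but `olcDatabase={1}mdb` reads consistently with the rest of the file.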
@@ -47,7 +47,7 @@ ldap_entries:
 olcModulePath: /usr/lib64/openldap/
 olcModuleLoad: memberof.la
- - dn: olcOverlay={1}memberof,olcDatabase={2}hdb,cn=config
+ - dn: "olcOverlay={1}memberof,{{ ldap_database }},cn=config"
 objectClass:
 - olcConfig
 - olcOverlayConfig
@@ -62,7 +62,7 @@ ldap_entries:
 olcModulePath: /usr/lib64/openldap/
 olcModuleLoad: unique.la
- - dn: olcOverlay={2}unique,olcdatabase={2}hdb,cn=config
+ - dn: "olcOverlay={2}unique,{{ ldap_database }},cn=config"
 objectClass:
 - olcOverlayConfig
 - olcUniqueConfig
diff --git a/tasks/import_ldap_schema.yml b/tasks/import_ldap_schema.yml
index ead4b0d..3424366 100644
--- a/tasks/import_ldap_schema.yml
+++ b/tasks/import_ldap_schema.yml
@@ -4,6 +4,6 @@
 changed_when: false
 - name: import additional schemas
- command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ schema }}.ldif"
+ command: "ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldap_config_dir }}/schema/{{ schema }}.ldif"
 when: schema not in ldap_schema_list.stdout
diff --git a/tasks/main.yml b/tasks/main.yml
index 70a8229..d51680c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -23,7 +23,7 @@
 - name: configure client
 template:
 src: ldap.conf
- dest: /etc/openldap/ldap.conf
+ dest: "{{ ldap_config_dir }}/ldap.conf"
 mode: 0644
 - name: activate service
@@ -36,47 +36,16 @@
 block:
 - name: remove existing acl
 ldap_attr:
- dn: olcDatabase={2}hdb,cn=config
+ dn: "{{ ldap_database }},cn=config"
 name: olcaccess
 values: []
 state: exact
- - name: admin, suffix and cache
- ldap_attr:
- dn: olcDatabase={2}hdb,cn=config
- name: "{{ item.key }}"
- values: "{{ item.value }}"
- state: exact
- with_dict:
- olcSuffix: "{{ ldap_suffix }}"
- olcRootDN: "{{ ldap_admin_dn }}"
- olcRootPW: "{{ ldap_admin_password }}"
- olcDbCheckpoint: "{{ ldap_checkpoint }}"
- olcDbCacheSize: "{{ ldap_cache_size }}"
- olcDbIDLCacheSize: "{{ ldap_idlcache_size }}"
- olcAccess:
- - >- {0}to attrs=userPassword,mail
- by self write
- by anonymous auth
- by * none
- - >- {1}to dn.sub={{ ldap_suffix }}
- by users read
- by * none
- ignore_errors: true
-
- - name: remove existing indexes
- ldap_attr:
- dn: olcDatabase={2}hdb,cn=config
- values: []
- name: olcDbIndex
- state: exact
-
 - name: add indexes
 ldap_attr:
- dn: olcDatabase={2}hdb,cn=config
+ dn: "{{ ldap_database }},cn=config"
 name: "olcDbIndex"
+ state: exact
 values: "{{ item }}"
 loop:
 - objectClass pres,eq
@@ -95,6 +64,7 @@
 loop:
 - olcDatabase={0}config,cn=config
 - olcDatabase={1}monitor,cn=config
+ ignore_errors: true
 - name: load additionnal schema
 include_tasks: import_ldap_schema.yml
diff --git a/tasks/replication_consumer.yml b/tasks/replication_consumer.yml
index eeed1ac..7a9f28c 100644
--- a/tasks/replication_consumer.yml
+++ b/tasks/replication_consumer.yml
@@ -1,7 +1,7 @@
 ---
 - name: add synrepl entry
 ldap_attr:
- dn: olcDatabase={2}hdb,cn=config
+ dn: "{{ ldap_database }},cn=config"
 name: "{{ item.name }}"
 values: "{{ item.value }}"
 loop:
diff --git a/tasks/replication_provider.yml b/tasks/replication_provider.yml
index 7c6c80a..f9875b6 100644
--- a/tasks/replication_provider.yml
+++ b/tasks/replication_provider.yml
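Review bot: After this hunk the database is left with no `olcAccess` at all: the `remove existing acl` task still sets `olcaccess` to an exact empty list, and the task that used to install the two rules (`{0}to attrs=userPassword,mail by self write by anonymous auth by * none` and `{1}to dn.sub=... by users read by * none`) is deleted with no replacement visible here. With no access directives slapd falls back to its built-in default of read access for everyone, which makes `userPassword` hashes readable to anonymous binds; unless the ACL is now applied from `change_suffix_and_dit_admin.ldif` (only partly shown in this patch), an equivalent `olcAccess` task or ldif stanza should go back in. Separately, the `state: exact` added to the looped `add indexes` task makes each iteration replace the whole `olcDbIndex` attribute with the single `{{ item }}`, so only the last loop entry survives; either keep the removed `remove existing indexes` reset and drop `state: exact`, or drop `loop:` and hand the full list to `values:` so `exact` is applied once. The loop list continues past the end of the hunk.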
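Review bot: `ignore_errors: true` is added to a task whose name and module are above the hunk, so it is not clear which failure on the `olcDatabase={0}config` / `olcDatabase={1}monitor` loop it is meant to tolerate; it also hides unrelated errors (a failed bind or a missing python-ldap binding, if this is an `ldap_*` task) and leaves a red task in every run. Prefer `failed_when` with the specific condition that is expected on one of the two distributions, or a `when:` on the distribution fact, and add a one-line comment saying which case it covers, e.g. `# tolerated: <the expected failure> on <distro> — TODO confirm`.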
@@ -23,7 +23,7 @@
 - name: add syncprov overlay config
 ldap_entry:
- dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
+ dn: "olcOverlay=syncprov,{{ ldap_database }},cn=config"
 objectClass: olcSyncProvConfig
 attributes:
 olcOverlay: syncprov
@@ -38,7 +38,7 @@
 - name: add indexes for replication
 ldap_attr:
- dn: olcdatabase={2}hdb,cn=config
+ dn: "{{ ldap_database }},cn=config"
 name: olcDbIndex
 values:
 - entryUUID eq
diff --git a/templates/change_suffix_and_dit_admin.ldif b/templates/change_suffix_and_dit_admin.ldif
index ff12294..f729b38 100644
--- a/templates/change_suffix_and_dit_admin.ldif
+++ b/templates/change_suffix_and_dit_admin.ldif
@@ -1,4 +1,4 @@
-dn: olcDatabase={2}hdb,cn=config
+dn: "{{ ldap_database }},cn=config"
 changetype: modify
 replace: olcsuffix
 olcsuffix: {{ ldap_suffix }}
@@ -7,7 +7,7 @@ replace: olcrootdn
 olcrootdn: {{ ldap_admin_dn }}
 -
 replace: olcrootpw
-olcrootpw: {{ ldap_admin_password }}
+olcrootpw: {{ ldap_admin_ssha_password }}
 dn: olcDatabase={0}config,cn=config
 changetype: modify
diff --git a/vars/CentOS.yml b/vars/CentOS.yml
index 7fc2d15..ba45d2a 100644
--- a/vars/CentOS.yml
+++ b/vars/CentOS.yml
@@ -1,3 +1,5 @@
+ldap_database: 'olcdatabase={2}hdb'
+ldap_config_dir: /etc/openldap
 ldap_packages:
 - openldap-servers
 - openldap-clients
diff --git a/vars/CentOS8.yml b/vars/CentOS8.yml
index 880af68..4b496c5 100644
--- a/vars/CentOS8.yml
+++ b/vars/CentOS8.yml
@@ -1,3 +1,5 @@
+ldap_database: 'olcdatabase={2}hdb'
+ldap_config_dir: /etc/openldap
 ldap_packages:
 - symas-openldap-servers
 - symas-openldap-clients
diff --git a/vars/Debian.yml b/vars/Debian.yml
new file mode 100644
index 0000000..08842ca
--- /dev/null
+++ b/vars/Debian.yml
@@ -0,0 +1,9 @@
+ldap_database: 'olcdatabase={1}mdb'
+ldap_config_dir: /etc/ldap
+ldap_packages:
+ - slapd
+ - ldap-utils
+
+ - python-ldap
+ldap_service: slapd
+ldap_user: openldap
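Review bot: This file is an LDIF template, not YAML, so the double quotes on the new `dn:` line are kept literally and the entry's DN becomes `"olcdatabase={1}mdb,cn=config"` including the quotes, which slapd should reject as an invalid DN; the quoting that the YAML `dn:` keys in the task files needed does not apply here. Use `dn: {{ ldap_database }},cn=config`, consistent with the unquoted `olcsuffix: {{ ldap_suffix }}` two lines below.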
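Review bot: `ldap_admin_ssha_password` is referenced here but not defined in defaults/main.yml by this patch (it is only documented in the README), so the template fails to render unless every inventory sets it; either add a default, or better derive it on the target with `slappasswd -s` in a task so the clear-text `ldap_admin_password` stays the only secret users have to supply. Moving `olcrootpw` from the clear-text value to a hash is the right direction; the task that applies this template (not in the hunk) should also carry `no_log: true` so neither the clear-text nor the hash lands in the job output.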
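Review bot: `python-ldap` is the Python 2 binding; the `ldap_attr` / `ldap_entry` modules this role uses need the binding for the interpreter Ansible runs on the host, which on current Debian releases is Python 3, so `python3-ldap` is the package to install (keep `python-ldap` only if the role still targets a Python 2 interpreter — TODO confirm against the supported releases). The stray empty `+` line inside the `ldap_packages` list at line 6 of the new file should also be dropped. `ldap_database` and `ldap_config_dir` are further duplicated verbatim in vars/CentOS.yml and vars/CentOS8.yml; if the role loads these files by distribution, a shared family-level vars file or an `ansible_os_family` lookup would keep the two copies from drifting.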