From 313d9e12e509f6225e5457bcc3a6a671c960feb5 Mon Sep 17 00:00:00 2001
From: Thomas Constans
Date: Tue, 8 Oct 2019 23:03:15 +0200
Subject: [PATCH] slapd: mise au point, reglage acl sur cn=config

---
 README.md                                  |  1 +
 defaults/main.yml                          |  1 +
 handlers/main.yml                          |  6 ++-
 tasks/import_ldap_schema.yml               |  2 +-
 tasks/inject_ldif.yml                      |  9 ----
 tasks/main.yml                             | 50 ++++++++++++++++------
 templates/change_suffix_and_dit_admin.ldif |  4 ++
 templates/ldap.conf                        |  6 ++-
 templates/ldap_aliases.sh                  |  4 ++
 9 files changed, 59 insertions(+), 24 deletions(-)
 delete mode 100644 tasks/inject_ldif.yml
 create mode 100644 templates/ldap_aliases.sh

diff --git a/README.md b/README.md
index d5a3c95..c1c3a63 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,7 @@
 defined in vars/main.yml and vars/CentOS.yml
  * ldap_suffix - constructed from variables above example.net
  * ldap_admin_dn - cn=manager,{{ ldap_suffix }}
  * ldap_admin_password - 123Soleil - should be in a vault ...)
+ * ldap_secret_file - default to /root/.ldap.secret
  * ldap_packages - liste of packages - should be the only thing to change to adapt to other distro
  * ldap_service - name of service unit file - slapd
diff --git a/defaults/main.yml b/defaults/main.yml
index ac995c1..3c704dd 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,6 +2,7 @@
 # defaults file for /etc/ansible/roles/slapd
 ldap_domain: example
 ldap_domain_ext: fr
+ldap_secret_file: /root/.ldap.secret
 ldap_provider_uri: "{{ ansible_fqdn }}"
 ldap_suffix: "{{ ldap_domain }},{{ ldap_domain_ext }}"
 import_data: false
diff --git a/handlers/main.yml b/handlers/main.yml
index 181e59e..d532084 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,6 @@
 ---
-# handlers file for /etc/ansible/roles/slapd
\ No newline at end of file
+# handlers file for /etc/ansible/roles/slapd
+- name: restart_slapd
+  service:
+    name: slapd
+    state: restarted
\ No newline at end of file
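Review bot: The new `restart_slapd` handler hard-codes `name: slapd`, while the README context in this same patch documents `ldap_service` as the variable that holds the service unit name; use `name: "{{ ldap_service }}"` so the handler follows the role's configurable service name rather than bypassing it. The `\ No newline at end of file` marker shows the file still ends without a trailing newline; adding one keeps the next diff of this file clean.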
diff --git a/tasks/import_ldap_schema.yml b/tasks/import_ldap_schema.yml
index 8e77aae..ead4b0d 100644
--- a/tasks/import_ldap_schema.yml
+++ b/tasks/import_ldap_schema.yml
@@ -1,7 +1,7 @@
 - name: check if schema is loaded
   command: "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn"
   register: ldap_schema_list
-  changed_when
+  changed_when: false
 
 - name: import additional schemas
   command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ schema }}.ldif"
diff --git a/tasks/inject_ldif.yml b/tasks/inject_ldif.yml
deleted file mode 100644
index 9d82309..0000000
--- a/tasks/inject_ldif.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-- name: copy ldif files
-  copy:
-    src: "{{ ldap_ldif_dir }}/{{ ldif }}"
-    dest: "/root/Ldif/{{ ldif }}"
-
-- name: import additional schemas
-  command: "ldapadd -s /root/.ldap.secret -D {{ ldap_admin_dn }} -x /root/Ldif/{{ ldif }} -c"
-  ignore_error: true
-
diff --git a/tasks/main.yml b/tasks/main.yml
index 50a7f00..e25d487 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -32,6 +32,17 @@
     olcRootDN: "{{ ldap_admin_dn }}"
     olcRootPW: "{{ ldap_admin_password }}"
 
+- name: reconfigure slapd - access to cn=config
+  ldap_attr:
+    dn: olcDatabase={0}config,cn=config
+    name: olcAccess
+    values:
+      >-
+      to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+      by dn.base={{ ldap_admin_dn }} manage
+      by * none
+    state: exact
+
 - name: load additionnal schema
   include_tasks: import_ldap_schema.yml
   loop: "{{ ldap_schemas }}"
@@ -50,7 +61,7 @@
 
 - name: create passwd file
   copy:
-    dest: /root/.ldap.secrets
+    dest: "{{ ldap_secret_file }}"
     mode: 0600
     content: "{{ ldap_admin_password }}"
 
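Review bot: The olcAccess value written by `reconfigure slapd - access to cn=config` is also written by templates/change_suffix_and_dit_admin.ldif in this same patch, so the cn=config ACL now has two owners that can drift apart; keep one of them (this `ldap_attr` task is the idempotent one) and drop the other. Inside the folded value, `by dn.base={{ ldap_admin_dn }} manage` is the only unquoted DN; quote it like the peercred DN, `by dn.base="{{ ldap_admin_dn }}" manage`, so a DN containing a space is not split by the ACL tokenizer. With `state: exact`, slapd is likely to return the attribute with its `{0}` ordering prefix and the comparison may then report changed on every run — check a second run and, if so, write the value as `{0}to * by ...`. Because this clause makes the data-directory admin a full cn=config administrator, a comment above the task stating that intent would help the next reader, e.g. `# ldap_admin_dn gets manage rights on cn=config; its password file is therefore a server-configuration credential`.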
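Review bot: `mode: 0600` in `create passwd file` is an unquoted octal literal that YAML 1.1 parsers read as the integer 384; Ansible documents quoting file modes as the reliable form, so write `mode: "0600"`. Since `content:` carries the admin password, the task should also set `no_log: true` so the value is not echoed in verbose or `--diff` output. The new `dest: "{{ ldap_secret_file }}"` itself is fine.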
@@ -78,10 +89,11 @@
   register: ldif_list
 
 - name: import ldif files
-  command: "ldapadd -y -c /root/.ldap.secrets -xD {{ ldap_admin_dn }} -f {{ item .path}}"
+  command: "ldapadd -c -y /root/.ldap.secret -xD {{ ldap_admin_dn }} -f {{ item .path}}"
   with_items: "{{ ldif_list.files }}"
   ignore_errors: true
   when: ldap_ldif_files is defined
+  tags: wip
 
 - name: configure replication provider
   include_tasks: replication_provider.yml
@@ -117,17 +129,31 @@
     - "{{ ldap_ssl_cert_path }}"
     - "{{ ldap_ssl_key_path }}"
     - "{{ ldap_ssl_cacert_path }}"
-  - name: send ldif file
-    template:
-      src: ssl.ldif
-      dest: /root/
-  - name: import ldif
-    command: ldapmodify -c -Y EXTERNAL -H ldapi:/// -f /root/ssl.ldif
+- name: send ldif file
+  template:
+    src: ssl.ldif
+    dest: /root/
 
-  - name: remove ldif
-    file:
-      path: /root/ssl.ldif
-      state: absent
+- name: import ldif
+  command: ldapmodify -c -Y EXTERNAL -H ldapi:/// -f /root/ssl.ldif
+
+- name: configure url
+  lineinfile:
+    path: /etc/sysconfig/slapd
+    regexp: '^SLAPD_URLS="ldapi:/// ldap:///"'
+    line: 'SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"'
+    state: present
+  notify: restart_slapd
+
+- name: remove ldif
+  file:
+    path: /root/ssl.ldif
+    state: absent
   when: ldap_have_ssl
 
 
+- name: configure ldap aliases
+  tags: shell
+  template:
+    src: ldap_aliases.sh
+    dest: /etc/profile.d/
diff --git a/templates/change_suffix_and_dit_admin.ldif b/templates/change_suffix_and_dit_admin.ldif
index 1436ed8..ff12294 100644
--- a/templates/change_suffix_and_dit_admin.ldif
+++ b/templates/change_suffix_and_dit_admin.ldif
@@ -9,3 +9,7 @@
 olcrootdn: {{ ldap_admin_dn }}
 replace: olcrootpw
 olcrootpw: {{ ldap_admin_password }}
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn.base={{ ldap_admin_dn }} manage by * none
diff --git a/templates/ldap.conf b/templates/ldap.conf
index 21648cc..1063c8b 100644
--- a/templates/ldap.conf
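Review bot: The rewritten `command` in `import ldif files` still hard-codes `/root/.ldap.secret`, although this commit introduces `ldap_secret_file` and the `create passwd file` task now writes the password to `{{ ldap_secret_file }}`; a host that overrides the variable has no file at the hard-coded path, every import fails, and `ignore_errors: true` hides it. Use the variable: `command: "ldapadd -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }} -f {{ item .path}}"`. The added `tags: wip` reads like a leftover debugging tag; if it is intentional, a comment explaining why this task is tagged would help.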
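Review bot: After the re-indentation, the context line `when: ldap_have_ssl` belongs only to `remove ldif`; `send ldif file`, `import ldif` and `configure url` carry no condition, so on a host without SSL the ssl.ldif template is rendered and applied anyway and `SLAPD_URLS` gains `ldaps:///` before the notified restart, after which slapd is likely to refuse to start for lack of TLS material. Unless a `block:` with that condition encloses these tasks outside the hunk, add `when: ldap_have_ssl` to each of the three tasks. Separately, `regexp: '^SLAPD_URLS="ldapi:/// ldap:///"'` matches only the stock line; on a host where the line was already edited, `lineinfile` finds no match and appends a second `SLAPD_URLS=` line at end of file, so anchor on the key instead: `regexp: '^SLAPD_URLS='`.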
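Review bot: The new record starting at `dn: olcDatabase={0}config,cn=config` is not separated from the preceding record by an empty line; LDIF delimits records with a blank line, so ldapmodify reads `dn:` as part of the olcrootpw modification and rejects the file. Insert a blank line before the `dn:` line. The same ACL is also set by the `ldap_attr` task added to tasks/main.yml in this patch; keeping it in one place avoids the two definitions drifting apart.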
+++ b/templates/ldap.conf
@@ -1,5 +1,9 @@
-URI ldap://localhost/
 BASE {{ ldap_suffix }}
 {%if ldap_have_ssl %}
+URI ldaps://{{ ldap_server }}
 TLS_CACERT {{ ldap_ssl_cacert_path }}
+TLS_REQCERT allow
+URI ldap://localhost/
+{%else%}
+URI ldap://localhost
 {%endif%}
diff --git a/templates/ldap_aliases.sh b/templates/ldap_aliases.sh
new file mode 100644
index 0000000..8579b38
--- /dev/null
+++ b/templates/ldap_aliases.sh
@@ -0,0 +1,4 @@
+alias ldm="ldapmodify -x -D {{ ldap_admin_dn }} -y {{ ldap_secret_file }}"
+alias lda="ldapadd -x -D {{ ldap_admin_dn }} -y {{ ldap_secret_file }}"
+alias lds="ldapsearch -xLLL -D {{ ldap_admin_dn }} -y {{ ldap_secret_file }}"
+alias ldrm="ldapdelete -x -D {{ ldap_admin_dn }} -y {{ ldap_secret_file }}"
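Review bot: `TLS_REQCERT allow` in the ssl branch tells libldap to continue even when the server certificate is missing or fails validation, which removes server authentication from every `ldaps://` connection made through this ldap.conf — the opposite of what `TLS_CACERT {{ ldap_ssl_cacert_path }}` on the line above is configured for. Drop the line or set `TLS_REQCERT demand` (the default). Also, `URI ldap://localhost/` follows `URI ldaps://{{ ldap_server }}` in the same branch, and a later URI directive replaces an earlier one in ldap.conf (check ldap.conf(5)), so the ldaps URI would never be used; if a local fallback is intended, list both on one line, `URI ldaps://{{ ldap_server }} ldap://localhost/`. `ldap_server` is not among the defaults touched by this patch (they define `ldap_provider_uri`), so confirm the variable exists or the template fails to render.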
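Review bot: Each alias embeds `{{ ldap_admin_dn }}` unquoted inside the double-quoted alias body, so a DN containing a space is word-split when the alias expands; quote it, e.g. `-D '{{ ldap_admin_dn }}'`. The file is installed under /etc/profile.d/ and sourced by every login shell, while `{{ ldap_secret_file }}` is created with mode 0600 for root, so for any other user the aliases only fail on an unreadable password file; if they are meant for root, wrap the four lines in `if [ -r "{{ ldap_secret_file }}" ]; then ... fi` so other users' shells are not given broken aliases.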