committinh old changes

2024-02-06 10:35:56 +01:00
parent 9568139378
commit 4a829ed81a
10 changed files with 46 additions and 53 deletions
--- a/README.md
+++ b/README.md
@@ -32,14 +32,12 @@ defined in vars/main.yml and vars/CentOS.yml
  * ldap_suffix      - constructed from variables above example.net
  * ldap_admin_dn    - cn=manager,{{ ldap_suffix }}
  * ldap_admin_password - 123Soleil - should be in a vault ...)
-  * ldap_admin_ssha_password -slappasswd -s version of above password
  * ldap_secret_file - default to /root/.ldap.secret
  * ldap_packages    - liste of packages - should be the only thing to change to
    adapt to other distro
  * ldap_service     - name of service unit file - slapd
  * ldap_user        - slapd service account
  * ldap_schemas     - list of additionnal schema names to load - default cosine
-  * ldap_backup_dir  - default /srv/backups/ldap
  * ldap_replication_consumer - bool -true to setup a replication consumer
  * ldap_replication_provider - bool -true to setup a replication provider
  * ldap_replication_account - account used for replication
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,13 +12,12 @@ ldap_replication_provider: false
 ldap_schemas:
 - cosine
 ldap_have_ssl: true
-ldap_ssl_dir: "{{ ldap_config_dir }}/certs/"
+ldap_ssl_dir: /etc/openldap/certs/
 ldap_ssl_cert_path: "{{ ldap_ssl_dir }}/cert.pem"
 ldap_ssl_key_path: "{{ ldap_ssl_dir }}/key.pem"
 ldap_ssl_cacert_path: "{{ ldap_ssl_dir }}/cert.pem"
 ldap_admin_dn: "cn=manager,{{ldap_suffix}}"
 ldap_admin_password: "CHANGEME"
-ldap_backup_dir: /srv/backups/ldap
 ldap_auth:
  bind_dn: "{{ ldap_admin_dn }}"
  bind_pw: "{{ ldap_admin_password }}"
@@ -33,7 +32,7 @@ ldap_entries:
      olcModulePath: /usr/lib64/openldap/
      olcModuleLoad: auditlog.la

-  - dn: "olcOverlay={0}auditlog,{{ ldap_database }},cn=config"
+  - dn: olcOverlay={0}auditlog,olcDatabase={2}hdb,cn=config
    objectClass: 
      - olcOverlayConfig
      - olcAuditLogConfig
@@ -48,7 +47,7 @@ ldap_entries:
      olcModulePath: /usr/lib64/openldap/
      olcModuleLoad: memberof.la

-  - dn: "olcOverlay={1}memberof,{{ ldap_database }},cn=config"
+  - dn: olcOverlay={1}memberof,olcDatabase={2}hdb,cn=config
    objectClass:
      - olcConfig
      - olcOverlayConfig
@@ -63,7 +62,7 @@ ldap_entries:
      olcModulePath: /usr/lib64/openldap/
      olcModuleLoad: unique.la

-  - dn: "olcOverlay={2}unique,{{ ldap_database }},cn=config"
+  - dn: olcOverlay={2}unique,olcdatabase={2}hdb,cn=config
    objectClass: 
      - olcOverlayConfig
      - olcUniqueConfig
--- a/tasks/import_ldap_schema.yml
+++ b/tasks/import_ldap_schema.yml
@@ -4,6 +4,6 @@
  changed_when: false

 - name: import additional schemas
-  command: "ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldap_config_dir }}/schema/{{ schema }}.ldif"
+  command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ schema }}.ldif"
  when: schema not in ldap_schema_list.stdout

--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -23,7 +23,7 @@
 - name: configure client
  template:
    src: ldap.conf
-    dest: "{{ ldap_config_dir }}/ldap.conf"
+    dest: /etc/openldap/ldap.conf
    mode: 0644

 - name: activate service
@@ -36,16 +36,47 @@
  block:
  - name: remove existing acl
    ldap_attr:
-      dn: "{{ ldap_database }},cn=config"
+      dn: olcDatabase={2}hdb,cn=config
      name: olcaccess
      values: []
      state: exact

+  - name: admin, suffix and cache
+    ldap_attr:
+      dn: olcDatabase={2}hdb,cn=config
+      name: "{{ item.key }}"
+      values: "{{ item.value }}"
+      state: exact
+    with_dict:
+      olcSuffix: "{{ ldap_suffix }}"
+      olcRootDN: "{{ ldap_admin_dn }}"
+      olcRootPW: "{{ ldap_admin_password }}"
+      olcDbCheckpoint: "{{ ldap_checkpoint }}"
+      olcDbCacheSize: "{{ ldap_cache_size }}"
+      olcDbIDLCacheSize: "{{ ldap_idlcache_size }}"
+      olcAccess:
+        - >-
+          {0}to attrs=userPassword,mail
+          by self write
+          by anonymous auth
+          by * none
+        - >-
+          {1}to dn.sub={{ ldap_suffix }}
+          by users read
+          by * none
+    ignore_errors: true
+
+  - name: remove existing indexes
+    ldap_attr:
+      dn: olcDatabase={2}hdb,cn=config
+      values: []
+      name: olcDbIndex
+      state: exact
+
  - name: add indexes
    ldap_attr:
-      dn: "{{ ldap_database }},cn=config"
+      dn: olcDatabase={2}hdb,cn=config
      name: "olcDbIndex"
-      state: exact
      values: "{{ item }}"
    loop:
      - objectClass pres,eq
@@ -64,7 +95,6 @@
  loop:
  - olcDatabase={0}config,cn=config
  - olcDatabase={1}monitor,cn=config
-  ignore_errors: true

 - name: load additionnal schema
  include_tasks: import_ldap_schema.yml
@@ -170,34 +200,3 @@
  loop: "{{ ldap_entries }}"
  when: ldap_entries is defined
  ignore_errors: true
-
- name: create root bin and backup dirs
-  tags: backup
-  file:
-    path: "{{ item }}"
-    state: directory
-    owner: root
-    group: root
-    mode: 0700
-  loop:
-  - "{{ ldap_backup_dir }}"
-  - /root/bin
-
- name: deploy backup script
-  tags: backup
-  copy:
-    src: /home/tom/Documents/Opendoor/Developpement/Scripts/ldap_backup.sh
-    dest: /root/bin
-    mode: 0700
-
- name: backup script cron
-  tags: backup
-  cron:
-    name: ldap_backup
-    cron_file: ldap_backup
-    user: root
-    hour: "02"
-    minute: "{{ 59 | random ( seed=inventory_hostname ) }}"
-    job: "/root/bin/ldap_backup.sh {{ ldap_backup_dir }}"
-
-
--- a/tasks/replication_consumer.yml
+++ b/tasks/replication_consumer.yml
@@ -1,7 +1,7 @@
 ---
 - name: add synrepl entry
  ldap_attr:
-    dn: "{{ ldap_database }},cn=config"
+    dn: olcDatabase={2}hdb,cn=config
    name: "{{ item.name }}"
    values: "{{ item.value }}"
  loop:
--- a/tasks/replication_provider.yml
+++ b/tasks/replication_provider.yml
@@ -23,7 +23,7 @@

 - name: add syncprov overlay config
  ldap_entry:
-    dn: "olcOverlay=syncprov,{{ ldap_database }},cn=config"
+    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
    objectClass: olcSyncProvConfig
    attributes:
      olcOverlay: syncprov
@@ -38,7 +38,7 @@

 - name: add indexes for replication
  ldap_attr:
-    dn: "{{ ldap_database }},cn=config"
+    dn: olcdatabase={2}hdb,cn=config
    name: olcDbIndex
    values:
    - entryUUID eq
--- a/templates/change_suffix_and_dit_admin.ldif
+++ b/templates/change_suffix_and_dit_admin.ldif
@@ -1,4 +1,4 @@
-dn: "{{ ldap_database }},cn=config"
+dn: olcDatabase={2}hdb,cn=config
 changetype: modify
 replace: olcsuffix
 olcsuffix: {{ ldap_suffix }}
@@ -7,7 +7,7 @@ replace: olcrootdn
 olcrootdn: {{ ldap_admin_dn }}
 -
 replace: olcrootpw
-olcrootpw: {{ ldap_admin_ssha_password }}
+olcrootpw: {{ ldap_admin_password }}

 dn: olcDatabase={0}config,cn=config
 changetype: modify
--- a/vars/CentOS.yml
+++ b/vars/CentOS.yml
@@ -1,5 +1,3 @@
-ldap_database: 'olcdatabase={2}hdb'
-ldap_config_dir: /etc/openldap
 ldap_packages:
  - openldap-servers
  - openldap-clients
--- a/vars/CentOS8.yml
+++ b/vars/CentOS8.yml
@@ -1,5 +1,3 @@
-ldap_database: 'olcdatabase={2}hdb'
-ldap_config_dir: /etc/openldap
 ldap_packages:
  - symas-openldap-servers
  - symas-openldap-clients
--- a/vars/Rocky.yml
+++ b/vars/Rocky.yml
@@ -0,0 +1 @@
+CentOS8.yml