From 4a829ed81a72546adf7f77fd33b2054f499dfbe8 Mon Sep 17 00:00:00 2001
From: Thomas Constans
Date: Tue, 6 Feb 2024 10:35:56 +0100
Subject: [PATCH] committinh old changes

---
 README.md | 2 -
 defaults/main.yml | 9 ++-
 tasks/import_ldap_schema.yml | 2 +-
 tasks/main.yml | 71 +++++++++++-----------
 tasks/replication_consumer.yml | 2 +-
 tasks/replication_provider.yml | 4 +-
 templates/change_suffix_and_dit_admin.ldif | 4 +-
 vars/CentOS.yml | 2 -
 vars/CentOS8.yml | 2 -
 vars/Rocky.yml | 1 +
 10 files changed, 46 insertions(+), 53 deletions(-)
 create mode 120000 vars/Rocky.yml

diff --git a/README.md b/README.md
index c0f34da..59f75f2 100644
--- a/README.md
+++ b/README.md
@@ -32,14 +32,12 @@ defined in vars/main.yml and vars/CentOS.yml
 * ldap_suffix - constructed from variables above example.net
 * ldap_admin_dn - cn=manager,{{ ldap_suffix }}
 * ldap_admin_password - 123Soleil - should be in a vault ...)
- * ldap_admin_ssha_password -slappasswd -s version of above password
 * ldap_secret_file - default to /root/.ldap.secret
 * ldap_packages - liste of packages - should be the only thing to change to adapt to other distro
 * ldap_service - name of service unit file - slapd
 * ldap_user - slapd service account
 * ldap_schemas - list of additionnal schema names to load - default cosine
- * ldap_backup_dir - default /srv/backups/ldap
 * ldap_replication_consumer - bool -true to setup a replication consumer
 * ldap_replication_provider - bool -true to setup a replication provider
 * ldap_replication_account - account used for replication
diff --git a/defaults/main.yml b/defaults/main.yml
index c4790a3..08fab4a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -12,13 +12,12 @@ ldap_replication_provider: false
 ldap_schemas:
   - cosine
 ldap_have_ssl: true
-ldap_ssl_dir: "{{ ldap_config_dir }}/certs/"
+ldap_ssl_dir: /etc/openldap/certs/
 ldap_ssl_cert_path: "{{ ldap_ssl_dir }}/cert.pem"
 ldap_ssl_key_path: "{{ ldap_ssl_dir }}/key.pem"
 ldap_ssl_cacert_path: "{{ ldap_ssl_dir }}/cert.pem"
 ldap_admin_dn: "cn=manager,{{ldap_suffix}}"
 ldap_admin_password: "CHANGEME"
-ldap_backup_dir: /srv/backups/ldap
 ldap_auth:
   bind_dn: "{{ ldap_admin_dn }}"
   bind_pw: "{{ ldap_admin_password }}"
@@ -33,7 +32,7 @@ ldap_entries:
     olcModulePath: /usr/lib64/openldap/
     olcModuleLoad: auditlog.la

-  - dn: "olcOverlay={0}auditlog,{{ ldap_database }},cn=config"
+  - dn: olcOverlay={0}auditlog,olcDatabase={2}hdb,cn=config
     objectClass:
       - olcOverlayConfig
       - olcAuditLogConfig
@@ -48,7 +47,7 @@ ldap_entries:
     olcModulePath: /usr/lib64/openldap/
     olcModuleLoad: memberof.la

-  - dn: "olcOverlay={1}memberof,{{ ldap_database }},cn=config"
+  - dn: olcOverlay={1}memberof,olcDatabase={2}hdb,cn=config
     objectClass:
       - olcConfig
       - olcOverlayConfig
@@ -63,7 +62,7 @@ ldap_entries:
     olcModulePath: /usr/lib64/openldap/
     olcModuleLoad: unique.la

-  - dn: "olcOverlay={2}unique,{{ ldap_database }},cn=config"
+  - dn: olcOverlay={2}unique,olcdatabase={2}hdb,cn=config
     objectClass:
       - olcOverlayConfig
       - olcUniqueConfig
diff --git a/tasks/import_ldap_schema.yml b/tasks/import_ldap_schema.yml
index 3424366..ead4b0d 100644
--- a/tasks/import_ldap_schema.yml
+++ b/tasks/import_ldap_schema.yml
@@ -4,6 +4,6 @@
   changed_when: false

 - name: import additional schemas
-  command: "ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldap_config_dir }}/schema/{{ schema }}.ldif"
+  command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ schema }}.ldif"
   when: schema not in ldap_schema_list.stdout
diff --git a/tasks/main.yml b/tasks/main.yml
index 75c3419..70a8229 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
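Review bot: The new `ldap_ssl_dir: /etc/openldap/certs/` keeps a trailing slash while the three context lines right below append `/cert.pem` and `/key.pem` to it, so the rendered paths become `/etc/openldap/certs//cert.pem`. Write `ldap_ssl_dir: /etc/openldap/certs` so the existing `"{{ ldap_ssl_dir }}/..."` values compose cleanly. Note that `ldap_ssl_cacert_path` (context, unchanged) still points at the same file as `ldap_ssl_cert_path`; if that is intentional a one-line comment saying so would stop readers from filing it as a copy-paste slip.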
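Review bot: The second hunk of defaults/main.yml replaces `{{ ldap_database }}` with the literal `olcDatabase={2}hdb`, and the same literal is repeated in hunks 3 and 4 here, in tasks/main.yml, tasks/replication_consumer.yml, tasks/replication_provider.yml and templates/change_suffix_and_dit_admin.ldif, while the commit deletes the per-distro `ldap_database` variable from vars/CentOS.yml and vars/CentOS8.yml. This commit also adds vars/Rocky.yml as a symlink to CentOS8.yml (symas-openldap packages); if that build ships an mdb backend, the database entry is `olcDatabase={N}mdb` and none of these DNs will resolve, and the hdb/bdb-only `olcDbCacheSize`/`olcDbIDLCacheSize` attributes set in tasks/main.yml will be rejected as well (inferred from the backend name, not visible here). Keeping `ldap_database` as a per-distro variable, or discovering the entry once with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" dn` and registering the result, keeps the role portable.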
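Review bot: The fourth hunk of defaults/main.yml spells the database RDN `olcdatabase={2}hdb` whereas the two hunks above it and tasks/main.yml use `olcDatabase={2}hdb`; the second hunk of tasks/replication_provider.yml has the same lower-case variant. LDAP compares attribute types case-insensitively so this is not a functional error, but a reader grepping for one spelling will miss the other; use `olcDatabase` everywhere, e.g. `- dn: olcOverlay={2}unique,olcDatabase={2}hdb,cn=config`.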
@@ -23,7 +23,7 @@
 - name: configure client
   template:
     src: ldap.conf
-    dest: "{{ ldap_config_dir }}/ldap.conf"
+    dest: /etc/openldap/ldap.conf
     mode: 0644

 - name: activate service
@@ -36,16 +36,47 @@
   block:
     - name: remove existing acl
       ldap_attr:
-        dn: "{{ ldap_database }},cn=config"
+        dn: olcDatabase={2}hdb,cn=config
         name: olcaccess
         values: []
         state: exact

+    - name: admin, suffix and cache
+      ldap_attr:
+        dn: olcDatabase={2}hdb,cn=config
+        name: "{{ item.key }}"
+        values: "{{ item.value }}"
+        state: exact
+      with_dict:
+        olcSuffix: "{{ ldap_suffix }}"
+        olcRootDN: "{{ ldap_admin_dn }}"
+        olcRootPW: "{{ ldap_admin_password }}"
+        olcDbCheckpoint: "{{ ldap_checkpoint }}"
+        olcDbCacheSize: "{{ ldap_cache_size }}"
+        olcDbIDLCacheSize: "{{ ldap_idlcache_size }}"
+        olcAccess:
+          - >-
+            {0}to attrs=userPassword,mail
+            by self write
+            by anonymous auth
+            by * none
+          - >-
+            {1}to dn.sub={{ ldap_suffix }}
+            by users read
+            by * none
+      ignore_errors: true
+
+    - name: remove existing indexes
+      ldap_attr:
+        dn: olcDatabase={2}hdb,cn=config
+        values: []
+        name: olcDbIndex
+        state: exact
+
     - name: add indexes
       ldap_attr:
-        dn: "{{ ldap_database }},cn=config"
+        dn: olcDatabase={2}hdb,cn=config
         name: "olcDbIndex"
-        state: exact
         values: "{{ item }}"
       loop:
         - objectClass pres,eq
@@ -64,7 +95,6 @@
       loop:
         - olcDatabase={0}config,cn=config
         - olcDatabase={1}monitor,cn=config
-      ignore_errors: true

 - name: load additionnal schema
   include_tasks: import_ldap_schema.yml
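Review bot: The new `admin, suffix and cache` task in the second hunk writes `olcRootPW: "{{ ldap_admin_password }}"` — the plaintext value — into cn=config, whereas the dropped `ldap_admin_ssha_password` (removed from the README and replaced by `ldap_admin_password` in templates/change_suffix_and_dit_admin.ldif in this same commit) carried an slappasswd hash; the admin password now sits in clear in slapd's config database and its on-disk LDIF, and `with_dict` echoes every item, password included, in the play output. Add `no_log: true` to the task and feed `olcRootPW` a hashed value as before (a vaulted pre-hashed variable, or a registered slappasswd result). Separately, `ignore_errors: true` on this task masks a failed `olcAccess` write immediately after `remove existing acl` has emptied the ACL, leaving the database under slapd's default access policy instead of the intended `by * none` rules; it would equally hide an undefined `ldap_checkpoint`, `ldap_cache_size` or `ldap_idlcache_size`, none of which this diff defines. Drop `ignore_errors: true` here so the play stops on the first failed attribute.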
@@ -170,34 +200,3 @@
   loop: "{{ ldap_entries }}"
   when: ldap_entries is defined
   ignore_errors: true
-
-- name: create root bin and backup dirs
-  tags: backup
-  file:
-    path: "{{ item }}"
-    state: directory
-    owner: root
-    group: root
-    mode: 0700
-  loop:
-    - "{{ ldap_backup_dir }}"
-    - /root/bin
-
-- name: deploy backup script
-  tags: backup
-  copy:
-    src: /home/tom/Documents/Opendoor/Developpement/Scripts/ldap_backup.sh
-    dest: /root/bin
-    mode: 0700
-
-- name: backup script cron
-  tags: backup
-  cron:
-    name: ldap_backup
-    cron_file: ldap_backup
-    user: root
-    hour: "02"
-    minute: "{{ 59 | random ( seed=inventory_hostname ) }}"
-    job: "/root/bin/ldap_backup.sh {{ ldap_backup_dir }}"
-
-
diff --git a/tasks/replication_consumer.yml b/tasks/replication_consumer.yml
index 7a9f28c..eeed1ac 100644
--- a/tasks/replication_consumer.yml
+++ b/tasks/replication_consumer.yml
@@ -1,7 +1,7 @@
 ---
 - name: add synrepl entry
   ldap_attr:
-    dn: "{{ ldap_database }},cn=config"
+    dn: olcDatabase={2}hdb,cn=config
     name: "{{ item.name }}"
     values: "{{ item.value }}"
   loop:
diff --git a/tasks/replication_provider.yml b/tasks/replication_provider.yml
index f9875b6..7c6c80a 100644
--- a/tasks/replication_provider.yml
+++ b/tasks/replication_provider.yml
@@ -23,7 +23,7 @@

 - name: add syncprov overlay config
   ldap_entry:
-    dn: "olcOverlay=syncprov,{{ ldap_database }},cn=config"
+    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
     objectClass: olcSyncProvConfig
     attributes:
       olcOverlay: syncprov
@@ -38,7 +38,7 @@

 - name: add indexes for replication
   ldap_attr:
-    dn: "{{ ldap_database }},cn=config"
+    dn: olcdatabase={2}hdb,cn=config
     name: olcDbIndex
     values:
       - entryUUID eq
diff --git a/templates/change_suffix_and_dit_admin.ldif b/templates/change_suffix_and_dit_admin.ldif
index f729b38..ff12294 100644
--- a/templates/change_suffix_and_dit_admin.ldif
+++ b/templates/change_suffix_and_dit_admin.ldif
@@ -1,4 +1,4 @@
-dn: "{{ ldap_database }},cn=config"
+dn: olcDatabase={2}hdb,cn=config
 changetype: modify
 replace: olcsuffix
 olcsuffix: {{ ldap_suffix }}
@@ -7,7 +7,7 @@ replace: olcrootdn
 olcrootdn: {{ ldap_admin_dn }}
 -
 replace: olcrootpw
-olcrootpw: {{ ldap_admin_ssha_password }}
+olcrootpw: {{ ldap_admin_password }}

 dn: olcDatabase={0}config,cn=config
 changetype: modify
diff --git a/vars/CentOS.yml b/vars/CentOS.yml
index ba45d2a..7fc2d15 100644
--- a/vars/CentOS.yml
+++ b/vars/CentOS.yml
@@ -1,5 +1,3 @@
-ldap_database: 'olcdatabase={2}hdb'
-ldap_config_dir: /etc/openldap
 ldap_packages:
   - openldap-servers
   - openldap-clients
diff --git a/vars/CentOS8.yml b/vars/CentOS8.yml
index 4b496c5..880af68 100644
--- a/vars/CentOS8.yml
+++ b/vars/CentOS8.yml
@@ -1,5 +1,3 @@
-ldap_database: 'olcdatabase={2}hdb'
-ldap_config_dir: /etc/openldap
 ldap_packages:
   - symas-openldap-servers
   - symas-openldap-clients
diff --git a/vars/Rocky.yml b/vars/Rocky.yml
new file mode 120000
index 0000000..977af6d
--- /dev/null
+++ b/vars/Rocky.yml
@@ -0,0 +1 @@
+CentOS8.yml
\ No newline at end of file