tom/ansible_slapd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

committinh old changes

Browse Source
This commit is contained in:
Thomas Constans
2024-02-06 10:35:56 +01:00
parent 9568139378
commit 4a829ed81a
10 changed files with 46 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -32,14 +32,12 @@ defined in vars/main.yml and vars/CentOS.yml
* ldap_suffix - constructed from variables above example.net * ldap_suffix - constructed from variables above example.net
* ldap_admin_dn - cn=manager,{{ ldap_suffix }} * ldap_admin_dn - cn=manager,{{ ldap_suffix }}
* ldap_admin_password - 123Soleil - should be in a vault ...) * ldap_admin_password - 123Soleil - should be in a vault ...)
* ldap_admin_ssha_password -slappasswd -s version of above password
* ldap_secret_file - default to /root/.ldap.secret * ldap_secret_file - default to /root/.ldap.secret
* ldap_packages - liste of packages - should be the only thing to change to * ldap_packages - liste of packages - should be the only thing to change to
adapt to other distro adapt to other distro
* ldap_service - name of service unit file - slapd * ldap_service - name of service unit file - slapd
* ldap_user - slapd service account * ldap_user - slapd service account
* ldap_schemas - list of additionnal schema names to load - default cosine * ldap_schemas - list of additionnal schema names to load - default cosine
* ldap_backup_dir - default /srv/backups/ldap
* ldap_replication_consumer - bool -true to setup a replication consumer * ldap_replication_consumer - bool -true to setup a replication consumer
* ldap_replication_provider - bool -true to setup a replication provider * ldap_replication_provider - bool -true to setup a replication provider
* ldap_replication_account - account used for replication * ldap_replication_account - account used for replication

9
defaults/main.yml
View File

@@ -12,13 +12,12 @@ ldap_replication_provider: false
ldap_schemas: ldap_schemas:
- cosine - cosine
ldap_have_ssl: true ldap_have_ssl: true
ldap_ssl_dir: "{{ ldap_config_dir }}/certs/" ldap_ssl_dir: /etc/openldap/certs/
ldap_ssl_cert_path: "{{ ldap_ssl_dir }}/cert.pem" ldap_ssl_cert_path: "{{ ldap_ssl_dir }}/cert.pem"
ldap_ssl_key_path: "{{ ldap_ssl_dir }}/key.pem" ldap_ssl_key_path: "{{ ldap_ssl_dir }}/key.pem"
ldap_ssl_cacert_path: "{{ ldap_ssl_dir }}/cert.pem" ldap_ssl_cacert_path: "{{ ldap_ssl_dir }}/cert.pem"
ldap_admin_dn: "cn=manager,{{ldap_suffix}}" ldap_admin_dn: "cn=manager,{{ldap_suffix}}"
ldap_admin_password: "CHANGEME" ldap_admin_password: "CHANGEME"
ldap_backup_dir: /srv/backups/ldap
ldap_auth: ldap_auth:
bind_dn: "{{ ldap_admin_dn }}" bind_dn: "{{ ldap_admin_dn }}"
bind_pw: "{{ ldap_admin_password }}" bind_pw: "{{ ldap_admin_password }}"
@@ -33,7 +32,7 @@ ldap_entries:
olcModulePath: /usr/lib64/openldap/ olcModulePath: /usr/lib64/openldap/
olcModuleLoad: auditlog.la olcModuleLoad: auditlog.la
- dn: "olcOverlay={0}auditlog,{{ ldap_database }},cn=config" - dn: olcOverlay={0}auditlog,olcDatabase={2}hdb,cn=config
objectClass: objectClass:
- olcOverlayConfig - olcOverlayConfig
- olcAuditLogConfig - olcAuditLogConfig
@@ -48,7 +47,7 @@ ldap_entries:
olcModulePath: /usr/lib64/openldap/ olcModulePath: /usr/lib64/openldap/
olcModuleLoad: memberof.la olcModuleLoad: memberof.la
- dn: "olcOverlay={1}memberof,{{ ldap_database }},cn=config" - dn: olcOverlay={1}memberof,olcDatabase={2}hdb,cn=config
objectClass: objectClass:
- olcConfig - olcConfig
- olcOverlayConfig - olcOverlayConfig
@@ -63,7 +62,7 @@ ldap_entries:
olcModulePath: /usr/lib64/openldap/ olcModulePath: /usr/lib64/openldap/
olcModuleLoad: unique.la olcModuleLoad: unique.la
- dn: "olcOverlay={2}unique,{{ ldap_database }},cn=config" - dn: olcOverlay={2}unique,olcdatabase={2}hdb,cn=config
objectClass: objectClass:
- olcOverlayConfig - olcOverlayConfig
- olcUniqueConfig - olcUniqueConfig

2
tasks/import_ldap_schema.yml
View File

@@ -4,6 +4,6 @@
changed_when: false changed_when: false
- name: import additional schemas - name: import additional schemas
command: "ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldap_config_dir }}/schema/{{ schema }}.ldif" command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ schema }}.ldif"
when: schema not in ldap_schema_list.stdout when: schema not in ldap_schema_list.stdout

71
tasks/main.yml
View File

@@ -23,7 +23,7 @@
- name: configure client - name: configure client
template: template:
src: ldap.conf src: ldap.conf
dest: "{{ ldap_config_dir }}/ldap.conf" dest: /etc/openldap/ldap.conf
mode: 0644 mode: 0644
- name: activate service - name: activate service
@@ -36,16 +36,47 @@
block: block:
- name: remove existing acl - name: remove existing acl
ldap_attr: ldap_attr:
dn: "{{ ldap_database }},cn=config" dn: olcDatabase={2}hdb,cn=config
name: olcaccess name: olcaccess
values: [] values: []
state: exact state: exact
- name: admin, suffix and cache
ldap_attr:
dn: olcDatabase={2}hdb,cn=config
name: "{{ item.key }}"
values: "{{ item.value }}"
state: exact
with_dict:
olcSuffix: "{{ ldap_suffix }}"
olcRootDN: "{{ ldap_admin_dn }}"
olcRootPW: "{{ ldap_admin_password }}"
olcDbCheckpoint: "{{ ldap_checkpoint }}"
olcDbCacheSize: "{{ ldap_cache_size }}"
olcDbIDLCacheSize: "{{ ldap_idlcache_size }}"
olcAccess:
- >-
{0}to attrs=userPassword,mail
by self write
by anonymous auth
by * none
- >-
{1}to dn.sub={{ ldap_suffix }}
by users read
by * none
ignore_errors: true
- name: remove existing indexes
ldap_attr:
dn: olcDatabase={2}hdb,cn=config
values: []
name: olcDbIndex
state: exact
- name: add indexes - name: add indexes
ldap_attr: ldap_attr:
dn: "{{ ldap_database }},cn=config" dn: olcDatabase={2}hdb,cn=config
name: "olcDbIndex" name: "olcDbIndex"
state: exact
values: "{{ item }}" values: "{{ item }}"
loop: loop:
- objectClass pres,eq - objectClass pres,eq
@@ -64,7 +95,6 @@
loop: loop:
- olcDatabase={0}config,cn=config - olcDatabase={0}config,cn=config
- olcDatabase={1}monitor,cn=config - olcDatabase={1}monitor,cn=config
ignore_errors: true
- name: load additionnal schema - name: load additionnal schema
include_tasks: import_ldap_schema.yml include_tasks: import_ldap_schema.yml
@@ -170,34 +200,3 @@
loop: "{{ ldap_entries }}" loop: "{{ ldap_entries }}"
when: ldap_entries is defined when: ldap_entries is defined
ignore_errors: true ignore_errors: true
- name: create root bin and backup dirs
tags: backup
file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0700
loop:
- "{{ ldap_backup_dir }}"
- /root/bin
- name: deploy backup script
tags: backup
copy:
src: /home/tom/Documents/Opendoor/Developpement/Scripts/ldap_backup.sh
dest: /root/bin
mode: 0700
- name: backup script cron
tags: backup
cron:
name: ldap_backup
cron_file: ldap_backup
user: root
hour: "02"
minute: "{{ 59 | random ( seed=inventory_hostname ) }}"
job: "/root/bin/ldap_backup.sh {{ ldap_backup_dir }}"

2
tasks/replication_consumer.yml
View File

@@ -1,7 +1,7 @@
--- ---
- name: add synrepl entry - name: add synrepl entry
ldap_attr: ldap_attr:
dn: "{{ ldap_database }},cn=config" dn: olcDatabase={2}hdb,cn=config
name: "{{ item.name }}" name: "{{ item.name }}"
values: "{{ item.value }}" values: "{{ item.value }}"
loop: loop:

4
tasks/replication_provider.yml
View File

@@ -23,7 +23,7 @@
- name: add syncprov overlay config - name: add syncprov overlay config
ldap_entry: ldap_entry:
dn: "olcOverlay=syncprov,{{ ldap_database }},cn=config" dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
objectClass: olcSyncProvConfig objectClass: olcSyncProvConfig
attributes: attributes:
olcOverlay: syncprov olcOverlay: syncprov
@@ -38,7 +38,7 @@
- name: add indexes for replication - name: add indexes for replication
ldap_attr: ldap_attr:
dn: "{{ ldap_database }},cn=config" dn: olcdatabase={2}hdb,cn=config
name: olcDbIndex name: olcDbIndex
values: values:
- entryUUID eq - entryUUID eq

4
templates/change_suffix_and_dit_admin.ldif
View File

@@ -1,4 +1,4 @@
dn: "{{ ldap_database }},cn=config" dn: olcDatabase={2}hdb,cn=config
changetype: modify changetype: modify
replace: olcsuffix replace: olcsuffix
olcsuffix: {{ ldap_suffix }} olcsuffix: {{ ldap_suffix }}
@@ -7,7 +7,7 @@ replace: olcrootdn
olcrootdn: {{ ldap_admin_dn }} olcrootdn: {{ ldap_admin_dn }}
- -
replace: olcrootpw replace: olcrootpw
olcrootpw: {{ ldap_admin_ssha_password }} olcrootpw: {{ ldap_admin_password }}
dn: olcDatabase={0}config,cn=config dn: olcDatabase={0}config,cn=config
changetype: modify changetype: modify

2
vars/CentOS.yml
View File

@@ -1,5 +1,3 @@
ldap_database: 'olcdatabase={2}hdb'
ldap_config_dir: /etc/openldap
ldap_packages: ldap_packages:
- openldap-servers - openldap-servers
- openldap-clients - openldap-clients

2
vars/CentOS8.yml
View File

@@ -1,5 +1,3 @@
ldap_database: 'olcdatabase={2}hdb'
ldap_config_dir: /etc/openldap
ldap_packages: ldap_packages:
- symas-openldap-servers - symas-openldap-servers
- symas-openldap-clients - symas-openldap-clients

1
vars/Rocky.yml Symbolic link
View File

@@ -0,0 +1 @@
CentOS8.yml