tom/ansible_slapd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

make it work on debian12

Browse Source
This commit is contained in:
Thomas Constans
2025-05-13 13:54:40 +02:00
parent 2c8c7c8c73
commit 4b0312e471
8 changed files with 68 additions and 55 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -46,7 +46,7 @@ defined in vars/main.yml and vars/CentOS.yml
* ldap_schemas - list of additionnal schema names to load - default cosine * ldap_schemas - list of additionnal schema names to load - default cosine
* ldap_replication_consumer - bool -true to setup a replication consumer * ldap_replication_consumer - bool -true to setup a replication consumer
* ldap_replication_provider - bool -true to setup a replication provider * ldap_replication_provider - bool -true to setup a replication provider
* ldap_replication_account - account used for replication * ldap_replication_account_dn- account used for replication
* ldap_replication_password - account password used for replication * ldap_replication_password - account password used for replication
- ldap_replication_provider_uri - ldap uri of provider server - ldap_replication_provider_uri - ldap uri of provider server
* ldap_have_ssl - boolean - wether we use ssl or not * ldap_have_ssl - boolean - wether we use ssl or not

4
tasks/import_ldap_schema.yml
View File

@@ -1,9 +1,9 @@
- name: check if schema is loaded - name: check if schema is loaded
command: "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn" ansible.builtin.command: "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn"
register: ldap_schema_list register: ldap_schema_list
changed_when: false changed_when: false
- name: import additional schemas - name: import additional schemas
command: "ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldap_config_dir }}/schema/{{ schema }}.ldif" ansible.builtin.command: "ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldap_config_dir }}/schema/{{ schema }}.ldif"
when: schema not in ldap_schema_list.stdout when: schema not in ldap_schema_list.stdout

60
tasks/main.yml
View File

@@ -2,41 +2,41 @@
# tasks file for /etc/ansible/roles/slapd # tasks file for /etc/ansible/roles/slapd
- name: get admin password from keepass - name: get admin password from keepass
set_fact: ansible.builtin.set_fact:
ldap_admin_dn: "{{ lookup( 'viczem.keepass.keepass', '{{ group_names[0]}}/{{ inventory_hostname }}_ldap_admin', 'username' ) }}" ldap_admin_dn: "{{ lookup( 'viczem.keepass.keepass', '{{ group_names[0]}}/{{ inventory_hostname }}_ldap_admin', 'username' ) }}"
ldap_admin_password: "{{ lookup( 'viczem.keepass.keepass', '{{ group_names[0]}}/{{ inventory_hostname }}_ldap_admin', 'password' ) }}" ldap_admin_password: "{{ lookup( 'viczem.keepass.keepass', '{{ group_names[0]}}/{{ inventory_hostname }}_ldap_admin', 'password' ) }}"
tags: always tags: always
when: ldap_admin_dn is not defined or ldap_admin_password is not defined when: ldap_admin_dn is not defined or ldap_admin_password is not defined
- name: OS specific vars - name: OS specific vars
include_vars: "{{ ansible_distribution }}.yml" ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
tags: always tags: always
- name: CentOS8 stuff - name: CentOS8 stuff
block: block:
- name: CentOS 8 specific vars - name: CentOS 8 specific vars
include_vars: CentOS8.yml ansible.builtin.include_vars: CentOS8.yml
- name: configure Symas repo for CentOS8 - name: configure Symas repo for CentOS8
get_url: ansible.builtin.get_url:
url: https://repo.symas.com/configs/SOFL/rhel8/sofl.repo url: https://repo.symas.com/configs/SOFL/rhel8/sofl.repo
dest: /etc/yum.repos.d/sofl.repo dest: /etc/yum.repos.d/sofl.repo
when: ansible_distribution_major_version == 8 and ansible_distribution =='CentOS' when: ansible_distribution_major_version == 8 and ansible_distribution =='CentOS'
tags: always tags: always
- name: install - name: install
package: ansible.builtin.package:
name: "{{ ldap_packages }}" name: "{{ ldap_packages }}"
state: present state: present
- name: configure client - name: configure client
template: ansible.builtin.template:
src: ldap.conf src: ldap.conf
dest: "{{ ldap_config_dir }}/" dest: "{{ ldap_config_dir }}/"
mode: 0644 mode: 0644
- name: activate service - name: activate service
service: ansible.builtin.service:
name: "{{ ldap_service }}" name: "{{ ldap_service }}"
state: started state: started
enabled: yes enabled: yes
@@ -75,7 +75,7 @@
ordered: true ordered: true
- name: reconfigure slapd - access to cn=config - name: reconfigure slapd - access to cn=config
ldap_attrs: community.general.ldap_attrs:
dn: olcDatabase={0}config,cn=config dn: olcDatabase={0}config,cn=config
attributes: attributes:
olcAccess: olcAccess:
@@ -86,7 +86,7 @@
state: exact state: exact
- name: reconfigure slapd - access to cn=monitor - name: reconfigure slapd - access to cn=monitor
ldap_attrs: community.general.ldap_attrs:
dn: olcDatabase={1}monitor,cn=config dn: olcDatabase={1}monitor,cn=config
attributes: attributes:
olcAccess: olcAccess:
@@ -98,13 +98,13 @@
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
- name: load additionnal schema - name: load additionnal schema
include_tasks: import_ldap_schema.yml ansible.builtin.include_tasks: import_ldap_schema.yml
loop: "{{ ldap_schemas }}" loop: "{{ ldap_schemas }}"
loop_control: loop_control:
loop_var: schema loop_var: schema
- name: create suffix - name: create suffix
ldap_entry: community.general.ldap_entry:
server_uri: ldap://localhost server_uri: ldap://localhost
bind_dn: "{{ ldap_admin_dn }}" bind_dn: "{{ ldap_admin_dn }}"
bind_pw: "{{ ldap_admin_password }}" bind_pw: "{{ ldap_admin_password }}"
@@ -114,7 +114,7 @@
dc: "{{ ldap_domain }}" dc: "{{ ldap_domain }}"
- name: create passwd file - name: create passwd file
copy: ansible.builtin.copy:
dest: "{{ ldap_secret_file }}" dest: "{{ ldap_secret_file }}"
mode: 0600 mode: 0600
content: "{{ ldap_admin_password }}" content: "{{ ldap_admin_password }}"
@@ -122,38 +122,38 @@
- name: import data - name: import data
block: block:
- name: create initial directory - name: create initial directory
file: ansible.builtin.file:
path: /root/Ldif path: /root/Ldif
state: directory state: directory
mode: 0700 mode: 0700
- name: send ldif files - name: send ldif files
template: ansible.builtin.template:
src: "{{ item }}" src: "{{ item }}"
dest: /root/Ldif/ dest: /root/Ldif/
mode: 0600 mode: 0600
loop: "{{ ldap_ldif_files }}" loop: "{{ ldap_ldif_files }}"
- name: get list of ldif files - name: get list of ldif files
find: ansible.builtin.find:
paths: /root/Ldif paths: /root/Ldif
patterns: "*.ldif" patterns: "*.ldif"
file_type: file file_type: file
register: ldif_list register: ldif_list
- name: import ldif files - name: import ldif files
command: "ldapadd -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }} -f {{ item .path }}" ansible.builtin.command: "ldapadd -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }} -f {{ item .path }}"
with_items: "{{ ldif_list.files }}" with_items: "{{ ldif_list.files }}"
ignore_errors: true ignore_errors: true
when: ldap_ldif_files is defined when: ldap_ldif_files is defined
- name: configure replication provider - name: configure replication provider
include_tasks: replication_provider.yml ansible.builtin.include_tasks: replication_provider.yml
when: ldap_replication_provider when: ldap_replication_provider
- name: configure replication consumer - name: configure replication consumer
include_tasks: replication_consumer.yml ansible.builtin.include_tasks: replication_consumer.yml
when: ldap_replication_consumer when: ldap_replication_consumer
# cannot use ldap_entry module because attr olcTLS* don't have equality matching # cannot use ldap_entry module because attr olcTLS* don't have equality matching
@@ -165,15 +165,25 @@
block: block:
- name: send ldif file - name: send ldif file
template: ansible.builtin.template:
src: ssl.ldif src: ssl.ldif
dest: /root/ dest: /root/
- name: import ldif - name: import ldif
command: ldapmodify -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }} -f /root/ssl.ldif ansible.builtin.command: ldapmodify -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }} -f /root/ssl.ldif
- name: configure url - name: configure url - Debian
lineinfile: when: ansible_os_family == 'Debian'
ansible.builtin.lineinfile:
path: /etc/default/slapd
regexp: '^SLAPD_SERVICES="ldap:/// ldapi:///"'
line: 'SLAPD_SERVICES="ldapi:/// ldap:/// ldaps:///"'
state: present
notify: restart_slapd
- name: configure url - RH
when: ansible_os_family == 'RedHat'
ansible.builtin.lineinfile:
path: /etc/sysconfig/slapd path: /etc/sysconfig/slapd
regexp: '^SLAPD_URLS="ldapi:/// ldap:///"' regexp: '^SLAPD_URLS="ldapi:/// ldap:///"'
line: 'SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"' line: 'SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"'
@@ -181,7 +191,7 @@
notify: restart_slapd notify: restart_slapd
- name: remove ldif - name: remove ldif
file: ansible.builtin.file:
path: /root/ssl.ldif path: /root/ssl.ldif
state: absent state: absent
when: ldap_have_ssl when: ldap_have_ssl
@@ -200,7 +210,7 @@
line: source /root/.ldap_aliases.sh line: source /root/.ldap_aliases.sh
- name: add some entries - name: add some entries
ldap_entry: community.general.ldap_entry:
dn: "{{ item.dn }}" dn: "{{ item.dn }}"
objectClass: "{{ item.objectClass }}" objectClass: "{{ item.objectClass }}"
attributes: "{{ item.attributes }}" attributes: "{{ item.attributes }}"
@@ -210,5 +220,5 @@
ignore_errors: true ignore_errors: true
- name: setup backup - name: setup backup
import_tasks: backup.yml ansible.builtin.import_tasks: backup.yml
tags: backup_ldap tags: backup_ldap

14
tasks/replication_consumer.yml
View File

@@ -1,19 +1,15 @@
--- ---
- name: add synrepl entry - name: add synrepl entry
ldap_attr: community.general.ldap_attrs:
dn: "{{ ldap_database }}" dn: "{{ ldap_database }}"
name: "{{ item.name }}" attributes:
values: "{{ item.value }}" olcSyncRepl: |
loop:
- name: olcSyncRepl
value: |
rid=001 rid=001
provider="{{ ldap_replication_provider_uri }}" provider="{{ ldap_replication_provider_uri }}"
binddn="cn={{ ldap_replication_account }},{{ ldap_suffix }}" binddn="{{ ldap_replication_account_dn }}"
bindmethod="simple" bindmethod="simple"
credentials="{{ ldap_replication_password }}" credentials="{{ ldap_replication_password }}"
searchbase="{{ ldap_suffix }}" searchbase="{{ ldap_suffix }}"
type=refreshAndPersist type=refreshAndPersist
retry="10 +" retry="10 +"
- name: olcUpdateRef olcUpdateRef: "{{ ldap_provider_uri }}"
value: "{{ ldap_provider_uri }}"

26
tasks/replication_provider.yml
View File

@@ -1,19 +1,19 @@
--- ---
- name: create replication account - name: create replication account
ldap_entry: community.general.ldap_entry:
dn: "cn={{ ldap_replication_account }},{{ ldap_suffix }}" dn: "{{ ldap_replication_account_dn }}"
objectClass: person objectClass: person
attributes: attributes:
sn: "{{ ldap_replication_account }}" sn: "Replication"
userPassword: "{{ ldap_replication_password }}" userPassword: "{{ ldap_replication_password }}"
params: "{{ ldap_auth }}" args: "{{ ldap_auth }}"
- name: check wether module is already loaded - name: check wether module is already loaded
command: ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config objectClass=olcModuleList olcmoduleload command: ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config objectClass=olcModuleList olcmoduleload
register: ldap_result register: ldap_result
- name: add syncprov overlay module - name: add syncprov overlay module
ldap_entry: community.general.ldap_entry:
dn: cn=module,cn=config dn: cn=module,cn=config
objectClass: olcModuleList objectClass: olcModuleList
attributes: attributes:
@@ -22,7 +22,7 @@
when: '"syncprov.la" not in ldap_result.stdout' when: '"syncprov.la" not in ldap_result.stdout'
- name: add syncprov overlay config - name: add syncprov overlay config
ldap_entry: community.general.ldap_entry:
dn: olcOverlay=syncprov,{{ ldap_database }} dn: olcOverlay=syncprov,{{ ldap_database }}
objectClass: olcSyncProvConfig objectClass: olcSyncProvConfig
attributes: attributes:
@@ -31,15 +31,15 @@
olcSpSessionLog: 200 olcSpSessionLog: 200
- name: configure serverid - name: configure serverid
ldap_attr: community.general.ldap_attrs:
dn: cn=config dn: cn=config
name: olcServerId attributes:
values: "{{ ldap_replication_server_id|default(42) }}" olcServerId: "{{ ldap_replication_server_id|default(42) }}"
- name: add indexes for replication - name: add indexes for replication
ldap_attr: community.general.ldap_attrs:
dn: olcdatabase={2}hdb,cn=config dn: "{{ ldap_database }}"
name: olcDbIndex attributes:
values: olcDbIndex:
- entryUUID eq - entryUUID eq
- entryCSN eq - entryCSN eq

9
templates/ssl.ldif
View File

@@ -3,15 +3,18 @@ changetype: modify
replace: olcTLSCertificateFile replace: olcTLSCertificateFile
olcTLSCertificateFile: {{ ldap_ssl_cert_path }} olcTLSCertificateFile: {{ ldap_ssl_cert_path }}
- -
replace: olcTLSCACertificatePath
olcTLSCACertificatePath: /etc/ssl/certs
-
replace: olcTLSCertificateKeyfile replace: olcTLSCertificateKeyfile
olcTLSCertificateKeyfile: {{ ldap_ssl_key_path }} olcTLSCertificateKeyfile: {{ ldap_ssl_key_path }}
- -
replace: olcTLSCipherSuite replace: olcTLSProtocolMin
olcTLSCipherSuite: TLSv1+RSA:!NULL olcTLSProtocolMin: 3.3
- -
replace: olctlsverifyclient replace: olctlsverifyclient
olctlsverifyclient: never olctlsverifyclient: never
- -
replace: olctlscacertificatefile replace: olctlscacertificatefile
olctlscacertificatefile: {{ ldap_ssl_cacert_path }} olctlscacertificatefile: {{ ldap_ssl_cert_path }}

2
vars/CentOS8.yml
View File

@@ -6,3 +6,5 @@ ldap_service: slapd
ldap_user: ldap ldap_user: ldap
ldap_database: olcDatabase={2}hdb,cn=config ldap_database: olcDatabase={2}hdb,cn=config
ldap_module_dir: /usr/lib64/openldap/ ldap_module_dir: /usr/lib64/openldap/
ldap_daemon_config: /etc/sysconfig/slapd
ldap_daemon_url: SLAPD_URLS

2
vars/Debian.yml
View File

@@ -7,3 +7,5 @@ ldap_packages:
- python3-ldap - python3-ldap
ldap_service: slapd ldap_service: slapd
ldap_user: openldap ldap_user: openldap
ldap_daemon_config: /etc/default/slapd
ldap_daemon_url: SLAPD_SERVICES=