slapd:

- adaptat to centos8 (wip)
 - paraméterize cache and checkpoint setting

README.md

@@ -3,6 +3,21 @@ Role Name
 
 install openldap servers on CentOS - should work on RH too
 
+TODO
+----
+
+make it work on CentOS8:
+difier form_slapd/vars/CentOS.yml : 
+ldap_packages:
+  - symas-openldap-servers
+  - symas-openldap-clients
+  - python3-ldap.x86_64
+ldap_service: slapd
+ldap_user: ldap
+
+dans form_slapd/templates/change_suffix_and_dit_admin.ldif remplacer hdb par mdb ligne 1
+
+dans form_slapd/tasks/main.yml remplacer hdb par mdb ligne 26
 Requirements
 ------------
 
@@ -30,6 +45,9 @@ defined in vars/main.yml and vars/CentOS.yml
   - ldap_replication_provider_uri - ldap uri of provider server
   * ldap_have_ssl    - boolean - wether we use ssl or not
   * ldap_ssl_dir     - directory where certificates will be stored
+  * ldap_cache_size: 3000
+  * ldap_idlcache_size: 60001024 30
+  * ldap_checkpoint: 1024 30
   * ldap_ssl_cert_path - {{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem
   * ldap_ssl_cacert_path - {{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem
   * ldap_ssl_key_path - {{ ldap_ssl_dir }}/{{ ansible_fqdn }}_privkey.pem

defaults/main.yml

@@ -2,19 +2,25 @@
 # defaults file for /etc/ansible/roles/slapd
 ldap_domain: example
 ldap_domain_ext: fr
+ldap_server: ldap://localhost
 ldap_secret_file: /root/.ldap.secret
 ldap_provider_uri: "{{ ansible_fqdn }}"
-ldap_suffix: "{{ ldap_domain }},{{ ldap_domain_ext }}"
+ldap_suffix: "dc={{ ldap_domain }},dc={{ ldap_domain_ext }}"
 import_data: false
+ldap_replication_consumer: false
+ldap_replication_provider: false
 ldap_schemas:
  - cosine
 ldap_have_ssl: true
-ldap_ssl_dir: /etc/openldap/certs
+ldap_ssl_dir: /etc/openldap/certs/
-ldap_ssl_cert_path: "{{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem"
+ldap_ssl_cert_path: "{{ ldap_ssl_dir }}/cert.pem"
-ldap_ssl_key_path: "{{ ldap_ssl_dir }}/{{ ansible_fqdn }}_privkey.pem"
+ldap_ssl_key_path: "{{ ldap_ssl_dir }}/key.pem"
-ldap_ssl_cacert_path: "{{ ldap_ssl_dir }}/{{ ansible_fqdn }}_fullchain.pem"
+ldap_ssl_cacert_path: "{{ ldap_ssl_dir }}/cert.pem"
 ldap_admin_dn: "cn=manager,{{ldap_suffix}}"
 ldap_admin_password: "CHANGEME"
 ldap_auth:
   bind_dn: "{{ ldap_admin_dn }}"
   bind_pw: "{{ ldap_admin_password }}"
+ldap_cache_size: 3000
+ldap_idlcache_size: 6000
+ldap_checkpoint: 1024 30

tasks/main.yml

@@ -4,6 +4,17 @@
 - name: OS specific vars
   include_vars: "{{ ansible_distribution }}.yml"
 
+- name: CentOS8 stuff
+  block:
+  - name: CentOS 8 specific vars
+    include_vars: CentOS8.yml
+
+  - name: configure Symas repo for CentOS8
+    get_url:
+      url:  https://repo.symas.com/configs/SOFL/rhel8/sofl.repo
+      dest: /etc/yum.repos.d/sofl.repo
+  when: ansible_distribution_major_version == 8 and ansible_distribution =='CentOS'
+
 - name: install
   package:
     name: "{{ ldap_packages }}"
@@ -21,20 +32,55 @@
     state: started
     enabled: yes
 
-- name: configure main database - admin, suffix and cache
+- name: configure main database - admin, suffix, cache, acl
-  ldap_attr:
+  block:
-    dn: olcDatabase={2}hdb,cn=config
+  - name: remove existing acl
-    name: "{{ item.key }}"
+    ldap_attr:
-    values: "{{ item.value }}"
+      dn: olcDatabase={2}hdb,cn=config
-    state: exact
+      name: olcaccess
-  with_dict:
+      values: []
-    olcSuffix: "{{ ldap_suffix }}"
+      state: exact
-    olcRootDN: "{{ ldap_admin_dn }}"
+
-    olcRootPW: "{{ ldap_admin_password }}"
+  - name: admin, suffix and cache
-    olcDbCheckpoint: "1024 30"
+    ldap_attr:
-    olcDbCacheSize: 3000
+      dn: olcDatabase={2}hdb,cn=config
-    olcDbIDLCacheSize: 9000
+      name: "{{ item.key }}"
-  ignore_errors: true
+      values: "{{ item.value }}"
+      state: exact
+    with_dict:
+      olcSuffix: "{{ ldap_suffix }}"
+      olcRootDN: "{{ ldap_admin_dn }}"
+      olcRootPW: "{{ ldap_admin_password }}"
+      olcDbCheckpoint: "{{ ldap_checkpoint }}"
+      olcDbCacheSize: "{{ ldap_cache_size }}"
+      olcDbIDLCacheSize: "{{ ldap_idlcache_size }}"
+      olcAccess:
+        - >-
+          {0}to attrs=userPassword,mail
+          by self write
+          by anonymous auth
+          by * none
+        - >-
+          {1}to dn.sub={{ ldap_suffix }}
+          by users read
+          by * none
+    ignore_errors: true
+
+  - name: remove existing indexes
+    ldap_attr:
+      dn: olcDatabase={2}hdb,cn=config
+      values: []
+      name: olcDbIndex
+      state: exact
+
+  - name: add indexes
+    ldap_attr:
+      dn: olcDatabase={2}hdb,cn=config
+      name: "olcDbIndex"
+      values: "{{ item }}"
+    loop:
+      - objectClass pres,eq
+      - uid,mail eq
 
 - name: reconfigure slapd - access to cn=config and cn=monitor
   ldap_attr:
@@ -108,16 +154,6 @@
   include_tasks: replication_consumer.yml
   when: ldap_replication_consumer
 
-- name: open firewall
-  firewalld:
-    service: "{{ item }}"
-    permanent: yes
-    immediate: yes
-    state: enabled
-  loop:
-     - ldap
-     - ldaps
-
 # cannot use ldap_entry module because attr olcTLS* don't have equality matching
 # rules ...
 # instead send ldif and process ...

vars/CentOS8.yml

@@ -0,0 +1,6 @@
+ldap_packages:
+  - symas-openldap-servers
+  - symas-openldap-clients
+  - python3-ldap.x86_64
+ldap_service: slapd
+ldap_user: ldap