make it work basically on debian

2024-02-06 12:10:08 +01:00
parent 4a829ed81a
commit c26cb5f4ac
9 changed files with 75 additions and 69 deletions
--- a/tasks/import_ldap_schema.yml
+++ b/tasks/import_ldap_schema.yml
@@ -4,6 +4,6 @@
  changed_when: false

 - name: import additional schemas
-  command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ schema }}.ldif"
+  command: "ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldap_config_dir }}/schema/{{ schema }}.ldif"
  when: schema not in ldap_schema_list.stdout

--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,8 +1,15 @@
 ---
 # tasks file for /etc/ansible/roles/slapd

+- name: get admin password from keepass
+  set_fact:
+    ldap_admin_dn: "{{ lookup( 'viczem.keepass.keepass', '{{ group_names[0]}}/{{ inventory_hostname }}_ldap_admin', 'username' ) }}"
+    ldap_admin_password: "{{ lookup( 'viczem.keepass.keepass', '{{ group_names[0]}}/{{ inventory_hostname }}_ldap_admin', 'password' ) }}"
+  tags: always
+
 - name: OS specific vars
  include_vars: "{{ ansible_distribution }}.yml"
+  tags: always

 - name: CentOS8 stuff
  block:
@@ -14,6 +21,7 @@
      url:  https://repo.symas.com/configs/SOFL/rhel8/sofl.repo
      dest: /etc/yum.repos.d/sofl.repo
  when: ansible_distribution_major_version == 8 and ansible_distribution =='CentOS'
+  tags: always

 - name: install
  package:
@@ -23,7 +31,7 @@
 - name: configure client
  template:
    src: ldap.conf
-    dest: /etc/openldap/ldap.conf
+    dest: "{{ ldap_config_dir }}/"
    mode: 0644

 - name: activate service
@@ -32,28 +40,28 @@
    state: started
    enabled: yes

- name: configure main database - admin, suffix, cache, acl
-  block:
-  - name: remove existing acl
-    ldap_attr:
-      dn: olcDatabase={2}hdb,cn=config
-      name: olcaccess
-      values: []
-      state: exact
+- name: configure main database - suffix
+  community.general.ldap_attrs:
+    dn: "{{ ldap_database }}"
+    attributes:
+      olcSuffix: "{{ ldap_suffix }}"
+    state: exact
+  tags: wip

-  - name: admin, suffix and cache
-    ldap_attr:
-      dn: olcDatabase={2}hdb,cn=config
-      name: "{{ item.key }}"
-      values: "{{ item.value }}"
-      state: exact
-    with_dict:
+- name: configure main database - admin
+  community.general.ldap_attrs:
+    dn: "{{ ldap_database }}"
+    attributes:
      olcSuffix: "{{ ldap_suffix }}"
      olcRootDN: "{{ ldap_admin_dn }}"
      olcRootPW: "{{ ldap_admin_password }}"
-      olcDbCheckpoint: "{{ ldap_checkpoint }}"
-      olcDbCacheSize: "{{ ldap_cache_size }}"
-      olcDbIDLCacheSize: "{{ ldap_idlcache_size }}"
+    state: exact
+  tags: wip
+
+- name: configure main database - acl
+  community.general.ldap_attrs:
+    dn: "{{ ldap_database }}"
+    attributes:
      olcAccess:
        - >-
          {0}to attrs=userPassword,mail
@@ -64,37 +72,32 @@
          {1}to dn.sub={{ ldap_suffix }}
          by users read
          by * none
-    ignore_errors: true
-
-  - name: remove existing indexes
-    ldap_attr:
-      dn: olcDatabase={2}hdb,cn=config
-      values: []
-      name: olcDbIndex
-      state: exact
-
-  - name: add indexes
-    ldap_attr:
-      dn: olcDatabase={2}hdb,cn=config
-      name: "olcDbIndex"
-      values: "{{ item }}"
-    loop:
-      - objectClass pres,eq
-      - uid,mail eq
-
- name: reconfigure slapd - access to cn=config and cn=monitor
-  ldap_attr:
-    dn: "{{ item }}"
-    name: olcAccess
-    values:
-      >-
-      to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
-      by dn.base={{ ldap_admin_dn }}  manage
-      by * none
    state: exact
-  loop:
-  - olcDatabase={0}config,cn=config
-  - olcDatabase={1}monitor,cn=config
+    ordered: true
+  tags: wip
+
+- name: reconfigure slapd - access to cn=config
+  ldap_attrs:
+    dn: olcDatabase={0}config,cn=config
+    attributes:
+      olcAccess:
+      - >-
+        to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+        by dn.base={{ ldap_admin_dn }}  manage
+        by * none
+    state: exact
+
+- name: reconfigure slapd - access to cn=monitor
+  ldap_attrs:
+    dn: olcDatabase={1}monitor,cn=config
+    attributes:
+      olcAccess:
+      - >-
+        to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+        by dn.base={{ ldap_admin_dn }}  manage
+        by * none
+    state: exact
+  when: ansible_os_family == 'RedHat'

 - name: load additionnal schema
  include_tasks: import_ldap_schema.yml
@@ -169,7 +172,7 @@
      dest: /root/

  - name: import ldif
-    command: ldapmodify  -c -Y EXTERNAL -H ldapi:/// -f /root/ssl.ldif
+    command: ldapmodify  -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }}  -f /root/ssl.ldif

  - name: configure url
    lineinfile:
--- a/tasks/replication_consumer.yml
+++ b/tasks/replication_consumer.yml
@@ -1,7 +1,7 @@
 ---
 - name: add synrepl entry
  ldap_attr:
-    dn: olcDatabase={2}hdb,cn=config
+    dn: "{{ ldap_database }}"
    name: "{{ item.name }}"
    values: "{{ item.value }}"
  loop:
--- a/tasks/replication_provider.yml
+++ b/tasks/replication_provider.yml
@@ -23,7 +23,7 @@

 - name: add syncprov overlay config
  ldap_entry:
-    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
+    dn: olcOverlay=syncprov,{{ ldap_database }}
    objectClass: olcSyncProvConfig
    attributes:
      olcOverlay: syncprov