make it work basically on debian

README.md

@@ -29,9 +29,11 @@ defined in vars/main.yml and vars/CentOS.yml
 
   * ldap_domain      - example
   * ldap_domain_ex   - net 
+  * ldap_config_dir  - /etc/openldap (RH) /etc/ldap (Debian)
+  * ldap_database    - olcDatabase={2}hdb,cn=config (RH) / olcDatabase={1}mdb,cn=config (Debian)
   * ldap_suffix      - constructed from variables above example.net
-  * ldap_admin_dn    - cn=manager,{{ ldap_suffix }}
+  * ldap_admin_dn    - cn=manager,{{ ldap_suffix }} - read from keepass ldap_admin
-  * ldap_admin_password - 123Soleil - should be in a vault ...)
+  * ldap_admin_password - 123Soleil - should be in a vault ...) - read from keepass
   * ldap_secret_file - default to /root/.ldap.secret
   * ldap_packages    - liste of packages - should be the only thing to change to
     adapt to other distro

defaults/main.yml

@@ -3,6 +3,7 @@
 ldap_domain: example
 ldap_domain_ext: fr
 ldap_server: ldap://localhost
+ldap_config_dir: /etc/openldap
 ldap_secret_file: /root/.ldap.secret
 ldap_provider_uri: "{{ ansible_fqdn }}"
 ldap_suffix: "dc={{ ldap_domain }},dc={{ ldap_domain_ext }}"
@@ -12,12 +13,10 @@ ldap_replication_provider: false
 ldap_schemas:
  - cosine
 ldap_have_ssl: true
-ldap_ssl_dir: /etc/openldap/certs/
+ldap_ssl_dir: "{{ ldap_config_dir }}/certs/"
 ldap_ssl_cert_path: "{{ ldap_ssl_dir }}/cert.pem"
 ldap_ssl_key_path: "{{ ldap_ssl_dir }}/key.pem"
 ldap_ssl_cacert_path: "{{ ldap_ssl_dir }}/cert.pem"
-ldap_admin_dn: "cn=manager,{{ldap_suffix}}"
-ldap_admin_password: "CHANGEME"
 ldap_auth:
   bind_dn: "{{ ldap_admin_dn }}"
   bind_pw: "{{ ldap_admin_password }}"
@@ -29,10 +28,10 @@ ldap_entries:
     objectClass: olcModuleList
     attributes:
       cn: module
-      olcModulePath: /usr/lib64/openldap/
+      olcModulePath: "{{ ldap_module_dir }}"
       olcModuleLoad: auditlog.la
 
-  - dn: olcOverlay={0}auditlog,olcDatabase={2}hdb,cn=config
+  - dn: "olcOverlay={0}auditlog,{{ ldap_database }}"
     objectClass: 
       - olcOverlayConfig
       - olcAuditLogConfig
@@ -44,10 +43,10 @@ ldap_entries:
     objectClass: olcModuleList
     attributes:
       cn: module
-      olcModulePath: /usr/lib64/openldap/
+      olcModulePath: "{{ ldap_module_dir }}"
       olcModuleLoad: memberof.la
 
-  - dn: olcOverlay={1}memberof,olcDatabase={2}hdb,cn=config
+  - dn: "olcOverlay={1}memberof,{{ ldap_database }}"
     objectClass:
       - olcConfig
       - olcOverlayConfig
@@ -59,10 +58,10 @@ ldap_entries:
     objectClass: olcModuleList
     attributes:
       cn: module
-      olcModulePath: /usr/lib64/openldap/
+      olcModulePath: "{{ ldap_module_dir }}"
       olcModuleLoad: unique.la
 
-  - dn: olcOverlay={2}unique,olcdatabase={2}hdb,cn=config
+  - dn: "olcOverlay={2}unique,{{ ldap_database }}"
     objectClass: 
       - olcOverlayConfig
       - olcUniqueConfig

tasks/import_ldap_schema.yml

@@ -4,6 +4,6 @@
   changed_when: false
 
 - name: import additional schemas
-  command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ schema }}.ldif"
+  command: "ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldap_config_dir }}/schema/{{ schema }}.ldif"
   when: schema not in ldap_schema_list.stdout
 

tasks/main.yml

@@ -1,8 +1,15 @@
 ---
 # tasks file for /etc/ansible/roles/slapd
 
+- name: get admin password from keepass
+  set_fact:
+    ldap_admin_dn: "{{ lookup( 'viczem.keepass.keepass', '{{ group_names[0]}}/{{ inventory_hostname }}_ldap_admin', 'username' ) }}"
+    ldap_admin_password: "{{ lookup( 'viczem.keepass.keepass', '{{ group_names[0]}}/{{ inventory_hostname }}_ldap_admin', 'password' ) }}"
+  tags: always
+
 - name: OS specific vars
   include_vars: "{{ ansible_distribution }}.yml"
+  tags: always
 
 - name: CentOS8 stuff
   block:
@@ -14,6 +21,7 @@
       url:  https://repo.symas.com/configs/SOFL/rhel8/sofl.repo
       dest: /etc/yum.repos.d/sofl.repo
   when: ansible_distribution_major_version == 8 and ansible_distribution =='CentOS'
+  tags: always
 
 - name: install
   package:
@@ -23,7 +31,7 @@
 - name: configure client
   template:
     src: ldap.conf
-    dest: /etc/openldap/ldap.conf
+    dest: "{{ ldap_config_dir }}/"
     mode: 0644
 
 - name: activate service
@@ -32,28 +40,28 @@
     state: started
     enabled: yes
 
-- name: configure main database - admin, suffix, cache, acl
+- name: configure main database - suffix
-  block:
+  community.general.ldap_attrs:
-  - name: remove existing acl
+    dn: "{{ ldap_database }}"
-    ldap_attr:
+    attributes:
-      dn: olcDatabase={2}hdb,cn=config
+      olcSuffix: "{{ ldap_suffix }}"
-      name: olcaccess
+    state: exact
-      values: []
+  tags: wip
-      state: exact
 
-  - name: admin, suffix and cache
+- name: configure main database - admin
-    ldap_attr:
+  community.general.ldap_attrs:
-      dn: olcDatabase={2}hdb,cn=config
+    dn: "{{ ldap_database }}"
-      name: "{{ item.key }}"
+    attributes:
-      values: "{{ item.value }}"
-      state: exact
-    with_dict:
       olcSuffix: "{{ ldap_suffix }}"
       olcRootDN: "{{ ldap_admin_dn }}"
       olcRootPW: "{{ ldap_admin_password }}"
-      olcDbCheckpoint: "{{ ldap_checkpoint }}"
+    state: exact
-      olcDbCacheSize: "{{ ldap_cache_size }}"
+  tags: wip
-      olcDbIDLCacheSize: "{{ ldap_idlcache_size }}"
+
+- name: configure main database - acl
+  community.general.ldap_attrs:
+    dn: "{{ ldap_database }}"
+    attributes:
       olcAccess:
         - >-
           {0}to attrs=userPassword,mail
@@ -64,37 +72,32 @@
           {1}to dn.sub={{ ldap_suffix }}
           by users read
           by * none
-    ignore_errors: true
-
-  - name: remove existing indexes
-    ldap_attr:
-      dn: olcDatabase={2}hdb,cn=config
-      values: []
-      name: olcDbIndex
-      state: exact
-
-  - name: add indexes
-    ldap_attr:
-      dn: olcDatabase={2}hdb,cn=config
-      name: "olcDbIndex"
-      values: "{{ item }}"
-    loop:
-      - objectClass pres,eq
-      - uid,mail eq
-
-- name: reconfigure slapd - access to cn=config and cn=monitor
-  ldap_attr:
-    dn: "{{ item }}"
-    name: olcAccess
-    values:
-      >-
-      to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
-      by dn.base={{ ldap_admin_dn }}  manage
-      by * none
     state: exact
-  loop:
+    ordered: true
-  - olcDatabase={0}config,cn=config
+  tags: wip
-  - olcDatabase={1}monitor,cn=config
+
+- name: reconfigure slapd - access to cn=config
+  ldap_attrs:
+    dn: olcDatabase={0}config,cn=config
+    attributes:
+      olcAccess:
+      - >-
+        to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+        by dn.base={{ ldap_admin_dn }}  manage
+        by * none
+    state: exact
+
+- name: reconfigure slapd - access to cn=monitor
+  ldap_attrs:
+    dn: olcDatabase={1}monitor,cn=config
+    attributes:
+      olcAccess:
+      - >-
+        to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+        by dn.base={{ ldap_admin_dn }}  manage
+        by * none
+    state: exact
+  when: ansible_os_family == 'RedHat'
 
 - name: load additionnal schema
   include_tasks: import_ldap_schema.yml
@@ -169,7 +172,7 @@
       dest: /root/
 
   - name: import ldif
-    command: ldapmodify  -c -Y EXTERNAL -H ldapi:/// -f /root/ssl.ldif
+    command: ldapmodify  -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }}  -f /root/ssl.ldif
 
   - name: configure url
     lineinfile:

tasks/replication_consumer.yml

@@ -1,7 +1,7 @@
 ---
 - name: add synrepl entry
   ldap_attr:
-    dn: olcDatabase={2}hdb,cn=config
+    dn: "{{ ldap_database }}"
     name: "{{ item.name }}"
     values: "{{ item.value }}"
   loop:

tasks/replication_provider.yml

@@ -23,7 +23,7 @@
 
 - name: add syncprov overlay config
   ldap_entry:
-    dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
+    dn: olcOverlay=syncprov,{{ ldap_database }}
     objectClass: olcSyncProvConfig
     attributes:
       olcOverlay: syncprov

templates/change_suffix_and_dit_admin.ldif

@@ -1,4 +1,4 @@
-dn: olcDatabase={2}hdb,cn=config
+dn: {{ ldap_database }}
 changetype: modify
 replace: olcsuffix
 olcsuffix: {{ ldap_suffix }}

vars/CentOS8.yml

@@ -4,3 +4,5 @@ ldap_packages:
   - python3-ldap.x86_64
 ldap_service: slapd
 ldap_user: ldap
+ldap_database: olcDatabase={2}hdb,cn=config
+ldap_module_dir: /usr/lib64/openldap/

vars/Debian.yml

@@ -1,9 +1,9 @@
-ldap_database: 'olcdatabase={1}mdb'
+ldap_database: olcdatabase={1}mdb,cn=config
-ldap_config_dir: /etc/ldap
+ldap_config_dir: /etc/ldap/
+ldap_module_dir: /usr/lib/ldap/
 ldap_packages:
   - slapd
   - ldap-utils
-
+  - python3-ldap
-  - python-ldap
 ldap_service: slapd
 ldap_user: openldap