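---
# tasks file for /etc/ansible/roles/slapd
#
# Variables read here come from the role defaults / the per-distribution var
# files loaded below: ldap_packages, ldap_config_dir, ldap_service,
# ldap_database, ldap_suffix, ldap_domain, ldap_schemas, ldap_secret_file,
# ldap_user, ldap_replication_provider, ldap_replication_consumer,
# ldap_have_ssl; ldap_ldif_files and ldap_entries are optional.

- name: get admin password from keepass
  # Only consulted when the caller did not supply the credentials itself.
  # The KeePass entry path is built with string concatenation rather than
  # nested "{{ }}" moustaches, which Ansible no longer templates reliably.
  # no_log keeps the root password out of verbose/callback output.
  ansible.builtin.set_fact:
    ldap_admin_dn: "{{ lookup('viczem.keepass.keepass', group_names[0] ~ '/' ~ inventory_hostname ~ '_ldap_admin', 'username') }}"
    ldap_admin_password: "{{ lookup('viczem.keepass.keepass', group_names[0] ~ '/' ~ inventory_hostname ~ '_ldap_admin', 'password') }}"
  no_log: true
  tags: always
  when: ldap_admin_dn is not defined or ldap_admin_password is not defined

- name: OS specific vars
  ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
  tags: always

- name: CentOS8 stuff
  block:
    - name: CentOS 8 specific vars
      ansible.builtin.include_vars: CentOS8.yml

    - name: configure Symas repo for CentOS8
      ansible.builtin.get_url:
        url: https://repo.symas.com/configs/SOFL/rhel8/sofl.repo
        dest: /etc/yum.repos.d/sofl.repo
        mode: "0644"
  # ansible_distribution_major_version is a string fact; comparing it with the
  # integer 8 never matches, so the block used to be skipped silently.
  when: ansible_distribution_major_version == '8' and ansible_distribution == 'CentOS'
  tags: always

- name: install
  ansible.builtin.package:
    name: "{{ ldap_packages }}"
    state: present

- name: configure client
  ansible.builtin.template:
    src: ldap.conf
    dest: "{{ ldap_config_dir }}/"
    mode: "0644"

- name: activate service
  ansible.builtin.service:
    name: "{{ ldap_service }}"
    state: started
    enabled: true

- name: configure main database - suffix
  community.general.ldap_attrs:
    dn: "{{ ldap_database }}"
    attributes:
      olcSuffix: "{{ ldap_suffix }}"
    state: exact

- name: configure main database - admin
  # olcRootPW carries the admin password; hide the task output.
  community.general.ldap_attrs:
    dn: "{{ ldap_database }}"
    attributes:
      olcSuffix: "{{ ldap_suffix }}"
      olcRootDN: "{{ ldap_admin_dn }}"
      olcRootPW: "{{ ldap_admin_password }}"
    state: exact
  no_log: true

- name: configure main database - acl
  # Order matters for olcAccess: first matching rule wins, hence ordered: true.
  community.general.ldap_attrs:
    dn: "{{ ldap_database }}"
    attributes:
      olcAccess:
        - >-
          {0}to attrs=userPassword,mail
          by self write
          by anonymous auth
          by * none
        - >-
          {1}to dn.sub={{ ldap_suffix }}
          by users read
          by * none
    state: exact
    ordered: true

- name: reconfigure slapd - access to cn=config
  # Local root (via ldapi/EXTERNAL) and the admin DN keep full access to
  # cn=config; everyone else is denied.
  community.general.ldap_attrs:
    dn: olcDatabase={0}config,cn=config
    attributes:
      olcAccess:
        - >-
          to *
          by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
          by dn.base={{ ldap_admin_dn }} manage
          by * none
    state: exact

- name: reconfigure slapd - access to cn=monitor
  community.general.ldap_attrs:
    dn: olcDatabase={1}monitor,cn=config
    attributes:
      olcAccess:
        - >-
          to *
          by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
          by dn.base={{ ldap_admin_dn }} manage
          by * none
    state: exact
  when: ansible_os_family == 'RedHat'

- name: load additionnal schema
  ansible.builtin.include_tasks: import_ldap_schema.yml
  loop: "{{ ldap_schemas }}"
  loop_control:
    loop_var: schema

- name: create suffix
  community.general.ldap_entry:
    server_uri: ldap://localhost
    bind_dn: "{{ ldap_admin_dn }}"
    bind_pw: "{{ ldap_admin_password }}"
    dn: "{{ ldap_suffix }}"
    objectClass: domain
    attributes:
      dc: "{{ ldap_domain }}"

- name: create passwd file
  # Password file consumed by ldapadd/ldapmodify -y below; root-only and
  # never shown in task output or --diff.
  ansible.builtin.copy:
    dest: "{{ ldap_secret_file }}"
    mode: "0600"
    content: "{{ ldap_admin_password }}"
  no_log: true

- name: import data
  block:
    - name: create initial directory
      ansible.builtin.file:
        path: /root/Ldif
        state: directory
        mode: "0700"

    - name: send ldif files
      ansible.builtin.template:
        src: "{{ item }}"
        dest: /root/Ldif/
        mode: "0600"
      loop: "{{ ldap_ldif_files }}"

    - name: get list of ldif files
      ansible.builtin.find:
        paths: /root/Ldif
        patterns: "*.ldif"
        file_type: file
      register: ldif_list

    - name: import ldif files
      # `quote` keeps a DN or path containing spaces as a single argument
      # when the command module splits the string. `-c` continues past
      # entries that already exist, and ignore_errors keeps the play going
      # when ldapadd exits non-zero because of them.
      ansible.builtin.command: >-
        ldapadd -c -y {{ ldap_secret_file | quote }}
        -xD {{ ldap_admin_dn | quote }} -f {{ item.path | quote }}
      loop: "{{ ldif_list.files }}"
      loop_control:
        label: "{{ item.path }}"
      ignore_errors: true
  when: ldap_ldif_files is defined

- name: configure replication provider
  ansible.builtin.include_tasks: replication_provider.yml
  when: ldap_replication_provider

- name: configure replication consumer
  ansible.builtin.include_tasks: replication_consumer.yml
  when: ldap_replication_consumer

# cannot use ldap_entry module because attr olcTLS* don't have equality matching
# rules ...
# instead send ldif and process ...
- name: configure ssl
  tags: ssl
  block:
    - name: send ldif file
      ansible.builtin.template:
        src: ssl.ldif
        dest: /root/

    - name: import ldif
      ansible.builtin.command: >-
        ldapmodify -c -y {{ ldap_secret_file | quote }}
        -xD {{ ldap_admin_dn | quote }} -f /root/ssl.ldif

    - name: configure url - Debian
      when: ansible_os_family == 'Debian'
      ansible.builtin.lineinfile:
        path: /etc/default/slapd
        regexp: '^SLAPD_SERVICES="ldap:/// ldapi:///"'
        line: 'SLAPD_SERVICES="ldapi:/// ldap:/// ldaps:///"'
        state: present
      notify: restart_slapd

    - name: configure url - RH
      when: ansible_os_family == 'RedHat'
      ansible.builtin.lineinfile:
        path: /etc/sysconfig/slapd
        regexp: '^SLAPD_URLS="ldapi:/// ldap:///"'
        line: 'SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"'
        state: present
      notify: restart_slapd

    - name: remove ldif
      ansible.builtin.file:
        path: /root/ssl.ldif
        state: absent
  when: ldap_have_ssl

- name: configure ldap aliases - 0/1
  tags: shell
  ansible.builtin.template:
    src: ldap_aliases.sh
    dest: /root/.ldap_aliases.sh

- name: configure ldap aliases - 1/1
  tags: shell
  ansible.builtin.lineinfile:
    path: /root/.bashrc
    create: true
    line: source /root/.ldap_aliases.sh

- name: add some entries
  community.general.ldap_entry:
    dn: "{{ item.dn }}"
    objectClass: "{{ item.objectClass }}"
    attributes: "{{ item.attributes }}"
    state: present
  loop: "{{ ldap_entries }}"
  when: ldap_entries is defined
  ignore_errors: true

- name: touch /var/log/ldapaudit.log
  # Preserving the timestamps makes the touch idempotent instead of
  # reporting "changed" on every run. The audit log records directory
  # modifications, so it is readable by the slapd user only.
  ansible.builtin.file:
    path: /var/log/ldapaudit.log
    owner: "{{ ldap_user }}"
    group: "{{ ldap_user }}"
    mode: "0600"
    state: touch
    modification_time: preserve
    access_time: preserve
  tags: auditlog

- name: rotate /var/log/ldapaudit.log
  tags: auditlog
  ansible.builtin.template:
    src: logrotate_auditlog
    dest: /etc/logrotate.d/
    mode: "0644"

- name: setup backup
  ansible.builtin.import_tasks: backup.yml
  tags: backup_ldap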