Implement LDAP server role.
This commit is contained in:
Andreas B. Mundt
parent
b3b8d3d342
commit
0597d178e0
4 changed files with 156 additions and 0 deletions
14
mainserver.yml
Normal file
14
mainserver.yml
Normal file
|
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
# This playbook deploys the mainserver
|
||||
|
||||
- name: apply configuration to the mainserver
|
||||
hosts: all
|
||||
remote_user: andi
|
||||
become: yes
|
||||
vars:
|
||||
foo_pwd: 123
|
||||
|
||||
roles:
|
||||
- ldap
|
||||
# - krb5-kdc-ldap
|
||||
|
||||
4
roles/ldap/defaults/main.yml
Normal file
4
roles/ldap/defaults/main.yml
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd length=24') }}"
|
||||
ldap_pwd_file: "/root/ldap-admin.pwd"
|
||||
ldap_domain: "{{ ansible_domain | default('intern', true) }}"
|
||||
basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
|
||||
28
roles/ldap/files/slapd-config.ldif
Normal file
28
roles/ldap/files/slapd-config.ldif
Normal file
|
|
@ -0,0 +1,28 @@
|
|||
#### LDAP Overlays slapd ####
|
||||
#### Attribute Uniqueness ####
|
||||
|
||||
dn: cn=module,cn=config
|
||||
objectClass: olcModuleList
|
||||
cn: module
|
||||
olcModulePath: /usr/lib/ldap
|
||||
olcModuleLoad: unique
|
||||
|
||||
dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
|
||||
objectClass: olcOverlayConfig
|
||||
objectClass: olcUniqueConfig
|
||||
olcOverlay: unique
|
||||
olcUniqueAttribute: uid uidNumber mail
|
||||
|
||||
|
||||
#### Password Hashing ####
|
||||
|
||||
dn: cn=module,cn=config
|
||||
objectClass: olcModuleList
|
||||
cn: module
|
||||
olcModuleLoad: ppolicy
|
||||
|
||||
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
|
||||
objectClass: olcOverlayConfig
|
||||
objectClass: olcPPolicyConfig
|
||||
olcOverlay: ppolicy
|
||||
olcPPolicyHashCleartext: TRUE
|
||||
110
roles/ldap/tasks/main.yml
Normal file
110
roles/ldap/tasks/main.yml
Normal file
|
|
@ -0,0 +1,110 @@
|
|||
## Install and configure slapd (if not done yet),
|
||||
## run most tasks only on slapd installation.
|
||||
---
|
||||
|
||||
- name: check if slapd is already there
|
||||
stat: path=/usr/sbin/slapd
|
||||
register: slapd
|
||||
|
||||
- name: preseed ldap domain
|
||||
debconf:
|
||||
name: slapd
|
||||
question: slapd/domain
|
||||
value: "{{ ldap_domain }}"
|
||||
vtype: string
|
||||
when: not slapd.stat.exists
|
||||
|
||||
- name: preseed slapd admin password1
|
||||
debconf:
|
||||
name: slapd
|
||||
question: slapd/password1
|
||||
value: "{{ ldap_admin_pwd }}"
|
||||
vtype: password
|
||||
no_log: true
|
||||
when: not slapd.stat.exists
|
||||
|
||||
- name: preseed slapd admin password2
|
||||
debconf:
|
||||
name: slapd
|
||||
question: slapd/password2
|
||||
value: "{{ ldap_admin_pwd }}"
|
||||
vtype: password
|
||||
no_log: true
|
||||
when: not slapd.stat.exists
|
||||
|
||||
- name: dump admin password
|
||||
shell: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_pwd_file }}" ; chmod 0600 "{{ ldap_pwd_file }}"
|
||||
no_log: true
|
||||
when: not slapd.stat.exists
|
||||
|
||||
- name: install slapd and python-ldap
|
||||
apt:
|
||||
name:
|
||||
- slapd
|
||||
- python-ldap
|
||||
state: latest
|
||||
|
||||
- name: make initial slapd configuration available
|
||||
copy:
|
||||
src: slapd-config.ldif
|
||||
dest: /etc/ldap/slapd.d/slapd-config.ldif
|
||||
when: not slapd.stat.exists
|
||||
|
||||
- name: activate ppolicy schema
|
||||
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
|
||||
when: not slapd.stat.exists
|
||||
|
||||
- name: initialize slapd if it has just been installed
|
||||
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif
|
||||
when: not slapd.stat.exists
|
||||
|
||||
|
||||
#######################################################################################
|
||||
|
||||
## Prepare user directories
|
||||
- name: make sure we have a people entry for users
|
||||
ldap_entry:
|
||||
dn: "ou=people,{{ basedn }}"
|
||||
objectClass: organizationalUnit
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd }}"
|
||||
|
||||
- name: make sure we have a group entry for users
|
||||
ldap_entry:
|
||||
dn: "ou=groups,{{ basedn }}"
|
||||
objectClass: organizationalUnit
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd }}"
|
||||
|
||||
|
||||
## Add user
|
||||
- name: add dummy user foo
|
||||
ldap_entry:
|
||||
dn: "uid=foo,ou=people,{{ basedn }}"
|
||||
objectClass:
|
||||
- inetOrgPerson
|
||||
- posixAccount
|
||||
attributes:
|
||||
cn: foo
|
||||
sn: bar
|
||||
userPassword: "{{ foo_pwd }}"
|
||||
uidNumber: 10000
|
||||
gidNumber: 10000
|
||||
homeDirectory: /home/foo
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd }}"
|
||||
when: foo_pwd is defined
|
||||
|
||||
- name: add dummy group foo
|
||||
ldap_entry:
|
||||
dn: "cn=foo,ou=groups,{{ basedn }}"
|
||||
objectClass:
|
||||
- posixGroup
|
||||
attributes:
|
||||
gidNumber: 10000
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd }}"
|
||||
when: foo_pwd is defined
|
||||
|
||||
## ldapaddgroup tom
|
||||
## ldapadduser tom tom
|
||||
Loading…
Add table
Reference in a new issue