From 0597d178e06c6ee0c94e45ac8a2a3d17b04b1397 Mon Sep 17 00:00:00 2001
From: "Andreas B. Mundt"
Date: Sun, 17 Nov 2019 11:31:55 +0100
Subject: [PATCH] Implement LDAP server role.
---
 mainserver.yml | 14 ++++
 roles/ldap/defaults/main.yml | 4 ++
 roles/ldap/files/slapd-config.ldif | 28 ++++++++
 roles/ldap/tasks/main.yml | 110 +++++++++++++++++++++++++++++
 4 files changed, 156 insertions(+)
 create mode 100644 mainserver.yml
 create mode 100644 roles/ldap/defaults/main.yml
 create mode 100644 roles/ldap/files/slapd-config.ldif
 create mode 100644 roles/ldap/tasks/main.yml
diff --git a/mainserver.yml b/mainserver.yml
new file mode 100644
index 0000000..88a1401
--- /dev/null
+++ b/mainserver.yml
@@ -0,0 +1,14 @@
+---
+# This playbook deploys the mainserver
+
+- name: apply configuration to the mainserver
+ hosts: all
+ remote_user: andi
+ become: yes
+ vars:
+ foo_pwd: 123
+
+ roles:
+ - ldap
+# - krb5-kdc-ldap
+
diff --git a/roles/ldap/defaults/main.yml b/roles/ldap/defaults/main.yml
new file mode 100644
index 0000000..8c16cfc
--- /dev/null
+++ b/roles/ldap/defaults/main.yml
@@ -0,0 +1,4 @@
+ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd length=24') }}"
+ldap_pwd_file: "/root/ldap-admin.pwd"
+ldap_domain: "{{ ansible_domain | default('intern', true) }}"
+basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
diff --git a/roles/ldap/files/slapd-config.ldif b/roles/ldap/files/slapd-config.ldif
new file mode 100644
index 0000000..4770d3b
--- /dev/null
+++ b/roles/ldap/files/slapd-config.ldif
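Review bot: `foo_pwd: 123` in the play's `vars:` is a cleartext credential committed with the playbook, and unquoted it is parsed as an integer, so the value the ldap role later hands to `userPassword` is an int rendered back to text. If it is meant as a throwaway value for the dummy account, quote it (`foo_pwd: "123"`) and keep it out of the tracked playbook, for example through `vars_prompt` or a vault-encrypted vars file. `become: yes` should be written `become: true`; the YAML 1.1 form is what yamllint's truthy rule flags.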
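Review bot: The `basedn` default on the last line of the hunk uses Jinja's `replace` filter, which substitutes a literal substring, so `replace('^.','')` and `replace('.$','')` never match and a leading or trailing dot in `ldap_domain` would yield an empty `dc=` component; `regex_replace` is the filter that takes a pattern, e.g. `basedn: "{{ 'dc=' + (ldap_domain | regex_replace('^\\.|\\.$', '') | replace('.', ',dc=')) }}"`. The `password` lookup on the first line keeps the generated admin password at a fixed path under `/tmp` on the controller; if that directory is cleaned, the next run generates a new password that no longer matches the one slapd was preseeded with, and the copy saved on the target in `ldap_pwd_file` is never read back. Keeping the lookup file in a persistent, protected location (for instance alongside the playbook but excluded from version control) avoids that drift.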
@@ -0,0 +1,28 @@
+#### LDAP Overlays slapd ####
+#### Attribute Uniqueness ####
+
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: unique
+
+dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcUniqueConfig
+olcOverlay: unique
+olcUniqueAttribute: uid uidNumber mail
+
+
+#### Password Hashing ####
+
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModuleLoad: ppolicy
+
+dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: ppolicy
+olcPPolicyHashCleartext: TRUE
diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml
new file mode 100644
index 0000000..a775111
--- /dev/null
+++ b/roles/ldap/tasks/main.yml
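Review bot: The ppolicy overlay entry at the end of the hunk only sets `olcPPolicyHashCleartext: TRUE`, so plaintext `userPassword` values are hashed on write, but no `olcPPolicyDefault` points at a policy entry, so nothing in this LDIF enforces lockout, minimum length or ageing; if that is intentional, a comment above the entry such as `# hashing only: no default pwdPolicy entry is configured` would stop a reader from assuming a policy is in force. The hash scheme is not pinned here either, so it falls back to the server's `olcPasswordHash` default; setting it explicitly on the frontend database would document the scheme in use. The second `dn: cn=module,cn=config` entry appears to rely on cn=config renaming the duplicate RDN; loading both modules from the first entry with two `olcModuleLoad` values would avoid that.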
@@ -0,0 +1,110 @@
+## Install and configure slapd (if not done yet),
+## run most tasks only on slapd installation.
+---
+
+- name: check if slapd is already there
+ stat: path=/usr/sbin/slapd
+ register: slapd
+
+- name: preseed ldap domain
+ debconf:
+ name: slapd
+ question: slapd/domain
+ value: "{{ ldap_domain }}"
+ vtype: string
+ when: not slapd.stat.exists
+
+- name: preseed slapd admin password1
+ debconf:
+ name: slapd
+ question: slapd/password1
+ value: "{{ ldap_admin_pwd }}"
+ vtype: password
+ no_log: true
+ when: not slapd.stat.exists
+
+- name: preseed slapd admin password2
+ debconf:
+ name: slapd
+ question: slapd/password2
+ value: "{{ ldap_admin_pwd }}"
+ vtype: password
+ no_log: true
+ when: not slapd.stat.exists
+
+- name: dump admin password
+ shell: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_pwd_file }}" ; chmod 0600 "{{ ldap_pwd_file }}"
+ no_log: true
+ when: not slapd.stat.exists
+
+- name: install slapd and python-ldap
+ apt:
+ name:
+ - slapd
+ - python-ldap
+ state: latest
+
+- name: make initial slapd configuration available
+ copy:
+ src: slapd-config.ldif
+ dest: /etc/ldap/slapd.d/slapd-config.ldif
+ when: not slapd.stat.exists
+
+- name: activate ppolicy schema
+ command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
+ when: not slapd.stat.exists
+
+- name: initialize slapd if it has just been installed
+ command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif
+ when: not slapd.stat.exists
+
+
+#######################################################################################
+
+## Prepare user directories
+- name: make sure we have a people entry for users
+ ldap_entry:
+ dn: "ou=people,{{ basedn }}"
+ objectClass: organizationalUnit
+ bind_dn: "cn=admin,{{ basedn }}"
+ bind_pw: "{{ ldap_admin_pwd }}"
+
+- name: make sure we have a group entry for users
+ ldap_entry:
+ dn: "ou=groups,{{ basedn }}"
+ objectClass: organizationalUnit
+ bind_dn: "cn=admin,{{ basedn }}"
+ bind_pw: "{{ ldap_admin_pwd }}"
+
+
+## Add user
+- name: add dummy user foo
+ ldap_entry:
+ dn: "uid=foo,ou=people,{{ basedn }}"
+ objectClass:
+ - inetOrgPerson
+ - posixAccount
+ attributes:
+ cn: foo
+ sn: bar
+ userPassword: "{{ foo_pwd }}"
+ uidNumber: 10000
+ gidNumber: 10000
+ homeDirectory: /home/foo
+ bind_dn: "cn=admin,{{ basedn }}"
+ bind_pw: "{{ ldap_admin_pwd }}"
+ when: foo_pwd is defined
+
+- name: add dummy group foo
+ ldap_entry:
+ dn: "cn=foo,ou=groups,{{ basedn }}"
+ objectClass:
+ - posixGroup
+ attributes:
+ gidNumber: 10000
+ bind_dn: "cn=admin,{{ basedn }}"
+ bind_pw: "{{ ldap_admin_pwd }}"
+ when: foo_pwd is defined
+
+## ldapaddgroup tom
+## ldapadduser tom tom
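Review bot: The `dump admin password` task builds the secret into a `shell` command line, so the password travels through the remote shell as an argument and the file exists with the default umask until the following `chmod` tightens it; the `copy` module writes the content with the final mode in one step and needs no shell. `apt: state: latest` also upgrades both packages on every run instead of only ensuring they are installed, so `state: present` is the usual choice for a role like this, and `stat: path=/usr/sbin/slapd` is the one task using key=value args in a file that otherwise uses block YAML. The staging path `/etc/ldap/slapd.d/slapd-config.ldif` drops a hand-written file into slapd's own config-backend directory; a location such as `/etc/ldap/` keeps that directory to what slapd manages.
```yaml
# … unchanged: preseed tasks above …
- name: dump admin password
  copy:
    content: "{{ ldap_admin_pwd }}"
    dest: "{{ ldap_pwd_file }}"
    mode: "0600"
  no_log: true
  when: not slapd.stat.exists
# … unchanged: install, config and ldap_entry tasks below …
```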