Implement LDAP server role.
This commit is contained in:
parent
b3b8d3d342
commit
0597d178e0
4 changed files with 156 additions and 0 deletions
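--- a/mainserver.yml
+++ b/mainserver.yml
@@ -0,0 +1,14 @@
+---
+# This playbook deploys the mainserver
+
+- name: apply configuration to the mainserver
+hosts: all
+remote_user: andi
+become: yes
+vars:
+foo_pwd: 123
+
+roles:
+- ldap
+# - krb5-kdc-ldap
+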
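Review bot: `become: yes` and `foo_pwd: 123` are both implicit-typing traps — `yes` is a YAML 1.1 boolean that yamllint's `truthy` rule rejects and a YAML 1.2 parser reads as the string "yes", and `123` parses as an integer rather than the string it is later used as; write `become: true` and `foo_pwd: "123"`. More importantly, `foo_pwd` is a plaintext credential committed with the playbook and consumed by the role as the dummy user's `userPassword`, so it belongs in an Ansible Vault variable or a lookup rather than in version control. The play also targets `hosts: all` with a hardcoded `remote_user: andi`; an inventory group and per-host connection variables would scope it to the intended server.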
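--- a/roles/ldap/defaults/main.yml
+++ b/roles/ldap/defaults/main.yml
@@ -0,0 +1,4 @@
+ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd length=24') }}"
+ldap_pwd_file: "/root/ldap-admin.pwd"
+ldap_domain: "{{ ansible_domain | default('intern', true) }}"
+basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"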
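Review bot: `basedn` uses Jinja's `replace` filter, which is a plain substring replacement, so `replace('^.','')` and `replace('.$','')` only ever match the literal text `^.` / `.$` and the intended stripping of a leading or trailing dot never happens — a domain such as `example.com.` yields `dc=example,dc=com,dc=`; use `regex_replace('^\\.', '') | regex_replace('\\.$', '')` instead. Separately, `lookup('password', '/tmp/ldap_admin.pwd ...')` keeps the generated slapd admin password only in `/tmp` on the control node; once that file is cleaned up a new password is generated on the next run and every `bind_pw` against the already-installed server fails, and nothing in the role reads `ldap_pwd_file` back from the target. A stable, access-restricted path outside `/tmp` (or a vaulted variable) would make the credential durable across runs.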
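--- a/roles/ldap/files/slapd-config.ldif
+++ b/roles/ldap/files/slapd-config.ldif
@@ -0,0 +1,28 @@
+#### LDAP Overlays slapd ####
+#### Attribute Uniqueness ####
+
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: unique
+
+dn: olcOverlay=unique,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcUniqueConfig
+olcOverlay: unique
+olcUniqueAttribute: uid uidNumber mail
+
+
+#### Password Hashing ####
+
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModuleLoad: ppolicy
+
+dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: ppolicy
+olcPPolicyHashCleartext: TRUE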
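Review bot: Both overlay entries hardcode `olcDatabase={1}mdb,cn=config` (the `dn:` lines of the unique and ppolicy overlays), which matches Debian's stock slapd layout but makes the `ldapadd` fail with "no such object" on any host whose directory database has a different index or backend, and since the tasks apply this file only at first install the miss is never retried. A header comment stating the assumption would help, e.g. `# Assumes Debian's stock layout: the user DB is olcDatabase={1}mdb,cn=config`. It is also worth documenting that `olcPPolicyHashCleartext: TRUE` is what turns the plaintext `userPassword` the role writes for the dummy user into a stored hash, using the scheme configured by `olcPasswordHash` (slapd's default is {SSHA}), so dropping this entry would silently leave passwords in clear. The second `cn=module,cn=config` entry omits `olcModulePath`; if the compiled-in default differs from `/usr/lib/ldap`, loading `ppolicy` fails, so adding the path for symmetry with the first entry would be safer.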
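--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
@@ -0,0 +1,110 @@
+## Install and configure slapd (if not done yet),
+## run most tasks only on slapd installation.
+---
+
+- name: check if slapd is already there
+stat: path=/usr/sbin/slapd
+register: slapd
+
+- name: preseed ldap domain
+debconf:
+name: slapd
+question: slapd/domain
+value: "{{ ldap_domain }}"
+vtype: string
+when: not slapd.stat.exists
+
+- name: preseed slapd admin password1
+debconf:
+name: slapd
+question: slapd/password1
+value: "{{ ldap_admin_pwd }}"
+vtype: password
+no_log: true
+when: not slapd.stat.exists
+
+- name: preseed slapd admin password2
+debconf:
+name: slapd
+question: slapd/password2
+value: "{{ ldap_admin_pwd }}"
+vtype: password
+no_log: true
+when: not slapd.stat.exists
+
+- name: dump admin password
+shell: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_pwd_file }}" ; chmod 0600 "{{ ldap_pwd_file }}"
+no_log: true
+when: not slapd.stat.exists
+
+- name: install slapd and python-ldap
+apt:
+name:
+- slapd
+- python-ldap
+state: latest
+
+- name: make initial slapd configuration available
+copy:
+src: slapd-config.ldif
+dest: /etc/ldap/slapd.d/slapd-config.ldif
+when: not slapd.stat.exists
+
+- name: activate ppolicy schema
+command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
+when: not slapd.stat.exists
+
+- name: initialize slapd if it has just been installed
+command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif
+when: not slapd.stat.exists
+
+
+#######################################################################################
+
+## Prepare user directories
+- name: make sure we have a people entry for users
+ldap_entry:
+dn: "ou=people,{{ basedn }}"
+objectClass: organizationalUnit
+bind_dn: "cn=admin,{{ basedn }}"
+bind_pw: "{{ ldap_admin_pwd }}"
+
+- name: make sure we have a group entry for users
+ldap_entry:
+dn: "ou=groups,{{ basedn }}"
+objectClass: organizationalUnit
+bind_dn: "cn=admin,{{ basedn }}"
+bind_pw: "{{ ldap_admin_pwd }}"
+
+
+## Add user
+- name: add dummy user foo
+ldap_entry:
+dn: "uid=foo,ou=people,{{ basedn }}"
+objectClass:
+- inetOrgPerson
+- posixAccount
+attributes:
+cn: foo
+sn: bar
+userPassword: "{{ foo_pwd }}"
+uidNumber: 10000
+gidNumber: 10000
+homeDirectory: /home/foo
+bind_dn: "cn=admin,{{ basedn }}"
+bind_pw: "{{ ldap_admin_pwd }}"
+when: foo_pwd is defined
+
+- name: add dummy group foo
+ldap_entry:
+dn: "cn=foo,ou=groups,{{ basedn }}"
+objectClass:
+- posixGroup
+attributes:
+gidNumber: 10000
+bind_dn: "cn=admin,{{ basedn }}"
+bind_pw: "{{ ldap_admin_pwd }}"
+when: foo_pwd is defined
+
+## ldapaddgroup tom
+## ldapadduser tom tom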
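Review bot: The `dump admin password` task (`shell: echo -n "{{ ldap_admin_pwd }}" > ... ; chmod 0600 ...`) passes the admin password as a shell argument and creates the file under the default umask before the `chmod` runs, so the secret is briefly visible in the process list and the file may be readable by other local users for that window; `no_log: true` hides it from Ansible output but not from the host. Writing it with `copy` using `content:` and an explicit `mode: "0600"` creates the file with the right permissions in one step and keeps the value out of argv (rewrite below). Two smaller points: `state: latest` on the apt task upgrades slapd on every run where `state: present` is the usual choice, and because every configuration task is gated on `when: not slapd.stat.exists`, a failure after the install step leaves slapd installed but unconfigured with no later run able to repair it — a marker file with `creates:` on the `ldapadd` commands would make the gate recoverable. On releases where the ppolicy schema is compiled into slapd, `/etc/ldap/schema/ppolicy.ldif` may be absent and that `ldapadd` would fail, which is worth confirming for the target distribution.
```yaml
- name: dump admin password
  copy:
    content: "{{ ldap_admin_pwd }}"
    dest: "{{ ldap_pwd_file }}"
    owner: root
    group: root
    mode: "0600"
  no_log: true
  when: not slapd.stat.exists
# … unchanged: remaining tasks …
```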