Improved password management. Make sure the saved password is used after first setup.

kerberox.yml

@@ -30,7 +30,10 @@
 
   vars_prompt:
     - name: "foo_pwd"
-      prompt: "Provide a non-empty password for the test user 'foo'.\nLeave empty to continue without test user"
+      prompt:
+        In case you would like to prepare a test user 'foo' and have
+        not done so yet, provide foo's password here.  Leave empty to
+        just continue
       private: yes
 
 

roles/krb5-kdc-ldap/tasks/main.yml

@@ -48,7 +48,7 @@
     dn: "cn=kerberos,{{ basedn }}"
     objectClass: krbContainer
     bind_dn: "cn=admin,{{ basedn }}"
-    bind_pw: "{{ ldap_admin_pwd }}"
+    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
 
 - name: make sure we have a kdc object
   ldap_entry:
@@ -59,7 +59,7 @@
     attributes:
       userPassword: "{{ kdc_service_pwd }}"
     bind_dn: "cn=admin,{{ basedn }}"
-    bind_pw: "{{ ldap_admin_pwd }}"
+    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
 
 - name: make sure we have a kadmin object
   ldap_entry:
@@ -70,7 +70,7 @@
     attributes:
       userPassword: "{{ kadmin_service_pwd }}"
     bind_dn: "cn=admin,{{ basedn }}"
-    bind_pw: "{{ ldap_admin_pwd }}"
+    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
 
 - name: modify ACLs to account for KDC
   ldap_attr:
@@ -137,7 +137,7 @@
     >-
       kdb5_ldap_util
       -D cn=admin,"{{ basedn }}"
-      -w "{{ ldap_admin_pwd }}"
+      -w "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
       -H ldapi:///
       create -s -subtrees "{{ basedn }}"
       -P "{{ kdc_master_pwd }}"

roles/ldap/tasks/main.yml

@@ -62,8 +62,13 @@
   command: ldapadd  -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif
   when: not slapd.stat.exists
 
-
 #######################################################################################
+## Use the admin password saved to file from now on (available also after installation):
+- name: slurp admin password
+  slurp:
+    src: "{{ ldap_admin_pwd_file }}"
+  register: ldap_admin_pwd
+  no_log: true
 
 ## Prepare user directories
 - name: make sure we have a people entry for users
@@ -71,19 +76,19 @@
     dn: "ou=people,{{ basedn }}"
     objectClass: organizationalUnit
     bind_dn: "cn=admin,{{ basedn }}"
-    bind_pw: "{{ ldap_admin_pwd }}"
+    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
 
 - name: make sure we have a group entry for users
   ldap_entry:
     dn: "ou=groups,{{ basedn }}"
     objectClass: organizationalUnit
     bind_dn: "cn=admin,{{ basedn }}"
-    bind_pw: "{{ ldap_admin_pwd }}"
+    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
 
 - name: provide simple script to add/delete users
   template:
     src: debian-lan.j2
-    dest: /usr/local/sbin/debian-lan
+    dest: /usr/local/bin/debian-lan
     mode: 0744
 
 ## Add user
@@ -102,7 +107,7 @@
       homeDirectory: "{{ lan_homes }}/foo"
       loginShell: /bin/bash
     bind_dn: "cn=admin,{{ basedn }}"
-    bind_pw: "{{ ldap_admin_pwd }}"
+    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
   when: foo_pwd is defined and foo_pwd | length > 0
 
 - name: add dummy group foo
@@ -113,7 +118,7 @@
     attributes:
       gidNumber: 10000
     bind_dn: "cn=admin,{{ basedn }}"
-    bind_pw: "{{ ldap_admin_pwd }}"
+    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
   when: foo_pwd is defined and foo_pwd | length > 0
 
 - name: allow ldap service in firewalld