Do not deploy LDAP and KDC during installation as it adds too much complexity.
This commit is contained in:
Andreas B. Mundt
parent
284dadc2d3
commit
954ac5b0e6
4 changed files with 14 additions and 43 deletions
|
|
@ -47,6 +47,6 @@
|
||||||
- dhcp-dns-dnsmasq
|
- dhcp-dns-dnsmasq
|
||||||
- tftp-netboot-installer
|
- tftp-netboot-installer
|
||||||
- apt-cacher
|
- apt-cacher
|
||||||
- krb5-kdc-ldap
|
- { role: krb5-kdc-ldap, when: not run_in_installer|default(false)|bool }
|
||||||
- nfs-server
|
- { role: nfs-server, when: not run_in_installer|default(false)|bool }
|
||||||
- prepare4clients
|
- prepare4clients
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,8 @@
|
||||||
|
|
||||||
- name: prepare kerberos.openldap.ldif
|
- name: prepare kerberos.openldap.ldif
|
||||||
shell: gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz > /etc/ldap/schema/kerberos.openldap.ldif
|
shell: gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz > /etc/ldap/schema/kerberos.openldap.ldif
|
||||||
when: not krb5kdc.stat.exists
|
args:
|
||||||
|
creates: /etc/ldap/schema/kerberos.openldap.ldif
|
||||||
|
|
||||||
- name: activate kerberos.openldap.ldif schema
|
- name: activate kerberos.openldap.ldif schema
|
||||||
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/kerberos.openldap.ldif
|
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/kerberos.openldap.ldif
|
||||||
|
|
@ -48,7 +49,6 @@
|
||||||
objectClass: krbContainer
|
objectClass: krbContainer
|
||||||
bind_dn: "cn=admin,{{ basedn }}"
|
bind_dn: "cn=admin,{{ basedn }}"
|
||||||
bind_pw: "{{ ldap_admin_pwd }}"
|
bind_pw: "{{ ldap_admin_pwd }}"
|
||||||
when: not krb5kdc.stat.exists
|
|
||||||
|
|
||||||
- name: make sure we have a kdc object
|
- name: make sure we have a kdc object
|
||||||
ldap_entry:
|
ldap_entry:
|
||||||
|
|
@ -60,7 +60,6 @@
|
||||||
userPassword: "{{ kdc_service_pwd }}"
|
userPassword: "{{ kdc_service_pwd }}"
|
||||||
bind_dn: "cn=admin,{{ basedn }}"
|
bind_dn: "cn=admin,{{ basedn }}"
|
||||||
bind_pw: "{{ ldap_admin_pwd }}"
|
bind_pw: "{{ ldap_admin_pwd }}"
|
||||||
when: not krb5kdc.stat.exists
|
|
||||||
|
|
||||||
- name: make sure we have a kadmin object
|
- name: make sure we have a kadmin object
|
||||||
ldap_entry:
|
ldap_entry:
|
||||||
|
|
@ -72,7 +71,6 @@
|
||||||
userPassword: "{{ kadmin_service_pwd }}"
|
userPassword: "{{ kadmin_service_pwd }}"
|
||||||
bind_dn: "cn=admin,{{ basedn }}"
|
bind_dn: "cn=admin,{{ basedn }}"
|
||||||
bind_pw: "{{ ldap_admin_pwd }}"
|
bind_pw: "{{ ldap_admin_pwd }}"
|
||||||
when: not krb5kdc.stat.exists
|
|
||||||
|
|
||||||
- name: modify ACLs to account for KDC
|
- name: modify ACLs to account for KDC
|
||||||
ldap_attr:
|
ldap_attr:
|
||||||
|
|
@ -110,7 +108,13 @@
|
||||||
ldap_attr:
|
ldap_attr:
|
||||||
dn: "olcDatabase={1}mdb,cn=config"
|
dn: "olcDatabase={1}mdb,cn=config"
|
||||||
name: olcDbIndex
|
name: olcDbIndex
|
||||||
values: krbPrincipalName pres,sub,eq
|
values:
|
||||||
|
- objectClass eq
|
||||||
|
- cn,uid eq
|
||||||
|
- uidNumber,gidNumber eq
|
||||||
|
- member,memberUid eq
|
||||||
|
- krbPrincipalName pres,sub,eq
|
||||||
|
state: exact
|
||||||
when: not krb5kdc.stat.exists
|
when: not krb5kdc.stat.exists
|
||||||
|
|
||||||
- name: prepare password for kdc
|
- name: prepare password for kdc
|
||||||
|
|
@ -169,8 +173,6 @@
|
||||||
- ldap
|
- ldap
|
||||||
when: not krb5kdc.stat.exists
|
when: not krb5kdc.stat.exists
|
||||||
|
|
||||||
##############
|
|
||||||
|
|
||||||
- name: kerberize dummy user foo
|
- name: kerberize dummy user foo
|
||||||
command: kadmin.local -q 'add_principal -pw "{{ foo_pwd }}" -x dn="uid=foo,ou=people,{{ basedn }}" foo'
|
command: kadmin.local -q 'add_principal -pw "{{ foo_pwd }}" -x dn="uid=foo,ou=people,{{ basedn }}" foo'
|
||||||
register: kerberize_result
|
register: kerberize_result
|
||||||
|
|
@ -178,8 +180,6 @@
|
||||||
no_log: true
|
no_log: true
|
||||||
when: foo_pwd is defined and foo_pwd | length > 0
|
when: foo_pwd is defined and foo_pwd | length > 0
|
||||||
|
|
||||||
#############################
|
|
||||||
|
|
||||||
- name: allow services in firewalld
|
- name: allow services in firewalld
|
||||||
firewalld:
|
firewalld:
|
||||||
zone: internal
|
zone: internal
|
||||||
|
|
@ -190,14 +190,3 @@
|
||||||
- kerberos
|
- kerberos
|
||||||
- kadmin
|
- kadmin
|
||||||
- kpasswd
|
- kpasswd
|
||||||
when: not run_in_installer|default(false)|bool
|
|
||||||
|
|
||||||
## Use firewall-offline-cmd when run during installation:
|
|
||||||
|
|
||||||
- name: allow services in firewalld
|
|
||||||
command: >-
|
|
||||||
firewall-offline-cmd --zone=internal
|
|
||||||
--add-service=kerberos
|
|
||||||
--add-service=kadmin
|
|
||||||
--add-service=kpasswd
|
|
||||||
when: run_in_installer|default(false)|bool
|
|
||||||
|
|
|
||||||
|
|
@ -5,7 +5,7 @@
|
||||||
when: ansible_domain | length == 0
|
when: ansible_domain | length == 0
|
||||||
|
|
||||||
- name: check if slapd is already there
|
- name: check if slapd is already there
|
||||||
stat: path=/usr/sbin/slapd
|
stat: path=/etc/ldap/slapd.d/slapd-config.ldif
|
||||||
register: slapd
|
register: slapd
|
||||||
|
|
||||||
- name: preseed ldap domain
|
- name: preseed ldap domain
|
||||||
|
|
@ -116,18 +116,9 @@
|
||||||
bind_pw: "{{ ldap_admin_pwd }}"
|
bind_pw: "{{ ldap_admin_pwd }}"
|
||||||
when: foo_pwd is defined and foo_pwd | length > 0
|
when: foo_pwd is defined and foo_pwd | length > 0
|
||||||
|
|
||||||
#############################
|
|
||||||
|
|
||||||
- name: allow ldap service in firewalld
|
- name: allow ldap service in firewalld
|
||||||
firewalld:
|
firewalld:
|
||||||
zone: internal
|
zone: internal
|
||||||
service: ldap
|
service: ldap
|
||||||
permanent: yes
|
permanent: yes
|
||||||
state: enabled
|
state: enabled
|
||||||
when: not run_in_installer|default(false)|bool
|
|
||||||
|
|
||||||
## Use firewall-offline-cmd when run during installation:
|
|
||||||
|
|
||||||
- name: allow ldap service in firewalld
|
|
||||||
command: "firewall-offline-cmd --zone=internal --add-service=ldap"
|
|
||||||
when: run_in_installer|default(false)|bool
|
|
||||||
|
|
|
||||||
|
|
@ -60,7 +60,7 @@
|
||||||
when: kadmin.stat.exists
|
when: kadmin.stat.exists
|
||||||
|
|
||||||
- name: copy home from /etc/skel for dummy user foo
|
- name: copy home from /etc/skel for dummy user foo
|
||||||
shell: cp -r /etc/skel {{ lan_homes }}/foo && chmod -R o-rwx {{ lan_homes }}/foo && chown -R foo:foo {{ lan_homes }}/foo
|
shell: cp -r /etc/skel {{ lan_homes }}/foo && chmod -R o-rwx {{ lan_homes }}/foo && chown -R 10000:10000 {{ lan_homes }}/foo
|
||||||
args:
|
args:
|
||||||
creates: "{{ lan_homes }}/foo"
|
creates: "{{ lan_homes }}/foo"
|
||||||
when: foo_pwd is defined and foo_pwd | length > 0
|
when: foo_pwd is defined and foo_pwd | length > 0
|
||||||
|
|
@ -76,18 +76,9 @@
|
||||||
notify: "restart dnsmasq"
|
notify: "restart dnsmasq"
|
||||||
when: dnsmasq.stat.exists
|
when: dnsmasq.stat.exists
|
||||||
|
|
||||||
#############################
|
|
||||||
|
|
||||||
- name: allow nfs service in firewalld
|
- name: allow nfs service in firewalld
|
||||||
firewalld:
|
firewalld:
|
||||||
zone: internal
|
zone: internal
|
||||||
service: nfs
|
service: nfs
|
||||||
permanent: yes
|
permanent: yes
|
||||||
state: enabled
|
state: enabled
|
||||||
when: not run_in_installer|default(false)|bool
|
|
||||||
|
|
||||||
## Use firewall-offline-cmd when run during installation:
|
|
||||||
|
|
||||||
- name: allow nfs service in firewalld
|
|
||||||
command: "firewall-offline-cmd --zone=internal --add-service=nfs"
|
|
||||||
when: run_in_installer|default(false)|bool
|
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue