Do not deploy LDAP and KDC during installation as it adds too much complexity.
This commit is contained in:
parent
284dadc2d3
commit
954ac5b0e6
4 changed files with 14 additions and 43 deletions
@ -47,6 +47,6 @@
|
|||
- dhcp-dns-dnsmasq
|
||||
- tftp-netboot-installer
|
||||
- apt-cacher
|
||||
- krb5-kdc-ldap
|
||||
- nfs-server
|
||||
- { role: krb5-kdc-ldap, when: not run_in_installer|default(false)|bool }
|
||||
- { role: nfs-server, when: not run_in_installer|default(false)|bool }
|
||||
- prepare4clients
|
||||
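Review bot: The two conditioned roles at `- { role: krb5-kdc-ldap, when: ... }` and `- { role: nfs-server, when: ... }` use flow mappings for structured entries inside an otherwise block-style role list; block form diffs better and keeps the filter chain readable: `- role: krb5-kdc-ldap` / `  when: not run_in_installer | default(false) | bool`, and likewise for nfs-server. Because `run_in_installer` defaults to false, both roles still run on every non-installer invocation, so a short comment above the list such as `# LDAP/KDC and NFS are deliberately skipped while run_in_installer is true` would record the intent of this commit in the playbook itself.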
@ -36,7 +36,8 @@
|
|||
|
||||
- name: prepare kerberos.openldap.ldif
|
||||
shell: gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz > /etc/ldap/schema/kerberos.openldap.ldif
|
||||
when: not krb5kdc.stat.exists
|
||||
args:
|
||||
creates: /etc/ldap/schema/kerberos.openldap.ldif
|
||||
|
||||
- name: activate kerberos.openldap.ldif schema
|
||||
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/kerberos.openldap.ldif
|
||||
|
@ -48,7 +49,6 @@
|
|||
objectClass: krbContainer
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd }}"
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: make sure we have a kdc object
|
||||
ldap_entry:
|
||||
|
@ -60,7 +60,6 @@
|
|||
userPassword: "{{ kdc_service_pwd }}"
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd }}"
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: make sure we have a kadmin object
|
||||
ldap_entry:
|
||||
|
@ -72,7 +71,6 @@
|
|||
userPassword: "{{ kadmin_service_pwd }}"
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd }}"
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: modify ACLs to account for KDC
|
||||
ldap_attr:
|
||||
|
@ -110,7 +108,13 @@
|
|||
ldap_attr:
|
||||
dn: "olcDatabase={1}mdb,cn=config"
|
||||
name: olcDbIndex
|
||||
values: krbPrincipalName pres,sub,eq
|
||||
values:
|
||||
- objectClass eq
|
||||
- cn,uid eq
|
||||
- uidNumber,gidNumber eq
|
||||
- member,memberUid eq
|
||||
- krbPrincipalName pres,sub,eq
|
||||
state: exact
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: prepare password for kdc
|
||||
|
@ -169,8 +173,6 @@
|
|||
- ldap
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
##############
|
||||
|
||||
- name: kerberize dummy user foo
|
||||
command: kadmin.local -q 'add_principal -pw "{{ foo_pwd }}" -x dn="uid=foo,ou=people,{{ basedn }}" foo'
|
||||
register: kerberize_result
|
||||
|
@ -178,8 +180,6 @@
|
|||
no_log: true
|
||||
when: foo_pwd is defined and foo_pwd | length > 0
|
||||
|
||||
#############################
|
||||
|
||||
- name: allow services in firewalld
|
||||
firewalld:
|
||||
zone: internal
|
||||
|
@ -190,14 +190,3 @@
|
|||
- kerberos
|
||||
- kadmin
|
||||
- kpasswd
|
||||
when: not run_in_installer|default(false)|bool
|
||||
|
||||
## Use firewall-offline-cmd when run during installation:
|
||||
|
||||
- name: allow services in firewalld
|
||||
command: >-
|
||||
firewall-offline-cmd --zone=internal
|
||||
--add-service=kerberos
|
||||
--add-service=kadmin
|
||||
--add-service=kpasswd
|
||||
when: run_in_installer|default(false)|bool
|
||||
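Review bot: `state: exact` on the `olcDbIndex` task makes the five-entry `values:` list authoritative: any `olcDbIndex` value already present on `olcDatabase={1}mdb,cn=config` (one set by the ldap role, or by hand) is removed rather than supplemented, and the only protection is the `when: not krb5kdc.stat.exists` guard on first run. If the intent is just to add the Kerberos index, `state: present` with the single `krbPrincipalName pres,sub,eq` value is the narrower form; if the full list is intended, a comment above `values:` such as `# authoritative index set for the mdb database; keep in sync with the ldap role` would make that explicit. The task's `- name:` line lies before this hunk, so its description is not visible here.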
@ -5,7 +5,7 @@
|
|||
when: ansible_domain | length == 0
|
||||
|
||||
- name: check if slapd is already there
|
||||
stat: path=/usr/sbin/slapd
|
||||
stat: path=/etc/ldap/slapd.d/slapd-config.ldif
|
||||
register: slapd
|
||||
|
||||
- name: preseed ldap domain
|
||||
|
@ -116,18 +116,9 @@
|
|||
bind_pw: "{{ ldap_admin_pwd }}"
|
||||
when: foo_pwd is defined and foo_pwd | length > 0
|
||||
|
||||
#############################
|
||||
|
||||
- name: allow ldap service in firewalld
|
||||
firewalld:
|
||||
zone: internal
|
||||
service: ldap
|
||||
permanent: yes
|
||||
state: enabled
|
||||
when: not run_in_installer|default(false)|bool
|
||||
|
||||
## Use firewall-offline-cmd when run during installation:
|
||||
|
||||
- name: allow ldap service in firewalld
|
||||
command: "firewall-offline-cmd --zone=internal --add-service=ldap"
|
||||
when: run_in_installer|default(false)|bool
|
||||
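Review bot: The new existence check `stat: path=/etc/ldap/slapd.d/slapd-config.ldif` keeps the `key=value` argument string; Ansible's native block form is clearer and lint-friendly: `stat:` / `  path: /etc/ldap/slapd.d/slapd-config.ldif`. Since the value registered as `slapd` now reflects whether the server has been configured rather than whether the binary is installed, a comment above the task, `# the config ldif exists only once slapd has been configured, unlike the binary`, would explain why the probed path changed. In the context lines of the second hunk, `permanent: yes` would read unambiguously as `permanent: true`.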
@ -60,7 +60,7 @@
|
|||
when: kadmin.stat.exists
|
||||
|
||||
- name: copy home from /etc/skel for dummy user foo
|
||||
shell: cp -r /etc/skel {{ lan_homes }}/foo && chmod -R o-rwx {{ lan_homes }}/foo && chown -R foo:foo {{ lan_homes }}/foo
|
||||
shell: cp -r /etc/skel {{ lan_homes }}/foo && chmod -R o-rwx {{ lan_homes }}/foo && chown -R 10000:10000 {{ lan_homes }}/foo
|
||||
args:
|
||||
creates: "{{ lan_homes }}/foo"
|
||||
when: foo_pwd is defined and foo_pwd | length > 0
|
||||
|
@ -76,18 +76,9 @@
|
|||
notify: "restart dnsmasq"
|
||||
when: dnsmasq.stat.exists
|
||||
|
||||
#############################
|
||||
|
||||
- name: allow nfs service in firewalld
|
||||
firewalld:
|
||||
zone: internal
|
||||
service: nfs
|
||||
permanent: yes
|
||||
state: enabled
|
||||
when: not run_in_installer|default(false)|bool
|
||||
|
||||
## Use firewall-offline-cmd when run during installation:
|
||||
|
||||
- name: allow nfs service in firewalld
|
||||
command: "firewall-offline-cmd --zone=internal --add-service=nfs"
|
||||
when: run_in_installer|default(false)|bool
|
||||
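Review bot: The rewritten shell line `chown -R 10000:10000 {{ lan_homes }}/foo` hard-codes the dummy user's uid and gid; those numbers presumably also appear wherever the foo account is defined, so a variable (for example `{{ foo_uid }}`, placeholder name) keeps the two from drifting apart. `{{ lan_homes }}` is also interpolated unquoted three times into a `shell:` pipeline, so a value containing spaces or shell metacharacters breaks the command or executes unintended text; writing each use as `{{ lan_homes | quote }}`, or replacing the pipeline with the `copy` and `file` modules, removes that risk. The `creates:` and `when:` guards on this task are context lines and are not affected by the change.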