it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Move LDAP install/setup tasks into extra file.

Browse source
This commit is contained in:
Andreas B. Mundt 2021-04-05 19:12:31 +02:00 committed by Andreas B. Mundt
parent 51f01858c1
commit c976c69bed
2 changed files with 104 additions and 106 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

116
roles/ldap/tasks/main.yml
View file

@ -1,117 +1,18 @@
## Install and configure slapd (if not done yet), ## Install and configure slapd.
## run most tasks only on slapd installation.
--- ---
- fail: msg="The machine's domain must not be empty." - fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0 when: ansible_domain | length == 0
- name: check if slapd is already there - name: check if slapd is already set up
stat: path=/etc/ldap/slapd.d/slapd-config.ldif stat: path=/usr/sbin/slapd
register: slapd register: slapd
- name: preseed ldap domain - name: install and configure slapd
debconf: include_tasks: setup.yml
name: slapd
question: slapd/domain
value: "{{ ansible_domain }}"
vtype: string
when: not slapd.stat.exists
- name: preseed slapd admin password1
debconf:
name: slapd
question: slapd/password1
value: "{{ ldap_admin_pwd }}"
vtype: password
no_log: true
when: not slapd.stat.exists
- name: preseed slapd admin password2
debconf:
name: slapd
question: slapd/password2
value: "{{ ldap_admin_pwd }}"
vtype: password
no_log: true
when: not slapd.stat.exists
- name: dump admin password
shell: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_admin_pwd_file }}" ; chmod 0600 "{{ ldap_admin_pwd_file }}"
no_log: true
when: not slapd.stat.exists
- name: install packages for LDAP
apt:
name:
- slapd
- ldap-utils
- ldapvi
- python3-ldap
- ssl-cert
state: latest
- name: add openldap to the ssl-cert group
user:
name: openldap
groups: ssl-cert
append: yes
register: ssl_cert_group
- name: restart slapd
systemd: name=slapd state=restarted
when: ssl_cert_group.changed
- name: make initial slapd configuration available
copy:
src: slapd-config.ldif
dest: /etc/ldap/slapd.d/
when: not slapd.stat.exists
- name: make slapd TLS configuration available
template:
src: slapd-TLS.ldif
dest: /etc/ldap/slapd.d/
when: not slapd.stat.exists
- name: activate ppolicy schema
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
when: not slapd.stat.exists
- name: initialize slapd if it has just been installed
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif
when: not slapd.stat.exists
- name: configure LDAP TLS
command: ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-TLS.ldif
when: not slapd.stat.exists
- name: "make 'ldap' an alias hostname resolvable from the LAN"
replace:
path: /etc/hosts
regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
replace: '\1 ldap'
when: not slapd.stat.exists
- name: add URI to ldap.conf
lineinfile:
dest: /etc/ldap/ldap.conf
line: "URI ldapi:///"
insertafter: "#URI.*"
- name: add BASE to ldap.conf
lineinfile:
dest: /etc/ldap/ldap.conf
line: "BASE {{ basedn }}"
insertafter: "#BASE.*"
- name: check against self signed certificate
replace:
path: /etc/ldap/ldap.conf
regexp: "^(TLS_CACERT\\s+/etc/ssl/certs/ca-certificates.crt)$"
replace: '#\1\nTLS_CACERT\t{{ TLSCertificateFile }}'
when: not slapd.stat.exists when: not slapd.stat.exists
####################################################################################### #######################################################################################
## Use the admin password saved to file from now on (available also after installation): ## Use the admin password saved to file (available also after installation):
- name: slurp admin password - name: slurp admin password
slurp: slurp:
src: "{{ ldap_admin_pwd_file }}" src: "{{ ldap_admin_pwd_file }}"
@ -133,6 +34,7 @@
bind_dn: "cn=admin,{{ basedn }}" bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
- name: add group for ldap users - name: add group for ldap users
ldap_entry: ldap_entry:
dn: "cn=ldapuser,ou=groups,{{ basedn }}" dn: "cn=ldapuser,ou=groups,{{ basedn }}"
@ -143,13 +45,14 @@
bind_dn: "cn=admin,{{ basedn }}" bind_dn: "cn=admin,{{ basedn }}"
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
- name: provide simple script to manage ldap/kdc - name: provide simple script to manage ldap/kdc
template: template:
src: debian-lan.j2 src: debian-lan.j2
dest: /usr/local/sbin/debian-lan dest: /usr/local/sbin/debian-lan
mode: 0744 mode: 0744
## Add user
- name: add dummy user foo - name: add dummy user foo
ldap_entry: ldap_entry:
dn: "uid=foo,ou=people,{{ basedn }}" dn: "uid=foo,ou=people,{{ basedn }}"
@ -179,6 +82,7 @@
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}" bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
when: foo_pwd is defined and foo_pwd | length > 0 when: foo_pwd is defined and foo_pwd | length > 0
- name: allow ldap service in firewalld - name: allow ldap service in firewalld
firewalld: firewalld:
zone: internal zone: internal

94
roles/ldap/tasks/setup.yml Normal file
View file

@ -0,0 +1,94 @@
## Install and configure slapd.
---
- name: preseed ldap domain
debconf:
name: slapd
question: slapd/domain
value: "{{ ansible_domain }}"
vtype: string
- name: preseed slapd admin password1
debconf:
name: slapd
question: slapd/password1
value: "{{ ldap_admin_pwd }}"
vtype: password
no_log: true
- name: preseed slapd admin password2
debconf:
name: slapd
question: slapd/password2
value: "{{ ldap_admin_pwd }}"
vtype: password
no_log: true
- name: dump admin password
shell: echo -n "{{ ldap_admin_pwd }}" > "{{ ldap_admin_pwd_file }}" ; chmod 0600 "{{ ldap_admin_pwd_file }}"
no_log: true
- name: install packages for LDAP
apt:
name:
- slapd
- ldap-utils
- ldapvi
- python3-ldap
- ssl-cert
state: latest
- name: add openldap to the ssl-cert group
user:
name: openldap
groups: ssl-cert
append: yes
register: ssl_cert_group
- name: restart slapd
systemd: name=slapd state=restarted
when: ssl_cert_group.changed
- name: make initial slapd configuration available
copy:
src: slapd-config.ldif
dest: /etc/ldap/slapd.d/
- name: make slapd TLS configuration available
template:
src: slapd-TLS.ldif
dest: /etc/ldap/slapd.d/
- name: activate ppolicy schema
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
- name: initialize slapd if it has just been installed
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif
- name: configure LDAP TLS
command: ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-TLS.ldif
- name: "make 'ldap' an alias hostname resolvable from the LAN"
replace:
path: /etc/hosts
regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
replace: '\1 ldap'
- name: add URI to ldap.conf
lineinfile:
dest: /etc/ldap/ldap.conf
line: "URI ldapi:///"
insertafter: "#URI.*"
- name: add BASE to ldap.conf
lineinfile:
dest: /etc/ldap/ldap.conf
line: "BASE {{ basedn }}"
insertafter: "#BASE.*"
- name: check against self signed certificate
replace:
path: /etc/ldap/ldap.conf
regexp: "^(TLS_CACERT\\s+/etc/ssl/certs/ca-certificates.crt)$"
replace: '#\1\nTLS_CACERT\t{{ TLSCertificateFile }}'
## Use 'sudo ldapvi -Y EXTERNAL -h ldapi:/// -b "cn=config"' to modify certificate and key.