Minor fixes and improvements, mostly KDC/LDAP related.

2019-11-18 15:31:30 +01:00 · 2019-11-18 15:31:30 +01:00 · ce6bd53319
commit ce6bd53319
parent ece5bca5b5
8 changed files with 52 additions and 19 deletions
--- a/roles/dhcp-dns-dnsmasq/tasks/main.yml
+++ b/roles/dhcp-dns-dnsmasq/tasks/main.yml
@ -1,3 +1,7 @@
 - name: check if dnsmasq is already there
  stat: path=/etc/dnsmasq.d/dnsmasq-dhcp
  register: dnsmasq
 - name: install dnsmasq package
  apt:
    name: dnsmasq
@ -9,6 +13,7 @@
    line: "{{ item.1 }}\t{{ 'debian%03d' | format(item.0) }}"
  with_indexed_items: "{{ dhcp_list }}"
  notify: "restart dnsmasq"
  when: not dnsmasq.stat.exists
 - name: configure dnsmasq
  template:
--- a/roles/krb5-kdc-ldap/defaults/main.yml
+++ b/roles/krb5-kdc-ldap/defaults/main.yml
@ -1,5 +1,9 @@
 ---
 kdc_pwd: "{{ lookup('password', '/tmp/kdc.pwd length=24') }}"
 kadmin_pwd: "{{ lookup('password', '/tmp/kadmin.pwd length=24') }}"
 kdc_master_pwd: "{{ lookup('password', '/tmp/kdc_master.pwd length=24') }}"
-kdc_pwd_file: "/root/kdc-master.pwd"
+kdc_master_pwd_file: "/root/kdc-master.pwd"
 kdc_service_pwd: "{{ lookup('password', '/tmp/kdc-service.pwd length=24') }}"
 kadmin_service_pwd: "{{ lookup('password', '/tmp/kadmin-service.pwd length=24') }}"
 kadmin_pwd: "{{ lookup('password', '/tmp/kadmin.pwd length=24') }}"
 kadmin_pwd_file: "/root/kadmin.pwd"
--- a/roles/krb5-kdc-ldap/tasks/main.yml
+++ b/roles/krb5-kdc-ldap/tasks/main.yml
@ -11,6 +11,9 @@
    src: krb5.conf.j2
    dest: /etc/krb5.conf
 - name: make sure krb5kdc exists
  file: path=/etc/krb5kdc state=directory recurse=yes
 - name: prepare kdc.conf
  template:
    src: kdc.conf.j2
@ -52,7 +55,7 @@
      - organizationalRole
      - simpleSecurityObject
    attributes:
-      userPassword: "{{ kdc_pwd }}"
+      userPassword: "{{ kdc_service_pwd }}"
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd }}"
  when: not krb5kdc.stat.exists
@ -64,7 +67,7 @@
      - organizationalRole
      - simpleSecurityObject
    attributes:
-      userPassword: "{{ kadmin_pwd }}"
+      userPassword: "{{ kadmin_service_pwd }}"
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd }}"
  when: not krb5kdc.stat.exists
@ -109,17 +112,17 @@
  when: not krb5kdc.stat.exists
 - name: prepare password for kdc
-  shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_pwd }} | xxd -g0 -ps | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
+  shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_service_pwd }} | xxd -g0 -ps | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
  no_log: true
  when: not krb5kdc.stat.exists
 - name: prepare password for kadmin
-  shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_pwd }} | xxd -g0 -ps | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile
+  shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_service_pwd }} | xxd -g0 -ps | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile
  no_log: true
  when: not krb5kdc.stat.exists
 - name: dump kdc master password
-  shell: echo -n "{{ kdc_master_pwd }}" > "{{ kdc_pwd_file }}" ; chmod 0600 "{{ kdc_pwd_file }}"
+  shell: echo -n "{{ kdc_master_pwd }}" > "{{ kdc_master_pwd_file }}" ; chmod 0600 "{{ kdc_master_pwd_file }}"
  no_log: true
  when: not krb5kdc.stat.exists
@ -137,18 +140,35 @@
  notify: "restart krb5-kdc"
  when: not krb5kdc.stat.exists
 - name: add root/admin as kadmin  
  command: kadmin.local -q "addprinc -pw {{ kadmin_pwd }} root/admin"
  when: not krb5kdc.stat.exists
 - name: dump kadmin password
  shell: echo -n "{{ kadmin_pwd }}" > "{{ kadmin_pwd_file }}" ; chmod 0600 "{{ kadmin_pwd_file }}"
  no_log: true
  when: not krb5kdc.stat.exists
 - name: add default policy to silence warning when using kadmin
  command: kadmin.local -q "add_policy default"
  when: not krb5kdc.stat.exists
- name: create machine principal
+- name: create machine principals
-  command: kadmin.local -q "addprinc -randkey host/{{ ansible_hostname }}.{{ ldap_domain }}"
+  command: kadmin.local -q "addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ldap_domain }}"
  with_items:
    - host
    - ldap
  when: not krb5kdc.stat.exists
 - name: add principal to the keytab
-  command: kadmin.local -q "ktadd host/{{ ansible_hostname }}.{{ ldap_domain }}"
+  command: kadmin.local -q "ktadd {{ item }}/{{ ansible_hostname }}.{{ ldap_domain }}"
  with_items:
    - host
    - ldap
  when: not krb5kdc.stat.exists
 ##############
 - name: kerberize dummy user foo
  command: kadmin.local -q 'add_principal -pw {{ foo_pwd }} -x dn="uid=foo,ou=people,{{ basedn }}" foo'
  when: foo_pwd is defined
--- a/roles/krb5-kdc-ldap/templates/kadm5.acl.j2
+++ b/roles/krb5-kdc-ldap/templates/kadm5.acl.j2
@ -1,3 +1,4 @@
 ## access controls for the Kerberos KDC
 root/admin@{{ ldap_domain | upper }} *
 *@{{ ldap_domain | upper }} cil
 */*@{{ ldap_domain | upper }} i
--- a/roles/ldap/defaults/main.yml
+++ b/roles/ldap/defaults/main.yml
@ -2,3 +2,4 @@ ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd length=24') }}"
 ldap_pwd_file: "/root/ldap-admin.pwd"
 ldap_domain: "{{ ansible_domain | default('intern', true) }}"
 basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
 lan_homes:  /home/lan
--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
@ -37,11 +37,13 @@
  no_log: true
  when: not slapd.stat.exists
- name: install slapd and python-ldap
+- name: install slapd, ldap-utils, ldapvi and python3-ldap
  apt:
    name:
      - slapd
-      - python-ldap
+      - ldap-utils
      - ldapvi
      - python3-ldap
    state: latest
 - name: make initial slapd configuration available
@ -90,7 +92,7 @@
      userPassword: "{{ foo_pwd }}"
      uidNumber: 10000
      gidNumber: 10000
-      homeDirectory: /home/lan/foo
+      homeDirectory: "{{ lan_homes }}/foo"
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd }}"
  when: foo_pwd is defined
--- a/roles/nfs-server/defaults/main.yml
+++ b/roles/nfs-server/defaults/main.yml
@ -1,4 +1,4 @@
 export_root: /srv/nfs4
-export_dir:  /home/lan
+lan_homes:  /home/lan
 ldap_domain: "{{ ansible_domain | default('intern', true) }}"
 basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
--- a/roles/nfs-server/tasks/main.yml
+++ b/roles/nfs-server/tasks/main.yml
@ -14,12 +14,12 @@
  file: path={{ export_root }}/home/ state=directory recurse=yes
 - name: make sure the export exists
-  file: path={{ export_dir }} state=directory recurse=yes
+  file: path={{ lan_homes }} state=directory recurse=yes
 - name: bind mount exported dir
  mount:
    path: "{{ export_root }}/home/"
-    src: "{{ export_dir }}"
+    src: "{{ lan_homes }}"
    fstype: none
    state: mounted
    opts: bind
@ -40,11 +40,11 @@
  register: kadmin
 - name: create machine principal
-  command: kadmin.local -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
+  command: kadmin.local -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
  when: kadmin.stat.exists and not exports.stat.exists
 - name: add principal to the keytab
-  command: kadmin.local -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
+  command: kadmin.local -q "ktadd nfs/{{ ansible_hostname }}.{{ ldap_domain }}"
  notify: "restart rpc-svcgssd"
  when: kadmin.stat.exists and not exports.stat.exists