Use ansible_domain everywhere and bail out if it is empty.

Andreas B. Mundt 2019-11-21 15:47:08 +01:00
parent bbcf45bbeb
commit ed8b7a7fa6
12 changed files with 32 additions and 25 deletions


@ -1,6 +1,8 @@
## Install and configure krb5-kdc-ldap (if not done yet), ## Install and configure krb5-kdc-ldap (if not done yet),
## run most tasks only on krb5-kdc-ldap installation. ## run most tasks only on krb5-kdc-ldap installation.
--- ---
- fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0
- name: check if slapd is already there - name: check if slapd is already there
stat: path=/usr/sbin/krb5kdc stat: path=/usr/sbin/krb5kdc
@ -135,7 +137,7 @@
-H ldapi:/// -H ldapi:///
create -s -subtrees "{{ basedn }}" create -s -subtrees "{{ basedn }}"
-P "{{ kdc_master_pwd }}" -P "{{ kdc_master_pwd }}"
-r "{{ ldap_domain | upper }}" -r "{{ ansible_domain | upper }}"
no_log: true no_log: true
notify: "restart krb5-kdc" notify: "restart krb5-kdc"
when: not krb5kdc.stat.exists when: not krb5kdc.stat.exists
@ -154,14 +156,14 @@
when: not krb5kdc.stat.exists when: not krb5kdc.stat.exists
- name: create machine principals - name: create machine principals
command: kadmin.local -q "addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ldap_domain }}" command: kadmin.local -q "addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}"
with_items: with_items:
- host - host
- ldap - ldap
when: not krb5kdc.stat.exists when: not krb5kdc.stat.exists
- name: add principal to the keytab - name: add principal to the keytab
command: kadmin.local -q "ktadd {{ item }}/{{ ansible_hostname }}.{{ ldap_domain }}" command: kadmin.local -q "ktadd {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}"
with_items: with_items:
- host - host
- ldap - ldap
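Review bot: The guard added at the top of the file evaluates `ansible_domain | length` directly, so if the fact is undefined (facts not gathered, or a minimal fact subset) the `when` clause itself aborts with an undefined-variable error instead of printing the intended message. Write it as `when: ansible_domain | default('') | length == 0` so both the empty and the undefined case reach the `fail`, and give the task a `name:` so it is legible in play output. Note also that the later hunks now feed that fact straight into the realm name (`-r "{{ ansible_domain | upper }}"`) and into principal names without any further validation, so anything odd in the host's resolver configuration (a trailing dot, mixed case, a placeholder like `localdomain`) becomes the Kerberos realm; the `kdb5_ldap_util` task that hunk belongs to starts outside the hunk.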


@ -1,4 +1,4 @@
## access controls for the Kerberos KDC ## access controls for the Kerberos KDC
root/admin@{{ ldap_domain | upper }} * root/admin@{{ ansible_domain | upper }} *
*@{{ ldap_domain | upper }} cil *@{{ ansible_domain | upper }} cil
*/*@{{ ldap_domain | upper }} i */*@{{ ansible_domain | upper }} i
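Review bot: The second rule, `*@{{ ansible_domain | upper }} cil`, carries the `c` (change password) permission with no target-principal field; in MIT kadm5.acl semantics an omitted target means the permission applies to every principal, so as written any user principal in the realm can run `cpw` against any other principal through kadmin. Users can already change their own password via kpasswd/changepw without an ACL entry, so unless cross-user password changes are intended this line should be `*@{{ ansible_domain | upper }} il`. Since the realm is now derived from a host fact rather than a variable with a fallback, a short comment above the file such as `## realm name is derived from ansible_domain; rules below apply to every principal` would help the next reader.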


@ -2,7 +2,7 @@
kdc_ports = 750,88 kdc_ports = 750,88
[realms] [realms]
{{ ldap_domain | upper }} = { {{ ansible_domain | upper }} = {
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash key_stash_file = /etc/krb5kdc/stash


@ -1,16 +1,16 @@
[libdefaults] [libdefaults]
default_realm = {{ ldap_domain | upper }} default_realm = {{ ansible_domain | upper }}
[realms] [realms]
{{ ldap_domain | upper }} = { {{ ansible_domain | upper }} = {
kdc = {{ ansible_hostname }} kdc = {{ ansible_hostname }}
admin_server = {{ ansible_hostname }} admin_server = {{ ansible_hostname }}
database_module = LDAP database_module = LDAP
} }
[domain_realm] [domain_realm]
.{{ ldap_domain }} = {{ ldap_domain | upper }} .{{ ansible_domain }} = {{ ansible_domain | upper }}
{{ ldap_domain }} = {{ ldap_domain | upper }} {{ ansible_domain }} = {{ ansible_domain | upper }}
[dbdefaults] [dbdefaults]
ldap_kerberos_container_dn = cn=kerberos,{{ basedn }} ldap_kerberos_container_dn = cn=kerberos,{{ basedn }}


@ -1,6 +1,5 @@
lan_homes: /home/lan lan_homes: /home/lan
ldap_domain: "{{ ansible_domain | default('intern', true) }}" basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
ldap_server: ldap ldap_server: ldap
krb_server: kerberos krb_server: kerberos
nfs_server: nfs nfs_server: nfs
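Review bot: The new `basedn` line keeps the `replace('^.','')` / `replace('.$','')` calls, but Jinja's `replace` is a literal substring replacement, not a regex, so those two filters only ever strip the two-character strings `^.` and `.$` and a leading or trailing dot in `ansible_domain` would survive and produce a DN like `dc=example,dc=com,dc=`. If the intent is to trim dots, use `ansible_domain | regex_replace('^\\.', '') | regex_replace('\\.$', '') | replace('.', ',dc=')`; if the fact is trusted to never carry them, drop the two no-op filters. Because the `default('intern', true)` fallback was removed here, this expression now also renders `dc=` for an empty domain unless every consumer runs the new `fail` guard first; a one-line comment stating that assumption would make the coupling explicit.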


@ -1,9 +1,12 @@
--- ---
- fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0
- name: preseed krb5-config realm - name: preseed krb5-config realm
debconf: debconf:
name: krb5-config name: krb5-config
question: krb5-config/default_realm question: krb5-config/default_realm
value: "{{ ldap_domain | upper }}" value: "{{ ansible_domain | upper }}"
vtype: string vtype: string
- name: preseed krb5-config kerberos servers - name: preseed krb5-config kerberos servers
@ -43,12 +46,12 @@
## Activate machine after installation: ## Activate machine after installation:
- name: create machine principal - name: create machine principal
command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ldap_domain }}" command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
no_log: true no_log: true
when: not run_in_installer|default(false)|bool when: not run_in_installer|default(false)|bool
- name: add principal to keytab - name: add principal to keytab
command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ldap_domain }}" command: kadmin -p root/admin -w {{ lookup('password', '/root/kadmin.pwd') }} -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
args: args:
creates: /etc/krb5.keytab creates: /etc/krb5.keytab
no_log: true no_log: true
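Review bot: In the "create machine principal" and "add principal to keytab" tasks the kadmin password is passed as `-w {{ lookup('password', '/root/kadmin.pwd') }}` on the command line, so it is visible in `ps`/`/proc/*/cmdline` on the target for the lifetime of the process; `no_log: true` only suppresses Ansible's own output. Prefer authenticating with an admin keytab (`kadmin -k -t /root/kadmin.keytab -p root/admin -q ...`) or another mechanism that keeps the secret off argv. Also be aware that the `password` lookup runs on the control node and silently generates a fresh random password when `/root/kadmin.pwd` does not exist there, so if this play is ever run from a remote controller the task fails with an authentication error rather than a clear "missing credential" message. The `addprinc` task has no `creates:` guard, so presumably a second run after installation will error with an existing-principal message.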


@ -16,7 +16,7 @@ ldap_search_base = {{ basedn }}
auth_provider = krb5 auth_provider = krb5
krb5_server = {{ krb_server }} krb5_server = {{ krb_server }}
krb5_realm = {{ ldap_domain | upper }} krb5_realm = {{ ansible_domain | upper }}
cache_credentials = true cache_credentials = true
min_id = 10000 min_id = 10000


@ -1,5 +1,4 @@
ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd length=24') }}" ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd length=24') }}"
ldap_pwd_file: "/root/ldap-admin.pwd" ldap_pwd_file: "/root/ldap-admin.pwd"
ldap_domain: "{{ ansible_domain | default('intern', true) }}" basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
lan_homes: /home/lan lan_homes: /home/lan
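Review bot: The `ldap_admin_pwd` default still generates and stores the LDAP admin password via `lookup('password', '/tmp/ldap_admin.pwd length=24')`; `/tmp` is a shared, world-writable directory that is typically cleared on reboot, so a later run will mint a new password that no longer matches what slapd was configured with, and another local user could pre-create that path so the lookup reads a value of their choosing. Keeping the generated secret next to `ldap_pwd_file` (for example `/root/ldap_admin.pwd`) avoids both problems. Since `basedn` is now computed directly from `ansible_domain` with no fallback, a comment noting that this file expects the slapd tasks' empty-domain guard to have run would document the new coupling.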


@ -1,6 +1,8 @@
## Install and configure slapd (if not done yet), ## Install and configure slapd (if not done yet),
## run most tasks only on slapd installation. ## run most tasks only on slapd installation.
--- ---
- fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0
- name: check if slapd is already there - name: check if slapd is already there
stat: path=/usr/sbin/slapd stat: path=/usr/sbin/slapd
@ -10,7 +12,7 @@
debconf: debconf:
name: slapd name: slapd
question: slapd/domain question: slapd/domain
value: "{{ ldap_domain }}" value: "{{ ansible_domain }}"
vtype: string vtype: string
when: not slapd.stat.exists when: not slapd.stat.exists
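Review bot: The `fail` task at the top uses `ansible_domain | length == 0`, which errors out on an undefined fact instead of reporting the intended message; `when: ansible_domain | default('') | length == 0` covers both cases, and a `name:` makes the task identifiable in output. The `slapd/domain` debconf answer now takes the raw fact, so the value slapd uses for its suffix is whatever the resolver reports, with no normalisation of case or trailing dots.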


@ -1,4 +1,3 @@
export_root: /srv/nfs4 export_root: /srv/nfs4
lan_homes: /home/lan lan_homes: /home/lan
ldap_domain: "{{ ansible_domain | default('intern', true) }}" basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
basedn: "{{ 'dc=' + ( ldap_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
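Review bot: The `basedn` derivation is now copied verbatim into this and at least two other role defaults files in the same commit; a single shared definition (group_vars or a common role) would keep the DN construction from drifting between the LDAP, Kerberos and NFS roles. The expression also relies on `replace('^.','')` and `replace('.$','')`, which are literal substring replacements in Jinja rather than regex anchors, so they do not strip leading or trailing dots as their spelling suggests.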


@ -1,5 +1,8 @@
## Install and configure nfs-server ## Install and configure nfs-server
--- ---
- fail: msg="The machine's domain must not be empty."
when: ansible_domain | length == 0
- name: check if there are installing - name: check if there are installing
stat: path=/etc/exports stat: path=/etc/exports
register: exports register: exports
@ -40,11 +43,11 @@
register: kadmin register: kadmin
- name: create machine principal - name: create machine principal
command: kadmin.local -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ldap_domain }}" command: kadmin.local -q "addprinc -randkey nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
when: kadmin.stat.exists and not exports.stat.exists when: kadmin.stat.exists and not exports.stat.exists
- name: add principal to the keytab - name: add principal to the keytab
command: kadmin.local -q "ktadd nfs/{{ ansible_hostname }}.{{ ldap_domain }}" command: kadmin.local -q "ktadd nfs/{{ ansible_hostname }}.{{ ansible_domain }}"
notify: "restart rpc-svcgssd" notify: "restart rpc-svcgssd"
when: kadmin.stat.exists and not exports.stat.exists when: kadmin.stat.exists and not exports.stat.exists
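Review bot: The new empty-domain guard reads `ansible_domain | length` without a default, so a missing fact aborts on the `when` expression rather than printing the message; `when: ansible_domain | default('') | length == 0` handles both. In the second hunk the nfs principal and keytab are only created when `kadmin.local` is present on this host, so on an NFS server that is not also the KDC the principal is presumably never created and nothing reports that; if that layout is supported, a `fail` or debug message for the `not kadmin.stat.exists` case would make the gap visible. The `register: kadmin` it depends on starts outside the hunk.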


@ -16,7 +16,7 @@ ldap_search_base = {{ basedn }}
auth_provider = krb5 auth_provider = krb5
krb5_server = {{ ansible_hostname }} krb5_server = {{ ansible_hostname }}
krb5_realm = {{ ldap_domain | upper }} krb5_realm = {{ ansible_domain | upper }}
cache_credentials = false cache_credentials = false
min_id = 10000 min_id = 10000