## Install and configure slapd (if not done yet);
## most tasks run only when slapd is being installed.
---
# Abort early: the slapd/domain preseed below is taken from ansible_domain,
# so an empty domain would produce a broken slapd install.
- fail:
    msg: "The machine's domain must not be empty."
  when: ansible_domain | length == 0

# slapd-config.ldif is copied into slapd.d only at first install (see below),
# so its presence marks that the install-time tasks already ran. The result
# is referenced as slapd.stat.exists throughout this file.
- name: check if slapd is already there
  register: slapd
  stat:
    path: /etc/ldap/slapd.d/slapd-config.ldif

- name: preseed ldap domain
  # Answer the slapd package's domain question up front so the apt install
  # below needs no interaction. Install-time only.
  debconf:
    name: slapd
    question: slapd/domain
    vtype: string
    value: '{{ ansible_domain }}'
  when: not slapd.stat.exists

- name: preseed slapd admin password1
  # First of the two admin-password answers; both carry the same value.
  # no_log keeps the password out of the play output.
  no_log: true
  debconf:
    name: slapd
    question: slapd/password1
    vtype: password
    value: '{{ ldap_admin_pwd }}'
  when: not slapd.stat.exists

- name: preseed slapd admin password2
  # Second (confirmation) admin-password answer, same value as password1.
  # no_log keeps the password out of the play output.
  no_log: true
  debconf:
    name: slapd
    question: slapd/password2
    vtype: password
    value: '{{ ldap_admin_pwd }}'
  when: not slapd.stat.exists

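- name: dump admin password
  # Persist the admin password for later runs (the slurp task below reads it
  # back). The copy module is used instead of `echo ... > file; chmod` so that:
  #  - the password never appears on a shell command line,
  #  - the file is created with its final mode rather than with the umask
  #    default and tightened afterwards,
  #  - shell-special characters in the password are not interpreted.
  # No trailing newline is written, matching the previous `echo -n`.
  copy:
    content: "{{ ldap_admin_pwd }}"
    dest: "{{ ldap_admin_pwd_file }}"
    mode: "0600"
  no_log: true
  when: not slapd.stat.exists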

- name: install slapd, ldap-utils, ldapvi and python3-ldap
  # python3-ldap is what the ldap_entry tasks further down rely on.
  # `state: latest` also upgrades these packages on every run, not only at
  # first install.
  apt:
    state: latest
    name:
      - slapd
      - ldap-utils
      - ldapvi
      - python3-ldap

- name: make initial slapd configuration available
  # Written with the copy module's default mode (umask based). If the LDIF
  # carries an olcRootPW or similar secret, an explicit restrictive mode
  # would be preferable — TODO confirm against files/slapd-config.ldif.
  copy:
    dest: /etc/ldap/slapd.d/slapd-config.ldif
    src: slapd-config.ldif
  when: not slapd.stat.exists

- name: activate ppolicy schema
  # Loads the password-policy schema over the local socket, authenticating as
  # the connecting local user (SASL EXTERNAL over ldapi). ldapadd is not
  # idempotent, hence the install-time guard.
  command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
  when: not slapd.stat.exists

- name: initialize slapd if it has just been installed
  # Applies the LDIF copied in above, over the local socket with SASL
  # EXTERNAL. Must run after the ppolicy schema is present. Not idempotent,
  # hence the install-time guard.
  command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif
  when: not slapd.stat.exists

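- name: "make 'ldap' an alias hostname resolvable from the LAN"
  # Appends "<TAB>ldap" to the /etc/hosts line that starts with the LAN
  # address. The tab is written as an explicit escape instead of a literal
  # tab character, so it survives editors that rewrite whitespace.
  # Note the dots of the address are unescaped regex metacharacters; harmless
  # as long as the matched line really is the LAN address line.
  replace:
    path: /etc/hosts
    regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
    replace: "\\1\tldap"
  # Install-time only: a later change of ipaddr_lan is not reflected here.
  when: not slapd.stat.exists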

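- name: add URI to ldap.conf
  lineinfile:
    path: /etc/ldap/ldap.conf
    # Match any existing active URI directive so it is replaced rather than
    # duplicated; only when none exists is the line inserted after the
    # commented "#URI" line.
    regexp: '^URI\s'
    line: "URI ldapi:///"
    insertafter: "#URI.*"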

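- name: add BASE to ldap.conf
  lineinfile:
    path: /etc/ldap/ldap.conf
    # Match any existing active BASE directive so it is replaced rather than
    # duplicated; only when none exists is the line inserted after the
    # commented "#BASE" line.
    regexp: '^BASE\s'
    line: "BASE {{ basedn }}"
    insertafter: "#BASE.*"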

#######################################################################################
## Use the admin password saved to file from now on (available also after installation):
- name: slurp admin password
  # Re-binds the name ldap_admin_pwd: above it was used as the plain password
  # string; from here on it is the slurp result and consumers read
  # ldap_admin_pwd['content'] | b64decode. no_log keeps the content out of
  # the play output.
  no_log: true
  register: ldap_admin_pwd
  slurp:
    src: '{{ ldap_admin_pwd_file }}'

## Prepare the directory's people and group containers
- name: make sure we have a people entry for users
  # Container for user entries (uid=...,ou=people). Binds as the admin DN with
  # the password read back from the file above.
  ldap_entry:
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
    dn: "ou=people,{{ basedn }}"
    objectClass: organizationalUnit

- name: make sure we have a group entry for users
  # Container for group entries (cn=...,ou=groups). Binds as the admin DN with
  # the password read back from the file above.
  ldap_entry:
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
    dn: "ou=groups,{{ basedn }}"
    objectClass: organizationalUnit

- name: add group for ldap users
  # Common posixGroup for all LDAP users; its gid comes from ldapuser_gid.
  ldap_entry:
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
    dn: "cn=ldapuser,ou=groups,{{ basedn }}"
    objectClass:
      - posixGroup
    attributes:
      gidNumber: '{{ ldapuser_gid }}'

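- name: provide simple script to manage ldap/kdc
  template:
    src: debian-lan.j2
    dest: /usr/local/sbin/debian-lan
    # Quoted so the YAML parser cannot read the octal as a decimal integer.
    mode: "0744"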

## Add user
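- name: add dummy user foo
  ldap_entry:
    dn: "uid=foo,ou=people,{{ basedn }}"
    objectClass:
      - inetOrgPerson
      - posixAccount
    attributes:
      cn: foo
      sn: bar
      # Stored as given: if foo_pwd is not already a hashed value, slapd keeps
      # it in clear unless the password-policy configuration in
      # slapd-config.ldif hashes cleartext — TODO confirm against that file.
      userPassword: "{{ foo_pwd }}"
      # uid and primary gid share min_id; the matching group is created below.
      uidNumber: "{{ min_id }}"
      gidNumber: "{{ min_id }}"
      homeDirectory: "{{ lan_homes }}/foo"
      loginShell: /bin/bash
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
  # userPassword is an ordinary attribute value and would otherwise show up in
  # verbose/diff output; suppress logging for the whole task.
  no_log: true
  when: foo_pwd is defined and foo_pwd | length > 0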

- name: add dummy group foo
  # Primary group for the dummy user; created under the same condition as the
  # user so the two always appear together.
  ldap_entry:
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
    dn: "cn=foo,ou=groups,{{ basedn }}"
    objectClass:
      - posixGroup
    attributes:
      gidNumber: '{{ min_id }}'
  when: foo_pwd is defined and foo_pwd | length > 0

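- name: allow ldap service in firewalld
  # Permanent configuration only: without `immediate`, the running firewall
  # is not touched by this task and picks the rule up on the next reload.
  firewalld:
    zone: internal
    service: ldap
    permanent: true
    state: enabled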