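## Install and configure slapd.
##
## Order of work: refuse to run without a domain, run setup.yml only while
## slapd is not installed yet, then (re)create the people/groups OUs, the
## shared ldapuser group, the optional dummy user "foo", the debian-lan
## helper script and the firewalld rule for the ldap service.
---
- name: make sure the machine has a domain
  # basedn is presumably derived from ansible_domain elsewhere in the role;
  # an empty domain would yield a malformed base DN for every task below.
  fail:
    msg: "The machine's domain must not be empty."
  when: ansible_domain | length == 0

- name: check if slapd is already set up
  stat:
    path: /usr/sbin/slapd
  register: slapd

- name: install and configure slapd
  include_tasks: setup.yml
  when: not slapd.stat.exists

#######################################################################################
## Use the admin password saved to file (available also after installation):
- name: slurp admin password
  slurp:
    src: "{{ ldap_admin_pwd_file }}"
  register: ldap_admin_pwd
  # The registered result carries the admin password (base64); keep it out of logs.
  no_log: true

## Prepare user directories
- name: make sure we have a people entry for users
  ldap_entry:
    dn: "ou=people,{{ basedn }}"
    objectClass: organizationalUnit
    bind_dn: "cn=admin,{{ basedn }}"
    # slurp returns base64; the decoded file ends with a newline that must not
    # become part of the password.
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"

- name: make sure we have a group entry for users
  ldap_entry:
    dn: "ou=groups,{{ basedn }}"
    objectClass: organizationalUnit
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"

- name: add group for ldap users
  ldap_entry:
    dn: "cn=ldapuser,ou=groups,{{ basedn }}"
    objectClass:
      - posixGroup
    attributes:
      gidNumber: "{{ ldapuser_gid }}"
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"

- name: provide simple script to manage ldap/kdc
  template:
    src: debian-lan.j2
    dest: /usr/local/sbin/debian-lan
    # Quoted so the octal literal reaches Ansible as a string and is not
    # re-typed by YAML (0744 would otherwise be parsed as decimal 484).
    # The script is world-readable; fine as long as debian-lan.j2 renders no
    # secrets -- confirm against the template.
    mode: "0744"

## Optional demo account, created only when a password for it is configured.
- name: add dummy user foo
  ldap_entry:
    dn: "uid=foo,ou=people,{{ basedn }}"
    objectClass:
      - inetOrgPerson
      - posixAccount
    attributes:
      cn: foo
      sn: bar
      userPassword: "{{ foo_pwd }}"
      uidNumber: "{{ min_id }}"
      gidNumber: "{{ min_id }}"
      homeDirectory: "{{ lan_homes }}/foo"
      loginShell: /bin/bash
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
  # The task arguments contain the cleartext userPassword; unlike bind_pw it
  # is an ordinary attribute value and is not masked by the module itself.
  no_log: true
  when: foo_pwd is defined and foo_pwd | length > 0

- name: add dummy group foo
  ldap_entry:
    dn: "cn=foo,ou=groups,{{ basedn }}"
    objectClass:
      - posixGroup
    attributes:
      # Private group for foo: same id as the account's uidNumber/gidNumber.
      gidNumber: "{{ min_id }}"
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
  when: foo_pwd is defined and foo_pwd | length > 0

- name: allow ldap service in firewalld
  firewalld:
    zone: internal
    service: ldap
    # Written to the permanent configuration and applied to the running
    # firewall at once.
    permanent: true
    immediate: true
    state: enabled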