lmn-client/roles/ldap/tasks/setup.yml
2023-02-07 19:17:53 +01:00


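## Install and configure slapd.
---
# Preseed the slapd debconf questions so the package installs non-interactively
# with the domain and admin password taken from the inventory variables.
- name: preseed ldap domain
  debconf:
    name: slapd
    question: slapd/domain
    value: "{{ ansible_domain }}"
    vtype: string

# NOTE(review): debconf keeps preseeded answers in its own database after the
# package is configured; confirm whether the password entries need clearing.
- name: preseed slapd admin password1
  debconf:
    name: slapd
    question: slapd/password1
    value: "{{ ldap_admin_pwd }}"
    vtype: password
  no_log: true

- name: preseed slapd admin password2
  debconf:
    name: slapd
    question: slapd/password2
    value: "{{ ldap_admin_pwd }}"
    vtype: password
  no_log: true

# Written with the copy module instead of `echo -n ... > file ; chmod 0600`:
# the shell form places the password in the command line (visible in the
# process list and the shell history) and the file exists with the umask
# default permissions until the chmod runs.  `force: false` keeps the
# original create-once semantics of `creates:` (an existing file is left
# untouched, including its mode); no trailing newline is written, as before.
- name: dump admin password
  copy:
    content: "{{ ldap_admin_pwd }}"
    dest: "{{ ldap_admin_pwd_file }}"
    mode: "0600"
    force: false
  no_log: true

- name: install packages for LDAP
  apt:
    name:
      - slapd
      - ldap-utils
      - ldapvi
      - python3-ldap
      - ssl-cert
    state: latest  # noqa package-latest

# slapd runs as "openldap"; membership in ssl-cert grants read access to the
# host key material so the TLS configuration below can be loaded.
- name: add openldap to the ssl-cert group
  user:
    name: openldap
    groups: ssl-cert
    append: true
  notify: restart slapd

# File modes are quoted so YAML does not reinterpret the leading-zero octal.
- name: make initial slapd configuration available
  copy:
    src: slapd-config.ldif
    dest: /etc/ldap/slapd.d/
    mode: "0644"

- name: make slapd TLS configuration available
  template:
    src: slapd-TLS.ldif
    dest: /etc/ldap/slapd.d/
    mode: "0644"

# The three ldap* commands below talk to the local socket with SASL EXTERNAL
# (root via ldapi:///) and run unconditionally; they are not idempotent on
# their own.  NOTE(review): the task names suggest the including play only
# runs this file right after installation — verify, since re-running
# ldapadd against an already initialised cn=config fails on duplicates.
- name: activate ppolicy schema
  command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif  # noqa no-changed-when

- name: initialize slapd if it has just been installed
  command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif  # noqa no-changed-when

- name: configure LDAP TLS
  command: ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-TLS.ldif  # noqa no-changed-when

# Client-side defaults for the ldap-utils tools (`path` used consistently
# with the replace task below; `dest` is the same parameter under an alias).
- name: add URI to ldap.conf
  lineinfile:
    path: /etc/ldap/ldap.conf
    line: "URI ldapi:///"
    insertafter: "#URI.*"

- name: add BASE to ldap.conf
  lineinfile:
    path: /etc/ldap/ldap.conf
    line: "BASE {{ basedn }}"
    insertafter: "#BASE.*"

# Comment out the distribution CA bundle line and point TLS_CACERT at the
# deployed certificate instead; the regexp is anchored so it only rewrites
# the stock line once (the commented copy no longer matches on re-runs).
- name: check against self signed certificate
  replace:
    path: /etc/ldap/ldap.conf
    regexp: "^(TLS_CACERT\\s+/etc/ssl/certs/ca-certificates.crt)$"
    replace: '#\1\nTLS_CACERT\t{{ certpub }}'

- name: enable pam-mkhomedir
  command: pam-auth-update --enable mkhomedir
  when: foo_pwd is defined and foo_pwd | length > 0
## Use 'sudo ldapvi -Y EXTERNAL -h ldapi:/// -b "cn=config"' to modify certificate and key.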