## Install and configure slapd (if it is not installed yet).
## Most of the tasks below run only while slapd is being installed;
## they are guarded by the marker file checked in the first stat task.
---
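- name: refuse to continue without a machine domain
  # ansible_domain is used as the slapd/domain preseed value further
  # down, so an empty domain would be preseeded verbatim.
  # Native YAML module args instead of the key=value shorthand.
  fail:
    msg: "The machine's domain must not be empty."
  when: ansible_domain | length == 0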
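- name: check if slapd is already there
  # The presence of this file is the "slapd already initialized" marker:
  # nearly every task below is skipped when slapd.stat.exists is true.
  # Native YAML module args instead of the key=value shorthand.
  stat:
    path: /etc/ldap/slapd.d/slapd-config.ldif
  register: slapd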
- name: preseed ldap domain
  # Answer the slapd debconf question before the package is installed,
  # using the host's own domain.
  when: not slapd.stat.exists
  debconf:
    name: slapd
    question: slapd/domain
    vtype: string
    value: "{{ ansible_domain }}"
- name: preseed slapd admin password1
  # First of the two debconf password prompts; no_log keeps the value
  # out of the play output.
  when: not slapd.stat.exists
  no_log: true
  debconf:
    name: slapd
    question: slapd/password1
    vtype: password
    value: "{{ ldap_admin_pwd }}"
- name: preseed slapd admin password2
  # Confirmation prompt; must receive the same value as password1.
  when: not slapd.stat.exists
  no_log: true
  debconf:
    name: slapd
    question: slapd/password2
    vtype: password
    value: "{{ ldap_admin_pwd }}"
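- name: dump admin password
  # Persist the admin password so later runs can bind without the
  # plaintext variable (see the slurp task below).
  # copy/content writes the file atomically with the final mode already
  # applied, so the secret is never briefly readable under the default
  # umask, and the password never appears on a shell command line
  # (the previous `shell: echo ... ; chmod` had both problems). No
  # trailing newline is written, matching the old `echo -n`.
  copy:
    content: "{{ ldap_admin_pwd }}"
    dest: "{{ ldap_admin_pwd_file }}"
    mode: "0600"
  no_log: true
  when: not slapd.stat.exists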
- name: install slapd, ldap-utils, ldapvi and python3-ldap
  # python3-ldap is needed by the ldap_entry tasks further down.
  # state: latest also upgrades these packages on every run, not only
  # on first installation.
  apt:
    state: latest
    name:
      - slapd
      - ldap-utils
      - ldapvi
      - python3-ldap
- name: make initial slapd configuration available
  # NOTE(review): the destination is also the marker file checked by the
  # stat task at the top. It is created here, before the ldapadd tasks
  # below have succeeded, so a failed initialization leaves the marker in
  # place and the next run skips the whole setup — confirm this is intended.
  when: not slapd.stat.exists
  copy:
    dest: /etc/ldap/slapd.d/slapd-config.ldif
    src: slapd-config.ldif
- name: activate ppolicy schema
  # Loads the password-policy schema over the local ldapi socket using
  # the SASL EXTERNAL (root) identity; only run on first installation
  # because ldapadd is not idempotent.
  when: not slapd.stat.exists
  command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
- name: initialize slapd if it has just been installed
  # Applies the configuration copied above; like the schema load this is
  # not idempotent and is therefore limited to the installation run.
  when: not slapd.stat.exists
  command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif
- name: "make 'ldap' an alias hostname resolvable from the LAN"
  # Appends " ldap" to the /etc/hosts line that starts with the LAN
  # address. The replace is not idempotent by itself (it would append
  # again), which is why it is tied to the installation run.
  when: not slapd.stat.exists
  replace:
    path: /etc/hosts
    replace: '\1 ldap'
    regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
#######################################################################################
## From here on, use the admin password saved to file (also available after installation):
- name: slurp admin password
  # NOTE(review): this registers under the same name as the plaintext
  # variable used for the debconf preseed above; after this task
  # ldap_admin_pwd is the slurp result (the later tasks read
  # ldap_admin_pwd['content']), unless the variable was supplied as an
  # extra var, which takes precedence. A distinct name would be clearer.
  no_log: true
  slurp:
    src: "{{ ldap_admin_pwd_file }}"
  register: ldap_admin_pwd
## Prepare user directories
- name: make sure we have a people entry for users
  # The slurped file content is base64; decode it and strip any newline
  # before using it as the bind password.
  ldap_entry:
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
    dn: "ou=people,{{ basedn }}"
    objectClass: organizationalUnit
- name: make sure we have a group entry for users
  # Same bind as the people entry; only the DN differs.
  ldap_entry:
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
    dn: "ou=groups,{{ basedn }}"
    objectClass: organizationalUnit
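- name: provide simple script to add/delete users
  # File mode is quoted: an unquoted 0744 is parsed as an octal integer
  # by YAML 1.1 parsers and as decimal 744 by others, so the string form
  # is the only portable spelling.
  template:
    src: debian-lan.j2
    dest: /usr/local/bin/debian-lan
    mode: "0744"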
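## Add user
- name: add dummy user foo
  # no_log added: ldap_entry masks bind_pw itself, but the userPassword
  # attribute is an ordinary attribute value and would otherwise show up
  # in verbose task output.
  # NOTE(review): the value of foo_pwd is stored as given; if it is a
  # plaintext password rather than a pre-hashed value, it ends up in the
  # directory unhashed — confirm what foo_pwd contains.
  ldap_entry:
    dn: "uid=foo,ou=people,{{ basedn }}"
    objectClass:
      - inetOrgPerson
      - posixAccount
    attributes:
      cn: foo
      sn: bar
      userPassword: "{{ foo_pwd }}"
      uidNumber: 10000
      gidNumber: 10000
      homeDirectory: "{{ lan_homes }}/foo"
      loginShell: /bin/bash
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
  no_log: true
  when: foo_pwd is defined and foo_pwd | length > 0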
- name: add dummy group foo
  # Primary group matching the gidNumber of the dummy user; created
  # under the same condition as the user.
  when: foo_pwd is defined and foo_pwd | length > 0
  ldap_entry:
    bind_dn: "cn=admin,{{ basedn }}"
    bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
    dn: "cn=foo,ou=groups,{{ basedn }}"
    objectClass:
      - posixGroup
    attributes:
      gidNumber: 10000
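- name: allow ldap service in firewalld
  # `permanent: yes` rewritten as a canonical boolean; the value is the
  # same, but yes/no differ between YAML 1.1 and 1.2 parsers.
  # NOTE(review): a permanent-only change takes effect after the next
  # firewalld reload; add `immediate: true` if the rule must be live in
  # the same run.
  # NOTE(review): this exposes the plain ldap service (389) to the
  # internal zone; whether clients are required to use STARTTLS is
  # decided in the slapd configuration, which is not visible here.
  firewalld:
    zone: internal
    service: ldap
    permanent: true
    state: enabled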