debfranca
/
ansible-roles
forked from ISTI-ansible-roles/ansible-roles
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

openldap: Install a custom DB_CONFIG

This commit is contained in:
Andrea Dell'Amico 2018-03-04 12:18:36 +01:00
parent 10bcd7ca65
commit e912f58caa
4 changed files with 69 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
openldap-server/defaults/main.yml
View File

@ -11,6 +11,9 @@ openldap_pkg_list:
- ldapscripts - ldapscripts
- db-util - db-util
# DB_CONFIG options
openldap_db_set_cachesize: '0 524288000 1'
openldap_slapd_services: 'ldap:/// ldapi:///' openldap_slapd_services: 'ldap:/// ldapi:///'
openldap_slapd_tcp_port: 389 openldap_slapd_tcp_port: 389
openldap_slapd_ssl_port: 636 openldap_slapd_ssl_port: 636

122
openldap-server/tasks/openldap_initializazion.yml
View File

@ -1,67 +1,61 @@
--- ---
- name: Install the apparmor additional configuration if we are going to use letsencrypt - block:
copy: src=usr.sbin.slapd.apparmor dest=/etc/apparmor.d/local/usr.sbin.slapd force=yes - name: Install the apparmor additional configuration if we are going to use letsencrypt
register: slapd_apparmour copy: src=usr.sbin.slapd.apparmor dest=/etc/apparmor.d/local/usr.sbin.slapd force=yes
when: openldap_letsencrypt_managed register: slapd_apparmour
when: openldap_letsencrypt_managed
- name: Restart apparmor
service: name=apparmor state=restarted
- name: Install the ldif file needed to change the BASE DN and the Root DN
template: src=base-dn.ldif.j2 dest=/etc/ldap/schema/base-dn.ldif owner=root group=root mode=0400
register: base_dn_ldif
- name: Change the Base DN and Root DN
shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/base-dn.ldif
when: base_dn_ldif is changed
- name: Generate the local admin password
shell: slappasswd -h {SSHA} -s {{ slapd_admin_pwd }} > /root/.slapdadmin ; chmod 400 /root/.slapdadmin
args:
creates: /root/.slapdadmin
when: slapd_admin_pwd is defined
register: admin_pass_file
- name: Copy the ldif template to set the admin password
template: src=adminpwd.ldif.j2 dest=/etc/ldap/adminpwd_ldif.tmpl
when: slapd_admin_pwd is defined
- name: Create the ldif file to set the admin password
shell: export ADMIN_PASS=$( cat /root/.slapdadmin ); sed -e "s/@ADMINPWD@/${ADMIN_PASS}/" /etc/ldap/adminpwd_ldif.tmpl > /etc/ldap/adminpwd.ldif ; chmod 400 /etc/ldap/adminpwd.ldif
when: slapd_admin_pwd is defined
- name: Finally set the admin password
shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/adminpwd.ldif
when: admin_pass_file is changed
- name: Copy the monitor ldif file
template: src={{ item }}.j2 dest=/etc/ldap/schema/{{ item }}
with_items: '{{ openldap_base_schemas | default([]) }}'
- name: Install some default schemas
shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
args:
creates: '/etc/ldap/schema/{{ item }}.installed'
with_items: '{{ openldap_base_schemas | default([]) }}'
- name: Install some additional schemas
shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
args:
creates: '/etc/ldap/schema/{{ item }}.installed'
with_items: '{{ openldap_additional_schemas | default([]) }}'
- name: Install the default environment for slapd
template: src=slapd-default.j2 dest=/etc/default/slapd owner=root group=root mode=0644
- name: Install the DB_CONFIG settings
template: src=DB_CONFIG.j2 dest=/var/lib/ldap/DB_CONFIG owner=openldap group=openldap mode=0644
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ] tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
- name: Restart apparmor
service: name=apparmor state=restarted
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
- name: Install the ldif file needed to change the BASE DN and the Root DN
template: src=base-dn.ldif.j2 dest=/etc/ldap/schema/base-dn.ldif owner=root group=root mode=0400
register: base_dn_ldif
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
- name: Change the Base DN and Root DN
shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/base-dn.ldif
when: base_dn_ldif is changed
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
- name: Generate the local admin password
shell: slappasswd -h {SSHA} -s {{ slapd_admin_pwd }} > /root/.slapdadmin ; chmod 400 /root/.slapdadmin
args:
creates: /root/.slapdadmin
when: slapd_admin_pwd is defined
register: admin_pass_file
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
- name: Copy the ldif template to set the admin password
template: src=adminpwd.ldif.j2 dest=/etc/ldap/adminpwd_ldif.tmpl
when: slapd_admin_pwd is defined
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
- name: Create the ldif file to set the admin password
shell: export ADMIN_PASS=$( cat /root/.slapdadmin ); sed -e "s/@ADMINPWD@/${ADMIN_PASS}/" /etc/ldap/adminpwd_ldif.tmpl > /etc/ldap/adminpwd.ldif ; chmod 400 /etc/ldap/adminpwd.ldif
when: slapd_admin_pwd is defined
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
- name: Finally set the admin password
shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/adminpwd.ldif
when: admin_pass_file is changed
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
- name: Copy the monitor ldif file
template: src={{ item }}.j2 dest=/etc/ldap/schema/{{ item }}
with_items: '{{ openldap_base_schemas | default([]) }}'
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
- name: Install some default schemas
shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
args:
creates: '/etc/ldap/schema/{{ item }}.installed'
with_items: '{{ openldap_base_schemas | default([]) }}'
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
- name: Install some additional schemas
shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
args:
creates: '/etc/ldap/schema/{{ item }}.installed'
with_items: '{{ openldap_additional_schemas | default([]) }}'
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
- name: Install the default environment for slapd
template: src=slapd-default.j2 dest=/etc/default/slapd owner=root group=root mode=0644
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]

3
openldap-server/tasks/openldap_master_setup.yml
View File

@ -6,6 +6,9 @@
- name: Create the accesslog directory - name: Create the accesslog directory
file: dest=/var/lib/ldap/accesslog state=directory owner=openldap group=openldap file: dest=/var/lib/ldap/accesslog state=directory owner=openldap group=openldap
- name: Install the DB_CONFIG settings into the accesslog directory
template: src=DB_CONFIG.j2 dest=/var/lib/ldap/accesslog/DB_CONFIG owner=openldap group=openldap mode=0644
- name: Install the accesslog and syncprov configuration - name: Install the accesslog and syncprov configuration
shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
args: args:

5
openldap-server/templates/DB_CONFIG.j2 Normal file
View File

@ -0,0 +1,5 @@
set_cachesize {{ openldap_db_set_cachesize }}
set_lk_max_objects 1500
set_lk_max_locks 3000
set_lk_max_lockers 1500
set_flags DB_LOG_AUTOREMOVE