forked from ISTI-ansible-roles/ansible-roles
library/roles/openldap-server: add script and an optional cron job to remove the old transaction logs. Ansible 2 fixes.
This commit is contained in:
parent
70c4f447da
commit
f6414fdb92
|
@ -6,11 +6,13 @@ openldap_pkg_list:
|
|||
- ldapvi
|
||||
- ldap-utils
|
||||
- ldapscripts
|
||||
- db-util
|
||||
|
||||
openldap_slapd_tcp_port: 389
|
||||
openldap_slapd_ssl_port: 636
|
||||
openldap_slapd_ssl_only: False
|
||||
|
||||
openldap_db_dir: /var/lib/ldap
|
||||
# Schemas automatically added:
|
||||
# core.ldif
|
||||
# cosine.ldif
|
||||
|
@ -19,6 +21,8 @@ openldap_slapd_ssl_only: False
|
|||
#openldap_additional_schemas:
|
||||
# - dyngroup.ldif
|
||||
|
||||
openldap_cleaner_cron_job: False
|
||||
|
||||
# Set slapd_admin_pwd in a vault file
|
||||
slapd_debconf_params:
|
||||
- { question: 'slapd/no_configuration', value: 'false', vtype: 'boolean' }
|
||||
|
|
|
@ -2,3 +2,7 @@
|
|||
- include: openldap_packages.yml
|
||||
- include: openldap_initializazion.yml
|
||||
when: openldap_service_enabled
|
||||
- include: openldap_maintenance.yml
|
||||
when: openldap_service_enabled
|
||||
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: Create a basic configuration
|
||||
debconf: name=slapd question='{{ item.question }}' value='{{ item.value }}' vtype='{{ item.vtype }}'
|
||||
with_items: slapd_debconf_params
|
||||
with_items: '{{ slapd_debconf_params }}'
|
||||
when: openldap_service_enabled
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||
|
||||
|
@ -32,7 +32,7 @@
|
|||
shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/{{ item }}.installed
|
||||
args:
|
||||
creates: '/etc/ldap/schema/{{ item }}.installed'
|
||||
with_items: openldap_additional_schemas
|
||||
with_items: '{{ openldap_additional_schemas }}'
|
||||
when: openldap_additional_schemas is defined
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
- name: Install a script that removes the old transaction logs
|
||||
template: src=ldap_logs_cleaner.sh.j2 dest=/usr/local/bin/ldap_logs_cleaner owner=root group=root mode=0500
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'ldap_db_cleaner' ]
|
||||
|
||||
- name: Install a cron job to run the ldap cleaner daily
|
||||
cron: name="LDAP transaction logs cleaner" hour="0" job="/usr/local/bin/ldap_logs_cleaner"
|
||||
when: openldap_cleaner_cron_job
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'ldap_db_cleaner' ]
|
||||
|
||||
- name: Install the cron job that runs the ldap cleaner
|
||||
cron: name="LDAP transaction logs cleaner" state=absent
|
||||
when: not openldap_cleaner_cron_job
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'ldap_db_cleaner' ]
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
- name: Install the openldap server packages
|
||||
apt: name={{ item }} state={{ openldap_pkg_state }}
|
||||
with_items: openldap_pkg_list
|
||||
with_items: '{{ openldap_pkg_list }}'
|
||||
tags: [ 'ldap_server', 'ldap' ]
|
||||
|
||||
- name: Ensure that the slapd service is enabled and running
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
db_archive -d -h {{ openldap_db_dir }} > /var/log/ldap_cleaner 2>&1
|
||||
exit 0
|
||||
|
|
@ -2,48 +2,41 @@
|
|||
- name: Create the sudoers group if needed
|
||||
group: name={{ users_sudoers_group }} state=present
|
||||
when: users_sudoers_create_group
|
||||
tags:
|
||||
- users
|
||||
tags: users
|
||||
|
||||
- name: Add a sudo additional configuration for the new sudoers group
|
||||
template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
|
||||
when: users_sudoers_create_sudo_conf
|
||||
tags:
|
||||
- users
|
||||
tags: users
|
||||
|
||||
- name: Create users
|
||||
user: name={{ item.login }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }}
|
||||
with_items: users_system_users
|
||||
when:
|
||||
- users_system_users is defined
|
||||
tags:
|
||||
- users
|
||||
with_items: '{{ users_system_users }}'
|
||||
when: users_system_users is defined
|
||||
tags: users
|
||||
|
||||
- name: ensure that the users can login with their ssh keys
|
||||
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
|
||||
with_items: users_system_users
|
||||
with_items: '{{ users_system_users }}'
|
||||
when:
|
||||
- users_system_users is defined
|
||||
- item.ssh_key is defined
|
||||
tags:
|
||||
- users
|
||||
tags: users
|
||||
|
||||
- name: Add the admin users to the sudoers group
|
||||
user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes
|
||||
with_items: users_system_users
|
||||
with_items: '{{ users_system_users }}'
|
||||
when:
|
||||
- users_system_users is defined
|
||||
- item.admin
|
||||
tags:
|
||||
- users
|
||||
tags: users
|
||||
|
||||
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
|
||||
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
||||
with_items: users_system_users
|
||||
with_items: '{{ users_system_users }}'
|
||||
when:
|
||||
- users_system_users is defined
|
||||
- item.ssh_key is defined
|
||||
- ( item.log_as_root is defined ) and ( item.log_as_root )
|
||||
tags:
|
||||
- users
|
||||
tags: users
|
||||
|
||||
|
|
Loading…
Reference in New Issue