Various fixes to the ldap playbook. Now force the correct base DN.

openldap-server/defaults/main.yml

@@ -19,9 +19,16 @@ openldap_db_dir: /var/lib/ldap
 # cosine.ldif
 # inetorgperson.ldif
 # nis.ldif
+
+openldap_base_schemas:
+  - monitor.ldif
+
 #openldap_additional_schemas:
 #  - dyngroup.ldif
 
+openldap_admin_user: admin
+openldap_base_dn: 'dc=example,dc=org'
+
 openldap_cleaner_cron_job: False
 openldap_letsencrypt_managed: False
 

openldap-server/files/usr.sbin.slapd.apparmor

@@ -0,0 +1,3 @@
+  /etc/pki/openldap/ r,
+  /etc/pki/openldap/* r,
+  

openldap-server/tasks/main.yml

@@ -1,10 +1,10 @@
 ---
-- include: openldap_packages.yml
+- import_tasks: openldap_packages.yml
-- include: openldap_initializazion.yml
+- import_tasks: openldap_initializazion.yml
   when: openldap_service_enabled
-- include: openldap_maintenance.yml
+- import_tasks: openldap_maintenance.yml
   when: openldap_service_enabled
-- include: openldap-letsencrypt.yml
+- import_tasks: openldap-letsencrypt.yml
   when: openldap_letsencrypt_managed
 
   

openldap-server/tasks/openldap_initializazion.yml

@@ -1,10 +1,24 @@
 ---
-- name: Create a basic configuration
+- name: Install the apparmor additional configuration if we are going to use letsencrypt
+  copy: src=usr.sbin.slapd.apparmor dest=/etc/apparmor.d/local/usr.sbin.slapd force=yes 
+  when: openldap_letsencrypt_managed
+
+- name: Create a basic configuration via debconf
   debconf: name=slapd question='{{ item.question }}' value='{{ item.value }}' vtype='{{ item.vtype }}'
   with_items: '{{ slapd_debconf_params }}'
   when: openldap_service_enabled
   tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
 
+- name: Install the ldif file needed to change the BASE DN and the Root DN
+  template: src=base-dn.ldif.j2 dest=/etc/ldap/schema/base-dn.ldif owner=root group=root mode=0400
+  register: base_dn_ldif
+  tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
+
+- name: Change the Base DN and Root DN
+  shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/base-dn.ldif
+  when: base_dn_ldif is changed
+  tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
+
 - name: Generate the local admin password
   shell: slappasswd -h {SSHA} -s {{ slapd_admin_pwd }} > /root/.slapdadmin ; chmod 400 /root/.slapdadmin
   args:
@@ -19,13 +33,25 @@
   tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
 
 - name: Create the ldif file to set the admin password
-  shell: ADMIN_PASS=$( cat /root/.slapdadmin ); sed -e "s/@ADMINPWD@/${ADMIN_PASS}/" /etc/ldap/adminpwd_ldif.tmpl > /etc/ldap/adminpwd.ldif ; chmod 400 /etc/ldap/adminpwd.ldif
+  shell: export ADMIN_PASS=$( cat /root/.slapdadmin ); sed -e "s/@ADMINPWD@/${ADMIN_PASS}/" /etc/ldap/adminpwd_ldif.tmpl > /etc/ldap/adminpwd.ldif ; chmod 400 /etc/ldap/adminpwd.ldif
   when: slapd_admin_pwd is defined
   tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
 
 - name: Finally set the admin password
   shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/adminpwd.ldif
-  when: ( admin_pass_file | changed )
+  when: admin_pass_file is changed
+  tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
+
+- name: Copy the monitor ldif file
+  template: src={{ item }}.j2 dest=/etc/ldap/schema/{{ item }}
+  with_items: '{{ openldap_base_schemas | default([]) }}'
+  tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
+
+- name: Install some default schemas
+  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
+  args:
+    creates: '/etc/ldap/schema/{{ item }}.installed'
+  with_items: '{{ openldap_base_schemas | default([]) }}'
   tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
 
 - name: Install some additional schemas

openldap-server/templates/base-dn.ldif.j2

@@ -0,0 +1,9 @@
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+replace: olcSuffix
+olcSuffix: {{ openldap_base_dn }}
+
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+replace: olcRootDN
+olcRootDN: cn={{ openldap_admin_user }},{{ openldap_base_dn }}

openldap-server/templates/monitor.ldif.j2

@@ -0,0 +1,5 @@
+dn: olcDatabase={1}monitor,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn={{ openldap_admin_user }},{{ openldap_base_dn }}" read by * none
+