forked from ISTI-ansible-roles/ansible-roles
openldap: add templates and tasks to setup a replica
This commit is contained in:
parent
170fb7bd08
commit
11466ea877
|
@ -1,6 +1,9 @@
|
|||
---
|
||||
openldap_pkg_state: present
|
||||
openldap_service_enabled: True
|
||||
# Important: for a replica to work correctly, the same exact schemas present into the master have to be installed in advance
|
||||
openldap_master: False
|
||||
openldap_slave: False
|
||||
openldap_pkg_list:
|
||||
- slapd
|
||||
- ldapvi
|
||||
|
@ -11,6 +14,7 @@ openldap_pkg_list:
|
|||
openldap_slapd_services: 'ldap:/// ldapi:///'
|
||||
openldap_slapd_tcp_port: 389
|
||||
openldap_slapd_ssl_port: 636
|
||||
# Leave it to false if you want to use start_tls (recommended)
|
||||
openldap_slapd_ssl_only: False
|
||||
|
||||
openldap_db_dir: /var/lib/ldap
|
||||
|
@ -27,11 +31,22 @@ openldap_base_schemas:
|
|||
# - dyngroup.ldif
|
||||
|
||||
openldap_admin_user: admin
|
||||
# If you want a different user for the consumer, you have to create it on the master
|
||||
openldap_replica_user: '{{ openldap_admin_user }}'
|
||||
|
||||
openldap_base_dn: 'dc=example,dc=org'
|
||||
openldap_slave_search_base: '{{ openldap_base_dn }}'
|
||||
openldap_slave_sync_interval: '00:00:05:00'
|
||||
openldap_slave_sync_type: refreshAndPersist
|
||||
openldap_slave_syncdata_type: accesslog
|
||||
openldap_slave_tls_starttls: 'yes'
|
||||
|
||||
openldap_cleaner_cron_job: False
|
||||
openldap_letsencrypt_managed: False
|
||||
|
||||
# Default: check once a day, purge the entries older than two days
|
||||
openldap_accesslog_purge: '02+00:00 01+00:00'
|
||||
|
||||
openldap_letsencrypt_ldif:
|
||||
- olcSSL.ldif
|
||||
|
||||
|
|
|
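Review bot: `openldap_slave_tls_starttls: 'yes'` lets the consumer fall back to a cleartext simple bind when StartTLS negotiation fails, so the password passed as `credentials=` in the syncrepl line can cross the wire unprotected; the safer default is `openldap_slave_tls_starttls: critical`, which makes slapd abort the connection instead. `openldap_replica_user: '{{ openldap_admin_user }}'` also makes the consumer bind as the directory administrator by default; the comment above it already points at a separate account, and a read-only replication user would limit what a compromised replica can do with that credential. Separately, `openldap_service_enabled: True`, `openldap_master: False` and `openldap_slave: False` use capitalised booleans; `true`/`false` are the portable spellings and match the `Off`/`yes` pitfalls yamllint flags.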
@ -2,6 +2,10 @@
|
|||
- import_tasks: openldap_packages.yml
|
||||
- import_tasks: openldap_initializazion.yml
|
||||
when: openldap_service_enabled
|
||||
- import_tasks: openldap_master_setup.yml
|
||||
when: openldap_master
|
||||
- import_tasks: openldap_slave_setup.yml
|
||||
when: openldap_slave
|
||||
- import_tasks: openldap_maintenance.yml
|
||||
when: openldap_service_enabled
|
||||
- import_tasks: openldap-letsencrypt.yml
|
||||
|
|
|
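Review bot: The `when: openldap_master` and `when: openldap_slave` guards added on the two new `import_tasks` lines duplicate the identical `when:` on the `block` inside the imported files shown later on this page, so each condition lives in two places and has to be kept in sync; keep it at one level and drop the other. Nothing visible prevents a host from having both `openldap_master` and `openldap_slave` set, which would apply the provider and the consumer ldifs to the same slapd; an `assert` task ahead of the imports with `that: not (openldap_master and openldap_slave)` would catch that inventory mistake before any change is made.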
@ -0,0 +1,17 @@
|
|||
---
|
||||
- block:
|
||||
- name: Install the ldif that activates the accesslog db
|
||||
template: src=syncprov.ldif.j2 dest=/etc/ldap/schema/syncprov.ldif
|
||||
|
||||
- name: Create the accesslog directory
|
||||
file: dest=/var/lib/ldap/accesslog state=directory owner=openldap group=openldap
|
||||
|
||||
- name: Install the accesslog and syncprov configuration
|
||||
shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
|
||||
args:
|
||||
creates: '/etc/ldap/schema/{{ item }}.installed'
|
||||
with_items: syncprov.ldif
|
||||
|
||||
tags: [ 'ldap', 'openldap', 'ldap_master', 'ldap_conf' ]
|
||||
when: openldap_master
|
||||
|
|
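Review bot: The `creates:` guard on the ldapadd task can never match: the shell line touches `/etc/ldap/schema/.{{ item }}.installed` (dot-prefixed) while `creates` checks `/etc/ldap/schema/{{ item }}.installed`, so `ldapadd` is re-run on every play. Because the two commands are joined with `;`, the task's exit status is that of `touch`, which means an ldapadd failure is masked and the marker is written regardless. Use `creates: '/etc/ldap/schema/.{{ item }}.installed'` and `shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} && touch /etc/ldap/schema/.{{ item }}.installed` so the marker only appears after a successful load. The consumer task in the following section (presumably openldap_slave_setup.yml) has the same path mismatch and the same `;`.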
@ -0,0 +1,14 @@
|
|||
---
|
||||
- block:
|
||||
- name: Install the ldif that provides the slave configuration
|
||||
template: src=consumer.ldif.j2 dest=/etc/ldap/schema/consumer.ldif
|
||||
|
||||
- name: Install the consumer configuration in the slave
|
||||
shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
|
||||
args:
|
||||
creates: '/etc/ldap/schema/{{ item }}.installed'
|
||||
with_items: consumer.ldif
|
||||
|
||||
tags: [ 'ldap', 'openldap', 'ldap_master', 'ldap_conf' ]
|
||||
when: openldap_slave
|
||||
|
|
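Review bot: The rendered consumer.ldif carries the replication bind password (`credentials={{ slapd_replica_pwd }}` in the template), but the `template:` task leaves the file at the default umask mode under /etc/ldap/schema, which is normally world-readable; since the ldapadd here runs as root over ldapi, `template: src=consumer.ldif.j2 dest=/etc/ldap/schema/consumer.ldif mode=0600` is enough and keeps the secret away from other local users. Consider `no_log: true` on that task as well so the rendered diff is not echoed into the play output. The `tags:` list on this block still carries `ldap_master`, copied from the provider file; a consumer-only block should be tagged `ldap_slave` so that running with `--tags ldap_master` does not also reconfigure the replicas.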
@ -0,0 +1,35 @@
|
|||
dn: cn=module,cn=config
|
||||
objectClass: olcModuleList
|
||||
cn: module
|
||||
olcModulePath: /usr/lib/ldap
|
||||
olcModuleLoad: syncprov
|
||||
|
||||
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
|
||||
objectClass: olcOverlayConfig
|
||||
objectClass: olcSyncProvConfig
|
||||
olcOverlay: syncprov
|
||||
olcSpSessionLog: 100
|
||||
|
||||
dn: olcDatabase={1}hdb,cn=config
|
||||
changetype: modify
|
||||
add: olcDbIndex
|
||||
olcDbIndex: entryUUID eq
|
||||
-
|
||||
add: olcSyncRepl
|
||||
olcSyncRepl: rid={{ openldap_slave_id | default(001) }}
|
||||
provider={{ openldap_master_ldap_uri }}
|
||||
bindmethod=simple
|
||||
binddn="cn={{ openldap_replica_user }},{{ openldap_base_dn }}"
|
||||
credentials={{ slapd_replica_pwd }}
|
||||
searchbase="{{ openldap_slave_search_base }}"
|
||||
logbase="cn=accesslog"
|
||||
schemachecking=on
|
||||
type={{ openldap_slave_sync_type }}
|
||||
retry="60 +"
|
||||
interval={{ openldap_slave_sync_interval }}
|
||||
starttls="{{ openldap_slave_tls_starttls: }}"
|
||||
syncdata={{ openldap_slave_syncdata_type }}
|
||||
-
|
||||
add: olcUpdateRef
|
||||
olcUpdateRef: {{ openldap_master_ldap_uri }}
|
||||
|
|
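Review bot: `starttls="{{ openldap_slave_tls_starttls: }}"` has a stray `:` inside the Jinja expression, which is a template syntax error, so the task that renders consumer.ldif will fail before anything is applied; it should read `starttls={{ openldap_slave_tls_starttls }}`. `credentials={{ slapd_replica_pwd }}` is the one secret value on the olcSyncRepl line and it is unquoted, so a password containing a space or `"` would break the syncrepl directive; write `credentials="{{ slapd_replica_pwd }}"`. `rid={{ openldap_slave_id | default(001) }}` hands an integer literal to `default`, which Jinja renders as `1` rather than `001`; `default('001')` keeps the three-digit form if that is what is intended. Neither `openldap_master_ldap_uri` nor `slapd_replica_pwd` has a default in the defaults hunk on this page, so presumably both must come from inventory; a comment in the defaults file naming them as required would save the next user a failed template task.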
@ -0,0 +1,37 @@
|
|||
dn: cn=module,cn=config
|
||||
objectClass: olcModuleList
|
||||
cn: module
|
||||
olcModulePath: /usr/lib/ldap
|
||||
olcModuleLoad: syncprov
|
||||
|
||||
# Accesslog database definitions
|
||||
dn: olcDatabase={2}hdb,cn=config
|
||||
objectClass: olcDatabaseConfig
|
||||
objectClass: olcHdbConfig
|
||||
olcDatabase: {2}hdb
|
||||
olcDbDirectory: /var/lib/ldap/accesslog
|
||||
olcSuffix: cn=accesslog
|
||||
olcRootDN: cn=admin,dc=d4science,dc=org
|
||||
olcDbIndex: default eq
|
||||
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
|
||||
|
||||
# Accesslog db syncprov.
|
||||
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
|
||||
changetype: add
|
||||
objectClass: olcOverlayConfig
|
||||
objectClass: olcSyncProvConfig
|
||||
olcOverlay: syncprov
|
||||
olcSpNoPresent: TRUE
|
||||
olcSpReloadHint: TRUE
|
||||
|
||||
# accesslog overlay definitions for primary db
|
||||
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
|
||||
objectClass: olcOverlayConfig
|
||||
objectClass: olcAccessLogConfig
|
||||
olcOverlay: accesslog
|
||||
olcAccessLogDB: cn=accesslog
|
||||
olcAccessLogOps: writes
|
||||
olcAccessLogSuccess: TRUE
|
||||
# scan the accesslog DB every day, and purge entries older than 2 days
|
||||
olcAccessLogPurge: {{ openldap_accesslog_purge }}
|
||||
|
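Review bot: The accesslog database at `olcDatabase={2}hdb,cn=config` is defined without any `olcAccess` rule, and slapd's built-in policy when no rule applies is read access for everyone, so with `olcAccessLogOps: writes` the recorded modifications, which can include the values written (userPassword changes among them), become readable by any client that can bind to the provider; add a rule such as `olcAccess: to * by dn.exact="cn={{ openldap_replica_user }},{{ openldap_base_dn }}" read by * none` unless the role sets one elsewhere. `olcRootDN: cn=admin,dc=d4science,dc=org` hard-codes one deployment's DN in a role that already defines `openldap_admin_user` and `openldap_base_dn`; use `olcRootDN: cn={{ openldap_admin_user }},{{ openldap_base_dn }}`. For delta-syncrepl (the consumer uses `syncdata=accesslog`) the provider's primary database normally needs the syncprov overlay in addition to the accesslog overlay, but this template only attaches syncprov to `{2}hdb`; confirm that `olcDatabase={1}hdb` gets syncprov somewhere else in the role, since the consumer template appears to carry that overlay instead.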