diff --git a/openldap-server/defaults/main.yml b/openldap-server/defaults/main.yml index ce49a2e9..5b2b3e85 100644 --- a/openldap-server/defaults/main.yml +++ b/openldap-server/defaults/main.yml @@ -1,6 +1,9 @@ --- openldap_pkg_state: present openldap_service_enabled: True +# Important: for a replica to work correctly, the same exact schemas present into the master have to be installed in advance +openldap_master: False +openldap_slave: False openldap_pkg_list: - slapd - ldapvi @@ -11,6 +14,7 @@ openldap_pkg_list: openldap_slapd_services: 'ldap:/// ldapi:///' openldap_slapd_tcp_port: 389 openldap_slapd_ssl_port: 636 +# Leave it to false if you want to use start_tls (recommended) openldap_slapd_ssl_only: False openldap_db_dir: /var/lib/ldap @@ -27,11 +31,22 @@ openldap_base_schemas: # - dyngroup.ldif openldap_admin_user: admin +# If you want a different user for the consumer, you have to create it on the master +openldap_replica_user: '{{ openldap_admin_user }}' + openldap_base_dn: 'dc=example,dc=org' +openldap_slave_search_base: '{{ openldap_base_dn }}' +openldap_slave_sync_interval: '00:00:05:00' +openldap_slave_sync_type: refreshAndPersist +openldap_slave_syncdata_type: accesslog +openldap_slave_tls_starttls: 'yes' openldap_cleaner_cron_job: False openldap_letsencrypt_managed: False +# Default: check once a day, purge the entries older than two days +openldap_accesslog_purge: '02+00:00 01+00:00' + openldap_letsencrypt_ldif: - olcSSL.ldif diff --git a/openldap-server/tasks/main.yml b/openldap-server/tasks/main.yml index 790b71ca..f0e44752 100644 --- a/openldap-server/tasks/main.yml +++ b/openldap-server/tasks/main.yml @@ -2,6 +2,10 @@ - import_tasks: openldap_packages.yml - import_tasks: openldap_initializazion.yml when: openldap_service_enabled +- import_tasks: openldap_master_setup.yml + when: openldap_master +- import_tasks: openldap_slave_setup.yml + when: openldap_slave - import_tasks: openldap_maintenance.yml when: openldap_service_enabled - import_tasks: openldap-letsencrypt.yml diff --git a/openldap-server/tasks/openldap_master_setup.yml b/openldap-server/tasks/openldap_master_setup.yml new file mode 100644 index 00000000..6863a047 --- /dev/null +++ b/openldap-server/tasks/openldap_master_setup.yml @@ -0,0 +1,17 @@ +--- +- block: + - name: Install the ldif that activates the accesslog db + template: src=syncprov.ldif.j2 dest=/etc/ldap/schema/syncprov.ldif + + - name: Create the accesslog directory + file: dest=/var/lib/ldap/accesslog state=directory owner=openldap group=openldap + + - name: Install the accesslog and syncprov configuration + shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed + args: + creates: '/etc/ldap/schema/{{ item }}.installed' + with_items: syncprov.ldif + + tags: [ 'ldap', 'openldap', 'ldap_master', 'ldap_conf' ] + when: openldap_master + \ No newline at end of file diff --git a/openldap-server/tasks/openldap_slave_setup.yml b/openldap-server/tasks/openldap_slave_setup.yml new file mode 100644 index 00000000..a6dd6699 --- /dev/null +++ b/openldap-server/tasks/openldap_slave_setup.yml @@ -0,0 +1,14 @@ +--- +- block: + - name: Install the ldif that provides the slave configuration + template: src=consumer.ldif.j2 dest=/etc/ldap/schema/consumer.ldif + + - name: Install the consumer configuration in the slave + shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed + args: + creates: '/etc/ldap/schema/{{ item }}.installed' + with_items: consumer.ldif + + tags: [ 'ldap', 'openldap', 'ldap_master', 'ldap_conf' ] + when: openldap_slave + \ No newline at end of file diff --git a/openldap-server/templates/consumer.ldif.j2 b/openldap-server/templates/consumer.ldif.j2 new file mode 100644 index 00000000..9fb124a6 --- /dev/null +++ b/openldap-server/templates/consumer.ldif.j2 @@ -0,0 +1,35 @@ +dn: cn=module,cn=config +objectClass: olcModuleList +cn: module +olcModulePath: /usr/lib/ldap +olcModuleLoad: syncprov + +dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcSyncProvConfig +olcOverlay: syncprov +olcSpSessionLog: 100 + +dn: olcDatabase={1}hdb,cn=config +changetype: modify +add: olcDbIndex +olcDbIndex: entryUUID eq +- +add: olcSyncRepl +olcSyncRepl: rid={{ openldap_slave_id | default(001) }} + provider={{ openldap_master_ldap_uri }} + bindmethod=simple + binddn="cn={{ openldap_replica_user }},{{ openldap_base_dn }}" + credentials={{ slapd_replica_pwd }} + searchbase="{{ openldap_slave_search_base }}" + logbase="cn=accesslog" + schemachecking=on + type={{ openldap_slave_sync_type }} + retry="60 +" + interval={{ openldap_slave_sync_interval }} + starttls="{{ openldap_slave_tls_starttls: }}" + syncdata={{ openldap_slave_syncdata_type }} +- +add: olcUpdateRef +olcUpdateRef: {{ openldap_master_ldap_uri }} + diff --git a/openldap-server/templates/syncprov.ldif.j2 b/openldap-server/templates/syncprov.ldif.j2 new file mode 100644 index 00000000..9133f5fc --- /dev/null +++ b/openldap-server/templates/syncprov.ldif.j2 @@ -0,0 +1,37 @@ +dn: cn=module,cn=config +objectClass: olcModuleList +cn: module +olcModulePath: /usr/lib/ldap +olcModuleLoad: syncprov + +# Accesslog database definitions +dn: olcDatabase={2}hdb,cn=config +objectClass: olcDatabaseConfig +objectClass: olcHdbConfig +olcDatabase: {2}hdb +olcDbDirectory: /var/lib/ldap/accesslog +olcSuffix: cn=accesslog +olcRootDN: cn=admin,dc=d4science,dc=org +olcDbIndex: default eq +olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart + +# Accesslog db syncprov. +dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config +changetype: add +objectClass: olcOverlayConfig +objectClass: olcSyncProvConfig +olcOverlay: syncprov +olcSpNoPresent: TRUE +olcSpReloadHint: TRUE + +# accesslog overlay definitions for primary db +dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcAccessLogConfig +olcOverlay: accesslog +olcAccessLogDB: cn=accesslog +olcAccessLogOps: writes +olcAccessLogSuccess: TRUE +# scan the accesslog DB every day, and purge entries older than 2 days +olcAccessLogPurge: {{ openldap_accesslog_purge }} +