openldap: add templates and tasks to setup a replica

openldap-server/defaults/main.yml

@@ -1,6 +1,9 @@
 ---
 openldap_pkg_state: present
 openldap_service_enabled: True
+# Important: for a replica to work correctly, the same exact schemas present into the master have to be installed in advance 
+openldap_master: False
+openldap_slave: False
 openldap_pkg_list:
   - slapd
   - ldapvi
@@ -11,6 +14,7 @@ openldap_pkg_list:
 openldap_slapd_services: 'ldap:/// ldapi:///'
 openldap_slapd_tcp_port: 389
 openldap_slapd_ssl_port: 636
+# Leave it to false if you want to use start_tls (recommended)
 openldap_slapd_ssl_only: False
 
 openldap_db_dir: /var/lib/ldap
@@ -27,11 +31,22 @@ openldap_base_schemas:
 #  - dyngroup.ldif
 
 openldap_admin_user: admin
+# If you want a different user for the consumer, you have to create it on the master
+openldap_replica_user: '{{ openldap_admin_user }}'
+
 openldap_base_dn: 'dc=example,dc=org'
+openldap_slave_search_base: '{{ openldap_base_dn }}'
+openldap_slave_sync_interval: '00:00:05:00'
+openldap_slave_sync_type: refreshAndPersist
+openldap_slave_syncdata_type: accesslog
+openldap_slave_tls_starttls: 'yes' 
 
 openldap_cleaner_cron_job: False
 openldap_letsencrypt_managed: False
 
+# Default: check once a day, purge the entries older than two days
+openldap_accesslog_purge: '02+00:00 01+00:00'
+
 openldap_letsencrypt_ldif:
   - olcSSL.ldif
 

openldap-server/tasks/main.yml

@@ -2,6 +2,10 @@
 - import_tasks: openldap_packages.yml
 - import_tasks: openldap_initializazion.yml
   when: openldap_service_enabled
+- import_tasks: openldap_master_setup.yml
+  when: openldap_master
+- import_tasks: openldap_slave_setup.yml
+  when: openldap_slave
 - import_tasks: openldap_maintenance.yml
   when: openldap_service_enabled
 - import_tasks: openldap-letsencrypt.yml

openldap-server/tasks/openldap_master_setup.yml

@@ -0,0 +1,17 @@
+---
+- block:
+  - name: Install the ldif that activates the accesslog db 
+    template: src=syncprov.ldif.j2 dest=/etc/ldap/schema/syncprov.ldif
+
+  - name: Create the accesslog directory
+    file: dest=/var/lib/ldap/accesslog state=directory owner=openldap group=openldap
+
+  - name: Install the accesslog and syncprov configuration
+    shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
+    args:
+      creates: '/etc/ldap/schema/{{ item }}.installed'
+    with_items: syncprov.ldif
+
+  tags: [ 'ldap', 'openldap', 'ldap_master', 'ldap_conf' ]
+  when: openldap_master
+  

openldap-server/tasks/openldap_slave_setup.yml

@@ -0,0 +1,14 @@
+---
+- block:
+  - name: Install the ldif that provides the slave configuration 
+    template: src=consumer.ldif.j2 dest=/etc/ldap/schema/consumer.ldif
+
+  - name: Install the consumer configuration in the slave
+    shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
+    args:
+      creates: '/etc/ldap/schema/{{ item }}.installed'
+    with_items: consumer.ldif
+
+  tags: [ 'ldap', 'openldap', 'ldap_master', 'ldap_conf' ]
+  when: openldap_slave
+  

openldap-server/templates/consumer.ldif.j2

@@ -0,0 +1,35 @@
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: syncprov
+
+dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+olcSpSessionLog: 100
+
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+add: olcDbIndex
+olcDbIndex: entryUUID eq
+-
+add: olcSyncRepl
+olcSyncRepl: rid={{ openldap_slave_id | default(001) }}
+  provider={{ openldap_master_ldap_uri }}
+  bindmethod=simple
+  binddn="cn={{ openldap_replica_user }},{{ openldap_base_dn }}"
+  credentials={{ slapd_replica_pwd }}
+  searchbase="{{ openldap_slave_search_base }}"
+  logbase="cn=accesslog"
+  schemachecking=on
+  type={{ openldap_slave_sync_type }}
+  retry="60 +"
+  interval={{ openldap_slave_sync_interval }}
+  starttls="{{ openldap_slave_tls_starttls: }}"
+  syncdata={{ openldap_slave_syncdata_type }}
+-
+add: olcUpdateRef
+olcUpdateRef: {{ openldap_master_ldap_uri }}
+

openldap-server/templates/syncprov.ldif.j2

@@ -0,0 +1,37 @@
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: /usr/lib/ldap
+olcModuleLoad: syncprov
+
+# Accesslog database definitions
+dn: olcDatabase={2}hdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcHdbConfig
+olcDatabase: {2}hdb
+olcDbDirectory: /var/lib/ldap/accesslog
+olcSuffix: cn=accesslog
+olcRootDN: cn=admin,dc=d4science,dc=org
+olcDbIndex: default eq
+olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart
+
+# Accesslog db syncprov.
+dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
+changetype: add
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: syncprov
+olcSpNoPresent: TRUE
+olcSpReloadHint: TRUE
+
+# accesslog overlay definitions for primary db
+dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcAccessLogConfig
+olcOverlay: accesslog
+olcAccessLogDB: cn=accesslog
+olcAccessLogOps: writes
+olcAccessLogSuccess: TRUE
+# scan the accesslog DB every day, and purge entries older than 2 days
+olcAccessLogPurge: {{ openldap_accesslog_purge }}
+