library/roles/openldap-server: add script and an optional cron job to remove the old transaction logs. Ansible 2 fixes.

2016-03-10 16:53:35 +01:00 · 2016-03-10 16:53:35 +01:00 · f6414fdb92
parent 70c4f447da
commit f6414fdb92
7 changed files with 42 additions and 22 deletions
--- a/openldap-server/defaults/main.yml
+++ b/openldap-server/defaults/main.yml
@ -6,11 +6,13 @@ openldap_pkg_list:
  - ldapvi
  - ldap-utils
  - ldapscripts
+  - db-util

 openldap_slapd_tcp_port: 389
 openldap_slapd_ssl_port: 636
 openldap_slapd_ssl_only: False

+openldap_db_dir: /var/lib/ldap
 # Schemas automatically added:
 # core.ldif
 # cosine.ldif
@ -19,6 +21,8 @@ openldap_slapd_ssl_only: False
 #openldap_additional_schemas:
 #  - dyngroup.ldif

+openldap_cleaner_cron_job: False
+
 # Set slapd_admin_pwd in a vault file
 slapd_debconf_params:
  - { question: 'slapd/no_configuration', value: 'false', vtype: 'boolean' }
--- a/openldap-server/tasks/main.yml
+++ b/openldap-server/tasks/main.yml
@ -2,3 +2,7 @@
 - include: openldap_packages.yml
 - include: openldap_initializazion.yml
  when: openldap_service_enabled
+- include: openldap_maintenance.yml
+  when: openldap_service_enabled
+  
+  
--- a/openldap-server/tasks/openldap_initializazion.yml
+++ b/openldap-server/tasks/openldap_initializazion.yml
@ -1,7 +1,7 @@
 ---
 - name: Create a basic configuration
  debconf: name=slapd question='{{ item.question }}' value='{{ item.value }}' vtype='{{ item.vtype }}'
-  with_items: slapd_debconf_params
+  with_items: '{{ slapd_debconf_params }}'
  when: openldap_service_enabled
  tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]

@ -32,8 +32,8 @@
  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/{{ item }}.installed
  args:
    creates: '/etc/ldap/schema/{{ item }}.installed'
-  with_items: openldap_additional_schemas
+  with_items: '{{ openldap_additional_schemas }}'
  when: openldap_additional_schemas is defined
  tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]

-  
+  
--- a/openldap-server/tasks/openldap_maintenance.yml
+++ b/openldap-server/tasks/openldap_maintenance.yml
@ -0,0 +1,14 @@
+---
+- name: Install a script that removes the old transaction logs
+  template: src=ldap_logs_cleaner.sh.j2 dest=/usr/local/bin/ldap_logs_cleaner owner=root group=root mode=0500
+  tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'ldap_db_cleaner' ]
+
+- name: Install a cron job to run the ldap cleaner daily
+  cron: name="LDAP transaction logs cleaner" hour="0" job="/usr/local/bin/ldap_logs_cleaner"
+  when: openldap_cleaner_cron_job
+  tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'ldap_db_cleaner' ]
+
+- name: Install the cron job that runs the ldap cleaner
+  cron: name="LDAP transaction logs cleaner" state=absent
+  when: not openldap_cleaner_cron_job
+  tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'ldap_db_cleaner' ]
--- a/openldap-server/tasks/openldap_packages.yml
+++ b/openldap-server/tasks/openldap_packages.yml
@ -2,7 +2,7 @@
  
 - name: Install the openldap server packages
  apt: name={{ item }} state={{ openldap_pkg_state }}
-  with_items: openldap_pkg_list
+  with_items: '{{ openldap_pkg_list }}'
  tags: [ 'ldap_server', 'ldap' ]

 - name: Ensure that the slapd service is enabled and running
--- a/openldap-server/templates/ldap_logs_cleaner.sh.j2
+++ b/openldap-server/templates/ldap_logs_cleaner.sh.j2
@ -0,0 +1,5 @@
+#!/bin/bash
+
+db_archive -d -h {{ openldap_db_dir }} > /var/log/ldap_cleaner 2>&1
+exit 0
+
--- a/users/tasks/main.yml
+++ b/users/tasks/main.yml
@ -2,48 +2,41 @@
 - name: Create the sudoers group if needed
  group: name={{ users_sudoers_group }} state=present
  when: users_sudoers_create_group
-  tags:
-    - users
+  tags: users

 - name: Add a sudo additional configuration for the new sudoers group
  template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
  when: users_sudoers_create_sudo_conf
-  tags:
-    - users
+  tags: users

 - name: Create users
  user: name={{ item.login }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }}
-  with_items: users_system_users
-  when:
-    - users_system_users is defined
-  tags:
-    - users
+  with_items: '{{ users_system_users }}'
+  when: users_system_users is defined
+  tags: users

 - name: ensure that the users can login with their ssh keys
  authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
-  with_items: users_system_users
+  with_items: '{{ users_system_users }}'
  when:
    - users_system_users is defined
    - item.ssh_key is defined
-  tags:
-    - users
+  tags: users

 - name: Add the admin users to the sudoers group
  user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes
-  with_items: users_system_users
+  with_items: '{{ users_system_users }}'
  when:
    - users_system_users is defined
    - item.admin
-  tags:
-    - users
+  tags: users

 - name: ensure that the users can login with their ssh keys as root if we want ensure direct access
  authorized_key: user=root key="{{ item.ssh_key }}" state=present
-  with_items: users_system_users
+  with_items: '{{ users_system_users }}'
  when:
    - users_system_users is defined
    - item.ssh_key is defined
    - ( item.log_as_root is defined ) and ( item.log_as_root )
-  tags:
-    - users
+  tags: users