library/roles/openldap-server: add script and an optional cron job to remove the old transaction logs. Ansible 2 fixes.
parent
70c4f447da
commit
f6414fdb92
|
@ -6,11 +6,13 @@ openldap_pkg_list:
|
||||||
- ldapvi
|
- ldapvi
|
||||||
- ldap-utils
|
- ldap-utils
|
||||||
- ldapscripts
|
- ldapscripts
|
||||||
|
- db-util
|
||||||
|
|
||||||
openldap_slapd_tcp_port: 389
|
openldap_slapd_tcp_port: 389
|
||||||
openldap_slapd_ssl_port: 636
|
openldap_slapd_ssl_port: 636
|
||||||
openldap_slapd_ssl_only: False
|
openldap_slapd_ssl_only: False
|
||||||
|
|
||||||
|
openldap_db_dir: /var/lib/ldap
|
||||||
# Schemas automatically added:
|
# Schemas automatically added:
|
||||||
# core.ldif
|
# core.ldif
|
||||||
# cosine.ldif
|
# cosine.ldif
|
||||||
|
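Review bot: `openldap_db_dir: /var/lib/ldap` is introduced without a comment, although it is the directory the new cleaner script passes to `db_archive -h`, so a reader of the defaults cannot tell what it must point to or which task touches it; suggest above it `# slapd database directory; the transaction-log cleaner script runs db_archive -d -h against it`. `db-util` in the package list presumably supplies the db_archive binary that script needs and could carry a similar one-line comment so the dependency on the maintenance tasks is visible here.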
@ -19,6 +21,8 @@ openldap_slapd_ssl_only: False
|
||||||
#openldap_additional_schemas:
|
#openldap_additional_schemas:
|
||||||
# - dyngroup.ldif
|
# - dyngroup.ldif
|
||||||
|
|
||||||
|
openldap_cleaner_cron_job: False
|
||||||
|
|
||||||
# Set slapd_admin_pwd in a vault file
|
# Set slapd_admin_pwd in a vault file
|
||||||
slapd_debconf_params:
|
slapd_debconf_params:
|
||||||
- { question: 'slapd/no_configuration', value: 'false', vtype: 'boolean' }
|
- { question: 'slapd/no_configuration', value: 'false', vtype: 'boolean' }
|
||||||
|
|
|
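Review bot: `openldap_cleaner_cron_job: False` is a new switch with no comment describing its effect, while the maintenance tasks both install and remove the cron entry depending on it, which a reader of the defaults cannot see; suggest above it `# true: install a cron job that runs /usr/local/bin/ldap_logs_cleaner; false: remove that job if present`. The surrounding file already spells booleans as `False`, so keeping that spelling is consistent, though `false` is the portable YAML 1.2 form.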
@ -2,3 +2,7 @@
|
||||||
- include: openldap_packages.yml
|
- include: openldap_packages.yml
|
||||||
- include: openldap_initializazion.yml
|
- include: openldap_initializazion.yml
|
||||||
when: openldap_service_enabled
|
when: openldap_service_enabled
|
||||||
|
- include: openldap_maintenance.yml
|
||||||
|
when: openldap_service_enabled
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
- name: Create a basic configuration
|
- name: Create a basic configuration
|
||||||
debconf: name=slapd question='{{ item.question }}' value='{{ item.value }}' vtype='{{ item.vtype }}'
|
debconf: name=slapd question='{{ item.question }}' value='{{ item.value }}' vtype='{{ item.vtype }}'
|
||||||
with_items: slapd_debconf_params
|
with_items: '{{ slapd_debconf_params }}'
|
||||||
when: openldap_service_enabled
|
when: openldap_service_enabled
|
||||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||||
|
|
||||||
|
@ -32,8 +32,8 @@
|
||||||
shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/{{ item }}.installed
|
shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/{{ item }}.installed
|
||||||
args:
|
args:
|
||||||
creates: '/etc/ldap/schema/{{ item }}.installed'
|
creates: '/etc/ldap/schema/{{ item }}.installed'
|
||||||
with_items: openldap_additional_schemas
|
with_items: '{{ openldap_additional_schemas }}'
|
||||||
when: openldap_additional_schemas is defined
|
when: openldap_additional_schemas is defined
|
||||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||||
|
|
||||||
|
|
||||||
|
|
|
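Review bot: `with_items: '{{ openldap_additional_schemas }}'` is expanded before the `when: openldap_additional_schemas is defined` guard on the following line is evaluated, so in Ansible 2 the task fails with an undefined-variable error instead of being skipped when the variable is unset, which is the default since `openldap_additional_schemas` is commented out in defaults/main.yml. Use `with_items: '{{ openldap_additional_schemas | default([]) }}'` so the loop is simply empty in that case; the `when` can stay as documentation. The same pattern appears in the users tasks hunk, where each of the four `with_items: '{{ users_system_users }}'` loops is guarded by `users_system_users is defined`. The task's `name` line is above this hunk.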
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
- name: Install a script that removes the old transaction logs
|
||||||
|
template: src=ldap_logs_cleaner.sh.j2 dest=/usr/local/bin/ldap_logs_cleaner owner=root group=root mode=0500
|
||||||
|
tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'ldap_db_cleaner' ]
|
||||||
|
|
||||||
|
- name: Install a cron job to run the ldap cleaner daily
|
||||||
|
cron: name="LDAP transaction logs cleaner" hour="0" job="/usr/local/bin/ldap_logs_cleaner"
|
||||||
|
when: openldap_cleaner_cron_job
|
||||||
|
tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'ldap_db_cleaner' ]
|
||||||
|
|
||||||
|
- name: Install the cron job that runs the ldap cleaner
|
||||||
|
cron: name="LDAP transaction logs cleaner" state=absent
|
||||||
|
when: not openldap_cleaner_cron_job
|
||||||
|
tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'ldap_db_cleaner' ]
|
|
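Review bot: The second task sets only `hour="0"`, and the cron module's `minute` defaults to `*`, so the job runs every minute from 00:00 to 00:59 rather than once a day as the task name says; add the minute: `cron: name="LDAP transaction logs cleaner" minute="0" hour="0" job="/usr/local/bin/ldap_logs_cleaner"`. The third task removes the entry with `state=absent` but is named "Install the cron job that runs the ldap cleaner"; rename it `- name: Remove the cron job that runs the ldap cleaner` so the task output reads correctly. Neither cron task sets `user`, so the cleaner runs as root; if the slapd service account owns `{{ openldap_db_dir }}` and the log file, running the job under that account would be the least privilege needed — verify against the installed package's ownership before changing it.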
@ -2,7 +2,7 @@
|
||||||
|
|
||||||
- name: Install the openldap server packages
|
- name: Install the openldap server packages
|
||||||
apt: name={{ item }} state={{ openldap_pkg_state }}
|
apt: name={{ item }} state={{ openldap_pkg_state }}
|
||||||
with_items: openldap_pkg_list
|
with_items: '{{ openldap_pkg_list }}'
|
||||||
tags: [ 'ldap_server', 'ldap' ]
|
tags: [ 'ldap_server', 'ldap' ]
|
||||||
|
|
||||||
- name: Ensure that the slapd service is enabled and running
|
- name: Ensure that the slapd service is enabled and running
|
||||||
|
|
|
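Review bot: `apt: name={{ item }}` combined with `with_items: '{{ openldap_pkg_list }}'` resolves and installs the packages one apt transaction at a time; the Ansible 2 apt module accepts a list for `name`, so `apt: name='{{ openldap_pkg_list }}' state={{ openldap_pkg_state }}` without the loop handles them in a single transaction and reads closer to the form the rest of this commit moves toward. This is a style point only; the looped form behaves correctly.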
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
db_archive -d -h {{ openldap_db_dir }} > /var/log/ldap_cleaner 2>&1
|
||||||
|
exit 0
|
||||||
|
|
|
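Review bot: The unconditional `exit 0` discards db_archive's exit status and `>` truncates /var/log/ldap_cleaner on every run, so a failed cleanup leaves no trace — cron reports success and only the last run's output survives. Suggest `db_archive -d -h "{{ openldap_db_dir }}" >> /var/log/ldap_cleaner 2>&1` and replacing `exit 0` with `exit $?` (or dropping it so the script's status is db_archive's), with the log then handled by rotation; quoting the templated path also keeps the command intact if the directory name contains whitespace. Note that `db_archive -d` deletes log files no longer needed by the running database, so if archived transaction logs are part of the site's backup or recovery plan they must be copied before this runs — presumably not the case here, but worth a comment at the top of the script.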
@ -2,48 +2,41 @@
|
||||||
- name: Create the sudoers group if needed
|
- name: Create the sudoers group if needed
|
||||||
group: name={{ users_sudoers_group }} state=present
|
group: name={{ users_sudoers_group }} state=present
|
||||||
when: users_sudoers_create_group
|
when: users_sudoers_create_group
|
||||||
tags:
|
tags: users
|
||||||
- users
|
|
||||||
|
|
||||||
- name: Add a sudo additional configuration for the new sudoers group
|
- name: Add a sudo additional configuration for the new sudoers group
|
||||||
template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
|
template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
|
||||||
when: users_sudoers_create_sudo_conf
|
when: users_sudoers_create_sudo_conf
|
||||||
tags:
|
tags: users
|
||||||
- users
|
|
||||||
|
|
||||||
- name: Create users
|
- name: Create users
|
||||||
user: name={{ item.login }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }}
|
user: name={{ item.login }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }}
|
||||||
with_items: users_system_users
|
with_items: '{{ users_system_users }}'
|
||||||
when:
|
when: users_system_users is defined
|
||||||
- users_system_users is defined
|
tags: users
|
||||||
tags:
|
|
||||||
- users
|
|
||||||
|
|
||||||
- name: ensure that the users can login with their ssh keys
|
- name: ensure that the users can login with their ssh keys
|
||||||
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
|
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
|
||||||
with_items: users_system_users
|
with_items: '{{ users_system_users }}'
|
||||||
when:
|
when:
|
||||||
- users_system_users is defined
|
- users_system_users is defined
|
||||||
- item.ssh_key is defined
|
- item.ssh_key is defined
|
||||||
tags:
|
tags: users
|
||||||
- users
|
|
||||||
|
|
||||||
- name: Add the admin users to the sudoers group
|
- name: Add the admin users to the sudoers group
|
||||||
user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes
|
user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes
|
||||||
with_items: users_system_users
|
with_items: '{{ users_system_users }}'
|
||||||
when:
|
when:
|
||||||
- users_system_users is defined
|
- users_system_users is defined
|
||||||
- item.admin
|
- item.admin
|
||||||
tags:
|
tags: users
|
||||||
- users
|
|
||||||
|
|
||||||
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
|
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
|
||||||
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
authorized_key: user=root key="{{ item.ssh_key }}" state=present
|
||||||
with_items: users_system_users
|
with_items: '{{ users_system_users }}'
|
||||||
when:
|
when:
|
||||||
- users_system_users is defined
|
- users_system_users is defined
|
||||||
- item.ssh_key is defined
|
- item.ssh_key is defined
|
||||||
- ( item.log_as_root is defined ) and ( item.log_as_root )
|
- ( item.log_as_root is defined ) and ( item.log_as_root )
|
||||||
tags:
|
tags: users
|
||||||
- users
|
|
||||||
|
|
||||||
|
|