library/roles/openldap-server: add script and an optional cron job to remove the old transaction logs. Ansible 2 fixes.

Andrea Dell'Amico 2016-03-10 16:53:35 +01:00
parent 70c4f447da
commit f6414fdb92
7 changed files with 42 additions and 22 deletions


@ -6,11 +6,13 @@ openldap_pkg_list:
- ldapvi - ldapvi
- ldap-utils - ldap-utils
- ldapscripts - ldapscripts
- db-util
openldap_slapd_tcp_port: 389 openldap_slapd_tcp_port: 389
openldap_slapd_ssl_port: 636 openldap_slapd_ssl_port: 636
openldap_slapd_ssl_only: False openldap_slapd_ssl_only: False
openldap_db_dir: /var/lib/ldap
# Schemas automatically added: # Schemas automatically added:
# core.ldif # core.ldif
# cosine.ldif # cosine.ldif
@ -19,6 +21,8 @@ openldap_slapd_ssl_only: False
#openldap_additional_schemas: #openldap_additional_schemas:
# - dyngroup.ldif # - dyngroup.ldif
openldap_cleaner_cron_job: False
# Set slapd_admin_pwd in a vault file # Set slapd_admin_pwd in a vault file
slapd_debconf_params: slapd_debconf_params:
- { question: 'slapd/no_configuration', value: 'false', vtype: 'boolean' } - { question: 'slapd/no_configuration', value: 'false', vtype: 'boolean' }
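Review bot: The new default `openldap_cleaner_cron_job: False` in the second hunk is added with no comment saying what turning it on does, while the neighbouring defaults (schemas, vault password) are each explained. A one-line comment above it would spare the next maintainer a trip to the tasks file: `# When true, install a daily cron job that runs db_archive to delete the BDB transaction logs no longer needed for normal recovery`. The same applies to `openldap_db_dir: /var/lib/ldap` in the first hunk, which is the directory that script is pointed at; `# Directory passed to db_archive -h by the transaction-log cleaner` would do.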


@ -2,3 +2,7 @@
- include: openldap_packages.yml - include: openldap_packages.yml
- include: openldap_initializazion.yml - include: openldap_initializazion.yml
when: openldap_service_enabled when: openldap_service_enabled
- include: openldap_maintenance.yml
when: openldap_service_enabled


@ -1,7 +1,7 @@
--- ---
- name: Create a basic configuration - name: Create a basic configuration
debconf: name=slapd question='{{ item.question }}' value='{{ item.value }}' vtype='{{ item.vtype }}' debconf: name=slapd question='{{ item.question }}' value='{{ item.value }}' vtype='{{ item.vtype }}'
with_items: slapd_debconf_params with_items: '{{ slapd_debconf_params }}'
when: openldap_service_enabled when: openldap_service_enabled
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ] tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
@ -32,8 +32,8 @@
shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/{{ item }}.installed shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/{{ item }}.installed
args: args:
creates: '/etc/ldap/schema/{{ item }}.installed' creates: '/etc/ldap/schema/{{ item }}.installed'
with_items: openldap_additional_schemas with_items: '{{ openldap_additional_schemas }}'
when: openldap_additional_schemas is defined when: openldap_additional_schemas is defined
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ] tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
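Review bot: In the second hunk the shell line `ldapadd ... -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/{{ item }}.installed` creates the `.installed` marker even when ldapadd fails, and because `creates:` then skips the task on every later run, a schema that failed to load is never retried and the failure is silent. Joining the commands with `&&` makes the marker depend on success: `shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} && touch /etc/ldap/schema/{{ item }}.installed`. This line is context rather than changed by the commit, and the task's `- name:` line starts above the hunk, so the fix belongs to the same task the `with_items` quoting touches.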


@ -0,0 +1,14 @@
---
- name: Install a script that removes the old transaction logs
template: src=ldap_logs_cleaner.sh.j2 dest=/usr/local/bin/ldap_logs_cleaner owner=root group=root mode=0500
tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'ldap_db_cleaner' ]
- name: Install a cron job to run the ldap cleaner daily
cron: name="LDAP transaction logs cleaner" hour="0" job="/usr/local/bin/ldap_logs_cleaner"
when: openldap_cleaner_cron_job
tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'ldap_db_cleaner' ]
- name: Install the cron job that runs the ldap cleaner
cron: name="LDAP transaction logs cleaner" state=absent
when: not openldap_cleaner_cron_job
tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'ldap_db_cleaner' ]
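Review bot: The cron task `cron: name="LDAP transaction logs cleaner" hour="0" job="/usr/local/bin/ldap_logs_cleaner"` sets only `hour`; the cron module's `minute` defaults to `*`, so the cleaner runs sixty times between 00:00 and 00:59 instead of once a day as the task name promises. Add the minute: `cron: name="LDAP transaction logs cleaner" minute="0" hour="0" job="/usr/local/bin/ldap_logs_cleaner"`. The third task is named `Install the cron job that runs the ldap cleaner` but does `state=absent`, which reads as the opposite of what it does in a play log; `Remove the cron job that runs the ldap cleaner` matches the action. The two cron tasks could also collapse into one with `state="{{ 'present' if openldap_cleaner_cron_job else 'absent' }}"`, but that is a matter of taste.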


@ -2,7 +2,7 @@
- name: Install the openldap server packages - name: Install the openldap server packages
apt: name={{ item }} state={{ openldap_pkg_state }} apt: name={{ item }} state={{ openldap_pkg_state }}
with_items: openldap_pkg_list with_items: '{{ openldap_pkg_list }}'
tags: [ 'ldap_server', 'ldap' ] tags: [ 'ldap_server', 'ldap' ]
- name: Ensure that the slapd service is enabled and running - name: Ensure that the slapd service is enabled and running


@ -0,0 +1,5 @@
#!/bin/bash
db_archive -d -h {{ openldap_db_dir }} > /var/log/ldap_cleaner 2>&1
exit 0
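Review bot: `exit 0` on the last line discards db_archive's exit status, so a failing cleanup (wrong `openldap_db_dir`, `db-util` not installed, a permission error) is never reported by cron and its only trace is `/var/log/ldap_cleaner`, which the next run's `>` overwrites. Drop the `exit 0` (or use `exit "$?"`) so the script's status is db_archive's, and quote the templated path: `db_archive -d -h "{{ openldap_db_dir }}" > /var/log/ldap_cleaner 2>&1`. A header comment would help the next maintainer, stating that `db_archive -d` deletes the transaction logs no longer needed for normal recovery, which means they must be included in a backup beforehand if catastrophic recovery of the database is ever wanted.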


@ -2,48 +2,41 @@
- name: Create the sudoers group if needed - name: Create the sudoers group if needed
group: name={{ users_sudoers_group }} state=present group: name={{ users_sudoers_group }} state=present
when: users_sudoers_create_group when: users_sudoers_create_group
tags: tags: users
- users
- name: Add a sudo additional configuration for the new sudoers group - name: Add a sudo additional configuration for the new sudoers group
template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }} template: src=sudoers.j2 dest=/etc/sudoers.d/{{ users_sudoers_group }}
when: users_sudoers_create_sudo_conf when: users_sudoers_create_sudo_conf
tags: tags: users
- users
- name: Create users - name: Create users
user: name={{ item.login }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }} user: name={{ item.login }} comment="{{ item.name }}" home={{ item.home }}/{{ item.login }} createhome={{ item.createhome }} shell={{ item.shell }}
with_items: users_system_users with_items: '{{ users_system_users }}'
when: when: users_system_users is defined
- users_system_users is defined tags: users
tags:
- users
- name: ensure that the users can login with their ssh keys - name: ensure that the users can login with their ssh keys
authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present authorized_key: user="{{ item.login }}" key="{{ item.ssh_key }}" state=present
with_items: users_system_users with_items: '{{ users_system_users }}'
when: when:
- users_system_users is defined - users_system_users is defined
- item.ssh_key is defined - item.ssh_key is defined
tags: tags: users
- users
- name: Add the admin users to the sudoers group - name: Add the admin users to the sudoers group
user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes user: name={{ item.login }} groups={{ users_sudoers_group }} append=yes
with_items: users_system_users with_items: '{{ users_system_users }}'
when: when:
- users_system_users is defined - users_system_users is defined
- item.admin - item.admin
tags: tags: users
- users
- name: ensure that the users can login with their ssh keys as root if we want ensure direct access - name: ensure that the users can login with their ssh keys as root if we want ensure direct access
authorized_key: user=root key="{{ item.ssh_key }}" state=present authorized_key: user=root key="{{ item.ssh_key }}" state=present
with_items: users_system_users with_items: '{{ users_system_users }}'
when: when:
- users_system_users is defined - users_system_users is defined
- item.ssh_key is defined - item.ssh_key is defined
- ( item.log_as_root is defined ) and ( item.log_as_root ) - ( item.log_as_root is defined ) and ( item.log_as_root )
tags: tags: users
- users