Various fixes to the ldap playbook. Now force the correct base DN.
This commit is contained in:
parent
e4d90a8e76
commit
f9cea4b143
|
@ -19,9 +19,16 @@ openldap_db_dir: /var/lib/ldap
|
|||
# cosine.ldif
|
||||
# inetorgperson.ldif
|
||||
# nis.ldif
|
||||
|
||||
openldap_base_schemas:
|
||||
- monitor.ldif
|
||||
|
||||
#openldap_additional_schemas:
|
||||
# - dyngroup.ldif
|
||||
|
||||
openldap_admin_user: admin
|
||||
openldap_base_dn: 'dc=example,dc=org'
|
||||
|
||||
openldap_cleaner_cron_job: False
|
||||
openldap_letsencrypt_managed: False
|
||||
|
||||
|
|
|
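Review bot: `openldap_base_dn: 'dc=example,dc=org'` at L42 is a placeholder, yet the initialization tasks in this same commit rewrite olcSuffix and olcRootDN from it, so a deployment that forgets to override the variable has its directory suffix forced to the example value; a comment above the line should say so, e.g. `# Override per deployment: the initialization tasks rewrite olcSuffix/olcRootDN from this value`. The booleans at L47 and L50 are written as `False`; Ansible accepts that, but yamllint's truthy rule and YAML 1.2 parsers expect lowercase, so `openldap_cleaner_cron_job: false` and `openldap_letsencrypt_managed: false` is the conventional spelling. The commented-out `openldap_additional_schemas` block at L31–L34 would read better with a note that the task `Install some additional schemas` consumes it, since a reader of defaults cannot otherwise tell whether the key is still used.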
@ -0,0 +1,3 @@
|
|||
/etc/pki/openldap/ r,
|
||||
/etc/pki/openldap/* r,
|
||||
|
|
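Review bot: The two rules grant slapd read access to everything directly under `/etc/pki/openldap/`, which presumably includes the TLS private key the letsencrypt tasks place there, and the file carries no comment saying why the profile is being widened; add one above the rules, e.g. `# slapd reads the letsencrypt-managed certificate and key from here (openldap_letsencrypt_managed)`. Note that `*` in an AppArmor path matches a single path component, so if the certificate hook ever writes into a subdirectory the rule would have to become `/etc/pki/openldap/** r,`; keep it at `*` as long as the files are flat, since the narrower glob is the safer default.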
@ -1,10 +1,10 @@
|
|||
---
|
||||
- include: openldap_packages.yml
|
||||
- include: openldap_initializazion.yml
|
||||
- import_tasks: openldap_packages.yml
|
||||
- import_tasks: openldap_initializazion.yml
|
||||
when: openldap_service_enabled
|
||||
- include: openldap_maintenance.yml
|
||||
- import_tasks: openldap_maintenance.yml
|
||||
when: openldap_service_enabled
|
||||
- include: openldap-letsencrypt.yml
|
||||
- import_tasks: openldap-letsencrypt.yml
|
||||
when: openldap_letsencrypt_managed
|
||||
|
||||
|
||||
|
|
|
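Review bot: `- import_tasks: openldap_packages.yml` at L81 is the only import without a `when: openldap_service_enabled` guard, while the initialization and maintenance imports at L84 and L93 carry it; if installing the packages on hosts where the service is disabled is intended, a comment on L81 would make that explicit, e.g. `# packages are always installed; only the service setup is gated by openldap_service_enabled`. Also worth noting in a comment near the top: with `import_tasks` the `when:` is attached to every task of the imported file and evaluated per task, whereas the replaced `include` evaluated it once, so an imported file must not rely on a variable that only becomes defined partway through it.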
@ -1,10 +1,24 @@
|
|||
---
|
||||
- name: Create a basic configuration
|
||||
- name: Install the apparmor additional configuration if we are going to use letsencrypt
|
||||
copy: src=usr.sbin.slapd.apparmor dest=/etc/apparmor.d/local/usr.sbin.slapd force=yes
|
||||
when: openldap_letsencrypt_managed
|
||||
|
||||
- name: Create a basic configuration via debconf
|
||||
debconf: name=slapd question='{{ item.question }}' value='{{ item.value }}' vtype='{{ item.vtype }}'
|
||||
with_items: '{{ slapd_debconf_params }}'
|
||||
when: openldap_service_enabled
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||
|
||||
- name: Install the ldif file needed to change the BASE DN and the Root DN
|
||||
template: src=base-dn.ldif.j2 dest=/etc/ldap/schema/base-dn.ldif owner=root group=root mode=0400
|
||||
register: base_dn_ldif
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||
|
||||
- name: Change the Base DN and Root DN
|
||||
shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/base-dn.ldif
|
||||
when: base_dn_ldif is changed
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||
|
||||
- name: Generate the local admin password
|
||||
shell: slappasswd -h {SSHA} -s {{ slapd_admin_pwd }} > /root/.slapdadmin ; chmod 400 /root/.slapdadmin
|
||||
args:
|
||||
|
@ -19,13 +33,25 @@
|
|||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||
|
||||
- name: Create the ldif file to set the admin password
|
||||
shell: ADMIN_PASS=$( cat /root/.slapdadmin ); sed -e "s/@ADMINPWD@/${ADMIN_PASS}/" /etc/ldap/adminpwd_ldif.tmpl > /etc/ldap/adminpwd.ldif ; chmod 400 /etc/ldap/adminpwd.ldif
|
||||
shell: export ADMIN_PASS=$( cat /root/.slapdadmin ); sed -e "s/@ADMINPWD@/${ADMIN_PASS}/" /etc/ldap/adminpwd_ldif.tmpl > /etc/ldap/adminpwd.ldif ; chmod 400 /etc/ldap/adminpwd.ldif
|
||||
when: slapd_admin_pwd is defined
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||
|
||||
- name: Finally set the admin password
|
||||
shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/adminpwd.ldif
|
||||
when: ( admin_pass_file | changed )
|
||||
when: admin_pass_file is changed
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||
|
||||
- name: Copy the monitor ldif file
|
||||
template: src={{ item }}.j2 dest=/etc/ldap/schema/{{ item }}
|
||||
with_items: '{{ openldap_base_schemas | default([]) }}'
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||
|
||||
- name: Install some default schemas
|
||||
shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
|
||||
args:
|
||||
creates: '/etc/ldap/schema/{{ item }}.installed'
|
||||
with_items: '{{ openldap_base_schemas | default([]) }}'
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||
|
||||
- name: Install some additional schemas
|
||||
|
|
|
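Review bot: The `creates` guard at L255 never matches the marker the command writes: the shell at L249 touches `/etc/ldap/schema/.{{ item }}.installed` (leading dot) while `creates` checks `/etc/ldap/schema/{{ item }}.installed`, so ldapadd is re-run on every play and, because the schema then already exists, will typically fail from the second run on. Align the two, e.g. `creates: '/etc/ldap/schema/.{{ item }}.installed'`, and chain with `&&` instead of `;` so the marker is only written when ldapadd succeeded: `shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} && touch /etc/ldap/schema/.{{ item }}.installed`. In the first hunk, the copy at L127 installs a new AppArmor local profile but has no `notify`, so the added rules are not active until the profile is reloaded; add a handler that runs `apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd` and notify it from that task, before slapd is expected to read the letsencrypt files. The ldapmodify at L169 is correctly limited to `base_dn_ldif is changed`, but `replace: olcSuffix` does not move entries created under the previous suffix, so the base entry that debconf created stays under the old DN — presumably fine on a fresh install, but worth a one-line comment on the task. The task `Install some additional schemas` starting at L266 continues outside the hunk.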
@ -0,0 +1,9 @@
|
|||
dn: olcDatabase={1}hdb,cn=config
|
||||
changetype: modify
|
||||
replace: olcSuffix
|
||||
olcSuffix: {{ openldap_base_dn }}
|
||||
|
||||
dn: olcDatabase={1}hdb,cn=config
|
||||
changetype: modify
|
||||
replace: olcRootDN
|
||||
olcRootDN: cn={{ openldap_admin_user }},{{ openldap_base_dn }}
|
|
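Review bot: The two change records at L275 and L289 target the same entry but are applied as separate operations, so if the olcRootDN replace fails after the olcSuffix replace succeeded, the suffix has moved while the root DN still points under the old one and the admin is locked out; merge them into one modify by replacing the blank line, `dn:` and `changetype:` lines at L287–L292 with a single `-` separator line, which makes both replaces one atomic operation. The database index and backend in `olcDatabase={1}hdb,cn=config` are hard-coded; recent slapd releases default to mdb, so consider templating the backend, e.g. `olcDatabase={1}{{ openldap_db_backend | default('hdb') }},cn=config` (variable name is a constructed example, not one the role defines). A header comment such as `# Rewrites the suffix and root DN of the first database; applied once by openldap_initializazion.yml when this file changes` would also help, since the template is otherwise silent about when and why it runs.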
@ -0,0 +1,5 @@
|
|||
dn: olcDatabase={1}monitor,cn=config
|
||||
changetype: modify
|
||||
replace: olcAccess
|
||||
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn={{ openldap_admin_user }},{{ openldap_base_dn }}" read by * none
|
||||
|
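Review bot: The target `olcDatabase={1}monitor,cn=config` at L304 uses the same ordering index as `olcDatabase={1}hdb` in base-dn.ldif.j2 from this commit; olcDatabase entries are X-ORDERED siblings with unique indices, so unless this host's layout differs from a stock slapd, one of the two DNs cannot exist and the modify returns noSuchObject. Because the record is `changetype: modify` it also assumes a monitor database has already been added, which a default Debian/Ubuntu slapd does not ship; if the database is not yet present, make this file add it together with the access rule, as in the excerpt below, so the same ldapadd task creates it once under its `creates` guard. The `dn.base` value at L313 contains a space in `cn=external, cn=auth`; slapd presumably normalizes the DN, but the canonical form has no space, so drop it rather than rely on normalization. Keeping `by * none` as the final clause is the right choice, since it leaves the monitor backend unreadable to anything but root over ldapi and the admin DN.
```ldif
dn: olcDatabase=monitor,cn=config
changetype: add
objectClass: olcDatabaseConfig
objectClass: olcMonitorConfig
olcDatabase: monitor
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn={{ openldap_admin_user }},{{ openldap_base_dn }}" read by * none
```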