From f9cea4b1430b6a690e92527f91a13c958120455f Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Thu, 1 Mar 2018 14:30:17 +0100 Subject: [PATCH] Various fixes to the ldap playbook. Now force the correct base DN. --- openldap-server/defaults/main.yml | 7 ++++ openldap-server/files/usr.sbin.slapd.apparmor | 3 ++ openldap-server/tasks/main.yml | 8 ++--- .../tasks/openldap_initializazion.yml | 32 +++++++++++++++++-- openldap-server/templates/base-dn.ldif.j2 | 9 ++++++ openldap-server/templates/monitor.ldif.j2 | 5 +++ 6 files changed, 57 insertions(+), 7 deletions(-) create mode 100644 openldap-server/files/usr.sbin.slapd.apparmor create mode 100644 openldap-server/templates/base-dn.ldif.j2 create mode 100644 openldap-server/templates/monitor.ldif.j2 diff --git a/openldap-server/defaults/main.yml b/openldap-server/defaults/main.yml index 209176c4..ce49a2e9 100644 --- a/openldap-server/defaults/main.yml +++ b/openldap-server/defaults/main.yml @@ -19,9 +19,16 @@ openldap_db_dir: /var/lib/ldap # cosine.ldif # inetorgperson.ldif # nis.ldif + +openldap_base_schemas: + - monitor.ldif + #openldap_additional_schemas: # - dyngroup.ldif +openldap_admin_user: admin +openldap_base_dn: 'dc=example,dc=org' + openldap_cleaner_cron_job: False openldap_letsencrypt_managed: False diff --git a/openldap-server/files/usr.sbin.slapd.apparmor b/openldap-server/files/usr.sbin.slapd.apparmor new file mode 100644 index 00000000..92bd8763 --- /dev/null +++ b/openldap-server/files/usr.sbin.slapd.apparmor @@ -0,0 +1,3 @@ + /etc/pki/openldap/ r, + /etc/pki/openldap/* r, + \ No newline at end of file diff --git a/openldap-server/tasks/main.yml b/openldap-server/tasks/main.yml index 99857330..790b71ca 100644 --- a/openldap-server/tasks/main.yml +++ b/openldap-server/tasks/main.yml 
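Review bot: `openldap_base_dn: 'dc=example,dc=org'` ships a placeholder as a live default, and the base-dn.ldif.j2 task added in this same commit applies it with `replace: olcSuffix` / `replace: olcRootDN` on any host where the variable is not overridden, so a forgotten override silently rewrites the directory suffix to the example domain instead of failing. I would either leave the variable out of defaults so the template task errors on an undefined variable, or keep the default and guard the role with `- assert: { that: openldap_base_dn != 'dc=example,dc=org', msg: 'openldap_base_dn must be set per deployment' }` before the ldapmodify runs. At minimum state the contract next to the default: `# openldap_base_dn: must be overridden per deployment; the role rewrites olcSuffix and olcRootDN from it`.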
@@ -1,10 +1,10 @@ --- -- include: openldap_packages.yml -- include: openldap_initializazion.yml +- import_tasks: openldap_packages.yml +- import_tasks: openldap_initializazion.yml when: openldap_service_enabled -- include: openldap_maintenance.yml +- import_tasks: openldap_maintenance.yml when: openldap_service_enabled -- include: openldap-letsencrypt.yml +- import_tasks: openldap-letsencrypt.yml when: openldap_letsencrypt_managed diff --git a/openldap-server/tasks/openldap_initializazion.yml b/openldap-server/tasks/openldap_initializazion.yml index fe07686c..ef412551 100644 --- a/openldap-server/tasks/openldap_initializazion.yml +++ b/openldap-server/tasks/openldap_initializazion.yml @@ -1,10 +1,24 @@ --- -- name: Create a basic configuration +- name: Install the apparmor additional configuration if we are going to use letsencrypt + copy: src=usr.sbin.slapd.apparmor dest=/etc/apparmor.d/local/usr.sbin.slapd force=yes + when: openldap_letsencrypt_managed + +- name: Create a basic configuration via debconf debconf: name=slapd question='{{ item.question }}' value='{{ item.value }}' vtype='{{ item.vtype }}' with_items: '{{ slapd_debconf_params }}' when: openldap_service_enabled tags: [ 'ldap_server', 'ldap', 'ldap_conf' ] +- name: Install the ldif file needed to change the BASE DN and the Root DN + template: src=base-dn.ldif.j2 dest=/etc/ldap/schema/base-dn.ldif owner=root group=root mode=0400 + register: base_dn_ldif + tags: [ 'ldap_server', 'ldap', 'ldap_conf' ] + +- name: Change the Base DN and Root DN + shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/base-dn.ldif + when: base_dn_ldif is changed + tags: [ 'ldap_server', 'ldap', 'ldap_conf' ] + - name: Generate the local admin password shell: slappasswd -h {SSHA} -s {{ slapd_admin_pwd }} > /root/.slapdadmin ; chmod 400 /root/.slapdadmin args: 
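Review bot: The new apparmor task copies `/etc/apparmor.d/local/usr.sbin.slapd` but nothing in this hunk reloads the slapd profile, so the extra `/etc/pki/openldap` read rules only take effect after a reboot or a manual reload; unless a handler outside this file already covers it, add `notify: reload slapd apparmor profile` to the copy task with a handler running `apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd`. The `Change the Base DN and Root DN` task is gated on `when: base_dn_ldif is changed`, so if `ldapmodify` fails (slapd not yet listening on ldapi, or the database RDN in the template not matching the host) the rendered LDIF is already on disk and the modification is never retried on the next run; registering the ldapmodify result and gating on the actual `olcSuffix` value read from `cn=config` rather than on the template's change state would make the failure visible and recoverable. The body of this tasks file continues past the hunk.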
@@ -19,13 +33,25 @@
 tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
 
 - name: Create the ldif file to set the admin password
- shell: ADMIN_PASS=$( cat /root/.slapdadmin ); sed -e "s/@ADMINPWD@/${ADMIN_PASS}/" /etc/ldap/adminpwd_ldif.tmpl > /etc/ldap/adminpwd.ldif ; chmod 400 /etc/ldap/adminpwd.ldif
+ shell: export ADMIN_PASS=$( cat /root/.slapdadmin ); sed -e "s/@ADMINPWD@/${ADMIN_PASS}/" /etc/ldap/adminpwd_ldif.tmpl > /etc/ldap/adminpwd.ldif ; chmod 400 /etc/ldap/adminpwd.ldif
 when: slapd_admin_pwd is defined
 tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
 
 - name: Finally set the admin password
 shell: ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/adminpwd.ldif
- when: ( admin_pass_file | changed )
+ when: admin_pass_file is changed
+ tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
+
+- name: Copy the monitor ldif file
+ template: src={{ item }}.j2 dest=/etc/ldap/schema/{{ item }}
+ with_items: '{{ openldap_base_schemas | default([]) }}'
+ tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
+
+- name: Install some default schemas
+ shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} ; touch /etc/ldap/schema/.{{ item }}.installed
+ args:
+ creates: '/etc/ldap/schema/{{ item }}.installed'
+ with_items: '{{ openldap_base_schemas | default([]) }}'
 tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
 
 - name: Install some additional schemas
diff --git a/openldap-server/templates/base-dn.ldif.j2 b/openldap-server/templates/base-dn.ldif.j2
new file mode 100644
index 00000000..8ef02fe3
--- /dev/null
+++ b/openldap-server/templates/base-dn.ldif.j2
@@ -0,0 +1,9 @@
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+replace: olcSuffix
+olcSuffix: {{ openldap_base_dn }}
+
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+replace: olcRootDN
+olcRootDN: cn={{ openldap_admin_user }},{{ openldap_base_dn }}
diff --git a/openldap-server/templates/monitor.ldif.j2 b/openldap-server/templates/monitor.ldif.j2
new file mode 100644
index 00000000..fa07bc27
--- /dev/null
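Review bot: The `creates:` guard on `Install some default schemas` never fires: the shell touches `/etc/ldap/schema/.{{ item }}.installed` (dot-prefixed) while `creates` checks `/etc/ldap/schema/{{ item }}.installed`, so ldapadd re-runs on every play, and because the two commands are joined with `;` the marker is written and the task succeeds even when ldapadd fails. Change the guard to `creates: '/etc/ldap/schema/.{{ item }}.installed'` and the command to `ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }} && touch /etc/ldap/schema/.{{ item }}.installed` so a failed load is reported and retried. The reworked admin-password line keeps `/` as the sed delimiter, but an `{SSHA}` hash is base64 and can contain `/` (and `+`), so `sed -e "s/@ADMINPWD@/${ADMIN_PASS}/"` breaks for a fraction of generated hashes; `sed -e "s|@ADMINPWD@|${ADMIN_PASS}|"` avoids the collision. The surrounding tasks file continues beyond this hunk.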
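Review bot: The target `olcDatabase={1}hdb,cn=config` is hard-coded in both entries, but the data database's RDN depends on the backend and ordinal slapd assigned at install time (recent Debian/Ubuntu packages create `olcDatabase={1}mdb`), so on such hosts the modify is rejected and the suffix is never changed; parameterise it, e.g. `dn: olcDatabase={1}{{ openldap_backend | default('hdb') }},cn=config`, or look the RDN up with an ldapsearch on `cn=config` before rendering. Replacing `olcSuffix` on a database that already holds entries under the old suffix does not move them — they remain in the backend but are no longer addressable — so this LDIF is only safe right after the debconf-driven initial setup, and a header comment such as `# Apply only to a freshly initialised database: olcSuffix is replaced, existing entries are not migrated` would record that assumption. Both changes touch the same entry and can be one modify with a `-` separator, which makes the suffix/rootDN update atomic.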
+++ b/openldap-server/templates/monitor.ldif.j2
@@ -0,0 +1,5 @@
+dn: olcDatabase={1}monitor,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external, cn=auth" read by dn.base="cn={{ openldap_admin_user }},{{ openldap_base_dn }}" read by * none
+
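Review bot: `changetype: modify` on `olcDatabase={1}monitor,cn=config` assumes a monitor backend already exists with exactly that RDN, which nothing in this role creates and which a stock Debian/Ubuntu cn=config does not contain; ordinals among cn=config siblings are unique, so this template and base-dn.ldif.j2 (which targets `olcDatabase={1}hdb`) cannot both be right on the same host, and whichever one misses fails with noSuchObject while the calling task's `;` masks the exit status. If the intent is to enable the monitor backend, make this an add instead: `dn: olcDatabase=monitor,cn=config`, `changetype: add`, `objectClass: olcDatabaseConfig`, `olcDatabase: monitor`, followed by the same `olcAccess` value — then the file is genuinely `ldapadd` material as the task name suggests. The ACL itself is sound: root over ldapi and the admin DN get read, everyone else `none`.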