Changeset - 011f651f90ce
[Not reviewed]
Branko Majic (branko) - 9 years ago 2015-10-18 11:57:41
branko@majic.rs
MAR-40: Updated the XMPP role to be more in line with other roles (like mail server) by having more implicit settings/expected LDAP directory structure. Removed a number of options that are now hard-coded. Updated testsite appropriately to accommodate this change.
5 files changed with 41 insertions and 60 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -615,6 +615,15 @@ Prosody is configured as follows:
 
* For each domain specified, a dedicated file proxy service will be set-up, with
 
  FQDN set to ``proxy.DOMAIN``.
 

	
 
Prosody expects a specific directory structure in LDAP when doing look-ups:
 

	
 
* Prosody will log-in to LDAP as user
 
  ``cn=prosody,ou=services,XMPP_LDAP_BASE_DN``.
 
* User entries are read from sub-tree (first-level only)
 
  ``ou=people,XMPP_LDAP_BASE_DN``. Query filter used for finding users is
 
  ``(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,XMPP_LDAP_BASE_DN))``. This
 
  allows group-based granting of XMPP service to users.
 

	
 

	
 
Parameters
 
~~~~~~~~~~
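Review bot: "read from sub-tree (first-level only)" contradicts itself; the template sets `ldap_scope = "onelevel"`, so say "read from the entries directly under ``ou=people,XMPP_LDAP_BASE_DN`` (one level, no sub-trees)". The hard-coded `memberOf=` filter also only works when the LDAP server exposes the memberOf attribute; the old example carried the comment "This would require that the memberof overlay is available on LDAP server side.", and now that users can no longer override the filter that requirement belongs in this paragraph, since on a server without the overlay every user lookup simply matches nothing.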
 
@@ -624,48 +633,29 @@ Parameters
 
  Prosody. Each item is a string with value equal to XMPP user ID
 
  (i.e. ``john.doe@example.com``).
 

	
 
**xmpp_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_fqdn }}_xmpp.key``)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  XMPP service. The file will be copied to directory ``/etc/ssl/private/``.
 

	
 
**xmpp_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_xmpp.pem``)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``.
 

	
 
**xmpp_domains** (list, optional, ``{{ ansible_domain }}``)
 
  List of domains that are served by this Prosody instance. Each item is a
 
  string specifying a domain.
 

	
 
**xmpp_ldap_server** (string, mandatory)
 
  Fully qualified domain name, hostname, or IP address of the LDAP server used
 
  for user authentication and listing.
 

	
 
**xmpp_ldap_bind_dn** (string, mandatory)
 
  Distinguished name of LDAP user used for authenticating to the LDAP
 
  server. This user is used for looking-up the users available on the
 
  server. Users themselves authenticate via their own account.
 
**xmpp_ldap_base_dn** (string, mandatory)
 
  Base DN on the LDAP server. A specific directory structure is expected under
 
  this entry (as explained above) in order to locate the available domains,
 
  users, aliases etc.
 

	
 
**xmpp_ldap_password** (string, mandatory)
 
  Password used for authenticating to the LDAP server.
 

	
 
**xmpp_ldap_filter** (string, optional, ``(mail=$user@$host)``)
 
  LDAP filter used for obtaining a list of users available on the Prosody
 
  server. Two special strings can be used for specifying the user and domain,
 
  ``$user``, and ``$host`` within. These will be replaced with real values in
 
  the filter every time a user is looked-up.
 

	
 
**xmpp_ldap_scope** (string, optional, ``subtree``)
 
  Scope for performing the LDAP search for obtaining a list of users available
 
  on the Prosody server.
 
**xmpp_ldap_server** (string, mandatory)
 
  Fully qualified domain name, hostname, or IP address of the LDAP server used
 
  for user authentication and listing.
 

	
 
**xmpp_ldap_base** (string, optional, see below)
 
  Base DN under which the lists of users available on the Prosody should be
 
  looked-up.
 
**xmpp_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_xmpp.pem``)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``.
 

	
 
  If not specified, the value will default to base DN constructed by putting all
 
  elements of the server's domain as ``dc`` entries (as per standard Debian
 
  convention). I.e. if XMPP server domain is ``example.com``, the resulting base
 
  DN would be ``dc=example,dc=com``.
 
**xmpp_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_fqdn }}_xmpp.key``)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  XMPP service. The file will be copied to directory ``/etc/ssl/private/``.
 

	
 

	
 
Examples
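Review bot: both copies of the **xmpp_tls_certificate** entry describe the certificate as used "for TLS for SMTP service"; this is the XMPP role, so it should read "for XMPP service", matching the **xmpp_tls_key** entry. The new **xmpp_ldap_base_dn** entry also says the structure is needed "to locate the available domains, users, aliases etc.", but the structure described above only covers the service account, ``ou=people`` and the ``cn=xmpp`` group, while domains come from **xmpp_domains** and the role has no aliases; trim it to "the service account, users and the XMPP group" so it does not imply mail-role semantics.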
 
@@ -679,20 +669,15 @@ Here is an example configuration for setting-up XMPP server using Prosody:
 

	
 
  xmpp_administrators:
 
    - john.doe@example.com
 
  # These are default key and certificate that generated during Prosody
 
  # installation.
 
  xmpp_tls_key: /etc/prosody/certs/localhost.key
 
  xmpp_tls_certificate: /etc/prosody/certs/localhost.crt
 
  xmpp_domains:
 
    - example.com
 
  xmpp_ldap_server: ldap.example.com
 
  xmpp_ldap_bind_dn: cn=xmpp,ou=services,dc=example,dc=com
 
  xmpp_ldap_base_dn: dc=example,dc=com
 
  xmpp_ldap_password: xmpp
 
  # This would require that the memberof overlay is available on LDAP server
 
  # side.
 
  xmpp_ldap_filter: '(&(memberOf=cn=xmpp,ou=groups,dc=example,dc=com)(mail=$user@$host))'
 
  xmpp_ldap_scope: "onelevel"
 
  xmpp_ldap_base: "ou=people,dc=example,dc=com"
 
  xmpp_ldap_server: ldap.example.com
 
  # These are default key and certificate that generated during Prosody
 
  # installation. Possibly you want to deploy your own.
 
  xmpp_tls_key: /etc/prosody/certs/localhost.key
 
  xmpp_tls_certificate: /etc/prosody/certs/localhost.crt
 

	
 

	
 
Mail Server
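Review bot: the example keeps `xmpp_tls_key: /etc/prosody/certs/localhost.key` and `xmpp_tls_certificate: /etc/prosody/certs/localhost.crt`, while the parameter docs describe these as paths on the Ansible host that get copied into ``/etc/ssl/private/`` and ``/etc/ssl/certs/``; the localhost.* files are generated by Prosody on the server itself, so if "Ansible host" means the controller the example cannot work as written. Either point at controller-side files (or the parameter defaults) and keep the dropped hint "Possibly you want to deploy your own." The comment "that generated during Prosody installation" should read "that are generated".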
roles/xmpp_server/defaults/main.yml
 
---
 

	
 
xmpp_domains: "{{ ansible_domain }}"
 
xmpp_ldap_filter: '(mail=$user@$host)'
 
xmpp_ldap_scope: subtree
 
xmpp_ldap_base: "{{ ansible_domain | regex_replace('\\.', ',dc=') | regex_replace('^', 'dc=') }}"
 
xmpp_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_xmpp.pem"
 
xmpp_tls_key: "{{ tls_private_key_dir }}/{{ ansible_fqdn }}_xmpp.key"
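Review bot: `xmpp_domains: "{{ ansible_domain }}"` is still a plain string, while the reference documents **xmpp_domains** as a list; templating a string where a list is expected iterates over its characters (or fails, depending on the consumer). Make the default a one-element list, e.g. `xmpp_domains:` followed by `  - "{{ ansible_domain }}"`. Dropping the filter/scope/base defaults is consistent with the docs hunk; nothing else in this file references them.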
roles/xmpp_server/templates/prosody.cfg.lua.j2
 
@@ -61,12 +61,12 @@ pidfile = "/var/run/prosody/prosody.pid"
 
-- Authentication backend.
 
authentication = "ldap"
 
ldap_server = "{{ xmpp_ldap_server }}"
 
ldap_rootdn = "{{ xmpp_ldap_bind_dn }}"
 
ldap_rootdn = "cn=prosody,ou=services,{{ xmpp_ldap_base_dn }}"
 
ldap_password = "{{ xmpp_ldap_password }}"
 
ldap_filter = "{{ xmpp_ldap_filter }}"
 
ldap_scope = "{{ xmpp_ldap_scope }}"
 
ldap_filter = "(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,{{xmpp_ldap_base_dn}}))"
 
ldap_scope = "onelevel"
 
ldap_tls = true
 
ldap_base = "{{ xmpp_ldap_base }}"
 
ldap_base = "ou=people,{{ xmpp_ldap_base_dn }}"
 

	
 
-- Storage backend.
 
storage = "internal"
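Review bot: `{{xmpp_ldap_base_dn}}` in the new `ldap_filter` line has no spaces inside the braces, while every other expression in this template uses `{{ xmpp_ldap_base_dn }}`; keep one style. Since `ldap_rootdn`, `ldap_filter` and `ldap_base` are now all derived from a single variable, a short template comment that `cn=prosody,ou=services`, `cn=xmpp,ou=groups` and `ou=people` must exist under that base before anyone can authenticate would help whoever edits this file next; that expectation currently lives only in the docs.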
testsite/group_vars/ldap.yml
 
@@ -25,8 +25,8 @@ ldap_client_config:
 

	
 
ldap_admin_password: admin
 
ldap_server_consumers:
 
  - name: xmpp
 
    password: xmpp
 
  - name: prosody
 
    password: prosody
 
  - name: postfix
 
    password: postfix
 
  - name: dovecot
 
@@ -89,6 +89,11 @@ ldap_entries:
 
      - uid=johndoe,ou=people,{{ testsite_ldap_base }}
 
      - uid=janedoe,ou=people,{{ testsite_ldap_base }}
 
    state: append
 
  - dn: "cn=xmpp,ou=groups,{{ testsite_ldap_base }}"
 
    uniqueMember:
 
      - uid=johndoe,ou=people,{{ testsite_ldap_base }}
 
      - uid=janedoe,ou=people,{{ testsite_ldap_base }}
 
    state: append
 
  - dn: dc={{ testsite_domain }},ou=domains,ou=mail,ou=services,{{ testsite_ldap_base }}
 
    objectClass: dNSDomain
 
    dc: "{{ testsite_domain }}"
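Review bot: the new `cn=xmpp,ou=groups` entry lists `uniqueMember` values with `state: append` but no `objectClass`, whereas the `dNSDomain` entry just below shows the pattern for creating an entry with `objectClass` and its naming attribute. If `state: append` only adds attributes to an entry that already exists, the group is never created and the `memberOf=cn=xmpp,...` filter in the Prosody template matches nobody; either add `objectClass: groupOfUniqueNames` and `cn: xmpp` here, or create the group wherever the other `ou=groups` entries are defined.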
testsite/group_vars/xmpp.yml
 
@@ -19,12 +19,6 @@ xmpp_domains:
 

	
 
xmpp_ldap_server: ldap.{{ testsite_domain }}
 

	
 
xmpp_ldap_bind_dn: cn=xmpp,ou=services,{{ testsite_ldap_base }}
 
xmpp_ldap_password: prosody
 

	
 
xmpp_ldap_password: xmpp
 

	
 
xmpp_ldap_filter: '(&(memberOf=cn=xmpp,ou=groups,{{ testsite_ldap_base }})(mail=$user@$host))'
 

	
 
xmpp_ldap_scope: "onelevel"
 

	
 
xmpp_ldap_base: "ou=people,{{ testsite_ldap_base }}"
 
xmpp_ldap_base_dn: "{{ testsite_ldap_base }}"
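Review bot: the remaining variables mix quoting styles (`xmpp_ldap_server: ldap.{{ testsite_domain }}` unquoted, `xmpp_ldap_base_dn: "{{ testsite_ldap_base }}"` quoted); the unquoted form only parses because the value does not start with `{`, so quote both for consistency. The password change to `prosody` matches the renamed consumer in ldap.yml and the hard-coded `cn=prosody,ou=services` bind DN in the template, so the three files agree.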