Changeset - 5eb7821a1e4d
Branko Majic (branko) - 2 months ago 2024-09-03 15:40:00
branko@majic.rs
MAR-218: Switch to using ldap_attrs module:

- Update invocations and syntax.
- Drop the workaround for configuring TLS on the LDAP server (should
be possible to set all relevant attributes at the same time at this
point).
- Group some invocations where it makes sense.
3 files changed with 36 insertions and 87 deletions:
roles/ldap_server/tasks/main.yml
 
@@ -58,11 +58,11 @@
 
    enabled: true
 

	
 
- name: Change log level for slapd
 
  ldap_attr:
 
  community.general.ldap_attrs:
 
    dn: cn=config
 
    attributes:
 
      olcLogLevel: "{{ ldap_server_log_level }}"
 
    state: exact
 
    name: olcLogLevel
 
    values: "{{ ldap_server_log_level }}"
 

	
 
- name: Test if LDAP misc schema has been applied
 
  ansible.builtin.command: "ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn"
 
@@ -116,81 +116,30 @@
 
    group: root
 
    mode: "0644"
 

	
 
# We need to have this hack around TLS configuration because OpenLDAP
 
# expects both private key and certificate to be set at the same
 
# time.
 
#
 
# OpenLDAP server behaviour is a bit weird around this thing, so here
 
# is what happens:
 
#
 
# 1. First we set the private key, but ignore all errors. This has not
 
#    yet changed the private key path, though.
 
#
 
# 2. Then we set the certificate. This succeeds, but the private key
 
#    path still has the old value. If we haven't done the step (1),
 
#    this task would fail too.
 
#
 
# 3. Now we can finally change the private key too, and LDAP server
 
#    will be able to validate it against the corresponding certificate.
 
#
 
# See https://github.com/ansible/ansible/issues/25665 for more
 
# information.
 
- name: Configure TLS private key (ignore errors)
 
  ldap_attr:
 
    dn: cn=config
 
    name: olcTLSCertificateKeyFile
 
    values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
    state: exact
 
  failed_when: false
 

	
 
- name: Configure TLS certificate
 
  ldap_attr:
 
    dn: cn=config
 
    name: olcTLSCertificateFile
 
    values: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
 
    state: exact
 

	
 
- name: Configure TLS private key
 
  ldap_attr:
 
    dn: cn=config
 
    name: olcTLSCertificateKeyFile
 
    values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
    state: exact
 

	
 
- name: Configure DH parameter
 
  ldap_attr:
 
    dn: cn=config
 
    name: olcTLSDHParamFile
 
    values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.dh.pem"
 
    state: exact
 

	
 
- name: Configure TLS cipher suites
 
  ldap_attr:
 
    dn: cn=config
 
    name: olcTLSCipherSuite
 
    values: "{{ ldap_tls_ciphers }}"
 
    state: exact
 

	
 
- name: Configure SSF for local unix socket connections
 
  ldap_attr:
 
- name: Configure TLS
 
  community.general.ldap_attrs:
 
    dn: cn=config
 
    attributes:
 
      olcTLSCertificateFile: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
 
      olcTLSCertificateKeyFile: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
      olcTLSDHParamFile: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.dh.pem"
 
      olcTLSCipherSuite: "{{ ldap_tls_ciphers }}"
 
    state: exact
 
    name: olcLocalSSF
 
    values: "{{ ldap_server_ssf }}"
 

	
 
- name: Configure required SSF
 
  ldap_attr:
 
- name: Configure required SSF (make sure local unix socket connections are allowed)
 
  community.general.ldap_attrs:
 
    dn: cn=config
 
    attributes:
 
      olcLocalSSF: "{{ ldap_server_ssf }}"
 
      olcSecurity: "ssf={{ ldap_server_ssf }}"
 
    state: exact
 
    name: olcSecurity
 
    values: "ssf={{ ldap_server_ssf }}"
 

	
 
- name: Enable the memberof module
 
  ldap_attr:
 
  community.general.ldap_attrs:
 
    dn: "cn=module{0},cn=config"
 
    attributes:
 
      olcModuleLoad: "{1}memberof"
 
    state: present
 
    name: olcModuleLoad
 
    values: "{1}memberof"
 

	
 
- name: Enable the memberof overlay for database
 
  community.general.ldap_entry:
 
@@ -259,10 +208,10 @@
 
  with_items: "{{ ldap_server_consumers }}"
 

	
 
- name: Update services login passwords
 
  ldap_attr:
 
  community.general.ldap_attrs:
 
    dn: "cn={{ item.name }},ou=services,{{ ldap_server_int_basedn }}"
 
    name: userPassword
 
    values: "{{ item.password }}"
 
    attributes:
 
      userPassword: "{{ item.password }}"
 
    state: exact
 
  with_items: "{{ ldap_server_consumers }}"
 
  when: "item.state | default('present') == 'present'"
 
@@ -315,10 +264,10 @@
 
  failed_when: false
 

	
 
- name: Update LDAP admin password
 
  ldap_attr:
 
  community.general.ldap_attrs:
 
    dn: "olcDatabase={1}mdb,cn=config"
 
    name: olcRootPW
 
    values: "{{ ldap_admin_password | ldap_password_hash }}"
 
    attributes:
 
      olcRootPW: "{{ ldap_admin_password | ldap_password_hash }}"
 
    state: exact
 
  when: ldap_admin_password_check.rc != 0
 

	
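Review bot: The "Update services login passwords" task in the third hunk feeds `item.password` into `attributes`, and because it loops with `with_items` Ansible echoes each `item` in the loop result, so the plaintext service passwords end up in play output and any log collector unless the task carries `no_log: true`; the hunk ends at the `when` line, so if that flag is set on a following line this is already covered. The same consideration applies to the `olcRootPW` task in the last hunk, where the hashed value is still printed in the task result. The fix is a single line on each task, `  no_log: true`, placed alongside `when`. The enclosing play and the module bind parameters start outside the hunks shown.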
roles/mail_server/molecule/default/prepare.yml
 
@@ -422,13 +422,13 @@
 
            rfc822MailMember: jane.doe@domain2
 

	
 
    - name: Add test accounts to correct group
 
      ldap_attr:
 
      community.general.ldap_attrs:
 
        dn: "cn=mail,ou=groups,dc=local"
 
        name: uniqueMember
 
        attributes:
 
          uniqueMember:
 
            - uid=john,ou=people,dc=local
 
            - uid=jane,ou=people,dc=local
 
        state: exact
 
        values:
 
          - uid=john,ou=people,dc=local
 
          - uid=jane,ou=people,dc=local
 

	
 
- name: Prepare, test fixtures
 
  hosts: parameters-mandatory,parameters-optional
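Review bot: The new `dn` value is double-quoted while the `uniqueMember` entries beneath it are plain scalars, although all of them are DN strings built from the same `=` and `,` characters; the task would read more consistently if they were quoted the same way, e.g. `- "uid=john,ou=people,dc=local"`. The same mixed quoting appears in the matching hunk of roles/xmpp_server/molecule/default/prepare.yml. Otherwise `state: exact` on `uniqueMember` replaces the group's whole membership with the listed fixtures, which is what a prepare step wants. The enclosing play starts outside the hunk.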
roles/xmpp_server/molecule/default/prepare.yml
 
@@ -252,15 +252,15 @@
 
            mail: noxmpp@domain1
 

	
 
    - name: Add test accounts to correct group
 
      ldap_attr:
 
      community.general.ldap_attrs:
 
        dn: "cn=xmpp,ou=groups,dc=local"
 
        name: uniqueMember
 
        attributes:
 
          uniqueMember:
 
            - uid=john,ou=people,dc=local
 
            - uid=jane,ou=people,dc=local
 
            - uid=mick,ou=people,dc=local
 
            - uid=eve,ou=people,dc=local
 
        state: exact
 
        values:
 
          - uid=john,ou=people,dc=local
 
          - uid=jane,ou=people,dc=local
 
          - uid=mick,ou=people,dc=local
 
          - uid=eve,ou=people,dc=local
 

	
 
- name: Prepare, test fixtures
 
  hosts: parameters-mandatory,parameters-optional