Changeset - 5eb7821a1e4d
0 3 0
Branko Majic (branko) - 16 days ago 2024-09-03 15:40:00
branko@majic.rs
MAR-218: Switch to using ldap_attrs module:

- Update invocations and syntax.
- Drop the workaround for configuring TLS on the LDAP server (should
be possible to set all relevant attributes at the same time at this
point).
- Group some invocations where it makes sense.
3 files changed with 32 insertions and 83 deletions:
roles/ldap_server/tasks/main.yml
 
@@ -55,17 +55,17 @@
 
  ansible.builtin.service:
 
    name: slapd
 
    state: started
 
    enabled: true
 

	
 
- name: Change log level for slapd
 
  ldap_attr:
 
  community.general.ldap_attrs:
 
    dn: cn=config
 
    attributes:
 
      olcLogLevel: "{{ ldap_server_log_level }}"
 
    state: exact
 
    name: olcLogLevel
 
    values: "{{ ldap_server_log_level }}"
 

	
 
- name: Test if LDAP misc schema has been applied
 
  ansible.builtin.command: "ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn"
 
  register: ldap_misc_schema_present
 
  changed_when: false
 

	
 
@@ -113,87 +113,36 @@
 
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
 
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_ldap.conf"
 
    owner: root
 
    group: root
 
    mode: "0644"
 

	
 
# We need to have this hack around TLS configuration because OpenLDAP
 
# expects both private key and certificate to be set at the same
 
# time.
 
#
 
# OpenLDAP server behaviour is a bit weird around this thing, so here
 
# is what happens:
 
#
 
# 1. First we set the private key, but ignore all errors. This has not
 
#    yet changed the private key path, though.
 
#
 
# 2. Then we set the certificate. This succeeds, but the private key
 
#    path still has the old value. If we haven't done the step (1),
 
#    this task would fail too.
 
#
 
# 3. Now we can finally change the private key too, and LDAP server
 
#    will be able to validate it against the corresponding certificate.
 
#
 
# See https://github.com/ansible/ansible/issues/25665 for more
 
# information.
 
- name: Configure TLS private key (ignore errors)
 
  ldap_attr:
 
    dn: cn=config
 
    name: olcTLSCertificateKeyFile
 
    values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
    state: exact
 
  failed_when: false
 

	
 
- name: Configure TLS certificate
 
  ldap_attr:
 
    dn: cn=config
 
    name: olcTLSCertificateFile
 
    values: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
 
    state: exact
 

	
 
- name: Configure TLS private key
 
  ldap_attr:
 
    dn: cn=config
 
    name: olcTLSCertificateKeyFile
 
    values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
    state: exact
 

	
 
- name: Configure DH parameter
 
  ldap_attr:
 
    dn: cn=config
 
    name: olcTLSDHParamFile
 
    values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.dh.pem"
 
    state: exact
 

	
 
- name: Configure TLS cipher suites
 
  ldap_attr:
 
    dn: cn=config
 
    name: olcTLSCipherSuite
 
    values: "{{ ldap_tls_ciphers }}"
 
    state: exact
 

	
 
- name: Configure SSF for local unix socket connections
 
  ldap_attr:
 
- name: Configure TLS
 
  community.general.ldap_attrs:
 
    dn: cn=config
 
    attributes:
 
      olcTLSCertificateFile: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
 
      olcTLSCertificateKeyFile: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
      olcTLSDHParamFile: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.dh.pem"
 
      olcTLSCipherSuite: "{{ ldap_tls_ciphers }}"
 
    state: exact
 
    name: olcLocalSSF
 
    values: "{{ ldap_server_ssf }}"
 

	
 
- name: Configure required SSF
 
  ldap_attr:
 
- name: Configure required SSF (make sure local unix socket connections are allowed)
 
  community.general.ldap_attrs:
 
    dn: cn=config
 
    attributes:
 
      olcLocalSSF: "{{ ldap_server_ssf }}"
 
      olcSecurity: "ssf={{ ldap_server_ssf }}"
 
    state: exact
 
    name: olcSecurity
 
    values: "ssf={{ ldap_server_ssf }}"
 

	
 
- name: Enable the memberof module
 
  ldap_attr:
 
  community.general.ldap_attrs:
 
    dn: "cn=module{0},cn=config"
 
    attributes:
 
      olcModuleLoad: "{1}memberof"
 
    state: present
 
    name: olcModuleLoad
 
    values: "{1}memberof"
 

	
 
- name: Enable the memberof overlay for database
 
  community.general.ldap_entry:
 
    dn: "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config"
 
    objectClass:
 
      - olcConfig
 
@@ -256,16 +205,16 @@
 
      cn: "{{ item.name }}"
 
      userPassword: "{{ item.password }}"
 
    state: "{{ item.state | default('present') }}"
 
  with_items: "{{ ldap_server_consumers }}"
 

	
 
- name: Update services login passwords
 
  ldap_attr:
 
  community.general.ldap_attrs:
 
    dn: "cn={{ item.name }},ou=services,{{ ldap_server_int_basedn }}"
 
    name: userPassword
 
    values: "{{ item.password }}"
 
    attributes:
 
      userPassword: "{{ item.password }}"
 
    state: exact
 
  with_items: "{{ ldap_server_consumers }}"
 
  when: "item.state | default('present') == 'present'"
 

	
 
- name: Create or remove user-supplied groups
 
  community.general.ldap_entry:
 
@@ -312,16 +261,16 @@
 
  ansible.builtin.command: "ldapwhoami -H ldapi:/// -D 'cn=admin,{{ ldap_server_int_basedn }}' -x -y /root/.ldap_admin_password"
 
  register: ldap_admin_password_check
 
  changed_when: ldap_admin_password_check.rc != 0
 
  failed_when: false
 

	
 
- name: Update LDAP admin password
 
  ldap_attr:
 
  community.general.ldap_attrs:
 
    dn: "olcDatabase={1}mdb,cn=config"
 
    name: olcRootPW
 
    values: "{{ ldap_admin_password | ldap_password_hash }}"
 
    attributes:
 
      olcRootPW: "{{ ldap_admin_password | ldap_password_hash }}"
 
    state: exact
 
  when: ldap_admin_password_check.rc != 0
 

	
 
- name: Remove temporary file with LDAP admin password
 
  ansible.builtin.file:
 
    path: "/root/.ldap_admin_password"
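Review bot: The converted "Update services login passwords" and "Update LDAP admin password" tasks pass credentials as module arguments (`userPassword: "{{ item.password }}"` inside a `with_items` loop, and `olcRootPW` with the hashed admin password) and neither sets `no_log`, so the loop item and module arguments can end up in verbose or failed-task output; add `no_log: true` to both tasks. The `ldap_entry` task at the top of the same hunk has the same exposure, but it is unchanged context here. Separately, the deleted comment block was the only place recording that OpenLDAP needs olcTLSCertificateFile and olcTLSCertificateKeyFile applied together, and the new grouped "Configure TLS" task presumably works because ldap_attrs applies all listed attributes in one modify; a short comment above that task, such as `# Certificate and key must be applied together; keep them in a single ldap_attrs task.`, would preserve that rationale for the next maintainer.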
roles/mail_server/molecule/default/prepare.yml
 
@@ -419,19 +419,19 @@
 
          objectClass: nisMailAlias
 
          attributes:
 
            cn: webmaster@domain2
 
            rfc822MailMember: jane.doe@domain2
 

	
 
    - name: Add test accounts to correct group
 
      ldap_attr:
 
      community.general.ldap_attrs:
 
        dn: "cn=mail,ou=groups,dc=local"
 
        name: uniqueMember
 
        state: exact
 
        values:
 
        attributes:
 
          uniqueMember:
 
            - uid=john,ou=people,dc=local
 
            - uid=jane,ou=people,dc=local
 
        state: exact
 

	
 
- name: Prepare, test fixtures
 
  hosts: parameters-mandatory,parameters-optional
 
  become: true
 
  tasks:
 

	
roles/xmpp_server/molecule/default/prepare.yml
 
@@ -249,21 +249,21 @@
 
            uid: noxmpp
 
            cn: No XMPP
 
            sn: XMPP
 
            mail: noxmpp@domain1
 

	
 
    - name: Add test accounts to correct group
 
      ldap_attr:
 
      community.general.ldap_attrs:
 
        dn: "cn=xmpp,ou=groups,dc=local"
 
        name: uniqueMember
 
        state: exact
 
        values:
 
        attributes:
 
          uniqueMember:
 
            - uid=john,ou=people,dc=local
 
            - uid=jane,ou=people,dc=local
 
            - uid=mick,ou=people,dc=local
 
            - uid=eve,ou=people,dc=local
 
        state: exact
 

	
 
- name: Prepare, test fixtures
 
  hosts: parameters-mandatory,parameters-optional
 
  become: true
 
  tasks:
 

	