Changeset - a6f0fe607199
Branko Majic (branko) - 6 years ago 2018-06-07 17:30:22
branko@majic.rs
MAR-129: Removed m_ldap_entry module:

- Removed the custom m_ldap_entry module used for managing LDAP
entries.
- Replaced the module usage with official ldap_entry and ldap_attr
modules.
- Updated role reference documentation.
- Updated usage instructions since we can't misuse the m_ldap_entry
any longer for adding members to groups.
4 files changed with 116 insertions and 505 deletions:
docs/rolereference.rst
 
@@ -647,8 +647,10 @@ Parameters
 
    LDAP DN entry.
 

	
 
  **state** (string, optional, ``present``)
 
    Whether the entry should be present or not. Value can be anything supported
 
    by the ``ldap_entry`` module.
 
    Whether the entry should be present or not. Value can be anything
 
    supported by the ``ldap_entry`` module. Keep in mind that state
 
    ``present`` will not update the attributes and their values if the
 
    entry is already present.
 

	
 
  **attributes** (dictionary, mandatory)
 
    Dictionary describing remaining attributes (except ``dn``). The keys in this
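Review bot: the new `state` text still says the value "can be anything supported by the ``ldap_entry`` module", but this same changeset drops the `append` and `replace` states that `m_ldap_entry` accepted (the `state: append` examples are removed from usage.rst and `default('append')` becomes `default('present')` in tasks/main.yml), so a reader with an existing `ldap_entries` list gets no hint that those values stop working. Name the states that remain valid next to the new caveat (this changeset itself only relies on `present` and `absent`), e.g. "Only ``present`` and ``absent`` are accepted; ``append``/``replace`` from the old custom module are gone."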
docs/usage.rst
 
@@ -766,20 +766,6 @@ role.
 
              userPassword: janedoe
 
              mail: jane.doe@example.com
 

	
 
          # Now, let's add the two users to the mail group. Observe that we use
 
          # the "state: append" option. This is a bit of a cheat since the
 
          # ldap_entries option passes the provided entries directly to the
 
          # m_ldap_entry module (this is a custom module, not to be confused with
 
          # the official ldap_entry module). "state: append" will make sure we
 
          # don't overwrite the group, and instead add the attributes to it (in
 
          # this case we add the two users from above).
 
          - dn: cn=mail,ou=groups,dc=example,dc=com
 
            state: append
 
            attributes:
 
              uniqueMember:
 
                - uid=johndoe,ou=people,dc=example,dc=com
 
                - uid=janedoe,ou=people,dc=example,dc=com
 

	
 
          # Let's register our domain in LDAP directory.
 
          - dn: dc=example.com,ou=domains,ou=mail,ou=services,dc=example,dc=com
 
            attributes:
 
@@ -795,7 +781,14 @@ role.
 
              cn: postmaster@example.com
 
              rfc822MailMember: john.doe@example.com
 

	
 
5. Once again, before we apply the configuration, we must make sure the
 
5. Let's add the two users to the mail group (otherwise, the mail
 
   server will ignore them). We'll use the ``ldap_attr`` module
 
   directly to make our life a bit easier::
 

	
 
     workon mysite && ansible --become -m ldap_attr -a "dn=cn=mail,ou=groups,dc=example,dc=com state=present name=uniqueMember value=uid=johndoe,ou=people,dc=example,dc=com" communications
 
     workon mysite && ansible --become -m ldap_attr -a "dn=cn=mail,ou=groups,dc=example,dc=com state=present name=uniqueMember value=uid=janedoe,ou=people,dc=example,dc=com" communications
 

	
 
6. Once again, before we apply the configuration, we must make sure the
 
   necessary TLS private keys and certificates are available. In this particular
 
   case, we need to set-up separate key/certificate pair for both the SMTP and
 
   IMAP service:
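Review bot: the two ad hoc commands in step 5 pass `value=...`, while every `ldap_attr` task added to roles/ldap_server/tasks/main.yml in this same changeset uses `values:`; if the module has no `value` alias these commands fail with a missing/unsupported argument error, so use `values=uid=johndoe,ou=people,dc=example,dc=com` here (and in the xmpp section). A sentence noting that these memberships are not part of the configuration applied by `playbooks/site.yml` in step 7, and therefore have to be re-run after a rebuild, would also help.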
 
@@ -833,11 +826,11 @@ role.
 
        certtool --sec-param normal --generate-privkey --outfile ~/mysite/tls/comms.example.com_imap.key
 
        certtool --generate-certificate --load-ca-privkey ~/mysite/tls/ca.key --load-ca-certificate ~/mysite/tls/ca.pem --template ~/mysite/tls/comms.example.com_imap.cfg --load-privkey ~/mysite/tls/comms.example.com_imap.key --outfile ~/mysite/tls/comms.example.com_imap.pem
 

	
 
6. Configuration and TLS keys have ben set-up, so it is time to apply the changes::
 
7. Configuration and TLS keys have ben set-up, so it is time to apply the changes::
 

	
 
     workon mysite && ansible-playbook playbooks/site.yml
 

	
 
7. If no errors have been reported, at this point you should have two mail
 
8. If no errors have been reported, at this point you should have two mail
 
   accounts - ``john.doe@example.com``, with password ``johndoe``, and
 
   ``jane.doe@example.com``, with password ``janedoe``. In this particular
 
   set-up, the mail addresses are used as usernames. If you want to test it out,
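Review bot: the renumbered step 7 carries the old typo "ben set-up" forward unchanged; since the line is being touched anyway, change it to "been set up".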
 
@@ -1030,25 +1023,10 @@ role.
 
      Same warning applies here as for mail server role for managing the
 
      user/group entries! Scroll up and re-read it if you missed it!
 

	
 
   :file:`~/mysite/group_vars/communications.yml`
 
   ::
 

	
 
      # Don't replace the entire ldap_entries, just append the new group
 
      # modification.
 
      ldap_entries:
 
          # Add the two users to the xmpp group. Observe that we use
 
          # the "state: append" option. This is a bit of a cheat since the
 
          # ldap_entries option passes the provided entries directly to the
 
          # m_ldap_entry module (this is a custom module, not to be confused
 
          # with the official ldap_entry module). "state: append" will make sure
 
          # we don't overwrite the group, and instead add the attributes to it
 
          # (in this case we add the two users).
 
          - dn: cn=xmpp,ou=groups,dc=example,dc=com
 
            state: append
 
            attributes:
 
              uniqueMember:
 
                - uid=johndoe,ou=people,dc=example,dc=com
 
                - uid=janedoe,ou=people,dc=example,dc=com
 
      workon mysite && ansible --become -m ldap_attr -a "dn=cn=xmpp,ou=groups,dc=example,dc=com state=present name=uniqueMember value=uid=johndoe,ou=people,dc=example,dc=com" communications
 
      workon mysite && ansible --become -m ldap_attr -a "dn=cn=xmpp,ou=groups,dc=example,dc=com state=present name=uniqueMember value=uid=janedoe,ou=people,dc=example,dc=com" communications
 

	
 
5. Do you know what comes next? Yes! Create some more TLS private keys
 
   and certificates, this time for our XMPP server ;)
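Review bot: the two `ansible --become -m ldap_attr` commands that replace the `state: append` block are dropped in at the indentation of the removed YAML, without the lead-in sentence and `::` literal-block marker that the mail-server section received; as shown they will either attach to the preceding literal block or render as a block quote. Give them the same "We'll use the ``ldap_attr`` module directly ...::" introduction as step 5 of the mail section. The `value=` vs `values` question raised for the mail section applies to these two lines as well.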
roles/ldap_server/library/m_ldap_entry.py
 
deleted file
roles/ldap_server/tasks/main.yml
 
@@ -82,11 +82,11 @@
 
    mode: 0644
 

	
 
- name: Change log level for slapd
 
  m_ldap_entry:
 
  ldap_attr:
 
    dn: cn=config
 
    state: replace
 
    attributes:
 
      olcLogLevel: "{{ ldap_server_log_level }}"
 
    state: exact
 
    name: olcLogLevel
 
    values: "{{ ldap_server_log_level }}"
 

	
 
- name: Test if LDAP misc schema has been applied
 
  command: "ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn"
 
@@ -125,40 +125,83 @@
 
    group: root
 
    mode: 0644
 

	
 
- name: Configure TLS for slapd (includes hardening)
 
  m_ldap_entry:
 
# We need to have this hack around TLS configuration because OpenLDAP
 
# expects both private key and certificate to be set at the same
 
# time.
 
#
 
# OpenLDAP server behaviour is a bit weird around this thing, so here
 
# is what happens:
 
#
 
# 1. First we set the private key, but ignore all errors. This has not
 
#    yet changed the private key path, though.
 
#
 
# 2. Then we set the certificate. This succeeds, but the private key
 
#    path still has the old value. If we haven't done the step (1),
 
#    this task would fail too.
 
#
 
# 3. Now we can finally change the private key too, and LDAP server
 
#    will be able to validate it against the corresponding certificate.
 
#
 
# See https://github.com/ansible/ansible/issues/25665 for more
 
# information.
 
- name: Configure TLS private key (ignore errors)
 
  ldap_attr:
 
    dn: cn=config
 
    state: replace
 
    attributes:
 
      olcTLSCertificateFile: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
 
      olcTLSCertificateKeyFile: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
      olcTLSCipherSuite: "{{ ldap_tls_ciphers }}"
 
  notify:
 
    - Restart slapd
 
    name: olcTLSCertificateKeyFile
 
    values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
    state: exact
 
  failed_when: false
 

	
 
- name: Configure SSF
 
  m_ldap_entry:
 
- name: Configure TLS certificate
 
  ldap_attr:
 
    dn: cn=config
 
    state: replace
 
    attributes:
 
      olcSecurity: "ssf={{ ldap_server_ssf }}"
 
      olcLocalSSF: "{{ ldap_server_ssf }}"
 
    name: olcTLSCertificateFile
 
    values: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
 
    state: exact
 

	
 
- name: Configure TLS private key
 
  ldap_attr:
 
    dn: cn=config
 
    name: olcTLSCertificateKeyFile
 
    values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
    state: exact
 

	
 
- name: Configure TLS cipher suites
 
  ldap_attr:
 
    dn: cn=config
 
    name: olcTLSCipherSuite
 
    values: "{{ ldap_tls_ciphers }}"
 
    state: exact
 

	
 
- name: Configure SSF for local unix socket connections
 
  ldap_attr:
 
    dn: cn=config
 
    state: exact
 
    name: olcLocalSSF
 
    values: "{{ ldap_server_ssf }}"
 

	
 
- name: Configure required SSF
 
  ldap_attr:
 
    dn: cn=config
 
    state: exact
 
    name: olcSecurity
 
    values: "ssf={{ ldap_server_ssf }}"
 

	
 
- name: Enable the memberof module
 
  m_ldap_entry:
 
  ldap_attr:
 
    dn: "cn=module{0},cn=config"
 
    state: append
 
    attributes:
 
      olcModuleLoad: "{1}memberof"
 
    state: present
 
    name: olcModuleLoad
 
    values: "{1}memberof"
 

	
 
- name: Enable the memberof overlay for database
 
  m_ldap_entry:
 
  ldap_entry:
 
    dn: "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config"
 
    objectClass:
 
      - olcConfig
 
      - olcMemberOf
 
      - olcOverlayConfig
 
    attributes:
 
      objectClass:
 
        - olcConfig
 
        - olcMemberOf
 
        - olcOverlayConfig
 
      olcOverlay: memberof
 
      olcMemberOfRefInt: "TRUE"
 
      olcMemberOfGroupOC: groupOfUniqueNames
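Review bot: the `notify: - Restart slapd` attached to the old combined TLS task is not carried over to any of the four new `ldap_attr` tasks (private key with errors ignored, certificate, private key, cipher suites), so a changed key, certificate or cipher suite no longer triggers the handler; either confirm that slapd reloads its TLS context on cn=config changes without a restart, or put the notify back on `Configure TLS cipher suites`, the last task of the sequence. Separately, `failed_when: false` on the first task swallows bind and connection failures as well as the key/certificate mismatch the comment block describes; registering the result and failing on anything other than that known error keeps the workaround from hiding an unreachable server.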
 
@@ -170,12 +213,11 @@
 
    rules: "{{ ldap_permissions }}"
 

	
 
- name: Create basic LDAP directory structure
 
  m_ldap_entry: ""
 
  args:
 
  ldap_entry:
 
    dn: "ou={{ item }},{{ ldap_server_int_basedn }}"
 
    objectClass:
 
      - organizationalUnit
 
    attributes:
 
      objectClass:
 
        - organizationalUnit
 
      ou: "{{ item }}"
 
  with_items:
 
    - people
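Review bot: `objectClass` is given twice in the task, once as the `ldap_entry` parameter and again under `attributes`, as a list here but as a scalar (`objectClass: organizationalUnit`) in the next hunk; pick one form for all the converted tasks, and check the module documentation on whether the copy under `attributes` is needed at all, since the parameter already declares the classes.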
 
@@ -183,54 +225,62 @@
 
    - services
 

	
 
- name: Create the entry that will contain mail service information
 
  m_ldap_entry: ""
 
  args:
 
  ldap_entry:
 
    dn: "ou=mail,ou=services,{{ ldap_server_int_basedn }}"
 
    objectClass:
 
      - organizationalUnit
 
    attributes:
 
      objectClass: organizationalUnit
 
      ou: mail
 

	
 
- name: Create LDAP directory structure for mail service
 
  m_ldap_entry: ""
 
  args:
 
  ldap_entry:
 
    dn: "ou={{ item }},ou=mail,ou=services,{{ ldap_server_int_basedn }}"
 
    objectClass:
 
      - organizationalUnit
 
    attributes:
 
      objectClass: organizationalUnit
 
      ou: "{{ item }}"
 
  with_items:
 
    - domains
 
    - aliases
 

	
 
- name: Create or remove login entries for services
 
  m_ldap_entry: ""
 
  args:
 
  ldap_entry:
 
    dn: "cn={{ item.name }},ou=services,{{ ldap_server_int_basedn }}"
 
    objectClass:
 
      - applicationProcess
 
      - simpleSecurityObject
 
    attributes:
 
      objectClass:
 
        - applicationProcess
 
        - simpleSecurityObject
 
      cn: "{{ item.name }}"
 
      userPassword: "{{ item.password }}"
 
    state: "{{ item.state | default('present') }}"
 
  with_items: "{{ ldap_server_consumers }}"
 

	
 
- name: Update services login passwords
 
  ldap_attr:
 
    dn: "cn={{ item.name }},ou=services,{{ ldap_server_int_basedn }}"
 
    name: userPassword
 
    values: "{{ item.password }}"
 
    state: exact
 
  with_items: "{{ ldap_server_consumers }}"
 
  when: "item.state | default('present') == 'present'"
 

	
 
- name: Create or remove user-supplied groups
 
  m_ldap_entry: ""
 
  args:
 
  ldap_entry:
 
    dn: "cn={{ item.name }},ou=groups,{{ ldap_server_int_basedn }}"
 
    objectClass:
 
      - groupOfUniqueNames
 
    attributes:
 
      objectClass: groupOfUniqueNames
 
      cn: "{{ item.name }}"
 
      uniqueMember: "cn=NONE"
 
    state: "{{ item.state | default('append') }}"
 
    state: "{{ item.state | default('present') }}"
 
  with_items: "{{ ldap_server_groups }}"
 

	
 
- name: Create user-supplied LDAP entries
 
  m_ldap_entry: ""
 
  args:
 
  ldap_entry:
 
    dn: "{{ item.dn }}"
 
    state: "{{ item.state | default('present')}}"
 
    objectClass: "{{ item.attributes.objectClass }}"
 
    attributes: "{{ item.attributes }}"
 
    state: "{{ item.state | default('present')}}"
 
  with_items: "{{ ldap_entries }}"
 

	
 
- name: Deploy firewall configuration for LDAP
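Review bot: `Create or remove login entries for services` and the new `Update services login passwords` both loop over `ldap_server_consumers` and use `item.password`; without `no_log: true` Ansible prints each loop item, password included, in the task output and in any log that output is sent to, so add `no_log: true` to both tasks. Minor: with the default now `present` and `ldap_entry` no longer touching attributes of existing entries, the `uniqueMember: "cn=NONE"` placeholder stays in every group for good once real members are added through `ldap_attr`; fine if intended, but worth a comment on the task.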