Changeset - b325005c1a8f
[Not reviewed]
0 3 0
Branko Majic (branko) - 9 years ago 2015-08-30 19:30:25
branko@majic.rs
MAR-19: Flattened the ldap server configuration parameter provisioning (i.e. no more placeholder dictionary, instead use distinct variable names for each option).
3 files changed with 46 insertions and 52 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -410,38 +410,12 @@ The role implements the following:
 
Parameters
 
~~~~~~~~~~
 

	
 
**ldap_server_config** (list, mandatory)
 
  A dictionary of configuration options for OpenLDAP server. The following
 
  configuration options are available:
 

	
 
  **domain** (string, mandatory)
 
    Domain that should be used for constructing the base DN of default user LDAP
 
    database. This should be a sub-domain dedicated to organisation. The base DN
 
    will be constructed by putting all elements of the sub-domain as ``dc``
 
    entries (as per standard Debian convention). I.e. ``example.com`` would get
 
    transformed into ``dc=example,dc=com``.
 

	
 
  **organization** (string, mandatory)
 
    Organization that should be specified in the base DN entry.
 

	
 
  **log_level** (string, mandatory)
 
    Log level to use for the server. This should be compatible with OpenLDAP
 
    configuration option ``olcLogLevel``. See `OpenLDAP Administrator's Guide
 
    <http://www.openldap.org/doc/admin24/slapdconf2.html#cn=config>` for value
 
    description and syntax.
 

	
 
  **tls_certificate** (string, mandatory)
 
    Path to file on Ansible host that contains the X.509 certificate used for
 
    TLS for LDAP service. The file will be copied to directory
 
    ``/etc/ssl/certs/``.
 

	
 
  **tls_key** (string, mandatory)
 
    Path to file on Ansible host that contains the private key used for TLS for
 
    LDAP service. The file will be copied to directory ``/etc/ssl/private/``.
 

	
 
  **ssf** (number, mandatory)
 
    Minimum *Security Strength Factor* to require from all incoming
 
    connections. This applies for both remote and local connections.
 
**ldap_entries** (list, mandatory)
 
  List of entries that should be kept in the LDAP directory. Each item is a
 
  dictionary describing a single LDAP entry, with all of its attributes
 
  listed. The keys in this dictionary should be the attribute names. The values
 
  should be either strings, for setting a single attribute value, or a list of
 
  strings if it is necessary to set multiple values for the same attribute.
 

	
 
**ldap_permissions** (list, mandatory)
 
  List of LDAP access controls to apply to directories served by the LDAP
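Review bot: `ldap_entries` appears in the unchanged context of this hunk (after the removed `ldap_server_config` block) and again in the unchanged context of the next hunk (just before the new `ldap_server_*` entries), with identical wording, so the parameter looks documented twice in the same Parameters section; since this change already moves the server options to the end of the section, it would be a good moment to drop one of the two copies. Also, the removed block declared `**ldap_server_config** (list, mandatory)` while describing it as a dictionary; make sure the new flat entries carry the right type for each option (see the `log_level` value in `testsite/group_vars/ldap.yml`, which is a bare number).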
 
@@ -462,12 +436,33 @@ Parameters
 
    the same as described in `OpenLDAP Administrator's Guide
 
    <http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration>`.
 

	
 
**ldap_entries** (list, mandatory)
 
  List of entries that should be kept in the LDAP directory. Each item is a
 
  dictionary describing a single LDAP entry, with all of its attributes
 
  listed. The keys in this dictionary should be the attribute names. The values
 
  should be either strings, for setting a single attribute value, or a list of
 
  strings if it is necessary to set multiple values for the same attribute.
 
**ldap_server_domain** (string, mandatory)
 
  Domain that should be used for constructing the base DN of default user LDAP
 
  database. This should be a sub-domain dedicated to organisation. The base DN
 
  will be constructed by putting all elements of the sub-domain as ``dc``
 
  entries (as per standard Debian convention). I.e. ``example.com`` would get
 
  transformed into ``dc=example,dc=com``.
 

	
 
**ldap_server_organization** (string, mandatory)
 
  Organization that should be specified in the base DN entry.
 

	
 
**ldap_server_log_level** (string, mandatory)
 
  Log level to use for the server. This should be compatible with OpenLDAP
 
  configuration option ``olcLogLevel``. See `OpenLDAP Administrator's Guide
 
  <http://www.openldap.org/doc/admin24/slapdconf2.html#cn=config>` for value
 
  description and syntax.
 

	
 
**ldap_server_tls_certificate** (string, mandatory)
 
  Path to file on Ansible host that contains the X.509 certificate used for TLS
 
  for LDAP service. The file will be copied to directory ``/etc/ssl/certs/``.
 

	
 
**ldap_server_tls_key** (string, mandatory)
 
  Path to file on Ansible host that contains the private key used for TLS for
 
  LDAP service. The file will be copied to directory ``/etc/ssl/private/``.
 

	
 
**ldap_server_ssf** (number, mandatory)
 
  Minimum *Security Strength Factor* to require from all incoming
 
  connections. This applies for both remote and local connections.
 

	
 

	
 
Examples
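Review bot: the `OpenLDAP Administrator's Guide <...>` references in the new `ldap_server_log_level` text (and in the unchanged `ldap_permissions` context above it) lack the trailing underscore that reStructuredText needs for an external hyperlink; as written, Sphinx renders them as interpreted text, not links. Suggest `` `OpenLDAP Administrator's Guide <http://www.openldap.org/doc/admin24/slapdconf2.html#cn=config>`_ `` and likewise for the access-control URL. Two smaller points in the same added lines: "I.e. ``example.com`` would get transformed" should read "E.g.", since it introduces an example rather than a restatement, and the text mixes "organisation" (in the `ldap_server_domain` description) with "organization" (the `ldap_server_organization` parameter); pick one spelling. Finally, `ldap_server_log_level` is declared `(string, mandatory)` but the example inventory in this changeset sets it to the integer `256`; either document it as a number or quote the value in the example.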
roles/ldap_server/tasks/main.yml
 
---
 

	
 
- name: Set domain for slapd
 
  debconf: name=slapd question=slapd/domain vtype=string value="{{ ldap_server_config.domain }}"
 
  debconf: name=slapd question=slapd/domain vtype=string value="{{ ldap_server_domain }}"
 

	
 
- name: Set organisation for slapd
 
  debconf: name=slapd question=slapd/organization vtype=string value="{{ ldap_server_config.organization }}"
 
  debconf: name=slapd question=slapd/organization vtype=string value="{{ ldap_server_organization }}"
 

	
 
- name: Install slapd
 
  apt: name=slapd state=installed
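Review bot: the debconf answers for `slapd/domain` and `slapd/organization` are only consumed by the slapd postinst when the package is first configured, so this hunk's rename is correct but changing `ldap_server_domain` or `ldap_server_organization` on a host where slapd is already installed will update the debconf database without touching the live directory's base DN. That is pre-existing behaviour, not introduced here, but a short comment above `- name: Set domain for slapd` stating that these two values are install-time only would save the next reader from expecting the rename to make them re-applicable. The task ordering (both `debconf` tasks before `- name: Install slapd`) is what makes the preseeding work and should stay as is.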
 
@@ -32,27 +32,27 @@
 
  copy: src=slapd_logrotate dest=/etc/logrotate.d/slapd owner=root group=root mode=0644
 

	
 
- name: Change log level for slapd
 
  ldap_entry: dn=cn=config state=replaceattributes olcLogLevel="{{ ldap_server_config.log_level }}"
 
  ldap_entry: dn=cn=config state=replaceattributes olcLogLevel="{{ ldap_server_log_level }}"
 

	
 
- name: Deploy LDAP TLS private key
 
  copy: dest="/etc/ssl/private/{{ ldap_server_config.tls_key | basename }}" src="{{ ldap_server_config.tls_key }}"
 
  copy: dest="/etc/ssl/private/{{ ldap_server_tls_key | basename }}" src="{{ ldap_server_tls_key }}"
 
        mode=640 owner=root group=openldap
 
  notify:
 
    - Restart slapd
 

	
 
- name: Deploy LDAP TLS certificate
 
  copy: dest="/etc/ssl/certs/{{ ldap_server_config.tls_certificate | basename }}" src="{{ ldap_server_config.tls_certificate }}"
 
  copy: dest="/etc/ssl/certs/{{ ldap_server_tls_certificate | basename }}" src="{{ ldap_server_tls_certificate }}"
 
        mode=644 owner=root group=root
 
  notify:
 
    - Restart slapd
 

	
 
- name: Configure TLS for slapd
 
  ldap_entry: dn=cn=config state=replaceattributes olcTLSCertificateFile="/etc/ssl/certs/{{ ldap_server_config.tls_certificate | basename }}" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ldap_server_config.tls_key | basename }}"
 
  ldap_entry: dn=cn=config state=replaceattributes olcTLSCertificateFile="/etc/ssl/certs/{{ ldap_server_tls_certificate | basename }}" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ldap_server_tls_key | basename }}"
 
  notify:
 
    - Restart slapd
 

	
 
- name: Configure SSF
 
  ldap_entry: dn=cn=config state=replaceattributes olcSecurity=ssf="{{ ldap_server_config.ssf }}" olcLocalSSF="{{ ldap_server_config.ssf }}"
 
  ldap_entry: dn=cn=config state=replaceattributes olcSecurity=ssf="{{ ldap_server_ssf }}" olcLocalSSF="{{ ldap_server_ssf }}"
 

	
 
- name: Enable the memberof module
 
  ldap_entry: dn="cn=module{0},cn=config" state=addattributes olcModuleLoad="{1}memberof"
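Review bot: the dependency between `- name: Configure TLS for slapd` and `- name: Configure SSF` is implicit in their order and deserves a comment. `olcSecurity=ssf=N` makes slapd refuse any operation on a session whose strength factor is below N, while `olcLocalSSF` is the strength credited to local (ldapi) sessions; because both are fed from the single `ldap_server_ssf` variable, local management sessions always meet the minimum and remote clients can only meet it once `olcTLSCertificateFile`/`olcTLSCertificateKeyFile` are in place and the TLS handshake works. If the SSF task were ever moved ahead of the TLS tasks, remote binds would be locked out. The private key deployment with `mode=640 owner=root group=openldap` into `/etc/ssl/private/` is the right restriction for slapd to read it without exposing it to other users; note that the `Configure SSF` task, unlike the TLS tasks, carries no `notify: Restart slapd`, which is fine since `cn=config` attributes apply at once, but a comment saying so would keep the asymmetry from looking like an omission.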
testsite/group_vars/ldap.yml
 
@@ -20,13 +20,12 @@ ldap_client_config:
 
    option: TLS_CACERT
 
    value: /etc/ssl/certs/ca.pem
 

	
 
ldap_server_config:
 
  domain: "{{ testsite_domain }}"
 
  organization: "Example Inc."
 
  log_level: 256
 
  tls_certificate: "{{ inventory_dir }}/tls/ldap.{{ testsite_domain }}_ldap.pem"
 
  tls_key: "{{ inventory_dir }}/tls/ldap.{{ testsite_domain }}_ldap.key"
 
  ssf: 128
 
ldap_server_domain: "{{ testsite_domain }}"
 
ldap_server_organization: "Example Inc."
 
ldap_server_log_level: 256
 
ldap_server_tls_certificate: "{{ inventory_dir }}/tls/ldap.{{ testsite_domain }}_ldap.pem"
 
ldap_server_tls_key: "{{ inventory_dir }}/tls/ldap.{{ testsite_domain }}_ldap.key"
 
ldap_server_ssf: 128
 

	
 
ldap_permissions:
 
  - filter: '(olcSuffix={{ testsite_ldap_base }})'
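Review bot: `ldap_server_log_level: 256` is an unquoted integer while the documentation added in this changeset declares `ldap_server_log_level` as a string; the Jinja substitution into `olcLogLevel="{{ ldap_server_log_level }}"` will still render `256`, but the example and the reference should agree (either quote it here or document the option as a number). Separately, `ldap_server_tls_key` points at `{{ inventory_dir }}/tls/ldap.{{ testsite_domain }}_ldap.key`, i.e. a TLS private key kept alongside the inventory; if that tree is version controlled, the key should be excluded from it or stored encrypted (ansible-vault or similar) and the file kept with restrictive permissions on the control host, since the `copy` task in `roles/ldap_server/tasks/main.yml` reads it from there.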