Changeset - b8bfc506359f
Parent rev.
Child rev.
[Not reviewed]
1 1 0
Branko Majic (branko) - 1 month ago 2024-09-21 13:29:58
branko@majic.rs
MAR-218: Rework/improve code for setting LDAP server admin password:

- Avoid dropping temporary file with password by invoking a search on
the LDAP server using the supplied credentials.
- Do not log sensitive informationi when setting the LDAP server admin
password.
2 files changed with 9 insertions and 23 deletions:
roles/ldap_server/tasks/main.yml
9
22
roles/ldap_server/templates/ldap_admin_password.j2
1
0 comments (0 inline, 0 general)
roles/ldap_server/tasks/main.yml
Show inline comments
 
@@ -245,22 +245,14 @@
 
  notify:
 
    - Restart ferm
 

			




	
	
	
		
 
# @TODO: This whole thing could be dropped if newer version of Ansible

			




	
	
	
		
 
#        was in use (where community collection has the ldap_search

			




	
	
	
		
 
#        module.

			




	
	
	
		
 
- name: Deploy temporary file with LDAP admin password

			




	
	
	
		
 
  ansible.builtin.template:

			




	
	
	
		
 
    src: "ldap_admin_password.j2"

			




	
	
	
		
 
    dest: "/root/.ldap_admin_password"

			




	
	
	
		
 
    owner: root

			




	
	
	
		
 
    group: root

			




	
	
	
		
 
    mode: "0400"

			




	
	
	
		
 
  changed_when: false

			




	
	
	
		
 

			




	
	
	
		
 
- name: Test if LDAP admin password needs to be changed

			




	
	
	
		
 
  ansible.builtin.command: "ldapwhoami -H ldapi:/// -D 'cn=admin,{{ ldap_server_int_basedn }}' -x -y /root/.ldap_admin_password"

			




	
	
	
		
 
- name: Test LDAP admin password

			




	
	
	
		
 
  community.general.ldap_search:

			




	
	
	
		
 
    bind_dn: "cn=admin,{{ ldap_server_int_basedn }}"

			




	
	
	
		
 
    bind_pw: "{{ ldap_admin_password }}"

			




	
	
	
		
 
    server_uri: "ldapi:///"

			




	
	
	
		
 
    dn: "{{ ldap_server_int_basedn }}"

			




	
	
	
		
 
    scope: base

			




	
	
	
		
 
  register: ldap_admin_password_check

			




	
	
	
		
 
  changed_when: ldap_admin_password_check.rc != 0

			




	
	
	
		
 
  failed_when: false

			




	
	
	
		
 

			




	
	
	
		
 
- name: Update LDAP admin password

			




	
	
		
 
@@ -269,13 +261,8 @@

			




	
	
	
		
 
    attributes:

			




	
	
	
		
 
      olcRootPW: "{{ ldap_admin_password | ldap_password_hash }}"

			




	
	
	
		
 
    state: exact

			




	
	
	
		
 
  when: ldap_admin_password_check.rc != 0

			




	
	
	
		
 

			




	
	
	
		
 
- name: Remove temporary file with LDAP admin password

			




	
	
	
		
 
  ansible.builtin.file:

			




	
	
	
		
 
    path: "/root/.ldap_admin_password"

			




	
	
	
		
 
    state: absent

			




	
	
	
		
 
  changed_when: false

			




	
	
	
		
 
  no_log: true

			




	
	
	
		
 
  when: "'results' not in ldap_admin_password_check"

			




	
	
	
		
 

			




	
	
	
		
 
- name: Enable backup

			




	
	
	
		
 
  ansible.builtin.import_tasks: backup.yml

			




        

    


    
    

    

        

                

                    roles/ldap_server/templates/ldap_admin_password.j2
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
deleted file

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2024 by various authors & licensed under GPLv3.