Changeset - e994537dd735
0 4 0
Branko Majic (branko) - 7 years ago 2017-08-08 21:49:40
branko@majic.rs
MAR-114: Updated task syntax for ldap roles:

- Updated ldap_client and ldap_server roles.
- Added and removed quoting where it makes sense.
- Switched to using expanded syntax (instead of one-liners).
4 files changed with 116 insertions and 35 deletions:
roles/ldap_client/tasks/main.yml
 
---
 

	
 
- name: Install OpenLDAP client tools
 
  apt: name=ldap-utils state=installed
 
  apt:
 
    name: ldap-utils
 
    state: installed
 

	
 
- name: Deploy LDAP client configuration file
 
  template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf owner=root group=root mode=0644
 
  template:
 
    src: ldap.conf.j2
 
    dest: /etc/ldap/ldap.conf
 
    owner: root
 
    group: root
 
    mode: 0644
 

	
 
- name: Explicitly run all handlers
 
  include: ../handlers/main.yml
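Review bot: `mode: 0644` on the template task is now an unquoted plain scalar, which YAML 1.1 loaders such as PyYAML read as the octal integer 420; Ansible accepts that, but the leading zero is load-bearing (a later edit to `644` silently becomes decimal) and yamllint's octal-values check flags it, so prefer `mode: "0644"`. The same applies to the `0700` modes in roles/ldap_server/tasks/backup.yml and the `0644`, `0640` and `0400` modes in roles/ldap_server/tasks/main.yml. Minor: `state: installed` on the apt task is an alias of `present`; `state: present` is the documented canonical value.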
roles/ldap_server/handlers/main.yml
 
---
 

	
 
- name: Restart rsyslog
 
  service: name=rsyslog state=restarted
 
  service:
 
    name: rsyslog
 
    state: restarted
 

	
 
- name: Restart slapd
 
  service: name=slapd state=restarted
 
  service:
 
    name: slapd
 
    state: restarted
roles/ldap_server/tasks/backup.yml
 
---
 

	
 
- name: Create directory for storing LDAP database dumps
 
  file: path="{{ item }}" state=directory
 
        owner=root group=root mode=0700
 
  file:
 
    path: "{{ item }}"
 
    state: directory
 
    owner: root
 
    group: root
 
    mode: 0700
 
  with_items:
 
    - "/srv/backup"
 

	
 
- name: Deploy script for creating LDAP database backup dumps
 
  copy: src="ldapdump.sh" dest="/etc/duply/main/pre.d/ldapdump.sh"
 
        owner=root group=root mode=0700
 
  copy:
 
    src: "ldapdump.sh"
 
    dest: "/etc/duply/main/pre.d/ldapdump.sh"
 
    owner: root
 
    group: root
 
    mode: 0700
roles/ldap_server/tasks/main.yml
 
---
 

	
 
- name: Set domain for slapd
 
  debconf: name=slapd question=slapd/domain vtype=string value="{{ ldap_server_domain }}"
 
  debconf:
 
    name: slapd
 
    question: slapd/domain
 
    vtype: string
 
    value: "{{ ldap_server_domain }}"
 

	
 
- name: Set organisation for slapd
 
  debconf: name=slapd question=shared/organization vtype=string value="{{ ldap_server_organization }}"
 
  debconf:
 
    name: slapd
 
    question: shared/organization
 
    vtype: string
 
    value: "{{ ldap_server_organization }}"
 

	
 
- name: Install slapd
 
  apt: name=slapd state=installed
 
  apt:
 
    name: slapd
 
    state: installed
 

	
 
- name: Allow OpenLDAP user to traverse the directory with TLS private keys
 
  user: name=openldap append=yes groups=ssl-cert
 
  user:
 
    name: openldap
 
    append: yes
 
    groups: ssl-cert
 
  register: openldap_in_ssl_cert
 

	
 
- name: Restart slapd if group membership has changed (apply immediatelly)
 
  service: name=slapd state=restarted
 
  service:
 
    name: slapd
 
    state: restarted
 
  when: openldap_in_ssl_cert.changed
 
  tags:
 
    # [ANSIBLE0016] Tasks that run when changed should likely be handlers
 
@@ -24,40 +39,61 @@
 
    - skip_ansible_lint
 

	
 
- name: Install Python LDAP bindings
 
  apt: name=python-ldap state=installed
 
  apt:
 
    name: python-ldap
 
    state: installed
 

	
 
- name: Set-up LDAP server to listen on legacy SSL port
 
  lineinfile: dest=/etc/default/slapd state=present backrefs=yes
 
              regexp='^SLAPD_SERVICES=.*' line='SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
 
  lineinfile:
 
    dest: /etc/default/slapd
 
    state: present
 
    backrefs: yes
 
    regexp: '^SLAPD_SERVICES=.*'
 
    line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
 
  notify:
 
    - Restart slapd
 

	
 
- name: Enable slapd service on boot (workaround for systemctl broken handling of SysV)
 
  command: rcconf -on slapd
 
  command: "rcconf -on slapd"
 
  register: result
 
  changed_when: result.stderr == ""
 

	
 
- name: Enable slapd service
 
  service: name=slapd state=started
 
  service:
 
    name: slapd
 
    state: started
 

	
 
- name: Deploy system logger configuration file for slapd
 
  copy: src=slapd_rsyslog.conf dest=/etc/rsyslog.d/slapd.conf owner=root group=root mode=0644
 
  copy:
 
    src: slapd_rsyslog.conf
 
    dest: /etc/rsyslog.d/slapd.conf
 
    owner: root
 
    group: root
 
    mode: 0644
 
  notify:
 
    - Restart rsyslog
 

	
 
- name: Deploy configuration file for log rotation of slapd logs
 
  copy: src=slapd_logrotate dest=/etc/logrotate.d/slapd owner=root group=root mode=0644
 
  copy:
 
    src: slapd_logrotate
 
    dest: /etc/logrotate.d/slapd
 
    owner: root
 
    group: root
 
    mode: 0644
 

	
 
- name: Change log level for slapd
 
  ldap_entry: dn=cn=config state=replace olcLogLevel="{{ ldap_server_log_level }}"
 
  ldap_entry:
 
    dn: cn=config
 
    state: replace
 
    olcLogLevel: "{{ ldap_server_log_level }}"
 

	
 
- name: Test if LDAP misc schema has been applied
 
  command: ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn
 
  command: "ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn"
 
  register: ldap_misc_schema_present
 
  changed_when: false
 

	
 
- name: Deploy LDAP misc schema
 
  command: ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif
 
  command: "ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif"
 
  when: ldap_misc_schema_present.stdout == ""
 

	
 
- name: Deploy LDAP TLS private key
 
@@ -81,20 +117,35 @@
 
    - Restart slapd
 

	
 
- name: Deploy configuration file for checking certificate validity via cron
 
  copy: content="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" dest="/etc/check_certificate/{{ ansible_fqdn }}_ldap.conf"
 
        owner=root group=root mode=0644
 
  copy:
 
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
 
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_ldap.conf"
 
    owner: root
 
    group: root
 
    mode: 0644
 

	
 
- name: Configure TLS for slapd (includes hardening)
 
  ldap_entry: dn=cn=config state=replace olcTLSCertificateFile="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
              olcTLSCipherSuite="{{ ldap_tls_ciphers }}"
 
  ldap_entry:
 
    dn: cn=config
 
    state: replace
 
    olcTLSCertificateFile: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
 
    olcTLSCertificateKeyFile: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
    olcTLSCipherSuite: "{{ ldap_tls_ciphers }}"
 
  notify:
 
    - Restart slapd
 

	
 
- name: Configure SSF
 
  ldap_entry: dn=cn=config state=replace olcSecurity=ssf="{{ ldap_server_ssf }}" olcLocalSSF="{{ ldap_server_ssf }}"
 
  ldap_entry:
 
    dn: cn=config
 
    state: replace
 
    olcSecurity: "ssf={{ ldap_server_ssf }}"
 
    olcLocalSSF: "{{ ldap_server_ssf }}"
 

	
 
- name: Enable the memberof module
 
  ldap_entry: dn="cn=module{0},cn=config" state=append olcModuleLoad="{1}memberof"
 
  ldap_entry:
 
    dn: "cn=module{0},cn=config"
 
    state: append
 
    olcModuleLoad: "{1}memberof"
 

	
 
- name: Enable the memberof overlay for database
 
  ldap_entry:
 
@@ -173,27 +224,38 @@
 
  with_items: "{{ ldap_entries }}"
 

	
 
- name: Deploy firewall configuration for LDAP
 
  copy: src="ferm_ldap.conf" dest="/etc/ferm/conf.d/10-ldap.conf" owner=root group=root mode=0640
 
  copy:
 
    src: "ferm_ldap.conf"
 
    dest: "/etc/ferm/conf.d/10-ldap.conf"
 
    owner: root
 
    group: root
 
    mode: 0640
 
  notify:
 
    - Restart ferm
 

	
 
- name: Deploy temporary file with LDAP admin password
 
  template: src="ldap_admin_password.j2" dest="/root/.ldap_admin_password"
 
            owner=root group=root mode=0400
 
  template:
 
    src: "ldap_admin_password.j2"
 
    dest: "/root/.ldap_admin_password"
 
    owner: root
 
    group: root
 
    mode: 0400
 
  changed_when: False
 

	
 
- name: Test if LDAP admin password needs to be changed
 
  command: ldapwhoami -H ldapi:/// -D "cn=admin,{{ ldap_server_int_basedn }}" -x -y /root/.ldap_admin_password
 
  command: "ldapwhoami -H ldapi:/// -D 'cn=admin,{{ ldap_server_int_basedn }}' -x -y /root/.ldap_admin_password"
 
  register: ldap_admin_password_check
 
  changed_when: ldap_admin_password_check.rc != 0
 
  failed_when: False
 

	
 
- name: Update LDAP admin password
 
  command: ldappasswd -Y EXTERNAL -H ldapi:/// "cn=admin,{{ ldap_server_int_basedn }}" -T /root/.ldap_admin_password
 
  command: "ldappasswd -Y EXTERNAL -H ldapi:/// 'cn=admin,{{ ldap_server_int_basedn }}' -T /root/.ldap_admin_password"
 
  when: ldap_admin_password_check.rc != 0
 

	
 
- name: Remove temporary file with LDAP admin password
 
  file: path="/root/.ldap_admin_password" state=absent
 
  file:
 
    path: "/root/.ldap_admin_password"
 
    state: absent
 
  changed_when: False
 

	
 
- name: Enable backup
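Review bot: The "Deploy temporary file with LDAP admin password" task renders a secret to `/root/.ldap_admin_password` (the following tasks read it via `ldapwhoami -y` and `ldappasswd -T`) but carries no `no_log`; `changed_when: False` only suppresses the change report, and as far as I can tell it does not keep the rendered content out of `--diff` or verbose output. Add `no_log: true` to that task so the password is never echoed by the callback. Style: the expanded syntax keeps `append: yes` and `backrefs: yes`; `true` is the canonical boolean and avoids the YAML 1.1/1.2 truthy ambiguity.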