Files @ 3c03c2ea9d2a
Branch filter:

Location: majic-ansible-roles/roles/ldap_server/tasks/main.yml

branko
MAR-128: Upgraded tests for bootstrap role:

- Switch to new Molecule configuration.
- Updated set-up playbook to use become: yes.
- Moved some preparatory steps outside of the main playbook (eases
idempotence tests).
- Updated tests to reference the yml inventory file.
- Updated tests to use new fixture (host instead of individual ones).
- Fixed some linting issues.
---

- name: Set domain for slapd
  debconf:
    name: slapd
    question: slapd/domain
    vtype: string
    value: "{{ ldap_server_domain }}"

- name: Set organisation for slapd
  debconf:
    name: slapd
    question: shared/organization
    vtype: string
    value: "{{ ldap_server_organization }}"

- name: Install slapd
  apt:
    name: slapd
    state: installed

- name: Allow OpenLDAP user to traverse the directory with TLS private keys
  user:
    name: openldap
    append: yes
    groups: ssl-cert
  register: openldap_in_ssl_cert

- name: Restart slapd if group membership has changed (apply immediatelly)
  service:
    name: slapd
    state: restarted
  when: openldap_in_ssl_cert.changed
  tags:
    # [ANSIBLE0016] Tasks that run when changed should likely be handlers
    #   In order to be able to change LDAP server TLS configuration, it must be
    #   able to read both the private key and certificate. Therefore we need to
    #   immediatelly restart (since configuration is done live on the server.
    - skip_ansible_lint

- name: Install Python LDAP bindings
  apt:
    name: python-ldap
    state: installed

- name: Set-up LDAP server to listen on legacy SSL port
  lineinfile:
    dest: /etc/default/slapd
    state: present
    backrefs: yes
    regexp: '^SLAPD_SERVICES=.*'
    line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
  notify:
    - Restart slapd

- name: Enable slapd service on boot (workaround for systemctl broken handling of SysV)
  command: "rcconf -on slapd"
  register: result
  changed_when: result.stderr == ""

- name: Enable slapd service
  service:
    name: slapd
    state: started

- name: Deploy system logger configuration file for slapd
  copy:
    src: slapd_rsyslog.conf
    dest: /etc/rsyslog.d/slapd.conf
    owner: root
    group: root
    mode: 0644
  notify:
    - Restart rsyslog

- name: Deploy configuration file for log rotation of slapd logs
  copy:
    src: slapd_logrotate
    dest: /etc/logrotate.d/slapd
    owner: root
    group: root
    mode: 0644

- name: Change log level for slapd
  m_ldap_entry:
    dn: cn=config
    state: replace
    olcLogLevel: "{{ ldap_server_log_level }}"

- name: Test if LDAP misc schema has been applied
  command: "ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn"
  register: ldap_misc_schema_present
  changed_when: false

- name: Deploy LDAP misc schema
  command: "ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif"
  when: ldap_misc_schema_present.stdout == ""

- name: Deploy LDAP TLS private key
  template:
    src: "ldap_tls_key.j2"
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
    mode: 0640
    owner: root
    group: openldap
  notify:
    - Restart slapd

- name: Deploy LDAP TLS certificate
  template:
    src: "ldap_tls_cert.j2"
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
    mode: 0644
    owner: root
    group: root
  notify:
    - Restart slapd

- name: Deploy configuration file for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_ldap.conf"
    owner: root
    group: root
    mode: 0644

- name: Configure TLS for slapd (includes hardening)
  m_ldap_entry:
    dn: cn=config
    state: replace
    olcTLSCertificateFile: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
    olcTLSCertificateKeyFile: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
    olcTLSCipherSuite: "{{ ldap_tls_ciphers }}"
  notify:
    - Restart slapd

- name: Configure SSF
  m_ldap_entry:
    dn: cn=config
    state: replace
    olcSecurity: "ssf={{ ldap_server_ssf }}"
    olcLocalSSF: "{{ ldap_server_ssf }}"

- name: Enable the memberof module
  m_ldap_entry:
    dn: "cn=module{0},cn=config"
    state: append
    olcModuleLoad: "{1}memberof"

- name: Enable the memberof overlay for database
  m_ldap_entry:
    dn: "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config"
    objectClass:
      - olcConfig
      - olcMemberOf
      - olcOverlayConfig
    olcOverlay: memberof
    olcMemberOfRefInt: "TRUE"
    olcMemberOfGroupOC: groupOfUniqueNames
    olcMemberOfMemberAD: uniqueMember

- name: Apply database permissions
  m_ldap_permissions:
    filter: "(olcSuffix={{ ldap_server_int_basedn }})"
    rules: "{{ ldap_permissions }}"

- name: Create basic LDAP directory structure
  m_ldap_entry: ""
  args:
    dn: "ou={{ item }},{{ ldap_server_int_basedn }}"
    objectClass:
      - organizationalUnit
    ou: "{{ item }}"
  with_items:
    - people
    - groups
    - services

- name: Create the entry that will contain mail service information
  m_ldap_entry: ""
  args:
    dn: "ou=mail,ou=services,{{ ldap_server_int_basedn }}"
    objectClass: organizationalUnit
    ou: mail

- name: Create LDAP directory structure for mail service
  m_ldap_entry: ""
  args:
    dn: "ou={{ item }},ou=mail,ou=services,{{ ldap_server_int_basedn }}"
    objectClass: organizationalUnit
    ou: "{{ item }}"
  with_items:
    - domains
    - aliases

- name: Create or remove login entries for services
  m_ldap_entry: ""
  args:
    dn: "cn={{ item.name }},ou=services,{{ ldap_server_int_basedn }}"
    objectClass:
      - applicationProcess
      - simpleSecurityObject
    cn: "{{ item.name }}"
    userPassword: "{{ item.password }}"
    state: "{{ item.state | default('present') }}"
  with_items: "{{ ldap_server_consumers }}"

- name: Create or remove user-supplied groups
  m_ldap_entry: ""
  args:
    dn: "cn={{ item.name }},ou=groups,{{ ldap_server_int_basedn }}"
    objectClass: groupOfUniqueNames
    cn: "{{ item.name }}"
    uniqueMember: "cn=NONE"
    state: "{{ item.state | default('append') }}"
  with_items: "{{ ldap_server_groups }}"

- name: Create user-supplied LDAP entries
  m_ldap_entry: ""
  args:
    dn: "{{ item.dn }}"
    state: "{{ item.state | default('present')}}"
    attributes: "{{ item.attributes }}"
  with_items: "{{ ldap_entries }}"

- name: Deploy firewall configuration for LDAP
  copy:
    src: "ferm_ldap.conf"
    dest: "/etc/ferm/conf.d/10-ldap.conf"
    owner: root
    group: root
    mode: 0640
  notify:
    - Restart ferm

- name: Deploy temporary file with LDAP admin password
  template:
    src: "ldap_admin_password.j2"
    dest: "/root/.ldap_admin_password"
    owner: root
    group: root
    mode: 0400
  changed_when: False

- name: Test if LDAP admin password needs to be changed
  command: "ldapwhoami -H ldapi:/// -D 'cn=admin,{{ ldap_server_int_basedn }}' -x -y /root/.ldap_admin_password"
  register: ldap_admin_password_check
  changed_when: ldap_admin_password_check.rc != 0
  failed_when: False

- name: Update LDAP admin password
  command: "ldappasswd -Y EXTERNAL -H ldapi:/// 'cn=admin,{{ ldap_server_int_basedn }}' -T /root/.ldap_admin_password"
  when: ldap_admin_password_check.rc != 0

- name: Remove temporary file with LDAP admin password
  file:
    path: "/root/.ldap_admin_password"
    state: absent
  changed_when: False

- name: Enable backup
  include: backup.yml
  when: enable_backup

- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "handlers | default(False) | bool() == True"
  tags:
    - handlers