Files @ 3d1e72c4cbaf
Branch filter:

Location: majic-ansible-roles/roles/ldap_server/tasks/main.yml

3d1e72c4cbaf 9.6 KiB text/x-yaml Show Annotation Show as Raw Download as Raw
branko
MAR-192: Drop rsyslog/logrotate configuration for ldap_server role under Debian 12 Bookworm:

- Default installations of Debian 12 Bookworm no longer come with
rsyslog pre-installed (and it is considered to be deprecated as
default system logger under Debian 12 Bookworm).
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
---

- name: Set domain for slapd
  debconf:
    name: slapd
    question: slapd/domain
    vtype: string
    value: "{{ ldap_server_domain }}"

- name: Set organisation for slapd
  debconf:
    name: slapd
    question: shared/organization
    vtype: string
    value: "{{ ldap_server_organization }}"

- name: Install slapd
  apt:
    name: slapd
    state: present

- name: Allow OpenLDAP user to traverse the directory with TLS private keys
  user:
    name: openldap
    append: true
    groups: ssl-cert
  register: openldap_in_ssl_cert

- name: Restart slapd if group membership has changed (apply immediatelly)  # noqa 503
  # [503] Tasks that run when changed should likely be handlers
  #   In order to be able to change LDAP server TLS configuration, it must be
  #   able to read both the private key and certificate. Therefore we need to
  #   immediatelly restart (since configuration is done live on the server.
  service:
    name: slapd
    state: restarted
  when: openldap_in_ssl_cert.changed

- name: Install Python LDAP bindings
  apt:
    name: python3-pyldap
    state: present

- name: Set-up LDAP server to listen on legacy SSL port
  lineinfile:
    dest: /etc/default/slapd
    state: present
    backrefs: true
    regexp: '^SLAPD_SERVICES=.*'
    line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
  notify:
    - Restart slapd

- name: Enable and start slapd service
  service:
    name: slapd
    state: started
    enabled: true

- name: Deploy system logger configuration file for slapd
  copy:
    src: slapd_rsyslog.conf
    dest: /etc/rsyslog.d/slapd.conf
    owner: root
    group: root
    mode: 0644
  when: "ansible_distribution_release == 'bullseye'"
  notify:
    - Restart rsyslog

- name: Deploy configuration file for log rotation of slapd logs
  copy:
    src: slapd_logrotate
    dest: /etc/logrotate.d/slapd
    owner: root
    group: root
    mode: 0644
  when: "ansible_distribution_release == 'bullseye'"

- name: Change log level for slapd
  ldap_attr:
    dn: cn=config
    state: exact
    name: olcLogLevel
    values: "{{ ldap_server_log_level }}"

- name: Test if LDAP misc schema has been applied
  command: "ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn"
  register: ldap_misc_schema_present
  changed_when: false

- name: Deploy LDAP misc schema
  command: "ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif"
  when: not ldap_misc_schema_present.stdout

# Technically, the only thing this does is pick the size of DH
# parameters to use, with GnuTLS (against which slapd is linked
# against under Debian) picking a matching DH parameter from RFC-7919
# (https://www.ietf.org/rfc/rfc7919.txt).
- name: Generate the LDAP server Diffie-Hellman parameter
  openssl_dhparam:
    owner: root
    group: openldap
    mode: 0640
    path: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.dh.pem"
    size: 2048
  notify:
    - Restart slapd

- name: Deploy LDAP TLS private key
  template:
    src: "ldap_tls_key.j2"
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
    mode: 0640
    owner: root
    group: openldap
  notify:
    - Restart slapd

- name: Deploy LDAP TLS certificate
  template:
    src: "ldap_tls_cert.j2"
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
    mode: 0644
    owner: root
    group: root
  notify:
    - Restart slapd

- name: Deploy configuration file for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_ldap.conf"
    owner: root
    group: root
    mode: 0644

# We need to have this hack around TLS configuration because OpenLDAP
# expects both private key and certificate to be set at the same
# time.
#
# OpenLDAP server behaviour is a bit weird around this thing, so here
# is what happens:
#
# 1. First we set the private key, but ignore all errors. This has not
#    yet changed the private key path, though.
#
# 2. Then we set the certificate. This succeeds, but the private key
#    path still has the old value. If we haven't done the step (1),
#    this task would fail too.
#
# 3. Now we can finally change the private key too, and LDAP server
#    will be able to validate it against the corresponding certificate.
#
# See https://github.com/ansible/ansible/issues/25665 for more
# information.
- name: Configure TLS private key (ignore errors)
  ldap_attr:
    dn: cn=config
    name: olcTLSCertificateKeyFile
    values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
    state: exact
  failed_when: false

- name: Configure TLS certificate
  ldap_attr:
    dn: cn=config
    name: olcTLSCertificateFile
    values: "/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem"
    state: exact

- name: Configure TLS private key
  ldap_attr:
    dn: cn=config
    name: olcTLSCertificateKeyFile
    values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
    state: exact

- name: Configure DH parameter
  ldap_attr:
    dn: cn=config
    name: olcTLSDHParamFile
    values: "/etc/ssl/private/{{ ansible_fqdn }}_ldap.dh.pem"
    state: exact

- name: Configure TLS cipher suites
  ldap_attr:
    dn: cn=config
    name: olcTLSCipherSuite
    values: "{{ ldap_tls_ciphers }}"
    state: exact

- name: Configure SSF for local unix socket connections
  ldap_attr:
    dn: cn=config
    state: exact
    name: olcLocalSSF
    values: "{{ ldap_server_ssf }}"

- name: Configure required SSF
  ldap_attr:
    dn: cn=config
    state: exact
    name: olcSecurity
    values: "ssf={{ ldap_server_ssf }}"

- name: Enable the memberof module
  ldap_attr:
    dn: "cn=module{0},cn=config"
    state: present
    name: olcModuleLoad
    values: "{1}memberof"

- name: Enable the memberof overlay for database
  ldap_entry:
    dn: "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config"
    objectClass:
      - olcConfig
      - olcMemberOf
      - olcOverlayConfig
    attributes:
      olcOverlay: memberof
      olcMemberOfRefInt: "TRUE"
      olcMemberOfGroupOC: groupOfUniqueNames
      olcMemberOfMemberAD: uniqueMember

- name: Apply database permissions
  m_ldap_permissions:
    filter: "(olcSuffix={{ ldap_server_int_basedn }})"
    rules: "{{ ldap_permissions }}"

- name: Drop the admin entry corresponding to olcRootDN for database from directory
  ldap_entry:
    dn: "cn=admin,{{ ldap_server_int_basedn }}"
    state: absent

- name: Create basic LDAP directory structure
  ldap_entry:
    dn: "ou={{ item }},{{ ldap_server_int_basedn }}"
    objectClass:
      - organizationalUnit
    attributes:
      ou: "{{ item }}"
  with_items:
    - people
    - groups
    - services

- name: Create the entry that will contain mail service information
  ldap_entry:
    dn: "ou=mail,ou=services,{{ ldap_server_int_basedn }}"
    objectClass:
      - organizationalUnit
    attributes:
      ou: mail

- name: Create LDAP directory structure for mail service
  ldap_entry:
    dn: "ou={{ item }},ou=mail,ou=services,{{ ldap_server_int_basedn }}"
    objectClass:
      - organizationalUnit
    attributes:
      ou: "{{ item }}"
  with_items:
    - domains
    - aliases

- name: Create or remove login entries for services
  ldap_entry:
    dn: "cn={{ item.name }},ou=services,{{ ldap_server_int_basedn }}"
    objectClass:
      - applicationProcess
      - simpleSecurityObject
    attributes:
      cn: "{{ item.name }}"
      userPassword: "{{ item.password }}"
    state: "{{ item.state | default('present') }}"
  with_items: "{{ ldap_server_consumers }}"

- name: Update services login passwords
  ldap_attr:
    dn: "cn={{ item.name }},ou=services,{{ ldap_server_int_basedn }}"
    name: userPassword
    values: "{{ item.password }}"
    state: exact
  with_items: "{{ ldap_server_consumers }}"
  when: "item.state | default('present') == 'present'"

- name: Create or remove user-supplied groups
  ldap_entry:
    dn: "cn={{ item.name }},ou=groups,{{ ldap_server_int_basedn }}"
    objectClass:
      - groupOfUniqueNames
    attributes:
      cn: "{{ item.name }}"
      uniqueMember: "cn=NONE"
    state: "{{ item.state | default('present') }}"
  with_items: "{{ ldap_server_groups }}"

- name: Create user-supplied LDAP entries
  ldap_entry:
    dn: "{{ item.dn }}"
    objectClass: "{{ item.attributes.objectClass }}"
    attributes: "{{ item.attributes }}"
    state: "{{ item.state | default('present') }}"
  with_items: "{{ ldap_entries }}"

- name: Deploy firewall configuration for LDAP
  copy:
    src: "ferm_ldap.conf"
    dest: "/etc/ferm/conf.d/10-ldap.conf"
    owner: root
    group: root
    mode: 0640
  notify:
    - Restart ferm

# @TODO: This whole thing could be dropped if newer version of Ansible
#        was in use (where community collection has the ldap_search
#        module.
- name: Deploy temporary file with LDAP admin password
  template:
    src: "ldap_admin_password.j2"
    dest: "/root/.ldap_admin_password"
    owner: root
    group: root
    mode: 0400
  changed_when: false

- name: Test if LDAP admin password needs to be changed
  command: "ldapwhoami -H ldapi:/// -D 'cn=admin,{{ ldap_server_int_basedn }}' -x -y /root/.ldap_admin_password"
  register: ldap_admin_password_check
  changed_when: ldap_admin_password_check.rc != 0
  failed_when: false

- name: Update LDAP admin password
  ldap_attr:
    dn: "olcDatabase={1}mdb,cn=config"
    name: olcRootPW
    values: "{{ ldap_admin_password | ldap_password_hash }}"
    state: exact
  when: ldap_admin_password_check.rc != 0

- name: Remove temporary file with LDAP admin password
  file:
    path: "/root/.ldap_admin_password"
    state: absent
  changed_when: false

- name: Enable backup
  include: backup.yml
  when: enable_backup

- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "run_handlers | default(False) | bool()"
  tags:
    - handlers
This site is powered by Kallithea 0.7.0, which is © 2010–2023 by various authors & licensed under GPLv3.