Files @ 61e6cfb81789
Branch filter:

Location: majic-ansible-roles/roles/ldap_server/tasks/main.yml

61e6cfb81789 5.8 KiB text/x-yaml Show Annotation Show as Raw Download as Raw
branko
MAR-51: Fixed documentation for ansible_key parameter in preseed role. Updated ca_certificates parameter in common role to accept key-value pairs of filenames and certificates to put on remote host (so lookups/inventory can be utilised in more flexible manner). Updated backup_client role to fail if it is not possible to extract encryption key IDs from deployed keys. Moved purging of Exim4 configuration files from handlers to tasks (more robust, and still idempotent). All documentation has been updated as well.
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
---

- name: Set domain for slapd
  debconf: name=slapd question=slapd/domain vtype=string value="{{ ldap_server_domain }}"

- name: Set organisation for slapd
  debconf: name=slapd question=slapd/organization vtype=string value="{{ ldap_server_organization }}"

- name: Install slapd
  apt: name=slapd state=installed

- name: Allow OpenLDAP user to traverse the directory with TLS private keys
  user: name=openldap append=yes groups=ssl-cert
  register: openldap_in_ssl_cert

- name: Restart slapd if group membership has changed
  service: name=slapd state=restarted
  when: openldap_in_ssl_cert.changed

- name: Install Python LDAP bindings
  apt: name=python-ldap state=installed

- name: Enable slapd service on boot (workaround for systemctl broken handling of SysV)
  command: rcconf -on slapd
  register: result
  changed_when: result.stderr == ""

- name: Enable slapd service
  service: name=slapd state=started

- name: Deploy system logger configuration file for slapd
  copy: src=slapd_rsyslog.conf dest=/etc/rsyslog.d/slapd.conf owner=root group=root mode=0644
  notify:
    - Restart rsyslog

- name: Deploy configuration file for log rotation of slapd logs
  copy: src=slapd_logrotate dest=/etc/logrotate.d/slapd owner=root group=root mode=0644

- name: Change log level for slapd
  ldap_entry: dn=cn=config state=replace olcLogLevel="{{ ldap_server_log_level }}"

- name: Test if LDAP misc schema has been applied
  command: ldapsearch -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn
  register: ldap_misc_schema_present
  changed_when: false

- name: Deploy LDAP misc schema
  command: ldapadd -Y EXTERNAL -f /etc/ldap/schema/misc.ldif
  when: ldap_misc_schema_present.stdout == ""

- name: Deploy LDAP TLS private key
  copy: dest="/etc/ssl/private/{{ ldap_server_tls_key | basename }}" src="{{ ldap_server_tls_key }}"
        mode=640 owner=root group=openldap
  notify:
    - Restart slapd

- name: Deploy LDAP TLS certificate
  copy: dest="/etc/ssl/certs/{{ ldap_server_tls_certificate | basename }}" src="{{ ldap_server_tls_certificate }}"
        mode=644 owner=root group=root
  notify:
    - Restart slapd

- name: Configure TLS for slapd (includes hardening)
  ldap_entry: dn=cn=config state=replace olcTLSCertificateFile="/etc/ssl/certs/{{ ldap_server_tls_certificate | basename }}" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ldap_server_tls_key | basename }}"
              olcTLSCipherSuite="NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
  notify:
    - Restart slapd

- name: Configure SSF
  ldap_entry: dn=cn=config state=replace olcSecurity=ssf="{{ ldap_server_ssf }}" olcLocalSSF="{{ ldap_server_ssf }}"

- name: Enable the memberof module
  ldap_entry: dn="cn=module{0},cn=config" state=append olcModuleLoad="{1}memberof"

- name: Enable the memberof overlay for database
  ldap_entry:
    dn: "olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config"
    objectClass:
      - olcConfig
      - olcMemberOf
      - olcOverlayConfig
    olcOverlay: memberof
    olcMemberOfRefInt: "TRUE"
    olcMemberOfGroupOC: groupOfUniqueNames
    olcMemberOfMemberAD: uniqueMember

- name: Apply database permissions
  ldap_permissions:
    filter: "(olcSuffix={{ ldap_server_int_basedn }})"
    rules: "{{ ldap_permissions }}"

- name: Create basic LDAP directory structure
  ldap_entry: ""
  args:
    dn: "ou={{ item }},{{ ldap_server_int_basedn }}"
    objectClass:
      - organizationalUnit
    ou: "{{ item }}"
  with_items:
    - people
    - groups
    - services

- name: Create the entry that will contain mail service information
  ldap_entry: ""
  args:
    dn: "ou=mail,ou=services,{{ ldap_server_int_basedn }}"
    objectClass: organizationalUnit
    ou: mail

- name: Create LDAP directory structure for mail service
  ldap_entry: ""
  args:
    dn: "ou={{ item }},ou=mail,ou=services,{{ ldap_server_int_basedn }}"
    objectClass: organizationalUnit
    ou: "{{ item }}"
  with_items:
    - domains
    - aliases

- name: Create or remove login entries for services
  ldap_entry: ""
  args:
    dn: "cn={{ item.name }},ou=services,{{ ldap_server_int_basedn }}"
    objectClass:
      - applicationProcess
      - simpleSecurityObject
    cn: "{{ item.name }}"
    userPassword: "{{ item.password }}"
    state: "{{ item.state | default('present') }}"
  with_items: ldap_server_consumers

- name: Create or remove user-supplied groups
  ldap_entry: ""
  args:
    dn: "cn={{ item.name }},ou=groups,{{ ldap_server_int_basedn }}"
    objectClass: groupOfUniqueNames
    cn: "{{ item.name }}"
    uniqueMember: "cn=NONE"
    state: "{{ item.state | default('append') }}"
  with_items: ldap_server_groups

- name: Create user-supplied LDAP entries
  ldap_entry: ""
  args: "{{ item }}"
  with_items: ldap_entries

- name: Deploy firewall configuration for LDAP
  copy: src="ferm_ldap.conf" dest="/etc/ferm/conf.d/10-ldap.conf" owner=root group=root mode=640
  notify:
    - Restart ferm

- name: Deploy temporary file with LDAP admin password
  template: src="ldap_admin_password.j2" dest="/root/.ldap_admin_password"
            owner=root group=root mode=400
  changed_when: False

- name: Test if LDAP admin password needs to be changed
  command: ldapwhoami -D "cn=admin,{{ ldap_server_int_basedn }}" -x -y /root/.ldap_admin_password
  register: ldap_admin_password_check
  changed_when: ldap_admin_password_check.rc != 0
  failed_when: False

- name: Update LDAP admin password
  command: ldappasswd -Y EXTERNAL -H ldapi:/// "cn=admin,{{ ldap_server_int_basedn }}" -T /root/.ldap_admin_password
  when: ldap_admin_password_check.rc != 0

- name: Remove temporary file with LDAP admin password
  file: path="/root/.ldap_admin_password" state=absent
  changed_when: False

- name: Enable backup
  include: backup.yml
  when: enable_backup
This site is powered by Kallithea 0.7.0, which is © 2010–2023 by various authors & licensed under GPLv3.