---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.
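### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  # Hand-off to the etckeeper.inc role (not in view) before the package
  # install below; presumably it records the pre-install state of /etc so
  # upstream files can later be told apart from local edits — TODO confirm.
  # Module arguments are given as a YAML mapping rather than a single
  # "key=value" string, so each option is a typed, lint-checkable value.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: OpenLDAP daemon
### ⇐ UPSTREAM BEGIN ###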
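- name: install packages
  # Both packages in one transaction: the package module accepts a list, so
  # there is no need to loop and install them one at a time. python-ldap is
  # the client library the ldap_entry / ldap_attr tasks further down rely on.
  package:
    name:
      - python-ldap
      - openldap
    state: present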
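### UPSTREAM END ⇒ ###
- name: merge upstream
  # Second half of the etckeeper.inc bracket opened above: presumably commits
  # the package-provided changes to /etc under the given message — TODO confirm.
  # Mapping form instead of a "key=value" argument string (see the first
  # include_role in this file for the same convention).
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: OpenLDAP daemon
### ⇐ UPSTREAM END ###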
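- name: make sure /etc/systemd/system/slapd.service.d exists
  # Drop-in directory for the unit override written by the next task.
  file:
    path: /etc/systemd/system/slapd.service.d
    state: directory
    # Quoted on purpose: a bare 0755 is octal 493 under a YAML 1.1 loader
    # but decimal 755 under YAML 1.2; the string form is unambiguous.
    mode: "0755"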
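- name: override slapd.service settings
  # Drop-in for the packaged slapd unit: order it after tmpfiles setup
  # (presumably what creates /run/shared_sockets — TODO confirm), run the
  # daemon as ldap:ldap with a group-writable runtime dir, and clear then
  # replace ExecStart so the ldapi socket lands under /run/shared_sockets.
  # "%%" is systemd's escape for a literal "%" in the URL-encoded path.
  # NOTE(review): "ldap://" with no host makes slapd listen on every
  # interface on port 389 without TLS. The ACLs later in this file keep
  # userPassword to "auth" only, but simple binds still cross the network in
  # cleartext — confirm this exposure is intended, or restrict the listener
  # to localhost / add an ldaps:// endpoint.
  copy:
    content: |
      [Unit]
      After=systemd-tmpfiles-setup.service
      [Service]
      Group=ldap
      RuntimeDirectory=openldap
      RuntimeDirectoryMode=0775
      ExecStart=
      ExecStart=/usr/bin/slapd -u ldap -g ldap -h 'ldap:// ldapi://%%2Frun%%2Fshared_sockets%%2Fldapi'
    dest: /etc/systemd/system/slapd.service.d/shared_sockets.conf
    # Quoted so the octal mode survives both YAML 1.1 and 1.2 loaders.
    mode: "0644"
  notify:
    - restart slapd.service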
- name: create LDAP data directory
  # Backing store for the default database; DB_CONFIG is seeded into it
  # further down.
  # NOTE(review): no owner/group/mode is set here although slapd runs as
  # ldap:ldap (see the unit drop-in above); this relies on the packaged
  # directory already carrying suitable ownership — confirm on a fresh host.
  file:
    state: directory
    path: /var/lib/openldap/openldap-data
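- name: set LDAP root credentials
  # Rewrite the suffix / rootdn / rootpw directives in place (regexp matches
  # the directive at line start, whatever its current value). Values are
  # wrapped in double quotes because slapd.conf tokenises on whitespace.
  lineinfile:
    path: /etc/openldap/slapd.conf
    regexp: '^{{item.var}}'
    line: '{{item.var}} {{item.val}}'
  with_items:
    - {var: suffix, val: '"{{ldap_root}}"'}
    - {var: rootdn, val: '"cn=root,{{ldap_root}}"'}
    - {var: rootpw, val: '"{{ldap_rootpw_sha}}"'}
  # Each loop item is echoed in the task result, which would put the rootpw
  # hash into logs and callback output; silence the whole task.
  no_log: true
  notify:
    - restart slapd.service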
- name: include LDAP schemas
  # Add the schemas the user/group entries below depend on (inetOrgPerson,
  # posixAccount/posixGroup from nis, ...) right after the last existing
  # "include" line, and let slaptest veto the edit so a broken slapd.conf
  # never reaches the restart handler.
  blockinfile:
    path: /etc/openldap/slapd.conf
    marker: '# {mark} https://wiki.archlinux.org/index.php/OpenLDAP - include'
    insertafter: '^include'
    block: |
      include /etc/openldap/schema/cosine.schema
      include /etc/openldap/schema/inetorgperson.schema
      include /etc/openldap/schema/nis.schema
      include /etc/openldap/schema/misc.schema
    validate: 'slaptest -f %s -F /etc/openldap/slapd.d/ -u'
  notify: restart slapd.service
- name: set LDAP indexes
  # Presence/equality (and substring where search-by-text is likely) indexes
  # on the attributes the entries below are looked up by; appended after the
  # last existing "index" directive and validated before being kept.
  blockinfile:
    path: /etc/openldap/slapd.conf
    marker: '# {mark} https://wiki.archlinux.org/index.php/OpenLDAP - index'
    insertafter: '^index'
    block: |
      index uid pres,eq
      index mail pres,sub,eq
      index cn pres,sub,eq
      index sn pres,sub,eq
      index dc eq
    validate: 'slaptest -f %s -F /etc/openldap/slapd.d/ -u'
  notify: restart slapd.service
- name: set LDAP access rules
  # slapd evaluates "access to" clauses in order and the first matching
  # clause wins, so the site-specific rules from ldap_extra_acl come first.
  # Clause 1: the entry owner may change its own password/name/photo,
  # anonymous clients may only use userPassword for binding (auth), the
  # root DN may write, everyone else gets nothing. Clause 2: every other
  # attribute is readable by anyone ("by * read").
  # NOTE(review): combined with the ldap:// listener from the unit drop-in,
  # "by * read" exposes uidNumber, mail, memberUid, ... to any network
  # client — confirm that is intended, or tighten it to "by users read".
  # Inside the block, "by" lines are indented because slapd.conf treats a
  # line starting with whitespace as a continuation of the previous one.
  blockinfile:
    path: /etc/openldap/slapd.conf
    marker: '# {mark} https://wiki.archlinux.org/index.php/LDAP_authentication - access'
    insertbefore: '^# Sample access control policy'
    block: |
      {{ldap_extra_acl}}
      access to attrs=userPassword,givenName,sn,photo
        by self write
        by anonymous auth
        by dn.base="cn=root,{{ldap_root}}" write
        by * none
      access to *
        by self read
        by dn.base="cn=root,{{ldap_root}}" write
        by * read
    validate: 'slaptest -f %s -F /etc/openldap/slapd.d/ -u'
  notify: restart slapd.service
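- name: create LDAP DB_CONFIG
  # Seed the Berkeley DB tuning file from the packaged example, once.
  # The copy module with remote_src replaces a "bash -c 'cp ...{.example,}'"
  # command; force: false plays the role the old creates: guard did, leaving
  # an existing (possibly hand-tuned) DB_CONFIG untouched on re-runs.
  copy:
    src: /var/lib/openldap/openldap-data/DB_CONFIG.example
    dest: /var/lib/openldap/openldap-data/DB_CONFIG
    remote_src: true
    force: false
  notify:
    - restart slapd.service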
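- name: LDAP enabled
  systemd:
    # The unit drop-in written above is only picked up after a daemon-reload.
    daemon_reload: true
    name: slapd.service
    enabled: true
    # Also make sure the daemon is running: the ldap_entry / ldap_attr tasks
    # below need a live ldapi socket even on re-runs where no config task
    # changed and therefore no restart handler fires.
    state: started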
# Run the pending "restart slapd.service" handlers now rather than at the end
# of the play: the ldap_entry / ldap_attr tasks below must talk to the
# reconfigured daemon through the ldapi socket set up above.
- meta: flush_handlers
- name: domain LDIF
  # Root entry of the tree. dc is the value of ldap_root's first RDN
  # (dc=example,dc=org → example); o is the organisation name.
  # NOTE(review): inside a double-quoted YAML scalar '\\1' reaches Jinja as
  # '\1', and Jinja unescapes string literals itself, which may yield a
  # control character rather than the backreference — verify the dc value
  # that actually lands in the directory.
  ldap_entry:
    dn: "{{ldap_root}}"
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    objectClass:
      - top
      - dcObject
      - organization
    attributes:
      dc: "{{ldap_root | regex_replace('^dc=([^,]+)(?:,.*)?$', '\\1')}}"
      o: "{{ldap_o_name}}"
- name: root LDIF
  # Entry for the rootdn configured in slapd.conf, so the administrator DN
  # exists as a real object (organizationalRole occupied by the domain).
  ldap_entry:
    dn: "cn=root,{{ldap_root}}"
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    objectClass:
      - top
      - organizationalRole
    attributes:
      cn: root
      description: LDAP administrator
      roleOccupant: "{{ldap_root}}"
- name: Users and Groups categories LDIF
  # One organizationalUnit per container the later tasks populate (SUDOers
  # is created here too, although nothing in this file fills it).
  ldap_entry:
    dn: "ou={{item}},{{ldap_root}}"
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    objectClass:
      - top
      - organizationalUnit
    attributes:
      ou: "{{item}}"
  with_items: [Users, Groups, SUDOers]
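- name: system users LDIF
  # POSIX + shadow accounts with a real home and shell, one per entry of
  # ldap_system_users (uid, uidNumber, gidNumber, password, cn, sn).
  # ldap_entry only creates missing entries; attribute changes on existing
  # users go through the ldap_attr task further down.
  # NOTE(review): userPassword is stored exactly as given — confirm the
  # inventory carries a hashed value ({SSHA}, {CRYPT}, ...), not cleartext.
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
    objectClass:
      - top
      - person
      - inetOrgPerson
      - organizationalPerson
      - posixAccount
      - shadowAccount
    attributes:
      uid: "{{item.uid}}"
      uidNumber: "{{item.uidNumber}}"
      gidNumber: "{{item.gidNumber}}"
      userPassword: "{{item.password}}"
      homeDirectory: "/home/{{item.uid}}"
      loginShell: /bin/bash
      givenName: "{{item.cn}}"
      cn: "{{item.cn}}"
      sn: "{{item.sn}}"
      mail: "{{item.uid}}@{{net_soa}}"
  with_items: "{{ldap_system_users}}"
  # The loop item (including item.password) is printed in the task result;
  # the module masks only its own bind_pw, so silence the task ourselves.
  no_log: true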
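- name: virtual users LDIF
  # Mail-only accounts: every entry of ldap_virtual_users shares the single
  # uidNumber/gidNumber pair from ldap_virtual_user_uid/gid, gets a spool
  # directory as home and no login shell.
  # NOTE(review): as with the system users, userPassword is stored as given —
  # confirm the inventory value is already hashed.
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
    objectClass:
      - top
      - person
      - inetOrgPerson
      - organizationalPerson
      - posixAccount
    attributes:
      uid: "{{item.uid}}"
      uidNumber: "{{ldap_virtual_user_uid}}"
      gidNumber: "{{ldap_virtual_user_gid}}"
      userPassword: "{{item.password}}"
      homeDirectory: "/var/spool/mail/{{item.uid}}"
      loginShell: /usr/bin/nologin
      givenName: "{{item.cn}}"
      cn: "{{item.cn}}"
      sn: "{{item.sn}}"
      mail: "{{item.uid}}@{{net_soa}}"
  with_items: "{{ldap_virtual_users}}"
  # Keep item.password out of the task output and logs.
  no_log: true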
- name: all users’ properties LDIF
  # Per-user attribute overrides from ldap_users_attrs (uid, attr, value).
  # state: exact makes the attribute hold exactly item.value — anything else
  # present under that attribute is removed, which is how existing users get
  # updated since ldap_entry never touches an entry it finds.
  # NOTE(review): if ldap_users_attrs ever carries userPassword, add
  # no_log: true here as well; the loop item is printed in the result.
  # ldap_attr has since been superseded by ldap_attrs in community.general.
  ldap_attr:
    dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
    name: "{{item.attr}}"
    values: "{{item.value}}"
    state: exact
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
  with_items: "{{ldap_users_attrs}}"
- name: groups LDIF
  # One posixGroup per entry of ldap_system_groups (cn, gidNumber); members
  # are attached by the next task so groups can exist before their users.
  ldap_entry:
    dn: "cn={{item.cn}},ou=Groups,{{ldap_root}}"
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    objectClass:
      - top
      - posixGroup
    attributes:
      gidNumber: "{{item.gidNumber}}"
  with_items: "{{ldap_system_groups}}"
- name: declare existing groups’ members
  # Add item.member to the memberUid values of group item.group (attribute
  # names are case-insensitive in LDAP, hence "memberuid"). state: present
  # only adds — members removed from ldap_system_group_members stay in the
  # directory until cleaned up by hand.
  ldap_attr:
    dn: "cn={{item.group}},ou=Groups,{{ldap_root}}"
    name: memberuid
    values: "{{item.member}}"
    state: present
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
  with_items: "{{ldap_system_group_members}}"
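### LOCAL COMMIT ⇒ ###
- name: commit local changes
  # Closing etckeeper.inc call: presumably commits the edits this file made
  # under /etc with the given message — TODO confirm against the role.
  # Mapping form instead of a "key=value" argument string, matching the
  # other include_role calls in this file.
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: OpenLDAP daemon
### ⇐ LOCAL COMMIT ###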
# Fire any handler still pending (a restart notified by a task after the
# earlier flush) before control returns to the caller of this task file.
- meta: flush_handlers