---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  # Opening step of the shared etckeeper.inc role (upstream.yml); the matching
  # merge.yml call follows the package install below. allow_duplicates is
  # required because the same role is included several times in this file.
  include_role:
    name: etckeeper.inc
    tasks_from: upstream.yml
    allow_duplicates: true
  vars:
    msg: OpenLDAP daemon
### ⇐ UPSTREAM BEGIN ###
- name: install packages
  # openldap provides slapd; python-ldap is imported on the target by the
  # ldap_entry/ldap_attr tasks further down, so it has to be present there.
  package:
    name:
      - python-ldap
      - openldap
    state: present
### UPSTREAM END ⇒ ###
- name: merge upstream
  # Closing half of the etckeeper.inc upstream bracket (merge.yml), run right
  # after the packages have been installed.
  include_role:
    name: etckeeper.inc
    tasks_from: merge.yml
    allow_duplicates: true
  vars:
    msg: OpenLDAP daemon
### ⇐ UPSTREAM END ###
- name: make sure /etc/systemd/system/slapd.service.d exists
  # Directory for the unit drop-in written by the next task. World-readable
  # like the rest of /etc/systemd/system; the drop-in holds no secrets.
  file:
    path: /etc/systemd/system/slapd.service.d
    state: directory
    mode: "0755"
- name: override slapd.service settings
  # Drop-in for the packaged unit. slapd runs as ldap:ldap and listens on two
  # URLs: plain ldap:// (TCP 389 on every interface — nothing in this role
  # configures TLS, so simple binds against it carry the password in clear;
  # keep that port firewalled to trusted hosts or add ldaps://) and the
  # ldapi:// unix socket under /run/shared_sockets, which the ldap_* tasks
  # below use. "%%" is the systemd escape for a literal "%", so slapd sees
  # ldapi://%2Frun%2Fshared_sockets%2Fldapi. The After= ordering presumably
  # waits for /run/shared_sockets to be created by a tmpfiles.d entry managed
  # elsewhere — confirm.
  copy:
    dest: /etc/systemd/system/slapd.service.d/shared_sockets.conf
    mode: "0644"
    content: |
      [Unit]
      After=systemd-tmpfiles-setup.service
      [Service]
      Group=ldap
      RuntimeDirectory=openldap
      RuntimeDirectoryMode=0775
      ExecStart=
      ExecStart=/usr/bin/slapd -u ldap -g ldap -h 'ldap:// ldapi://%%2Frun%%2Fshared_sockets%%2Fldapi'
  notify: restart slapd.service
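- name: create LDAP data directory
  # slapd runs as ldap:ldap (see the unit drop-in) and this directory holds the
  # database files, including every userPassword value, so it is owned by the
  # service account and closed to everyone else. The package may already ship
  # it this way; stating it here keeps the directory from ending up root:root
  # 0755 when Ansible has to create it.
  file:
    path: /var/lib/openldap/openldap-data
    state: directory
    owner: ldap
    group: ldap
    mode: "0700"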
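- name: set LDAP root credentials
  # Pins suffix, rootdn and rootpw in slapd.conf, replacing the last line that
  # starts with each keyword. ldap_rootpw_sha is expected to be the hashed
  # form ({SSHA}… as produced by slappasswd); the clear-text ldap_rootpw is
  # only used for the binds further down. Because the file carries that hash
  # it is kept root:ldap 0640 — slapd runs as ldap (see the drop-in) and must
  # read it, nobody else needs to.
  lineinfile:
    path: /etc/openldap/slapd.conf
    regexp: '^{{item.var}}'
    line: '{{item.var}} {{item.val}}'
    owner: root
    group: ldap
    mode: "0640"
  with_items:
    - {var: suffix, val: '"{{ldap_root}}"'}
    - {var: rootdn, val: '"cn=root,{{ldap_root}}"'}
    - {var: rootpw, val: '"{{ldap_rootpw_sha}}"'}
  notify:
    - restart slapd.service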
- name: include LDAP schemas
  # Adds the schemas the entries below rely on (inetOrgPerson; posixAccount,
  # posixGroup and shadowAccount come from nis.schema) next to the existing
  # include lines. The edit is rejected if slaptest does not accept the
  # resulting file.
  blockinfile:
    path: /etc/openldap/slapd.conf
    marker: "# {mark} https://wiki.archlinux.org/index.php/OpenLDAP - include"
    insertafter: '^include'
    validate: slaptest -f %s -F /etc/openldap/slapd.d/ -u
    block: |
      include /etc/openldap/schema/cosine.schema
      include /etc/openldap/schema/inetorgperson.schema
      include /etc/openldap/schema/nis.schema
      include /etc/openldap/schema/misc.schema
  notify: restart slapd.service
- name: set LDAP indexes
  # Indexes for the attributes the user/group lookups search on; placed next
  # to the existing index lines and validated with slaptest before the file
  # is replaced.
  blockinfile:
    path: /etc/openldap/slapd.conf
    marker: "# {mark} https://wiki.archlinux.org/index.php/OpenLDAP - index"
    insertafter: '^index'
    validate: slaptest -f %s -F /etc/openldap/slapd.d/ -u
    block: |
      index uid pres,eq
      index mail pres,sub,eq
      index cn pres,sub,eq
      index sn pres,sub,eq
      index dc eq
  notify: restart slapd.service
- name: set LDAP access rules
  # Access control. slapd evaluates "access to" clauses top-down and the first
  # one matching the target applies:
  #  * ldap_extra_acl is rendered first, so whatever it contributes takes
  #    precedence over — and can loosen — the password rule; review that
  #    variable when it changes.
  #  * userPassword (plus givenName/sn/photo): the owner may change it,
  #    anonymous clients may only use it to bind ("auth"), everyone else gets
  #    nothing, so password hashes are never readable.
  #  * everything else (uid, uidNumber, mail, homeDirectory, memberUid, the
  #    SUDOers subtree…) is readable by anonymous clients on every listener —
  #    the usual NSS/PAM lookup model, but remember this applies to plain
  #    ldap:// too.
  # The cn=root lines only document intent: the rootdn from slapd.conf is
  # exempt from access control anyway. Nothing grants "self write" on
  # shadowLastChange, so clients that update it on password change will be
  # refused — NOTE(review): confirm against the PAM setup.
  # The "by" lines must stay indented: slapd.conf joins a whitespace-led line
  # to the directive above it, and slaptest (validate) rejects the file
  # otherwise.
  blockinfile:
    path: /etc/openldap/slapd.conf
    marker: "# {mark} https://wiki.archlinux.org/index.php/LDAP_authentication - access"
    insertbefore: '^# Sample access control policy'
    validate: slaptest -f %s -F /etc/openldap/slapd.d/ -u
    block: |
      {{ldap_extra_acl}}
      access to attrs=userPassword,givenName,sn,photo
        by self write
        by anonymous auth
        by dn.base="cn=root,{{ldap_root}}" write
        by * none
      access to *
        by self read
        by dn.base="cn=root,{{ldap_root}}" write
        by * read
  notify: restart slapd.service
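- name: create LDAP DB_CONFIG
  # Seed DB_CONFIG from the packaged example once. force: false leaves an
  # existing (possibly tuned) file untouched, which is what the previous
  # `bash -c 'cp …'` guarded by `creates:` did; using the copy module drops
  # the shell invocation and makes check mode and --diff work.
  copy:
    src: /var/lib/openldap/openldap-data/DB_CONFIG.example
    dest: /var/lib/openldap/openldap-data/DB_CONFIG
    remote_src: true
    force: false
  notify:
    - restart slapd.service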
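- name: LDAP enabled
  # Reload units so the drop-in is picked up, enable slapd at boot and make
  # sure it is running now: the ldap_entry/ldap_attr tasks below connect to
  # the ldapi socket and fail if the daemon is down. Previously only the
  # restart handler started it, so a run with no config change on a host
  # where slapd had stopped broke at "domain LDIF".
  systemd:
    name: slapd.service
    daemon_reload: true
    enabled: true
    state: started
# Apply any pending restart before the directory content is written.
- meta: flush_handlers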
- name: domain LDIF
  # Base entry of the tree. Binds as the rootdn over the unix socket with the
  # clear-text ldap_rootpw (bind_pw is masked by the module in its output).
  # dc is the value of the first RDN of ldap_root, e.g. dc=home,dc=lan -> home.
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ ldap_root }}"
    bind_pw: "{{ ldap_rootpw }}"
    dn: "{{ ldap_root }}"
    objectClass: [top, dcObject, organization]
    attributes:
      dc: "{{ ldap_root | regex_replace('^dc=([^,]+)(?:,.*)?$', '\\1') }}"
      o: "{{ ldap_o_name }}"
- name: root LDIF
  # Directory entry for the rootdn so that the DN resolves. It carries no
  # userPassword: the admin secret is the rootpw line in slapd.conf.
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ ldap_root }}"
    bind_pw: "{{ ldap_rootpw }}"
    dn: "cn=root,{{ ldap_root }}"
    objectClass: [top, organizationalRole]
    attributes:
      cn: root
      description: LDAP administrator
      roleOccupant: "{{ ldap_root }}"
- name: Users and Groups categories LDIF
  # Top-level containers. SUDOers is created here but nothing in this file
  # populates it.
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ ldap_root }}"
    bind_pw: "{{ ldap_rootpw }}"
    dn: "ou={{ item }},{{ ldap_root }}"
    objectClass: [top, organizationalUnit]
    attributes:
      ou: "{{ item }}"
  with_items: [Users, Groups, SUDOers]
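- name: system users LDIF
  # Login accounts: bash shell, /home/<uid>, mail address derived from
  # net_soa. no_log is set because every loop item carries item.password and
  # Ansible echoes the item in the task output (and in full on failure). The
  # value is written verbatim to userPassword, so it must already be a hash
  # ({SSHA}… from slappasswd) — confirm in the vars file; slapd stores
  # whatever it is given.
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
    objectClass:
      - top
      - person
      - inetOrgPerson
      - organizationalPerson
      - posixAccount
      - shadowAccount
    attributes:
      uid: "{{item.uid}}"
      uidNumber: "{{item.uidNumber}}"
      gidNumber: "{{item.gidNumber}}"
      userPassword: "{{item.password}}"
      homeDirectory: "/home/{{item.uid}}"
      loginShell: /bin/bash
      givenName: "{{item.cn}}"
      cn: "{{item.cn}}"
      sn: "{{item.sn}}"
      mail: "{{item.uid}}@{{net_soa}}"
  with_items: "{{ldap_system_users}}"
  no_log: true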
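- name: virtual users LDIF
  # Mail-only accounts: no shell (nologin), shared uid/gid from
  # ldap_virtual_user_uid/gid, home under /var/spool/mail. no_log is set for
  # the same reason as the system users task: item.password is part of the
  # loop item Ansible prints. It is written verbatim to userPassword and is
  # therefore expected to be a pre-hashed value — confirm in the vars file.
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
    objectClass:
      - top
      - person
      - inetOrgPerson
      - organizationalPerson
      - posixAccount
    attributes:
      uid: "{{item.uid}}"
      uidNumber: "{{ldap_virtual_user_uid}}"
      gidNumber: "{{ldap_virtual_user_gid}}"
      userPassword: "{{item.password}}"
      homeDirectory: "/var/spool/mail/{{item.uid}}"
      loginShell: /usr/bin/nologin
      givenName: "{{item.cn}}"
      cn: "{{item.cn}}"
      sn: "{{item.sn}}"
      mail: "{{item.uid}}@{{net_soa}}"
  with_items: "{{ldap_virtual_users}}"
  no_log: true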
- name: all users properties LDIF
  # Extra per-user attributes from ldap_users_attrs (items with uid, attr,
  # value). state: exact makes the attribute's value set equal to item.value,
  # removing any other value. NOTE(review): if that list ever carries
  # userPassword, this task needs no_log like the user tasks above.
  ldap_attr:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ ldap_root }}"
    bind_pw: "{{ ldap_rootpw }}"
    dn: "uid={{ item.uid }},ou=Users,{{ ldap_root }}"
    name: "{{ item.attr }}"
    values: "{{ item.value }}"
    state: exact
  with_items: "{{ ldap_users_attrs }}"
- name: groups LDIF
  # One posixGroup per item of ldap_system_groups (cn, gidNumber); cn comes
  # from the RDN. Members are attached by the next task.
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ ldap_root }}"
    bind_pw: "{{ ldap_rootpw }}"
    dn: "cn={{ item.cn }},ou=Groups,{{ ldap_root }}"
    objectClass: [top, posixGroup]
    attributes:
      gidNumber: "{{ item.gidNumber }}"
  with_items: "{{ ldap_system_groups }}"
- name: declare existing groups members
  # Adds item.member to memberUid of cn=<item.group> without touching the
  # members already present (state: present); memberships removed from
  # ldap_system_group_members are not revoked here.
  ldap_attr:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ ldap_root }}"
    bind_pw: "{{ ldap_rootpw }}"
    dn: "cn={{ item.group }},ou=Groups,{{ ldap_root }}"
    name: memberuid
    values: "{{ item.member }}"
    state: present
  with_items: "{{ ldap_system_group_members }}"
### LOCAL COMMIT ⇒ ###
- name: commit local changes
  # Closing etckeeper.inc step (local.yml): records the /etc changes made by
  # this role.
  include_role:
    name: etckeeper.inc
    tasks_from: local.yml
    allow_duplicates: true
  vars:
    msg: OpenLDAP daemon
### ⇐ LOCAL COMMIT ###
# Run any handler still pending before the role returns.
- meta: flush_handlers