home-server/roles/slapd/tasks/main.yml


---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
# Hand over to the etckeeper.inc role (upstream.yml) before packages are
# installed; presumably it records the pre-install state of /etc — see that role.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: OpenLDAP daemon
### ⇐ UPSTREAM BEGIN ###
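# One package call with a list instead of a with_items loop over `package`:
# looping a package module per item is deprecated (squash_actions) and slower,
# and the result is the same transaction.
- name: install packages
  package:
    name:
      - python-ldap   # bindings the ldap_entry/ldap_attr tasks below presumably rely on — confirm the interpreter they run under
      - openldap      # slapd and slaptest
    state: present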
### UPSTREAM END ⇒ ###
# Second etckeeper.inc step (merge.yml), run right after package installation.
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: OpenLDAP daemon
### ⇐ UPSTREAM END ###
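# Drop-in directory for the slapd.service override written by the next task.
- name: make sure /etc/systemd/system/slapd.service.d exists
  file:
    path: /etc/systemd/system/slapd.service.d
    state: directory
    mode: "0755"   # quoted: a bare 0755 is re-typed by the YAML parser (octal int)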
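# systemd drop-in: run slapd as ldap/ldap and listen on a TCP socket plus a
# ldapi:// Unix socket under /run/shared_sockets. The socket path is URL-encoded
# and '%' is doubled because systemd expands %-specifiers in ExecStart.
# NOTE(review): 'ldap://' without a host binds every interface and has no TLS;
# the "set LDAP access rules" task below ends its catch-all rule with
# `by * read`, so confirm this listener is not reachable beyond the intended network.
# NOTE(review): /run/shared_sockets is not created in this file; the
# After=systemd-tmpfiles-setup.service ordering suggests a tmpfiles rule
# elsewhere provides it — confirm.
- name: override slapd.service settings
  copy:
    dest: /etc/systemd/system/slapd.service.d/shared_sockets.conf
    mode: "0644"   # quoted so the octal literal is not re-typed by the YAML parser
    content: |
      [Unit]
      After=systemd-tmpfiles-setup.service
      [Service]
      Group=ldap
      RuntimeDirectory=openldap
      RuntimeDirectoryMode=0775
      ExecStart=
      ExecStart=/usr/bin/slapd -u ldap -g ldap -h 'ldap:// ldapi://%%2Frun%%2Fshared_sockets%%2Fldapi'
  notify:
    - restart slapd.service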
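# Database directory for the config-file backend. slapd runs as ldap/ldap (see
# the ExecStart override above), so the directory must belong to that account;
# without owner/group the module leaves a freshly created directory root-owned.
- name: create LDAP data directory
  file:
    path: /var/lib/openldap/openldap-data
    state: directory
    owner: ldap
    group: ldap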
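# Point slapd.conf at this deployment: suffix, rootdn and the pre-hashed root
# password (ldap_rootpw_sha). Each line replaces the matching stock directive
# or is appended when absent. loop_control.label shows only the directive
# name per item, so the password hash does not land in task output or logs.
# NOTE(review): slapd.conf now contains rootpw and this file does not set its
# mode/owner — confirm the package default keeps it unreadable to other users.
- name: set LDAP root credentials
  lineinfile:
    path: /etc/openldap/slapd.conf
    regexp: '^{{item.var}}'
    line: '{{item.var}} {{item.val}}'
  with_items:
    - var: suffix
      val: '"{{ldap_root}}"'
    - var: rootdn
      val: '"cn=root,{{ldap_root}}"'
    - var: rootpw
      val: '"{{ldap_rootpw_sha}}"'
  loop_control:
    label: "{{item.var}}"
  notify:
    - restart slapd.service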
# Add the schemas needed by the entries created later in this file, right after
# the stock `include` lines. slaptest -u checks the candidate file before it is
# written back.
- name: include LDAP schemas
  blockinfile:
    path: /etc/openldap/slapd.conf
    marker: '# {mark} https://wiki.archlinux.org/index.php/OpenLDAP - include'
    insertafter: '^include'
    validate: 'slaptest -f %s -F /etc/openldap/slapd.d/ -u'
    block: |
      include /etc/openldap/schema/cosine.schema
      include /etc/openldap/schema/inetorgperson.schema
      include /etc/openldap/schema/nis.schema
      include /etc/openldap/schema/misc.schema
  notify:
    - restart slapd.service
# Indexes for the attributes the user/group lookups below search on, placed
# after the stock `index` lines; validated with slaptest before being written.
- name: set LDAP indexes
  blockinfile:
    path: /etc/openldap/slapd.conf
    marker: '# {mark} https://wiki.archlinux.org/index.php/OpenLDAP - index'
    insertafter: '^index'
    validate: 'slaptest -f %s -F /etc/openldap/slapd.d/ -u'
    block: |
      index uid pres,eq
      index mail pres,sub,eq
      index cn pres,sub,eq
      index sn pres,sub,eq
      index dc eq
  notify:
    - restart slapd.service
# Access control, inserted ahead of the stock sample policy. OpenLDAP uses the
# first `access to` clause that matches, so the deployment-specific rules in
# ldap_extra_acl come first (the variable must be defined; an empty string
# only yields a blank line). Passwords and personal attributes: owner may
# write, anonymous may only bind against them, root may write, nobody else
# sees them. Everything else is readable by anyone, including anonymous binds.
- name: set LDAP access rules
  blockinfile:
    path: /etc/openldap/slapd.conf
    marker: '# {mark} https://wiki.archlinux.org/index.php/LDAP_authentication - access'
    insertbefore: '^# Sample access control policy'
    validate: 'slaptest -f %s -F /etc/openldap/slapd.d/ -u'
    block: |
      {{ldap_extra_acl}}
      access to attrs=userPassword,givenName,sn,photo
        by self write
        by anonymous auth
        by dn.base="cn=root,{{ldap_root}}" write
        by * none
      access to *
        by self read
        by dn.base="cn=root,{{ldap_root}}" write
        by * read
  notify:
    - restart slapd.service
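# Seed DB_CONFIG from the packaged example. The copy module with remote_src
# replaces the `bash -c cp` one-liner; force: false keeps the run-once
# semantics of the former `creates:` guard (an existing file is left alone and
# the task reports no change, so the handler is not notified).
- name: create LDAP DB_CONFIG
  copy:
    src: /var/lib/openldap/openldap-data/DB_CONFIG.example
    dest: /var/lib/openldap/openldap-data/DB_CONFIG
    remote_src: true
    force: false
  notify:
    - restart slapd.service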
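# Reload systemd so the drop-in is picked up, then enable and start slapd.
# state: started is needed for re-runs: when no configuration task changed
# anything, the restart handler never fires, and a stopped slapd makes the
# first ldap_entry task below fail on the missing ldapi socket.
- name: LDAP enabled
  systemd:
    name: slapd.service
    daemon_reload: true
    enabled: true
    state: started
# Apply pending restarts now: the LDIF tasks below need the daemon running
# with the configuration written above.
- meta: flush_handlers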
# Base entry of the directory. dc is the value of the first RDN of ldap_root
# (constructed example: dc=example,dc=org -> example); o is the display name.
# NOTE(review): ldap_entry is a create-only step — if the entry already
# exists, changed attribute values are presumably not applied; confirm.
- name: domain LDIF
  ldap_entry:
    server_uri: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "{{ldap_root}}"
    objectClass:
      - top
      - dcObject
      - organization
    attributes:
      dc: "{{ldap_root | regex_replace('^dc=([^,]+)(?:,.*)?$', '\\1')}}"
      o: "{{ldap_o_name}}"
# Entry for the rootdn itself, so cn=root resolves to a real object in the tree.
- name: root LDIF
  ldap_entry:
    server_uri: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "cn=root,{{ldap_root}}"
    objectClass:
      - top
      - organizationalRole
    attributes:
      cn: root
      description: LDAP administrator
      roleOccupant: "{{ldap_root}}"
# One organizationalUnit per category; the user, group and sudo entries are
# created under these.
- name: Users and Groups categories LDIF
  ldap_entry:
    server_uri: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "ou={{item}},{{ldap_root}}"
    objectClass:
      - top
      - organizationalUnit
    attributes:
      ou: "{{item}}"
  with_items:
    - Users
    - Groups
    - SUDOers
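# POSIX accounts (with shadowAccount) for the users listed in ldap_system_users.
# no_log: true because every loop item carries item.password, which would
# otherwise be echoed per item in task output and callback logs.
# NOTE(review): item.password is stored in userPassword as-is; make sure the
# inventory supplies a pre-hashed value rather than cleartext — confirm.
- name: system users LDIF
  ldap_entry:
    server_uri: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
    objectClass:
      - top
      - person
      - inetOrgPerson
      - organizationalPerson
      - posixAccount
      - shadowAccount
    attributes:
      uid: "{{item.uid}}"
      uidNumber: "{{item.uidNumber}}"
      gidNumber: "{{item.gidNumber}}"
      userPassword: "{{item.password}}"
      homeDirectory: "/home/{{item.uid}}"
      loginShell: /bin/bash
      givenName: "{{item.cn}}"
      cn: "{{item.cn}}"
      sn: "{{item.sn}}"
      mail: "{{item.uid}}@{{net_soa}}"
  with_items: "{{ldap_system_users}}"
  no_log: true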
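# Mail-only accounts: shared uid/gid, mailbox as home, no login shell and —
# unlike system users — no shadowAccount class.
# no_log: true because every loop item carries item.password, which would
# otherwise be echoed per item in task output and callback logs.
# NOTE(review): item.password is stored in userPassword as-is; make sure the
# inventory supplies a pre-hashed value rather than cleartext — confirm.
- name: virtual users LDIF
  ldap_entry:
    server_uri: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
    objectClass:
      - top
      - person
      - inetOrgPerson
      - organizationalPerson
      - posixAccount
    attributes:
      uid: "{{item.uid}}"
      uidNumber: "{{ldap_virtual_user_uid}}"
      gidNumber: "{{ldap_virtual_user_gid}}"
      userPassword: "{{item.password}}"
      homeDirectory: "/var/spool/mail/{{item.uid}}"
      loginShell: /usr/bin/nologin
      givenName: "{{item.cn}}"
      cn: "{{item.cn}}"
      sn: "{{item.sn}}"
      mail: "{{item.uid}}@{{net_soa}}"
  with_items: "{{ldap_virtual_users}}"
  no_log: true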
# Extra attributes per user from ldap_users_attrs (uid, attr, value);
# state: exact makes the attribute hold exactly item.value, adding or removing
# as needed. This is also the only task that updates attributes on existing
# user entries.
# NOTE(review): the item values are printed per iteration; if ldap_users_attrs
# can carry sensitive values, consider no_log on this task — verify.
- name: all users properties LDIF
  ldap_attr:
    server_uri: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
    name: "{{item.attr}}"
    values: "{{item.value}}"
    state: exact
  with_items: "{{ldap_users_attrs}}"
# posixGroup entries from ldap_system_groups (cn, gidNumber); members are
# attached by the next task.
- name: groups LDIF
  ldap_entry:
    server_uri: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "cn={{item.cn}},ou=Groups,{{ldap_root}}"
    objectClass:
      - top
      - posixGroup
    attributes:
      gidNumber: "{{item.gidNumber}}"
  with_items: "{{ldap_system_groups}}"
# Add each (group, member) pair from ldap_system_group_members as a memberUid
# value. state: present only adds: memberships absent from the variable are
# not removed from the directory.
- name: declare existing groups members
  ldap_attr:
    server_uri: 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/'
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "cn={{item.group}},ou=Groups,{{ldap_root}}"
    name: memberuid
    values: "{{item.member}}"
    state: present
  with_items: "{{ldap_system_group_members}}"
### LOCAL COMMIT ⇒ ###
# Final etckeeper.inc step (local.yml), recording the /etc changes made by this
# role, then one more handler flush so any pending restart is not deferred.
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: OpenLDAP daemon
### ⇐ LOCAL COMMIT ###
- meta: flush_handlers