---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licenses/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
# Hand control to the etckeeper.inc role (its upstream.yml tasks) before
# any package is installed; presumably this records the state of /etc so
# the package-driven changes can be merged as an "upstream" commit below.
# allow_duplicates lets the same role be included several times in a play.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: OpenLDAP daemon
### ⇐ UPSTREAM BEGIN ###
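# Install slapd (openldap) and python-ldap, the library behind the
# ldap_entry/ldap_attr tasks further down. The whole list is handed to
# the package manager in a single call instead of one call per loop
# iteration: one transaction, one dependency resolution, one change.
- name: install packages
  package:
    name:
      - python-ldap
      - openldap
    state: present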
### UPSTREAM END ⇒ ###
# Packages are in place: let etckeeper.inc (merge.yml) fold whatever the
# package manager wrote under /etc into the tracked history before this
# file starts editing slapd.conf and the systemd unit.
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: OpenLDAP daemon
### ⇐ UPSTREAM END ###
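# Drop-in directory for the slapd.service override written by the next
# task. The mode is quoted on purpose: an unquoted 0755 is parsed by YAML
# as the integer 493, and Ansible's own documentation warns that integer
# modes work "sometimes" but can fail in loops and other circumstances.
- name: make sure /etc/systemd/system/slapd.service.d exists
  file:
    path: /etc/systemd/system/slapd.service.d
    state: directory
    mode: "0755"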
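# systemd drop-in for slapd.service:
#   * After=systemd-tmpfiles-setup.service: the socket directory
#     /run/shared_sockets must exist before slapd starts; it is assumed
#     to be declared in a tmpfiles.d snippet elsewhere (not in this file).
#   * Group=ldap + RuntimeDirectory/RuntimeDirectoryMode: /run/openldap is
#     created group-writable for the ldap group.
#   * The empty "ExecStart=" clears the packaged command line; the second
#     one runs slapd as ldap:ldap, listening on TCP (ldap://) and on a
#     Unix socket at /run/shared_sockets/ldapi (ldapi://), which is the
#     URI every ldap_* task below connects to. "%%" is systemd's escape
#     for a literal "%" in the URL-encoded socket path.
# NOTE(review): "ldap://" with no host binds port 389 on every interface,
# in the clear, and nothing in this file configures TLS. If the host is
# reachable from networks you do not trust, bind to localhost
# (ldap://127.0.0.1) or add an ldaps:// listener with certificates.
# The drop-in is only honoured after a daemon-reload; the "LDAP enabled"
# task below performs one before the pending restart is flushed.
# The file mode is quoted so YAML does not turn 0644 into an integer.
- name: override slapd.service settings
  copy:
    dest: /etc/systemd/system/slapd.service.d/shared_sockets.conf
    mode: "0644"
    content: |
      [Unit]
      After=systemd-tmpfiles-setup.service
      [Service]
      Group=ldap
      RuntimeDirectory=openldap
      RuntimeDirectoryMode=0775
      ExecStart=
      ExecStart=/usr/bin/slapd -u ldap -g ldap -h 'ldap:// ldapi://%%2Frun%%2Fshared_sockets%%2Fldapi'
  notify:
    - restart slapd.service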
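# Directory holding the database files (and DB_CONFIG, seeded below).
# slapd runs as ldap:ldap (see the -u/-g flags in the service override),
# so the directory has to belong to that user or the server cannot write
# its database; and since those files carry every userPassword hash,
# nothing but slapd — and root — needs to read them, hence 0700.
# Relax to "0750"/"0755" if some other local account must read the data.
# mode is quoted so YAML does not turn the octal into an integer.
- name: create LDAP data directory
  file:
    path: /var/lib/openldap/openldap-data
    state: directory
    owner: ldap
    group: ldap
    mode: "0700"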
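# Point the default database at this site's suffix and rootdn and set
# the rootdn password. ldap_rootpw_sha is expected to be an already
# hashed value ({SSHA}… or similar), so the cleartext never reaches
# slapd.conf; the cleartext counterpart (ldap_rootpw) is only used by the
# ldap_* tasks to bind. Each value is wrapped in double quotes so that
# commas and spaces in the DN survive slapd.conf parsing.
# no_log keeps the loop items — and therefore the password hash — out of
# Ansible's output and logs; comment it out temporarily when debugging.
# No `validate:` here on purpose: the three directives are rewritten one
# at a time, and a half-updated file (new suffix, old rootdn) may not
# pass slaptest. The blockinfile tasks that follow validate the file.
- name: set LDAP root credentials
  lineinfile:
    path: /etc/openldap/slapd.conf
    regexp: '^{{item.var}}'
    line: '{{item.var}} {{item.val}}'
  with_items:
    - var: suffix
      val: '"{{ldap_root}}"'
    - var: rootdn
      val: '"cn=root,{{ldap_root}}"'
    - var: rootpw
      val: '"{{ldap_rootpw_sha}}"'
  no_log: true
  notify:
    - restart slapd.service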
# Pull the standard schemas (cosine, inetOrgPerson, nis, misc) into
# slapd.conf; they define the object classes and attributes the LDIF
# tasks below rely on (inetOrgPerson, posixAccount, shadowAccount,
# posixGroup, …). The block is kept between marker comments, inserted
# after the packaged "include" line(s), and slaptest checks the edited
# file before it replaces slapd.conf.
- name: include LDAP schemas
  blockinfile:
    path: /etc/openldap/slapd.conf
    insertafter: '^include'
    marker: '# {mark} https://wiki.archlinux.org/index.php/OpenLDAP - include'
    validate: slaptest -f %s -F /etc/openldap/slapd.d/ -u
    block: |
      include /etc/openldap/schema/cosine.schema
      include /etc/openldap/schema/inetorgperson.schema
      include /etc/openldap/schema/nis.schema
      include /etc/openldap/schema/misc.schema
  notify:
    - restart slapd.service
# Attribute indexes for the default database: "pres" serves presence
# filters, "eq" equality matches and "sub" substring searches. The block
# sits between marker comments after the packaged "index" line(s) and is
# validated with slaptest before the file is replaced.
# NOTE(review): index directives added after the database has been
# populated are not applied retroactively — run slapindex (with slapd
# stopped) to rebuild, otherwise searches using the new index may miss
# existing entries.
- name: set LDAP indexes
  blockinfile:
    path: /etc/openldap/slapd.conf
    insertafter: '^index'
    marker: '# {mark} https://wiki.archlinux.org/index.php/OpenLDAP - index'
    validate: slaptest -f %s -F /etc/openldap/slapd.d/ -u
    block: |
      index uid pres,eq
      index mail pres,sub,eq
      index cn pres,sub,eq
      index sn pres,sub,eq
      index dc eq
  notify:
    - restart slapd.service
# Access control for the default database. slapd evaluates "access to"
# clauses in file order and stops at the first "to" that matches, so the
# site-specific rules from ldap_extra_acl come first and take precedence
# over the two generic rules:
#   * userPassword, givenName, sn, photo: the entry itself may write
#     them, anonymous clients may only use userPassword to bind ("auth",
#     never read), the rootdn may write, nobody else gets anything. This
#     is what keeps password hashes from being read over LDAP.
#   * every other attribute: readable by anyone, including anonymous
#     binds (what NSS/PAM-style lookups need), writable by the rootdn.
# The explicit dn.base="cn=root,…" clauses match the rootdn configured
# above; the rootdn bypasses ACLs anyway, so they mostly document intent.
# NOTE(review): "by * read" also applies to unauthenticated clients on
# the ldap:// TCP listener, so uids, mail addresses, group membership and
# the like are enumerable by anything that can reach port 389. If that
# listener is not confined to the host, consider "by users read" (only
# authenticated binds) or a network-level restriction.
# The block is placed in front of the packaged sample policy (matched by
# insertbefore) and slaptest validates the edited file before it
# replaces slapd.conf.
- name: set LDAP access rules
  blockinfile:
    path: /etc/openldap/slapd.conf
    marker: '# {mark} https://wiki.archlinux.org/index.php/LDAP_authentication - access'
    block: |
      {{ldap_extra_acl}}
      access to attrs=userPassword,givenName,sn,photo
        by self write
        by anonymous auth
        by dn.base="cn=root,{{ldap_root}}" write
        by * none
      access to *
        by self read
        by dn.base="cn=root,{{ldap_root}}" write
        by * read
    insertbefore: '^# Sample access control policy'
    validate: slaptest -f %s -F /etc/openldap/slapd.d/ -u
  notify:
    - restart slapd.service
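# Seed DB_CONFIG (Berkeley DB settings used by the bdb/hdb backends) from
# the example shipped with the package. `creates` makes the task a no-op
# once the file exists, so local tuning is never clobbered. A plain cp
# with both paths spelled out does the job; the previous `bash -c` only
# existed for brace expansion and spawned a shell for nothing.
- name: create LDAP DB_CONFIG
  command: cp /var/lib/openldap/openldap-data/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG
  args:
    creates: /var/lib/openldap/openldap-data/DB_CONFIG
  notify:
    - restart slapd.service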
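# Reload unit files so the drop-in written above is seen, enable slapd at
# boot and make sure it is running now. The ldap_entry/ldap_attr tasks
# that follow talk to the live server: without `state: started`, a run
# that changes no configuration (and therefore notifies no restart
# handler) fails against a slapd that is merely enabled but stopped.
- name: LDAP enabled
  systemd:
    name: slapd.service
    daemon_reload: true
    enabled: true
    state: started

# Apply any pending "restart slapd.service" notification now, before
# directory content is written, so the server is running the
# configuration produced above (sockets, suffix, rootdn, schemas, ACLs).
- meta: flush_handlers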
# Base entry of the directory (the suffix itself). Like every ldap_* task
# in this file it binds as the rootdn over the local ldapi socket from
# the service override; bind_pw carries the cleartext rootdn password,
# which the module masks in its output — the variable itself should come
# from a vault or secret store, not a plain vars file.
# dc is the left-most "dc=" component of ldap_root; the regex leaves the
# string untouched when ldap_root does not start with "dc=".
# NOTE(review): the replacement's backslash goes through both YAML
# double-quote processing and Jinja string-literal unescaping — confirm
# on the target Ansible version that the rendered dc is the bare domain
# component and not a control character.
- name: domain LDIF
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: 'cn=root,{{ldap_root}}'
    bind_pw: '{{ldap_rootpw}}'
    dn: '{{ldap_root}}'
    objectClass: [top, dcObject, organization]
    attributes:
      dc: "{{ldap_root | regex_replace('^dc=([^,]+)(?:,.*)?$', '\\1')}}"
      o: '{{ldap_o_name}}'
# An entry for the rootdn itself (cn=root under the suffix) so that the
# DN used for binding exists in the tree. It is a plain organizationalRole
# whose roleOccupant points at the suffix; the actual password lives in
# slapd.conf (rootpw), not in this entry.
- name: root LDIF
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: 'cn=root,{{ldap_root}}'
    bind_pw: '{{ldap_rootpw}}'
    dn: 'cn=root,{{ldap_root}}'
    objectClass: [top, organizationalRole]
    attributes:
      cn: root
      description: LDAP administrator
      roleOccupant: '{{ldap_root}}'
# Top-level containers: ou=Users and ou=Groups receive the accounts and
# posixGroups created below; ou=SUDOers is created here but populated
# elsewhere (presumably by a sudo-related role — not visible in this
# file).
- name: Users and Groups categories LDIF
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: 'cn=root,{{ldap_root}}'
    bind_pw: '{{ldap_rootpw}}'
    dn: 'ou={{item}},{{ldap_root}}'
    objectClass: [top, organizationalUnit]
    attributes:
      ou: '{{item}}'
  with_items: [Users, Groups, SUDOers]
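# One login account per entry of ldap_system_users (uid, uidNumber,
# gidNumber, password, cn, sn): a posixAccount/shadowAccount with a home
# under /home, bash as shell, and a mailbox at <uid>@<net_soa>.
# item.password is stored as userPassword verbatim, so it should be a
# pre-hashed value ({SSHA}… or similar) — a cleartext value would be kept
# as-is in the database. no_log keeps the loop items, and with them the
# password field, out of Ansible's output and logs.
# Per the module's documentation ldap_entry only creates missing entries
# and never modifies existing ones; attribute changes go through the
# ldap_attr task further down.
- name: system users LDIF
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
    objectClass:
      - top
      - person
      - inetOrgPerson
      - organizationalPerson
      - posixAccount
      - shadowAccount
    attributes:
      uid: "{{item.uid}}"
      uidNumber: "{{item.uidNumber}}"
      gidNumber: "{{item.gidNumber}}"
      userPassword: "{{item.password}}"
      homeDirectory: "/home/{{item.uid}}"
      loginShell: /bin/bash
      givenName: "{{item.cn}}"
      cn: "{{item.cn}}"
      sn: "{{item.sn}}"
      mail: "{{item.uid}}@{{net_soa}}"
  with_items: "{{ldap_system_users}}"
  no_log: true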
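# Mail-only accounts from ldap_virtual_users (uid, password, cn, sn).
# They all share one uidNumber/gidNumber (ldap_virtual_user_uid/_gid),
# get their maildir as "home" and cannot log in (nologin shell, no
# shadowAccount class). item.password is stored as userPassword verbatim,
# so it should be a pre-hashed value; no_log keeps the loop items — and
# the password field — out of Ansible's output and logs.
# Per the module's documentation ldap_entry only creates missing entries;
# attribute changes go through the ldap_attr task further down.
- name: virtual users LDIF
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: "cn=root,{{ldap_root}}"
    bind_pw: "{{ldap_rootpw}}"
    dn: "uid={{item.uid}},ou=Users,{{ldap_root}}"
    objectClass:
      - top
      - person
      - inetOrgPerson
      - organizationalPerson
      - posixAccount
    attributes:
      uid: "{{item.uid}}"
      uidNumber: "{{ldap_virtual_user_uid}}"
      gidNumber: "{{ldap_virtual_user_gid}}"
      userPassword: "{{item.password}}"
      homeDirectory: "/var/spool/mail/{{item.uid}}"
      loginShell: /usr/bin/nologin
      givenName: "{{item.cn}}"
      cn: "{{item.cn}}"
      sn: "{{item.sn}}"
      mail: "{{item.uid}}@{{net_soa}}"
  with_items: "{{ldap_virtual_users}}"
  no_log: true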
# Extra per-user attributes from ldap_users_attrs (each item: uid, attr,
# value). state=exact makes the attribute hold exactly item.value —
# values present in the directory but absent from item.value are removed
# — so this task is authoritative for every attribute it names.
# NOTE(review): if any of these attributes are secrets, add no_log: true;
# newer Ansible releases replace ldap_attr with ldap_attrs — check before
# upgrading.
- name: all users’ properties LDIF
  ldap_attr:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: 'cn=root,{{ldap_root}}'
    bind_pw: '{{ldap_rootpw}}'
    dn: 'uid={{item.uid}},ou=Users,{{ldap_root}}'
    name: '{{item.attr}}'
    values: '{{item.value}}'
    state: exact
  with_items: '{{ldap_users_attrs}}'
# One posixGroup per entry of ldap_system_groups (cn, gidNumber), created
# without members; membership is declared by the next task so that groups
# can be referenced by users created in between.
- name: groups LDIF
  ldap_entry:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: 'cn=root,{{ldap_root}}'
    bind_pw: '{{ldap_rootpw}}'
    dn: 'cn={{item.cn}},ou=Groups,{{ldap_root}}'
    objectClass: [top, posixGroup]
    attributes:
      gidNumber: '{{item.gidNumber}}'
  with_items: '{{ldap_system_groups}}'
# Add memberUid values to the posixGroups created above, one
# (group, member) pair per entry of ldap_system_group_members.
# state=present only adds: members already in the directory but missing
# from the variable are left in place (use state=exact to make the list
# authoritative).
- name: declare existing groups’ members
  ldap_attr:
    server_uri: ldapi://%2Frun%2Fshared_sockets%2Fldapi/
    bind_dn: 'cn=root,{{ldap_root}}'
    bind_pw: '{{ldap_rootpw}}'
    dn: 'cn={{item.group}},ou=Groups,{{ldap_root}}'
    name: memberuid
    values: '{{item.member}}'
    state: present
  with_items: '{{ldap_system_group_members}}'
### LOCAL COMMIT ⇒ ###
# Hand the finished /etc state to etckeeper.inc (local.yml) so the edits
# made by this file are committed as one local change set.
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: OpenLDAP daemon
### ⇐ LOCAL COMMIT ###

# Run any restart still pending so slapd is up with its final
# configuration before the play moves on.
- meta: flush_handlers