ldap: fix edge cases where passwords were not set/get properly
This commit is contained in:
parent
43c726e86a
commit
6eaeb90f6e
|
@ -26,6 +26,8 @@ The **patch** part changes incrementally at each release.
|
|||
|
||||
### Fixed
|
||||
|
||||
* ldap: fix edge cases where passwords were not set/get properly
|
||||
|
||||
### Removed
|
||||
|
||||
### Security
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
---
|
||||
ldap_hostname: "{{ ansible_hostname }}"
|
||||
|
||||
ldap_listen: "ldap://127.0.0.1:389/"
|
||||
|
||||
ldap_hostname: "{{ ansible_hostname }}"
|
||||
ldap_domain: "{{ ansible_domain }}"
|
||||
ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"
|
||||
|
||||
ldap_admin_password: ""
|
||||
ldap_nagios_password: ""
|
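Review bot: The two new defaults `ldap_admin_password: ""` and `ldap_nagios_password: ""` carry no comment, and their contract is not obvious from the defaults file alone: an empty value means the role generates a password on first setup or reads back the one already stored on the host, while a non-empty value is silently ignored once /root/.ldapvirc (or /etc/nagios/monitoring-plugins.ini) exists, as the WARNING debug tasks in ldapvirc.yml and nagios.yml show. A comment above each would avoid that surprise, e.g. `# Leave empty to generate a random password on first run (or reuse the one already stored on the host); a value set here is ignored once /root/.ldapvirc exists.` and the equivalent for ldap_nagios_password naming /etc/nagios/monitoring-plugins.ini. It is also worth stating there that whatever is set here is written in clear text to those two files, so the value belongs in a vaulted variable rather than a plain inventory.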
32
ldap/tasks/init.yml
Normal file
32
ldap/tasks/init.yml
Normal file
|
@ -0,0 +1,32 @@
|
|||
---
|
||||
|
||||
- name: upload ldap initial config
|
||||
template:
|
||||
src: config_ldapvi.j2
|
||||
dest: /root/evolinux_ldap_config.ldapvi
|
||||
mode: "0640"
|
||||
|
||||
- name: upload ldap initial entries
|
||||
template:
|
||||
src: first-entries.ldif.j2
|
||||
dest: /root/evolinux_ldap_first-entries.ldif
|
||||
mode: "0640"
|
||||
|
||||
- name: inject config
|
||||
command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
|
||||
environment:
|
||||
TERM: xterm
|
||||
|
||||
- name: inject first entries
|
||||
command: slapadd -l /root/evolinux_ldap_first-entries.ldif
|
||||
|
||||
- name: upload custom schema
|
||||
copy:
|
||||
src: "{{ ldap_schema }}"
|
||||
dest: "/root/{{ ldap_schema }}"
|
||||
mode: "0640"
|
||||
when: ldap_schema is defined
|
||||
|
||||
- name: inject custom schema
|
||||
command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}"
|
||||
when: ldap_schema is defined
|
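Review bot: Nothing in this new file records that its tasks are only meant for a fresh host; the per-task `when: not root_ldapvirc_path.stat.exists` guards that these tasks had in main.yml are gone, and the file now depends entirely on the `when` attached to the `include` in main.yml. A header comment after `---` would make that precondition explicit, e.g. `# First-time initialisation only: main.yml includes this file with "when: not root_ldapvirc_path.stat.exists"; the slapadd below fails or duplicates entries on an already populated directory.` The `inject first entries` task also runs `slapadd` while slapd is presumably still running (nothing in the hunk stops it), which slapadd(8) advises against because it writes to the database files directly; if that is considered safe here because the directory is still empty at this point, a comment saying so would help the next reader.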
62
ldap/tasks/ldapvirc.yml
Normal file
62
ldap/tasks/ldapvirc.yml
Normal file
|
@ -0,0 +1,62 @@
|
|||
---
|
||||
|
||||
- name: "Is /root/.ldapvirc present ?"
|
||||
stat:
|
||||
path: /root/.ldapvirc
|
||||
check_mode: no
|
||||
register: root_ldapvirc_path
|
||||
|
||||
- name: Warning when ldapvirc file is present and ldap_admin_password is given
|
||||
debug:
|
||||
msg: "WARNING: an LDAP admin password is given, but an ldapvirc file already exists. It will not be updated."
|
||||
when:
|
||||
- ldap_admin_password != ""
|
||||
- root_ldapvirc_path.stat.exists
|
||||
|
||||
# Generate ldap password if none is given and ldapvirc is absent
|
||||
- name: apg package is installed
|
||||
apt:
|
||||
name: apg
|
||||
state: present
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: create a password for cn=admin
|
||||
command: "apg -n 1 -m 16 -M lcN"
|
||||
register: new_ldap_admin_password
|
||||
changed_when: False
|
||||
when:
|
||||
- ldap_admin_password == ""
|
||||
- not root_ldapvirc_path.stat.exists
|
||||
|
||||
# Use the generated password or the one found in the file
|
||||
- name: overwrite ldap_admin_password
|
||||
set_fact:
|
||||
ldap_admin_password: "{{ new_ldap_admin_password.stdout }}"
|
||||
when:
|
||||
- ldap_admin_password == ""
|
||||
- not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: hash password for cn=admin
|
||||
command: "slappasswd -s {{ ldap_admin_password }}"
|
||||
register: ldap_admin_password_ssha
|
||||
changed_when: False
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: create ldapvirc config
|
||||
template:
|
||||
src: ldapvirc.j2
|
||||
dest: /root/.ldapvirc
|
||||
mode: "0640"
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
# Read ldap password when none is given and ldapvirc is present
|
||||
- name: read ldap admin password from ldapvirc file
|
||||
shell: "grep -E '^password: .+$' /root/.ldapvirc | awk '{print $2}'"
|
||||
changed_when: False
|
||||
check_mode: no
|
||||
register: new_ldap_admin_password
|
||||
|
||||
# Use the password found in the file
|
||||
- name: overwrite ldap_admin_password
|
||||
set_fact:
|
||||
ldap_admin_password: "{{ new_ldap_admin_password.stdout }}"
|
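Review bot: The tasks that generate, hash and read back the admin password (`create a password for cn=admin`, `hash password for cn=admin`, `read ldap admin password from ldapvirc file` and both `overwrite ldap_admin_password` set_fact tasks) have no `no_log: true`, so the clear-text password ends up in the Ansible output whenever the play runs with -v or with a callback that prints registered results; adding `no_log: true` to each is a one-line change. Separately, `slappasswd -s {{ ldap_admin_password }}` puts the secret on the command line, where it is visible in the process list to every local user for the duration of the call; `slappasswd -T <file>` reading from a root-only temporary file avoids that. Finally, the grep/awk read-back keeps only the second whitespace-separated field and the `command` module splits its arguments on whitespace, so a user-supplied password containing a space is silently truncated in both places; either document that restriction on the variable or quote the value on both sides.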
|
@ -6,103 +6,21 @@
|
|||
- ldapvi
|
||||
- shelldap
|
||||
state: present
|
||||
update_cache: yes
|
||||
|
||||
- name: change sldap listen ip:port
|
||||
- name: change slapd listen ip:port
|
||||
lineinfile:
|
||||
dest: /etc/default/slapd
|
||||
regexp: 'SLAPD_SERVICES=.*'
|
||||
line: "SLAPD_SERVICES=\"{{ ldap_listen }}\""
|
||||
notify: restart slapd
|
||||
|
||||
- name: "Is /root/.ldapvirc present ?"
|
||||
stat:
|
||||
path: /root/.ldapvirc
|
||||
check_mode: no
|
||||
register: root_ldapvirc_path
|
||||
- name: ldapvirc file
|
||||
include: ldapvirc.yml
|
||||
|
||||
- name: apg package is installed
|
||||
apt:
|
||||
name: apg
|
||||
state: present
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
- name: nagios config file for LDAP
|
||||
include: nagios.yml
|
||||
|
||||
- name: create a password for cn=admin
|
||||
command: "apg -n 1 -m 16 -M lcN"
|
||||
register: ldap_admin_password
|
||||
changed_when: False
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: create a password for cn=nagios
|
||||
command: "apg -n 1 -m 16 -M lcN"
|
||||
register: ldap_nagios_password
|
||||
changed_when: False
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: hash password for cn=admin
|
||||
command: "slappasswd -s {{ ldap_admin_password.stdout }}"
|
||||
register: ldap_admin_password_ssha
|
||||
changed_when: False
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: hash password for cn=nagios
|
||||
command: "slappasswd -s {{ ldap_nagios_password.stdout }}"
|
||||
register: ldap_nagios_password_ssha
|
||||
changed_when: False
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: create ldapvirc config
|
||||
template:
|
||||
src: ldapvirc.j2
|
||||
dest: /root/.ldapvirc
|
||||
mode: "0640"
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: set params for NRPE check
|
||||
ini_file:
|
||||
dest: /etc/nagios/monitoring-plugins.ini
|
||||
owner: root
|
||||
group: nagios
|
||||
section: check_ldap
|
||||
option: "{{ item.option }}"
|
||||
value: "{{ item.value }}"
|
||||
mode: 0640
|
||||
with_items:
|
||||
- { option: 'hostname', value: '127.0.0.1' }
|
||||
- { option: 'base', value: "{{ ldap_suffix }}" }
|
||||
- { option: 'bind', value: "cn=nagios,ou=ldapusers,{{ ldap_suffix }}" }
|
||||
- { option: 'pass', value: "{{ ldap_nagios_password.stdout }}" }
|
||||
|
||||
- name: upload ldap initial config
|
||||
template:
|
||||
src: config_ldapvi.j2
|
||||
dest: /root/evolinux_ldap_config.ldapvi
|
||||
mode: "0640"
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: upload ldap initial entries
|
||||
template:
|
||||
src: first-entries.ldif.j2
|
||||
dest: /root/evolinux_ldap_first-entries.ldif
|
||||
mode: "0640"
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: inject config
|
||||
command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
|
||||
environment:
|
||||
TERM: xterm
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: inject first entries
|
||||
command: slapadd -l /root/evolinux_ldap_first-entries.ldif
|
||||
when: not root_ldapvirc_path.stat.exists
|
||||
|
||||
- name: upload custom schema
|
||||
copy:
|
||||
src: "{{ ldap_schema }}"
|
||||
dest: "/root/{{ ldap_schema }}"
|
||||
mode: "0640"
|
||||
when: not root_ldapvirc_path.stat.exists and ldap_schema is defined
|
||||
|
||||
- name: inject custom schema
|
||||
command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}"
|
||||
when: not root_ldapvirc_path.stat.exists and ldap_schema is defined
|
||||
- name: initialize database
|
||||
include: init.yml
|
||||
when: not root_ldapvirc_path.stat.exists
|
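Review bot: The three new `include:` tasks (ending with `initialize database`) use the form that is deprecated from Ansible 2.4 onwards; the minimum Ansible version the role targets is not visible in this hunk, so this only matters if that floor is 2.4 or later. If it is, `import_tasks` is the drop-in replacement that keeps the static behaviour the hunk relies on: the `when` on `initialize database` being applied to every task in init.yml, and the `root_ldapvirc_path` fact registered inside ldapvirc.yml being available to the later include. Whichever keyword is kept, a short comment on the `initialize database` task, e.g. `# guard applies to every task in init.yml`, would make the intent clear to readers who assume the condition only gates the include itself.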
74
ldap/tasks/nagios.yml
Normal file
74
ldap/tasks/nagios.yml
Normal file
|
@ -0,0 +1,74 @@
|
|||
---
|
||||
|
||||
- name: "Is /etc/nagios/monitoring-plugins.ini present ?"
|
||||
stat:
|
||||
path: /etc/nagios/monitoring-plugins.ini
|
||||
check_mode: no
|
||||
register: nagios_monitoring_plugins_path
|
||||
|
||||
- name: Warning when nagios config is present and ldap_nagios_password is given
|
||||
debug:
|
||||
msg: "WARNING: an LDAP nagios password is given, but a nagios config already exists. It will not be updated."
|
||||
when:
|
||||
- ldap_nagios_password != ""
|
||||
- nagios_monitoring_plugins_path.stat.exists
|
||||
|
||||
# Generate ldap password if none is given and nagios config is absent
|
||||
- name: apg package is installed
|
||||
apt:
|
||||
name: apg
|
||||
state: present
|
||||
when:
|
||||
- ldap_nagios_password == ""
|
||||
- not nagios_monitoring_plugins_path.stat.exists
|
||||
|
||||
- name: create a password for cn=admin
|
||||
command: "apg -n 1 -m 16 -M lcN"
|
||||
register: new_ldap_nagios_password
|
||||
changed_when: False
|
||||
when:
|
||||
- ldap_nagios_password == ""
|
||||
- not nagios_monitoring_plugins_path.stat.exists
|
||||
|
||||
# Use the generated password or the one found in the file
|
||||
- name: overwrite ldap_nagios_password (from apg)
|
||||
set_fact:
|
||||
ldap_nagios_password: "{{ new_ldap_nagios_password.stdout }}"
|
||||
when:
|
||||
- ldap_nagios_password == ""
|
||||
- not nagios_monitoring_plugins_path.stat.exists
|
||||
|
||||
- name: set params for NRPE check
|
||||
ini_file:
|
||||
dest: /etc/nagios/monitoring-plugins.ini
|
||||
owner: root
|
||||
group: nagios
|
||||
section: check_ldap
|
||||
option: "{{ item.option }}"
|
||||
value: "{{ item.value }}"
|
||||
mode: "0640"
|
||||
with_items:
|
||||
- { option: 'hostname', value: '127.0.0.1' }
|
||||
- { option: 'base', value: "{{ ldap_suffix }}" }
|
||||
- { option: 'bind', value: "cn=nagios,ou=ldapusers,{{ ldap_suffix }}" }
|
||||
- { option: 'pass', value: "{{ ldap_nagios_password }}" }
|
||||
when: not nagios_monitoring_plugins_path.stat.exists
|
||||
|
||||
# Read ldap password when none is given and nagios config is present
|
||||
# We can't parse a remote file, so we have to fetch it first
|
||||
- name: Fetch /etc/nagios/monitoring-plugins.ini
|
||||
fetch:
|
||||
src: /etc/nagios/monitoring-plugins.ini
|
||||
dest: /tmp/{{ inventory_hostname }}/
|
||||
flat: yes
|
||||
|
||||
# Then web can parse it with the 'ini' lookup
|
||||
# and set the variable
|
||||
- name: overwrite ldap_nagios_password (from file)
|
||||
set_fact:
|
||||
ldap_nagios_password: "{{ lookup('ini', 'pass section=check_ldap file=/tmp/{{ inventory_hostname }}/etc/nagios/monitoring-plugins.ini') }}"
|
||||
|
||||
- name: hash password for cn=nagios
|
||||
command: "slappasswd -s {{ ldap_nagios_password }}"
|
||||
register: ldap_nagios_password_ssha
|
||||
changed_when: False
|
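Review bot: The fetch/lookup pair used to read the password back looks inconsistent: with `flat: yes` and a `dest` ending in `/`, fetch saves the file as `/tmp/{{ inventory_hostname }}/monitoring-plugins.ini`, while the `ini` lookup reads `/tmp/{{ inventory_hostname }}/etc/nagios/monitoring-plugins.ini`, so unless I misread fetch's flat semantics the lookup finds nothing and `ldap_nagios_password` becomes an empty string; the nested `{{ inventory_hostname }}` inside the Jinja string literal is also not expanded and would need `~` concatenation. Beyond the path, copying the file to the controller's /tmp leaves the nagios bind password in a world-readable directory that nothing cleans up; reading it with `slurp` and parsing the decoded content in memory, as sketched below, removes the local copy entirely, and every task handling the password (the apg task, both set_fact tasks, `hash password for cn=nagios`) should carry `no_log: true`. Lastly the generation task is named `create a password for cn=admin` but registers `new_ldap_nagios_password`; rename it to `create a password for cn=nagios`.
```yaml
# … unchanged: stat, warning, apg and ini_file tasks …

# Read the password back from the remote file without copying it to the controller
- name: Read /etc/nagios/monitoring-plugins.ini
  slurp:
    src: /etc/nagios/monitoring-plugins.ini
  register: nagios_monitoring_plugins_content
  no_log: true

- name: overwrite ldap_nagios_password (from file)
  set_fact:
    ldap_nagios_password: '{{ (nagios_monitoring_plugins_content.content | b64decode) | regex_search("^pass\\s*=\\s*(.+)$", "\\1", multiline=True) | first }}'
  no_log: true

# … unchanged: hash password for cn=nagios (add no_log: true) …
```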
|
@ -3,4 +3,4 @@ host: ldap://127.0.0.1
|
|||
base: {{ ldap_suffix }}
|
||||
user: cn=admin,{{ ldap_suffix }}
|
||||
bind: simple
|
||||
password: {{ ldap_admin_password.stdout }}
|
||||
password: {{ ldap_admin_password }}
|
||||
|
|