ldap: fix edge cases where passwords were not set/get properly
continuous-integration/drone/push Build is passing Details

This commit is contained in:
Jérémy Lecour 2021-05-02 23:28:09 +02:00 committed by Jérémy Lecour
parent 43c726e86a
commit 6eaeb90f6e
7 changed files with 186 additions and 93 deletions

View File

@ -26,6 +26,8 @@ The **patch** part changes incrementally at each release.
### Fixed
* ldap: fix edge cases where passwords were not set/get properly
### Removed
### Security

View File

@ -1,5 +1,10 @@
---
ldap_hostname: "{{ ansible_hostname }}"
ldap_listen: "ldap://127.0.0.1:389/"
ldap_hostname: "{{ ansible_hostname }}"
ldap_domain: "{{ ansible_domain }}"
ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"
ldap_admin_password: ""
ldap_nagios_password: ""

32
ldap/tasks/init.yml Normal file
View File

@ -0,0 +1,32 @@
---
- name: upload ldap initial config
template:
src: config_ldapvi.j2
dest: /root/evolinux_ldap_config.ldapvi
mode: "0640"
- name: upload ldap initial entries
template:
src: first-entries.ldif.j2
dest: /root/evolinux_ldap_first-entries.ldif
mode: "0640"
- name: inject config
command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
environment:
TERM: xterm
- name: inject first entries
command: slapadd -l /root/evolinux_ldap_first-entries.ldif
- name: upload custom schema
copy:
src: "{{ ldap_schema }}"
dest: "/root/{{ ldap_schema }}"
mode: "0640"
when: ldap_schema is defined
- name: inject custom schema
command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}"
when: ldap_schema is defined

62
ldap/tasks/ldapvirc.yml Normal file
View File

@ -0,0 +1,62 @@
---
- name: "Is /root/.ldapvirc present ?"
stat:
path: /root/.ldapvirc
check_mode: no
register: root_ldapvirc_path
- name: Warning when ldapvirc file is present and ldap_admin_password is given
debug:
msg: "WARNING: an LDAP admin password is given, but an ldapvirc file already exists. It will not be updated."
when:
- ldap_admin_password != ""
- root_ldapvirc_path.stat.exists
# Generate ldap password if none is given and ldapvirc is absent
- name: apg package is installed
apt:
name: apg
state: present
when: not root_ldapvirc_path.stat.exists
- name: create a password for cn=admin
command: "apg -n 1 -m 16 -M lcN"
register: new_ldap_admin_password
changed_when: False
when:
- ldap_admin_password == ""
- not root_ldapvirc_path.stat.exists
# Use the generated password or the one found in the file
- name: overwrite ldap_admin_password
set_fact:
ldap_admin_password: "{{ new_ldap_admin_password.stdout }}"
when:
- ldap_admin_password == ""
- not root_ldapvirc_path.stat.exists
- name: hash password for cn=admin
command: "slappasswd -s {{ ldap_admin_password }}"
register: ldap_admin_password_ssha
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: create ldapvirc config
template:
src: ldapvirc.j2
dest: /root/.ldapvirc
mode: "0640"
when: not root_ldapvirc_path.stat.exists
# Read ldap password when none is given and ldapvirc is present
- name: read ldap admin password from ldapvirc file
shell: "grep -E '^password: .+$' /root/.ldapvirc | awk '{print $2}'"
changed_when: False
check_mode: no
register: new_ldap_admin_password
# Use the password found in the file
- name: overwrite ldap_admin_password
set_fact:
ldap_admin_password: "{{ new_ldap_admin_password.stdout }}"

View File

@ -6,103 +6,21 @@
- ldapvi
- shelldap
state: present
update_cache: yes
- name: change sldap listen ip:port
- name: change slapd listen ip:port
lineinfile:
dest: /etc/default/slapd
regexp: 'SLAPD_SERVICES=.*'
line: "SLAPD_SERVICES=\"{{ ldap_listen }}\""
notify: restart slapd
- name: "Is /root/.ldapvirc present ?"
stat:
path: /root/.ldapvirc
check_mode: no
register: root_ldapvirc_path
- name: ldapvirc file
include: ldapvirc.yml
- name: apg package is installed
apt:
name: apg
state: present
when: not root_ldapvirc_path.stat.exists
- name: nagios config file for LDAP
include: nagios.yml
- name: create a password for cn=admin
command: "apg -n 1 -m 16 -M lcN"
register: ldap_admin_password
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: create a password for cn=nagios
command: "apg -n 1 -m 16 -M lcN"
register: ldap_nagios_password
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: hash password for cn=admin
command: "slappasswd -s {{ ldap_admin_password.stdout }}"
register: ldap_admin_password_ssha
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: hash password for cn=nagios
command: "slappasswd -s {{ ldap_nagios_password.stdout }}"
register: ldap_nagios_password_ssha
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: create ldapvirc config
template:
src: ldapvirc.j2
dest: /root/.ldapvirc
mode: "0640"
when: not root_ldapvirc_path.stat.exists
- name: set params for NRPE check
ini_file:
dest: /etc/nagios/monitoring-plugins.ini
owner: root
group: nagios
section: check_ldap
option: "{{ item.option }}"
value: "{{ item.value }}"
mode: 0640
with_items:
- { option: 'hostname', value: '127.0.0.1' }
- { option: 'base', value: "{{ ldap_suffix }}" }
- { option: 'bind', value: "cn=nagios,ou=ldapusers,{{ ldap_suffix }}" }
- { option: 'pass', value: "{{ ldap_nagios_password.stdout }}" }
- name: upload ldap initial config
template:
src: config_ldapvi.j2
dest: /root/evolinux_ldap_config.ldapvi
mode: "0640"
when: not root_ldapvirc_path.stat.exists
- name: upload ldap initial entries
template:
src: first-entries.ldif.j2
dest: /root/evolinux_ldap_first-entries.ldif
mode: "0640"
when: not root_ldapvirc_path.stat.exists
- name: inject config
command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
environment:
TERM: xterm
when: not root_ldapvirc_path.stat.exists
- name: inject first entries
command: slapadd -l /root/evolinux_ldap_first-entries.ldif
when: not root_ldapvirc_path.stat.exists
- name: upload custom schema
copy:
src: "{{ ldap_schema }}"
dest: "/root/{{ ldap_schema }}"
mode: "0640"
when: not root_ldapvirc_path.stat.exists and ldap_schema is defined
- name: inject custom schema
command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}"
when: not root_ldapvirc_path.stat.exists and ldap_schema is defined
- name: initialize database
include: init.yml
when: not root_ldapvirc_path.stat.exists

74
ldap/tasks/nagios.yml Normal file
View File

@ -0,0 +1,74 @@
---
- name: "Is /etc/nagios/monitoring-plugins.ini present ?"
stat:
path: /etc/nagios/monitoring-plugins.ini
check_mode: no
register: nagios_monitoring_plugins_path
- name: Warning when nagios config is present and ldap_nagios_password is given
debug:
msg: "WARNING: an LDAP nagios password is given, but a nagios config already exists. It will not be updated."
when:
- ldap_nagios_password != ""
- nagios_monitoring_plugins_path.stat.exists
# Generate ldap password if none is given and nagios config is absent
- name: apg package is installed
apt:
name: apg
state: present
when:
- ldap_nagios_password == ""
- not nagios_monitoring_plugins_path.stat.exists
- name: create a password for cn=admin
command: "apg -n 1 -m 16 -M lcN"
register: new_ldap_nagios_password
changed_when: False
when:
- ldap_nagios_password == ""
- not nagios_monitoring_plugins_path.stat.exists
# Use the generated password or the one found in the file
- name: overwrite ldap_nagios_password (from apg)
set_fact:
ldap_nagios_password: "{{ new_ldap_nagios_password.stdout }}"
when:
- ldap_nagios_password == ""
- not nagios_monitoring_plugins_path.stat.exists
- name: set params for NRPE check
ini_file:
dest: /etc/nagios/monitoring-plugins.ini
owner: root
group: nagios
section: check_ldap
option: "{{ item.option }}"
value: "{{ item.value }}"
mode: "0640"
with_items:
- { option: 'hostname', value: '127.0.0.1' }
- { option: 'base', value: "{{ ldap_suffix }}" }
- { option: 'bind', value: "cn=nagios,ou=ldapusers,{{ ldap_suffix }}" }
- { option: 'pass', value: "{{ ldap_nagios_password }}" }
when: not nagios_monitoring_plugins_path.stat.exists
# Read ldap password when none is given and nagios config is present
# We can't parse a remote file, so we have to fetch it first
- name: Fetch /etc/nagios/monitoring-plugins.ini
fetch:
src: /etc/nagios/monitoring-plugins.ini
dest: /tmp/{{ inventory_hostname }}/
flat: yes
# Then web can parse it with the 'ini' lookup
# and set the variable
- name: overwrite ldap_nagios_password (from file)
set_fact:
ldap_nagios_password: "{{ lookup('ini', 'pass section=check_ldap file=/tmp/{{ inventory_hostname }}/etc/nagios/monitoring-plugins.ini') }}"
- name: hash password for cn=nagios
command: "slappasswd -s {{ ldap_nagios_password }}"
register: ldap_nagios_password_ssha
changed_when: False

View File

@ -3,4 +3,4 @@ host: ldap://127.0.0.1
base: {{ ldap_suffix }}
user: cn=admin,{{ ldap_suffix }}
bind: simple
password: {{ ldap_admin_password.stdout }}
password: {{ ldap_admin_password }}