ldap: fix edge cases where passwords were not set/get properly

CHANGELOG.md

@@ -26,6 +26,8 @@ The **patch** part changes incrementally at each release.
 
 ### Fixed
 
+* ldap: fix edge cases where passwords were not set/get properly
+
 ### Removed
 
 ### Security

ldap/defaults/main.yml

@@ -1,5 +1,10 @@
 ---
-ldap_hostname: "{{ ansible_hostname }}"
+
 ldap_listen: "ldap://127.0.0.1:389/"
+
+ldap_hostname: "{{ ansible_hostname }}"
 ldap_domain: "{{ ansible_domain }}"
 ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}"
+
+ldap_admin_password: ""
+ldap_nagios_password: ""

ldap/tasks/init.yml

@@ -0,0 +1,32 @@
+---
+
+- name: upload ldap initial config
+  template:
+    src: config_ldapvi.j2
+    dest: /root/evolinux_ldap_config.ldapvi
+    mode: "0640"
+
+- name: upload ldap initial entries
+  template:
+    src: first-entries.ldif.j2
+    dest: /root/evolinux_ldap_first-entries.ldif
+    mode: "0640"
+
+- name: inject config
+  command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
+  environment:
+    TERM: xterm
+
+- name: inject first entries
+  command: slapadd -l /root/evolinux_ldap_first-entries.ldif
+
+- name: upload custom schema
+  copy:
+    src: "{{ ldap_schema }}"
+    dest: "/root/{{ ldap_schema }}"
+    mode: "0640"
+  when: ldap_schema is defined
+
+- name: inject custom schema
+  command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}"
+  when: ldap_schema is defined

ldap/tasks/ldapvirc.yml

@@ -0,0 +1,62 @@
+---
+
+- name: "Is /root/.ldapvirc present ?"
+  stat:
+    path: /root/.ldapvirc
+  check_mode: no
+  register: root_ldapvirc_path
+
+- name: Warning when ldapvirc file is present and ldap_admin_password is given
+  debug:
+    msg: "WARNING: an LDAP admin password is given, but an ldapvirc file already exists. It will not be updated."
+  when: 
+    - ldap_admin_password != ""
+    - root_ldapvirc_path.stat.exists
+
+# Generate ldap password if none is given and ldapvirc is absent
+- name: apg package is installed
+  apt:
+    name: apg
+    state: present
+  when: not root_ldapvirc_path.stat.exists
+
+- name: create a password for cn=admin
+  command: "apg -n 1 -m 16 -M lcN"
+  register: new_ldap_admin_password
+  changed_when: False
+  when:
+    - ldap_admin_password == ""
+    - not root_ldapvirc_path.stat.exists
+
+# Use the generated password or the one found in the file 
+- name: overwrite ldap_admin_password
+  set_fact:
+    ldap_admin_password: "{{ new_ldap_admin_password.stdout }}"
+  when:
+    - ldap_admin_password == ""
+    - not root_ldapvirc_path.stat.exists
+
+- name: hash password for cn=admin
+  command: "slappasswd -s {{ ldap_admin_password }}"
+  register: ldap_admin_password_ssha
+  changed_when: False
+  when: not root_ldapvirc_path.stat.exists
+
+- name: create ldapvirc config
+  template:
+    src: ldapvirc.j2
+    dest: /root/.ldapvirc
+    mode: "0640"
+  when: not root_ldapvirc_path.stat.exists
+
+# Read ldap password when none is given and ldapvirc is present
+- name: read ldap admin password from ldapvirc file
+  shell: "grep -E '^password: .+$' /root/.ldapvirc | awk '{print $2}'"
+  changed_when: False
+  check_mode: no
+  register: new_ldap_admin_password
+
+# Use the password found in the file 
+- name: overwrite ldap_admin_password
+  set_fact:
+    ldap_admin_password: "{{ new_ldap_admin_password.stdout }}"

ldap/tasks/main.yml

@@ -6,103 +6,21 @@
       - ldapvi
       - shelldap
     state: present
+    update_cache: yes
 
-- name: change sldap listen ip:port
+- name: change slapd listen ip:port
   lineinfile:
     dest: /etc/default/slapd
     regexp: 'SLAPD_SERVICES=.*'
     line: "SLAPD_SERVICES=\"{{ ldap_listen }}\""
   notify: restart slapd
 
-- name: "Is /root/.ldapvirc present ?"
-  stat:
-    path: /root/.ldapvirc
-  check_mode: no
-  register: root_ldapvirc_path
+- name: ldapvirc file
+  include: ldapvirc.yml
 
-- name: apg package is installed
-  apt:
-    name: apg
-    state: present
-  when: not root_ldapvirc_path.stat.exists
+- name: nagios config file for LDAP
+  include: nagios.yml
 
-- name: create a password for cn=admin
-  command: "apg -n 1 -m 16 -M lcN"
-  register: ldap_admin_password
-  changed_when: False
-  when: not root_ldapvirc_path.stat.exists
-
-- name: create a password for cn=nagios
-  command: "apg -n 1 -m 16 -M lcN"
-  register: ldap_nagios_password
-  changed_when: False
-  when: not root_ldapvirc_path.stat.exists
-
-- name: hash password for cn=admin
-  command: "slappasswd -s {{ ldap_admin_password.stdout }}"
-  register: ldap_admin_password_ssha
-  changed_when: False
-  when: not root_ldapvirc_path.stat.exists
-
-- name: hash password for cn=nagios
-  command: "slappasswd -s {{ ldap_nagios_password.stdout }}"
-  register: ldap_nagios_password_ssha
-  changed_when: False
-  when: not root_ldapvirc_path.stat.exists
-
-- name: create ldapvirc config
-  template:
-    src: ldapvirc.j2
-    dest: /root/.ldapvirc
-    mode: "0640"
-  when: not root_ldapvirc_path.stat.exists
-
-- name: set params for NRPE check
-  ini_file:
-    dest: /etc/nagios/monitoring-plugins.ini
-    owner: root
-    group: nagios
-    section: check_ldap
-    option: "{{ item.option }}"
-    value: "{{ item.value }}"
-    mode: 0640
-  with_items:
-    - { option: 'hostname', value: '127.0.0.1' }
-    - { option: 'base', value: "{{ ldap_suffix }}" }
-    - { option: 'bind', value: "cn=nagios,ou=ldapusers,{{ ldap_suffix }}" }
-    - { option: 'pass', value: "{{ ldap_nagios_password.stdout }}" }
-
-- name: upload ldap initial config
-  template:
-    src: config_ldapvi.j2
-    dest: /root/evolinux_ldap_config.ldapvi
-    mode: "0640"
-  when: not root_ldapvirc_path.stat.exists
-
-- name: upload ldap initial entries
-  template:
-    src: first-entries.ldif.j2
-    dest: /root/evolinux_ldap_first-entries.ldif
-    mode: "0640"
-  when: not root_ldapvirc_path.stat.exists
-
-- name: inject config
-  command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
-  environment:
-    TERM: xterm
-  when: not root_ldapvirc_path.stat.exists
-
-- name: inject first entries
-  command: slapadd -l /root/evolinux_ldap_first-entries.ldif
-  when: not root_ldapvirc_path.stat.exists
-
-- name: upload custom schema
-  copy:
-    src: "{{ ldap_schema }}"
-    dest: "/root/{{ ldap_schema }}"
-    mode: "0640"
-  when: not root_ldapvirc_path.stat.exists and ldap_schema is defined
-
-- name: inject custom schema
-  command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}"
-  when: not root_ldapvirc_path.stat.exists and ldap_schema is defined
+- name: initialize database
+  include: init.yml
+  when: not root_ldapvirc_path.stat.exists

ldap/tasks/nagios.yml

@@ -0,0 +1,74 @@
+---
+
+- name: "Is /etc/nagios/monitoring-plugins.ini present ?"
+  stat:
+    path: /etc/nagios/monitoring-plugins.ini
+  check_mode: no
+  register: nagios_monitoring_plugins_path
+
+- name: Warning when nagios config is present and ldap_nagios_password is given
+  debug:
+    msg: "WARNING: an LDAP nagios password is given, but a nagios config already exists. It will not be updated."
+  when:
+    - ldap_nagios_password != ""
+    - nagios_monitoring_plugins_path.stat.exists
+
+# Generate ldap password if none is given and nagios config is absent
+- name: apg package is installed
+  apt:
+    name: apg
+    state: present
+  when:
+    - ldap_nagios_password == ""
+    - not nagios_monitoring_plugins_path.stat.exists
+
+- name: create a password for cn=admin
+  command: "apg -n 1 -m 16 -M lcN"
+  register: new_ldap_nagios_password
+  changed_when: False
+  when:
+    - ldap_nagios_password == ""
+    - not nagios_monitoring_plugins_path.stat.exists
+
+# Use the generated password or the one found in the file 
+- name: overwrite ldap_nagios_password (from apg)
+  set_fact:
+    ldap_nagios_password: "{{ new_ldap_nagios_password.stdout }}"
+  when:
+    - ldap_nagios_password == ""
+    - not nagios_monitoring_plugins_path.stat.exists
+
+- name: set params for NRPE check
+  ini_file:
+    dest: /etc/nagios/monitoring-plugins.ini
+    owner: root
+    group: nagios
+    section: check_ldap
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+    mode: "0640"
+  with_items:
+    - { option: 'hostname', value: '127.0.0.1' }
+    - { option: 'base', value: "{{ ldap_suffix }}" }
+    - { option: 'bind', value: "cn=nagios,ou=ldapusers,{{ ldap_suffix }}" }
+    - { option: 'pass', value: "{{ ldap_nagios_password }}" }
+  when: not nagios_monitoring_plugins_path.stat.exists
+
+# Read ldap password when none is given and nagios config is present
+# We can't parse a remote file, so we have to fetch it first
+- name: Fetch /etc/nagios/monitoring-plugins.ini
+  fetch:
+    src: /etc/nagios/monitoring-plugins.ini
+    dest: /tmp/{{ inventory_hostname }}/
+    flat: yes
+
+# Then web can parse it with the 'ini' lookup
+# and set the variable
+- name: overwrite ldap_nagios_password (from file)
+  set_fact:
+    ldap_nagios_password: "{{ lookup('ini', 'pass section=check_ldap file=/tmp/{{ inventory_hostname }}/etc/nagios/monitoring-plugins.ini') }}"
+
+- name: hash password for cn=nagios
+  command: "slappasswd -s {{ ldap_nagios_password }}"
+  register: ldap_nagios_password_ssha
+  changed_when: False

ldap/templates/ldapvirc.j2

@@ -3,4 +3,4 @@ host: ldap://127.0.0.1
 base: {{ ldap_suffix }}
 user: cn=admin,{{ ldap_suffix }}
 bind: simple
-password: {{ ldap_admin_password.stdout }}
+password: {{ ldap_admin_password }}