From 6eaeb90f6e6d50f6c336ba24246662054fa6c9ae Mon Sep 17 00:00:00 2001 From: Jeremy Lecour Date: Sun, 2 May 2021 23:28:09 +0200 Subject: [PATCH] ldap: fix edge cases where passwords were not set/get properly --- CHANGELOG.md | 2 + ldap/defaults/main.yml | 7 ++- ldap/tasks/init.yml | 32 ++++++++++++ ldap/tasks/ldapvirc.yml | 62 +++++++++++++++++++++++ ldap/tasks/main.yml | 100 ++++--------------------------------- ldap/tasks/nagios.yml | 74 +++++++++++++++++++++++++++ ldap/templates/ldapvirc.j2 | 2 +- 7 files changed, 186 insertions(+), 93 deletions(-) create mode 100644 ldap/tasks/init.yml create mode 100644 ldap/tasks/ldapvirc.yml create mode 100644 ldap/tasks/nagios.yml diff --git a/CHANGELOG.md b/CHANGELOG.md index 79a38b83..7aed1413 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -26,6 +26,8 @@ The **patch** part changes incrementally at each release. ### Fixed +* ldap: fix edge cases where passwords were not set/get properly + ### Removed ### Security diff --git a/ldap/defaults/main.yml b/ldap/defaults/main.yml index 450c7a6c..29c51244 100644 --- a/ldap/defaults/main.yml +++ b/ldap/defaults/main.yml @@ -1,5 +1,10 @@ --- -ldap_hostname: "{{ ansible_hostname }}" + ldap_listen: "ldap://127.0.0.1:389/" + +ldap_hostname: "{{ ansible_hostname }}" ldap_domain: "{{ ansible_domain }}" ldap_suffix: "dc={{ ldap_hostname }},dc={{ ldap_domain.split('.')[-2] }},dc={{ ldap_domain.split('.')[-1] }}" + +ldap_admin_password: "" +ldap_nagios_password: "" \ No newline at end of file diff --git a/ldap/tasks/init.yml b/ldap/tasks/init.yml new file mode 100644 index 00000000..16be0842 --- /dev/null +++ b/ldap/tasks/init.yml 
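Review bot: The new `ldap_admin_password: ""` and `ldap_nagios_password: ""` defaults use the empty string as a sentinel whose meaning is only discoverable by reading the task files: when it is empty the role generates a random password on first run, and once /root/.ldapvirc (resp. /etc/nagios/monitoring-plugins.ini) exists the value is read back from that file and any value set here is discarded with a warning. A comment above the two keys would record that contract, e.g. `# Leave empty to generate a password on first run; once the config file exists, its value is read back and any value set here is ignored.` The defaults file now also ends without a trailing newline.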
@@ -0,0 +1,32 @@ +--- + +- name: upload ldap initial config + template: + src: config_ldapvi.j2 + dest: /root/evolinux_ldap_config.ldapvi + mode: "0640" + +- name: upload ldap initial entries + template: + src: first-entries.ldif.j2 + dest: /root/evolinux_ldap_first-entries.ldif + mode: "0640" + +- name: inject config + command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi + environment: + TERM: xterm + +- name: inject first entries + command: slapadd -l /root/evolinux_ldap_first-entries.ldif + +- name: upload custom schema + copy: + src: "{{ ldap_schema }}" + dest: "/root/{{ ldap_schema }}" + mode: "0640" + when: ldap_schema is defined + +- name: inject custom schema + command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}" + when: ldap_schema is defined \ No newline at end of file diff --git a/ldap/tasks/ldapvirc.yml b/ldap/tasks/ldapvirc.yml new file mode 100644 index 00000000..06f9199d --- /dev/null +++ b/ldap/tasks/ldapvirc.yml 
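Review bot: Nothing in init.yml states that it is a first-run-only file: `inject config` (ldapvi --ldapmodify) and `inject first entries` (slapadd) are not idempotent and are presumably not safe to re-run against an initialised database, yet the only guard is the `when: not root_ldapvirc_path.stat.exists` placed on the include in main.yml. A header comment under `---` would make the contract explicit for anyone who includes the file elsewhere, e.g. `# First-run only: these tasks are not idempotent. main.yml includes this file under when: not root_ldapvirc_path.stat.exists; keep that guard.` The two command tasks also lack `changed_when`, which is acceptable since they only run on initialisation, but that is worth stating in the same comment.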
@@ -0,0 +1,62 @@ +--- + +- name: "Is /root/.ldapvirc present ?" + stat: + path: /root/.ldapvirc + check_mode: no + register: root_ldapvirc_path + +- name: Warning when ldapvirc file is present and ldap_admin_password is given + debug: + msg: "WARNING: an LDAP admin password is given, but an ldapvirc file already exists. It will not be updated." + when: + - ldap_admin_password != "" + - root_ldapvirc_path.stat.exists + +# Generate ldap password if none is given and ldapvirc is absent +- name: apg package is installed + apt: + name: apg + state: present + when: not root_ldapvirc_path.stat.exists + +- name: create a password for cn=admin + command: "apg -n 1 -m 16 -M lcN" + register: new_ldap_admin_password + changed_when: False + when: + - ldap_admin_password == "" + - not root_ldapvirc_path.stat.exists + +# Use the generated password or the one found in the file +- name: overwrite ldap_admin_password + set_fact: + ldap_admin_password: "{{ new_ldap_admin_password.stdout }}" + when: + - ldap_admin_password == "" + - not root_ldapvirc_path.stat.exists + +- name: hash password for cn=admin + command: "slappasswd -s {{ ldap_admin_password }}" + register: ldap_admin_password_ssha + changed_when: False + when: not root_ldapvirc_path.stat.exists + +- name: create ldapvirc config + template: + src: ldapvirc.j2 + dest: /root/.ldapvirc + mode: "0640" + when: not root_ldapvirc_path.stat.exists + +# Read ldap password when none is given and ldapvirc is present +- name: read ldap admin password from ldapvirc file + shell: "grep -E '^password: .+$' /root/.ldapvirc | awk '{print $2}'" + changed_when: False + check_mode: no + register: new_ldap_admin_password + +# Use the password found in the file +- name: overwrite ldap_admin_password + set_fact: + ldap_admin_password: "{{ new_ldap_admin_password.stdout }}" diff --git a/ldap/tasks/main.yml b/ldap/tasks/main.yml index 8f6fbd67..9bfb6517 100644 --- a/ldap/tasks/main.yml +++ b/ldap/tasks/main.yml 
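Review bot: Every task that handles the admin password in this file — `create a password for cn=admin`, both `overwrite ldap_admin_password` set_facts, `hash password for cn=admin` and `read ldap admin password from ldapvirc file` — runs without `no_log: true`, so the clear-text password is printed in verbose play output and any configured log file (registered results are shown with -v, and the command module echoes `cmd` on failure). Adding `no_log: true` to those five tasks keeps the secret out of the logs; `slappasswd -s {{ ldap_admin_password }}` additionally shows it in the process list while running, and since the value may be user-supplied it should at least be `{{ ldap_admin_password | quote }}` so a password containing whitespace is not split into several arguments by the command module. Separately, `read ldap admin password from ldapvirc file` has `check_mode: no` and no `when`, so in check mode on a host where /root/.ldapvirc does not exist yet (the template task is skipped in check mode) the grep fails and aborts the play, if I am reading the ordering right; `when: root_ldapvirc_path.stat.exists or not ansible_check_mode` would cover that case.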
@@ -6,103 +6,21 @@ - ldapvi - shelldap state: present + update_cache: yes -- name: change sldap listen ip:port +- name: change slapd listen ip:port lineinfile: dest: /etc/default/slapd regexp: 'SLAPD_SERVICES=.*' line: "SLAPD_SERVICES=\"{{ ldap_listen }}\"" notify: restart slapd -- name: "Is /root/.ldapvirc present ?" - stat: - path: /root/.ldapvirc - check_mode: no - register: root_ldapvirc_path +- name: ldapvirc file + include: ldapvirc.yml -- name: apg package is installed - apt: - name: apg - state: present - when: not root_ldapvirc_path.stat.exists +- name: nagios config file for LDAP + include: nagios.yml -- name: create a password for cn=admin - command: "apg -n 1 -m 16 -M lcN" - register: ldap_admin_password - changed_when: False - when: not root_ldapvirc_path.stat.exists - -- name: create a password for cn=nagios - command: "apg -n 1 -m 16 -M lcN" - register: ldap_nagios_password - changed_when: False - when: not root_ldapvirc_path.stat.exists - -- name: hash password for cn=admin - command: "slappasswd -s {{ ldap_admin_password.stdout }}" - register: ldap_admin_password_ssha - changed_when: False - when: not root_ldapvirc_path.stat.exists - -- name: hash password for cn=nagios - command: "slappasswd -s {{ ldap_nagios_password.stdout }}" - register: ldap_nagios_password_ssha - changed_when: False - when: not root_ldapvirc_path.stat.exists - -- name: create ldapvirc config - template: - src: ldapvirc.j2 - dest: /root/.ldapvirc - mode: "0640" - when: not root_ldapvirc_path.stat.exists - -- name: set params for NRPE check - ini_file: - dest: /etc/nagios/monitoring-plugins.ini - owner: root - group: nagios - section: check_ldap - option: "{{ item.option }}" - value: "{{ item.value }}" - mode: 0640 - with_items: - - { option: 'hostname', value: '127.0.0.1' } - - { option: 'base', value: "{{ ldap_suffix }}" } - - { option: 'bind', value: "cn=nagios,ou=ldapusers,{{ ldap_suffix }}" } - - { option: 'pass', value: "{{ ldap_nagios_password.stdout }}" } - -- name: 
upload ldap initial config - template: - src: config_ldapvi.j2 - dest: /root/evolinux_ldap_config.ldapvi - mode: "0640" - when: not root_ldapvirc_path.stat.exists - -- name: upload ldap initial entries - template: - src: first-entries.ldif.j2 - dest: /root/evolinux_ldap_first-entries.ldif - mode: "0640" - when: not root_ldapvirc_path.stat.exists - -- name: inject config - command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi - environment: - TERM: xterm - when: not root_ldapvirc_path.stat.exists - -- name: inject first entries - command: slapadd -l /root/evolinux_ldap_first-entries.ldif - when: not root_ldapvirc_path.stat.exists - -- name: upload custom schema - copy: - src: "{{ ldap_schema }}" - dest: "/root/{{ ldap_schema }}" - mode: "0640" - when: not root_ldapvirc_path.stat.exists and ldap_schema is defined - -- name: inject custom schema - command: "ldapadd -Y EXTERNAL -H ldapi:/// -f /root/{{ ldap_schema }}" - when: not root_ldapvirc_path.stat.exists and ldap_schema is defined +- name: initialize database + include: init.yml + when: not root_ldapvirc_path.stat.exists \ No newline at end of file diff --git a/ldap/tasks/nagios.yml b/ldap/tasks/nagios.yml new file mode 100644 index 00000000..a9cb5751 --- /dev/null +++ b/ldap/tasks/nagios.yml 
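Review bot: The `initialize database` include is guarded by `root_ldapvirc_path.stat.exists`, a fact that is registered inside ldapvirc.yml rather than in this file, so the guard silently depends on the `ldapvirc file` include running first and on that file keeping the same register name; a comment on the include would make the coupling visible, e.g. `# root_ldapvirc_path is registered in ldapvirc.yml (included above); init.yml must stay after it`. `include` itself is deprecated in favour of `import_tasks`/`include_tasks`, and `import_tasks` applies the `when` to every imported task, which is the behaviour the removed per-task guards had. `update_cache: yes` is a truthy value the lint rules flag; `update_cache: true` is the canonical form. The apt task this hunk opens with starts above the hunk.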
@@ -0,0 +1,74 @@ +--- + +- name: "Is /etc/nagios/monitoring-plugins.ini present ?" + stat: + path: /etc/nagios/monitoring-plugins.ini + check_mode: no + register: nagios_monitoring_plugins_path + +- name: Warning when nagios config is present and ldap_nagios_password is given + debug: + msg: "WARNING: an LDAP nagios password is given, but a nagios config already exists. It will not be updated." + when: + - ldap_nagios_password != "" + - nagios_monitoring_plugins_path.stat.exists + +# Generate ldap password if none is given and nagios config is absent +- name: apg package is installed + apt: + name: apg + state: present + when: + - ldap_nagios_password == "" + - not nagios_monitoring_plugins_path.stat.exists + +- name: create a password for cn=admin + command: "apg -n 1 -m 16 -M lcN" + register: new_ldap_nagios_password + changed_when: False + when: + - ldap_nagios_password == "" + - not nagios_monitoring_plugins_path.stat.exists + +# Use the generated password or the one found in the file +- name: overwrite ldap_nagios_password (from apg) + set_fact: + ldap_nagios_password: "{{ new_ldap_nagios_password.stdout }}" + when: + - ldap_nagios_password == "" + - not nagios_monitoring_plugins_path.stat.exists + +- name: set params for NRPE check + ini_file: + dest: /etc/nagios/monitoring-plugins.ini + owner: root + group: nagios + section: check_ldap + option: "{{ item.option }}" + value: "{{ item.value }}" + mode: "0640" + with_items: + - { option: 'hostname', value: '127.0.0.1' } + - { option: 'base', value: "{{ ldap_suffix }}" } + - { option: 'bind', value: "cn=nagios,ou=ldapusers,{{ ldap_suffix }}" } + - { option: 'pass', value: "{{ ldap_nagios_password }}" } + when: not nagios_monitoring_plugins_path.stat.exists + +# Read ldap password when none is given and nagios config is present +# We can't parse a remote file, so we have to fetch it first +- name: Fetch /etc/nagios/monitoring-plugins.ini + fetch: + src: /etc/nagios/monitoring-plugins.ini + dest: /tmp/{{ 
inventory_hostname }}/ + flat: yes + +# Then web can parse it with the 'ini' lookup +# and set the variable +- name: overwrite ldap_nagios_password (from file) + set_fact: + ldap_nagios_password: "{{ lookup('ini', 'pass section=check_ldap file=/tmp/{{ inventory_hostname }}/etc/nagios/monitoring-plugins.ini') }}" + +- name: hash password for cn=nagios + command: "slappasswd -s {{ ldap_nagios_password }}" + register: ldap_nagios_password_ssha + changed_when: False \ No newline at end of file diff --git a/ldap/templates/ldapvirc.j2 b/ldap/templates/ldapvirc.j2 index e61a7524..53ece952 100644 --- a/ldap/templates/ldapvirc.j2 +++ b/ldap/templates/ldapvirc.j2 @@ -3,4 +3,4 @@ host: ldap://127.0.0.1 base: {{ ldap_suffix }} user: cn=admin,{{ ldap_suffix }} bind: simple -password: {{ ldap_admin_password.stdout }} +password: {{ ldap_admin_password }}
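Review bot: The task named `create a password for cn=admin` near the top of nagios.yml generates the nagios password (it registers `new_ldap_nagios_password`), a copy-paste leftover; rename it `create a password for cn=nagios` so the play output does not suggest the admin password is being regenerated. The `fetch` of /etc/nagios/monitoring-plugins.ini copies a file holding the nagios bind password to `/tmp/{{ inventory_hostname }}/` on the controller, a predictable path that is never cleaned up, and with `flat: yes` and a dest ending in `/` fetch stores it as `/tmp/<host>/monitoring-plugins.ini` while the `ini` lookup reads `/tmp/<host>/etc/nagios/monitoring-plugins.ini` (the non-flat layout), so unless I am misreading `flat` the lookup never finds the file. Reading the value in place with `slurp` and `regex_search` removes both the controller-side copy and the path mismatch, and `no_log: true` on the password-handling tasks (including `hash password for cn=nagios`, which also puts the password on the slappasswd command line) keeps the value out of the logs. The regex below is constructed against the `option = value` form ini_file writes and should be checked against the real file layout.
```yaml
# … unchanged: stat, warning, apg, generated-password set_fact, set params for NRPE check …

# Read the password in place; no copy of the file lands on the controller
- name: Read /etc/nagios/monitoring-plugins.ini
  slurp:
    src: /etc/nagios/monitoring-plugins.ini
  register: nagios_monitoring_plugins_content
  no_log: true

- name: overwrite ldap_nagios_password (from file)
  set_fact:
    ldap_nagios_password: "{{ (nagios_monitoring_plugins_content.content | b64decode) | regex_search('(?ms)^\\[check_ldap\\].*?^pass\\s*=\\s*(.+?)$', '\\1') | first }}"
  no_log: true

# … unchanged: hash password for cn=nagios (add no_log: true) …
```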