Improve ldap role

ldap/defaults/main.yml

@@ -1,4 +1,5 @@
 ---
 ldap_domain: "{{ ansible_fqdn }}"
 ldap_organization: "{{ ansible_domain }}"
-#ldap_password=$(apg -n1 -m 12 -c cl_seed)
+ldap_suffix: "dc=example,dc=com"
+ldap_suffix_dc: "example"

ldap/tasks/main.yml

@@ -6,8 +6,72 @@
     - slapd
     - ldap-utils
     - ldapvi
+    - shelldap
+
+- name: "Is /root/.ldapvirc present ?"
+  stat:
+    path: /root/.ldapvirc
+  check_mode: no
+  register: root_ldapvirc_path
 
 - name: apg package is installed
   apt:
     name: apg
     state: present
+  when: not root_ldapvirc_path.stat.exists
+
+- name: create a password for cn=admin
+  command: "apg -n 1 -m 16 -M lcN"
+  register: ldap_admin_password
+  changed_when: False
+  when: not root_ldapvirc_path.stat.exists
+
+- name: create a password for cn=nagios
+  command: "apg -n 1 -m 16 -M lcN"
+  register: ldap_nagios_password
+  changed_when: False
+  when: not root_ldapvirc_path.stat.exists
+
+- name: hash password for cn=admin
+  command: "slappasswd -s {{ ldap_admin_password.stdout }}"
+  register: ldap_admin_password_ssha
+  changed_when: False
+  when: not root_ldapvirc_path.stat.exists
+
+- name: hash password for cn=nagios
+  command: "slappasswd -s {{ ldap_nagios_password.stdout }}"
+  register: ldap_nagios_password_ssha
+  changed_when: False
+  when: not root_ldapvirc_path.stat.exists
+
+- name: create ldapvirc config
+  template:
+    src: ldapvirc.j2
+    dest: /root/.ldapvirc
+    mode: "0640"
+  when: not root_ldapvirc_path.stat.exists
+
+- name: upload ldap initial config
+  template:
+    src: config_ldapvi.j2
+    dest: /root/evolinux_ldap_config.ldapvi
+    mode: "0640"
+  when: not root_ldapvirc_path.stat.exists
+
+- name: upload ldap initial entries
+  template:
+    src: first-entries.ldif.j2
+    dest: /root/evolinux_ldap_first-entries.ldif
+    mode: "0640"
+  when: not root_ldapvirc_path.stat.exists
+
+- name: inject config
+  command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
+  environment:
+    TERM: xterm
+  when: not root_ldapvirc_path.stat.exists
+
+- name: inject first entries
+  command: slapadd -l /root/evolinux_ldap_first-entries.ldif
+  when: not root_ldapvirc_path.stat.exists
+

ldap/templates/config_ldapvi.j2

@@ -0,0 +1,8 @@
+modify: olcDatabase={1}mdb,cn=config
+olcSuffix: {{ ldap_suffix }}
+olcRootDN: cn=admin,{{ ldap_suffix }}
+olcRootPW: {{ ldap_admin_password_ssha.stdout }}
+olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * none
+olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
+olcAccess: {3}to * by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read

ldap/templates/first-entries.ldif.j2

@@ -0,0 +1,30 @@
+dn: {{ ldap_suffix }}
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: {{ ldap_suffix_dc }}
+dc: {{ ldap_suffix_dc }}
+
+dn: cn=admin,{{ ldap_suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+description: LDAP administrator
+userPassword: {{ ldap_admin_password_ssha.stdout }}
+
+dn: ou=ldapusers,{{ ldap_suffix }}
+objectClass: top
+objectClass: organizationalUnit
+ou: ldapusers
+
+dn: cn=perl,ou=ldapusers,{{ ldap_suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: perl
+userPassword: {{ ldap_admin_password_ssha.stdout }}
+
+dn: cn=nagios,ou=ldapusers,{{ ldap_suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: nagios
+userPassword: {{ ldap_nagios_password_ssha.stdout }}

ldap/templates/ldapvirc.j2

@@ -0,0 +1,6 @@
+profile default
+host: ldap://127.0.0.1
+base: {{ ldap_suffix }}
+user: cn=admin,{{ ldap_suffix }}
+bind: simple
+password: {{ ldap_admin_password.stdout }}