Improve ldap role

This commit is contained in:
Gregory Colpart 2017-10-03 22:58:49 +02:00 committed by Victor LABORIE
parent 2aa26e2d68
commit 95408a2409
5 changed files with 110 additions and 1 deletions

View File

@ -1,4 +1,5 @@
---
ldap_domain: "{{ ansible_fqdn }}"
ldap_organization: "{{ ansible_domain }}"
#ldap_password=$(apg -n1 -m 12 -c cl_seed)
ldap_suffix: "dc=example,dc=com"
ldap_suffix_dc: "example"

View File

@ -6,8 +6,72 @@
- slapd
- ldap-utils
- ldapvi
- shelldap
- name: "Is /root/.ldapvirc present ?"
stat:
path: /root/.ldapvirc
check_mode: no
register: root_ldapvirc_path
- name: apg package is installed
apt:
name: apg
state: present
when: not root_ldapvirc_path.stat.exists
- name: create a password for cn=admin
command: "apg -n 1 -m 16 -M lcN"
register: ldap_admin_password
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: create a password for cn=nagios
command: "apg -n 1 -m 16 -M lcN"
register: ldap_nagios_password
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: hash password for cn=admin
command: "slappasswd -s {{ ldap_admin_password.stdout }}"
register: ldap_admin_password_ssha
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: hash password for cn=nagios
command: "slappasswd -s {{ ldap_nagios_password.stdout }}"
register: ldap_nagios_password_ssha
changed_when: False
when: not root_ldapvirc_path.stat.exists
- name: create ldapvirc config
template:
src: ldapvirc.j2
dest: /root/.ldapvirc
mode: "0640"
when: not root_ldapvirc_path.stat.exists
- name: upload ldap initial config
template:
src: config_ldapvi.j2
dest: /root/evolinux_ldap_config.ldapvi
mode: "0640"
when: not root_ldapvirc_path.stat.exists
- name: upload ldap initial entries
template:
src: first-entries.ldif.j2
dest: /root/evolinux_ldap_first-entries.ldif
mode: "0640"
when: not root_ldapvirc_path.stat.exists
- name: inject config
command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
environment:
TERM: xterm
when: not root_ldapvirc_path.stat.exists
- name: inject first entries
command: slapadd -l /root/evolinux_ldap_first-entries.ldif
when: not root_ldapvirc_path.stat.exists

View File

@ -0,0 +1,8 @@
modify: olcDatabase={1}mdb,cn=config
olcSuffix: {{ ldap_suffix }}
olcRootDN: cn=admin,{{ ldap_suffix }}
olcRootPW: {{ ldap_admin_password_ssha.stdout }}
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * none
olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
olcAccess: {3}to * by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read

View File

@ -0,0 +1,30 @@
dn: {{ ldap_suffix }}
objectClass: top
objectClass: dcObject
objectClass: organization
o: {{ ldap_suffix_dc }}
dc: {{ ldap_suffix_dc }}
dn: cn=admin,{{ ldap_suffix }}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {{ ldap_admin_password_ssha.stdout }}
dn: ou=ldapusers,{{ ldap_suffix }}
objectClass: top
objectClass: organizationalUnit
ou: ldapusers
dn: cn=perl,ou=ldapusers,{{ ldap_suffix }}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: perl
userPassword: {{ ldap_admin_password_ssha.stdout }}
dn: cn=nagios,ou=ldapusers,{{ ldap_suffix }}
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: nagios
userPassword: {{ ldap_nagios_password_ssha.stdout }}

View File

@ -0,0 +1,6 @@
profile default
host: ldap://127.0.0.1
base: {{ ldap_suffix }}
user: cn=admin,{{ ldap_suffix }}
bind: simple
password: {{ ldap_admin_password.stdout }}