diff --git a/ldap/defaults/main.yml b/ldap/defaults/main.yml
index 1e90583f..2f208f98 100644
--- a/ldap/defaults/main.yml
+++ b/ldap/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
 ldap_domain: "{{ ansible_fqdn }}"
 ldap_organization: "{{ ansible_domain }}"
-#ldap_password=$(apg -n1 -m 12 -c cl_seed)
+ldap_suffix: "dc=example,dc=com"
+ldap_suffix_dc: "example"
diff --git a/ldap/tasks/main.yml b/ldap/tasks/main.yml
index c28c01fe..be3a8bd1 100644
--- a/ldap/tasks/main.yml
+++ b/ldap/tasks/main.yml
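Review bot: `ldap_suffix_dc: "example"` is an independent default that has to equal the first `dc=` component of `ldap_suffix`, and nothing ties the two together — a consumer overriding `ldap_suffix` without also overriding `ldap_suffix_dc` produces a base entry whose `dc` attribute no longer matches its RDN, which slapadd will most likely reject as a missing naming attribute. Deriving it from the suffix removes that failure mode: `ldap_suffix_dc: "{{ ldap_suffix.split(',')[0].split('=')[1] }}"`. It is also worth a comment that `ldap_suffix` is a placeholder, since the neighbouring `ldap_domain` is derived from facts while this one is hard-coded to example.com, e.g. `# Base DN of the directory; override per deployment (must start with a dc= RDN, ldap_suffix_dc is its value)`.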
@@ -6,8 +6,72 @@
 - slapd
 - ldap-utils
 - ldapvi
+ - shelldap
+
+- name: "Is /root/.ldapvirc present ?"
+ stat:
+ path: /root/.ldapvirc
+ check_mode: no
+ register: root_ldapvirc_path
 
 - name: apg package is installed
 apt:
 name: apg
 state: present
+ when: not root_ldapvirc_path.stat.exists
+
+- name: create a password for cn=admin
+ command: "apg -n 1 -m 16 -M lcN"
+ register: ldap_admin_password
+ changed_when: False
+ when: not root_ldapvirc_path.stat.exists
+
+- name: create a password for cn=nagios
+ command: "apg -n 1 -m 16 -M lcN"
+ register: ldap_nagios_password
+ changed_when: False
+ when: not root_ldapvirc_path.stat.exists
+
+- name: hash password for cn=admin
+ command: "slappasswd -s {{ ldap_admin_password.stdout }}"
+ register: ldap_admin_password_ssha
+ changed_when: False
+ when: not root_ldapvirc_path.stat.exists
+
+- name: hash password for cn=nagios
+ command: "slappasswd -s {{ ldap_nagios_password.stdout }}"
+ register: ldap_nagios_password_ssha
+ changed_when: False
+ when: not root_ldapvirc_path.stat.exists
+
+- name: create ldapvirc config
+ template:
+ src: ldapvirc.j2
+ dest: /root/.ldapvirc
+ mode: "0640"
+ when: not root_ldapvirc_path.stat.exists
+
+- name: upload ldap initial config
+ template:
+ src: config_ldapvi.j2
+ dest: /root/evolinux_ldap_config.ldapvi
+ mode: "0640"
+ when: not root_ldapvirc_path.stat.exists
+
+- name: upload ldap initial entries
+ template:
+ src: first-entries.ldif.j2
+ dest: /root/evolinux_ldap_first-entries.ldif
+ mode: "0640"
+ when: not root_ldapvirc_path.stat.exists
+
+- name: inject config
+ command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
+ environment:
+ TERM: xterm
+ when: not root_ldapvirc_path.stat.exists
+
+- name: inject first entries
+ command: slapadd -l /root/evolinux_ldap_first-entries.ldif
+ when: not root_ldapvirc_path.stat.exists
+
diff --git a/ldap/templates/config_ldapvi.j2 b/ldap/templates/config_ldapvi.j2
new file mode 100644
index 00000000..9be8044c
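Review bot: The two `hash password` tasks put the freshly generated cleartext password on slappasswd's command line (`slappasswd -s {{ ldap_admin_password.stdout }}`), where any local user can read it from the process list for the duration of the call, and none of the apg, slappasswd or template tasks set `no_log: true`, so the secret and its hash are also recorded in Ansible's registered results and verbose output. Feeding the secret over stdin keeps it out of argv: `command: slappasswd -T /dev/stdin` with `stdin: "{{ ldap_admin_password.stdout }}"` and `stdin_add_newline: false` (so no trailing newline is hashed), plus `no_log: true` on the password-generating, hashing and template tasks. Separately, `inject first entries` runs `slapadd` directly against the mdb database while the preceding `inject config` task needs slapd running over ldapi://; slapadd on a live database is documented as unsafe and the files it creates are owned by root rather than the openldap user, so the task should be bracketed by a stop/start of slapd or replaced by an `ldapadd` over ldapi://, unless that is handled elsewhere in the role, which this hunk does not show. Minor style: `check_mode: no` and `changed_when: False` read better as `false` under yamllint's truthy rule.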
--- /dev/null
+++ b/ldap/templates/config_ldapvi.j2
@@ -0,0 +1,8 @@
+modify: olcDatabase={1}mdb,cn=config
+olcSuffix: {{ ldap_suffix }}
+olcRootDN: cn=admin,{{ ldap_suffix }}
+olcRootPW: {{ ldap_admin_password_ssha.stdout }}
+olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * none
+olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
+olcAccess: {3}to * by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
diff --git a/ldap/templates/first-entries.ldif.j2 b/ldap/templates/first-entries.ldif.j2
new file mode 100644
index 00000000..56828636
--- /dev/null
+++ b/ldap/templates/first-entries.ldif.j2
@@ -0,0 +1,30 @@
+dn: {{ ldap_suffix }}
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: {{ ldap_suffix_dc }}
+dc: {{ ldap_suffix_dc }}
+
+dn: cn=admin,{{ ldap_suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+description: LDAP administrator
+userPassword: {{ ldap_admin_password_ssha.stdout }}
+
+dn: ou=ldapusers,{{ ldap_suffix }}
+objectClass: top
+objectClass: organizationalUnit
+ou: ldapusers
+
+dn: cn=perl,ou=ldapusers,{{ ldap_suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: perl
+userPassword: {{ ldap_admin_password_ssha.stdout }}
+
+dn: cn=nagios,ou=ldapusers,{{ ldap_suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: nagios
+userPassword: {{ ldap_nagios_password_ssha.stdout }}
diff --git a/ldap/templates/ldapvirc.j2 b/ldap/templates/ldapvirc.j2
new file mode 100644
index 00000000..e61a7524
--- /dev/null
+++ b/ldap/templates/ldapvirc.j2
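Review bot: ACLs `{2}` and `{3}` end in `by * read`, which grants anonymous binds read access to every entry and every attribute except userPassword, `shadowLastChange` included; whether that is acceptable depends on where slapd listens, which this file does not show (the role's ldapvirc only talks to 127.0.0.1, but nothing here confines slapd itself to loopback). If anonymous directory browsing is not a requirement, `by users read by * none` on those two rules restricts reads to authenticated binds while rule `{1}` still lets anonymous clients authenticate against userPassword. A comment above the rules naming the intended audience, e.g. `# anonymous read is intentional: clients bind anonymously to look up accounts`, would make the choice auditable later.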
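Review bot: The `cn=perl` service account is created with `userPassword: {{ ldap_admin_password_ssha.stdout }}`, the same hash as `cn=admin`, so whichever application stores the perl bind password effectively holds the directory administrator's credential, and the two cannot be rotated independently. Generating a dedicated secret the way the commit already does for cn=nagios (an extra apg/slappasswd pair in the tasks file registered as, say, `ldap_perl_password_ssha`) and using `userPassword: {{ ldap_perl_password_ssha.stdout }}` here removes the coupling. It would also help to note that the `cn=admin` entry duplicates olcRootPW from the config template, so a password change must be applied in both places: `# NOTE: keep in sync with olcRootPW in config_ldapvi.j2`.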
@@ -0,0 +1,6 @@
+profile default
+host: ldap://127.0.0.1
+base: {{ ldap_suffix }}
+user: cn=admin,{{ ldap_suffix }}
+bind: simple
+password: {{ ldap_admin_password.stdout }}
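Review bot: This profile persists the cn=admin password in cleartext in `/root/.ldapvirc` and binds with it over plain `ldap://127.0.0.1`, although the role already has a credential-free root path to the server — the `inject config` task binds as local root with `-Y EXTERNAL` over `ldapi://`, which ACL `{0}` grants manage rights. If the file exists only so root can run ldapvi, pointing the profile at `ldapi://` with SASL EXTERNAL would avoid storing the admin secret on disk at all; this diff does not show whether ldapvi's rc-file syntax accepts that binding, so it needs checking against the ldapvi manual. Note too that the tasks file uses this file's existence as its idempotency marker, so a comment such as `# also the marker that initial LDAP provisioning has run; deleting it regenerates passwords and re-injects the config` would stop an operator from removing it to rotate the password.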