Improve ldap role
This commit is contained in:
parent
2aa26e2d68
commit
95408a2409
|
@ -1,4 +1,5 @@
|
||||||
---
|
---
|
||||||
ldap_domain: "{{ ansible_fqdn }}"
|
ldap_domain: "{{ ansible_fqdn }}"
|
||||||
ldap_organization: "{{ ansible_domain }}"
|
ldap_organization: "{{ ansible_domain }}"
|
||||||
#ldap_password=$(apg -n1 -m 12 -c cl_seed)
|
ldap_suffix: "dc=example,dc=com"
|
||||||
|
ldap_suffix_dc: "example"
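Review bot: `ldap_suffix_dc` is a second hand-maintained copy of what `ldap_suffix` already encodes, and the new templates consume both (`ldap_suffix` for every DN, `ldap_suffix_dc` for the root entry's `dc` and `o`), so overriding one without the other produces a root entry whose `dc` value is not the first RDN of its DN, which slapadd's schema check is likely to reject. Deriving the default keeps the two in step: `ldap_suffix_dc: "{{ ldap_suffix.split(',')[0] | regex_replace('^dc=', '') }}"`. A comment above the pair would also help, e.g. `# ldap_suffix_dc must equal the value of the first RDN of ldap_suffix; the root entry's dc attribute is built from it`. The `ldap_organization` default kept just above is not referenced by any of the added templates (`o:` is filled from `ldap_suffix_dc`), which may be intentional but deserves a note.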
|
||||||
|
|
|
@ -6,8 +6,72 @@
|
||||||
- slapd
|
- slapd
|
||||||
- ldap-utils
|
- ldap-utils
|
||||||
- ldapvi
|
- ldapvi
|
||||||
|
- shelldap
|
||||||
|
|
||||||
|
- name: "Is /root/.ldapvirc present ?"
|
||||||
|
stat:
|
||||||
|
path: /root/.ldapvirc
|
||||||
|
check_mode: no
|
||||||
|
register: root_ldapvirc_path
|
||||||
|
|
||||||
- name: apg package is installed
|
- name: apg package is installed
|
||||||
apt:
|
apt:
|
||||||
name: apg
|
name: apg
|
||||||
state: present
|
state: present
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: create a password for cn=admin
|
||||||
|
command: "apg -n 1 -m 16 -M lcN"
|
||||||
|
register: ldap_admin_password
|
||||||
|
changed_when: False
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: create a password for cn=nagios
|
||||||
|
command: "apg -n 1 -m 16 -M lcN"
|
||||||
|
register: ldap_nagios_password
|
||||||
|
changed_when: False
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: hash password for cn=admin
|
||||||
|
command: "slappasswd -s {{ ldap_admin_password.stdout }}"
|
||||||
|
register: ldap_admin_password_ssha
|
||||||
|
changed_when: False
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: hash password for cn=nagios
|
||||||
|
command: "slappasswd -s {{ ldap_nagios_password.stdout }}"
|
||||||
|
register: ldap_nagios_password_ssha
|
||||||
|
changed_when: False
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: create ldapvirc config
|
||||||
|
template:
|
||||||
|
src: ldapvirc.j2
|
||||||
|
dest: /root/.ldapvirc
|
||||||
|
mode: "0640"
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: upload ldap initial config
|
||||||
|
template:
|
||||||
|
src: config_ldapvi.j2
|
||||||
|
dest: /root/evolinux_ldap_config.ldapvi
|
||||||
|
mode: "0640"
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: upload ldap initial entries
|
||||||
|
template:
|
||||||
|
src: first-entries.ldif.j2
|
||||||
|
dest: /root/evolinux_ldap_first-entries.ldif
|
||||||
|
mode: "0640"
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: inject config
|
||||||
|
command: ldapvi -Y EXTERNAL -h ldapi:// --ldapmodify /root/evolinux_ldap_config.ldapvi
|
||||||
|
environment:
|
||||||
|
TERM: xterm
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
- name: inject first entries
|
||||||
|
command: slapadd -l /root/evolinux_ldap_first-entries.ldif
|
||||||
|
when: not root_ldapvirc_path.stat.exists
|
||||||
|
|
||||||
|
|
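Review bot: The two `hash password for cn=…` tasks run `slappasswd -s {{ ldap_admin_password.stdout }}`, which puts the freshly generated cleartext password on the command line where any local user can read it from the process list, and because none of the `create a password` / `hash password` tasks set `no_log`, the cleartext and the resulting hash are also printed in the play output and passed to any logging callback. Feed the secret to `slappasswd -T` over stdin and mark these four tasks `no_log: true`, as sketched below for the admin pair (the nagios pair changes identically); `stdin_add_newline: false` matters, since otherwise the trailing newline becomes part of the hashed password and the cleartext written to `.ldapvirc` no longer matches. Separately, `inject first entries` calls `slapadd` while slapd is presumably running (the `ldapvi ... ldapi://` step just before it needs a live daemon), which slapadd(8) warns against for a read-write server and which, run as root, can leave database files slapd's own user cannot write; `ldapadd -Y EXTERNAL -H ldapi:// -f /root/evolinux_ldap_first-entries.ldif` goes through the running server instead and is authorised by the `{0}` peercred rule the config step installs. Finally, `/root/.ldapvirc` is the marker every later task keys on, yet it is written before either injection step, so a failure in `inject config` or `inject first entries` leaves the directory half-configured and every rerun skipped; writing that template last, after `inject first entries`, makes the run resumable.
```yaml
- name: create a password for cn=admin
  command: "apg -n 1 -m 16 -M lcN"
  register: ldap_admin_password
  changed_when: false
  no_log: true
  when: not root_ldapvirc_path.stat.exists

# … unchanged: create a password for cn=nagios (add no_log: true the same way) …

- name: hash password for cn=admin
  command: "slappasswd -T /dev/stdin"
  args:
    stdin: "{{ ldap_admin_password.stdout }}"
    stdin_add_newline: false
  register: ldap_admin_password_ssha
  changed_when: false
  no_log: true
  when: not root_ldapvirc_path.stat.exists

# … unchanged: hash password for cn=nagios (same stdin / no_log changes) …
```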
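--- /dev/null
+++ b/ldap/templates/config_ldapvi.j2
@@ -0,0 +1,8 @@
+modify: olcDatabase={1}mdb,cn=config
+olcSuffix: {{ ldap_suffix }}
+olcRootDN: cn=admin,{{ ldap_suffix }}
+olcRootPW: {{ ldap_admin_password_ssha.stdout }}
+olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
+olcAccess: {1}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * none
+olcAccess: {2}to attrs=shadowLastChange by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read
+olcAccess: {3}to * by self write by dn="cn=admin,{{ ldap_suffix }}" write by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" write by * read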
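Review bot: In the `olcAccess` rules `{1}` to `{3}`, `cn=perl,ou=ldapusers` receives exactly the rights of `cn=admin` — write on every entry, including every `userPassword` — which makes it a second administrator rather than an application account, and nothing in the file says why. If perl only needs to read, or to manage one subtree, scope its clause accordingly, e.g. `by dn="cn=perl,ou=ldapusers,{{ ldap_suffix }}" read` in `{3}` and drop it from `{1}`; if full write is intended, a comment stating that intent would save the next reader the question. Note also that `{3}to * ... by * read` lets anonymous binds enumerate the whole tree (only `userPassword` is withheld by `{1}`); if that is not wanted, `by users read by * none`, or an explicit `by dn="cn=nagios,ou=ldapusers,{{ ldap_suffix }}" read` clause for the monitoring account, which currently has no rule of its own, is the usual narrowing. Whether ldapvi's modify format accepts `#` comment lines is not shown in this diff, so the intent note may have to live in the role's README instead.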
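--- /dev/null
+++ b/ldap/templates/first-entries.ldif.j2
@@ -0,0 +1,30 @@
+dn: {{ ldap_suffix }}
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+o: {{ ldap_suffix_dc }}
+dc: {{ ldap_suffix_dc }}
+
+dn: cn=admin,{{ ldap_suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+description: LDAP administrator
+userPassword: {{ ldap_admin_password_ssha.stdout }}
+
+dn: ou=ldapusers,{{ ldap_suffix }}
+objectClass: top
+objectClass: organizationalUnit
+ou: ldapusers
+
+dn: cn=perl,ou=ldapusers,{{ ldap_suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: perl
+userPassword: {{ ldap_admin_password_ssha.stdout }}
+
+dn: cn=nagios,ou=ldapusers,{{ ldap_suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: nagios
+userPassword: {{ ldap_nagios_password_ssha.stdout }}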
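Review bot: `cn=perl` is created with `userPassword: {{ ldap_admin_password_ssha.stdout }}`, the same hash as `cn=admin`, so the two accounts share one secret — whichever application is handed the perl credentials also holds the administrator password, and rotating one silently rotates the other. The nagios entry already shows the pattern to follow: add a `create a password for cn=perl` / `hash password for cn=perl` task pair in the tasks file and use `userPassword: {{ ldap_perl_password_ssha.stdout }}` here. A LDIF comment line above the entry, `# cn=perl: application bind account; write rights come from the olcAccess rules in config_ldapvi.j2`, would document what the account is for. Minor: the root entry fills `o:` from `ldap_suffix_dc` although the role's defaults define `ldap_organization` for that purpose, which may be intentional but deserves a comment.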
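--- /dev/null
+++ b/ldap/templates/ldapvirc.j2
@@ -0,0 +1,6 @@
+profile default
+host: ldap://127.0.0.1
+base: {{ ldap_suffix }}
+user: cn=admin,{{ ldap_suffix }}
+bind: simple
+password: {{ ldap_admin_password.stdout }}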
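Review bot: `password: {{ ldap_admin_password.stdout }}` persists the directory's root password in cleartext on disk for the lifetime of the host, and the task that writes this file gives it mode `0640`, so it is readable by the file's group as well as by root. The `{0}` rule in config_ldapvi.j2 already grants root `manage` rights over `ldapi://` via peercred, so root does not need a stored password at all: a profile along the lines of `host: ldapi://` with a SASL EXTERNAL bind (the tasks already drive ldapvi with `-Y EXTERNAL -h ldapi://`) would make the file secret-free — whether ldapvi's profile syntax accepts a `sasl-mech: EXTERNAL` line is not shown here and should be checked against ldapvi(1). If the cleartext password must stay, tighten the template task to `mode: "0600"` and document the sensitivity with a comment such as `# Holds the LDAP root password in cleartext; must remain root-only`. The comment syntax ldapvi accepts in its rc file is not visible in this diff either, so that note may need to go in the role README instead.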