---

# Server packages plus the client tools the tasks below shell out to
# (ldapsearch); python-ldap is only there for Ansible's own LDAP modules.
- name: Install LDAP Server
  package:
    name:
      - slapd
      - ldap-utils
      - python-ldap   # for Ansible
    state: present

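# slapd has to be up before the ldapi:/// based configuration that follows.
- name: Start LDAP Service
  service:
    name: slapd
    # canonical boolean; "yes" is only a YAML 1.1 truthy alias
    enabled: true
    state: started
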
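# Client-side ldap.conf for the tools; world-readable, so nothing secret
# belongs in the template.
- name: Install LDAP tools configuration
  template:
    src: ldap.conf
    dest: "{{ ldap_confdir }}/"
    owner: root
    group: root
    # quoted: an unquoted 0644 is parsed as the octal integer 420
    mode: "0644"
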
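# Holds the server's TLS material; only root and slapd's group may enter it.
- name: Create TLS Certificates Directory
  file:
    path: "{{ cert_dir }}"
    state: directory
    owner: root
    group: "{{ ldap_usergroup }}"
    # quoted so YAML keeps it a string rather than an octal integer
    mode: "0750"
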
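# Certificate, private key and DH parameters.  The key is group-readable on
# purpose (slapd runs under ldap_usergroup); nothing else may read it.
- name: Install TLS Certificates
  copy:
    src: "{{ pki.path }}/server/{{ cert_base_name }}.{{ item }}"
    dest: "{{ cert_dir }}/"
    owner: root
    group: "{{ ldap_usergroup }}"
    # these are data files: the former 0740 granted an execute bit the
    # owner never needs; quoted so YAML does not turn it into an integer
    mode: "0640"
  with_items:
    - crt
    - key
    - dh
  notify: Restart LDAP Server
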
# Each include of service_account_info.yml is expected to leave its result
# in account_info (presumably a set_fact in that file - confirm there); the
# value is copied straight away because the next include overwrites it.
- name: Fetch replicator service account info
  include_tasks: service_account_info.yml
  vars:
    uid: srv-replicator
- name: Store replicator service account info
  set_fact:
    replicator_account: "{{ account_info }}"

- name: Fetch monitor service account info
  include_tasks: service_account_info.yml
  vars:
    uid: srv-monitor
- name: Store monitor service account info
  set_fact:
    monitor_account: "{{ account_info }}"

- name: Fetch auth service account info
  include_tasks: service_account_info.yml
  vars:
    uid: srv-auth
- name: Store auth service account info
  set_fact:
    auth_account: "{{ account_info }}"

- name: Fetch mail service account info
  include_tasks: service_account_info.yml
  vars:
    uid: srv-mail
- name: Store mail service account info
  set_fact:
    mail_account: "{{ account_info }}"

# Variables holding LDIF fragments for the tasks below (presumably including
# client_synrepl_change used by the replication tasks) come from ldif.yml.
- name: Load LDIF bits used to update the config
  include_vars: ldif.yml

# Global (cn=config) settings: the TLS material installed above and a log
# level restricted to replication events.
- name: Setup base config
  include_tasks: ldapmodify.yml
  vars:
    dn: "cn=config"
    changes:
      # security strength factor assumed for ldapi:/// (local socket)
      # sessions; 71 is OpenLDAP's default, so the ssf=128 ACL clauses below
      # are not satisfied by a local socket alone
      - name: olcLocalSSF
        values: "71"
      - name: olcLogLevel
        values: ['Sync', 'None']
      - name: olcTLSCertificateKeyFile
        values: "{{ cert_dir }}/{{ cert_base_name }}.key"
      - name: olcTLSCertificateFile
        values: "{{ cert_dir }}/{{ cert_base_name }}.crt"
      - name: olcTLSDHParamFile
        values: "{{ cert_dir }}/{{ cert_base_name }}.dh"
      # system CA bundle: every CA in it is trusted whenever slapd verifies
      # a peer certificate (outgoing TLS connections, client certificates
      # if verification is ever enabled)
      - name: olcTLSCACertificateFile
        values: /etc/ssl/certs/ca-certificates.crt

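# Ask the running server which dynamic modules are loaded and keep the bare
# module names (the "{n}" ordering prefix is cut off).  Authenticates with the
# peer credentials of the local socket (SASL EXTERNAL), so no password is
# involved; assumes the play runs with enough privilege to be root there.
- name: Fetch list of loaded LDAP modules
  shell: 'ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=module{0},cn=config" -s base -Q olcModuleLoad | grep "^olcModuleLoad:" | cut -d} -f2'
  # read-only query: never reported as a change, and executed in check mode
  # too so the set_fact that follows has data (canonical lowercase booleans)
  changed_when: false
  check_mode: false
  register: mod_list
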
- name: Compute Modules to load
  set_fact:
    # modules we want minus those the server already reported; folded scalar
    # so the expression fits on two lines (joined with a single space)
    new_modules: >-
      {{ ['back_mdb', 'back_monitor', 'syncprov', 'unique', 'deref']
      | difference(mod_list.stdout_lines) }}

# Loading a module needs a restart; both steps are skipped when the server
# already has every module on the list.
- name: Setup modules to load
  block:
    - name: Update list of modules
      include_tasks: ldapmodify.yml
      vars:
        dn: "cn=module{0},cn=config"
        changes:
          - name: olcModuleLoad
            values: "{{ new_modules }}"
            op: add
    - name: Restart LDAP Server
      service:
        name: slapd
        state: restarted
  when: new_modules | length > 0

# The frontend pseudo-database is not exposed through cn=monitor.
- name: Setup frontend database
  include_tasks: ldapmodify.yml
  vars:
    dn: "olcDatabase={-1}frontend,cn=config"
    changes:
      - name: olcMonitoring
        values: "FALSE"

# Access rules for the configuration database itself.
- name: Setup config database
  include_tasks: ldapmodify.yml
  vars:
    dn: "olcDatabase={0}config,cn=config"
    changes:
      - name: olcAccess
        values:
          # local root (ldapi peer credentials) manages everything; the
          # replicator may read all of cn=config although the replication
          # defined further down only pulls cn=schema,cn=config -
          # NOTE(review): narrowing this to that subtree looks possible,
          # verify what the consumer actually has to read first
          - >-
            {0}to *
            by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
            by dn.base="{{ replicator_account.bind_dn }}" read
            by * none
      - name: olcMonitoring
        values: "FALSE"
      # also apply the ACLs to the content of entries being added
      - name: olcAddContentAcl
        values: "TRUE"

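# Root DN and password of the config database.  Where config_root_pw comes
# from (and whether it is already a hash) is defined outside this file.
- name: Setup config database administrative credentials
  include_tasks: ldapmodify.yml
  vars:
    dn: "olcDatabase={0}config,cn=config"
    changes:
      - name: olcRootDN
        values: "{{ ldap.directory.config_root_dn }}"
      - name: olcRootPW
        values: "{{ ldap.directory.config_root_pw }}"
    # NOTE(review): indented under vars:, so this reaches ldapmodify.yml as
    # a variable named no_log, not as the task keyword - confirm the included
    # tasks apply it, otherwise the password ends up in the play output
    # (canonical lowercase boolean)
    no_log: true
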
# cn=monitor backend: readable by local root, the directory admin and the
# monitoring service account; the latter two only with an ssf of at least
# 128 (in practice a TLS session).
- include_tasks: obj_create_update.yml
  vars:
    obj_name: "monitor database"
    obj_rdn: "olcDatabase=monitor"
    obj_base: "cn=config"
    obj_classes: olcDatabaseConfig
    obj_changes:
      - name: olcMonitoring
        values: "FALSE"
      - name: olcAccess
        values:
          # NOTE(review): the admin DN is spelled out here whereas the data
          # database uses "cn=admin,{{ base_dn }}" - same entry only while
          # base_dn is dc=milkypond,dc=org
          - >-
            {0}to dn.subtree="cn=monitor"
            by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
            by dn.base="cn=admin,dc=milkypond,dc=org" ssf=128 read
            by dn.base="{{ monitor_account.bind_dn }}" ssf=128 read
            by * none

# Consumers ("slaves") need the schemas loaded once as well, otherwise some
# of the settings applied below are refused.  DuckCorp builds on ISPEnv2;
# load_schema.yml presumably resolves the listed dependencies first.
- name: Load schemas
  include_tasks: load_schema.yml
  vars:
    schema: "{{ item.name }}"
    dependencies: "{{ item.dependencies | default([]) }}"
  loop:
    - name: ISPEnv2
    - name: DuckCorp
      dependencies: ['ISPEnv2']

# Find the mdb database the distribution created at install time: its suffix
# is either derived from the host's domain or already our base_dn.  The
# matching DN is left in milkypond_dn for the tasks below.  The filter must
# stay on one line - any reflow would insert spaces into it.
- name: Fetch DN for milkypond database
  include_tasks: ldapsearch.yml
  vars:
    # reuse automatically created database
    search: "(&(olcDatabase=mdb)(|(olcSuffix=dc={{ (ansible_domain|default('nodomain', true)).split('.') | join(',dc=') }})(olcSuffix={{ base_dn }})))"
    result_var: milkypond_dn

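# On-disk location of the data database; owned by the slapd account.
- name: Create milkypond database directory
  file:
    path: "{{ database_dir }}"
    state: directory
    owner: openldap
    group: openldap
    # quoted so YAML keeps the octal notation as a string.
    # NOTE(review): group write is granted here; confirm something other
    # than the openldap user needs it, 0700 would do otherwise
    mode: "0770"
  notify: Restart LDAP Server
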
# The data database (mdb).  olcAccess rules are evaluated in order and the
# first "to" clause matching the target wins, so the catch-all {6} must
# stay last.  Several DNs below are spelled out as dc=milkypond,dc=org
# rather than {{ base_dn }} - they only agree while base_dn is that suffix.
- name: Setup milkypond database
  include_tasks: ldapmodify.yml
  vars:
    dn: "{{ milkypond_dn }}"
    changes:
      - {name: olcSuffix, values: "{{ base_dn }}"}
      - {name: olcDbDirectory, values: "{{ database_dir }}"}
      # the rootdn authenticates through its own directory entry: any
      # olcRootPW is removed again by a task further down
      - {name: olcRootDN, values: "cn=admin,{{ base_dn }}"}
      - {name: olcMonitoring, values: "TRUE"}
      - name: olcDbIndex
        values:
          - "allowedServices eq"
          - "allowGlobalDirectory eq"
          - "cn eq,sub"
          - "databaseName eq,sub"
          - "deliveryEntity eq"
          - "entryCSN eq"
          - "entryUUID eq"
          - "ftpHost eq"
          - "gidNumber eq"
          - "givenName eq,sub"
          - "jid eq"
          - "keyFingerPrint eq"
          - "mail eq"
          - "manager eq"
          - "member eq"
          - "memberUid eq"
          - "objectClass pres,eq"
          - "ou eq"
          - "relayEntity eq"
          - "sn eq,sub"
          - "uid eq"
          - "uidNumber eq"
          - "uniqueMember eq"
      - name: olcAccess
        values:
          # {0} password attributes: anonymous binds are accepted only via
          # the local sockets, loopback, or a session with ssf>=128 (TLS),
          # i.e. no cleartext password binds over the network; users change
          # their own password, mp-admins anyone's, the replicator reads
          # the stored hashes
          - >-
            {0}to attrs=userPassword,shadowLastChange
            by anonymous peername.path="/var/run/slapd/ldapi" auth
            by anonymous peername.path="/var/run/ldapi" auth
            by anonymous peername.ip="127.0.0.1" auth
            by anonymous peername.ipv6="::1" auth
            by anonymous ssf=128 auth
            by dn.base="{{ replicator_account.bind_dn }}" read
            by group/groupOfMembers/uniqueMember.exact="cn=mp-admins,ou=groups,o=milkypond,ou=entities,dc=milkypond,dc=org" write
            by self write
            by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
            by * none
          # {1}/{2} per-organisation subtrees: written by mp-admins and that
          # organisation's own dc-admins group, read by the service accounts
          # and by the entry itself
          - >-
            {1}to dn.subtree="o=duckcorp,ou=entities,dc=milkypond,dc=org"
            by group/groupOfMembers/uniqueMember.exact="cn=mp-admins,ou=groups,o=milkypond,ou=entities,dc=milkypond,dc=org" write
            by group/groupOfMembers/uniqueMember.exact="cn=dc-admins,ou=groups,o=duckcorp,ou=entities,dc=milkypond,dc=org" write
            by dn.base="{{ replicator_account.bind_dn }}" read
            by dn.base="{{ auth_account.bind_dn }}" read
            by dn.base="{{ mail_account.bind_dn }}" read
            by self read
            by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
            by * none
          - >-
            {2}to dn.subtree="o=rtpnet,ou=entities,dc=milkypond,dc=org"
            by group/groupOfMembers/uniqueMember.exact="cn=mp-admins,ou=groups,o=milkypond,ou=entities,dc=milkypond,dc=org" write
            by group/groupOfMembers/uniqueMember.exact="cn=dc-admins,ou=groups,o=rtpnet,ou=entities,dc=milkypond,dc=org" write
            by dn.base="{{ replicator_account.bind_dn }}" read
            by dn.base="{{ auth_account.bind_dn }}" read
            by dn.base="{{ mail_account.bind_dn }}" read
            by self read
            by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
            by * none
          # {3} the rest of the tree: the monitor account only gets search
          # (no attribute values), the other service accounts read
          - >-
            {3}to dn.subtree="dc=milkypond,dc=org"
            by group/groupOfMembers/uniqueMember.exact="cn=mp-admins,ou=groups,o=milkypond,ou=entities,dc=milkypond,dc=org" write
            by dn.base="{{ replicator_account.bind_dn }}" read
            by dn.base="{{ monitor_account.bind_dn }}" search
            by dn.base="{{ auth_account.bind_dn }}" read
            by dn.base="{{ mail_account.bind_dn }}" read
            by self read
            by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
            by * none
          # {4}/{5} a person's own ou=addr container: the DN captured by the
          # regex ($1 / $2, presumably the owning user) may add and remove
          # entries under it; "break" hands everyone else on to the next rule
          - >-
            {4}to dn.regex="^ou=addr,(uid=([^,]+),ou=People,dc=milkypond,dc=org)$" attrs=children
            by dn.base,expand="$1" write
            by * break
          - >-
            {5}to dn.regex="^uid=([^,]+),ou=addr,(uid=([^,]+),ou=People,dc=milkypond,dc=org)$" attrs=entry
            by dn.base,expand="$2" write
            by * break
          # {6} default deny; only local root keeps manage
          - >-
            {6}to *
            by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
            by * none
      # the replicator has to pull the whole tree in one search.
      # NOTE(review): the DN is spelled out while the ACLs above use
      # replicator_account.bind_dn - the two must stay in sync
      - name: olcLimits
        values:
          - >-
            {0}dn.base="cn=srv-replicator,dc=milkypond,dc=org" size.soft=unlimited size.hard=unlimited time.soft=unlimited time.hard=unlimited

# Read olcRootPW of the data database (empty when unset) into milkypond_pw;
# the next task removes it when present.
- name: Check if local password for milkypond database is setup
  include_tasks: ldapsearch.yml
  vars:
    search: "(&(olcDatabase=mdb)(olcSuffix={{ base_dn }}))"
    attr: olcRootPW
    result_var: milkypond_pw

# The rootdn is meant to authenticate through its own directory entry, so a
# password configured in cn=config must not remain as a second way in.
- name: Remove locally setup password for milkypond database
  include_tasks: ldapmodify.yml
  vars:
    dn: "{{ milkypond_dn }}"
    changes:
      - name: olcRootPW
        op: delete
  when: milkypond_pw != ''

# unique overlay: attributes that may not repeat anywhere in the tree.
- name: Setup unicity for milkypond database
  include_tasks: obj_create_update.yml
  vars:
    obj_name: "milkypond database unicity"
    obj_rdn: "olcOverlay=unique"
    obj_base: "{{ milkypond_dn }}"
    obj_classes:
      - olcOverlayConfig
      - olcUniqueConfig
    obj_changes:
      # one URI per attribute, each checked with subtree scope
      - name: olcUniqueURI
        values:
          - "ldap:///?mail?sub?"
          - "ldap:///?uid?sub?"
          - "ldap:///?uniqueAbbreviation?sub?"

# deref overlay with no settings of its own; only its presence is managed.
- name: Setup dereferencing for milkypond database
  include_tasks: obj_create_update.yml
  vars:
    obj_name: "milkypond database dereferencing"
    obj_rdn: "olcOverlay=deref"
    obj_base: "{{ milkypond_dn }}"
    obj_classes:
      - olcOverlayConfig
    obj_changes: []

# Run the pending "Restart LDAP Server" handler (TLS files, database
# directory) now, so replication is configured against a server that has
# picked those changes up.
- meta: flush_handlers

# What is replicated: only the schema out of cn=config, the whole data tree
# for milkypond.  Consumed by the three replication tasks that follow.
- name: Define replication data
  set_fact:
    replication_list:
      - name: config
        dn: "olcDatabase={0}config,cn=config"
        searchbase: "cn=schema,cn=config"
        filter: "(objectclass=olcSchemaConfig)"
      - name: milkypond
        dn: "{{ milkypond_dn }}"
        searchbase: "{{ base_dn }}"
        filter: "(objectclass=*)"

# Provider side (master only): syncprov overlay on both replicated databases.
- name: Setup server replication
  include_tasks: obj_create_update.yml
  vars:
    obj_name: "{{ item.name }} database replication"
    obj_rdn: "olcOverlay=syncprov"
    obj_base: "{{ item.dn }}"
    obj_classes: ['olcOverlayConfig', 'olcSyncProvConfig']
    obj_changes:
      # number of operations kept in the session log for consumers catching up
      - name: olcSpSessionlog
        values: "1000"
      - name: olcSpReloadHint
        values: "TRUE"
      # checkpoint the contextCSN every 100 operations or 10 minutes
      - name: olcSpCheckpoint
        values: "100 10"
  when: ldap.directory.is_master|default(False)
  loop: "{{ replication_list }}"

# Consumer side, cn=config: pull the schema from the master.
- name: "Setup client replication #1"
  include_tasks: ldapmodify.yml
  vars:
    dn: "{{ item.dn }}"
    changes:
      # client_synrepl_change is presumably defined in ldif.yml (loaded above)
      - name: olcSyncrepl
        values: "{{ client_synrepl_change }}"
      # needed to be allowed to update cn=config once replication is in place
      # unfortunately partial replication (here, schema only) does "shadow" the whole database
      - name: olcMirrorMode
        values: "TRUE"
  when: not ldap.directory.is_master|default(False) and item.name == 'config'
  loop: "{{ replication_list }}"

# Consumer side, data database: read-only copy that refers writers to the
# master.
- name: "Setup client replication #2"
  include_tasks: ldapmodify.yml
  vars:
    dn: "{{ item.dn }}"
    changes:
      - name: olcSyncrepl
        values: "{{ client_synrepl_change }}"
      # referral returned to clients that try to write here.  Plain ldap://
      # scheme: a client following it is only protected if it issues StartTLS
      # itself - NOTE(review): check that the master's ACLs (ssf=128 on
      # password binds) cover that case, or hand out ldaps:// if it serves it
      - name: olcUpdateRef
        values: "ldap://{{ ldap.directory.master.hostname }}"
  when: not ldap.directory.is_master|default(False) and item.name != 'config'
  loop: "{{ replication_list }}"