---
# vim: set expandtab tabstop=2 shiftwidth=2:
- name: install openldap
  # Server (slapd), the command line tools used by the probe task below
  # (ldapsearch) and the python-ldap binding that the ldap_attr tasks need
  # on the managed host. The binding has to match the Python interpreter
  # Ansible uses on the target (python3-ldap on releases without Python 2).
  apt:
    state: present
    name:
      - slapd
      - ldap-utils
      - python-ldap
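- name: fix acl
  # Access control for the user database. slapd evaluates the rules in
  # order and the first "to" clause that matches an entry/attribute wins,
  # so the password rule has to come before the catch-all.
  # The dn.exact identity below is the local root user bound over ldapi://
  # with SASL EXTERNAL (the same identity the ldapsearch probe uses).
  ldap_attr:
    name: olcAccess
    # The database index is configurable (default: the first mdb database).
    # Jinja has no backslash escape for braces, so the literal "{" and "}"
    # are emitted as string expressions to keep them out of {{ }} syntax.
    dn: "olcDatabase={{ '{' }}{{ ldap_database_index | default(1) }}{{ '}' }}mdb,cn=config"
    state: exact
    values:
      # Password attributes: root and the entry owner may write them,
      # anonymous may only use them to authenticate, nobody else can read.
      - >-
        {0}to attrs=userPassword,shadowLastChange
        by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
        by self write
        by anonymous auth
        by * none
      # Root DSE (empty DN) stays world-readable so clients can discover
      # the server's naming contexts and features.
      - >-
        {1}to dn.base="" by * read
      # Everything else: root writes, anyone -- including anonymous binds --
      # may read. Use "by users read" instead of "by * read" if the directory
      # must not be browsable without authentication.
      - >-
        {2}to *
        by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
        by * read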
- name: set crypto
  # Server-side hashing for the Password Modify extended operation
  # (ldappasswd, PAM password changes): sha512-crypt with 8000 rounds and
  # a 16 character salt. slapd applies olcPasswordHash to that operation
  # only; userPassword values written directly with slapadd/ldapadd are
  # stored exactly as given and must already be hashed.
  ldap_attr:
    dn: cn=config
    name: '{{ item.key }}'
    values: '{{ item.value }}'
    state: exact
  with_dict:
    olcPasswordHash: '{CRYPT}'
    olcPasswordCryptSaltFormat: '$6$rounds=8000$%.16s'
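- name: set base DN
  # Point the mdb database at the configured suffix and name its rootdn.
  # No olcRootPW is set here: cn=root is created as a real entry in the
  # database later ("add base DN"), so slapd authenticates the rootdn
  # against that entry's userPassword.
  ldap_attr:
    # Jinja has no backslash escape for braces: the previous
    # '\{{{ ... }}\}' spelling is not a valid escape and does not render.
    # Emit the literal braces as string expressions instead so the result
    # is e.g. "olcDatabase={1}mdb,cn=config" for the default index.
    dn: "olcDatabase={{ '{' }}{{ ldap_database_index | default(1) }}{{ '}' }}mdb,cn=config"
    name: "{{ item.key }}"
    state: exact
    values: "{{ item.value }}"
  with_dict:
    olcSuffix: "{{ ldap_basedn }}"
    olcRootDN: "cn=root,{{ ldap_basedn }}"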
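- name: base DN exists?
  # Probe the configured suffix over the local socket as root (SASL
  # EXTERNAL). "command" instead of "shell": no shell features are used,
  # and the quoted suffix is passed to ldapsearch as one argument without
  # a shell interpreting it.
  command: ldapsearch -H ldapi:// -Y external -LLL -b {{ ldap_basedn | quote }}
  register: basedn_check
  # Read-only probe; never report a change.
  changed_when: false
  # rc 32 is LDAP noSuchObject: the suffix entry does not exist yet. That
  # is the "needs bootstrapping" case handled below, not a failure.
  failed_when: "basedn_check.rc not in [0, 32]"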
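- name: "Base DN {{ 'exists' if basedn_check.rc == 0 else 'does not exist' }}"
  # Record the probe result as a fact for the bootstrap block below; the
  # task name doubles as a visible status line in the play output.
  set_fact:
    basedn_exists: "{{ basedn_check.rc == 0 }}"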
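- name: prepare base DN
  # One-time bootstrap of the suffix: runs only when the probe above found
  # no base entry, so an existing directory is never touched.
  when: not basedn_exists
  block:
    - name: generate root password
      # Random 20 character password. "/dev/null" tells the lookup not to
      # persist it, so it exists only for this play run.
      set_fact:
        root_passwort: '{{ lookup("password", "/dev/null chars=ascii_letters,digits,hexdigits length=20") }}'
      # Keep the cleartext out of verbose task output; the debug task below
      # is the one deliberate place where it is shown.
      no_log: true

    # Shown exactly once so the operator can record it -- it is stored
    # nowhere else. This also ends up in the play log; disable it where
    # logs are retained and hand the value over another way instead.
    - debug: var=root_passwort

    - name: add base DN
      # Run as the service user, presumably so the database files slapadd
      # creates stay owned by it.
      become: true
      become_user: openldap
      command: slapadd -v
      args:
        # dc/o are the value of the suffix's first RDN
        # (e.g. "dc=example,dc=com" -> "example").
        # slapadd stores userPassword verbatim (olcPasswordHash only
        # applies to the Password Modify operation), so the generated
        # password is hashed here with sha512-crypt and tagged {CRYPT},
        # matching the scheme configured in "set crypto". The old literal
        # "highsecure" left the generated password unused and the rootdn
        # with a well-known cleartext credential.
        stdin: |
          dn: {{ldap_basedn}}
          objectClass: top
          objectClass: dcObject
          objectClass: organization
          dc: {{ldap_basedn | regex_replace('^[^=]+=([^,]+).*', '\1')}}
          o: {{ldap_basedn | regex_replace('^[^=]+=([^,]+).*', '\1')}}

          dn: ou=People,{{ldap_basedn}}
          objectClass: top
          objectClass: organizationalUnit
          structuralObjectClass: organizationalUnit
          ou: People

          dn: ou=Groups,{{ldap_basedn}}
          objectClass: top
          objectClass: organizationalUnit
          structuralObjectClass: organizationalUnit
          ou: Groups

          dn: cn=root,{{ldap_basedn}}
          objectClass: simpleSecurityObject
          objectClass: organizationalRole
          structuralObjectClass: organizationalRole
          cn: root
          description: LDAP administrator
          userPassword: {CRYPT}{{ root_passwort | password_hash('sha512') }}

# Disabled in the original; kept for reference.
# - name: update in ldap.conf
#   lineinfile:
#     path: /etc/ldap/ldap.conf
#     regexp: "^{{item.key}}"
#     insertafter: "^#{{item.key}}"
#     line: "{{item.key}} {{item.value}}"
#   with_dict:
#     BASE: '{{ldap_basedn}}'
#     URI: ldapi://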