Denis Knauf 2020-11-07 23:12:01 +01:00
commit 0113277fd1
9 changed files with 240 additions and 0 deletions

24
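--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,24 @@
+# ---> Ansible
+*.retry
+# ---> Vim
+# Swap
+[._]*.s[a-v][a-z]
+!*.svg # comment out if you don't need vector files
+[._]*.sw[a-p]
+[._]s[a-rt-v][a-z]
+[._]ss[a-gi-z]
+[._]sw[a-p]
+# Session
+Session.vim
+Sessionx.vim
+# Temporary
+.netrwhist
+*~
+# Auto-generated tag files
+tags
+# Persistent undo
+[._]*.un~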

43
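--- a/README.adoc
+++ b/README.adoc
@@ -0,0 +1,43 @@
+OpenLDAP
+========
+Primary for using as `ldapi://` for example for mail-servers.
+Requirements
+------------
+You need to have debian (or compatible, like ubuntu) or alpine already installed.
+* sshd
+Role Variables
+--------------
+ldap_basedn::
+Your basedn like `cn=example,cn=org`.
+Example Playbook
+----------------
+----
+---
+# vim: set expandtab tabstop=2 shiftwidth=2:
+- hosts: ldapserver
+remote_user: root
+become: false
+tasks:
+- import_role:
+name: denkn.ldapi
+----
+License
+-------
+AGPLv3
+Author Information
+------------------
+Denis Knauf - https://git.denkn.at/deac/ansible-role-ldapi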

2
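--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for ldap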

2
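--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,2 @@
+---
+# handlers file for ldap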

53
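--- a/meta/main.yml
+++ b/meta/main.yml
@@ -0,0 +1,53 @@
+galaxy_info:
+author: your name
+description: your role description
+company: your company (optional)
+# If the issue tracker for your role is not on github, uncomment the
+# next line and provide a value
+# issue_tracker_url: http://example.com/issue/tracker
+# Choose a valid license ID from https://spdx.org - some suggested licenses:
+# - BSD-3-Clause (default)
+# - MIT
+# - GPL-2.0-or-later
+# - GPL-3.0-only
+# - Apache-2.0
+# - CC-BY-4.0
+license: license (GPL-2.0-or-later, MIT, etc)
+min_ansible_version: 2.9
+# If this a Container Enabled role, provide the minimum Ansible Container version.
+# min_ansible_container_version:
+#
+# Provide a list of supported platforms, and for each platform a list of versions.
+# If you don't wish to enumerate all versions for a particular platform, use 'all'.
+# To view available platforms and versions (or releases), visit:
+# https://galaxy.ansible.com/api/v1/platforms/
+#
+# platforms:
+# - name: Fedora
+# versions:
+# - all
+# - 25
+# - name: SomePlatform
+# versions:
+# - all
+# - 1.0
+# - 7
+# - 99.99
+galaxy_tags: []
+# List tags for your role here, one per line. A tag is a keyword that describes
+# and categorizes the role. Users find roles by searching for tags. Be sure to
+# remove the '[]' above, if you add tags to this list.
+#
+# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+# Maximum 20 tags per role.
+dependencies: []
+# List your role dependencies here, one per line. Be sure to remove the '[]' above,
+# if you add dependencies to this list.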
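Review bot: The Galaxy metadata is still the unfilled skeleton — `author: your name`, `description: your role description`, `company: your company (optional)` and `license: license (GPL-2.0-or-later, MIT, etc)` are placeholder strings, and the license field disagrees with the AGPLv3 stated in README.adoc in this same commit. ansible-galaxy will accept the file, but any import or publish of the role then carries a bogus author and license. Fill in the real values, e.g. `author: Denis Knauf` and `license: AGPL-3.0-only` (or `AGPL-3.0-or-later`, whichever the author intends; both are valid SPDX ids), and give `description:` the role's one-line purpose. Minor: `min_ansible_version: 2.9` parses as a float; quoting it as `"2.9"` avoids the `2.10` → `2.1` retyping trap later.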

107
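--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,107 @@
+---
+# vim: set expandtab tabstop=2 shiftwidth=2:
+- name: install openldap
+apt:
+name:
+- slapd
+- ldap-utils
+- python-ldap
+- name: fix acl
+ldap_attr:
+name: olcAccess
+dn: olcDatabase={1}mdb,cn=config
+state: exact
+values:
+- >-
+{0}to attrs=userPassword,shadowLastChange
+by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
+by self write
+by anonymous auth
+by * none
+- >-
+{1}to dn.base="" by * read
+- >-
+{2}to *
+by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
+by * read
+- name: set crypto
+ldap_attr:
+dn: cn=config
+name: "{{item.key}}"
+state: exact
+values: "{{item.value}}"
+with_dict:
+olcPasswordHash: '{CRYPT}'
+olcPasswordCryptSaltFormat: "$6$rounds=8000$%.16s"
+- name: set base DN
+ldap_attr:
+dn: 'olcDatabase=\{{{ldap_database_index|default(1)}}\}mdb,cn=config'
+name: "{{item.key}}"
+state: exact
+values: "{{item.value}}"
+with_dict:
+olcSuffix: "{{ldap_basedn}}"
+olcRootDN: "cn=root,{{ldap_basedn}}"
+- name: base DN exists?
+shell: ldapsearch -H ldapi:// -Y external -LLL -b {{ldap_basedn|quote}}
+register: basedn_check
+changed_when: no
+failed_when: "basedn_check.rc != 0 and basedn_check.rc != 32"
+- name: "Base DN {{'exists' if basedn_check.rc == 0 else 'does not exists'}}"
+set_fact:
+basedn_exists: "{{basedn_check.rc == 0}}"
+- name: prepare base DN
+when: not basedn_exists
+block:
+- name: generate root password
+set_fact:
+root_passwort: '{{lookup("password", "/dev/null chars=ascii_letters,digits,hexdigits length=20")}}'
+- debug: var=root_passwort
+- debug: var=root_passwort
+- name: add base DN
+become: yes
+become_user: openldap
+shell: slapadd -v
+args:
+stdin: |
+dn: {{ldap_basedn}}
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+dc: {{ldap_basedn | regex_replace('^[^=]+=([^,]+).*', '\1')}}
+o: {{ldap_basedn | regex_replace('^[^=]+=([^,]+).*', '\1')}}
+dn: ou=People,{{ldap_basedn}}
+objectClass: top
+objectClass: organizationalUnit
+structuralObjectClass: organizationalUnit
+ou: People
+dn: ou=Groups,{{ldap_basedn}}
+objectClass: top
+objectClass: organizationalUnit
+structuralObjectClass: organizationalUnit
+ou: Groups
+dn: cn=root,{{ldap_basedn}}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+structuralObjectClass: organizationalRole
+cn: root
+description: LDAP administrator
+userPassword: highsecure
+# - name: update in ldap.conf
+# lineinfile:
+# path: /etc/ldap/ldap.conf
+# regexp: "^{{item.key}}"
+# insertafter: "^#{{item.key}}"
+# line: "{{item.key}} {{item.value}}"
+# with_dict:
+# BASE: '{{ldap_basedn}}'
+# URI: ldapi://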
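Review bot: The `add base DN` task writes `userPassword: highsecure` into the `cn=root,{{ldap_basedn}}` entry — a fixed cleartext directory-administrator password that is identical on every host this role provisions — while the `root_passwort` value generated in the `generate root password` task is never used for anything except being printed by the two `debug: var=root_passwort` tasks. slapadd stores the attribute value verbatim (the `olcPasswordHash` set in `set crypto` only governs the Password Modify operation), so the generated secret should be supplied pre-hashed, e.g. `userPassword: {CRYPT}{{ root_passwort | password_hash('sha512') }}`, with `no_log: true` on the `set_fact` task and both debug tasks removed so the value does not end up in job output. Because nothing persists the generated password, the operator will still need a way to receive it — that is a separate design point the role should document. Minor: `changed_when: no` and `become: yes` should be `false`/`true`, and `fix acl` hard-codes `olcDatabase={1}mdb` whereas `set base DN` derives the index from `ldap_database_index|default(1)`, so the two can diverge.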

2
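--- a/tests/inventory
+++ b/tests/inventory
@@ -0,0 +1,2 @@
+localhost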

5
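--- a/tests/test.yml
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+remote_user: root
+roles:
+- ldapi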

2
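--- a/vars/main.yml
+++ b/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for ldap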