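---
# vim: set expandtab tabstop=2 shiftwidth=2:
#
# Installs OpenLDAP (slapd) on a Debian-style host and configures it:
#   1. access rules on the primary mdb database
#   2. password hashing scheme ({CRYPT}, SHA-512 salt format)
#   3. suffix and root DN of the database
#   4. seeds the base DN (People / Groups OUs and the cn=root admin entry)
#      when the suffix is configured but not yet populated
#
# Required variables:
#   ldap_basedn          - suffix of the directory, e.g. dc=example,dc=org
# Optional variables:
#   ldap_database_index  - index of the olcDatabase entry in cn=config (default 1)
#
# All ldap_attr tasks talk to slapd over ldapi:// with SASL EXTERNAL as root,
# which is what the "dn.exact=gidNumber=0+uidNumber=0,cn=peercred,..." ACL
# entries below grant write access to.

- name: install openldap
  apt:
    name:
      - slapd
      - ldap-utils
      # python bindings are needed on the target for the ldap_attr module
      - python-ldap

# The {0}/{1}/{2} prefixes fix the evaluation order of the ACL entries;
# "state: exact" replaces whatever olcAccess values the package shipped with.
- name: fix acl
  ldap_attr:
    name: olcAccess
    # same database entry as "set base DN" below; {{ '{' }} / {{ '}' }} emit the
    # literal braces of the RDN without handing Jinja a "{{{" sequence
    dn: "olcDatabase={{ '{' }}{{ ldap_database_index | default(1) }}{{ '}' }}mdb,cn=config"
    state: exact
    values:
      # passwords: root (via ldapi) may write, users may change their own,
      # anonymous may only bind against them, nobody else sees them
      - >-
        {0}to attrs=userPassword,shadowLastChange
        by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
        by self write
        by anonymous auth
        by * none
      # root DSE stays readable so clients can discover naming contexts
      - >-
        {1}to dn.base="" by * read
      # everything else: root writes, everyone reads
      - >-
        {2}to *
        by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
        by * read

# Hash passwords set through LDAP password-modify with crypt(3) SHA-512;
# "%.16s" takes the first 16 characters of the generated salt.
- name: set crypto
  ldap_attr:
    dn: cn=config
    name: "{{ item.key }}"
    state: exact
    values: "{{ item.value }}"
  with_dict:
    olcPasswordHash: '{CRYPT}'
    olcPasswordCryptSaltFormat: '$6$rounds=8000$%.16s'

- name: set base DN
  ldap_attr:
    dn: "olcDatabase={{ '{' }}{{ ldap_database_index | default(1) }}{{ '}' }}mdb,cn=config"
    name: "{{ item.key }}"
    state: exact
    values: "{{ item.value }}"
  with_dict:
    olcSuffix: "{{ ldap_basedn }}"
    olcRootDN: "cn=root,{{ ldap_basedn }}"

# Probe the suffix over the local socket. "quote" shell-escapes the base DN so
# a DN containing spaces or metacharacters cannot break the argument list.
- name: base DN exists?
  command: ldapsearch -H ldapi:// -Y external -LLL -b {{ ldap_basedn | quote }}
  register: basedn_check
  changed_when: false
  # rc 32 is LDAP noSuchObject: the suffix is configured but not yet populated;
  # any other non-zero rc is a real error
  failed_when: "basedn_check.rc != 0 and basedn_check.rc != 32"

- name: "Base DN {{ 'exists' if basedn_check.rc == 0 else 'does not exist' }}"
  set_fact:
    basedn_exists: "{{ basedn_check.rc == 0 }}"

- name: prepare base DN
  when: not basedn_exists
  block:
    # /dev/null as the lookup path means the password is generated fresh and
    # not persisted on the controller; no_log keeps it out of the task output.
    - name: generate root password
      set_fact:
        root_passwort: "{{ lookup('password', '/dev/null chars=ascii_letters,digits,hexdigits length=20') }}"
      no_log: true

    # Printed exactly once so the operator can record the new admin password;
    # nothing else keeps a copy of it. Drop this task (or point the password
    # lookup at a file instead of /dev/null) when play output goes to shared logs.
    - name: show generated root password
      debug:
        var: root_passwort

    # slapadd writes the database files directly, so it runs as the service
    # user (presumably to keep file ownership correct for slapd - confirm).
    # The admin entry stores a crypt(3) SHA-512 hash of the generated password,
    # matching the {CRYPT} scheme configured in "set crypto" above, instead of
    # a fixed clear-text value.
    - name: add base DN
      become: true
      become_user: openldap
      command: slapadd -v
      args:
        stdin: |
          dn: {{ ldap_basedn }}
          objectClass: top
          objectClass: dcObject
          objectClass: organization
          dc: {{ ldap_basedn | regex_replace('^[^=]+=([^,]+).*', '\1') }}
          o: {{ ldap_basedn | regex_replace('^[^=]+=([^,]+).*', '\1') }}

          dn: ou=People,{{ ldap_basedn }}
          objectClass: top
          objectClass: organizationalUnit
          structuralObjectClass: organizationalUnit
          ou: People

          dn: ou=Groups,{{ ldap_basedn }}
          objectClass: top
          objectClass: organizationalUnit
          structuralObjectClass: organizationalUnit
          ou: Groups

          dn: cn=root,{{ ldap_basedn }}
          objectClass: simpleSecurityObject
          objectClass: organizationalRole
          structuralObjectClass: organizationalRole
          cn: root
          description: LDAP administrator
          userPassword: {CRYPT}{{ root_passwort | password_hash('sha512') }}

# - name: update in ldap.conf
#   lineinfile:
#     path: /etc/ldap/ldap.conf
#     regexp: "^{{ item.key }}"
#     insertafter: "^#{{ item.key }}"
#     line: "{{ item.key }} {{ item.value }}"
#   with_dict:
#     BASE: '{{ ldap_basedn }}'
#     URI: ldapi://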