103 lines
2.9 KiB
YAML
103 lines
2.9 KiB
YAML
---
|
|
# vim: set expandtab tabstop=2 shiftwidth=2:
|
|
|
|
- name: install openldap
|
|
apt:
|
|
name:
|
|
- slapd
|
|
- ldap-utils
|
|
- python-ldap
|
|
|
|
- name: fix acl
|
|
community.general.ldap_attrs:
|
|
dn: olcDatabase={1}mdb,cn=config
|
|
state: exact
|
|
attributes:
|
|
olcAccess:
|
|
- >-
|
|
{0}to attrs=userPassword,shadowLastChange
|
|
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
|
|
by self write
|
|
by anonymous auth
|
|
by * none
|
|
- >-
|
|
{1}to dn.base="" by * read
|
|
- >-
|
|
{2}to *
|
|
by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth write
|
|
by * read
|
|
- name: set crypto
|
|
community.general.ldap_attrs:
|
|
dn: cn=config
|
|
state: exact
|
|
attributes:
|
|
olcPasswordHash: '{CRYPT}'
|
|
olcPasswordCryptSaltFormat: "$6$rounds=8000$%.16s"
|
|
|
|
- name: set base DN
|
|
community.general.ldap_attrs:
|
|
dn: 'olcDatabase={{"{"+(ldap_database_index|default(1)|string)+"}"}}mdb,cn=config'
|
|
state: exact
|
|
attributes:
|
|
olcSuffix: "{{ldap_basedn}}"
|
|
olcRootDN: "cn=root,{{ldap_basedn}}"
|
|
|
|
- name: base DN exists?
|
|
shell: ldapsearch -H ldapi:// -Y external -LLL -b {{ldap_basedn|quote}}
|
|
register: basedn_check
|
|
changed_when: no
|
|
failed_when: "basedn_check.rc != 0 and basedn_check.rc != 32"
|
|
- name: "Base DN {{'exists' if basedn_check.rc == 0 else 'does not exists'}}"
|
|
set_fact:
|
|
basedn_exists: "{{basedn_check.rc == 0}}"
|
|
|
|
- name: prepare base DN
|
|
when: not basedn_exists
|
|
block:
|
|
- name: generate root password
|
|
set_fact:
|
|
root_password: '{{lookup("password", "/dev/null chars=ascii_letters,digits,hexdigits length=20")}}'
|
|
- debug: var=root_passwort
|
|
- name: add base DN
|
|
become: yes
|
|
become_user: openldap
|
|
shell: slapadd -v
|
|
args:
|
|
stdin: |
|
|
dn: {{ldap_basedn}}
|
|
objectClass: top
|
|
objectClass: dcObject
|
|
objectClass: organization
|
|
dc: {{ldap_basedn | regex_replace( '^[^=]+=([^,]+).*', '\1')}}
|
|
o: {{ldap_basedn | regex_replace( '^[^=]+=([^,]+).*', '\1')}}
|
|
|
|
dn: ou=People,{{ldap_basedn}}
|
|
objectClass: top
|
|
objectClass: organizationalUnit
|
|
structuralObjectClass: organizationalUnit
|
|
ou: People
|
|
|
|
dn: ou=Groups,{{ldap_basedn}}
|
|
objectClass: top
|
|
objectClass: organizationalUnit
|
|
structuralObjectClass: organizationalUnit
|
|
ou: Groups
|
|
|
|
dn: cn=root,{{ldap_basedn}}
|
|
objectClass: simpleSecurityObject
|
|
objectClass: organizationalRole
|
|
structuralObjectClass: organizationalRole
|
|
cn: root
|
|
description: LDAP administrator
|
|
userPassword: {{root_password}}
|
|
|
|
# - name: update in ldap.conf
|
|
# lineinfile:
|
|
# path: /etc/ldap/ldap.conf
|
|
# regexp: "^{{item.key}}"
|
|
# insertafter: "^#{{item.key}}"
|
|
# line: "{{item.key}} {{item.value}}"
|
|
# with_dict:
|
|
# BASE: '{{ldap_basedn}}'
|
|
# URI: ldapi://
|