initial commit

This commit is contained in:
Robert Kaussow 2018-12-01 01:31:11 +01:00
parent 817124f36b
commit d00768f623
8 changed files with 180 additions and 0 deletions

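--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,24 @@
+---
+ldap_proxy_urls:
+- "ldapi:/// ldap:///"
+ldap_proxy_options: []
+# You can deploy your certificates from a file or from content.
+# If you enable ldap_proxy_tls_source_use_content you have to put the content of your cert files into
+# ldap_proxy_tls_cert_path and ldap_proxy_tls_cert_path.
+ldap_proxy_tls_source_use_content: False
+# If you enable ldap_proxy_tls_source_use_files theses variables have to contain the path to your
+# certificate files located on the ansible "master" host
+ldap_proxy_tls_source_use_files: True
+ldap_proxy_tls_cert_source: mycert.pem
+ldap_proxy_tls_key_source: mykey.pem
+ldap_proxy_tls_ca_source: ca.pem
+ldap_proxy_tls_cert_path: /etc/openldap/certs/mycert.pem
+ldap_proxy_tls_key_path: /etc/openldap/certs/mykey.pem
+ldap_proxy_tls_ca_path: /etc/openldap/certs/ca.path
+ldap_proxy_server: "ldap://ad.example.com:389"
+ldap_proxy_server_suffix: "dc=example,dc=com"
+ldap_proxy_readonly_enabled: True
+ldap_proxy_loglevel: 0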
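Review bot: `ldap_proxy_tls_ca_path: /etc/openldap/certs/ca.path` looks like a typo for `ca.pem` (the matching source default is `ca.pem`), and nothing in tasks/tls.yml copies `ldap_proxy_tls_ca_source` to that path even though slapd.conf.j2 references it via `TLSCACertificateFile`, so the CA either needs its own entry in the copy loops or a comment stating it must be placed by other means. The comment on the content-source option names `ldap_proxy_tls_cert_path` twice; the second occurrence should read `ldap_proxy_tls_key_path`. `ldap_proxy_urls` holds one element `"ldapi:/// ldap:///"` that the sysconfig template later `join(' ')`s, so two entries `- "ldapi:///"` and `- "ldap:///"` express the same listeners without the embedded space. The capitalised `False`/`True` values are better written `false`/`true`, the form yamllint's truthy rule expects.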

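--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- block:
+- name: Reload openldap service
+systemd:
+state: restarted
+name: slapd
+listen: __slapd_restart
+become: True
+become_user: root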
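Review bot: The handler is named `Reload openldap service` but uses `state: restarted`, so a notify actually restarts slapd and drops open client connections; `- name: Restart openldap service` says what it does. Wrapping a single handler in a `block:` only to carry `become: True` / `become_user: root` adds a nesting level; both keys can sit on the handler itself, and `become: true` in lowercase keeps yamllint's truthy rule quiet.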

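--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include_tasks: setup.yml
+- import_tasks: tls.yml
+- include_tasks: post_tasks.yml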
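Review bot: The entry point mixes dynamic `include_tasks` (setup.yml, post_tasks.yml) with a static `import_tasks` (tls.yml) for no visible reason; none of the three carries a loop or a play-time condition, so one form — `- import_tasks:` for all three — keeps tag inheritance and `--list-tasks` output uniform. A one-line comment above the list stating the intended order (install packages, deploy TLS material, ensure the service is running) would help a reader who opens this file first.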

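--- a/tasks/post_tasks.yml
+++ b/tasks/post_tasks.yml
@@ -0,0 +1,8 @@
+---
+- name: Make sure openldap service is up and running
+systemd:
+state: started
+enabled: yes
+name: slapd
+become: True
+become_user: root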
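Review bot: `enabled: yes` and `become: True` rely on YAML 1.1 boolean parsing; `enabled: true` and `become: true` are the lowercase forms yamllint's truthy rule accepts and read identically across parsers. The `become` / `become_user: root` pair is repeated here and on the blocks in setup.yml and tls.yml; since every task in the role needs root, setting `become` once at role or play level would remove the duplication.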

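--- a/tasks/setup.yml
+++ b/tasks/setup.yml
@@ -0,0 +1,29 @@
+---
+- block:
+- name: Install required packages
+package:
+name: "{{ item }}"
+state: present
+with_items:
+- openldap-servers
+- openldap-clients
+- name: Deploy environment file
+template:
+src: "etc/sysconfig/slapd.j2"
+dest: "/etc/sysconfig/slapd"
+owner: root
+group: root
+mode: 0644
+notify: __slapd_restart
+- name: Deploy config file
+template:
+src: "etc/openldap/slapd.conf.j2"
+dest: "/etc/openldap/slapd.conf"
+owner: root
+group: root
+mode: 0644
+notify: __slapd_restart
+become: True
+become_user: root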
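Review bot: The `Deploy config file` task writes `/etc/openldap/slapd.conf` with no `validate:`, so a broken render is only discovered when the `__slapd_restart` handler takes the service down; `validate: 'slaptest -u -f %s'` on that task rejects the new file before it replaces the live one. `mode: 0644` on both template tasks is an unquoted leading-zero literal that YAML 1.1 parsers read as the octal integer 420 — Ansible copes, but `mode: '0644'` is the form the Ansible documentation recommends and removes the ambiguity. The package loop installs one package per iteration via `name: "{{ item }}"`; the role already uses `include_tasks`/`import_tasks`, so `loop:` is available, or the two names can be passed as a list to `name:`, which the common package backends handle in one transaction. `become: True` reads better as `become: true`.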

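--- a/tasks/tls.yml
+++ b/tasks/tls.yml
@@ -0,0 +1,50 @@
+---
+- block:
+- name: Create tls folder structure
+file:
+path: "{{ item }}"
+state: directory
+owner: root
+group: root
+selevel: s0
+serole: object_r
+setype: slapd_cert_t
+seuser: system_u
+recurse: True
+with_items:
+- "{{ ldap_proxy_tls_cert_path | dirname }}"
+- "{{ ldap_proxy_tls_key_path | dirname }}"
+- name: Copy certs and private key (file)
+copy:
+src: "{{ item.src }}"
+dest: "{{ item.dest }}"
+mode: "{{ item.mode }}"
+selevel: s0
+serole: object_r
+setype: slapd_cert_t
+seuser: system_u
+with_items:
+- { src: "{{ ldap_proxy_tls_key_source }}", dest: '{{ ldap_proxy_tls_key_path }}', mode: '0600' }
+- { src: "{{ ldap_proxy_tls_cert_source }}", dest: '{{ ldap_proxy_tls_cert_path }}', mode: '0750' }
+loop_control:
+label: "{{ item.dest }}"
+when: ldap_proxy_tls_source_use_files
+- name: Copy certs and private key (content)
+copy:
+content: "{{ item.src }}"
+dest: "{{ item.dest }}"
+mode: "{{ item.mode }}"
+selevel: s0
+serole: object_r
+setype: slapd_cert_t
+seuser: system_u
+with_items:
+- { src: "{{ ldap_proxy_tls_key_source }}", dest: '{{ ldap_proxy_tls_key_path }}', mode: '0600' }
+- { src: "{{ ldap_proxy_tls_cert_source }}", dest: '{{ ldap_proxy_tls_cert_path }}', mode: '0750' }
+loop_control:
+label: "{{ item.dest }}"
+when: ldap_proxy_tls_source_use_content
+become: True
+become_user: root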
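Review bot: The private key is copied with `mode: '0600'` and no `owner`/`group`, so it ends up owned by the `become` user root; if slapd runs as an unprivileged account (the RHEL-family unit runs it as `ldap`), the daemon cannot read its own key and TLS initialisation fails at start — `owner: root`, `group: ldap`, `mode: '0640'` on the key entry is the usual arrangement, to be confirmed against the target's slapd.service. The certificate entry uses `mode: '0750'`, an executable bit that has no meaning for a PEM file; `'0644'` is enough for a public certificate. Both copy tasks carry an identical `with_items` list of flow mappings that mix `"` and `'` quoting; lifting that list into a variable, or writing each item in block style, keeps the two tasks in sync and easier to read. `ldap_proxy_tls_source_use_files` and `ldap_proxy_tls_source_use_content` are independent flags, so with both enabled the second task overwrites the files just copied, writing the source variable values as literal content. The block's `become: True` reads better as `become: true`.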


@ -0,0 +1,44 @@
#jinja2: lstrip_blocks: True
# {{ ansible_managed }}
### Schema includes ###########################################################
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
## Module paths ##############################################################
modulepath /usr/lib64/openldap/
modulepath /usr/lib64/openldap
moduleload back_ldap
moduleload rwm
# Main settings ###############################################################
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCertificateFile {{ ldap_proxy_tls_cert_path }}
TLSCertificateKeyFile {{ ldap_proxy_tls_key_path }}
TLSCACertificateFile {{ ldap_proxy_tls_ca_path }}
TLSCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
TLSProtocolMin 3.1
### Database definition (Proxy to AD) #########################################
database ldap
{% if ldap_proxy_readonly_enabled %}
readonly yes
{% endif %}
lastmod off
rebind-as-user
uri "{{ ldap_proxy_server }}"
suffix "{{ ldap_proxy_server_suffix }}"
### Logging ###################################################################
loglevel {{ ldap_proxy_loglevel }}
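Review bot: `TLSProtocolMin 3.1` sets the listener floor at TLS 1.0; `TLSProtocolMin 3.3` (TLS 1.2) is the current baseline, and dropping `MEDIUM` from `TLSCipherSuite` follows for the same reason. The proxy database has no `tls` directive and the default `uri` is `ldap://ad.example.com:389`, so the user credentials that `rebind-as-user` forwards to the backend cross the network in clear text unless the operator overrides the URL; a `tls start` line (slapd-ldap(5)) after `uri`, or an `ldaps://` default, closes that gap and should be documented next to `ldap_proxy_server` in defaults/main.yml. `modulepath /usr/lib64/openldap/` and `modulepath /usr/lib64/openldap` name the same directory twice; one entry is enough. `moduleload rwm` is loaded but no `overlay rwm` line uses it, so it can be left out until a rewrite rule needs it. This section's file-name header is missing from the page; the hunk appears to be the whole template.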


@ -0,0 +1,12 @@
# {{ ansible_managed }}
# OpenLDAP server configuration
# see 'man slapd' for additional information
# Where the server will run (-h option)
SLAPD_URLS="{{ ldap_proxy_urls | join(' ') }}"
# Any custom options
SLAPD_OPTIONS="{{ ldap_proxy_options | join(' ') }}"
# Keytab location for GSSAPI Kerberos authentication
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
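Review bot: `SLAPD_URLS` renders the default `ldap:///`, which listens in clear text on every interface on 389, while no `ldaps:///` listener is offered even though the role deploys a certificate and key; an `ldaps:///` entry in `ldap_proxy_urls`, or a comment in defaults/main.yml stating that StartTLS on 389 is the intended mode, would make the expected transport explicit. The hunk header announces 12 lines but only 9 are shown, so blank separator lines were likely lost in rendering, and this section's file-name header is missing from the page.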