initial commit

defaults/main.yml

@@ -0,0 +1,24 @@
+---
+ldap_proxy_urls:
+  - "ldapi:/// ldap:///"
+ldap_proxy_options: []
+
+# You can deploy your certificates from a file or from content.
+# If you enable ldap_proxy_tls_source_use_content you have to put the content of your cert files into
+# ldap_proxy_tls_cert_path and ldap_proxy_tls_cert_path.
+ldap_proxy_tls_source_use_content: False
+# If you enable ldap_proxy_tls_source_use_files theses variables have to contain the path to your
+# certificate files located on the ansible "master" host
+ldap_proxy_tls_source_use_files: True
+ldap_proxy_tls_cert_source: mycert.pem
+ldap_proxy_tls_key_source: mykey.pem
+ldap_proxy_tls_ca_source: ca.pem
+ldap_proxy_tls_cert_path: /etc/openldap/certs/mycert.pem
+ldap_proxy_tls_key_path: /etc/openldap/certs/mykey.pem
+ldap_proxy_tls_ca_path: /etc/openldap/certs/ca.path
+
+ldap_proxy_server: "ldap://ad.example.com:389"
+ldap_proxy_server_suffix: "dc=example,dc=com"
+ldap_proxy_readonly_enabled: True
+
+ldap_proxy_loglevel: 0

handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- block:
+    - name: Reload openldap service
+      systemd:
+        state: restarted
+        name: slapd
+      listen: __slapd_restart
+  become: True
+  become_user: root

tasks/main.yml

@@ -0,0 +1,4 @@
+---
+- include_tasks: setup.yml
+- import_tasks: tls.yml
+- include_tasks: post_tasks.yml

tasks/post_tasks.yml

@@ -0,0 +1,8 @@
+---
+- name: Make sure openldap service is up and running
+  systemd:
+    state: started
+    enabled: yes
+    name: slapd
+  become: True
+  become_user: root

tasks/setup.yml

@@ -0,0 +1,29 @@
+---
+- block:
+    - name: Install required packages
+      package:
+        name: "{{ item }}"
+        state: present
+      with_items:
+        - openldap-servers
+        - openldap-clients
+
+    - name: Deploy environment file
+      template:
+        src: "etc/sysconfig/slapd.j2"
+        dest: "/etc/sysconfig/slapd"
+        owner: root
+        group: root
+        mode: 0644
+      notify:  __slapd_restart
+
+    - name: Deploy config file
+      template:
+        src: "etc/openldap/slapd.conf.j2"
+        dest: "/etc/openldap/slapd.conf"
+        owner: root
+        group: root
+        mode: 0644
+      notify:  __slapd_restart
+  become: True
+  become_user: root

tasks/tls.yml

@@ -0,0 +1,50 @@
+---
+- block:
+    - name: Create tls folder structure
+      file:
+        path: "{{ item }}"
+        state: directory
+        owner: root
+        group: root
+        selevel: s0
+        serole: object_r
+        setype: slapd_cert_t
+        seuser: system_u
+        recurse: True
+      with_items:
+        - "{{ ldap_proxy_tls_cert_path | dirname }}"
+        - "{{ ldap_proxy_tls_key_path | dirname }}"
+
+    - name: Copy certs and private key (file)
+      copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        mode: "{{ item.mode }}"
+        selevel: s0
+        serole: object_r
+        setype: slapd_cert_t
+        seuser: system_u
+      with_items:
+        - { src: "{{ ldap_proxy_tls_key_source }}", dest: '{{ ldap_proxy_tls_key_path }}', mode: '0600' }
+        - { src: "{{ ldap_proxy_tls_cert_source }}", dest: '{{ ldap_proxy_tls_cert_path }}', mode: '0750' }
+      loop_control:
+        label: "{{ item.dest }}"
+      when: ldap_proxy_tls_source_use_files
+
+    - name: Copy certs and private key (content)
+      copy:
+        content: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        mode: "{{ item.mode }}"
+        selevel: s0
+        serole: object_r
+        setype: slapd_cert_t
+        seuser: system_u
+      with_items:
+        - { src: "{{ ldap_proxy_tls_key_source }}", dest: '{{ ldap_proxy_tls_key_path }}', mode: '0600' }
+        - { src: "{{ ldap_proxy_tls_cert_source }}", dest: '{{ ldap_proxy_tls_cert_path }}', mode: '0750' }
+      loop_control:
+        label: "{{ item.dest }}"
+      when: ldap_proxy_tls_source_use_content
+  become: True
+  become_user: root

templates/etc/openldap/slapd.conf.j2

@@ -0,0 +1,44 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+### Schema includes ###########################################################
+include         /etc/openldap/schema/corba.schema
+include         /etc/openldap/schema/core.schema
+include         /etc/openldap/schema/cosine.schema
+include         /etc/openldap/schema/duaconf.schema
+include         /etc/openldap/schema/dyngroup.schema
+include         /etc/openldap/schema/inetorgperson.schema
+include         /etc/openldap/schema/java.schema
+include         /etc/openldap/schema/misc.schema
+include         /etc/openldap/schema/nis.schema
+include         /etc/openldap/schema/openldap.schema
+include         /etc/openldap/schema/ppolicy.schema
+include         /etc/openldap/schema/collective.schema
+
+## Module paths ##############################################################
+modulepath              /usr/lib64/openldap/
+modulepath              /usr/lib64/openldap
+moduleload              back_ldap
+moduleload              rwm
+
+# Main settings ###############################################################
+pidfile                 /var/run/openldap/slapd.pid
+argsfile                /var/run/openldap/slapd.args
+
+TLSCertificateFile      {{ ldap_proxy_tls_cert_path }}
+TLSCertificateKeyFile   {{ ldap_proxy_tls_key_path }}
+TLSCACertificateFile    {{ ldap_proxy_tls_ca_path }}
+TLSCipherSuite          HIGH:MEDIUM:!aNULL:!MD5:!RC4
+TLSProtocolMin          3.1
+
+### Database definition (Proxy to AD) #########################################
+database                ldap
+{% if ldap_proxy_readonly_enabled %}
+readonly                yes
+{% endif %}
+lastmod                 off
+rebind-as-user
+uri                     "{{ ldap_proxy_server }}"
+suffix                  "{{ ldap_proxy_server_suffix }}"
+
+### Logging ###################################################################
+loglevel                {{ ldap_proxy_loglevel }}

templates/etc/sysconfig/slapd.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+# OpenLDAP server configuration
+# see 'man slapd' for additional information
+
+# Where the server will run (-h option)
+SLAPD_URLS="{{ ldap_proxy_urls | join(' ') }}"
+
+# Any custom options
+SLAPD_OPTIONS="{{ ldap_proxy_options | join(' ') }}"
+
+# Keytab location for GSSAPI Kerberos authentication
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"