initial commit
This commit is contained in:
parent
817124f36b
commit
d00768f623
|
|
@ -0,0 +1,24 @@
|
|||
---
|
||||
ldap_proxy_urls:
|
||||
- "ldapi:/// ldap:///"
|
||||
ldap_proxy_options: []
|
||||
|
||||
# You can deploy your certificates from a file or from content.
|
||||
# If you enable ldap_proxy_tls_source_use_content you have to put the content of your cert files into
|
||||
# ldap_proxy_tls_cert_path and ldap_proxy_tls_cert_path.
|
||||
ldap_proxy_tls_source_use_content: False
|
||||
# If you enable ldap_proxy_tls_source_use_files theses variables have to contain the path to your
|
||||
# certificate files located on the ansible "master" host
|
||||
ldap_proxy_tls_source_use_files: True
|
||||
ldap_proxy_tls_cert_source: mycert.pem
|
||||
ldap_proxy_tls_key_source: mykey.pem
|
||||
ldap_proxy_tls_ca_source: ca.pem
|
||||
ldap_proxy_tls_cert_path: /etc/openldap/certs/mycert.pem
|
||||
ldap_proxy_tls_key_path: /etc/openldap/certs/mykey.pem
|
||||
ldap_proxy_tls_ca_path: /etc/openldap/certs/ca.path
|
||||
|
||||
ldap_proxy_server: "ldap://ad.example.com:389"
|
||||
ldap_proxy_server_suffix: "dc=example,dc=com"
|
||||
ldap_proxy_readonly_enabled: True
|
||||
|
||||
ldap_proxy_loglevel: 0
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
- block:
|
||||
- name: Reload openldap service
|
||||
systemd:
|
||||
state: restarted
|
||||
name: slapd
|
||||
listen: __slapd_restart
|
||||
become: True
|
||||
become_user: root
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
- include_tasks: setup.yml
|
||||
- import_tasks: tls.yml
|
||||
- include_tasks: post_tasks.yml
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
- name: Make sure openldap service is up and running
|
||||
systemd:
|
||||
state: started
|
||||
enabled: yes
|
||||
name: slapd
|
||||
become: True
|
||||
become_user: root
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
---
|
||||
- block:
|
||||
- name: Install required packages
|
||||
package:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- openldap-servers
|
||||
- openldap-clients
|
||||
|
||||
- name: Deploy environment file
|
||||
template:
|
||||
src: "etc/sysconfig/slapd.j2"
|
||||
dest: "/etc/sysconfig/slapd"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: __slapd_restart
|
||||
|
||||
- name: Deploy config file
|
||||
template:
|
||||
src: "etc/openldap/slapd.conf.j2"
|
||||
dest: "/etc/openldap/slapd.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: __slapd_restart
|
||||
become: True
|
||||
become_user: root
|
||||
|
|
@ -0,0 +1,50 @@
|
|||
---
|
||||
- block:
|
||||
- name: Create tls folder structure
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
selevel: s0
|
||||
serole: object_r
|
||||
setype: slapd_cert_t
|
||||
seuser: system_u
|
||||
recurse: True
|
||||
with_items:
|
||||
- "{{ ldap_proxy_tls_cert_path | dirname }}"
|
||||
- "{{ ldap_proxy_tls_key_path | dirname }}"
|
||||
|
||||
- name: Copy certs and private key (file)
|
||||
copy:
|
||||
src: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: "{{ item.mode }}"
|
||||
selevel: s0
|
||||
serole: object_r
|
||||
setype: slapd_cert_t
|
||||
seuser: system_u
|
||||
with_items:
|
||||
- { src: "{{ ldap_proxy_tls_key_source }}", dest: '{{ ldap_proxy_tls_key_path }}', mode: '0600' }
|
||||
- { src: "{{ ldap_proxy_tls_cert_source }}", dest: '{{ ldap_proxy_tls_cert_path }}', mode: '0750' }
|
||||
loop_control:
|
||||
label: "{{ item.dest }}"
|
||||
when: ldap_proxy_tls_source_use_files
|
||||
|
||||
- name: Copy certs and private key (content)
|
||||
copy:
|
||||
content: "{{ item.src }}"
|
||||
dest: "{{ item.dest }}"
|
||||
mode: "{{ item.mode }}"
|
||||
selevel: s0
|
||||
serole: object_r
|
||||
setype: slapd_cert_t
|
||||
seuser: system_u
|
||||
with_items:
|
||||
- { src: "{{ ldap_proxy_tls_key_source }}", dest: '{{ ldap_proxy_tls_key_path }}', mode: '0600' }
|
||||
- { src: "{{ ldap_proxy_tls_cert_source }}", dest: '{{ ldap_proxy_tls_cert_path }}', mode: '0750' }
|
||||
loop_control:
|
||||
label: "{{ item.dest }}"
|
||||
when: ldap_proxy_tls_source_use_content
|
||||
become: True
|
||||
become_user: root
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
# {{ ansible_managed }}
|
||||
### Schema includes ###########################################################
|
||||
include /etc/openldap/schema/corba.schema
|
||||
include /etc/openldap/schema/core.schema
|
||||
include /etc/openldap/schema/cosine.schema
|
||||
include /etc/openldap/schema/duaconf.schema
|
||||
include /etc/openldap/schema/dyngroup.schema
|
||||
include /etc/openldap/schema/inetorgperson.schema
|
||||
include /etc/openldap/schema/java.schema
|
||||
include /etc/openldap/schema/misc.schema
|
||||
include /etc/openldap/schema/nis.schema
|
||||
include /etc/openldap/schema/openldap.schema
|
||||
include /etc/openldap/schema/ppolicy.schema
|
||||
include /etc/openldap/schema/collective.schema
|
||||
|
||||
## Module paths ##############################################################
|
||||
modulepath /usr/lib64/openldap/
|
||||
modulepath /usr/lib64/openldap
|
||||
moduleload back_ldap
|
||||
moduleload rwm
|
||||
|
||||
# Main settings ###############################################################
|
||||
pidfile /var/run/openldap/slapd.pid
|
||||
argsfile /var/run/openldap/slapd.args
|
||||
|
||||
TLSCertificateFile {{ ldap_proxy_tls_cert_path }}
|
||||
TLSCertificateKeyFile {{ ldap_proxy_tls_key_path }}
|
||||
TLSCACertificateFile {{ ldap_proxy_tls_ca_path }}
|
||||
TLSCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
|
||||
TLSProtocolMin 3.1
|
||||
|
||||
### Database definition (Proxy to AD) #########################################
|
||||
database ldap
|
||||
{% if ldap_proxy_readonly_enabled %}
|
||||
readonly yes
|
||||
{% endif %}
|
||||
lastmod off
|
||||
rebind-as-user
|
||||
uri "{{ ldap_proxy_server }}"
|
||||
suffix "{{ ldap_proxy_server_suffix }}"
|
||||
|
||||
### Logging ###################################################################
|
||||
loglevel {{ ldap_proxy_loglevel }}
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
# {{ ansible_managed }}
|
||||
# OpenLDAP server configuration
|
||||
# see 'man slapd' for additional information
|
||||
|
||||
# Where the server will run (-h option)
|
||||
SLAPD_URLS="{{ ldap_proxy_urls | join(' ') }}"
|
||||
|
||||
# Any custom options
|
||||
SLAPD_OPTIONS="{{ ldap_proxy_options | join(' ') }}"
|
||||
|
||||
# Keytab location for GSSAPI Kerberos authentication
|
||||
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
|
||||
Loading…
Reference in New Issue