From d00768f62341928250994754d03a9382927078fc Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sat, 1 Dec 2018 01:31:11 +0100
Subject: [PATCH] initial commit
---
 defaults/main.yml | 24 +++++++++++++
 handlers/main.yml | 9 +++++
 tasks/main.yml | 4 +++
 tasks/post_tasks.yml | 8 +++++
 tasks/setup.yml | 29 ++++++++++++++++
 tasks/tls.yml | 50 ++++++++++++++++++++++++++++
 templates/etc/openldap/slapd.conf.j2 | 44 ++++++++++++++++++++++++
 templates/etc/sysconfig/slapd.j2 | 12 +++++++
 8 files changed, 180 insertions(+)
 create mode 100644 defaults/main.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/main.yml
 create mode 100644 tasks/post_tasks.yml
 create mode 100644 tasks/setup.yml
 create mode 100644 tasks/tls.yml
 create mode 100644 templates/etc/openldap/slapd.conf.j2
 create mode 100644 templates/etc/sysconfig/slapd.j2
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..c9ada2a
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,24 @@
+---
+ldap_proxy_urls:
+ - "ldapi:/// ldap:///"
+ldap_proxy_options: []
+
+# You can deploy your certificates from a file or from content.
+# If you enable ldap_proxy_tls_source_use_content you have to put the content of your cert files into
+# ldap_proxy_tls_cert_path and ldap_proxy_tls_cert_path.
+ldap_proxy_tls_source_use_content: False
+# If you enable ldap_proxy_tls_source_use_files theses variables have to contain the path to your
+# certificate files located on the ansible "master" host
+ldap_proxy_tls_source_use_files: True
+ldap_proxy_tls_cert_source: mycert.pem
+ldap_proxy_tls_key_source: mykey.pem
+ldap_proxy_tls_ca_source: ca.pem
+ldap_proxy_tls_cert_path: /etc/openldap/certs/mycert.pem
+ldap_proxy_tls_key_path: /etc/openldap/certs/mykey.pem
+ldap_proxy_tls_ca_path: /etc/openldap/certs/ca.path
+
+ldap_proxy_server: "ldap://ad.example.com:389"
+ldap_proxy_server_suffix: "dc=example,dc=com"
+ldap_proxy_readonly_enabled: True
+
+ldap_proxy_loglevel: 0
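Review bot: `ldap_proxy_tls_ca_path: /etc/openldap/certs/ca.path` looks like a typo for `ca.pem`; every sibling default and `ldap_proxy_tls_ca_source` use `.pem`, and this value is what `TLSCACertificateFile` in templates/etc/openldap/slapd.conf.j2 points at. The comment above `ldap_proxy_tls_source_use_content` names `ldap_proxy_tls_cert_path` twice, while tasks/tls.yml actually reads the content from `ldap_proxy_tls_key_source` and `ldap_proxy_tls_cert_source`; suggested wording: `# ... put the content of your key and certificate into ldap_proxy_tls_key_source and ldap_proxy_tls_cert_source.` Nothing prevents `_use_files` and `_use_content` from both being true, in which case both copy tasks in tls.yml run and the content task overwrites the deployed files with the literal path strings; document them as mutually exclusive or fold them into one selector variable. The capitalised booleans (`False`/`True` here, `become: True` in handlers/main.yml, tasks/post_tasks.yml, tasks/setup.yml and tasks/tls.yml, `enabled: yes` in tasks/post_tasks.yml) should be lowercase `true`/`false`, which is what yamllint's truthy rule and YAML 1.2 expect.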
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..e4b1846
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- block:
+ - name: Reload openldap service
+ systemd:
+ state: restarted
+ name: slapd
+ listen: __slapd_restart
+ become: True
+ become_user: root
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..b477939
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include_tasks: setup.yml
+- import_tasks: tls.yml
+- include_tasks: post_tasks.yml
diff --git a/tasks/post_tasks.yml b/tasks/post_tasks.yml
new file mode 100644
index 0000000..c406c64
--- /dev/null
+++ b/tasks/post_tasks.yml
@@ -0,0 +1,8 @@
+---
+- name: Make sure openldap service is up and running
+ systemd:
+ state: started
+ enabled: yes
+ name: slapd
+ become: True
+ become_user: root
diff --git a/tasks/setup.yml b/tasks/setup.yml
new file mode 100644
index 0000000..290d8c2
--- /dev/null
+++ b/tasks/setup.yml
@@ -0,0 +1,29 @@
+---
+- block:
+ - name: Install required packages
+ package:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - openldap-servers
+ - openldap-clients
+
+ - name: Deploy environment file
+ template:
+ src: "etc/sysconfig/slapd.j2"
+ dest: "/etc/sysconfig/slapd"
+ owner: root
+ group: root
+ mode: 0644
+ notify: __slapd_restart
+
+ - name: Deploy config file
+ template:
+ src: "etc/openldap/slapd.conf.j2"
+ dest: "/etc/openldap/slapd.conf"
+ owner: root
+ group: root
+ mode: 0644
+ notify: __slapd_restart
+ become: True
+ become_user: root
diff --git a/tasks/tls.yml b/tasks/tls.yml
new file mode 100644
index 0000000..e2fed1b
--- /dev/null
+++ b/tasks/tls.yml
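Review bot: The handler is named `Reload openldap service` but `state: restarted` performs a full restart, which drops every open client connection, so the name misdescribes the effect; rename it `- name: Restart openldap service`, or, if a reload was really intended, leave a comment explaining why slapd.conf changes still require a restart. The handler is only reachable through `listen: __slapd_restart`; a name that echoes that topic would make the notify chain from tasks/setup.yml easier to trace.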
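Review bot: setup.yml and post_tasks.yml are pulled in with the dynamic `include_tasks` while tls.yml uses the static `import_tasks`, with nothing in the hunk explaining the difference; tags placed on a dynamic include do not propagate to the tasks it contains the way they do for a static import, so the three lines behave differently under `--tags`. Unless dynamic behaviour is needed for a reason, `- import_tasks: setup.yml` and `- import_tasks: post_tasks.yml` keep the role uniform and predictable.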
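Review bot: `Deploy config file` writes /etc/openldap/slapd.conf and notifies a restart without any syntax check, so a bad template only surfaces when the handler takes the service down; the `template` module's `validate` option can gate the write with OpenLDAP's own checker, `validate: 'slaptest -u -f %s'`. Because tasks/main.yml runs setup.yml before tls.yml, the TLS files the config names may not exist on a first run; if slaptest refuses the config on that account, the check belongs after tls.yml instead — worth confirming on a fresh host. `Install required packages` loops `package` over two items; passing the list directly as `name:` installs both in a single module call and is the documented idiom.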
@@ -0,0 +1,50 @@
+---
+- block:
+ - name: Create tls folder structure
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ selevel: s0
+ serole: object_r
+ setype: slapd_cert_t
+ seuser: system_u
+ recurse: True
+ with_items:
+ - "{{ ldap_proxy_tls_cert_path | dirname }}"
+ - "{{ ldap_proxy_tls_key_path | dirname }}"
+
+ - name: Copy certs and private key (file)
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ selevel: s0
+ serole: object_r
+ setype: slapd_cert_t
+ seuser: system_u
+ with_items:
+ - { src: "{{ ldap_proxy_tls_key_source }}", dest: '{{ ldap_proxy_tls_key_path }}', mode: '0600' }
+ - { src: "{{ ldap_proxy_tls_cert_source }}", dest: '{{ ldap_proxy_tls_cert_path }}', mode: '0750' }
+ loop_control:
+ label: "{{ item.dest }}"
+ when: ldap_proxy_tls_source_use_files
+
+ - name: Copy certs and private key (content)
+ copy:
+ content: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ selevel: s0
+ serole: object_r
+ setype: slapd_cert_t
+ seuser: system_u
+ with_items:
+ - { src: "{{ ldap_proxy_tls_key_source }}", dest: '{{ ldap_proxy_tls_key_path }}', mode: '0600' }
+ - { src: "{{ ldap_proxy_tls_cert_source }}", dest: '{{ ldap_proxy_tls_cert_path }}', mode: '0750' }
+ loop_control:
+ label: "{{ item.dest }}"
+ when: ldap_proxy_tls_source_use_content
+ become: True
+ become_user: root
diff --git a/templates/etc/openldap/slapd.conf.j2 b/templates/etc/openldap/slapd.conf.j2
new file mode 100644
index 0000000..b3acdee
--- /dev/null
+++ b/templates/etc/openldap/slapd.conf.j2
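Review bot: Neither copy task deploys the CA certificate, although templates/etc/openldap/slapd.conf.j2 points `TLSCACertificateFile` at `ldap_proxy_tls_ca_path` and defaults/main.yml defines `ldap_proxy_tls_ca_source` for exactly that, so slapd is configured with a CA file this role never creates; add `- { src: "{{ ldap_proxy_tls_ca_source }}", dest: '{{ ldap_proxy_tls_ca_path }}', mode: '0644' }` to both `with_items` lists and `- "{{ ldap_proxy_tls_ca_path | dirname }}"` to the folder task. The certificate is written with `mode: '0750'`, which sets an execute bit and hides a public certificate from other users; `0644` is the conventional mode (the key's `0600` is right). Both copy tasks leave ownership at the default, i.e. root:root under `become_user: root`; if slapd on the target drops to the `ldap` user before loading the key, a root-only `0600` key will be unreadable — confirm, and if so set `group: ldap` with `mode: '0640'` on the key entry. With content mode (and with file mode under `--diff`) the private key can be echoed into job output; `no_log: true` on both copy tasks keeps it out of logs.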
@@ -0,0 +1,44 @@
+#jinja2: lstrip_blocks: True
+# {{ ansible_managed }}
+### Schema includes ###########################################################
+include /etc/openldap/schema/corba.schema
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/duaconf.schema
+include /etc/openldap/schema/dyngroup.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/java.schema
+include /etc/openldap/schema/misc.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/openldap.schema
+include /etc/openldap/schema/ppolicy.schema
+include /etc/openldap/schema/collective.schema
+
+## Module paths ##############################################################
+modulepath /usr/lib64/openldap/
+modulepath /usr/lib64/openldap
+moduleload back_ldap
+moduleload rwm
+
+# Main settings ###############################################################
+pidfile /var/run/openldap/slapd.pid
+argsfile /var/run/openldap/slapd.args
+
+TLSCertificateFile {{ ldap_proxy_tls_cert_path }}
+TLSCertificateKeyFile {{ ldap_proxy_tls_key_path }}
+TLSCACertificateFile {{ ldap_proxy_tls_ca_path }}
+TLSCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
+TLSProtocolMin 3.1
+
+### Database definition (Proxy to AD) #########################################
+database ldap
+{% if ldap_proxy_readonly_enabled %}
+readonly yes
+{% endif %}
+lastmod off
+rebind-as-user
+uri "{{ ldap_proxy_server }}"
+suffix "{{ ldap_proxy_server_suffix }}"
+
+### Logging ###################################################################
+loglevel {{ ldap_proxy_loglevel }}
diff --git a/templates/etc/sysconfig/slapd.j2 b/templates/etc/sysconfig/slapd.j2
new file mode 100644
index 0000000..5a25f15
--- /dev/null
+++ b/templates/etc/sysconfig/slapd.j2
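Review bot: `TLSProtocolMin 3.1` still admits TLS 1.0 (OpenLDAP encodes TLS 1.0 as 3.1 and TLS 1.2 as 3.3), and the `MEDIUM` group in `TLSCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4` lets legacy ciphers through; `TLSProtocolMin 3.3` and `TLSCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES` would be a more defensible baseline for a proxy that terminates client TLS. The backend `uri "{{ ldap_proxy_server }}"` defaults to `ldap://ad.example.com:389` with no `tls` directive, and `rebind-as-user` forwards each client's bind credentials to that server, so user passwords would cross the proxy-to-AD hop in the clear unless the URI is `ldaps://` or back-ldap's `tls start` is configured; a comment stating which is expected would help operators. No `access to` directives are present, and slapd's documented default without any is read access for everyone, so if anonymous proxying is not intended an explicit ACL block should close that. `modulepath` is given twice for the same directory with and without the trailing slash; one line suffices.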
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+# OpenLDAP server configuration
+# see 'man slapd' for additional information
+
+# Where the server will run (-h option)
+SLAPD_URLS="{{ ldap_proxy_urls | join(' ') }}"
+
+# Any custom options
+SLAPD_OPTIONS="{{ ldap_proxy_options | join(' ') }}"
+
+# Keytab location for GSSAPI Kerberos authentication
+#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
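Review bot: `SLAPD_OPTIONS` carries no `-f`, so the server locates its configuration by slapd's default search, which tries the `slapd.d` configuration directory before falling back to slapd.conf; if the target's openldap-servers package ships a populated /etc/openldap/slapd.d/ — likely given the /etc/sysconfig path, but worth confirming — the slapd.conf rendered by tasks/setup.yml is silently ignored. Either document that the role expects slapd.d to be absent, pass the file explicitly with `SLAPD_OPTIONS="-f /etc/openldap/slapd.conf {{ ldap_proxy_options | join(' ') }}"`, or have setup.yml move slapd.d aside.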