initial commit
This commit is contained in:
parent
817124f36b
commit
d00768f623
24
defaults/main.yml
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
---
|
||||||
|
ldap_proxy_urls:
|
||||||
|
- "ldapi:/// ldap:///"
|
||||||
|
ldap_proxy_options: []
|
||||||
|
|
||||||
|
# You can deploy your certificates from a file or from content.
|
||||||
|
# If you enable ldap_proxy_tls_source_use_content you have to put the content of your cert files into
|
||||||
|
# ldap_proxy_tls_cert_path and ldap_proxy_tls_cert_path.
|
||||||
|
ldap_proxy_tls_source_use_content: False
|
||||||
|
# If you enable ldap_proxy_tls_source_use_files theses variables have to contain the path to your
|
||||||
|
# certificate files located on the ansible "master" host
|
||||||
|
ldap_proxy_tls_source_use_files: True
|
||||||
|
ldap_proxy_tls_cert_source: mycert.pem
|
||||||
|
ldap_proxy_tls_key_source: mykey.pem
|
||||||
|
ldap_proxy_tls_ca_source: ca.pem
|
||||||
|
ldap_proxy_tls_cert_path: /etc/openldap/certs/mycert.pem
|
||||||
|
ldap_proxy_tls_key_path: /etc/openldap/certs/mykey.pem
|
||||||
|
ldap_proxy_tls_ca_path: /etc/openldap/certs/ca.path
|
||||||
|
|
||||||
|
ldap_proxy_server: "ldap://ad.example.com:389"
|
||||||
|
ldap_proxy_server_suffix: "dc=example,dc=com"
|
||||||
|
ldap_proxy_readonly_enabled: True
|
||||||
|
|
||||||
|
ldap_proxy_loglevel: 0
|
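Review bot: The comment above `ldap_proxy_tls_source_use_content` tells users to put the certificate content into `ldap_proxy_tls_cert_path` (named twice; the second occurrence should be the key path), but the content task in tasks/tls.yml reads `ldap_proxy_tls_key_source` and `ldap_proxy_tls_cert_source`, so following the comment would leave the deployed files empty. I would rewrite it as `# If you enable ldap_proxy_tls_source_use_content, put the PEM content itself into ldap_proxy_tls_cert_source / ldap_proxy_tls_key_source / ldap_proxy_tls_ca_source; the *_path variables stay the destination paths on the target.` `ldap_proxy_tls_ca_path: /etc/openldap/certs/ca.path` looks like a typo for `ca.pem`, and since nothing in tasks/tls.yml deploys the CA file at all, `TLSCACertificateFile` in the rendered slapd.conf will point at a file that does not exist. The boolean defaults should be the canonical `true`/`false` rather than `True`/`False`, and `ldap_proxy_urls` reads better as one listener per element (`- "ldapi:///"`, `- "ldap:///"`) since the sysconfig template joins the list with a space anyway.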
9
handlers/main.yml
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Reload openldap service
|
||||||
|
systemd:
|
||||||
|
state: restarted
|
||||||
|
name: slapd
|
||||||
|
listen: __slapd_restart
|
||||||
|
become: True
|
||||||
|
become_user: root
|
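Review bot: The handler is named `Reload openldap service` but performs `state: restarted`, which drops every open client connection on each config change; since a slapd.conf-based setup needs a restart to pick up the rendered config, the honest fix is to rename it `Restart openldap service` rather than switch to `state: reloaded`. `become: True` should be the canonical `become: true`, and `become_user: root` is already the default under `become` and can be dropped.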
4
tasks/main.yml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
- include_tasks: setup.yml
|
||||||
|
- import_tasks: tls.yml
|
||||||
|
- include_tasks: post_tasks.yml
|
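Review bot: `tls.yml` is pulled in with the static `import_tasks` while the other two files use the dynamic `include_tasks`, with no visible reason for the difference; tags and `--list-tasks` behave differently between the two forms, so use one form for all three (`import_tasks` is the simplest) unless the dynamic inclusion is intentional, in which case a one-line comment saying why would help the next maintainer.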
8
tasks/post_tasks.yml
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
- name: Make sure openldap service is up and running
|
||||||
|
systemd:
|
||||||
|
state: started
|
||||||
|
enabled: yes
|
||||||
|
name: slapd
|
||||||
|
become: True
|
||||||
|
become_user: root
|
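Review bot: `enabled: yes` and `become: True` use YAML 1.1 truthy spellings; write `enabled: true` and `become: true` so yamllint and ansible-lint stop flagging them and the file follows the `true`/`false` convention. `become_user: root` is the default under `become` and can be dropped. If `__slapd_restart` was notified earlier in the play, slapd is started here and then restarted again at the end of the play; a `- meta: flush_handlers` task before this one would avoid the double start.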
29
tasks/setup.yml
Normal file
@ -0,0 +1,29 @@
|
|||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Install required packages
|
||||||
|
package:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: present
|
||||||
|
with_items:
|
||||||
|
- openldap-servers
|
||||||
|
- openldap-clients
|
||||||
|
|
||||||
|
- name: Deploy environment file
|
||||||
|
template:
|
||||||
|
src: "etc/sysconfig/slapd.j2"
|
||||||
|
dest: "/etc/sysconfig/slapd"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
notify: __slapd_restart
|
||||||
|
|
||||||
|
- name: Deploy config file
|
||||||
|
template:
|
||||||
|
src: "etc/openldap/slapd.conf.j2"
|
||||||
|
dest: "/etc/openldap/slapd.conf"
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: 0644
|
||||||
|
notify: __slapd_restart
|
||||||
|
become: True
|
||||||
|
become_user: root
|
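Review bot: The rendered `/etc/openldap/slapd.conf` is written and a restart queued with no validation, so a template or variable mistake takes slapd down at the end of the play; the `template` module's `validate:` parameter can run slaptest on the staged file first, e.g. `validate: "slaptest -u -f %s"` (confirm the flags against the slaptest version on the target). The package loop (`with_items` over `name: "{{ item }}"`) can be a single call with `name:` set to the list, which lets the package manager resolve both packages in one transaction. `mode: 0644` is an unquoted octal literal; Ansible accepts it because of the leading zero, but tasks/tls.yml quotes its modes (`'0600'`), so `mode: "0644"` would keep the role consistent and safe under a YAML 1.2 parser. `become: True` / `become_user: root` should be `become: true` with the redundant `become_user` dropped.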
50
tasks/tls.yml
Normal file
@ -0,0 +1,50 @@
|
|||||||
|
---
|
||||||
|
- block:
|
||||||
|
- name: Create tls folder structure
|
||||||
|
file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
selevel: s0
|
||||||
|
serole: object_r
|
||||||
|
setype: slapd_cert_t
|
||||||
|
seuser: system_u
|
||||||
|
recurse: True
|
||||||
|
with_items:
|
||||||
|
- "{{ ldap_proxy_tls_cert_path | dirname }}"
|
||||||
|
- "{{ ldap_proxy_tls_key_path | dirname }}"
|
||||||
|
|
||||||
|
- name: Copy certs and private key (file)
|
||||||
|
copy:
|
||||||
|
src: "{{ item.src }}"
|
||||||
|
dest: "{{ item.dest }}"
|
||||||
|
mode: "{{ item.mode }}"
|
||||||
|
selevel: s0
|
||||||
|
serole: object_r
|
||||||
|
setype: slapd_cert_t
|
||||||
|
seuser: system_u
|
||||||
|
with_items:
|
||||||
|
- { src: "{{ ldap_proxy_tls_key_source }}", dest: '{{ ldap_proxy_tls_key_path }}', mode: '0600' }
|
||||||
|
- { src: "{{ ldap_proxy_tls_cert_source }}", dest: '{{ ldap_proxy_tls_cert_path }}', mode: '0750' }
|
||||||
|
loop_control:
|
||||||
|
label: "{{ item.dest }}"
|
||||||
|
when: ldap_proxy_tls_source_use_files
|
||||||
|
|
||||||
|
- name: Copy certs and private key (content)
|
||||||
|
copy:
|
||||||
|
content: "{{ item.src }}"
|
||||||
|
dest: "{{ item.dest }}"
|
||||||
|
mode: "{{ item.mode }}"
|
||||||
|
selevel: s0
|
||||||
|
serole: object_r
|
||||||
|
setype: slapd_cert_t
|
||||||
|
seuser: system_u
|
||||||
|
with_items:
|
||||||
|
- { src: "{{ ldap_proxy_tls_key_source }}", dest: '{{ ldap_proxy_tls_key_path }}', mode: '0600' }
|
||||||
|
- { src: "{{ ldap_proxy_tls_cert_source }}", dest: '{{ ldap_proxy_tls_cert_path }}', mode: '0750' }
|
||||||
|
loop_control:
|
||||||
|
label: "{{ item.dest }}"
|
||||||
|
when: ldap_proxy_tls_source_use_content
|
||||||
|
become: True
|
||||||
|
become_user: root
|
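Review bot: Neither copy task deploys the CA certificate: both item lists cover only `ldap_proxy_tls_key_source` and `ldap_proxy_tls_cert_source`, and the directory task only creates the dirnames of the cert and key paths, yet the slapd.conf template sets `TLSCACertificateFile {{ ldap_proxy_tls_ca_path }}`, so TLS will not initialise unless the CA file is placed by hand. Add a third item to both `with_items` lists, `- { src: "{{ ldap_proxy_tls_ca_source }}", dest: '{{ ldap_proxy_tls_ca_path }}', mode: '0644' }`, and `- "{{ ldap_proxy_tls_ca_path | dirname }}"` to the directory loop. The certificate item's `mode: '0750'` sets an execute bit on a PEM file that is public anyway; `'0644'` is the conventional mode, with the key keeping `'0600'`. The content variant writes a private key from a variable, so consider `no_log: true` on that task: the `loop_control` label hides the item, but a `--diff` run could still print the key material.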
44
templates/etc/openldap/slapd.conf.j2
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
#jinja2: lstrip_blocks: True
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
### Schema includes ###########################################################
|
||||||
|
include /etc/openldap/schema/corba.schema
|
||||||
|
include /etc/openldap/schema/core.schema
|
||||||
|
include /etc/openldap/schema/cosine.schema
|
||||||
|
include /etc/openldap/schema/duaconf.schema
|
||||||
|
include /etc/openldap/schema/dyngroup.schema
|
||||||
|
include /etc/openldap/schema/inetorgperson.schema
|
||||||
|
include /etc/openldap/schema/java.schema
|
||||||
|
include /etc/openldap/schema/misc.schema
|
||||||
|
include /etc/openldap/schema/nis.schema
|
||||||
|
include /etc/openldap/schema/openldap.schema
|
||||||
|
include /etc/openldap/schema/ppolicy.schema
|
||||||
|
include /etc/openldap/schema/collective.schema
|
||||||
|
|
||||||
|
## Module paths ##############################################################
|
||||||
|
modulepath /usr/lib64/openldap/
|
||||||
|
modulepath /usr/lib64/openldap
|
||||||
|
moduleload back_ldap
|
||||||
|
moduleload rwm
|
||||||
|
|
||||||
|
# Main settings ###############################################################
|
||||||
|
pidfile /var/run/openldap/slapd.pid
|
||||||
|
argsfile /var/run/openldap/slapd.args
|
||||||
|
|
||||||
|
TLSCertificateFile {{ ldap_proxy_tls_cert_path }}
|
||||||
|
TLSCertificateKeyFile {{ ldap_proxy_tls_key_path }}
|
||||||
|
TLSCACertificateFile {{ ldap_proxy_tls_ca_path }}
|
||||||
|
TLSCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
|
||||||
|
TLSProtocolMin 3.1
|
||||||
|
|
||||||
|
### Database definition (Proxy to AD) #########################################
|
||||||
|
database ldap
|
||||||
|
{% if ldap_proxy_readonly_enabled %}
|
||||||
|
readonly yes
|
||||||
|
{% endif %}
|
||||||
|
lastmod off
|
||||||
|
rebind-as-user
|
||||||
|
uri "{{ ldap_proxy_server }}"
|
||||||
|
suffix "{{ ldap_proxy_server_suffix }}"
|
||||||
|
|
||||||
|
### Logging ###################################################################
|
||||||
|
loglevel {{ ldap_proxy_loglevel }}
|
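Review bot: `TLSProtocolMin 3.1` still allows TLS 1.0 and `TLSCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4` admits the MEDIUM-strength ciphers, both below current baselines for a server that receives user credentials; `TLSProtocolMin 3.3` (TLS 1.2) and `TLSCipherSuite HIGH:!aNULL:!MD5:!RC4` are the usual floor, with the cipher string checked against the TLS library the target's openldap build uses, since OpenSSL and GnuTLS/NSS builds interpret it differently. The back-ldap database combines `rebind-as-user` with a default URI of `ldap://...:389` and no `tls start` directive, so the credentials the proxy rebinds with would reach the backend in clear text unless the operator uses an `ldaps://` URI; adding `tls start` (or exposing it as a role variable) closes that gap. `modulepath` is given twice (`/usr/lib64/openldap/` and `/usr/lib64/openldap`); one line is enough. The protocol minimum and cipher string would be better as role variables than literals so operators can tighten them without editing the template.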
12
templates/etc/sysconfig/slapd.j2
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
# {{ ansible_managed }}
|
||||||
|
# OpenLDAP server configuration
|
||||||
|
# see 'man slapd' for additional information
|
||||||
|
|
||||||
|
# Where the server will run (-h option)
|
||||||
|
SLAPD_URLS="{{ ldap_proxy_urls | join(' ') }}"
|
||||||
|
|
||||||
|
# Any custom options
|
||||||
|
SLAPD_OPTIONS="{{ ldap_proxy_options | join(' ') }}"
|
||||||
|
|
||||||
|
# Keytab location for GSSAPI Kerberos authentication
|
||||||
|
#KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
|