authorGravatar Jonas Gunz <himself@jonasgunz.de> 2021-10-07 13:44:07 +0200
committerGravatar Jonas Gunz <himself@jonasgunz.de> 2021-10-07 13:44:07 +0200
commit622841b421adc6210a8c62d6a1e663d376649934 (patch)
treefa1c0520b2c2ea44bcfa07ad7e7aab33f2950625 /roles/openldap
parenta263e42107537a99e258998c8d5a999f13388fb1 (diff)
downloadansible_collection-622841b421adc6210a8c62d6a1e663d376649934.tar.gz
add openldap
Diffstat (limited to 'roles/openldap')
-rw-r--r--roles/openldap/defaults/main.yml13
-rw-r--r--roles/openldap/handlers/main.yml6
-rw-r--r--roles/openldap/tasks/main.yml146
3 files changed, 165 insertions, 0 deletions
diff --git a/roles/openldap/defaults/main.yml b/roles/openldap/defaults/main.yml
new file mode 100644
index 0000000..17bb5bc
--- /dev/null
+++ b/roles/openldap/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+ldap:
+ o: 'Example Com'
+ base: 'dc=example,dc=com'
+ root_dn: 'cn=admin,dc=example,dc=com'
+ root_pw: 'admin'
+ root_pw_hash: '{SSHA}T4NWs0yED2vORnKH4fWMSicNH0n0jtwP'
+ tls:
+ enable: false
+ ca: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+
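Review bot: The defaults ship a working root credential: `root_pw: 'admin'` together with a `root_pw_hash` that presumably encodes the same string, so any host where the playbook runs without an override ends up with a known `olcRootPW`, and the plaintext is used later as `bind_pw` against `ldap://localhost`. I would drop both values from `defaults/main.yml` and require them from inventory or an Ansible Vault file, or at minimum fail early (`assert` that `ldap.root_pw != 'admin'`) before any `ldap_attrs` task runs. Nothing ties `root_pw` and `root_pw_hash` together, so a user who changes one and not the other gets a server whose rootdn password silently differs from the one the role binds with; a comment above the two keys stating that they must describe the same secret would at least make that visible. The TLS defaults point `ca` and `cert` at the same snakeoil certificate, which is fine as a placeholder but worth a one-line comment saying these are not meant for production.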
diff --git a/roles/openldap/handlers/main.yml b/roles/openldap/handlers/main.yml
new file mode 100644
index 0000000..85685b4
--- /dev/null
+++ b/roles/openldap/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart slapd
+ systemd:
+ name: slapd
+ state: restarted
+ become: yes
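Review bot: `become: yes` on the last line is a YAML 1.1 truthy spelling; Ansible accepts it, but yamllint's `truthy` rule flags it and `become: true` is the canonical form. The same spelling is used on every task in `roles/openldap/tasks/main.yml`, so the change is best applied file-wide in one pass rather than here alone.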
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
new file mode 100644
index 0000000..1e152ae
--- /dev/null
+++ b/roles/openldap/tasks/main.yml
@@ -0,0 +1,146 @@
+---
+- name: Install OpenLDAP
+ apt:
+ name:
+ - slapd
+ - ldap-utils
+ - openssl
+ - python3-ldap
+ become: yes
+
+- name: Check for changed cert
+ command: /bin/true
+ when:
+ - cert_changed
+ notify:
+ - Restart slapd
+
+#
+# Global server config
+#
+
+- name: Configure TLS Certificate
+ community.general.ldap_attrs:
+ dn: cn=config
+ attributes:
+ olcTLSCACertificateFile: '{{ ldap.tls.ca }}'
+ olcTLSCertificateKeyFile: '{{ ldap.tls.key }}'
+ olcTLSCertificateFile: '{{ ldap.tls.cert }}'
+ state: exact
+ become: yes
+ when: ldap.tls.enable
+
+- name: Enable ldaps:636
+ lineinfile:
+ path: /etc/default/slapd
+ regexp: '^SLAPD_SERVICES='
+ line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
+ become: yes
+ when: ldap.tls.enable
+ notify: Restart slapd
+
+- name: Enable modules
+ community.general.ldap_attrs:
+ dn: cn=module{0},cn=config
+ attributes:
+ olcModuleLoad:
+ - "{0}pw-sha2.la"
+ - "{1}memberof.la"
+ - "{2}refint.la"
+ state: present
+ become: yes
+
+- name: Create memberOf Overlay
+ community.general.ldap_entry:
+ dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
+ objectClass:
+ - olcOverlayConfig
+ - olcMemberOf
+ attributes:
+ olcMemberOfRefint: "TRUE"
+ olcMemberOfDangling: ignore
+ olcMemberOfGroupOC: groupOfNames
+ olcMemberOfMemberAD: member
+ olcMemberOfMemberOfAD: memberOf
+ become: yes
+
+- name: Enable SSHA Hashes
+ community.general.ldap_attrs:
+ dn: olcDatabase={-1}frontend,cn=config
+ attributes:
+ olcPasswordHash: "{SSHA}"
+ state: present
+ become: yes
+
+#
+# schema
+#
+
+# This assumes the default debian slapd setup with {1}mdb already configured,
+# so we are just chaning a few things
+- name: Configure LDAP schema
+ community.general.ldap_attrs:
+ dn: olcDatabase={1}mdb,cn=config
+ attributes:
+ olcSuffix: '{{ ldap.base }}'
+ olcAccess:
+ - >-
+ {0}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by * none
+ - >-
+ {1}to attrs=shadowLastChange
+ by self write
+ by * read
+ - >-
+ {2}to *
+ by users read
+ by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage
+ olcRootDN: '{{ ldap.root_dn }}'
+ olcRootPW: '{{ ldap.root_pw_hash }}'
+ state: exact
+ become: yes
+
+- name: organization top object
+ community.general.ldap_entry:
+ dn: '{{ ldap.base }}'
+ objectClass:
+ - dcObject
+ - organization
+ - top
+ attributes:
+ o: '{{ ldap.o }}'
+ server_uri: ldap://localhost
+ bind_dn: '{{ ldap.root_dn }}'
+ bind_pw: '{{ ldap.root_pw }}'
+
+- name: Create OUs
+ community.general.ldap_entry:
+ dn: 'ou={{ item }},{{ ldap.base }}'
+ objectClass:
+ - organizationalUnit
+ - top
+ attributes:
+ ou: '{{ item }}'
+ server_uri: ldap://localhost
+ bind_dn: '{{ ldap.root_dn }}'
+ bind_pw: '{{ ldap.root_pw }}'
+ loop:
+ - users
+ - apps
+ - groups
+ - unixgroups
+
+- name: Create LDAP Admin group
+ community.general.ldap_entry:
+ dn: 'cn=ldap_admin,ou=groups,{{ ldap.base }}'
+ objectClass:
+ - groupOfNames
+ - top
+ attributes:
+ cn: 'ldap_admin'
+ member: ''
+ server_uri: ldap://localhost
+ bind_dn: '{{ ldap.root_dn }}'
+ bind_pw: '{{ ldap.root_pw }}'
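Review bot: The `{2}` ACL in `olcAccess` (the `>-` block after `olcSuffix`) lists `by users read` before the `ldap_admin` group clause, and slapd stops at the first `by` clause that matches the bound DN, so a member of `cn=ldap_admin` is matched as a user and granted read only — the `manage` grant is never reached. The group clause has to come first: `{2}to *`, `by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage`, `by users read`. Separately, the `Check for changed cert` task conditions on `cert_changed`, which no file in this commit defines; unless an earlier role sets it on every run, the play fails with an undefined-variable error, so `when: cert_changed | default(false)` would be safer. The `Create LDAP Admin group` entry sets `member: ''`, which I expect the server to reject as an invalid DN value for a `groupOfNames` (the class requires at least one member) — seeding it with `'{{ ldap.root_dn }}'` or another real DN avoids that. The three entry tasks at the end bind with the rootdn password over `ldap://localhost` while the config tasks above rely on `ldapi:///` with `become`; using the same ldapi/EXTERNAL path for all of them would keep the password out of the role entirely.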