Diffstat (limited to 'roles/openldap/tasks/main.yml')
-rw-r--r--roles/openldap/tasks/main.yml146
1 files changed, 146 insertions, 0 deletions
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
new file mode 100644
index 0000000..1e152ae
--- /dev/null
+++ b/roles/openldap/tasks/main.yml
@@ -0,0 +1,146 @@
+---
+- name: Install OpenLDAP
+ apt:
+ name:
+ - slapd
+ - ldap-utils
+ - openssl
+ - python3-ldap
+ become: yes
+
+- name: Check for changed cert
+ command: /bin/true
+ when:
+ - cert_changed
+ notify:
+ - Restart slapd
+
+#
+# Global server config
+#
+
+- name: Configure TLS Certificate
+ community.general.ldap_attrs:
+ dn: cn=config
+ attributes:
+ olcTLSCACertificateFile: '{{ ldap.tls.ca }}'
+ olcTLSCertificateKeyFile: '{{ ldap.tls.key }}'
+ olcTLSCertificateFile: '{{ ldap.tls.cert }}'
+ state: exact
+ become: yes
+ when: ldap.tls.enable
+
+- name: Enable ldaps:636
+ lineinfile:
+ path: /etc/default/slapd
+ regexp: '^SLAPD_SERVICES='
+ line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
+ become: yes
+ when: ldap.tls.enable
+ notify: Restart slapd
+
+- name: Enable modules
+ community.general.ldap_attrs:
+ dn: cn=module{0},cn=config
+ attributes:
+ olcModuleLoad:
+ - "{0}pw-sha2.la"
+ - "{1}memberof.la"
+ - "{2}refint.la"
+ state: present
+ become: yes
+
+- name: Create memberOf Overlay
+ community.general.ldap_entry:
+ dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
+ objectClass:
+ - olcOverlayConfig
+ - olcMemberOf
+ attributes:
+ olcMemberOfRefint: "TRUE"
+ olcMemberOfDangling: ignore
+ olcMemberOfGroupOC: groupOfNames
+ olcMemberOfMemberAD: member
+ olcMemberOfMemberOfAD: memberOf
+ become: yes
+
+- name: Enable SSHA Hashes
+ community.general.ldap_attrs:
+ dn: olcDatabase={-1}frontend,cn=config
+ attributes:
+ olcPasswordHash: "{SSHA}"
+ state: present
+ become: yes
+
+#
+# schema
+#
+
+# This assumes the default debian slapd setup with {1}mdb already configured,
+# so we are just chaning a few things
+- name: Configure LDAP schema
+ community.general.ldap_attrs:
+ dn: olcDatabase={1}mdb,cn=config
+ attributes:
+ olcSuffix: '{{ ldap.base }}'
+ olcAccess:
+ - >-
+ {0}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by * none
+ - >-
+ {1}to attrs=shadowLastChange
+ by self write
+ by * read
+ - >-
+ {2}to *
+ by users read
+ by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage
+ olcRootDN: '{{ ldap.root_dn }}'
+ olcRootPW: '{{ ldap.root_pw_hash }}'
+ state: exact
+ become: yes
+
+- name: organization top object
+ community.general.ldap_entry:
+ dn: '{{ ldap.base }}'
+ objectClass:
+ - dcObject
+ - organization
+ - top
+ attributes:
+ o: '{{ ldap.o }}'
+ server_uri: ldap://localhost
+ bind_dn: '{{ ldap.root_dn }}'
+ bind_pw: '{{ ldap.root_pw }}'
+
+- name: Create OUs
+ community.general.ldap_entry:
+ dn: 'ou={{ item }},{{ ldap.base }}'
+ objectClass:
+ - organizationalUnit
+ - top
+ attributes:
+ ou: '{{ item }}'
+ server_uri: ldap://localhost
+ bind_dn: '{{ ldap.root_dn }}'
+ bind_pw: '{{ ldap.root_pw }}'
+ loop:
+ - users
+ - apps
+ - groups
+ - unixgroups
+
+- name: Create LDAP Admin group
+ community.general.ldap_entry:
+ dn: 'cn=ldap_admin,ou=groups,{{ ldap.base }}'
+ objectClass:
+ - groupOfNames
+ - top
+ attributes:
+ cn: 'ldap_admin'
+ member: ''
+ server_uri: ldap://localhost
+ bind_dn: '{{ ldap.root_dn }}'
+ bind_pw: '{{ ldap.root_pw }}'
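Review bot: The three tasks that bind as the root DN (`organization top object`, `Create OUs`, `Create LDAP Admin group`) pass `bind_pw: '{{ ldap.root_pw }}'` without `no_log: true`, so the cleartext directory root password is echoed into verbose task output and any Ansible log whenever one of them changes or fails; add `no_log: true` to each of the three tasks. That same password is sent as a simple bind over plain `ldap://localhost`, and because `Configure LDAP schema` replaces `olcAccess` with `state: exact` using rules that name only `self`, `anonymous`, `users` and the admin group, moving these tasks onto `ldapi:///` with SASL EXTERNAL would also need a rule granting the local root peercred identity access, which this hunk does not carry. Separately, `Enable modules` loads `pw-sha2.la` but `Enable SSHA Hashes` sets `olcPasswordHash: "{SSHA}"` (salted SHA-1); `olcPasswordHash: "{SSHA512}"` would actually use the module that was just enabled. `when: cert_changed` on `Check for changed cert` aborts the play rather than skipping when the variable is not set, so `when: cert_changed | default(false)` is safer unless the role guarantees it is always defined.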