Diffstat (limited to 'roles')
-rw-r--r-- | roles/openldap/defaults/main.yml | 13 | ||||
-rw-r--r-- | roles/openldap/handlers/main.yml | 6 | ||||
-rw-r--r-- | roles/openldap/tasks/main.yml | 146 |
3 files changed, 165 insertions, 0 deletions
diff --git a/roles/openldap/defaults/main.yml b/roles/openldap/defaults/main.yml
new file mode 100644
index 0000000..17bb5bc
--- /dev/null
+++ b/roles/openldap/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+ldap:
+ o: 'Example Com'
+ base: 'dc=example,dc=com'
+ root_dn: 'cn=admin,dc=example,dc=com'
+ root_pw: 'admin'
+ root_pw_hash: '{SSHA}T4NWs0yED2vORnKH4fWMSicNH0n0jtwP'
+ tls:
+ enable: false
+ ca: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+ key: '/etc/ssl/private/ssl-cert-snakeoil.key'
+ cert: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
+
diff --git a/roles/openldap/handlers/main.yml b/roles/openldap/handlers/main.yml
new file mode 100644
index 0000000..85685b4
--- /dev/null
+++ b/roles/openldap/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart slapd
+ systemd:
+ name: slapd
+ state: restarted
+ become: yes
diff --git a/roles/openldap/tasks/main.yml b/roles/openldap/tasks/main.yml
new file mode 100644
index 0000000..1e152ae
--- /dev/null
+++ b/roles/openldap/tasks/main.yml
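Review bot: `root_pw: 'admin'` and a matching precomputed `root_pw_hash` ship as role defaults, so any host provisioned without an override ends up with a well-known directory manager credential; tasks/main.yml in this commit writes the hash to `olcRootPW` and binds with the plain value as `bind_pw`, so the two must also be kept consistent. Prefer no default at all for these two keys, so an unset value fails at template time, or at least mark them: `# Placeholder credentials for development only; override root_pw and root_pw_hash (kept in sync) from an Ansible Vault file`. `ca` and `cert` both point at the snakeoil certificate, which is fine as a placeholder but deserves a comment that `ca` is expected to be the issuing CA bundle once real certificates are used.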
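Review bot: `become: yes` uses a YAML 1.1 truthy value; Ansible accepts it, but yamllint's truthy rule and YAML 1.2 parsers treat it as a string, so write `become: true`. The same applies to every `become: yes` in tasks/main.yml in this commit.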
@@ -0,0 +1,146 @@
+---
+- name: Install OpenLDAP
+ apt:
+ name:
+ - slapd
+ - ldap-utils
+ - openssl
+ - python3-ldap
+ become: yes
+
+- name: Check for changed cert
+ command: /bin/true
+ when:
+ - cert_changed
+ notify:
+ - Restart slapd
+
+#
+# Global server config
+#
+
+- name: Configure TLS Certificate
+ community.general.ldap_attrs:
+ dn: cn=config
+ attributes:
+ olcTLSCACertificateFile: '{{ ldap.tls.ca }}'
+ olcTLSCertificateKeyFile: '{{ ldap.tls.key }}'
+ olcTLSCertificateFile: '{{ ldap.tls.cert }}'
+ state: exact
+ become: yes
+ when: ldap.tls.enable
+
+- name: Enable ldaps:636
+ lineinfile:
+ path: /etc/default/slapd
+ regexp: '^SLAPD_SERVICES='
+ line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
+ become: yes
+ when: ldap.tls.enable
+ notify: Restart slapd
+
+- name: Enable modules
+ community.general.ldap_attrs:
+ dn: cn=module{0},cn=config
+ attributes:
+ olcModuleLoad:
+ - "{0}pw-sha2.la"
+ - "{1}memberof.la"
+ - "{2}refint.la"
+ state: present
+ become: yes
+
+- name: Create memberOf Overlay
+ community.general.ldap_entry:
+ dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
+ objectClass:
+ - olcOverlayConfig
+ - olcMemberOf
+ attributes:
+ olcMemberOfRefint: "TRUE"
+ olcMemberOfDangling: ignore
+ olcMemberOfGroupOC: groupOfNames
+ olcMemberOfMemberAD: member
+ olcMemberOfMemberOfAD: memberOf
+ become: yes
+
+- name: Enable SSHA Hashes
+ community.general.ldap_attrs:
+ dn: olcDatabase={-1}frontend,cn=config
+ attributes:
+ olcPasswordHash: "{SSHA}"
+ state: present
+ become: yes
+
+#
+# schema
+#
+
+# This assumes the default debian slapd setup with {1}mdb already configured,
+# so we are just chaning a few things
+- name: Configure LDAP schema
+ community.general.ldap_attrs:
+ dn: olcDatabase={1}mdb,cn=config
+ attributes:
+ olcSuffix: '{{ ldap.base }}'
+ olcAccess:
+ - >-
+ {0}to attrs=userPassword
+ by self write
+ by anonymous auth
+ by * none
+ - >-
+ {1}to attrs=shadowLastChange
+ by self write
+ by * read
+ - >-
+ {2}to *
+ by users read
+ by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage
+ olcRootDN: '{{ ldap.root_dn }}'
+ olcRootPW: '{{ ldap.root_pw_hash }}'
+ state: exact
+ become: yes
+
+- name: organization top object
+ community.general.ldap_entry:
+ dn: '{{ ldap.base }}'
+ objectClass:
+ - dcObject
+ - organization
+ - top
+ attributes:
+ o: '{{ ldap.o }}'
+ server_uri: ldap://localhost
+ bind_dn: '{{ ldap.root_dn }}'
+ bind_pw: '{{ ldap.root_pw }}'
+
+- name: Create OUs
+ community.general.ldap_entry:
+ dn: 'ou={{ item }},{{ ldap.base }}'
+ objectClass:
+ - organizationalUnit
+ - top
+ attributes:
+ ou: '{{ item }}'
+ server_uri: ldap://localhost
+ bind_dn: '{{ ldap.root_dn }}'
+ bind_pw: '{{ ldap.root_pw }}'
+ loop:
+ - users
+ - apps
+ - groups
+ - unixgroups
+
+- name: Create LDAP Admin group
+ community.general.ldap_entry:
+ dn: 'cn=ldap_admin,ou=groups,{{ ldap.base }}'
+ objectClass:
+ - groupOfNames
+ - top
+ attributes:
+ cn: 'ldap_admin'
+ member: ''
+ server_uri: ldap://localhost
+ bind_dn: '{{ ldap.root_dn }}'
+ bind_pw: '{{ ldap.root_pw }}' |
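Review bot: `when: - cert_changed` in the "Check for changed cert" task references a variable this role never defines (defaults/main.yml only defines `ldap`), so unless another role or the inventory sets it, Ansible fails the task with an undefined-variable error instead of skipping it; `when: cert_changed | default(false)` keeps the intended trigger without that failure. "Configure TLS Certificate" changes the `olcTLS*` attributes under `cn=config` without notifying `Restart slapd`, while "Enable ldaps:636" does; if the targeted slapd does not reload certificate material without a restart, the first TLS-enabling run ends with the ldaps listener on but the new material not loaded, so consider adding `notify: Restart slapd` to that task as well. The `olcAccess` rule `{2}to * by users read` lets every bound account read every attribute of every entry except `userPassword`/`shadowLastChange`, including everything under the `apps` OU; if service accounts should only see their own subtree, narrow the `to` clause. "Enable SSHA Hashes" also selects salted SHA-1 for newly set passwords even though `pw-sha2.la` is loaded, which would allow a stronger scheme such as `{SSHA512}`.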