---
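- name: Install OpenLDAP
  # python3-ldap provides the python-ldap bindings that the
  # community.general.ldap_* modules used below need on the target host.
  apt:
    name:
      - slapd
      - ldap-utils
      - openssl
      - python3-ldap
  become: true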
#
# Global server config
#
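- name: Configure TLS Certificate
  # Points slapd at the TLS material named in the inventory. The files are
  # expected to already exist on the host; this task does not create them.
  community.general.ldap_attrs:
    dn: cn=config
    attributes:
      olcTLSCACertificateFile: '{{ ldap.tls.ca }}'
      olcTLSCertificateKeyFile: '{{ ldap.tls.key }}'
      olcTLSCertificateFile: '{{ ldap.tls.cert }}'
    state: exact
  become: true
  when: ldap.tls.enable
  # NOTE(review): a failure here is silently swallowed, yet the next task still
  # switches slapd to ldaps:///. If these attributes were not applied, the
  # restart can fail or the server can come up without the intended TLS
  # settings. Registering the result and asserting on it would surface that.
  ignore_errors: true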
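- name: Enable ldaps:636
  # Adds ldaps:/// to the listener list. Plain ldap:/// on 389 remains enabled
  # as well, so this task alone does not force clients onto TLS.
  lineinfile:
    path: /etc/default/slapd
    regexp: '^SLAPD_SERVICES='
    line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
  become: true
  when: ldap.tls.enable
  notify: Restart slapd  # handler is defined outside this file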
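- name: Enable modules
  community.general.ldap_attrs:
    dn: cn=module{0},cn=config
    attributes:
      olcModuleLoad:
        - "{0}pw-sha2.la"   # SHA-2 password schemes ({SSHA256}, {SSHA512}, ...)
        - "{1}memberof.la"  # required by the memberOf overlay task below
        - "{2}refint.la"    # loaded here; no refint overlay entry is configured in this file
    # present: add any missing values, keep values already in cn=config
    state: present
  become: true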
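- name: Create memberOf Overlay
  # Maintains memberOf on entries referenced by groupOfNames/member. Dangling
  # member references are ignored rather than rejected.
  # NOTE(review): ldap_entry only creates the entry when it is missing; it does
  # not reconcile attributes of an existing overlay entry — confirm if the
  # settings below are later changed.
  community.general.ldap_entry:
    dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
    objectClass:
      - olcOverlayConfig
      - olcMemberOf
    attributes:
      olcMemberOfRefint: "TRUE"
      olcMemberOfDangling: ignore
      olcMemberOfGroupOC: groupOfNames
      olcMemberOfMemberAD: member
      olcMemberOfMemberOfAD: memberOf
  become: true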
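- name: Enable SSHA Hashes
  # Default scheme for passwords set through the Password Modify extended
  # operation. {SSHA} is salted SHA-1; because pw-sha2 is loaded above,
  # {SSHA512} is available if a stronger scheme is wanted.
  community.general.ldap_attrs:
    dn: olcDatabase={-1}frontend,cn=config
    attributes:
      olcPasswordHash: "{SSHA}"
    state: present
  become: true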
- name: Install custom schema
  # One include of schema.yml per entry in ldap.schema; default([]) turns the
  # loop into a no-op when the variable is not defined.
  include_tasks: schema.yml
  loop: "{{ ldap.schema | default([]) }}"
#
# schema
#
# This assumes the default debian slapd setup with {1}mdb already configured,
# so we are just changing a few things
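- name: Configure LDAP schema
  # Despite the task name, this sets database-level config on the Debian
  # default {1}mdb database: suffix, ACLs, root DN and root password hash.
  community.general.ldap_attrs:
    dn: olcDatabase={1}mdb,cn=config
    attributes:
      olcSuffix: '{{ ldap.base }}'
      # with state: exact the configured olcAccess values replace all existing ACLs
      olcAccess: '{{ ldap.access_control }}'
      olcRootDN: '{{ ldap.root_dn }}'
      olcRootPW: '{{ ldap.root_pw_hash }}'
    state: exact
  become: true
  # Keep the root password hash out of task output and logs.
  no_log: true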
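- name: organization top object
  # Creates the base entry of the directory, binding as the root DN over the
  # local listener.
  community.general.ldap_entry:
    dn: '{{ ldap.base }}'
    objectClass:
      - dcObject
      - organization
      - top
    attributes:
      o: '{{ ldap.o }}'
    server_uri: ldap://localhost
    bind_dn: '{{ ldap.root_dn }}'
    bind_pw: '{{ ldap.root_pw }}'
  # bind_pw is the cleartext root password; keep it out of task output and logs.
  no_log: true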
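- name: Create OUs
  # One organizationalUnit directly under the base for each name in ldap.ous.
  community.general.ldap_entry:
    dn: 'ou={{ item }},{{ ldap.base }}'
    objectClass:
      - organizationalUnit
      - top
    attributes:
      ou: '{{ item }}'
    server_uri: ldap://localhost
    bind_dn: '{{ ldap.root_dn }}'
    bind_pw: '{{ ldap.root_pw }}'
  loop: '{{ ldap.ous }}'
  # bind_pw is the cleartext root password; keep it out of task output and logs.
  no_log: true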
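- name: Create LDAP Admin group
  # Creates one groupOfNames per entry in ldap.groupsofnames.names, under the
  # container given by ldap.groupsofnames.in.
  community.general.ldap_entry:
    dn: 'cn={{ item }},{{ ldap.groupsofnames.in }}'
    objectClass:
      - groupOfNames
      - top
    attributes:
      cn: '{{ item }}'
      # groupOfNames requires a member attribute; an empty DN is used as the
      # placeholder so the group can be created before it has real members.
      # NOTE(review): confirm the server accepts this with the memberOf overlay
      # configured above.
      member: ''
    server_uri: ldap://localhost
    bind_dn: '{{ ldap.root_dn }}'
    bind_pw: '{{ ldap.root_pw }}'
  loop: '{{ ldap.groupsofnames.names }}'
  # bind_pw is the cleartext root password; keep it out of task output and logs.
  no_log: true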