---
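# Server, client tools, openssl for certificate handling, and the python-ldap
# bindings that the community.general.ldap_* modules used below depend on.
- name: Install OpenLDAP
  ansible.builtin.apt:
    name:
      - slapd
      - ldap-utils
      - openssl
      - python3-ldap
    state: present
  become: true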
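# Handler trigger only: "cert_changed" is expected to be set by whatever
# produces the certificate. The command does nothing; it exists to report
# "changed" so the Restart slapd handler runs at the end of the play.
- name: Check for changed cert
  ansible.builtin.command: /bin/true
  changed_when: true
  when:
    - cert_changed
  notify:
    - Restart slapd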
#
# Global server config
#
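# Point slapd at the TLS material. No server_uri/bind_dn is given, so the
# module presumably uses the local ldapi:/// socket with SASL EXTERNAL, which
# is why it runs with become.
- name: Configure TLS Certificate
  community.general.ldap_attrs:
    dn: cn=config
    attributes:
      olcTLSCACertificateFile: '{{ ldap.tls.ca }}'
      # Key before certificate: slapd has been reported to reject a
      # certificate whose key it does not yet know, so keep this order.
      olcTLSCertificateKeyFile: '{{ ldap.tls.key }}'
      olcTLSCertificateFile: '{{ ldap.tls.cert }}'
    state: exact
  become: true
  when: ldap.tls.enable
  # NOTE(review): ignore_errors hides a failed TLS setup. The next task still
  # enables ldaps:///, which slapd is likely to refuse to serve without a
  # usable certificate, so a failure here tends to surface later as a failed
  # restart rather than at the task that caused it.
  ignore_errors: true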
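# Add the ldaps (636) listener; plaintext ldap:/// (389) and the local
# ldapi:/// socket remain enabled. Takes effect on the slapd restart.
- name: Enable ldaps:636
  ansible.builtin.lineinfile:
    path: /etc/default/slapd
    regexp: '^SLAPD_SERVICES='
    line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
  become: true
  when: ldap.tls.enable
  notify: Restart slapd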
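# Dynamic modules: pw-sha2 adds the SHA-2 password schemes, memberof
# maintains the memberOf attribute, refint keeps DN references consistent.
# The {n} prefixes are slapd's ordered-value markers and are kept verbatim.
- name: Enable modules
  community.general.ldap_attrs:
    dn: cn=module{0},cn=config
    attributes:
      olcModuleLoad:
        - "{0}pw-sha2.la"
        - "{1}memberof.la"
        - "{2}refint.la"
    state: present
  become: true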
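# memberOf overlay on the {1}mdb database: groupOfNames/member entries get a
# reverse memberOf attribute; dangling references are ignored rather than
# rejected.
- name: Create memberOf Overlay
  community.general.ldap_entry:
    dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
    objectClass:
      - olcOverlayConfig
      - olcMemberOf
    attributes:
      olcMemberOfRefint: "TRUE"
      olcMemberOfDangling: ignore
      olcMemberOfGroupOC: groupOfNames
      olcMemberOfMemberAD: member
      olcMemberOfMemberOfAD: memberOf
  become: true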
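# Default scheme for passwords set through the Password Modify extended
# operation. {SSHA} is salted SHA-1; with pw-sha2 loaded above, {SSHA512}
# would be the stronger choice and is accepted by the same setting.
- name: Enable SSHA Hashes
  community.general.ldap_attrs:
    dn: olcDatabase={-1}frontend,cn=config
    attributes:
      olcPasswordHash: "{SSHA}"
    state: present
  become: true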
#
# schema
#
# This assumes the default Debian slapd setup with {1}mdb already configured,
# so we are just changing a few things
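# Suffix, ACLs and rootdn/rootpw of the {1}mdb database. state: exact makes
# the listed values the complete set, so any other ACL is removed.
- name: Configure LDAP schema
  community.general.ldap_attrs:
    dn: olcDatabase={1}mdb,cn=config
    attributes:
      olcSuffix: '{{ ldap.base }}'
      # slapd evaluates the "by" clauses of a rule in order and stops at the
      # first one that matches, so the ldap_admin group clause has to precede
      # the catch-all "by users" / "by *" clauses; listed after them it never
      # matched and the group effectively had no extra access.
      olcAccess:
        - >-
          {0}to attrs=userPassword
          by self write
          by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} write
          by anonymous auth
          by * none
        - >-
          {1}to attrs=shadowLastChange
          by self write
          by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} write
          by * read
        - >-
          {2}to *
          by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage
          by users read
      olcRootDN: '{{ ldap.root_dn }}'
      olcRootPW: '{{ ldap.root_pw_hash }}'
    state: exact
  become: true
  # The root password hash is passed as a module argument; keep it out of
  # the play output and log.
  no_log: true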
# Root entry of the directory tree (dcObject + organization). Binds as the
# rootdn with the cleartext root password over the loopback ldap:// URI.
- name: organization top object
  community.general.ldap_entry:
    server_uri: ldap://localhost
    bind_dn: "{{ ldap.root_dn }}"
    bind_pw: "{{ ldap.root_pw }}"
    dn: "{{ ldap.base }}"
    objectClass:
      - dcObject
      - organization
      - top
    attributes:
      o: "{{ ldap.o }}"
# One organizationalUnit directly under the base for each name in the loop.
- name: Create OUs
  community.general.ldap_entry:
    server_uri: ldap://localhost
    bind_dn: "{{ ldap.root_dn }}"
    bind_pw: "{{ ldap.root_pw }}"
    dn: "ou={{ item }},{{ ldap.base }}"
    objectClass:
      - organizationalUnit
      - top
    attributes:
      ou: "{{ item }}"
  loop:
    - users
    - apps
    - groups
    - unixgroups
# The group referenced by the olcAccess rules above. groupOfNames requires at
# least one member, so an empty value is used as a placeholder until real
# members are added.
- name: Create LDAP Admin group
  community.general.ldap_entry:
    server_uri: ldap://localhost
    bind_dn: "{{ ldap.root_dn }}"
    bind_pw: "{{ ldap.root_pw }}"
    dn: "cn=ldap_admin,ou=groups,{{ ldap.base }}"
    objectClass:
      - groupOfNames
      - top
    attributes:
      cn: "ldap_admin"
      member: ""