path: root/roles/openldap/tasks/main.yml
---
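# Packages for the server itself plus the tooling the rest of this role needs.
- name: Install OpenLDAP
  ansible.builtin.apt:
    name:
      - slapd          # the directory server
      - ldap-utils     # ldapsearch/ldapmodify for operators and debugging
      - openssl        # presumably for handling the TLS material; not called directly here
      - python3-ldap   # python-ldap bindings required by the community.general.ldap_* modules below
    state: present     # was implicit; spelled out so the intent survives a default change
  become: true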

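# Queue a slapd restart when the caller reports renewed TLS material.
# `cert_changed` is expected to be set by whatever deploys the certificate
# (not visible in this file); an unset variable now means "unchanged" instead
# of aborting the play with an undefined-variable error.
- name: Check for changed cert
  ansible.builtin.debug:
    msg: TLS certificate changed, slapd restart has been queued
  changed_when: true  # a "changed" result is what fires the handler; no shell process needed
  when: cert_changed | default(false)
  notify:
    - Restart slapd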

#
# Global server config
#

# TLS material for the server; all three paths are set in a single modify.
# NOTE(review): `ignore_errors` keeps the play going when this modify is
# rejected, but the ldaps:/// listener enabled in the next task then leaves
# slapd unable to restart, far from the real cause. Registering the result and
# failing explicitly would surface it. Attribute order is kept as-is: slapd is
# reported to validate the key file against the certificate when it is set,
# so swapping key and cert here may change the outcome - TODO confirm.
- name: Configure TLS Certificate
  community.general.ldap_attrs:
    dn: cn=config
    state: exact
    attributes:
      olcTLSCACertificateFile: '{{ ldap.tls.ca }}'
      olcTLSCertificateKeyFile: '{{ ldap.tls.key }}'
      olcTLSCertificateFile: '{{ ldap.tls.cert }}'
  when: ldap.tls.enable
  become: true
  ignore_errors: true

# Add the ldaps:// listener (port 636) next to the plain and unix-socket
# listeners. If /etc/default/slapd has no SLAPD_SERVICES line yet, lineinfile
# appends one. Only useful together with the TLS attributes set above.
- name: Enable ldaps:636
  ansible.builtin.lineinfile:
    path: /etc/default/slapd
    regexp: '^SLAPD_SERVICES='
    line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
  when: ldap.tls.enable
  notify: Restart slapd
  become: true

# Load the SHA-2 password hashers, the memberOf overlay and refint.
# NOTE(review): the {0}..{2} prefixes are X-ORDERED indices and are inserted,
# not matched, so they assume nothing else is listed under cn=module{0};
# a stock Debian slapd already loads back_mdb.la there. Check the resulting
# order on a fresh install before relying on it. refint.la is loaded but no
# refint overlay is configured in this file (memberOf brings its own via
# olcMemberOfRefint).
- name: Enable modules
  community.general.ldap_attrs:
    dn: cn=module{0},cn=config
    state: present
    attributes:
      olcModuleLoad:
        - '{0}pw-sha2.la'
        - '{1}memberof.la'
        - '{2}refint.la'
  become: true

# memberOf overlay on the {1}mdb database: derives the memberOf attribute on
# user entries from groupOfNames/member and, with olcMemberOfRefint, keeps it
# consistent when a member entry is renamed or deleted (per slapo-memberof).
# ldap_entry only ensures the entry exists; attribute changes made here after
# the first run are not applied to an existing overlay entry.
- name: Create memberOf Overlay
  community.general.ldap_entry:
    dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
    objectClass:
      - olcOverlayConfig
      - olcMemberOf
    attributes:
      olcMemberOfGroupOC: groupOfNames
      olcMemberOfMemberAD: member
      olcMemberOfMemberOfAD: memberOf
      olcMemberOfRefint: "TRUE"
      olcMemberOfDangling: ignore
  become: true

# Hashing scheme slapd uses for passwords set through the password-modify
# extended operation. NOTE(review): {SSHA} is salted SHA-1; pw-sha2.la is
# loaded above, so {SSHA512} is available. Before switching, check the
# external_auth consumers - the ACL below gives them read on userPassword, and
# anything that verifies hashes itself must understand the new scheme.
- name: Enable SSHA Hashes
  community.general.ldap_attrs:
    dn: olcDatabase={-1}frontend,cn=config
    state: present
    attributes:
      olcPasswordHash: "{SSHA}"
  become: true

# Apply any site schema listed in ldap.schema: one include per list entry,
# which schema.yml sees as `item`. Nothing runs when the list is unset.
- name: Install custom schema
  ansible.builtin.include_tasks: schema.yml
  loop: '{{ ldap.schema | default([]) }}'

#
# schema
#

# This assumes the default Debian slapd setup with {1}mdb already configured,
# so we are just changing a few things on that database. `state: exact`
# replaces whatever olcAccess rules the package installed with the list below.
- name: Configure LDAP schema
  community.general.ldap_attrs:
    dn: olcDatabase={1}mdb,cn=config
    state: exact
    attributes:
      olcSuffix: '{{ ldap.base }}'
      # Rules are evaluated in {n} order; the first rule matching the target
      # attribute decides.
      olcAccess:
        # Password hashes: owners may change their own, anonymous may only
        # bind against them. NOTE(review): `read` for external_auth hands that
        # group the stored hashes themselves; if those consumers can verify by
        # binding instead, `auth` would be the tighter grant.
        - >-
          {0}to attrs=userPassword
          by self write
          by group/groupOfNames/member=cn=external_auth,ou=groups,{{ ldap.base }} read
          by anonymous auth
          by * none
        # Password-age bookkeeping: owner may write; readable by anyone who can
        # see the entry at all (entry access is governed by rule {2}).
        - >-
          {1}to attrs=shadowLastChange
          by self write
          by * read
        # Everything else: any bound user may read, ldap_admin members may
        # manage; anonymous gets nothing here.
        - >-
          {2}to *
          by users read
          by group/groupOfNames/member=cn=ldap_admin,ou=groups,{{ ldap.base }} manage
      olcRootDN: '{{ ldap.root_dn }}'
      # Already hashed, but the task diff prints it on change; add `no_log: true`
      # if hashes must stay out of the run output.
      olcRootPW: '{{ ldap.root_pw_hash }}'
  become: true

# Base entry of the data tree. Unlike the cn=config tasks above this is a
# simple bind as the root DN over plain ldap:// to loopback, so the root
# password crosses the local TCP stack in clear; `ldapi:///` would keep the
# bind on the unix socket - consider switching (applies to the two tasks
# below as well).
- name: organization top object
  community.general.ldap_entry:
    server_uri: ldap://localhost
    bind_dn: '{{ ldap.root_dn }}'
    bind_pw: '{{ ldap.root_pw }}'
    dn: '{{ ldap.base }}'
    objectClass:
      - dcObject
      - organization
      - top
    attributes:
      o: '{{ ldap.o }}'

# Top-level containers under the base. `groups` is where the ACL rules in
# cn=config look for ldap_admin and external_auth.
- name: Create OUs
  community.general.ldap_entry:
    server_uri: ldap://localhost
    bind_dn: '{{ ldap.root_dn }}'
    bind_pw: '{{ ldap.root_pw }}'
    dn: 'ou={{ item }},{{ ldap.base }}'
    objectClass:
      - organizationalUnit
      - top
    attributes:
      ou: '{{ item }}'
  loop:
    - users
    - apps
    - groups
    - unixgroups

# Bootstrap both groups the cn=config ACLs refer to, not just the admin one:
# ldap_admin (manage on the whole tree) and external_auth (read on
# userPassword). Both start empty; `member: ''` satisfies groupOfNames'
# mandatory member attribute with an empty-DN placeholder. Real members have
# to be added by a later task or by hand.
- name: Create LDAP Admin group
  community.general.ldap_entry:
    server_uri: ldap://localhost
    bind_dn: '{{ ldap.root_dn }}'
    bind_pw: '{{ ldap.root_pw }}'
    dn: 'cn={{ item }},ou=groups,{{ ldap.base }}'
    objectClass:
      - groupOfNames
      - top
    attributes:
      cn: '{{ item }}'
      member: ''
  loop:
    - ldap_admin
    - external_auth