From 204ada270742d63519f64eaf1a65649be948a91b Mon Sep 17 00:00:00 2001
From: Nemo
Date: Sat, 8 Aug 2020 16:50:33 +0200
Subject: [PATCH] Start working on LDAP server role

---
roles/ldap_server/defaults/main.yml | 72 ++++++++++++
roles/ldap_server/handlers/main.yml | 5 +
roles/ldap_server/meta/main.yml | 32 ++++++
roles/ldap_server/tasks/ldap_attributes.yml | 120 ++++++++++++++++++++
roles/ldap_server/tasks/ldap_config.yml | 64 +++++++++++
roles/ldap_server/tasks/ldap_entries.yml | 101 ++++++++++++++++
roles/ldap_server/tasks/main.yml | 10 ++
roles/ldap_server/tasks/package.yml | 6 +
roles/ldap_server/tasks/service.yml | 6 +
roles/ldap_server/vars/Debian.yml | 13 +++
roles/ldap_server/vars/FreeBSD.yml | 13 +++
roles/ldap_server/vars/OpenBSD.yml | 13 +++
12 files changed, 455 insertions(+)
create mode 100644 roles/ldap_server/defaults/main.yml
create mode 100644 roles/ldap_server/handlers/main.yml
create mode 100644 roles/ldap_server/meta/main.yml
create mode 100644 roles/ldap_server/tasks/ldap_attributes.yml
create mode 100644 roles/ldap_server/tasks/ldap_config.yml
create mode 100644 roles/ldap_server/tasks/ldap_entries.yml
create mode 100644 roles/ldap_server/tasks/main.yml
create mode 100644 roles/ldap_server/tasks/package.yml
create mode 100644 roles/ldap_server/tasks/service.yml
create mode 100644 roles/ldap_server/vars/Debian.yml
create mode 100644 roles/ldap_server/vars/FreeBSD.yml
create mode 100644 roles/ldap_server/vars/OpenBSD.yml
diff --git a/roles/ldap_server/defaults/main.yml b/roles/ldap_server/defaults/main.yml
new file mode 100644
index 0000000..56ad1fe
--- /dev/null
+++ b/roles/ldap_server/defaults/main.yml
@@ -0,0 +1,72 @@
+# defaults are debian-compatible
+---
+openldap_confdir: /etc/ldap
+openldap_user: openldap
+openldap_group: openldap
+openldap_datadir: /var/lib/ldap
+openldap_db_engine: mdb
+openldap_db_maxsize: 1073741824
+openldap_modsdir: /usr/lib/ldap
+slapd_package: slapd
+slapd_service_name: slapd
+slapd_exec: /usr/sbin/slapd
+slapd_pidfile: /var/run/slapd/slapd.pid
+slapd_argsfile: /var/run/slapd/slapd.args
+
+#openldap_slave_rid: 0
+openldap_schmas:
+ - core
+ - cosine
+ - inetorgperson
+ - nis
+
+openldap_tls_cert:
+openldap_tls_key:
+openldap_tls_cacert:
+
+ldap_host: "localhost"
+ldap_port: "389"
+
+ldap_root_dn: "dc=example,dc=org"
+ldap_domain: "example.org"
+
+ldap_admin_user_dn: "cn=admin,dc=example,dc=org"
+ldap_admin_user_password: ""
+
+ldap_config_admin_user_dn: "cn=admin,cn=config"
+ldap_config_admin_user_password: ""
+
+ldap_people:
+ - userA:
+ uid: userA
+ cn: userA
+ uidNumber: 60012
+ gidNumber: 60012
+ - userB:
+ uid: userB
+ cn: userB
+ uidNumber: 60013
+ gidNumber: 60013
+
+ldap_groups:
+ - marketing:
+ cn: marketing
+ gidNumber: 60002
+ description: "Service MARKETING"
+ memberUid:
+ - userB
+ - userA
+ - it:
+ cn: it
+ gidNumber: 60003
+ description: "Service Informatique"
+
+
+ldap_accounts:
+ - svc-ssh:
+ cn: svc-ssh
+ description: "SSH read user"
+ userPassword: "test"
+
+ldap_applications:
+ - sudoers
diff --git a/roles/ldap_server/handlers/main.yml b/roles/ldap_server/handlers/main.yml
new file mode 100644
index 0000000..7b8bc52
--- /dev/null
+++ b/roles/ldap_server/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart slapd
+ service:
+ name: '{{ slapd_service_name }}'
+ state: restarted
diff --git a/roles/ldap_server/meta/main.yml b/roles/ldap_server/meta/main.yml
new file mode 100644
index 0000000..8c223fe
--- /dev/null
+++ b/roles/ldap_server/meta/main.yml
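Review bot: `ldap_accounts` ships a live default account `svc-ssh` with the literal password `test`, and `ldap_admin_user_password` / `ldap_config_admin_user_password` default to `""`, so a play that applies the role without overriding these creates a bind account with a known password and performs admin binds with an empty one. Default the three entry lists to empty (`ldap_people: []`, `ldap_groups: []`, `ldap_accounts: []`), keep the sample users for the README, and fail early with an `assert` on `ldap_admin_user_password | length > 0`. Each list item is also written as `- userA:` with the attributes beneath it; depending on the indentation (lost in this rendering), `item.uid` in the task files is either undefined or sits beside a spurious `userA: null` key, so drop the name wrapper and make each item a flat mapping. Finally, `openldap_schmas` looks like a typo for `openldap_schemas`, and the bare `openldap_tls_cert:`, `openldap_tls_key:` and `openldap_tls_cacert:` values parse as null and are not read by any task in this patch.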
@@ -0,0 +1,32 @@
+galaxy_info:
+ author: Nemo
+ description: deploy and configure OpenLDAP server
+ company: Wirebrass
+
+ license: BSD
+
+ min_ansible_version: 2.4
+
+ platforms:
+ - name: FreeBSD
+ versions:
+ - 11.0
+ - 10.3
+ - name: Debian
+ versions:
+ - jessie
+ - stretch
+ - buster
+ - name: OpenBSD
+ versions:
+ - 6.1
+
+ galaxy_tags:
+ - openldap
+ - ldap
+ - sso
+ - linux
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
diff --git a/roles/ldap_server/tasks/ldap_attributes.yml b/roles/ldap_server/tasks/ldap_attributes.yml
new file mode 100644
index 0000000..68c6af5
--- /dev/null
+++ b/roles/ldap_server/tasks/ldap_attributes.yml
@@ -0,0 +1,120 @@
+---
+
+- name: people cn configured
+ ldap_attr:
+ dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
+ name: cn
+ values: "{{ item.cn }}"
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_people }}"
+ when: ldap_people | length > 0
+
+- name: people loginShell configured
+ ldap_attr:
+ dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
+ name: loginShell
+ values: "/bin/bash"
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_people }}"
+ when: ldap_people | length > 0
+
+- name: people homeDirectory configured
+ ldap_attr:
+ dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
+ name: homeDirectory
+ values: "/home/{{ item.uid }}"
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_people }}"
+ when: ldap_people | length > 0
+
+- name: people uidNumber configured
+ ldap_attr:
+ dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
+ name: uidNumber
+ values: "{{ item.uidNumber }}"
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_people }}"
+ when: ldap_people | length > 0
+
+- name: people gidNumber configured
+ ldap_attr:
+ dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
+ name: gidNumber
+ values: "{{ item.gidNumber }}"
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_people }}"
+ when: ldap_people | length > 0
+
+- name: groups gidNumber configured
+ ldap_attr:
+ dn: "cn={{ item.cn }},ou=groups,{{ ldap_root_dn }}"
+ name: gidNumber
+ values: 
"{{ item.gidNumber }}"
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_groups }}"
+ when: ldap_groups | length > 0
+
+- name: groups description configured
+ ldap_attr:
+ dn: "cn={{ item.cn }},ou=groups,{{ ldap_root_dn }}"
+ name: description
+ values: "{{ item.description }}"
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_groups }}"
+ when: ldap_groups | length > 0
+
+- name: groups memberUid configured
+ ldap_attr:
+ dn: "cn={{ item.cn }},ou=groups,{{ ldap_root_dn }}"
+ name: memberUid
+ values: "{{ item.memberUid }}"
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_groups }}"
+ when: ldap_groups | length > 0 and item.memberUid is defined and item.memberUid | length > 0
+
+- name: accounts description configured
+ ldap_attr:
+ dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
+ name: description
+ values: "{{ item.description }}"
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_accounts }}"
+ when: ldap_accounts | length > 0
+
+- name: accounts userPassword configured
+ ldap_passwd:
+ dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
+ passwd: "{{ item.userPassword }}"
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_accounts }}"
+ when: ldap_accounts | length > 0
+
diff --git a/roles/ldap_server/tasks/ldap_config.yml b/roles/ldap_server/tasks/ldap_config.yml
new file mode 100644
index 0000000..f603f83
--- /dev/null
+++ b/roles/ldap_server/tasks/ldap_config.yml
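Review bot: `accounts description configured` and `accounts userPassword configured` loop over `ldap_accounts`, whose items carry `userPassword`, so Ansible prints each item — cleartext password included — in the task output and in any log; add `no_log: true` to both (with `loop_control: label: "{{ item.cn }}"` to keep the output readable). Every task also performs a simple bind over plain `ldap://`, which sends `ldap_admin_user_password` in the clear whenever `ldap_host` is not the local machine; the ldap modules accept `start_tls: true`, and the role already declares `openldap_tls_*` variables that nothing consumes. `loginShell` is fixed to `/bin/bash` although meta/main.yml lists FreeBSD and OpenBSD, where bash is not in the base system, so it should be a role variable. The `when: ldap_people | length > 0` guards on looped tasks are redundant, since a loop over an empty list runs nothing.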
@@ -0,0 +1,64 @@
+---
+
+- name: anonymous access disabled (cn=config)
+ ldap_attr:
+ dn: "cn=config"
+ name: olcDisallows
+ values: bind_anon
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_config_admin_user_dn }}"
+ bind_pw: "{{ ldap_config_admin_user_password }}"
+
+- name: authentication required (cn=config)
+ ldap_attr:
+ dn: "cn=config"
+ name: olcRequires
+ values: authc
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_config_admin_user_dn }}"
+ bind_pw: "{{ ldap_config_admin_user_password }}"
+
+- name: authentication required (olcDatabase={-1}frontend,cn=config)
+ ldap_attr:
+ dn: "olcDatabase={-1}frontend,cn=config"
+ name: olcRequires
+ values: authc
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_config_admin_user_dn }}"
+ bind_pw: "{{ ldap_config_admin_user_password }}"
+
+- name: authentication required (olcDatabase={0}config,cn=config)
+ ldap_attr:
+ dn: "olcDatabase={0}config,cn=config"
+ name: olcRequires
+ values: authc
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_config_admin_user_dn }}"
+ bind_pw: "{{ ldap_config_admin_user_password }}"
+
+- name: authentication required (olcDatabase={1}mdb,cn=config)
+ ldap_attr:
+ dn: "olcDatabase={1}mdb,cn=config"
+ name: olcRequires
+ values: authc
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_config_admin_user_dn }}"
+ bind_pw: "{{ ldap_config_admin_user_password }}"
+
+- name: aci defined (olcDatabase={1}mdb,cn=config)
+ ldap_attr:
+ dn: "olcDatabase={1}mdb,cn=config"
+ name: olcAccess
+ values:
+ - "{0}to attrs=userPassword by self write by anonymous auth by * none"
+ - "{1}to attrs=shadowLastChange by self write by * read"
+ state: exact
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_config_admin_user_dn }}"
+ bind_pw: "{{ ldap_config_admin_user_password }}"
+
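Review bot: `aci defined` replaces the whole `olcAccess` list with two attribute-specific rules and no catch-all, so nothing explicitly grants the `svc-ssh` reader or the users read access to `uid`, `cn`, `memberUid` and the other attributes consumers look up; state the intended policy with a third rule, e.g. `- "{2}to * by self write by users read by * none"` if authenticated-only read is the goal (consistent with `olcDisallows: bind_anon` above). The DN `olcDatabase={1}mdb,cn=config` is hardcoded in three tasks while vars/OpenBSD.yml sets `openldap_db_engine: hdb`; use `olcDatabase={1}{{ openldap_db_engine }},cn=config` so the tasks target an entry that exists on every listed platform. All six tasks bind to cn=config with a simple bind and a password that defaults to empty; the Debian package does not set an `olcRootPW` on the config database, so consider `server_uri: ldapi:///` with no `bind_dn` (SASL EXTERNAL as root, which the ldap modules use when `bind_dn` is omitted — please confirm against the module documentation) instead of shipping a second admin password.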
diff --git a/roles/ldap_server/tasks/ldap_entries.yml b/roles/ldap_server/tasks/ldap_entries.yml
new file mode 100644
index 0000000..fe5ee3f
--- /dev/null
+++ b/roles/ldap_server/tasks/ldap_entries.yml
@@ -0,0 +1,101 @@
+---
+
+- name: root DN created
+ ldap_entry:
+ dn: "{{ ldap_root_dn }}"
+ objectClass:
+ - dcObject
+ - organization
+ attributes:
+ o: "{{ ldap_domain }}"
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+
+- name: people OU created
+ ldap_entry:
+ dn: "ou=people,{{ ldap_root_dn }}"
+ objectClass:
+ - organizationalUnit
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+
+- name: groups OU created
+ ldap_entry:
+ dn: "ou=groups,{{ ldap_root_dn }}"
+ objectClass:
+ - organizationalUnit
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+
+- name: accounts OU created
+ ldap_entry:
+ dn: "ou=accounts,{{ ldap_root_dn }}"
+ objectClass:
+ - organizationalUnit
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+
+- name: applications OU created
+ ldap_entry:
+ dn: "ou=applications,{{ ldap_root_dn }}"
+ objectClass:
+ - organizationalUnit
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+
+- name: people created
+ ldap_entry:
+ dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
+ objectClass:
+ - account
+ - posixAccount
+ - shadowAccount
+ attributes:
+ uid: "{{ item.uid }}"
+ cn: "{{ item.cn }}"
+ loginShell: "/bin/bash"
+ homeDirectory: "/home/{{ item.uid }}"
+ uidNumber: "{{ item.uidNumber }}"
+ gidNumber: "{{ item.gidNumber }}"
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_people }}"
+ when: ldap_people | length > 0
+
+- name: groups created
+ ldap_entry:
+ dn: "cn={{ item.cn }},ou=groups,{{ ldap_root_dn 
}}"
+ objectClass:
+ - posixGroup
+ attributes:
+ cn: "{{ item.cn }}"
+ description: "{{ item.description }}"
+ gidNumber: "{{ item.gidNumber }}"
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_groups }}"
+ when: ldap_groups | length > 0
+
+- name: accounts created
+ ldap_entry:
+ dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
+ objectClass:
+ - simpleSecurityObject
+ - organizationalRole
+ attributes:
+ cn: "{{ item.cn }}"
+ description: "{{ item.description }}"
+ userPassword: "{{ item.userPassword }}"
+ server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+ bind_dn: "{{ ldap_admin_user_dn }}"
+ bind_pw: "{{ ldap_admin_user_password }}"
+ loop: "{{ ldap_accounts }}"
+ when: ldap_accounts | length > 0
+
diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml
new file mode 100644
index 0000000..d733864
--- /dev/null
+++ b/roles/ldap_server/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Include OS-specific variables.
+ include_vars: "{{ ansible_os_family }}.yml"
+
+- include_tasks: package.yml
+- include_tasks: service.yml
+- include_tasks: ldap_entries.yml
+- include_tasks: ldap_attributes.yml
+- include_tasks: ldap_config.yml
diff --git a/roles/ldap_server/tasks/package.yml b/roles/ldap_server/tasks/package.yml
new file mode 100644
index 0000000..600d5f7
--- /dev/null
+++ b/roles/ldap_server/tasks/package.yml
@@ -0,0 +1,6 @@
+---
+- name: install OpenLDAP
+ package:
+ name: "{{ slapd_package }}"
+ state: present
+
diff --git a/roles/ldap_server/tasks/service.yml b/roles/ldap_server/tasks/service.yml
new file mode 100644
index 0000000..21c5d7a
--- /dev/null
+++ b/roles/ldap_server/tasks/service.yml
@@ -0,0 +1,6 @@
+---
+- name: slapd started and enabled
+ service:
+ name: '{{ slapd_service_name }}'
+ enabled: true
+ state: started
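Review bot: `accounts created` writes `userPassword: "{{ item.userPassword }}"` as a plain attribute, which slapd stores verbatim (cleartext unless a ppolicy overlay hashes it), and the loop item is printed in the task output, so the password ends up in logs; add `no_log: true`, and since `simpleSecurityObject` requires `userPassword` at creation, either expect a pre-hashed (`{SSHA}…`) value from the caller or document that the `ldap_passwd` task in ldap_attributes.yml replaces it with a hashed value on the following step. The same `no_log` applies to `people created`, which prints every user's attributes. `loginShell: "/bin/bash"` duplicates the hardcoded value in ldap_attributes.yml; both should read one role variable so the two files cannot drift.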
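Review bot: Nothing waits for slapd to accept connections between `include_tasks: service.yml` and `include_tasks: ldap_entries.yml`, so on a fresh install the first `ldap_entry` bind can race the daemon start; insert a `wait_for` task with `host: "{{ ldap_host }}"` and `port: "{{ ldap_port }}"` between them. Note also that the hardening in ldap_config.yml runs last, after the directory has been populated through admin binds against the unhardened server — acceptable while `ldap_host` is localhost, but worth a comment in this file.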
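Review bot: On Debian, installing `slapd` without preseeding lets the package choose the suffix and admin password through debconf, so the `cn=admin,dc=example,dc=org` / `ldap_admin_user_password` binds in the later task files only succeed if those happen to match what the installer generated; either preseed the debconf answers from `ldap_domain` and `ldap_admin_user_password` before this task, or set `olcSuffix`, `olcRootDN` and `olcRootPW` explicitly in ldap_config.yml. This is inferred from how the Debian package behaves rather than from anything in the patch, so please confirm on a clean host.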
diff --git a/roles/ldap_server/vars/Debian.yml b/roles/ldap_server/vars/Debian.yml
new file mode 100644
index 0000000..9f54276
--- /dev/null
+++ b/roles/ldap_server/vars/Debian.yml
@@ -0,0 +1,13 @@
+---
+openldap_confdir: /etc/ldap
+openldap_user: openldap
+openldap_group: openldap
+openldap_datadir: /var/lib/ldap
+openldap_db_engine: mdb
+openldap_db_maxsize: 1073741824
+openldap_modsdir: /usr/lib/ldap
+slapd_package: slapd
+slapd_service_name: slapd
+slapd_exec: /usr/sbin/slapd
+slapd_pidfile: /var/run/slapd/slapd.pid
+slapd_argsfile: /var/run/slapd/slapd.args
diff --git a/roles/ldap_server/vars/FreeBSD.yml b/roles/ldap_server/vars/FreeBSD.yml
new file mode 100644
index 0000000..2ab98fa
--- /dev/null
+++ b/roles/ldap_server/vars/FreeBSD.yml
@@ -0,0 +1,13 @@
+---
+openldap_confdir: /usr/local/etc/openldap
+openldap_user: ldap
+openldap_group: ldap
+openldap_datadir: /var/db/openldap-data
+openldap_modsdir: /usr/local/libexec/openldap
+openldap_db_engine: mdb
+openldap_db_maxsize: 1073741824
+slapd_package: openldap-sasl-server
+slapd_service_name: slapd
+slapd_exec: /usr/local/libexec/slapd
+slapd_pidfile: /var/run/openldap/slapd.pid
+slapd_argsfile: /var/run/openldap/slapd.args
diff --git a/roles/ldap_server/vars/OpenBSD.yml b/roles/ldap_server/vars/OpenBSD.yml
new file mode 100644
index 0000000..3e19025
--- /dev/null
+++ b/roles/ldap_server/vars/OpenBSD.yml
@@ -0,0 +1,13 @@
+---
+openldap_confdir: /etc/openldap
+openldap_user: _openldap
+openldap_group: _openldap
+openldap_datadir: /var/openldap-data
+openldap_db_engine: hdb
+openldap_db_maxsize: 1073741824
+openldap_modsdir:
+slapd_package: openldap-server--
+slapd_service_name: slapd
+slapd_exec: /usr/local/libexec/slapd
+slapd_pidfile: /var/run/openldap/slapd.pid
+slapd_argsfile: /var/run/openldap/slapd.args
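Review bot: vars/Debian.yml repeats defaults/main.yml line for line, and because `vars/` takes precedence over inventory and group vars, it prevents a caller from overriding `openldap_confdir`, `slapd_package` and the rest on Debian hosts. Since the defaults are already labelled "debian-compatible", drop this file, or move the per-OS tables into `defaults/` under one dict keyed by `ansible_os_family` so every value stays overridable.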
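Review bot: `openldap_modsdir:` with no value parses as null, which a template renders as the string `None`; write `openldap_modsdir: ""` (or `null`) explicitly so the intent is visible. `openldap_db_engine: hdb` also conflicts with the `olcDatabase={1}mdb,cn=config` DN hardcoded in ldap_config.yml, so the `olcRequires` and `olcAccess` tasks target an entry that does not exist on OpenBSD unless that DN is derived from this variable.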