Start working on LDAP server role

roles/ldap_server/defaults/main.yml

@@ -0,0 +1,72 @@
+# defaults are debian-compatible
+---
+openldap_confdir: /etc/ldap
+openldap_user: openldap
+openldap_group: openldap
+openldap_datadir: /var/lib/ldap
+openldap_db_engine: mdb
+openldap_db_maxsize: 1073741824
+openldap_modsdir: /usr/lib/ldap
+slapd_package: slapd
+slapd_service_name: slapd
+slapd_exec: /usr/sbin/slapd
+slapd_pidfile: /var/run/slapd/slapd.pid
+slapd_argsfile: /var/run/slapd/slapd.args
+
+#openldap_slave_rid: 0
+openldap_schmas:
+  - core
+  - cosine
+  - inetorgperson
+  - nis
+
+openldap_tls_cert:
+openldap_tls_key:
+openldap_tls_cacert:
+
+ldap_host: "localhost"
+ldap_port: "389"
+
+ldap_root_dn: "dc=example,dc=org"
+ldap_domain: "example.org"
+
+ldap_admin_user_dn: "cn=admin,dc=example,dc=org"
+ldap_admin_user_password: ""
+
+ldap_config_admin_user_dn: "cn=admin,cn=config"
+ldap_config_admin_user_password: ""
+
+ldap_people:
+  - userA:
+    uid: userA
+    cn: userA
+    uidNumber: 60012
+    gidNumber: 60012
+  - userB:
+    uid: userB
+    cn: userB
+    uidNumber: 60013
+    gidNumber: 60013
+
+ldap_groups:
+  - marketing:
+    cn: marketing
+    gidNumber: 60002
+    description: "Service MARKETING"
+    memberUid:
+      - userB
+      - userA
+  - it:
+    cn: it
+    gidNumber: 60003
+    description: "Service Informatique"
+
+
+ldap_accounts:
+  - svc-ssh:
+    cn: svc-ssh
+    description: "SSH read user"
+    userPassword: "test"
+
+ldap_applications:
+  - sudoers

roles/ldap_server/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart slapd
+  service:
+    name: '{{ slapd_service_name }}'
+    state: restarted

roles/ldap_server/meta/main.yml

@@ -0,0 +1,32 @@
+galaxy_info:
+  author: Nemo
+  description: deploy and configure OpenLDAP server
+  company: Wirebrass
+
+  license: BSD
+
+  min_ansible_version: 2.4
+
+  platforms:
+    - name: FreeBSD
+      versions:
+        - 11.0
+        - 10.3
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+        - buster
+    - name: OpenBSD
+      versions:
+        - 6.1
+
+  galaxy_tags:
+    - openldap
+    - ldap
+    - sso
+    - linux
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/ldap_server/tasks/ldap_attributes.yml

@@ -0,0 +1,120 @@
+---
+
+- name: people cn configured
+  ldap_attr:
+    dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
+    name: cn
+    values: "{{ item.cn }}"
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_people }}"
+  when: ldap_people | length > 0
+
+- name: people loginShell configured
+  ldap_attr:
+    dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
+    name: loginShell
+    values: "/bin/bash"
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_people }}"
+  when: ldap_people | length > 0
+
+- name: people homeDirectory configured
+  ldap_attr:
+    dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
+    name: homeDirectory
+    values: "/home/{{ item.uid }}"
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_people }}"
+  when: ldap_people | length > 0
+
+- name: people uidNumber configured
+  ldap_attr:
+    dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
+    name: uidNumber
+    values: "{{ item.uidNumber }}"
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_people }}"
+  when: ldap_people | length > 0
+
+- name: people gidNumber configured
+  ldap_attr:
+    dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
+    name: gidNumber
+    values: "{{ item.gidNumber }}"
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_people }}"
+  when: ldap_people | length > 0
+
+- name: groups gidNumber configured
+  ldap_attr:
+    dn: "cn={{ item.cn }},ou=groups,{{ ldap_root_dn }}"
+    name: gidNumber
+    values: "{{ item.gidNumber }}"
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_groups }}"
+  when: ldap_groups | length > 0
+
+- name: groups description configured
+  ldap_attr:
+    dn: "cn={{ item.cn }},ou=groups,{{ ldap_root_dn }}"
+    name: description
+    values: "{{ item.description }}"
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_groups }}"
+  when: ldap_groups | length > 0
+
+- name: groups memberUid configured
+  ldap_attr:
+    dn: "cn={{ item.cn }},ou=groups,{{ ldap_root_dn }}"
+    name: memberUid
+    values: "{{ item.memberUid }}"
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_groups }}"
+  when: ldap_groups | length > 0 and item.memberUid is defined and item.memberUid | length > 0
+
+- name: accounts description configured
+  ldap_attr:
+    dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
+    name: description
+    values: "{{ item.description }}"
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_accounts }}"
+  when: ldap_accounts | length > 0
+
+- name: accounts userPassword configured
+  ldap_passwd:
+    dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
+    passwd: "{{ item.userPassword }}"
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_accounts }}"
+  when: ldap_accounts | length > 0
+

roles/ldap_server/tasks/ldap_config.yml

@@ -0,0 +1,64 @@
+---
+
+- name: anonymous access disabled (cn=config)
+  ldap_attr:
+    dn: "cn=config"
+    name: olcDisallows
+    values: bind_anon
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+
+- name: authentication required (cn=config)
+  ldap_attr:
+    dn: "cn=config"
+    name: olcRequires
+    values: authc
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+
+- name: authentication required (olcDatabase={-1}frontend,cn=config)
+  ldap_attr:
+    dn: "olcDatabase={-1}frontend,cn=config"
+    name: olcRequires
+    values: authc
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+
+- name: authentication required (olcDatabase={0}config,cn=config)
+  ldap_attr:
+    dn: "olcDatabase={0}config,cn=config"
+    name: olcRequires
+    values: authc
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+
+- name: authentication required (olcDatabase={1}mdb,cn=config)
+  ldap_attr:
+    dn: "olcDatabase={1}mdb,cn=config"
+    name: olcRequires
+    values: authc
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+
+- name: aci defined (olcDatabase={1}mdb,cn=config)
+  ldap_attr:
+    dn: "olcDatabase={1}mdb,cn=config"
+    name: olcAccess
+    values:
+      - "{0}to attrs=userPassword by self write by anonymous auth by * none"
+      - "{1}to attrs=shadowLastChange by self write by * read"
+    state: exact
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+

roles/ldap_server/tasks/ldap_entries.yml

@@ -0,0 +1,101 @@
+---
+
+- name: root DN created
+  ldap_entry:
+    dn: "{{ ldap_root_dn }}"
+    objectClass:
+      - dcObject
+      - organization
+    attributes:
+      o: "{{ ldap_domain }}"
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+
+- name: people OU created
+  ldap_entry:
+    dn: "ou=people,{{ ldap_root_dn }}"
+    objectClass:
+      - organizationalUnit
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+
+- name: groups OU created
+  ldap_entry:
+    dn: "ou=groups,{{ ldap_root_dn }}"
+    objectClass:
+      - organizationalUnit
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+
+- name: accounts OU created
+  ldap_entry:
+    dn: "ou=accounts,{{ ldap_root_dn }}"
+    objectClass:
+      - organizationalUnit
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+
+- name: applications OU created
+  ldap_entry:
+    dn: "ou=applications,{{ ldap_root_dn }}"
+    objectClass:
+      - organizationalUnit
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+
+- name: people created
+  ldap_entry:
+    dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
+    objectClass:
+      - account
+      - posixAccount
+      - shadowAccount
+    attributes:
+      uid: "{{ item.uid }}"
+      cn: "{{ item.cn }}"
+      loginShell: "/bin/bash"
+      homeDirectory: "/home/{{ item.uid }}"
+      uidNumber: "{{ item.uidNumber }}"
+      gidNumber: "{{ item.gidNumber }}"
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_people }}"
+  when: ldap_people | length > 0
+
+- name: groups created
+  ldap_entry:
+    dn: "cn={{ item.cn }},ou=groups,{{ ldap_root_dn }}"
+    objectClass:
+      - posixGroup
+    attributes:
+      cn: "{{ item.cn }}"
+      description: "{{ item.description }}"
+      gidNumber: "{{ item.gidNumber }}"
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_groups }}"
+  when: ldap_groups | length > 0
+
+- name: accounts created
+  ldap_entry:
+    dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
+    objectClass:
+      - simpleSecurityObject
+      - organizationalRole
+    attributes:
+      cn: "{{ item.cn }}"
+      description: "{{ item.description }}"
+      userPassword: "{{ item.userPassword }}"
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_admin_user_dn }}"
+    bind_pw: "{{ ldap_admin_user_password }}"
+  loop: "{{ ldap_accounts }}"
+  when: ldap_accounts | length > 0
+

roles/ldap_server/tasks/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: Include OS-specific variables.
+  include_vars: "{{ ansible_os_family }}.yml"
+
+- include_tasks: package.yml
+- include_tasks: service.yml
+- include_tasks: ldap_entries.yml
+- include_tasks: ldap_attributes.yml
+- include_tasks: ldap_config.yml

roles/ldap_server/tasks/package.yml

@@ -0,0 +1,6 @@
+---
+- name: install OpenLDAP
+  package:
+    name: "{{ slapd_package }}"
+    state: present
+

roles/ldap_server/tasks/service.yml

@@ -0,0 +1,6 @@
+---
+- name: slapd started and enabled
+  service:
+    name: '{{ slapd_service_name }}'
+    enabled: true
+    state: started

roles/ldap_server/vars/Debian.yml

@@ -0,0 +1,13 @@
+---
+openldap_confdir: /etc/ldap
+openldap_user: openldap
+openldap_group: openldap
+openldap_datadir: /var/lib/ldap
+openldap_db_engine: mdb
+openldap_db_maxsize: 1073741824
+openldap_modsdir: /usr/lib/ldap
+slapd_package: slapd
+slapd_service_name: slapd
+slapd_exec: /usr/sbin/slapd
+slapd_pidfile: /var/run/slapd/slapd.pid
+slapd_argsfile: /var/run/slapd/slapd.args

roles/ldap_server/vars/FreeBSD.yml

@@ -0,0 +1,13 @@
+---
+openldap_confdir: /usr/local/etc/openldap
+openldap_user: ldap
+openldap_group: ldap
+openldap_datadir: /var/db/openldap-data
+openldap_modsdir: /usr/local/libexec/openldap
+openldap_db_engine: mdb
+openldap_db_maxsize: 1073741824
+slapd_package: openldap-sasl-server
+slapd_service_name: slapd
+slapd_exec: /usr/local/libexec/slapd
+slapd_pidfile: /var/run/openldap/slapd.pid
+slapd_argsfile: /var/run/openldap/slapd.args

roles/ldap_server/vars/OpenBSD.yml

@@ -0,0 +1,13 @@
+---
+openldap_confdir: /etc/openldap
+openldap_user: _openldap
+openldap_group: _openldap
+openldap_datadir: /var/openldap-data
+openldap_db_engine: hdb
+openldap_db_maxsize: 1073741824
+openldap_modsdir:
+slapd_package: openldap-server--
+slapd_service_name: slapd
+slapd_exec: /usr/local/libexec/slapd
+slapd_pidfile: /var/run/openldap/slapd.pid
+slapd_argsfile: /var/run/openldap/slapd.args