Start working on LDAP server role
This commit is contained in:
parent
1b1f616c74
commit
204ada2707
72
roles/ldap_server/defaults/main.yml
Normal file
72
roles/ldap_server/defaults/main.yml
Normal file
|
@ -0,0 +1,72 @@
|
|||
# defaults are debian-compatible
|
||||
---
|
||||
openldap_confdir: /etc/ldap
|
||||
openldap_user: openldap
|
||||
openldap_group: openldap
|
||||
openldap_datadir: /var/lib/ldap
|
||||
openldap_db_engine: mdb
|
||||
openldap_db_maxsize: 1073741824
|
||||
openldap_modsdir: /usr/lib/ldap
|
||||
slapd_package: slapd
|
||||
slapd_service_name: slapd
|
||||
slapd_exec: /usr/sbin/slapd
|
||||
slapd_pidfile: /var/run/slapd/slapd.pid
|
||||
slapd_argsfile: /var/run/slapd/slapd.args
|
||||
|
||||
#openldap_slave_rid: 0
|
||||
openldap_schmas:
|
||||
- core
|
||||
- cosine
|
||||
- inetorgperson
|
||||
- nis
|
||||
|
||||
openldap_tls_cert:
|
||||
openldap_tls_key:
|
||||
openldap_tls_cacert:
|
||||
|
||||
ldap_host: "localhost"
|
||||
ldap_port: "389"
|
||||
|
||||
ldap_root_dn: "dc=example,dc=org"
|
||||
ldap_domain: "example.org"
|
||||
|
||||
ldap_admin_user_dn: "cn=admin,dc=example,dc=org"
|
||||
ldap_admin_user_password: ""
|
||||
|
||||
ldap_config_admin_user_dn: "cn=admin,cn=config"
|
||||
ldap_config_admin_user_password: ""
|
||||
|
||||
ldap_people:
|
||||
- userA:
|
||||
uid: userA
|
||||
cn: userA
|
||||
uidNumber: 60012
|
||||
gidNumber: 60012
|
||||
- userB:
|
||||
uid: userB
|
||||
cn: userB
|
||||
uidNumber: 60013
|
||||
gidNumber: 60013
|
||||
|
||||
ldap_groups:
|
||||
- marketing:
|
||||
cn: marketing
|
||||
gidNumber: 60002
|
||||
description: "Service MARKETING"
|
||||
memberUid:
|
||||
- userB
|
||||
- userA
|
||||
- it:
|
||||
cn: it
|
||||
gidNumber: 60003
|
||||
description: "Service Informatique"
|
||||
|
||||
|
||||
ldap_accounts:
|
||||
- svc-ssh:
|
||||
cn: svc-ssh
|
||||
description: "SSH read user"
|
||||
userPassword: "test"
|
||||
|
||||
ldap_applications:
|
||||
- sudoers
|
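Review bot: The `ldap_people`, `ldap_groups` and `ldap_accounts` items are written as `- userA:` with `uid: userA`, `cn: userA`, … beneath, which makes each item either a one-key mapping `{userA: {uid: …}}` or a mapping carrying a stray null `userA` key, depending on indentation the rendered page has lost; the tasks in ldap_entries.yml and ldap_attributes.yml read `item.uid`, `item.cn` and `item.gidNumber` directly and only work with the flat form. Drop the name key and start each item with its first attribute, `- uid: userA`, so the list shape cannot be misread. `openldap_schmas` is misspelled (`openldap_schemas`), and `openldap_tls_cert:`, `openldap_tls_key:` and `openldap_tls_cacert:` are bare values that parse as null rather than an empty string — write `""` (or `null`) explicitly so the intent is visible to the tasks that will later test them. The `svc-ssh` entry ships with `userPassword: "test"` in role defaults, so any deployment that does not override `ldap_accounts` ends up with a known credential on a bind-capable account; keep the name and description in defaults but leave `userPassword: ""` and make the account tasks fail when it is unset.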
5
roles/ldap_server/handlers/main.yml
Normal file
5
roles/ldap_server/handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
- name: restart slapd
|
||||
service:
|
||||
name: '{{ slapd_service_name }}'
|
||||
state: restarted
|
32
roles/ldap_server/meta/main.yml
Normal file
32
roles/ldap_server/meta/main.yml
Normal file
|
@ -0,0 +1,32 @@
|
|||
galaxy_info:
|
||||
author: Nemo
|
||||
description: deploy and configure OpenLDAP server
|
||||
company: Wirebrass
|
||||
|
||||
license: BSD
|
||||
|
||||
min_ansible_version: 2.4
|
||||
|
||||
platforms:
|
||||
- name: FreeBSD
|
||||
versions:
|
||||
- 11.0
|
||||
- 10.3
|
||||
- name: Debian
|
||||
versions:
|
||||
- jessie
|
||||
- stretch
|
||||
- buster
|
||||
- name: OpenBSD
|
||||
versions:
|
||||
- 6.1
|
||||
|
||||
galaxy_tags:
|
||||
- openldap
|
||||
- ldap
|
||||
- sso
|
||||
- linux
|
||||
|
||||
dependencies: []
|
||||
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
|
||||
# if you add dependencies to this list.
|
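Review bot: The FreeBSD and OpenBSD `versions` entries (`11.0`, `10.3`, `6.1`) are plain scalars and parse as floats rather than the version strings Galaxy expects, while the Debian codenames below them are strings; quote them (`- "11.0"`) and, for the same reason, `min_ansible_version: "2.4"`. This file is also the only one in the commit that does not start with `---`.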
120
roles/ldap_server/tasks/ldap_attributes.yml
Normal file
120
roles/ldap_server/tasks/ldap_attributes.yml
Normal file
|
@ -0,0 +1,120 @@
|
|||
---
|
||||
|
||||
- name: people cn configured
|
||||
ldap_attr:
|
||||
dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
|
||||
name: cn
|
||||
values: "{{ item.cn }}"
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_people }}"
|
||||
when: ldap_people | length > 0
|
||||
|
||||
- name: people loginShell configured
|
||||
ldap_attr:
|
||||
dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
|
||||
name: loginShell
|
||||
values: "/bin/bash"
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_people }}"
|
||||
when: ldap_people | length > 0
|
||||
|
||||
- name: people homeDirectory configured
|
||||
ldap_attr:
|
||||
dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
|
||||
name: homeDirectory
|
||||
values: "/home/{{ item.uid }}"
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_people }}"
|
||||
when: ldap_people | length > 0
|
||||
|
||||
- name: people uidNumber configured
|
||||
ldap_attr:
|
||||
dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
|
||||
name: uidNumber
|
||||
values: "{{ item.uidNumber }}"
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_people }}"
|
||||
when: ldap_people | length > 0
|
||||
|
||||
- name: people gidNumber configured
|
||||
ldap_attr:
|
||||
dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
|
||||
name: gidNumber
|
||||
values: "{{ item.gidNumber }}"
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_people }}"
|
||||
when: ldap_people | length > 0
|
||||
|
||||
- name: groups gidNumber configured
|
||||
ldap_attr:
|
||||
dn: "cn={{ item.cn }},ou=groups,{{ ldap_root_dn }}"
|
||||
name: gidNumber
|
||||
values: "{{ item.gidNumber }}"
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_groups }}"
|
||||
when: ldap_groups | length > 0
|
||||
|
||||
- name: groups description configured
|
||||
ldap_attr:
|
||||
dn: "cn={{ item.cn }},ou=groups,{{ ldap_root_dn }}"
|
||||
name: description
|
||||
values: "{{ item.description }}"
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_groups }}"
|
||||
when: ldap_groups | length > 0
|
||||
|
||||
- name: groups memberUid configured
|
||||
ldap_attr:
|
||||
dn: "cn={{ item.cn }},ou=groups,{{ ldap_root_dn }}"
|
||||
name: memberUid
|
||||
values: "{{ item.memberUid }}"
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_groups }}"
|
||||
when: ldap_groups | length > 0 and item.memberUid is defined and item.memberUid | length > 0
|
||||
|
||||
- name: accounts description configured
|
||||
ldap_attr:
|
||||
dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
|
||||
name: description
|
||||
values: "{{ item.description }}"
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_accounts }}"
|
||||
when: ldap_accounts | length > 0
|
||||
|
||||
- name: accounts userPassword configured
|
||||
ldap_passwd:
|
||||
dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
|
||||
passwd: "{{ item.userPassword }}"
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_accounts }}"
|
||||
when: ldap_accounts | length > 0
|
||||
|
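Review bot: Every task in this file passes `bind_pw: "{{ ldap_admin_user_password }}"` and the last one also passes `passwd: "{{ item.userPassword }}"` as module arguments, but none sets `no_log: true`, so a verbose run or a failed task prints the admin and service passwords into the console output and any configured log; add `no_log: true` to each of these tasks (the same applies to every task in ldap_config.yml and ldap_entries.yml). All binds go to `ldap://{{ ldap_host }}:{{ ldap_port }}/`; with the default `localhost` that stays on the box, but as soon as `ldap_host` is overridden the simple bind sends `ldap_admin_user_password` in cleartext — the role already declares `openldap_tls_*` variables, so either wire them up and set `start_tls: true` on the `ldap_attr`/`ldap_passwd` calls, or bind over `ldapi:///` for local administration. As a point of style, each `when: ldap_people | length > 0` (and the `ldap_groups`/`ldap_accounts` equivalents) is redundant with `loop:`, since a loop over an empty list runs nothing, and the nine near-identical `ldap_attr` tasks could be a single task looping over an entry/attribute product.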
64
roles/ldap_server/tasks/ldap_config.yml
Normal file
64
roles/ldap_server/tasks/ldap_config.yml
Normal file
|
@ -0,0 +1,64 @@
|
|||
---
|
||||
|
||||
- name: anonymous access disabled (cn=config)
|
||||
ldap_attr:
|
||||
dn: "cn=config"
|
||||
name: olcDisallows
|
||||
values: bind_anon
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
|
||||
- name: authentication required (cn=config)
|
||||
ldap_attr:
|
||||
dn: "cn=config"
|
||||
name: olcRequires
|
||||
values: authc
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
|
||||
- name: authentication required (olcDatabase={-1}frontend,cn=config)
|
||||
ldap_attr:
|
||||
dn: "olcDatabase={-1}frontend,cn=config"
|
||||
name: olcRequires
|
||||
values: authc
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
|
||||
- name: authentication required (olcDatabase={0}config,cn=config)
|
||||
ldap_attr:
|
||||
dn: "olcDatabase={0}config,cn=config"
|
||||
name: olcRequires
|
||||
values: authc
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
|
||||
- name: authentication required (olcDatabase={1}mdb,cn=config)
|
||||
ldap_attr:
|
||||
dn: "olcDatabase={1}mdb,cn=config"
|
||||
name: olcRequires
|
||||
values: authc
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
|
||||
- name: aci defined (olcDatabase={1}mdb,cn=config)
|
||||
ldap_attr:
|
||||
dn: "olcDatabase={1}mdb,cn=config"
|
||||
name: olcAccess
|
||||
values:
|
||||
- "{0}to attrs=userPassword by self write by anonymous auth by * none"
|
||||
- "{1}to attrs=shadowLastChange by self write by * read"
|
||||
state: exact
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
|
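Review bot: The `aci defined` task sets `olcAccess` with `state: exact` and only the `userPassword` and `shadowLastChange` rules, so any catch-all rule already present (Debian's packaged config ships a `{2}to * by * read`) is removed and, as far as I recall slapd's evaluation, an entry or attribute matched by no directive is denied; together with `olcDisallows: bind_anon` and `olcRequires: authc` this leaves the `svc-ssh` "read user" from defaults unable to read people or groups at all. Add an explicit final rule such as `- "{2}to * by users read by * none"` (or whatever read policy the role intends) so the result does not depend on what the package installed. The last three tasks also hard-code `olcDatabase={1}mdb,cn=config`, while vars/OpenBSD.yml sets `openldap_db_engine: hdb`; use `dn: "olcDatabase={1}{{ openldap_db_engine }},cn=config"` so the role addresses the database it actually configured on every platform it declares in meta/main.yml.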
101
roles/ldap_server/tasks/ldap_entries.yml
Normal file
101
roles/ldap_server/tasks/ldap_entries.yml
Normal file
|
@ -0,0 +1,101 @@
|
|||
---
|
||||
|
||||
- name: root DN created
|
||||
ldap_entry:
|
||||
dn: "{{ ldap_root_dn }}"
|
||||
objectClass:
|
||||
- dcObject
|
||||
- organization
|
||||
attributes:
|
||||
o: "{{ ldap_domain }}"
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
|
||||
- name: people OU created
|
||||
ldap_entry:
|
||||
dn: "ou=people,{{ ldap_root_dn }}"
|
||||
objectClass:
|
||||
- organizationalUnit
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
|
||||
- name: groups OU created
|
||||
ldap_entry:
|
||||
dn: "ou=groups,{{ ldap_root_dn }}"
|
||||
objectClass:
|
||||
- organizationalUnit
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
|
||||
- name: accounts OU created
|
||||
ldap_entry:
|
||||
dn: "ou=accounts,{{ ldap_root_dn }}"
|
||||
objectClass:
|
||||
- organizationalUnit
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
|
||||
- name: applications OU created
|
||||
ldap_entry:
|
||||
dn: "ou=applications,{{ ldap_root_dn }}"
|
||||
objectClass:
|
||||
- organizationalUnit
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
|
||||
- name: people created
|
||||
ldap_entry:
|
||||
dn: "uid={{ item.uid }},ou=people,{{ ldap_root_dn }}"
|
||||
objectClass:
|
||||
- account
|
||||
- posixAccount
|
||||
- shadowAccount
|
||||
attributes:
|
||||
uid: "{{ item.uid }}"
|
||||
cn: "{{ item.cn }}"
|
||||
loginShell: "/bin/bash"
|
||||
homeDirectory: "/home/{{ item.uid }}"
|
||||
uidNumber: "{{ item.uidNumber }}"
|
||||
gidNumber: "{{ item.gidNumber }}"
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_people }}"
|
||||
when: ldap_people | length > 0
|
||||
|
||||
- name: groups created
|
||||
ldap_entry:
|
||||
dn: "cn={{ item.cn }},ou=groups,{{ ldap_root_dn }}"
|
||||
objectClass:
|
||||
- posixGroup
|
||||
attributes:
|
||||
cn: "{{ item.cn }}"
|
||||
description: "{{ item.description }}"
|
||||
gidNumber: "{{ item.gidNumber }}"
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_groups }}"
|
||||
when: ldap_groups | length > 0
|
||||
|
||||
- name: accounts created
|
||||
ldap_entry:
|
||||
dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
|
||||
objectClass:
|
||||
- simpleSecurityObject
|
||||
- organizationalRole
|
||||
attributes:
|
||||
cn: "{{ item.cn }}"
|
||||
description: "{{ item.description }}"
|
||||
userPassword: "{{ item.userPassword }}"
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_admin_user_password }}"
|
||||
loop: "{{ ldap_accounts }}"
|
||||
when: ldap_accounts | length > 0
|
||||
|
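Review bot: The `accounts created` task adds `userPassword: "{{ item.userPassword }}"` as a plain attribute, and an LDAP add stores the value exactly as given, so the directory holds the cleartext password until the `ldap_passwd` task in ldap_attributes.yml (the password-modify extended operation, which slapd hashes according to `olcPasswordHash`) overwrites it. Drop `userPassword` from the `attributes:` block here and leave password handling to that `ldap_passwd` task. As a point of style, the four OU tasks repeat the same `organizationalUnit` entry; one task with `dn: "ou={{ item }},{{ ldap_root_dn }}"` looping over `[people, groups, accounts, applications]` says the same thing in a quarter of the lines.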
10
roles/ldap_server/tasks/main.yml
Normal file
10
roles/ldap_server/tasks/main.yml
Normal file
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
|
||||
- name: Include OS-specific variables.
|
||||
include_vars: "{{ ansible_os_family }}.yml"
|
||||
|
||||
- include_tasks: package.yml
|
||||
- include_tasks: service.yml
|
||||
- include_tasks: ldap_entries.yml
|
||||
- include_tasks: ldap_attributes.yml
|
||||
- include_tasks: ldap_config.yml
|
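Review bot: `include_vars: "{{ ansible_os_family }}.yml"` fails with a missing-file error on any OS family the role has no vars file for (only Debian, FreeBSD and OpenBSD are provided), even though defaults/main.yml already carries a complete Debian-compatible set; use `with_first_found` with a fallback so unknown families inherit the defaults. Both `ldap_admin_user_password` and `ldap_config_admin_user_password` default to `""`, and a simple bind with a DN and an empty password is an unauthenticated bind that slapd, by default, does not treat as the admin, so every `ldap_entry`/`ldap_attr` task would fail with an unhelpful error on a run that forgot to set them — an `assert` at the top of this file fails fast with a clear message instead. Separately, ldap_entries.yml and ldap_attributes.yml run before ldap_config.yml, so data is loaded under whatever access policy the package shipped and only then hardened; if the `olcAccess` rules are meant to be in force from the first write, include ldap_config.yml first (its tasks bind as the config admin, so nothing in it depends on the entries).
```yaml
- name: admin passwords provided
  assert:
    that:
      - ldap_admin_user_password | length > 0
      - ldap_config_admin_user_password | length > 0
    msg: "ldap_admin_user_password and ldap_config_admin_user_password must be set"

- name: Include OS-specific variables.
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_os_family }}.yml"
    - "default.yml"   # empty vars/default.yml so unknown families keep the role defaults

# … unchanged: include_tasks lines …
```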
6
roles/ldap_server/tasks/package.yml
Normal file
6
roles/ldap_server/tasks/package.yml
Normal file
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- name: install OpenLDAP
|
||||
package:
|
||||
name: "{{ slapd_package }}"
|
||||
state: present
|
||||
|
6
roles/ldap_server/tasks/service.yml
Normal file
6
roles/ldap_server/tasks/service.yml
Normal file
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
- name: slapd started and enabled
|
||||
service:
|
||||
name: '{{ slapd_service_name }}'
|
||||
enabled: true
|
||||
state: started
|
13
roles/ldap_server/vars/Debian.yml
Normal file
13
roles/ldap_server/vars/Debian.yml
Normal file
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
openldap_confdir: /etc/ldap
|
||||
openldap_user: openldap
|
||||
openldap_group: openldap
|
||||
openldap_datadir: /var/lib/ldap
|
||||
openldap_db_engine: mdb
|
||||
openldap_db_maxsize: 1073741824
|
||||
openldap_modsdir: /usr/lib/ldap
|
||||
slapd_package: slapd
|
||||
slapd_service_name: slapd
|
||||
slapd_exec: /usr/sbin/slapd
|
||||
slapd_pidfile: /var/run/slapd/slapd.pid
|
||||
slapd_argsfile: /var/run/slapd/slapd.args
|
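Review bot: Every value in this file is identical to the one in roles/ldap_server/defaults/main.yml, whose header comment already says the defaults are Debian-compatible, so the file adds nothing but a second place to keep in sync. Either drop it (the `include_vars` in tasks/main.yml then needs a fallback for families without a vars file) or keep it as the single source and trim the Debian-specific values from defaults.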
13
roles/ldap_server/vars/FreeBSD.yml
Normal file
13
roles/ldap_server/vars/FreeBSD.yml
Normal file
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
openldap_confdir: /usr/local/etc/openldap
|
||||
openldap_user: ldap
|
||||
openldap_group: ldap
|
||||
openldap_datadir: /var/db/openldap-data
|
||||
openldap_modsdir: /usr/local/libexec/openldap
|
||||
openldap_db_engine: mdb
|
||||
openldap_db_maxsize: 1073741824
|
||||
slapd_package: openldap-sasl-server
|
||||
slapd_service_name: slapd
|
||||
slapd_exec: /usr/local/libexec/slapd
|
||||
slapd_pidfile: /var/run/openldap/slapd.pid
|
||||
slapd_argsfile: /var/run/openldap/slapd.args
|
13
roles/ldap_server/vars/OpenBSD.yml
Normal file
13
roles/ldap_server/vars/OpenBSD.yml
Normal file
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
openldap_confdir: /etc/openldap
|
||||
openldap_user: _openldap
|
||||
openldap_group: _openldap
|
||||
openldap_datadir: /var/openldap-data
|
||||
openldap_db_engine: hdb
|
||||
openldap_db_maxsize: 1073741824
|
||||
openldap_modsdir:
|
||||
slapd_package: openldap-server--
|
||||
slapd_service_name: slapd
|
||||
slapd_exec: /usr/local/libexec/slapd
|
||||
slapd_pidfile: /var/run/openldap/slapd.pid
|
||||
slapd_argsfile: /var/run/openldap/slapd.args
|
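Review bot: `openldap_modsdir:` is a bare key and parses as null rather than an empty string, unlike the path the other two vars files give it; if the intent is "no module directory on OpenBSD", write `openldap_modsdir: ""` (or `null`) so a later `when: openldap_modsdir` test reads as deliberate rather than as a forgotten value.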