Change role to use for LDAP server

3 years ago · 5fd4e21d2e
parent cbca659113
commit 5fd4e21d2e
5 changed files with 71 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,5 +1,4 @@
 roles/geerlingguy.*
-roles/criecm.*
 roles/vavrusa.*
 .vault-password
 *.retry
--- a/inventory_template/group_vars/all/vault.yml.template
+++ b/inventory_template/group_vars/all/vault.yml.template
@ -14,3 +14,6 @@ vault_public_key_munin_user_host: SSH_PUB_KEY_OF_munin_user_USER_ON_USER_HOST
 vault_private_key_backup_user_host: |
  SSH_PRIV_KEY_OF_backup_user_USER_ON_USER_HOST
 vault_public_key_backup_user_host: SSH_PUBKEY_OF_backup_user_USER_ON_BACKUP_HOST
+
+vault_ldap_admin_user_password: LDAP_ADMIN_PASSWORD
+vault_ldap_config_admin_user_password: LDAP_CONFIG_ADMIN_PASSWORD
--- a/inventory_template/group_vars/ldap_server.yml
+++ b/inventory_template/group_vars/ldap_server.yml
@ -0,0 +1,67 @@
+---
+
+openldap_schemas:
+  - core
+  - cosine
+  - nis
+  - inetorgperson
+  - rfc2739
+openldap_bases:
+  rootdn: cn=admin
+  suffix: dc=example,dc=org
+  includes: [ slapd.access ]
+  indexes:
+    - [ "uid,uidNumber,gidNumber,memberUID", "pres,eq" ]
+#  slave:
+#    rid: 
+#    provider: ldaps://:636
+#    binddn: cn=bind,dc=dn
+#    credentials: bindpw
+#    bindmethod: simple
+
+ldap_host: "localhost"
+ldap_port: "389"
+
+ldap_root_dn: "dc=example,dc=org"
+ldap_domain: "example.org"
+
+ldap_admin_user_dn: "cn=admin,dc=example,dc=org"
+ldap_admin_user_password: "{{ vault_ldap_admin_user_password }}"
+
+ldap_config_admin_user_dn: "cn=admin,cn=config"
+ldap_config_admin_user_password: "{{ vault_ldap_config_admin_user_password }}"
+
+ldap_people:
+  - userA:
+    uid: userA
+    cn: userA
+    uidNumber: 60012
+    gidNumber: 60012
+  - userB:
+    uid: userB
+    cn: userB
+    uidNumber: 60013
+    gidNumber: 60013
+
+ldap_groups:
+  - marketing:
+    cn: marketing
+    gidNumber: 60002
+    description: "Service MARKETING"
+    memberUid:
+      - userB
+      - userA
+  - it:
+    cn: it
+    gidNumber: 60003
+    description: "Service Informatique"
+
+
+ldap_accounts:
+  - svc-ssh:
+    cn: svc-ssh
+    description: "SSH read user"
+    userPassword: "test"
+
+ldap_applications:
+  - sudoers
--- a/playbook_ldap_deploy.yml
+++ b/playbook_ldap_deploy.yml
@ -1,4 +1,4 @@
 ---
 - hosts: ldap_server
  roles:
-    - criecm.openldap
+    - ldap_server
--- a/requirements.yml
+++ b/requirements.yml
@ -2,5 +2,4 @@
 - name: geerlingguy.munin
 - name: geerlingguy.nginx
 - name: geerlingguy.certbot
- name: criecm.openldap
 - name: vavrusa.knot