ldap and karaage roles

roles/karaage2.7/files/get_ldap_url.py

+#!/usr/bin/python
+import sys
+import json
+filename = sys.argv[1]
+ansible_hostname = sys.argv[2]
+domain = sys.argv[3]
+f=open(filename,'r')
+s=f.read()
+d=json.loads(s)
+f.close()
+hosts={}
+for group in d['groups'].keys():
+    for h in d['groups'][group]:
+        if hosts.has_key(h):
+            pass
+        else:
+            hosts[h] = {}
+
+
+url=""
+try:
+    for host in d['groups']['ldap']:
+        fqdn="%s.%s"%(host,domain)
+        url=url+"ldaps://%s"%fqdn
+except:
+    url="ldaps:///"
+print url
+	

roles/karaage2.7/handlers/main.yml

+---
+- name: restart apache
+  service: name=apache2 state=restarted
+  sudo: true
+
+- name: restart postfix
+  service: name=postfix state=restarted
+  sudo: true

roles/karaage2.7/meta/main.yml

+---
+dependencies:
+  - { role: easy-rsa-certificate, x509_csr_args="--server" }

roles/karaage2.7/tasks/install_via_apt.yml

+---
+- name: check repo config
+  shell: ls -l /etc/apt/sources.list.d/vpac.list
+  ignore_errors: true
+  register: repoConfigured
+
+- name: add repo key
+  shell: wget http://code.vpac.org/debian/vpac-debian-key.gpg -O - | apt-key add -
+  sudo: true
+  when: repoConfigured|failed
+
+- name: template vpac.list
+  template: src=vpac_list.j2 dest=/etc/apt/sources.list.d/vpac.list
+  sudo: true
+  when: repoConfigured|failed
+
+- name: update cache
+  apt: update_cache=true
+  sudo: true
+  when: repoConfigured|failed
+  
+
+- name: install karaage
+  apt: name={{ item }} state=installed
+  sudo: true
+  with_items:
+    - karaage-admin
+    - karaage-registration
+

roles/karaage2.7/tasks/main.yml

+---
+- include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
+- include_vars: passwords.yml
+
+
+
+- name: install system packages apt
+  apt: name={{ item }} state=installed update_cache=true
+  sudo: true
+  with_items: system_packages
+  when: ansible_os_family == 'Debian'
+
+- name: install system packages yum
+  yum: name={{ item }} state=installed
+  sudo: true
+  with_items: system_packages
+  when: ansible_os_family == 'RedHat'
+
+- include: set_mysql_root_password.yml
+
+- include: install_via_apt.yml
+  when: ansible_os_family == 'Debian'
+
+- name: check kg secret key
+  shell: cat /etc/karaage/global_settings.py | grep "SECRET_KEY = '.*'"
+  sudo: true
+  ignore_errors: true
+  register: kg_secret_key_set
+
+- name: set kg secret key
+  shell: kg_set_secret_key
+  sudo: true
+  when: kg_secret_key_set|failed
+
+- name: mysql db
+  mysql_db: name=karaage login_user=root login_password={{ sqlrootPasswd }}
+
+- name: mysql user
+  mysql_user: name='karaage' password={{ karaageSqlPassword }} priv=karaage.*:ALL state=present login_user=root login_password={{ sqlrootPasswd }}
+
+- name: allow public karaage registrations
+  lineinfile: 
+  args:
+    dest: /etc/karaage/registration_settings.py 
+    regexp: "#ALLOW_REGISTRATIONS" 
+    line: "ALLOW_REGISTRATIONS = True" 
+    backrefs: yes
+  sudo: true
+
+# Why not template the whole of global_settings.py? 
+# Because I don't know what kg_set_secret_key does so I can't easily template my own secret key
+
+- name: chmod global_settings.py
+  file: 
+  args: 
+    path: /etc/karaage/global_settings.py
+    owner: root
+    group: "{{ wwwgroup }}"
+    mode: 0640
+  sudo: true
+
+- name: karaage settings db type
+  lineinfile: 
+  args:
+    dest: /etc/karaage/global_settings.py 
+    regexp: "        'ENGINE': 'django.db.backends.'," 
+    line: "        'ENGINE': 'django.db.backends.mysql'," 
+    backrefs: yes
+  sudo: true
+
+- name: karaage settings db db
+  lineinfile: 
+  args:
+    dest: /etc/karaage/global_settings.py 
+    regexp: "       'NAME': ''," 
+    line: "        'NAME': 'karaage'," 
+    backrefs: yes
+  sudo: true
+
+- name: karaage settings db user
+  lineinfile: 
+  args:
+    dest: /etc/karaage/global_settings.py 
+    regexp: "       'USER': ''," 
+    line: "        'USER': 'karaage'," 
+    backrefs: yes
+  sudo: true
+
+- name: karaage settings db password
+  lineinfile: 
+  args:
+    dest: /etc/karaage/global_settings.py 
+    regexp: "       'PASSWORD': ''," 
+    line: "        'PASSWORD': '{{ karaageSqlPassword }}'," 
+    backrefs: yes
+  sudo: true
+
+- name: ldap url
+  lineinfile:
+  args:
+    dest: /etc/karaage/global_settings.py
+    regexp: "LDAP_URL ="
+    line: "LDAP_URL = '{{ ldapURL }}'"
+    backrefs: yes
+  sudo: true
+
+- include_vars: "roles/ldapserver/vars/main.yml"
+
+- name: ldap base
+  lineinfile:
+  args:
+    dest: /etc/karaage/global_settings.py
+    regexp: "LDAP_BASE ="
+    line: "LDAP_BASE = '{{ ldapDomain }}'"
+    backrefs: yes
+  sudo: true
+
+- name: ldap user base
+  lineinfile:
+  args:
+    dest: /etc/karaage/global_settings.py
+    regexp: "LDAP_USER_BASE="
+    line: "LDAP_USER_BASE = 'ou=Accounts,{{ ldapDomain }}'"
+    backrefs: yes
+  sudo: true
+
+- name: ldap group base
+  lineinfile:
+  args:
+    dest: /etc/karaage/global_settings.py
+    regexp: "LDAP_GROUP_BASE="
+    line: "LDAP_GROUP_BASE = 'ou=Groups,{{ ldapDomain }}'"
+    backrefs: yes
+  sudo: true
+
+- name: ldap admin user
+  lineinfile:
+  args:
+    dest: /etc/karaage/global_settings.py
+    regexp: "LDAP_ADMIN_USER ="
+    line: "LDAP_ADMIN_USER = 'cn=Manager,{{ ldapDomain }}'"
+    backrefs: yes
+  sudo: true
+  
+
+- name: ldap admin passwd
+  lineinfile:
+  args:
+    dest: /etc/karaage/global_settings.py
+    regexp: "LDAP_ADMIN_PASSWORD ="
+    line: "LDAP_ADMIN_PASSWORD = '{{ ldapManagerPassword }}'"
+    backrefs: yes
+  sudo: true
+
+- name: ldap use TLS CA
+  lineinfile:
+  args:
+    dest: /etc/karaage/global_settings.py
+    regexp: "LDAP_USE_TLS ="
+    line: "LDAP_USE_TLS = True"
+    backrefs: yes
+  sudo: true
+
+- name: ldap TLS CA
+  lineinfile:
+  args:
+    dest: /etc/karaage/global_settings.py
+    insertafter: "LDAP_USE_TLS ="
+    line: "LDAP_TLS_CA = '/etc/ssl/certs/ca.crt'"
+    state: present
+  sudo: true
+
+- name: check karaage tables exist
+  shell: echo 'describe auth_user' | mysql -u karaage --password={{ karaageSqlPassword }} karaage
+  ignore_errors: true
+  register: karaageTablesCreated
+  
+- name: template ldap.conf
+  template: src=ldap_conf.j2 dest=/etc/ldap/ldap.conf
+  sudo: true
+
+#- name: karaage sql db setup
+#  shell: kg-manage syncdb --noinput
+#  sudo: true
+#  when: karaageTablesCreated|failed
+#
+#- name: karaage sql db migrate
+#  shell: yes n | kg-manage migrate --all
+#  sudo: true
+#
+# I had to use syncdb --all --noinput migrate --fake then
+      #  sudo vi ./dist-packages/tldap/transaction.py
+      #  add import tldap.django which causes the connection to be setup. Continue from here trying to setup apache
+      #
+      #
+
+- name: karaage sql syncdb
+  shell: kg-manage syncdb --all --noinput
+  sudo: true
+  when: karaageTablesCreated|failed
+
+- name: karaage sql db migrate
+  shell: kg-manage migrate --fake
+  sudo: true
+  when: karaageTablesCreated|failed
+
+- name: fix up karaage transactions.py
+  lineinfile: 
+  args:
+    line: import tldap.django
+    insertafter: import tldap
+    state: present
+    dest: /usr/lib/python2.7/dist-packages/tldap/transaction.py
+  sudo: true
+
+- name: fix up karaage tldap/manager.py
+  lineinfile: 
+  args:
+    line: import tldap.django
+    insertafter: import tldap
+    state: present
+    dest: /usr/lib/python2.7/dist-packages/tldap/manager.py
+  sudo: true
+
+- name: enable ssl
+  shell: a2enmod ssl
+  sudo: true
+
+- name: enable wsgi
+  shell: a2enmod wsgi
+  sudo: true
+
+
+
+- name: enable karaage admin
+  command: ln -s /etc/karaage/kgadmin-apache.conf /etc/apache2/conf.d/karaage-admin.conf
+  args:
+    creates: /etc/apache2/conf.d/karaage-admin.conf
+  sudo: true
+  notify: restart apache
+
+- name: enable karaage registration
+  command: ln -s /etc/karaage/kgreg-apache.conf /etc/apache2/conf.d/karaage-registration.conf
+  args:
+    creates: /etc/apache2/conf.d/karaage-registration.conf
+  sudo: true
+  notify: restart apache
+
+- name: make ssl directory
+  file: name=/etc/apache2/ssl state=directory
+  sudo: true
+
+- name: copy ssl key
+  command: cp /etc/ssl/private/server.key /etc/apache2/ssl/server.key
+  args:
+    creates: /etc/apache2/ssl/server.key
+  sudo: true
+
+- name: chmod ssl key
+  file: path=/etc/apache2/ssl/server.key mode=600 owner={{ wwwuser }}
+  sudo: true
+
+- name: copy cert
+  command: cp /etc/ssl/certs/server.crt /etc/apache2/ssl/server.pem
+  sudo: true
+
+- name: enable ssl
+  command: ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/default-ssl
+  args:
+    creates: /etc/apache2/sites-enabled/default-ssl
+  sudo: true
+  notify: restart apache
+
+
+- name: configure postfix
+  template: src=main_cf.j2 dest=/etc/postfix/main.cf
+  sudo: true
+  notify: restart postfix
+
+- name: SSL Cert Chain
+  lineinfile:
+  args:
+    dest: /etc/apache2/sites-enabled/default-ssl
+    regexp: ".*#SSLCertificateChainFile.*"
+    line: "        SSLCertificateChainFile    /etc/ssl/certs/ca.crt"
+    backrefs: yes
+  sudo: true
+  notify: restart apache
+
+- name: SSL Cert
+  lineinfile:
+  args:
+    dest: /etc/apache2/sites-enabled/default-ssl
+    regexp: ".*SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem"
+    line: "        SSLCertificateFile    /etc/apache2/ssl/server.pem"
+    backrefs: yes
+  sudo: true
+  notify: restart apache
+
+- name: SSL Key
+  lineinfile:
+  args:
+    dest: /etc/apache2/sites-enabled/default-ssl
+    regexp: ".*SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key"
+    line: "        SSLCertificateKeyFile /etc/apache2/ssl/server.key"
+    backrefs: yes
+  sudo: true
+  notify: restart apache

roles/karaage2.7/tasks/set_mysql_root_password.yml

+---
+
+- name: template secure script
+  template: src=set_root_passwd_sql.j2 dest=/tmp/set_root_passwd.sql mode=600 owner=root
+  sudo: true
+
+- name: run script
+  shell: cat /tmp/set_root_passwd.sql | mysql -u root
+  sudo: true
+  ignore_errors: true
+
+- name: test passwd set
+  shell: echo "show databases" | mysql -u root --password={{ sqlrootPasswd }}

roles/karaage2.7/templates/groups.j2

+{ 
+  "groups": {{ groups | to_nice_json }},
+  "hostvars": {{ hostvars | to_nice_json }}
+}

roles/karaage2.7/templates/ldap_conf.j2

+TLS_CACERT /etc/ssl/certs/cacert.pem

roles/karaage2.7/templates/main_cf.j2

+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+myhostname = {{ ansible_fqdn }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin =  {{ ansible_fqdn }}
+mydestination = {{ ansible_fqdn }}, localhost.{{ ansible_domain }}, localhost
+relayhost =  {{ smtp_smarthost }}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = loopback-only

roles/karaage2.7/templates/set_root_passwd_sql.j2

+SET PASSWORD FOR 'root'@'localhost' = PASSWORD('{{ sqlrootPasswd }}');
+SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('{{ sqlrootPasswd }}');
+SET PASSWORD FOR 'root'@'{{ ansible_hostname }}' = PASSWORD('{{ sqlrootPasswd }}');

roles/karaage2.7/templates/vpac_list.j2

+deb     http://code.vpac.org/debian  wheezy main
+deb-src http://code.vpac.org/debian  wheezy main

roles/karaage2.7/vars/Debian_7.6_x86_64.yml

+---
+  system_packages:
+    - python-django
+    - mysql-server
+    - python-mysqldb
+    - ldap-utils
+    - apache2
+    - libapache2-mod-wsgi
+    - postfix
+  wwwuser: www-data
+  wwwgroup: www-data

roles/ldapserver/meta/main.yml

+---
+dependencies:
+  - { role: easy-rsa-certificate, x509_csr_args="--server" }

roles/ldapserver/tasks/main.yml

+---
+
+- include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
+- include_vars: passwords.yml
+
+- name: install system packages apt
+  apt: name={{ item }} state=installed update_cache=true
+  sudo: true
+  with_items: system_packages
+  when: ansible_os_family == 'Debian'
+
+- name: install system packages yum
+  yum: name={{ item }} state=installed
+  sudo: true
+  with_items: system_packages
+  when: ansible_os_family == 'RedHat'
+
+- name: hash password
+  command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
+  register: ldapManagerHash
+
+- name: hash binddn password
+  command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapBindDNPassword }}
+  register: ldapBindDNHash
+
+- name: template ssl.ldif
+  template: src=ssl_ldif.j2 dest=/tmp/ssl.ldif mode=600
+
+- name: template manager.ldif
+  template: src=manager_ldif.j2 dest=/tmp/manager.ldif mode=600
+  sudo: true
+
+- name: template binddn.ldif
+  template: src=binddn_ldif.j2 dest=/tmp/binddn.ldif mode=600
+  sudo: true
+
+- name: template root.ldif
+  template: src=root_ldif.j2 dest=/tmp/root.ldif
+
+- name: template accounts.ldif
+  template: src=accounts_ldif.j2 dest=/tmp/accounts.ldif
+
+- name: template groups.ldif
+  template: src=groups_ldif.j2 dest=/tmp/groups.ldif
+
+- name: template acls.ldif
+  template: src=acls_ldif.j2 dest=/tmp/acls.ldif
+
+- name: template ppolicy_moduleload.ldif
+  template: src=ppolicy_moduleload_ldif.j2 dest=/tmp/ppolicy_moduleload.ldif
+
+- name: template ppolicy_overlay.ldif
+  template: src=ppolicy_overlay_ldif.j2 dest=/tmp/ppolicy_overlay.ldif
+
+- name: template pwpolices.ldif
+  template: src=pwpolicies_ldif.j2 dest=/tmp/pwpolicies.ldif
+
+- name: template default_ppolicy.ldif
+  template: src=default_ppolicy_ldif.j2 dest=/tmp/default_ppolicy.ldif
+
+
+- name: copy cert
+  command: cp /etc/ssl/certs/server.crt /etc/openldap/certs/ldapcert.pem
+  sudo: true
+
+- name: copy cacert
+  command: cp /etc/ssl/certs/ca.crt /etc/openldap/certs/cacert.pem
+  sudo: true
+
+- name: copy key
+  command: cp /etc/ssl/private/server.key /etc/openldap/certs/ldapkey.pem
+  sudo: true
+
+- name: chmod key
+  file: path=/etc/openldap/certs/ldapkey.pem owner={{ ldapuser }} group={{ ldapgroup }} mode=600
+  sudo: true
+
+- name: enable ssl centos
+  lineinfile: regexp="SLAPD_LDAPS=no" state=present line="SLAPD_LDAPS=yes" dest=/etc/sysconfig/ldap
+  sudo: true
+  when: ansible_os_family == 'RedHat'
+
+- name: start ldap
+  service: name=slapd state=restarted
+  sudo: true
+
+- name: check TLS config
+  shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem'"
+  ignore_errors: true
+  sudo: true
+  register: tlsConfigured
+
+- name: check Manager config
+  shell: "slapcat -b cn=config | grep 'olcRootDN: cn=Manager,{{ ldapDomain }}'"
+  ignore_errors: true
+  sudo: true
+  register: managerConfigured
+
+- name: check ACL config
+  shell: "slapcat -b cn=config | grep 'olcAccess:' | grep 'cn=Manager'"
+  ignore_errors: true
+  sudo: true
+  register: aclConfigured
+
+
+- name: check DIT config
+  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b {{ ldapDomain }} objectClass=dcObject"
+  ignore_errors: true
+  register: ditConfigured
+
+- name: check Accounts config
+  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Accounts,{{ ldapDomain }} objectClass=*"
+  ignore_errors: true
+  register: accountsConfigured
+
+- name: check Groups config
+  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Groups,{{ ldapDomain }} objectClass=*"
+  ignore_errors: true
+  register: groupsConfigured
+
+- name: check binddn config
+  shell: "ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} objectClass=dcObject"
+  ignore_errors: true
+  register: binddnConfigured
+
+
+- name: initialise server ssl
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config 
+  sudo: true
+  when: tlsConfigured|failed
+
+- name: initialise server manager
+  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config 
+  sudo: true
+  when: managerConfigured|failed
+
+- name: initialise server acls
+  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
+  sudo: true
+  when: aclConfigured|failed
+
+- name: add DIT root
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/root.ldif
+  when: ditConfigured|failed
+
+- name: add Accounts OU
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/accounts.ldif
+  when: accountsConfigured|failed
+
+- name: add Groups OU
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/groups.ldif
+  when: groupsConfigured|failed
+
+- name: add binddn
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/binddn.ldif
+  sudo: true
+  when: binddnConfigured|failed
+
+- name: check ppolicy module loaded
+  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
+  sudo: true
+  ignore_errors: true
+  register: ppolicyModuleLoaded
+
+- name: load ppolicy module
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_moduleload.ldif -D cn=config 
+  sudo: true
+  when: ppolicyModuleLoaded|failed
+
+- name: check ppolicy overlay config
+  shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}bdb,cn=config'"
+  ignore_errors: true
+  sudo: true
+  register: ppolicyOverlayConfigured
+
+- name: add ppolicy overlay
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config 
+  sudo: true
+  when: ppolicyOverlayConfigured|failed
+
+- name: check pwpolicies config
+  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  ignore_errors: true
+  register: pwpoliciesConfigured
+
+- name: add pwpolicies
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
+  when: pwpoliciesConfigured|failed
+
+- name: check defaultPwpolicy config
+  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  ignore_errors: true
+  register: defaultPpolicyConfigured
+
+- name: add defaultPwpolicy
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+  when: defaultPpolicyConfigured|failed

roles/ldapserver/templates/accounts_ldif.j2

+dn: ou=Accounts,{{ ldapDomain }}
+objectClass: organizationalUnit

roles/ldapserver/templates/acls_ldif.j2

+dn: olcDatabase={2}bdb,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: {0}to attrs=userPassword by dn="cn=Manager,{{ ldapDomain }}" write by self write by * auth
+olcAccess: {1}to attrs=shadowLastChange by dn="cn=Manager,{{ ldapDomain }}" write by self write by * read
+olcAccess: {2}to * by users read by anonymous auth

roles/ldapserver/templates/binddn_ldif.j2

+dn: cn=binddn,ou=Accounts,{{ ldapDomain }}
+objectClass: inetOrgPerson
+cn: binddn
+sn: binddn
+userPassword: {{ ldapBindDNHash.stdout }}

roles/ldapserver/templates/default_ppolicy_ldif.j2

+dn: cn=default,ou=pwpolicies,{{ ldapDomain }}
+objectClass: top
+objectClass: device
+objectClass: pwdPolicy
+pwdAttribute: 2.5.4.35
+cn: default

roles/ldapserver/templates/groups_ldif.j2

+dn: ou=Groups,{{ ldapDomain }}
+objectClass: organizationalUnit

roles/ldapserver/templates/manager_ldif.j2

+dn: olcDatabase={2}bdb,cn=config
+changetype: modify
+replace: olcSuffix
+olcSuffix: {{ ldapDomain }}
+-
+replace: olcRootDN
+olcRootDN: cn=Manager,{{ ldapDomain }}
+-
+add: olcRootPW
+olcRootPW: {{ ldapManagerHash.stdout }}