From c750bc95a70a12da333550aad36b950f254946d5 Mon Sep 17 00:00:00 2001 
From: Chris Hines <chris.hines@monash.edu> Date: Thu, 20 Nov 2014 04:25:16 +0000 Subject: [PATCH] ldap and karaage roles --- roles/karaage2.7/files/get_ldap_url.py | 28 ++ roles/karaage2.7/handlers/main.yml | 8 + roles/karaage2.7/meta/main.yml | 3 + roles/karaage2.7/tasks/install_via_apt.yml | 29 ++ roles/karaage2.7/tasks/main.yml | 308 ++++++++++++++++++ .../tasks/set_mysql_root_password.yml | 13 + roles/karaage2.7/templates/groups.j2 | 4 + roles/karaage2.7/templates/ldap_conf.j2 | 1 + roles/karaage2.7/templates/main_cf.j2 | 39 +++ .../templates/set_root_passwd_sql.j2 | 3 + roles/karaage2.7/templates/vpac_list.j2 | 2 + roles/karaage2.7/vars/Debian_7.6_x86_64.yml | 11 + roles/ldapserver/meta/main.yml | 3 + roles/ldapserver/tasks/main.yml | 197 +++++++++++ roles/ldapserver/templates/accounts_ldif.j2 | 2 + roles/ldapserver/templates/acls_ldif.j2 | 6 + roles/ldapserver/templates/binddn_ldif.j2 | 5 + .../templates/default_ppolicy_ldif.j2 | 6 + roles/ldapserver/templates/groups_ldif.j2 | 2 + roles/ldapserver/templates/manager_ldif.j2 | 10 + .../templates/ppolicy_moduleload_ldif.j2 | 5 + .../templates/ppolicy_overlay_ldif.j2 | 7 + roles/ldapserver/templates/pwpolicies_ldif.j2 | 4 + roles/ldapserver/templates/root_ldif.j2 | 5 + roles/ldapserver/templates/ssl_ldif.j2 | 9 + roles/ldapserver/vars/CentOS_6.5_x86_64.yml | 5 + roles/ldapserver/vars/main.yml | 4 + scripts/make_passwords.py | 45 +++ 28 files changed, 764 insertions(+) create mode 100755 roles/karaage2.7/files/get_ldap_url.py create mode 100644 roles/karaage2.7/handlers/main.yml create mode 100644 roles/karaage2.7/meta/main.yml create mode 100644 roles/karaage2.7/tasks/install_via_apt.yml create mode 100644 roles/karaage2.7/tasks/main.yml create mode 100644 roles/karaage2.7/tasks/set_mysql_root_password.yml create mode 100644 roles/karaage2.7/templates/groups.j2 create mode 100644 roles/karaage2.7/templates/ldap_conf.j2 create mode 100644 roles/karaage2.7/templates/main_cf.j2 create mode 100644 
roles/karaage2.7/templates/set_root_passwd_sql.j2
create mode 100644 roles/karaage2.7/templates/vpac_list.j2
create mode 100644 roles/karaage2.7/vars/Debian_7.6_x86_64.yml
create mode 100644 roles/ldapserver/meta/main.yml
create mode 100644 roles/ldapserver/tasks/main.yml
create mode 100644 roles/ldapserver/templates/accounts_ldif.j2
create mode 100644 roles/ldapserver/templates/acls_ldif.j2
create mode 100644 roles/ldapserver/templates/binddn_ldif.j2
create mode 100644 roles/ldapserver/templates/default_ppolicy_ldif.j2
create mode 100644 roles/ldapserver/templates/groups_ldif.j2
create mode 100644 roles/ldapserver/templates/manager_ldif.j2
create mode 100644 roles/ldapserver/templates/ppolicy_moduleload_ldif.j2
create mode 100644 roles/ldapserver/templates/ppolicy_overlay_ldif.j2
create mode 100644 roles/ldapserver/templates/pwpolicies_ldif.j2
create mode 100644 roles/ldapserver/templates/root_ldif.j2
create mode 100644 roles/ldapserver/templates/ssl_ldif.j2
create mode 100644 roles/ldapserver/vars/CentOS_6.5_x86_64.yml
create mode 100644 roles/ldapserver/vars/main.yml
create mode 100644 scripts/make_passwords.py
diff --git a/roles/karaage2.7/files/get_ldap_url.py b/roles/karaage2.7/files/get_ldap_url.py
new file mode 100755
index 0000000..65ef984
--- /dev/null
+++ b/roles/karaage2.7/files/get_ldap_url.py
@@ -0,0 +1,28 @@
+#!/usr/bin/python
+import sys
+import json
+filename = sys.argv[1]
+ansible_hostname = sys.argv[2]
+domain = sys.argv[3]
+f=open(filename,'r')
+s=f.read()
+d=json.loads(s)
+f.close()
+hosts={}
+for group in d['groups'].keys():
+ for h in d['groups'][group]:
+ if hosts.has_key(h):
+ pass
+ else:
+ hosts[h] = {}
+
+
+url=""
+try:
+ for host in d['groups']['ldap']:
+ fqdn="%s.%s"%(host,domain)
+ url=url+"ldaps://%s"%fqdn
+except:
+ url="ldaps:///"
+print url
+
diff --git a/roles/karaage2.7/handlers/main.yml b/roles/karaage2.7/handlers/main.yml
new file mode 100644
index 0000000..ed584cc
--- /dev/null
+++ b/roles/karaage2.7/handlers/main.yml
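Review bot: The ldap-host loop appends each `"ldaps://%s"` onto `url` with no separator, so with two or more hosts in the `ldap` group the result is one malformed URI rather than a list; build it with a join, e.g. `url = " ".join("ldaps://%s.%s" % (h, domain) for h in d['groups']['ldap'])`, using whichever separator the consumer of LDAP_URL expects (python-ldap takes a space-separated list). The bare `except:` around that loop turns any failure — a mistyped JSON key included — into the silent fallback `ldaps:///`, which points the client at the local socket; narrow it to `except KeyError:` so only the "no ldap group" case is handled. The `hosts` dict built in the first loop is never read and can go. I do not see this script invoked by any task in the patch, nor `ldapURL` (which tasks/main.yml consumes) defined anywhere, so I assume the wiring comes in a later commit — worth confirming.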
@@ -0,0 +1,8 @@
+---
+- name: restart apache
+ service: name=apache2 state=restarted
+ sudo: true
+
+- name: restart postfix
+ service: name=postfix state=restarted
+ sudo: true
diff --git a/roles/karaage2.7/meta/main.yml b/roles/karaage2.7/meta/main.yml
new file mode 100644
index 0000000..fea9520
--- /dev/null
+++ b/roles/karaage2.7/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: easy-rsa-certificate, x509_csr_args="--server" }
diff --git a/roles/karaage2.7/tasks/install_via_apt.yml b/roles/karaage2.7/tasks/install_via_apt.yml
new file mode 100644
index 0000000..4e947e7
--- /dev/null
+++ b/roles/karaage2.7/tasks/install_via_apt.yml
@@ -0,0 +1,29 @@
+---
+- name: check repo config
+ shell: ls -l /etc/apt/sources.list.d/vpac.list
+ ignore_errors: true
+ register: repoConfigured
+
+- name: add repo key
+ shell: wget http://code.vpac.org/debian/vpac-debian-key.gpg -O - | apt-key add -
+ sudo: true
+ when: repoConfigured|failed
+
+- name: template vpac.list
+ template: src=vpac_list.j2 dest=/etc/apt/sources.list.d/vpac.list
+ sudo: true
+ when: repoConfigured|failed
+
+- name: update cache
+ apt: update_cache=true
+ sudo: true
+ when: repoConfigured|failed
+
+
+- name: install karaage
+ apt: name={{ item }} state=installed
+ sudo: true
+ with_items:
+ - karaage-admin
+ - karaage-registration
+
diff --git a/roles/karaage2.7/tasks/main.yml b/roles/karaage2.7/tasks/main.yml
new file mode 100644
index 0000000..aa90c83
--- /dev/null
+++ b/roles/karaage2.7/tasks/main.yml
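Review bot: The `add repo key` task fetches the repository signing key over plain HTTP and pipes it straight into `apt-key add -`, so the trust anchor for every package later installed from code.vpac.org is itself unauthenticated; download the key to a file, compare its fingerprint against a value pinned in the role, and only then add it (or fetch over HTTPS if the host offers it). The `check repo config` task uses `shell: ls -l` as an existence test; the `stat` module (`stat: path=/etc/apt/sources.list.d/vpac.list`, then `when: not repoConfigured.stat.exists`) does the same without a shell or `ignore_errors`. The `deb http://` lines in vpac_list.j2 share the transport concern, though apt's signature check covers package integrity once the key is trusted.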
@@ -0,0 +1,308 @@
+---
+- include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
+- include_vars: passwords.yml
+
+
+
+- name: install system packages apt
+ apt: name={{ item }} state=installed update_cache=true
+ sudo: true
+ with_items: system_packages
+ when: ansible_os_family == 'Debian'
+
+- name: install system packages yum
+ yum: name={{ item }} state=installed
+ sudo: true
+ with_items: system_packages
+ when: ansible_os_family == 'RedHat'
+
+- include: set_mysql_root_password.yml
+
+- include: install_via_apt.yml
+ when: ansible_os_family == 'Debian'
+
+- name: check kg secret key
+ shell: cat /etc/karaage/global_settings.py | grep "SECRET_KEY = '.*'"
+ sudo: true
+ ignore_errors: true
+ register: kg_secret_key_set
+
+- name: set kg secret key
+ shell: kg_set_secret_key
+ sudo: true
+ when: kg_secret_key_set|failed
+
+- name: mysql db
+ mysql_db: name=karaage login_user=root login_password={{ sqlrootPasswd }}
+
+- name: mysql user
+ mysql_user: name='karaage' password={{ karaageSqlPassword }} priv=karaage.*:ALL state=present login_user=root login_password={{ sqlrootPasswd }}
+
+- name: allow public karaage registrations
+ lineinfile:
+ args:
+ dest: /etc/karaage/registration_settings.py
+ regexp: "#ALLOW_REGISTRATIONS"
+ line: "ALLOW_REGISTRATIONS = True"
+ backrefs: yes
+ sudo: true
+
+# Why not template the whole of global_settings.py?
+# Because I don't know what kg_set_secret_key does so I can't easily template my own secret key
+
+- name: chmod global_settings.py
+ file:
+ args:
+ path: /etc/karaage/global_settings.py
+ owner: root
+ group: "{{ wwwgroup }}"
+ mode: 0640
+ sudo: true
+
+- name: karaage settings db type
+ lineinfile:
+ args:
+ dest: /etc/karaage/global_settings.py
+ regexp: " 'ENGINE': 'django.db.backends.',"
+ line: " 'ENGINE': 'django.db.backends.mysql',"
+ backrefs: yes
+ sudo: true
+
+- name: karaage settings db db
+ lineinfile:
+ args:
+ dest: /etc/karaage/global_settings.py
+ regexp: " 'NAME': '',"
+ line: " 'NAME': 'karaage',"
+ backrefs: yes
+ sudo: true
+
+- name: karaage settings db user
+ lineinfile:
+ args:
+ dest: /etc/karaage/global_settings.py
+ regexp: " 'USER': '',"
+ line: " 'USER': 'karaage',"
+ backrefs: yes
+ sudo: true
+
+- name: karaage settings db password
+ lineinfile:
+ args:
+ dest: /etc/karaage/global_settings.py
+ regexp: " 'PASSWORD': '',"
+ line: " 'PASSWORD': '{{ karaageSqlPassword }}',"
+ backrefs: yes
+ sudo: true
+
+- name: ldap url
+ lineinfile:
+ args:
+ dest: /etc/karaage/global_settings.py
+ regexp: "LDAP_URL ="
+ line: "LDAP_URL = '{{ ldapURL }}'"
+ backrefs: yes
+ sudo: true
+
+- include_vars: "roles/ldapserver/vars/main.yml"
+
+- name: ldap base
+ lineinfile:
+ args:
+ dest: /etc/karaage/global_settings.py
+ regexp: "LDAP_BASE ="
+ line: "LDAP_BASE = '{{ ldapDomain }}'"
+ backrefs: yes
+ sudo: true
+
+- name: ldap user base
+ lineinfile:
+ args:
+ dest: /etc/karaage/global_settings.py
+ regexp: "LDAP_USER_BASE="
+ line: "LDAP_USER_BASE = 'ou=Accounts,{{ ldapDomain }}'"
+ backrefs: yes
+ sudo: true
+
+- name: ldap group base
+ lineinfile:
+ args:
+ dest: /etc/karaage/global_settings.py
+ regexp: "LDAP_GROUP_BASE="
+ line: "LDAP_GROUP_BASE = 'ou=Groups,{{ ldapDomain }}'"
+ backrefs: yes
+ sudo: true
+
+- name: ldap admin user
+ lineinfile:
+ args:
+ dest: /etc/karaage/global_settings.py
+ regexp: "LDAP_ADMIN_USER ="
+ line: "LDAP_ADMIN_USER = 'cn=Manager,{{ ldapDomain }}'"
+ backrefs: yes
+ sudo: true
+
+
+- name: ldap admin passwd
+ lineinfile:
+ args:
+ dest: /etc/karaage/global_settings.py
+ regexp: "LDAP_ADMIN_PASSWORD ="
+ line: "LDAP_ADMIN_PASSWORD = '{{ ldapManagerPassword }}'"
+ backrefs: yes
+ sudo: true
+
+- name: ldap use TLS CA
+ lineinfile:
+ args:
+ dest: /etc/karaage/global_settings.py
+ regexp: "LDAP_USE_TLS ="
+ line: "LDAP_USE_TLS = True"
+ backrefs: yes
+ sudo: true
+
+- name: ldap TLS CA
+ lineinfile:
+ args:
+ dest: /etc/karaage/global_settings.py
+ insertafter: "LDAP_USE_TLS ="
+ line: "LDAP_TLS_CA = '/etc/ssl/certs/ca.crt'"
+ state: present
+ sudo: true
+
+- name: check karaage tables exist
+ shell: echo 'describe auth_user' | mysql -u karaage --password={{ karaageSqlPassword }} karaage
+ ignore_errors: true
+ register: karaageTablesCreated
+
+- name: template ldap.conf
+ template: src=ldap_conf.j2 dest=/etc/ldap/ldap.conf
+ sudo: true
+
+#- name: karaage sql db setup
+# shell: kg-manage syncdb --noinput
+# sudo: true
+# when: karaageTablesCreated|failed
+#
+#- name: karaage sql db migrate
+# shell: yes n | kg-manage migrate --all
+# sudo: true
+#
+# I had to use syncdb --all --noinput migrate --fake then
+ # sudo vi ./dist-packages/tldap/transaction.py
+ # add import tldap.django which causes the connection to be setup. Continue from here trying to setup apache
+ #
+ #
+
+- name: karaage sql syncdb
+ shell: kg-manage syncdb --all --noinput
+ sudo: true
+ when: karaageTablesCreated|failed
+
+- name: karaage sql db migrate
+ shell: kg-manage migrate --fake
+ sudo: true
+ when: karaageTablesCreated|failed
+
+- name: fix up karaage transactions.py
+ lineinfile:
+ args:
+ line: import tldap.django
+ insertafter: import tldap
+ state: present
+ dest: /usr/lib/python2.7/dist-packages/tldap/transaction.py
+ sudo: true
+
+- name: fix up karaage tldap/manager.py
+ lineinfile:
+ args:
+ line: import tldap.django
+ insertafter: import tldap
+ state: present
+ dest: /usr/lib/python2.7/dist-packages/tldap/manager.py
+ sudo: true
+
+- name: enable ssl
+ shell: a2enmod ssl
+ sudo: true
+
+- name: enable wsgi
+ shell: a2enmod wsgi
+ sudo: true
+
+
+
+- name: enable karaage admin
+ command: ln -s /etc/karaage/kgadmin-apache.conf /etc/apache2/conf.d/karaage-admin.conf
+ args:
+ creates: /etc/apache2/conf.d/karaage-admin.conf
+ sudo: true
+ notify: restart apache
+
+- name: enable karaage registration
+ command: ln -s /etc/karaage/kgreg-apache.conf /etc/apache2/conf.d/karaage-registration.conf
+ args:
+ creates: /etc/apache2/conf.d/karaage-registration.conf
+ sudo: true
+ notify: restart apache
+
+- name: make ssl directory
+ file: name=/etc/apache2/ssl state=directory
+ sudo: true
+
+- name: copy ssl key
+ command: cp /etc/ssl/private/server.key /etc/apache2/ssl/server.key
+ args:
+ creates: /etc/apache2/ssl/server.key
+ sudo: true
+
+- name: chmod ssl key
+ file: path=/etc/apache2/ssl/server.key mode=600 owner={{ wwwuser }}
+ sudo: true
+
+- name: copy cert
+ command: cp /etc/ssl/certs/server.crt /etc/apache2/ssl/server.pem
+ sudo: true
+
+- name: enable ssl
+ command: ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/default-ssl
+ args:
+ creates: /etc/apache2/sites-enabled/default-ssl
+ sudo: true
+ notify: restart apache
+
+
+- name: configure postfix
+ template: src=main_cf.j2 dest=/etc/postfix/main.cf
+ sudo: true
+ notify: restart postfix
+
+- name: SSL Cert Chain
+ lineinfile:
+ args:
+ dest: /etc/apache2/sites-enabled/default-ssl
+ regexp: ".*#SSLCertificateChainFile.*"
+ line: " SSLCertificateChainFile /etc/ssl/certs/ca.crt"
+ backrefs: yes
+ sudo: true
+ notify: restart apache
+
+- name: SSL Cert
+ lineinfile:
+ args:
+ dest: /etc/apache2/sites-enabled/default-ssl
+ regexp: ".*SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem"
+ line: " SSLCertificateFile /etc/apache2/ssl/server.pem"
+ backrefs: yes
+ sudo: true
+ notify: restart apache
+
+- name: SSL Key
+ lineinfile:
+ args:
+ dest: /etc/apache2/sites-enabled/default-ssl
+ regexp: ".*SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key"
+ line: " SSLCertificateKeyFile /etc/apache2/ssl/server.key"
+ backrefs: yes
+ sudo: true
+ notify: restart apache
diff --git a/roles/karaage2.7/tasks/set_mysql_root_password.yml b/roles/karaage2.7/tasks/set_mysql_root_password.yml
new file mode 100644
index 0000000..365a18d
--- /dev/null
+++ b/roles/karaage2.7/tasks/set_mysql_root_password.yml
@@ -0,0 +1,13 @@
+---
+
+- name: template secure script
+ template: src=set_root_passwd_sql.j2 dest=/tmp/set_root_passwd.sql mode=600 owner=root
+ sudo: true
+
+- name: run script
+ shell: cat /tmp/set_root_passwd.sql | mysql -u root
+ sudo: true
+ ignore_errors: true
+
+- name: test passwd set
+ shell: echo "show databases" | mysql -u root --password={{ sqlrootPasswd }}
diff --git a/roles/karaage2.7/templates/groups.j2 b/roles/karaage2.7/templates/groups.j2
new file mode 100644
index 0000000..dffc133
--- /dev/null
+++ b/roles/karaage2.7/templates/groups.j2
@@ -0,0 +1,4 @@
+{
+ "groups": {{ groups | to_nice_json }},
+ "hostvars": {{ hostvars | to_nice_json }}
+}
diff --git a/roles/karaage2.7/templates/ldap_conf.j2 b/roles/karaage2.7/templates/ldap_conf.j2
new file mode 100644
index 0000000..0964be7
--- /dev/null
+++ b/roles/karaage2.7/templates/ldap_conf.j2
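Review bot: The `check karaage tables exist` task puts `{{ karaageSqlPassword }}` on the mysql command line, where it is visible to every local user in the process list for the duration of the call and is echoed into the Ansible log as part of the rendered command; add `no_log: true` to that task (and to `mysql db`, `mysql user` and the password-writing `lineinfile` tasks) and pass the credential through a mode-600 `--defaults-extra-file` rather than `--password=`. The `ldap TLS CA` task writes `LDAP_TLS_CA = '/etc/ssl/certs/ca.crt'` while ldap_conf.j2 in this same commit sets `TLS_CACERT /etc/ssl/certs/cacert.pem`; unless both files exist on the karaage host, one of the two TLS validations is likely to fail, so settle on a single path. `copy cert` has no `creates:` guard and so reports changed on every run, unlike the neighbouring `copy ssl key`. `ldapURL`, consumed by the `ldap url` task, is not defined anywhere in this patch, and neither groups.j2 nor get_ldap_url.py is referenced by a task, so that setting may currently be written empty — worth confirming.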
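Review bot: The root password is templated into `/tmp/set_root_passwd.sql` and never removed, so the MySQL root credential persists in /tmp for the lifetime of the host (mode 600 limits readers to root, but the file outlives its purpose); add a final `file: path=/tmp/set_root_passwd.sql state=absent` task, or drop the intermediate file entirely by setting the password with the `mysql_user` module already used in this role. `test passwd set` passes `--password={{ sqlrootPasswd }}` on the command line and none of the three tasks carries `no_log: true`, so the secret lands in process listings and in the Ansible output; `no_log: true` on all three is the minimum. `run script` has `ignore_errors: true`, presumably so a second run (password already set, `mysql -u root` without a password now fails) does not abort the play — a comment saying so would help the next reader.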
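Review bot: Rendering `hostvars | to_nice_json` serialises every variable of every host, which after the role's `include_vars: passwords.yml` will most likely include the password variables, so any file produced from this template becomes a copy of the secrets; get_ldap_url.py only reads the `groups` key, so drop the `hostvars` entry or restrict it to the fields actually needed. No task in this patch references groups.j2, so I assume it is wired in later — please confirm the destination and its permissions before that happens.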
@@ -0,0 +1 @@
+TLS_CACERT /etc/ssl/certs/cacert.pem
diff --git a/roles/karaage2.7/templates/main_cf.j2 b/roles/karaage2.7/templates/main_cf.j2
new file mode 100644
index 0000000..2823b28
--- /dev/null
+++ b/roles/karaage2.7/templates/main_cf.j2
@@ -0,0 +1,39 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+myhostname = {{ ansible_fqdn }}
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+myorigin = {{ ansible_fqdn }}
+mydestination = {{ ansible_fqdn }}, localhost.{{ ansible_domain }}, localhost
+relayhost = {{ smtp_smarthost }}
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = loopback-only
diff --git a/roles/karaage2.7/templates/set_root_passwd_sql.j2 b/roles/karaage2.7/templates/set_root_passwd_sql.j2
new file mode 100644
index 0000000..59fce05
--- /dev/null
+++ b/roles/karaage2.7/templates/set_root_passwd_sql.j2
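Review bot: `relayhost = {{ smtp_smarthost }}` references a variable I cannot find defined anywhere in this patch, so the template will fail to render unless it arrives from inventory; document where it is expected to be set, or give it an explicit default with `{{ smtp_smarthost | default('') }}`. The `smtpd_tls_*` lines keep the Debian snakeoil certificate even though the role installs a real server key for Apache; with `inet_interfaces = loopback-only` the daemon is not reachable from the network, so this is a consistency point rather than an exposure, but a comment saying the snakeoil cert is intentional would stop it being "fixed" later.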
@@ -0,0 +1,3 @@
+SET PASSWORD FOR 'root'@'localhost' = PASSWORD('{{ sqlrootPasswd }}');
+SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('{{ sqlrootPasswd }}');
+SET PASSWORD FOR 'root'@'{{ ansible_hostname }}' = PASSWORD('{{ sqlrootPasswd }}');
diff --git a/roles/karaage2.7/templates/vpac_list.j2 b/roles/karaage2.7/templates/vpac_list.j2
new file mode 100644
index 0000000..5fb9ef5
--- /dev/null
+++ b/roles/karaage2.7/templates/vpac_list.j2
@@ -0,0 +1,2 @@
+deb http://code.vpac.org/debian wheezy main
+deb-src http://code.vpac.org/debian wheezy main
diff --git a/roles/karaage2.7/vars/Debian_7.6_x86_64.yml b/roles/karaage2.7/vars/Debian_7.6_x86_64.yml
new file mode 100644
index 0000000..cd01a2b
--- /dev/null
+++ b/roles/karaage2.7/vars/Debian_7.6_x86_64.yml
@@ -0,0 +1,11 @@
+---
+ system_packages:
+ - python-django
+ - mysql-server
+ - python-mysqldb
+ - ldap-utils
+ - apache2
+ - libapache2-mod-wsgi
+ - postfix
+ wwwuser: www-data
+ wwwgroup: www-data
diff --git a/roles/ldapserver/meta/main.yml b/roles/ldapserver/meta/main.yml
new file mode 100644
index 0000000..fea9520
--- /dev/null
+++ b/roles/ldapserver/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - { role: easy-rsa-certificate, x509_csr_args="--server" }
diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml
new file mode 100644
index 0000000..625ea2b
--- /dev/null
+++ b/roles/ldapserver/tasks/main.yml
@@ -0,0 +1,197 @@
+---
+
+- include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
+- include_vars: passwords.yml
+
+- name: install system packages apt
+ apt: name={{ item }} state=installed update_cache=true
+ sudo: true
+ with_items: system_packages
+ when: ansible_os_family == 'Debian'
+
+- name: install system packages yum
+ yum: name={{ item }} state=installed
+ sudo: true
+ with_items: system_packages
+ when: ansible_os_family == 'RedHat'
+
+- name: hash password
+ command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
+ register: ldapManagerHash
+
+- name: hash binddn password
+ command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapBindDNPassword }}
+ register: ldapBindDNHash
+
+- name: template ssl.ldif
+ template: src=ssl_ldif.j2 dest=/tmp/ssl.ldif mode=600
+
+- name: template manager.ldif
+ template: src=manager_ldif.j2 dest=/tmp/manager.ldif mode=600
+ sudo: true
+
+- name: template binddn.ldif
+ template: src=binddn_ldif.j2 dest=/tmp/binddn.ldif mode=600
+ sudo: true
+
+- name: template root.ldif
+ template: src=root_ldif.j2 dest=/tmp/root.ldif
+
+- name: template accounts.ldif
+ template: src=accounts_ldif.j2 dest=/tmp/accounts.ldif
+
+- name: template groups.ldif
+ template: src=groups_ldif.j2 dest=/tmp/groups.ldif
+
+- name: template acls.ldif
+ template: src=acls_ldif.j2 dest=/tmp/acls.ldif
+
+- name: template ppolicy_moduleload.ldif
+ template: src=ppolicy_moduleload_ldif.j2 dest=/tmp/ppolicy_moduleload.ldif
+
+- name: template ppolicy_overlay.ldif
+ template: src=ppolicy_overlay_ldif.j2 dest=/tmp/ppolicy_overlay.ldif
+
+- name: template pwpolices.ldif
+ template: src=pwpolicies_ldif.j2 dest=/tmp/pwpolicies.ldif
+
+- name: template default_ppolicy.ldif
+ template: src=default_ppolicy_ldif.j2 dest=/tmp/default_ppolicy.ldif
+
+
+- name: copy cert
+ command: cp /etc/ssl/certs/server.crt /etc/openldap/certs/ldapcert.pem
+ sudo: true
+
+- name: copy cacert
+ command: cp /etc/ssl/certs/ca.crt /etc/openldap/certs/cacert.pem
+ sudo: true
+
+- name: copy key
+ command: cp /etc/ssl/private/server.key /etc/openldap/certs/ldapkey.pem
+ sudo: true
+
+- name: chmod key
+ file: path=/etc/openldap/certs/ldapkey.pem owner={{ ldapuser }} group={{ ldapgroup }} mode=600
+ sudo: true
+
+- name: enable ssl centos
+ lineinfile: regexp="SLAPD_LDAPS=no" state=present line="SLAPD_LDAPS=yes" dest=/etc/sysconfig/ldap
+ sudo: true
+ when: ansible_os_family == 'RedHat'
+
+- name: start ldap
+ service: name=slapd state=restarted
+ sudo: true
+
+- name: check TLS config
+ shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem'"
+ ignore_errors: true
+ sudo: true
+ register: tlsConfigured
+
+- name: check Manager config
+ shell: "slapcat -b cn=config | grep 'olcRootDN: cn=Manager,{{ ldapDomain }}'"
+ ignore_errors: true
+ sudo: true
+ register: managerConfigured
+
+- name: check ACL config
+ shell: "slapcat -b cn=config | grep 'olcAccess:' | grep 'cn=Manager'"
+ ignore_errors: true
+ sudo: true
+ register: aclConfigured
+
+
+- name: check DIT config
+ shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b {{ ldapDomain }} objectClass=dcObject"
+ ignore_errors: true
+ register: ditConfigured
+
+- name: check Accounts config
+ shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Accounts,{{ ldapDomain }} objectClass=*"
+ ignore_errors: true
+ register: accountsConfigured
+
+- name: check Groups config
+ shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Groups,{{ ldapDomain }} objectClass=*"
+ ignore_errors: true
+ register: groupsConfigured
+
+- name: check binddn config
+ shell: "ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} objectClass=dcObject"
+ ignore_errors: true
+ register: binddnConfigured
+
+
+- name: initialise server ssl
+ shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config
+ sudo: true
+ when: tlsConfigured|failed
+
+- name: initialise server manager
+ shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config
+ sudo: true
+ when: managerConfigured|failed
+
+- name: initialise server acls
+ shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
+ sudo: true
+ when: aclConfigured|failed
+
+- name: add DIT root
+ shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/root.ldif
+ when: ditConfigured|failed
+
+- name: add Accounts OU
+ shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/accounts.ldif
+ when: accountsConfigured|failed
+
+- name: add Groups OU
+ shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/groups.ldif
+ when: groupsConfigured|failed
+
+- name: add binddn
+ shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/binddn.ldif
+ sudo: true
+ when: binddnConfigured|failed
+
+- name: check ppolicy module loaded
+ shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
+ sudo: true
+ ignore_errors: true
+ register: ppolicyModuleLoaded
+
+- name: load ppolicy module
+ shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_moduleload.ldif -D cn=config
+ sudo: true
+ when: ppolicyModuleLoaded|failed
+
+- name: check ppolicy overlay config
+ shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}bdb,cn=config'"
+ ignore_errors: true
+ sudo: true
+ register: ppolicyOverlayConfigured
+
+- name: add ppolicy overlay
+ shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config
+ sudo: true
+ when: ppolicyOverlayConfigured|failed
+
+- name: check pwpolicies config
+ shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
+ ignore_errors: true
+ register: pwpoliciesConfigured
+
+- name: add pwpolicies
+ shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
+ when: pwpoliciesConfigured|failed
+
+- name: check defaultPwpolicy config
+ shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
+ ignore_errors: true
+ register: defaultPpolicyConfigured
+
+- name: add defaultPwpolicy
+ shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+ when: defaultPpolicyConfigured|failed
diff --git a/roles/ldapserver/templates/accounts_ldif.j2 b/roles/ldapserver/templates/accounts_ldif.j2
new file mode 100644
index 0000000..93e5fd9
--- /dev/null
+++ b/roles/ldapserver/templates/accounts_ldif.j2
@@ -0,0 +1,2 @@
+dn: ou=Accounts,{{ ldapDomain }}
+objectClass: organizationalUnit
diff --git a/roles/ldapserver/templates/acls_ldif.j2 b/roles/ldapserver/templates/acls_ldif.j2
new file mode 100644
index 0000000..631f57e
--- /dev/null
+++ b/roles/ldapserver/templates/acls_ldif.j2
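Review bot: Every `slappasswd -s {{ ... }}`, `ldapsearch -w {{ ... }}` and `ldapadd -w {{ ... }}` invocation in this file places the Manager or binddn password on the command line, where any local user can read it from the process list for the duration of the call and where Ansible records it verbatim in its log; at minimum add `no_log: true` to each of those tasks, and prefer `slappasswd -T <file>` and the ldap clients' `-y <passwordfile>` option with a mode-600 temporary file that is removed afterwards. The `ldapadd -x ... -w` tasks pass no `-H`, so the simple bind goes to whatever URI the client default resolves to — on a fresh host usually unencrypted ldap:// to localhost — and the Manager password crosses the loopback in the clear; pinning `-H ldapi:///` or adding `-ZZ` makes the transport explicit. `/tmp/manager.ldif` and `/tmp/binddn.ldif` carry the password hashes and are never cleaned up, so a closing `file: state=absent` pass over the /tmp/*.ldif files is worth adding. `start ldap` uses `state=restarted`, which bounces slapd on every run; `state=started` plus a handler notified by the config-changing tasks would keep the play idempotent.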
@@ -0,0 +1,6 @@
+dn: olcDatabase={2}bdb,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: {0}to attrs=userPassword by dn="cn=Manager,{{ ldapDomain }}" write by self write by * auth
+olcAccess: {1}to attrs=shadowLastChange by dn="cn=Manager,{{ ldapDomain }}" write by self write by * read
+olcAccess: {2}to * by users read by anonymous auth
diff --git a/roles/ldapserver/templates/binddn_ldif.j2 b/roles/ldapserver/templates/binddn_ldif.j2
new file mode 100644
index 0000000..553885b
--- /dev/null
+++ b/roles/ldapserver/templates/binddn_ldif.j2
@@ -0,0 +1,5 @@
+dn: cn=binddn,ou=Accounts,{{ ldapDomain }}
+objectClass: inetOrgPerson
+cn: binddn
+sn: binddn
+userPassword: {{ ldapBindDNHash.stdout }}
diff --git a/roles/ldapserver/templates/default_ppolicy_ldif.j2 b/roles/ldapserver/templates/default_ppolicy_ldif.j2
new file mode 100644
index 0000000..5d1847d
--- /dev/null
+++ b/roles/ldapserver/templates/default_ppolicy_ldif.j2
@@ -0,0 +1,6 @@
+dn: cn=default,ou=pwpolicies,{{ ldapDomain }}
+objectClass: top
+objectClass: device
+objectClass: pwdPolicy
+pwdAttribute: 2.5.4.35
+cn: default
diff --git a/roles/ldapserver/templates/groups_ldif.j2 b/roles/ldapserver/templates/groups_ldif.j2
new file mode 100644
index 0000000..39890b0
--- /dev/null
+++ b/roles/ldapserver/templates/groups_ldif.j2
@@ -0,0 +1,2 @@
+dn: ou=Groups,{{ ldapDomain }}
+objectClass: organizationalUnit
diff --git a/roles/ldapserver/templates/manager_ldif.j2 b/roles/ldapserver/templates/manager_ldif.j2
new file mode 100644
index 0000000..1038470
--- /dev/null
+++ b/roles/ldapserver/templates/manager_ldif.j2
@@ -0,0 +1,10 @@
+dn: olcDatabase={2}bdb,cn=config
+changetype: modify
+replace: olcSuffix
+olcSuffix: {{ ldapDomain }}
+-
+replace: olcRootDN
+olcRootDN: cn=Manager,{{ ldapDomain }}
+-
+add: olcRootPW
+olcRootPW: {{ ldapManagerHash.stdout }}
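Review bot: `olcDatabase={2}bdb` is hard-coded here (and again in manager_ldif.j2 and ppolicy_overlay_ldif.j2) while the `check ppolicy overlay config` task greps for `olcDatabase={.*}bdb`, so the entry the role writes to is not the one it later checks; on a host whose primary database sits at another index or uses hdb/mdb the modify lands on the wrong entry or fails, so derive the DN from the `slapcat -b cn=config` output the tasks already run, or make it a role variable. The rules themselves read sensibly — userPassword is write-by-self and auth-only for everyone else, and the catch-all grants read to authenticated users only — but `cn=binddn` falls under that catch-all like any user, so it can read shadowLastChange and every other attribute; if it is meant as a narrow service account, a dedicated `by dn="cn=binddn,..." read` clause ahead of `by users` would let the catch-all be tightened later.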
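Review bot: The default policy sets only `pwdAttribute`, so beyond the overlay's `olcPPolicyHashCleartext` it constrains nothing: no `pwdMinLength`, no `pwdMaxFailure`/`pwdLockout` pair (and the overlay sets `olcPPolicyUseLockout: FALSE`), no `pwdInHistory`, no `pwdMaxAge`. If the intent is only to force hashing of cleartext password writes that is fine but should be said in a comment; otherwise add at least `pwdMinLength` and a failure-lockout pair so the policy actually applies to the accounts karaage will create. `objectClass: device` is the usual structural placeholder for a pwdPolicy entry, and a one-line comment saying so would save the next reader a lookup.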
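Review bot: `add: olcRootPW` differs from the `replace:` used for olcSuffix and olcRootDN, and adding a value to a single-valued attribute fails when the database already carries an olcRootPW, so on a host whose stock config has one the `initialise server manager` task would error even though `managerConfigured` said the RootDN was missing; use `replace: olcRootPW` for all three. Because an LDAP modify is applied atomically per entry, that failure would also leave olcSuffix and olcRootDN unchanged, which the `when:` guard would then re-try on every run.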
diff --git a/roles/ldapserver/templates/ppolicy_moduleload_ldif.j2 b/roles/ldapserver/templates/ppolicy_moduleload_ldif.j2
new file mode 100644
index 0000000..084cc60
--- /dev/null
+++ b/roles/ldapserver/templates/ppolicy_moduleload_ldif.j2
@@ -0,0 +1,5 @@
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: /usr/lib64/openldap/
+olcModuleLoad: ppolicy.la
diff --git a/roles/ldapserver/templates/ppolicy_overlay_ldif.j2 b/roles/ldapserver/templates/ppolicy_overlay_ldif.j2
new file mode 100644
index 0000000..942c69c
--- /dev/null
+++ b/roles/ldapserver/templates/ppolicy_overlay_ldif.j2
@@ -0,0 +1,7 @@
+dn: olcOverlay=ppolicy,olcDatabase={2}bdb,cn=config
+olcOverlay: ppolicy
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcPPolicyHashCleartext: TRUE
+olcPPolicyUseLockout: FALSE
+olcPPolicyDefault: cn=default,ou=pwpolicies,{{ ldapDomain }}
diff --git a/roles/ldapserver/templates/pwpolicies_ldif.j2 b/roles/ldapserver/templates/pwpolicies_ldif.j2
new file mode 100644
index 0000000..1f0b93c
--- /dev/null
+++ b/roles/ldapserver/templates/pwpolicies_ldif.j2
@@ -0,0 +1,4 @@
+dn: ou=pwpolicies,{{ ldapDomain }}
+objectClass: organizationalUnit
+objectClass: top
+ou: pwpolicies
diff --git a/roles/ldapserver/templates/root_ldif.j2 b/roles/ldapserver/templates/root_ldif.j2
new file mode 100644
index 0000000..c3a43f3
--- /dev/null
+++ b/roles/ldapserver/templates/root_ldif.j2
@@ -0,0 +1,5 @@
+dn: {{ ldapDomain }}
+objectClass: dcObject
+objectClass: organization
+o: {{ ansible_domain }}
+description: root
diff --git a/roles/ldapserver/templates/ssl_ldif.j2 b/roles/ldapserver/templates/ssl_ldif.j2
new file mode 100644
index 0000000..9d7d804
--- /dev/null
+++ b/roles/ldapserver/templates/ssl_ldif.j2
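Review bot: `olcModulePath: /usr/lib64/openldap/` is the RHEL/CentOS location, yet the role's tasks file carries an apt branch for Debian, where the OpenLDAP modules are installed under a different prefix; move the path into the per-distribution vars file next to `system_packages` (the CentOS one in this patch is the only one that exists so far) so the Debian branch does not load a non-existent module. The same applies to the `cn=module,cn=config` DN, which assumes no module list entry exists yet — the `check ppolicy module loaded` guard covers the re-run case, but a distro whose stock config already has `cn=module{0}` would need `add: olcModuleLoad` on that entry instead.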
@@ -0,0 +1,9 @@
+dn: cn=config
+replace: olcTLSCACertificateFile
+olcTLSCACertificateFile: /etc/openldap/certs/cacert.pem
+-
+replace: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/openldap/certs/ldapcert.pem
+-
+replace: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem
diff --git a/roles/ldapserver/vars/CentOS_6.5_x86_64.yml b/roles/ldapserver/vars/CentOS_6.5_x86_64.yml
new file mode 100644
index 0000000..f789871
--- /dev/null
+++ b/roles/ldapserver/vars/CentOS_6.5_x86_64.yml
@@ -0,0 +1,5 @@
+---
+ system_packages:
+ - openldap-servers
+ - openldap-clients
+ - openssl
diff --git a/roles/ldapserver/vars/main.yml b/roles/ldapserver/vars/main.yml
new file mode 100644
index 0000000..12de2dc
--- /dev/null
+++ b/roles/ldapserver/vars/main.yml
@@ -0,0 +1,4 @@
+---
+ ldapDomain: dc=imbl,dc=massive,dc=org,dc=au
+ ldapuser: ldap
+ ldapgroup: ldap
diff --git a/scripts/make_passwords.py b/scripts/make_passwords.py
new file mode 100644
index 0000000..f9fd8a9
--- /dev/null
+++ b/scripts/make_passwords.py
@@ -0,0 +1,45 @@
+# This program writes a yaml varaible file where each varible is suitable as a password
+# If a variable is not defined it will pick a new random varaible for you
+# If a variable is already defined it will not change
+import random
+import sys
+import string
+import yaml
+
+def new_pass(length):
+ return ''.join(random.choice(string.ascii_uppercase + string.digits+string.ascii_lowercase) for _ in range(length))
+
+# required_passwords is a dictionay consisting of variable names and the length of random password you would like to associate with that variable
+required_passwords={}
+# Passwords for munge and slurm
+required_passwords['mungekey']=32
+# Passwords for karaage and ldap
+required_passwords['ldapManagerPassword']=8
+required_passwords['ldapBindDNPassword']=8
+required_passwords['karaageSqlPassword']=8
+required_passwords['sqlrootPasswd']=8
+
+changed=False
+pwpath='./passwords.yml'
+try:
+ f=open(pwpath,'r')
+ data=yaml.load(f.read())
+ f.close()
+except Exception as e:
+ pass
+if data==None:
+ data={}
+
+print data
+
+for pw in required_passwords.keys():
+ if data.has_key(pw):
+ pass
+ else:
+ data[pw]=new_pass(required_passwords[pw])
+ changed=True
+if changed:
+ f=open(pwpath,'w+')
+ f.write(yaml.dump(data,default_flow_style=False,explicit_start=True))
+ f.close()
+
-- GitLab
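Review bot: On the first run — exactly the case the header comment describes — `open(pwpath)` raises IOError, `except Exception` swallows it, and `data` is never bound, so the following `if data==None` raises NameError before any password is generated; initialise `data = {}` ahead of the `try` and catch only `IOError`. Passwords are drawn with `random.choice`, i.e. the non-cryptographic Mersenne Twister, so switch to `random.SystemRandom().choice` (works on Python 2; `secrets` on 3.6+), and the 8-character lengths chosen for the ldap/sql secrets are short for values that end up in config files and on command lines. `yaml.load` will instantiate arbitrary Python objects from the file and `yaml.safe_load` is sufficient for a flat mapping; the output file is created under the process umask, so `passwords.yml` is typically world-readable and should be opened 0600 (this needs `import os` added to the imports). `print data` dumps every secret to the terminal and into any CI log that runs the script; drop it or print the key names only.
```python
_rng = random.SystemRandom()  # OS entropy, not the Mersenne Twister

def new_pass(length):
    alphabet = string.ascii_uppercase + string.digits + string.ascii_lowercase
    return ''.join(_rng.choice(alphabet) for _ in range(length))

# … unchanged: required_passwords table …

changed = False
pwpath = './passwords.yml'
data = {}
try:
    with open(pwpath, 'r') as f:
        data = yaml.safe_load(f.read()) or {}
except IOError:
    pass  # first run: no passwords.yml yet, start from an empty mapping

# … unchanged: fill in any missing entries (minus the `print data`) …

if changed:
    # create 0600 so a permissive umask cannot leave the secrets world-readable
    fd = os.open(pwpath, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write(yaml.dump(data, default_flow_style=False, explicit_start=True))
```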