Commit c8caff82 authored by Jupiter Hu's avatar Jupiter Hu

Merge pull request #16 from l1ll1/build_ldap_and_karaage

Build ldap and karaage
parents 3d165e68 7d770630
Showing
with 684 additions and 8 deletions
---
dependencies:
- { role: easy-rsa-certificate, x509_csr_args="" }
- { role: easy-rsa-certificate, x509_csr_args: "" }
---
dependencies:
- { role: easy-rsa-certificate, x509_csr_args="--server" }
- { role: easy-rsa-certificate, x509_csr_args: "--server" }
---
x509_csr_args: "--server"
x509_cacert_file: "/etc/ssl/certs/cacert.pem"
x509_key_file: "/etc/ssl/private/server.key"
x509_cert_file: "/etc/ssl/certs/server.pem"
x509_cacert_file: "/etc/ssl/certs/ca.crt"
x509_key_file: "/etc/openvpn/private/server.key"
x509_cert_file: "/etc/openvpn/certs/server.crt"
x509_common_name: "{{ ansible_fqdn }}_OpenVPN_Server"
dhparms_file: "/etc/ssl/private/dh.pem"
dhparms_file: "/etc/openvpn/private/dh.pem"
---
allow_duplicates: yes
dependencies:
- {role: easy-rsa-common }
......@@ -39,7 +39,7 @@
when: needcert
- name: "Creating CSR"
shell: " cd /etc/easy-rsa/2.0; source ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA\"/pkitool --csr {{ x509_csr_args }} {{ x509_common_name }}"
shell: " cd /etc/easy-rsa/2.0; . ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA\"/pkitool --csr {{ x509_csr_args }} {{ x509_common_name }}"
args:
creates: "/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.key"
when: needcert
......@@ -51,26 +51,30 @@
when: needcert
- name: "Copy CSR to CA"
remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
delegate_to: "{{ x509_ca_server }}"
copy: "src=/tmp/{{ x509_common_name }}.csr dest=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.csr force=yes"
when: needcert
sudo: true
- name: "Sign Certificate"
remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
delegate_to: "{{ x509_ca_server }}"
shell: "source ./vars; export EASY_RSA=\"${EASY_RSA:-.}\" ;\"$EASY_RSA\"/pkitool --sign {{ x509_sign_args }} {{ x509_common_name }}"
shell: ". ./vars; export EASY_RSA=\"${EASY_RSA:-.}\" ;\"$EASY_RSA\"/pkitool --sign {{ x509_sign_args }} {{ x509_common_name }}"
args:
chdir: "/etc/easy-rsa/2.0"
creates: "/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.crt"
sudo: true
- name: "Copy the Certificate to ansible host"
remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
delegate_to: "{{ x509_ca_server }}"
fetch: "src=/etc/easy-rsa/2.0/keys/{{ x509_common_name }}.crt dest=/tmp/ fail_on_missing=yes validate_md5=yes flat=yes"
sudo: true
when: needcert
- name: "Copy the CA Certificate to the ansible host"
remote_user: "{{ hostvars[x509_ca_server]['ansible_ssh_user'] }}"
delegate_to: "{{ x509_ca_server }}"
fetch: "src=/etc/easy-rsa/2.0/keys/ca.crt dest=/tmp/ca.crt fail_on_missing=yes validate_md5=yes flat=yes"
sudo: true
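Review bot: The request the CA signs is read from a predictable, world-writable path on the control host — `src=/tmp/{{ x509_common_name }}.csr` in the `Copy CSR to CA` task — and the signed certificate and CA certificate are fetched back into `/tmp/` with `flat=yes`, so any other local user on the controller can replace the CSR before the CA signs it or swap the certificate afterwards; staging these files under a directory private to the Ansible user (mode 0700) closes that window. The `Sign Certificate` and `Creating CSR` shell lines also splice `{{ x509_csr_args }}` and `{{ x509_common_name }}` into the command unquoted, and the role's default CN is built from `{{ ansible_fqdn }}`, a fact reported by the managed host, so a host that controls its own FQDN can inject into the shell that runs on the CA server; at minimum single-quote the CN, e.g. `\"$EASY_RSA\"/pkitool --sign {{ x509_sign_args }} '{{ x509_common_name }}'`. Unlike its neighbours, `Sign Certificate` carries no `when: needcert` guard and relies on `creates:` alone, which is worth a comment if intentional. The task list continues outside this hunk.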
......
......@@ -3,9 +3,31 @@
name: "Installing easy-rsa"
yum: "name=easy-rsa state=latest"
sudo: True
when: ansible_os_family == 'RedHat'
-
name: "Installing easy-rsa"
apt: "name=openvpn state=present"
sudo: True
when: ansible_os_family == 'Debian'
-
name: "Moving easy-rsa to /etc"
shell: "cp -rf /usr/share/easy-rsa /etc/"
args:
creates: /etc/easy-rsa
sudo: True
when: ansible_os_family == 'RedHat'
-
name: "Moving easy-rsa to /etc"
shell: "cp -rf /usr/share/doc/openvpn/examples/easy-rsa /etc/"
args:
creates: /etc/easy-rsa
sudo: True
when: ansible_os_family == 'Debian'
register: installed
- name: "Clean all"
shell: " cd /etc/easy-rsa/2.0; . ./vars; export EASY_RSA=\"${EASY_RSA:-.}\"; \"$EASY_RSA\"/clean-all"
args:
creates: "/etc/easy-rsa/2.0/keys/"
when: installed|changed
sudo: true
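Review bot: `register: installed` is attached only to the Debian copy task (the line after `when: ansible_os_family == 'Debian'`), so on RedHat hosts `installed` holds the skipped result, `installed|changed` is never true, and the `Clean all` task that initialises `/etc/easy-rsa/2.0/keys/` is never run there. Either register both copy tasks (`register: installed_rh` / `register: installed_deb`) and use `when: installed_rh|changed or installed_deb|changed`, or drop the `when:` entirely since `creates: "/etc/easy-rsa/2.0/keys/"` already makes the task idempotent and protects an existing CA from being wiped by `clean-all`. `yum: "name=easy-rsa state=latest"` will also upgrade the package on every run, which is probably not intended for CA tooling; `state=present` matches the Debian task. The task list begins before this hunk.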
#!/usr/bin/python
import sys
import json
filename = sys.argv[1]
ansible_hostname = sys.argv[2]
domain = sys.argv[3]
f=open(filename,'r')
s=f.read()
d=json.loads(s)
f.close()
hosts={}
for group in d['groups'].keys():
for h in d['groups'][group]:
if hosts.has_key(h):
pass
else:
hosts[h] = {}
url=""
try:
for host in d['groups']['ldap']:
fqdn="%s.%s"%(host,domain)
url=url+"ldaps://%s"%fqdn
except:
url="ldaps:///"
print url
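Review bot: With more than one host in the `ldap` group the loop concatenates URLs with no separator — `url=url+"ldaps://%s"%fqdn` yields `ldaps://a.example.orgldaps://b.example.org` — so the first name is corrupted and the second server is never reachable; `url = " ".join("ldaps://%s.%s" % (h, domain) for h in d['groups']['ldap'])` produces the space-separated form LDAP clients expect. The bare `except:` then hides every error, including a missing `ldap` group, which silently degrades to `ldaps:///`; narrow it to `except KeyError:` so a mistyped group name is visible. The `hosts` dict built from `d['groups']` and the `ansible_hostname` argument are never used and can be removed.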
---
- name: restart apache
service: name=apache2 state=restarted
sudo: true
- name: restart postfix
service: name=postfix state=restarted
sudo: true
---
dependencies:
- { role: easy-rsa-certificate, x509_csr_args: "--server" }
---
- name: check repo config
shell: ls -l /etc/apt/sources.list.d/vpac.list
ignore_errors: true
register: repoConfigured
- name: add repo key
shell: wget http://code.vpac.org/debian/vpac-debian-key.gpg -O - | apt-key add -
sudo: true
when: repoConfigured|failed
- name: template vpac.list
template: src=vpac_list.j2 dest=/etc/apt/sources.list.d/vpac.list
sudo: true
when: repoConfigured|failed
- name: update cache
apt: update_cache=true
sudo: true
when: repoConfigured|failed
- name: install karaage
apt: name={{ item }} state=installed
sudo: true
with_items:
- karaage-admin
- karaage-registration
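Review bot: The repository signing key is fetched over plain HTTP with no fingerprint check — `wget http://code.vpac.org/debian/vpac-debian-key.gpg -O - | apt-key add -` — so anyone on the network path can substitute their own key, after which every package installed from that repository (also served over HTTP per `vpac_list.j2`) is trusted by apt. Ship the key in the role's `files/` directory and install it with `apt_key: data="{{ lookup('file', 'vpac-debian-key.gpg') }}" id=<key fingerprint> state=present`, so the fingerprint is pinned in the repo rather than learned from the download. Because the whole block is gated on `repoConfigured|failed`, a key that was added by a previous (possibly tampered) run is never re-verified either.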
---
- include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
- include_vars: passwords.yml
- name: install system packages apt
apt: name={{ item }} state=installed update_cache=true
sudo: true
with_items: system_packages
when: ansible_os_family == 'Debian'
- name: install system packages yum
yum: name={{ item }} state=installed
sudo: true
with_items: system_packages
when: ansible_os_family == 'RedHat'
- include: set_mysql_root_password.yml
- include: install_via_apt.yml
when: ansible_os_family == 'Debian'
- name: check kg secret key
shell: cat /etc/karaage/global_settings.py | grep "SECRET_KEY = '.*'"
sudo: true
ignore_errors: true
register: kg_secret_key_set
- name: set kg secret key
shell: kg_set_secret_key
sudo: true
when: kg_secret_key_set|failed
- name: mysql db
mysql_db: name=karaage login_user=root login_password={{ sqlrootPasswd }}
- name: mysql user
mysql_user: name='karaage' password={{ karaageSqlPassword }} priv=karaage.*:ALL state=present login_user=root login_password={{ sqlrootPasswd }}
- name: allow public karaage registrations
lineinfile:
args:
dest: /etc/karaage/registration_settings.py
regexp: "#ALLOW_REGISTRATIONS"
line: "ALLOW_REGISTRATIONS = True"
backrefs: yes
sudo: true
# Why not template the whole of global_settings.py?
# Because I don't know what kg_set_secret_key does so I can't easily template my own secret key
- name: chmod global_settings.py
file:
args:
path: /etc/karaage/global_settings.py
owner: root
group: "{{ wwwgroup }}"
mode: 0640
sudo: true
- name: karaage settings db type
lineinfile:
args:
dest: /etc/karaage/global_settings.py
regexp: " 'ENGINE': 'django.db.backends.',"
line: " 'ENGINE': 'django.db.backends.mysql',"
backrefs: yes
sudo: true
- name: karaage settings db db
lineinfile:
args:
dest: /etc/karaage/global_settings.py
regexp: " 'NAME': '',"
line: " 'NAME': 'karaage',"
backrefs: yes
sudo: true
- name: karaage settings db user
lineinfile:
args:
dest: /etc/karaage/global_settings.py
regexp: " 'USER': '',"
line: " 'USER': 'karaage',"
backrefs: yes
sudo: true
- name: karaage settings db password
lineinfile:
args:
dest: /etc/karaage/global_settings.py
regexp: " 'PASSWORD': '',"
line: " 'PASSWORD': '{{ karaageSqlPassword }}',"
backrefs: yes
sudo: true
- name: ldap url
lineinfile:
args:
dest: /etc/karaage/global_settings.py
regexp: "LDAP_URL ="
line: "LDAP_URL = '{{ ldapURL }}'"
backrefs: yes
sudo: true
- include_vars: "roles/ldapserver/vars/main.yml"
- name: ldap base
lineinfile:
args:
dest: /etc/karaage/global_settings.py
regexp: "LDAP_BASE ="
line: "LDAP_BASE = '{{ ldapDomain }}'"
backrefs: yes
sudo: true
- name: ldap user base
lineinfile:
args:
dest: /etc/karaage/global_settings.py
regexp: "LDAP_USER_BASE="
line: "LDAP_USER_BASE = 'ou=Accounts,{{ ldapDomain }}'"
backrefs: yes
sudo: true
- name: ldap group base
lineinfile:
args:
dest: /etc/karaage/global_settings.py
regexp: "LDAP_GROUP_BASE="
line: "LDAP_GROUP_BASE = 'ou=Groups,{{ ldapDomain }}'"
backrefs: yes
sudo: true
- name: ldap admin user
lineinfile:
args:
dest: /etc/karaage/global_settings.py
regexp: "LDAP_ADMIN_USER ="
line: "LDAP_ADMIN_USER = 'cn=Manager,{{ ldapDomain }}'"
backrefs: yes
sudo: true
- name: ldap admin passwd
lineinfile:
args:
dest: /etc/karaage/global_settings.py
regexp: "LDAP_ADMIN_PASSWORD ="
line: "LDAP_ADMIN_PASSWORD = '{{ ldapManagerPassword }}'"
backrefs: yes
sudo: true
- name: ldap use TLS CA
lineinfile:
args:
dest: /etc/karaage/global_settings.py
regexp: "LDAP_USE_TLS ="
line: "LDAP_USE_TLS = True"
backrefs: yes
sudo: true
- name: ldap TLS CA
lineinfile:
args:
dest: /etc/karaage/global_settings.py
insertafter: "LDAP_USE_TLS ="
line: "LDAP_TLS_CA = '/etc/ssl/certs/ca.crt'"
state: present
sudo: true
- name: check karaage tables exist
shell: echo 'describe auth_user' | mysql -u karaage --password={{ karaageSqlPassword }} karaage
ignore_errors: true
register: karaageTablesCreated
- name: template ldap.conf
template: src=ldap_conf.j2 dest=/etc/ldap/ldap.conf
sudo: true
#- name: karaage sql db setup
# shell: kg-manage syncdb --noinput
# sudo: true
# when: karaageTablesCreated|failed
#
#- name: karaage sql db migrate
# shell: yes n | kg-manage migrate --all
# sudo: true
#
# I had to use syncdb --all --noinput migrate --fake then
# sudo vi ./dist-packages/tldap/transaction.py
# add import tldap.django which causes the connection to be setup. Continue from here trying to setup apache
#
#
- name: karaage sql syncdb
shell: kg-manage syncdb --all --noinput
sudo: true
when: karaageTablesCreated|failed
- name: karaage sql db migrate
shell: kg-manage migrate --fake
sudo: true
when: karaageTablesCreated|failed
- name: fix up karaage transactions.py
lineinfile:
args:
line: import tldap.django
insertafter: import tldap
state: present
dest: /usr/lib/python2.7/dist-packages/tldap/transaction.py
sudo: true
- name: fix up karaage tldap/manager.py
lineinfile:
args:
line: import tldap.django
insertafter: import tldap
state: present
dest: /usr/lib/python2.7/dist-packages/tldap/manager.py
sudo: true
- name: enable ssl
shell: a2enmod ssl
sudo: true
- name: enable wsgi
shell: a2enmod wsgi
sudo: true
- name: enable karaage admin
command: ln -s /etc/karaage/kgadmin-apache.conf /etc/apache2/conf.d/karaage-admin.conf
args:
creates: /etc/apache2/conf.d/karaage-admin.conf
sudo: true
notify: restart apache
- name: enable karaage registration
command: ln -s /etc/karaage/kgreg-apache.conf /etc/apache2/conf.d/karaage-registration.conf
args:
creates: /etc/apache2/conf.d/karaage-registration.conf
sudo: true
notify: restart apache
- name: make ssl directory
file: name=/etc/apache2/ssl state=directory
sudo: true
- name: copy ssl key
command: cp /etc/ssl/private/server.key /etc/apache2/ssl/server.key
args:
creates: /etc/apache2/ssl/server.key
sudo: true
- name: chmod ssl key
file: path=/etc/apache2/ssl/server.key mode=600 owner={{ wwwuser }}
sudo: true
- name: copy cert
command: cp /etc/ssl/certs/server.crt /etc/apache2/ssl/server.pem
sudo: true
- name: enable ssl
command: ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/default-ssl
args:
creates: /etc/apache2/sites-enabled/default-ssl
sudo: true
notify: restart apache
- name: configure postfix
template: src=main_cf.j2 dest=/etc/postfix/main.cf
sudo: true
notify: restart postfix
- name: SSL Cert Chain
lineinfile:
args:
dest: /etc/apache2/sites-enabled/default-ssl
regexp: ".*#SSLCertificateChainFile.*"
line: " SSLCertificateChainFile /etc/ssl/certs/ca.crt"
backrefs: yes
sudo: true
notify: restart apache
- name: SSL Cert
lineinfile:
args:
dest: /etc/apache2/sites-enabled/default-ssl
regexp: ".*SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem"
line: " SSLCertificateFile /etc/apache2/ssl/server.pem"
backrefs: yes
sudo: true
notify: restart apache
- name: SSL Key
lineinfile:
args:
dest: /etc/apache2/sites-enabled/default-ssl
regexp: ".*SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key"
line: " SSLCertificateKeyFile /etc/apache2/ssl/server.key"
backrefs: yes
sudo: true
notify: restart apache
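Review bot: The `chmod ssl key` task hands the TLS private key to the web user — `file: path=/etc/apache2/ssl/server.key mode=600 owner={{ wwwuser }}` — but Apache reads `SSLCertificateKeyFile` as root before dropping privileges, so the key only needs `owner=root group=root mode=0600`; with www-data ownership any code execution in the Karaage WSGI application (which runs as the Apache user unless its `kgadmin-apache.conf` configures a separate `WSGIDaemonProcess` user, not visible here) can read and exfiltrate the server's private key. The `check karaage tables exist` task puts the database password on the command line (`mysql -u karaage --password={{ karaageSqlPassword }} karaage`), where it shows up in `ps`, sudo logs and Ansible's task output; a `mysql_db`/`mysql_user` module call or a root-only `.my.cnf` avoids that, and `no_log: true` should be set on any task that must inline a secret. The two `fix up` tasks patch `/usr/lib/python2.7/dist-packages/tldap/*.py` in place, which a package upgrade will silently undo — worth a comment naming the upstream issue and the version that fixes it.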
---
- name: template secure script
template: src=set_root_passwd_sql.j2 dest=/tmp/set_root_passwd.sql mode=600 owner=root
sudo: true
- name: run script
shell: cat /tmp/set_root_passwd.sql | mysql -u root
sudo: true
ignore_errors: true
- name: test passwd set
shell: echo "show databases" | mysql -u root --password={{ sqlrootPasswd }}
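Review bot: The templated `/tmp/set_root_passwd.sql` contains the MySQL root password in cleartext and is never removed, so it persists in `/tmp` after the play; add `- name: remove secure script`, `file: path=/tmp/set_root_passwd.sql state=absent`, `sudo: true` after the `run script` task. The `test passwd set` task also exposes `--password={{ sqlrootPasswd }}` on the command line (visible in `ps` and in Ansible output), and since `run script` has `ignore_errors: true`, a failed `SET PASSWORD` is only detected by that test; mark both tasks `no_log: true`, or replace the whole file with `mysql_user: name=root host={{ item }} password={{ sqlrootPasswd }}` over the three hosts, which needs no temp file at all.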
{
"groups": {{ groups | to_nice_json }},
"hostvars": {{ hostvars | to_nice_json }}
}
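Review bot: The template serialises every host's `hostvars` into the file, but the consuming script reads only `groups` (it iterates `d['groups']['ldap']`); `hostvars` carries all inventory variables and gathered facts, which in this repository may include values loaded from `passwords.yml`, so writing them to a JSON file (with no mode shown for the destination) is an unnecessary secret-disclosure path. Drop the `"hostvars"` line and keep `{ "groups": {{ groups | to_nice_json }} }`, or restrict it to the one host's facts the script actually needs.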
TLS_CACERT /etc/ssl/certs/cacert.pem
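Review bot: `TLS_CACERT /etc/ssl/certs/cacert.pem` points at a CA file this commit does not install — the role vars, `LDAP_TLS_CA` in `global_settings.py` and the ldapserver `copy cacert` task all use `/etc/ssl/certs/ca.crt` (cacert.pem appears only on the removed side of the vars hunk). With OpenLDAP's default `TLS_REQCERT demand`, a missing CA file makes every `ldaps://` connection from the Karaage host fail, and the tempting workaround (`TLS_REQCERT never`) would disable server verification entirely; change the line to `TLS_CACERT /etc/ssl/certs/ca.crt` and consider stating `TLS_REQCERT demand` explicitly so the intent survives future edits.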
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = {{ ansible_fqdn }}
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = {{ ansible_fqdn }}
mydestination = {{ ansible_fqdn }}, localhost.{{ ansible_domain }}, localhost
relayhost = {{ smtp_smarthost }}
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
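Review bot: Mail is relayed through `relayhost = {{ smtp_smarthost }}` with no `smtp_tls_security_level` (or `smtp_use_tls`) set, so outbound messages — which for Karaage include account-registration and notification mail — leave the host in cleartext even when the smarthost offers STARTTLS. Add `smtp_tls_security_level = may` (or `encrypt` if the smarthost is known to support TLS) and `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt` next to the existing `smtp_tls_session_cache_database` line. The snakeoil `smtpd_tls_*` certificate is acceptable only because `inet_interfaces = loopback-only` keeps the daemon off the network; that dependency deserves a comment.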
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('{{ sqlrootPasswd }}');
SET PASSWORD FOR 'root'@'127.0.0.1' = PASSWORD('{{ sqlrootPasswd }}');
SET PASSWORD FOR 'root'@'{{ ansible_hostname }}' = PASSWORD('{{ sqlrootPasswd }}');
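Review bot: `{{ sqlrootPasswd }}` is spliced into a SQL string literal without escaping, so a password containing `'` or `\` breaks the statement, and because the task that runs this file has `ignore_errors: true` the root account would silently keep an empty password. Rather than hand-escaping in Jinja, use the `mysql_user` module, which passes the password as a parameter: `mysql_user: name=root host={{ item }} password={{ sqlrootPasswd }} login_user=root` with `with_items: [localhost, 127.0.0.1, "{{ ansible_hostname }}"]`. Keep the template only if a `::1` host entry must be covered as well, and then escape the value.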
deb http://code.vpac.org/debian wheezy main
deb-src http://code.vpac.org/debian wheezy main
---
system_packages:
- python-django
- mysql-server
- python-mysqldb
- ldap-utils
- apache2
- libapache2-mod-wsgi
- postfix
wwwuser: www-data
wwwgroup: www-data
---
dependencies:
- { role: easy-rsa-certificate, x509_csr_args: "--server" }
---
- include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
- include_vars: passwords.yml
- name: install system packages apt
apt: name={{ item }} state=installed update_cache=true
sudo: true
with_items: system_packages
when: ansible_os_family == 'Debian'
- name: install system packages yum
yum: name={{ item }} state=installed
sudo: true
with_items: system_packages
when: ansible_os_family == 'RedHat'
- name: hash password
command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
register: ldapManagerHash
- name: hash binddn password
command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapBindDNPassword }}
register: ldapBindDNHash
- name: template ssl.ldif
template: src=ssl_ldif.j2 dest=/tmp/ssl.ldif mode=600
- name: template manager.ldif
template: src=manager_ldif.j2 dest=/tmp/manager.ldif mode=600
sudo: true
- name: template binddn.ldif
template: src=binddn_ldif.j2 dest=/tmp/binddn.ldif mode=600
sudo: true
- name: template root.ldif
template: src=root_ldif.j2 dest=/tmp/root.ldif
- name: template accounts.ldif
template: src=accounts_ldif.j2 dest=/tmp/accounts.ldif
- name: template groups.ldif
template: src=groups_ldif.j2 dest=/tmp/groups.ldif
- name: template acls.ldif
template: src=acls_ldif.j2 dest=/tmp/acls.ldif
- name: template ppolicy_moduleload.ldif
template: src=ppolicy_moduleload_ldif.j2 dest=/tmp/ppolicy_moduleload.ldif
- name: template ppolicy_overlay.ldif
template: src=ppolicy_overlay_ldif.j2 dest=/tmp/ppolicy_overlay.ldif
- name: template pwpolices.ldif
template: src=pwpolicies_ldif.j2 dest=/tmp/pwpolicies.ldif
- name: template default_ppolicy.ldif
template: src=default_ppolicy_ldif.j2 dest=/tmp/default_ppolicy.ldif
- name: copy cert
command: cp /etc/ssl/certs/server.crt /etc/openldap/certs/ldapcert.pem
sudo: true
- name: copy cacert
command: cp /etc/ssl/certs/ca.crt /etc/openldap/certs/cacert.pem
sudo: true
- name: copy key
command: cp /etc/ssl/private/server.key /etc/openldap/certs/ldapkey.pem
sudo: true
- name: chmod key
file: path=/etc/openldap/certs/ldapkey.pem owner={{ ldapuser }} group={{ ldapgroup }} mode=600
sudo: true
- name: enable ssl centos
lineinfile: regexp="SLAPD_LDAPS=no" state=present line="SLAPD_LDAPS=yes" dest=/etc/sysconfig/ldap
sudo: true
when: ansible_os_family == 'RedHat'
- name: start ldap
service: name=slapd state=restarted
sudo: true
- name: check TLS config
shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem'"
ignore_errors: true
sudo: true
register: tlsConfigured
- name: check Manager config
shell: "slapcat -b cn=config | grep 'olcRootDN: cn=Manager,{{ ldapDomain }}'"
ignore_errors: true
sudo: true
register: managerConfigured
- name: check ACL config
shell: "slapcat -b cn=config | grep 'olcAccess:' | grep 'cn=Manager'"
ignore_errors: true
sudo: true
register: aclConfigured
- name: check DIT config
shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b {{ ldapDomain }} objectClass=dcObject"
ignore_errors: true
register: ditConfigured
- name: check Accounts config
shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Accounts,{{ ldapDomain }} objectClass=*"
ignore_errors: true
register: accountsConfigured
- name: check Groups config
shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Groups,{{ ldapDomain }} objectClass=*"
ignore_errors: true
register: groupsConfigured
- name: check binddn config
shell: "ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} objectClass=dcObject"
ignore_errors: true
register: binddnConfigured
- name: initialise server ssl
shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config
sudo: true
when: tlsConfigured|failed
- name: initialise server manager
shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config
sudo: true
when: managerConfigured|failed
- name: initialise server acls
shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
sudo: true
when: aclConfigured|failed
- name: add DIT root
shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/root.ldif
when: ditConfigured|failed
- name: add Accounts OU
shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/accounts.ldif
when: accountsConfigured|failed
- name: add Groups OU
shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/groups.ldif
when: groupsConfigured|failed
- name: add binddn
shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/binddn.ldif
sudo: true
when: binddnConfigured|failed
- name: check ppolicy module loaded
shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
sudo: true
ignore_errors: true
register: ppolicyModuleLoaded
- name: load ppolicy module
shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_moduleload.ldif -D cn=config
sudo: true
when: ppolicyModuleLoaded|failed
- name: check ppolicy overlay config
shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}bdb,cn=config'"
ignore_errors: true
sudo: true
register: ppolicyOverlayConfigured
- name: add ppolicy overlay
shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config
sudo: true
when: ppolicyOverlayConfigured|failed
- name: check pwpolicies config
shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
ignore_errors: true
register: pwpoliciesConfigured
- name: add pwpolicies
shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
when: pwpoliciesConfigured|failed
- name: check defaultPwpolicy config
shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
ignore_errors: true
register: defaultPpolicyConfigured
- name: add defaultPwpolicy
shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
when: defaultPpolicyConfigured|failed