diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml index e1b9420b33f3fc6a17b2c28850ee110753f923bf..538246448c6916f4e17755dbb896df05b600e5cb 100644 --- a/roles/ldapserver/tasks/main.yml +++ b/roles/ldapserver/tasks/main.yml @@ -2,6 +2,7 @@ - include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml" - include_vars: "{{ ansible_distribution }}.yml" + - name: install system packages apt apt: name={{ item }} state=installed update_cache=true sudo: true @@ -23,10 +24,6 @@ command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }} register: ldapManagerHash - - - - - name: template root.ldif template: src=root_ldif.j2 dest=/tmp/root.ldif @@ -39,7 +36,6 @@ - name: template groups.ldif template: src=groups_ldif.j2 dest=/tmp/groups.ldif - - name: template load_modules.ldif template: src=load_modules_ldif.j2 dest=/tmp/load_modules.ldif 
@@ -65,45 +61,25 @@ template: src=manager_ldif3.j2 dest=/tmp/manager3.ldif mode=600 sudo: true - -- name: make cert dir - file: path={{ ldapcert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} - sudo: true - -- name: make key dir - file: path={{ ldapkey | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} mode=700 - sudo: true - -- name: make ca dir - file: path={{ cacert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} - sudo: true - - name: make ldap certs dir - file: path={{ ldapCertDir }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} + file: path={{ ldapCertDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} sudo: true - when: ldapCertDir is defined - name: make ldap private dir - file: path={{ ldapPrivateDir }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} + file: path={{ ldapKeyDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} mode=700 sudo: true - when: ldapPrivateDir is defined -# Change to remove easy-rsa and to use fixed key and certs -- name: copy fixed keys and certs from files directory - template: src=files/{{ item.src }} dest="{{ item.dest }}" mode={{ item.mode }} owner=root group=root - with_items: ldapCertFiles - sudo: true - - name: copy cert - copy: src="files/{{ ldap_TLSCert }}" dest="{{ ldapcert }}" + copy: src="files/{{ ldapCert }}" dest="{{ ldapCertDest }}" sudo: true -- name: copy cacert - copy: src="files/{{ ldap_TLSCAChain }}" dest="{{ cacert }}" +- name: copy ca cert + copy: src="files/{{ ldapCAChain }}" dest="{{ ldapCAChainDest }}" sudo: true + - name: copy key - copy: src="files/{{ ldap_TLSKey }}" dest="{{ ldapkey }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }} + copy: src="files/{{ ldapKey }}" dest="{{ ldapKeyDest }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }} sudo: true - name: enable ssl centos 
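Review bot: The directory for the CA chain is no longer created explicitly: `make ca dir` is dropped and the two remaining `file:` tasks only create `{{ ldapCertDest | dirname }}` and `{{ ldapKeyDest | dirname }}`, so `copy ca cert` works only because `ldapCAChainDest` happens to share a directory with `ldapCertDest` (both sit under `{{ ldapDir }}/ssl/certs` in the vars/main.yml added by this diff; an override pointing the chain elsewhere would make the copy fail). Either add `- name: make ldap ca dir` / `file: path={{ ldapCAChainDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}` / `sudo: true` before `copy ca cert`, or put a comment above `copy ca cert` stating that it relies on the certs directory created above. `copy key` still sources `files/{{ ldapKey }}` from inside the role tree, so the private key travels with the role; if the role is version-controlled, keep that file vault-encrypted or fetch it from outside the repository. `copy cert` and `copy ca cert` set no owner or mode, so those files get whatever the remote umask yields, presumably readable by slapd, but an explicit `mode=644` would make the intent visible next to the `mode=600` on the key.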
@@ -117,12 +93,11 @@ when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7' - name: check TLS config - shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: {{ ldapkey }}'" + shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: {{ ldapKeyDest }}'" ignore_errors: true sudo: true register: tlsConfigured - - name: start ldap service: name=slapd state=restarted sudo: true @@ -133,7 +108,7 @@ when: tlsConfigured|failed - name: Initialise cosine and ppolicy - shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ item }}.ldif -D cn=config + shell: ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldapDir }}/schema/{{ item }}.ldif -D cn=config with_items: - ppolicy - cosine @@ -141,7 +116,6 @@ - inetorgperson ignore_errors: true sudo: true - when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7' - name: check ppolicy module loaded shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy" @@ -165,7 +139,6 @@ sudo: true when: ppolicyOverlayConfigured|failed - - name: check Manager config shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'" ignore_errors: true @@ -201,8 +174,6 @@ sudo: true when: aclConfigured|failed - - - name: check DIT config shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject" ignore_errors: true @@ -212,7 +183,6 @@ shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif when: ditConfigured|failed - - name: check real Accounts config shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*" ignore_errors: true @@ -259,7 +229,6 @@ sudo: true when: binddnConfigured|failed - - name: check pwpolicies config shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=* ignore_errors: true 
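Review bot: In `check TLS config` the interpolated path is handed to grep as an unanchored basic regular expression, so the `.` in `ldapkey.pem` matches any character and any value whose prefix equals the configured path also matches; use a fixed-string match, `shell: "slapcat -b cn=config | grep -F 'olcTLSCertificateKeyFile: {{ ldapKeyDest }}'"`. The registered `tlsConfigured` drives the later `when: tlsConfigured|failed`, so a false positive here means the TLS settings are never applied. The `start ldap` task at the end of this hunk continues outside it.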
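Review bot: `Initialise cosine and ppolicy` now runs on every distribution (the RedHat-only `when:` is gone) while `ignore_errors: true` stays in place, so a missing schema file under `{{ ldapDir }}/schema` or any other `ldapadd` failure on the newly covered platforms is silently swallowed, and only the later `check ppolicy module loaded` step might notice. Replace the blanket ignore with a registered result and a narrow tolerance, `register: schemaLoaded` plus `failed_when: schemaLoaded.rc not in [0, 80]` (80 is the LDAP "other" result that ldapadd reports when the schema is already present — confirm on a host before relying on it). The task's `shell:` and `with_items:` lines sit in the preceding hunk, outside this one.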
diff --git a/roles/ldapserver/templates/ssl_ldif.j2 b/roles/ldapserver/templates/ssl_ldif.j2
index b60604c40e2b185d7c0001cd30ada14b41eb405a..075e3a262401204d0fc81ff617f9397890a34755 100644
--- a/roles/ldapserver/templates/ssl_ldif.j2
+++ b/roles/ldapserver/templates/ssl_ldif.j2
@@ -1,9 +1,9 @@
 dn: cn=config
 replace: olcTLSCACertificateFile
-olcTLSCACertificateFile: {{ cacert }}
+olcTLSCACertificateFile: {{ ldapCAChainDest }}
 -
 replace: olcTLSCertificateFile
-olcTLSCertificateFile: {{ ldapcert }}
+olcTLSCertificateFile: {{ ldapCertDest }}
 -
 replace: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: {{ ldapkey }}
+olcTLSCertificateKeyFile: {{ ldapKeyDest }}
diff --git a/roles/ldapserver/vars/CentOS.yml b/roles/ldapserver/vars/CentOS.yml
index 7159629c2947b81c5502b014b053e4a09c1b4970..e1d68d894c333b3b379f537ea2128c4a5e4ec159 100644
--- a/roles/ldapserver/vars/CentOS.yml
+++ b/roles/ldapserver/vars/CentOS.yml
@@ -1,5 +1,4 @@
 ---
- ldapcert: /etc/openldap/certs/ldapcert.pem
- ldapkey: /etc/openldap/certs/ldapkey.pem
- cacert: /etc/openldap/certs/cacert.pem
+ ldapDir: "/etc/openldap"
 module_path: "/usr/lib64/openldap/"
+
diff --git a/roles/ldapserver/vars/Debian.yml b/roles/ldapserver/vars/Debian.yml
index 7732d830f30bc489eba194ce251fcf02157542dc..c10225e07a2bd8a5f705f6aea96d06b86f130edb 100644
--- a/roles/ldapserver/vars/Debian.yml
+++ b/roles/ldapserver/vars/Debian.yml
@@ -1,5 +1,3 @@
 ---
- ldapcert: /etc/ldap/certs/ldapcert.pem
- ldapkey: /etc/ldap/certs/ldapkey.pem
- cacert: /etc/ldap/certs/cacert.pem
+ ldapDir: "/etc/ldap"
 module_path: "/usr/lib/ldap"
diff --git a/roles/ldapserver/vars/main.yml b/roles/ldapserver/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a80673ceb2d084ad500334c2276ae8a6fdce08c2
--- /dev/null
+++ b/roles/ldapserver/vars/main.yml
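Review bot: The new `ldapDir` key in CentOS.yml and Debian.yml is camelCase next to the existing `module_path` in snake_case, so each file now mixes two conventions; the tasks and vars/main.yml use camelCase throughout, so either rename `module_path` in a follow-up or at least keep the new key consistent with it. The CentOS.yml hunk also appends a trailing empty line that Debian.yml does not get, which yamllint will flag; drop it.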
@@ -0,0 +1,4 @@
+---
+ldapCertDest: "{{ ldapDir }}/ssl/certs/ldapcert.pem"
+ldapKeyDest: "{{ ldapDir }}/ssl/private/ldapkey.pem"
+ldapCAChainDest: "{{ ldapDir }}/ssl/certs/cacert.pem"
diff --git a/vars/defaults.yml b/vars/defaults.yml
deleted file mode 100644
index 064e7585ebe394f04994ba2e8fbc32b87ec05d21..0000000000000000000000000000000000000000
--- a/vars/defaults.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-packager: yum
-apache: httpd
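Review bot: The three `*Dest` paths live in the role's `vars/main.yml`, which outranks inventory, group and play variables, so a caller cannot relocate the certificate or key without `-e`; if they are meant to be tunable, the same three lines belong in `defaults/main.yml`. They also expand `{{ ldapDir }}`, which is only set by the per-distribution files CentOS.yml and Debian.yml pulled in through `include_vars: "{{ ansible_distribution }}.yml"`, so on a distribution without such a file (Ubuntu, if its facts report `Ubuntu` rather than `Debian`) the first use of `ldapCertDest` fails with an undefined-variable error at an unrelated task. A guard right after the includes, `- fail: msg="ldapDir is not defined for {{ ansible_distribution }}"` with `when: ldapDir is not defined`, turns that into a clear message.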