Merge branch 'ldaptest' into 'master'

adding Ubuntu20 support, chg ldapManager to ldapManagerDN; chg: ldapDomain to ldapBase See merge request !410

Merge branch 'ldaptest' into 'master'
adding Ubuntu20 support, chg ldapManager to ldapManagerDN; chg: ldapDomain to ldapBase See merge request !410
0a7000b3 · Chris Hines · 8a5f6a2f · c25b6084 · 0a7000b3 · 0a7000b3
Commit 0a7000b3 authored 3 years ago by Chris Hines
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
@@ -8,15 +8,13 @@
    file: "{{ ansible_distribution }}.yml"

 - name: install system packages apt
-  apt: name={{ item }} state=present update_cache=true
+  apt: name={{ system_packages }} state=present update_cache=true
  become: true
-  with_items: "{{ system_packages }}"
  when: ansible_os_family == 'Debian'

 - name: install system packages yum
-  yum: name={{ item }} state=present
+  yum: name={{ system_packages }} state=present
  become: true
-  with_items: "{{ system_packages }}"
  when: ansible_os_family == 'RedHat'

 - name: Fixed default configuration
@@ -89,20 +87,20 @@
  become: true

 - name: copy cert
-  copy: src="files/{{ ldapCert }}" dest="{{ ldapCertDest }}"
+  copy: src="files_services/{{ ldapCert }}" dest="{{ ldapCertDest }}"
  become: true

 - name: copy ca cert
-  copy: src="files/{{ ldapCAChain }}" dest="{{ ldapCAChainDest }}"
+  copy: src="files_services/{{ ldapCAChain }}" dest="{{ ldapCAChainDest }}"
  become: true

 - name: copy ca root cert
-  copy: src="files/{{ ldap_TLSCARoot }}" dest="{{ ldapCARootDest }}"
+  copy: src="files_services/{{ ldap_TLSCARoot }}" dest="{{ ldapCARootDest }}"
  become: true
  when: ldap_TLSCARoot is defined

 - name: copy key
-  copy: src="files/{{ ldapKey }}" dest="{{ ldapKeyDest }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }}
+  copy: src="files_services/{{ ldapKey }}" dest="{{ ldapKeyDest }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }}
  become: true

 - name: enable ssl centos
@@ -115,14 +113,14 @@
  become: true
  when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7'

- name: check TLS config
+- name: check TLS config is present
  shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: {{ ldapKeyDest }}'"
  ignore_errors: true
  become: true
  register: tlsConfigured

 - name: copy db config
-  copy: src=files/DB_CONFIG dest=/var/lib/ldap/DB_CONFIG owner=ldap group=ldap mode=644
+  copy: src=files/DB_CONFIG dest=/var/lib/ldap/DB_CONFIG owner={{ ldapuser }} group={{ ldapgroup }} mode=644
  become: true

 - name: start ldap
@@ -132,7 +130,7 @@
 - name: initialise server ssl
  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config
  become: true
-  when: tlsConfigured|failed
+  when: tlsConfigured.failed

 - name: Initialise cosine and ppolicy
  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldapDir }}/schema/{{ item }}.ldif -D cn=config
@@ -144,15 +142,22 @@
  ignore_errors: true
  become: true

+- name: check auxposixgroup is present
+  shell: "slapcat -b cn=auxPosixGroup,cn=schema,cn=config | grep auxPosixGroup"
+  ignore_errors: true
+  become: true
+  register: auxposixgroup
+
 - name: copy the auxposixgroup schema
  copy: src="files/auxposixgroup.ldif" dest="{{ ldapDir }}/schema/auxposixgroup.ldif"
-  become: True
+  become: true
  become_user: root

 - name: load the auxposixgroup schema
  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ ldapDir }}/schema/auxposixgroup.ldif" -D cn=config
  become_user: root
-  become: True
+  become: true
+  when: auxposixgroup.failed

 - name: check ppolicy module loaded
  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
@@ -163,7 +168,7 @@
 - name: load ppolicy module
  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_modules.ldif -D cn=config
  become: true
-  when: ppolicyModuleLoaded|failed
+  when: ppolicyModuleLoaded.failed

 - name: check ppolicy overlay config
  shell: "slapcat -b cn=config | grep 'dn: olcOverlay={.*}ppolicy,olcDatabase={.*}.db,cn=config'"
@@ -174,7 +179,7 @@
 - name: add ppolicy overlay
  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config
  become: true
-  when: ppolicyOverlayConfigured|failed
+  when: ppolicyOverlayConfigured.failed

 - name: check refint module loaded
  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}refint"
@@ -185,7 +190,7 @@
 - name: load refint module
  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_refint.ldif -D cn=config
  become: true
-  when: refintModuleLoaded|failed
+  when: refintModuleLoaded.failed

 - name: check memberof module loaded
  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}memberof"
@@ -196,28 +201,10 @@
 - name: load memberof module
  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_memberof.ldif -D cn=config
  become: true
-  when: memberofModuleLoaded|failed
-
- name: check member of config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=olcMemberOf"
-  ignore_errors: true
-  register: memberOfConfigured
-
- name: add member of config
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/memberOfConfig.ldif
-  when: memberOfConfigured|failed
-
- name: check refinit config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=olcRefintConfig"
-  ignore_errors: true
-  register: refintConfigured
-
- name: add refint config
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/refint_config.ldif
-  when: refintConfigured|failed
+  when: memberofModuleLoaded.failed

 - name: check Manager config
-  shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'"
+  shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManagerDN }}'"
  ignore_errors: true
  become: true
  register: managerConfigured
@@ -225,16 +212,33 @@
 - name: initialise server manager
  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config
  become: true
-  when: managerConfigured|failed
- name: initialise server manager
+#  when: managerConfigured.failed
+  
+- name: initialise server manager2
  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config
  become: true
  ignore_errors: true
-  when: managerConfigured|failed
- name: initialise server manager
-  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config
+#  when: managerConfigured.failed
+
+- name: check member of config
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=olcMemberOf"
+  ignore_errors: true
+  register: memberOfConfigured
+
+- name: add member of config
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/memberOfConfig.ldif -D cn=config
+  when: memberOfConfigured.failed
+  become: true
+
+- name: check refinit config
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=olcRefintConfig"
+  ignore_errors: true
+  register: refintConfigured
+
+- name: add refint config
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/refint_config.ldif
+  when: refintConfigured.failed
  become: true
-  when: managerConfigured|failed

 # slapcat does a line wrap at character 78. Don't attempt to match on {{ ldapManager }} as it will cross two lines
 - name: check ACL config
@@ -249,57 +253,57 @@
 - name: initialise server acls
  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
  become: true
-  when: aclConfigured|failed
+  when: aclConfigured.failed

 - name: check DIT config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
  ignore_errors: true
  register: ditConfigured

 - name: add DIT root
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
-  when: ditConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
+  when: ditConfigured.failed

 - name: check real Accounts config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*"
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*"
  ignore_errors: true
  register: realAccountsConfigured
  when: ldapAccountBase is defined

 - name: add real Accounts OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/real_accounts.ldif
-  when: realAccountsConfigured is defined and realAccountsConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/real_accounts.ldif
+  when: realAccountsConfigured is defined and realAccountsConfigured.failed

 - name: check Groups config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*"
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*"
  ignore_errors: true
  register: groupsConfigured

 - name: add Groups OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
-  when: groupsConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
+  when: groupsConfigured.failed

 - name: check aclroups config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAclGroupBase }} -x -H ldap://localhost objectClass=*"
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapAclGroupBase }} -x -H ldap://localhost objectClass=*"
  ignore_errors: true
  register: aclgroupsConfigured

 - name: add aclgroups OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/acl_groups.ldif
-  when: aclgroupsConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/acl_groups.ldif
+  when: aclgroupsConfigured.failed


 - name: check Accounts config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
  ignore_errors: true
  register: accountsConfigured

 - name: add Accounts OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
-  when: accountsConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
+  when: accountsConfigured.failed

 - name: check binddn config
-  shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} -x -H ldap://localhost objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
  ignore_errors: true
  register: binddnConfigured

@@ -312,25 +316,45 @@
  become: true

 - name: add binddn
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
  become: true
-  when: binddnConfigured|failed
+  when: binddnConfigured.failed

 - name: check pwpolicies config
-  shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapBase }} objectClass=*
  ignore_errors: true
  register: pwpoliciesConfigured

 - name: add pwpolicies
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
-  when: pwpoliciesConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
+  when: pwpoliciesConfigured.failed

 - name: check defaultPwpolicy config
-  shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapBase }} objectClass=*
  ignore_errors: true
  register: defaultPpolicyConfigured

 - name: add defaultPwpolicy
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
-  when: defaultPpolicyConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+  when: defaultPpolicyConfigured.failed
+
+- name: template monitoruser.ldif
+  template: src=monitoruser.ldif.j2 dest=/tmp/monitoruser.ldif
+
+- name: template monitoruser.ldif
+  template: src=monitoring.ldif.j2 dest=/tmp/monitoring.ldif
+
+- name: check monitoruser
+  shell: 'slapcat -b cn=monitor,ou=People,dc=erc,dc=monash,dc=edu,dc=au | grep "cn: monitor"'
+  ignore_errors: true
+  register: monitoruser
+  become: true
+
+- name: add monitoruser
+  #shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -H ldap://localhost -f /tmp/monitoruser.ldif
+  when: monitoruser.failed

+- name: add monitoruser
+  shell: ldapmodify -Y external -H ldapi:// -f /tmp/monitoring.ldif
+  when: monitoruser.failed
--- a/roles/ldapserver/templates/acls_ldif.j2
+++ b/roles/ldapserver/templates/acls_ldif.j2
 dn: {{ dbname }},cn=config
 changetype: modify
 add: olcAccess
-olcAccess: {0}to attrs=userPassword by dn="{{ ldapManager }}" write by self write by * auth
-olcAccess: {1}to attrs=shadowLastChange by dn="{{ ldapManager }}" write by self write by * read
+olcAccess: {0}to attrs=userPassword by dn="{{ ldapManagerDN }}" write by self write by * auth
+olcAccess: {1}to attrs=shadowLastChange by dn="{{ ldapManagerDN }}" write by self write by * read
 olcAccess: {2}to * by users read by anonymous auth
--- a/roles/ldapserver/templates/default_ppolicy_ldif.j2
+++ b/roles/ldapserver/templates/default_ppolicy_ldif.j2
-dn: cn=default,ou=pwpolicies,{{ ldapDomain }}
+dn: cn=default,ou=pwpolicies,{{ ldapBase }}
 cn: default
 objectClass: pwdPolicy
 objectClass: top

--- a/roles/ldapserver/templates/load_memberof_ldif.j2
+++ b/roles/ldapserver/templates/load_memberof_ldif.j2
-dn: cn=module{0},cn=config
-changetype: modify
-add: olcModuleLoad
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: {{ module_path }}
 olcModuleLoad: memberof.la
--- a/roles/ldapserver/templates/load_refint_ldif.j2
+++ b/roles/ldapserver/templates/load_refint_ldif.j2
-dn: cn=module{0},cn=config
-changetype: modify
-add: olcModuleLoad 
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: {{ module_path }}
 olcModuleLoad: refint.la
--- a/roles/ldapserver/templates/manager_ldif.j2
+++ b/roles/ldapserver/templates/manager_ldif.j2
 dn: {{ dbname }},cn=config
 changetype: modify
 replace: olcSuffix
-olcSuffix: {{ ldapDomain }}
+olcSuffix: {{ ldapBase }}
 -
 replace: olcRootDN
-olcRootDN: {{ ldapManager }}
+olcRootDN: {{ ldapManagerDN }}
--- a/roles/ldapserver/templates/memberOfConfig_ldif.j2
+++ b/roles/ldapserver/templates/memberOfConfig_ldif.j2
-dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
+dn: olcOverlay=memberof,{{ dbname }},cn=config
 objectClass: olcConfig
 objectClass: olcMemberOf
 objectClass: olcOverlayConfig

--- a/roles/ldapserver/templates/monitoring.ldif.j2
+++ b/roles/ldapserver/templates/monitoring.ldif.j2
--- a/roles/ldapserver/templates/monitoruser.ldif.j2
+++ b/roles/ldapserver/templates/monitoruser.ldif.j2
+dn: cn=monitor,ou=People,dc=erc,dc=monash,dc=edu,dc=au
+objectClass: inetOrgPerson
+cn: binddn
+sn: binddn
+userPassword: {{ ldapBindDNHash.stdout }}
\ No newline at end of file
--- a/roles/ldapserver/templates/ppolicy_overlay_ldif.j2
+++ b/roles/ldapserver/templates/ppolicy_overlay_ldif.j2
@@ -4,4 +4,4 @@ objectClass: olcOverlayConfig
 objectClass: olcPPolicyConfig
 olcPPolicyHashCleartext: TRUE
 olcPPolicyUseLockout: FALSE
-olcPPolicyDefault: cn=default,ou=pwpolicies,{{ ldapDomain }}
+olcPPolicyDefault: cn=default,ou=pwpolicies,{{ ldapBase }}
--- a/roles/ldapserver/templates/pwpolicies_ldif.j2
+++ b/roles/ldapserver/templates/pwpolicies_ldif.j2
-dn: ou=pwpolicies,{{ ldapDomain }}
+dn: ou=pwpolicies,{{ ldapBase }}
 objectClass: organizationalUnit
 objectClass: top
 ou: pwpolicies
--- a/roles/ldapserver/templates/refint_config_ldif.j2
+++ b/roles/ldapserver/templates/refint_config_ldif.j2
-dn: olcOverlay=refint,olcDatabase={2}bdb,cn=config
+dn: olcOverlay=refint,{{ dbname }},cn=config
 objectClass: olcConfig
 objectClass: olcOverlayConfig
 objectClass: olcRefintConfig

--- a/roles/ldapserver/templates/root_ldif.j2
+++ b/roles/ldapserver/templates/root_ldif.j2
-dn: {{ ldapDomain }}
+dn: {{ ldapBase }}
 objectClass: dcObject
 objectClass: organization
 o: {{ ansible_domain }}

--- a/roles/ldapserver/vars/Ubuntu.yml
+++ b/roles/ldapserver/vars/Ubuntu.yml
+---
+  ldapDir: "/etc/ldap"
+  module_path: "/usr/lib/ldap"
--- a/roles/ldapserver/vars/Ubuntu_20.04_x86_64.yml
+++ b/roles/ldapserver/vars/Ubuntu_20.04_x86_64.yml
+---
+ system_packages:
+  - slapd
+  - ldap-utils
+  - openssl
+
+ ldapuser: openldap
+ ldapgroup: openldap
+ dbname: olcDatabase={1}mdb