diff --git a/roles/karaage3.1.17/tasks/apacheDebian.yml b/roles/apache2/tasks/apacheDebian.yml similarity index 59% rename from roles/karaage3.1.17/tasks/apacheDebian.yml rename to roles/apache2/tasks/apacheDebian.yml index 2ee1fdbb820e03f72bad26f7096f6dec62d5624f..44ffcdc4a675736cfdf50a9d0be0c1d5016cc565 100644 --- a/roles/karaage3.1.17/tasks/apacheDebian.yml +++ b/roles/apache2/tasks/apacheDebian.yml @@ -7,14 +7,6 @@ - apache2-dev sudo: true -- - name: "Setting default-ssl site" - lineinfile: dest=/etc/apache2/sites-available/default-ssl.conf regexp="{{ item.regexp }}" line="{{ item.line }}" backrefs=yes - with_items: - - { regexp : "^\\s+SSLCertificateFile", line : " SSLCertificateFile {{ x509_cert_file }}" } - - { regexp : "SSLCertificateKeyFile", line : " SSLCertificateKeyFile {{ x509_key_file }}" } - - { regexp : "SSLCACertificateFile", line : " SSLCACertificateFile {{ x509_cacert_file }}" } - sudo: true - name: "Templating default-ssl site" template: src=default-ssl.j2 dest=/etc/apache2/sites-available/default-ssl.conf owner=www-data group=www-data diff --git a/roles/karaage3.1.17/tasks/apacheRedHat.yml b/roles/apache2/tasks/apacheRedHat.yml similarity index 56% rename from roles/karaage3.1.17/tasks/apacheRedHat.yml rename to roles/apache2/tasks/apacheRedHat.yml index 3515c7c200e7b4dd18045dcc478b2d61b535322b..584ed275655dbff3b919d20679e9c8ce3a56be03 100644 --- a/roles/karaage3.1.17/tasks/apacheRedHat.yml +++ b/roles/apache2/tasks/apacheRedHat.yml 
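Review bot: The surviving `template:` line in this hunk installs `default-ssl.conf` with `owner=www-data group=www-data`, so the web-server account can rewrite its own vhost and TLS configuration, which Apache only needs to read. Keep it root-owned: `template: src=default-ssl.j2 dest=/etc/apache2/sites-available/default-ssl.conf owner=root group=root mode=0644`. The apacheRedHat.yml hunk has the same problem with `owner=apache group=apache` on `/etc/httpd/conf.d/ssl.conf`. The hunk ends on the `template:` line, so whether the task carries a `notify` for the restart handler cannot be seen here; without one a changed template is not picked up until something else restarts the service.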
@@ -14,14 +14,12 @@ name: Setting httpd.conf sudo: true replace: dest=/etc/httpd/conf/httpd.conf regexp="^#ServerName www.example.com:80" replace="ServerName {{ ansible_fqdn }}" + - - name: Setting ssl.conf + name: "Templating default-ssl site" + template: src=default-ssl.j2 dest=/etc/httpd/conf.d/ssl.conf owner=apache group=apache sudo: true - lineinfile: dest=/etc/httpd/conf.d/ssl.conf regexp="{{ item.regexp }}" line="{{ item.line }}" backrefs=yes - with_items: - - { regexp : "^SSLCertificateFile", line : "SSLCertificateFile {{ x509_cert_file }}" } - - { regexp : "SSLCertificateKeyFile", line : "SSLCertificateKeyFile {{ x509_key_file }}" } - - { regexp : "SSLCACertificateFile", line : "SSLCACertificateFile {{ x509_cacert_file }}" } + - name: Templating wsgi.conf sudo: true diff --git a/roles/apache2/tasks/main.yml b/roles/apache2/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..0783dadda1e585aab27d19bf67b35ac7fbc6ed47 --- /dev/null +++ b/roles/apache2/tasks/main.yml 
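Review bot: Replacing `/etc/httpd/conf.d/ssl.conf` with the Debian-oriented `default-ssl.j2` drops the protocol and cipher hardening that the deleted `ssl.conf.j2` carried (`SSLProtocol all -SSLv2 -SSLv3` and the explicit `SSLCipherSuite`), and the excerpt of `default-ssl.j2` shown in this diff contains neither directive. Unless the untouched part of that template sets them, RedHat hosts fall back to mod_ssl's compiled-in defaults, which on older releases still admit SSLv3. Carry the two directives into `default-ssl.j2`, and confirm the template also provides `Listen 443` and `LoadModule ssl_module`, which only the deleted file supplied and which the stock RedHat `ssl.conf` being overwritten here normally contains.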
@@ -0,0 +1,32 @@ +--- +- include: apacheDebian.yml + when: ansible_os_family == "Debian" +- include: apacheRedHat.yml + when: ansible_os_family == 'RedHat' + +- name: "Create apache key directory" + file: path={{ x509_key | dirname }} state=directory owner={{ apache_user }} mode=700 + sudo: true + +- name: "Create apache cert directory" + file: path={{ x509_cert | dirname }} state=directory owner={{ apache_user }} mode=755 + sudo: true + +- name: "Copying the apache key file" + template: src="files/{{ apache_key_file }}" dest="{{ x509_key }}" mode=0600 owner={{ apache_user }} group={{ apache_group }} + sudo: true + when: apache_key_file is defined + +- name: "Copying the apache cert file" + template: src="files/{{ apache_cert_file }}" dest="{{ x509_cert }}" mode=0644 owner={{ apache_user }} group={{ apache_group }} + sudo: true + when: apache_cert_file is defined + +- name: "Create log directory, start aoacge will have errors without it" + file: dest=/etc/apache2/logs state=directory + sudo: true + +- + name: "Change permissions for /var/www" + file: path=/var/www state=directory owner=root group={{ apache_user }} mode=0775 + sudo: true diff --git a/roles/karaage3.1.17/templates/default-ssl.j2 b/roles/apache2/templates/default-ssl.j2 similarity index 95% rename from roles/karaage3.1.17/templates/default-ssl.j2 rename to roles/apache2/templates/default-ssl.j2 index 690c03cc63901cc0eebeb5ece72d62393fe3b373..8652aed013edc66fa2f047db52712e273fd965c0 100644 --- a/roles/karaage3.1.17/templates/default-ssl.j2 +++ b/roles/apache2/templates/default-ssl.j2 
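Review bot: The `Change permissions for /var/www` task makes the document root group-writable by the web-server account (`group={{ apache_user }} mode=0775`), so a compromised worker process can write directly into the served tree; unless something must write there at runtime, `mode=0755` is enough and a writable subdirectory can be granted separately. The private key is installed with `template:`, which runs the key through Jinja2 and prints its contents in `--diff` output; use `copy:` for it and add `no_log: true` to that task. The `Create log directory` task creates `/etc/apache2/logs` unconditionally, including on RedHat hosts where nothing in this role references that path, so it wants the same `when` guard as the includes above it (and "aoacge" in its name is a typo for "apache").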
@@ -42,15 +42,16 @@ # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. - SSLCertificateFile {{ x509_cert_file }} - SSLCertificateKeyFile {{ x509_key_file }} + SSLCertificateFile {{ x509_cert }} + SSLCertificateKeyFile {{ x509_key }} + # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the # concatenation of PEM encoded CA certificates which form the # certificate chain for the server certificate. Alternatively # when the CA certificates are directly appended to the server # certificate for convinience. - #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt + # SSLCertificateChainFile # Certificate Authority (CA): # Set the CA certificate verification path where to find CA @@ -59,12 +60,6 @@ # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. - {% if x509_cert_path is defined %} - SSLCACertificatePath {{ x509_cert_path }} - {% else %} - SSLCACertificatePath /etc/ssl/certs/ - {% endif %} - SSLCACertificateFile {{ x509_cacert_file }} # Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client diff --git a/roles/karaage3.1.17/templates/default.j2 b/roles/apache2/templates/default.j2 similarity index 88% rename from roles/karaage3.1.17/templates/default.j2 rename to roles/apache2/templates/default.j2 index e79e43d03bac20f7d97939307f1b2dbafdbde24b..ddb95b6dffb640d445270ddc26c1dc86163178b2 100644 --- a/roles/karaage3.1.17/templates/default.j2 +++ b/roles/apache2/templates/default.j2 
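Review bot: The chain directive is replaced by a bare `# SSLCertificateChainFile` with no path, so the server never sends its intermediate CA certificate and clients that do not already hold the intermediate fail validation. The diff adds an `apache_chain_file` variable in `roles/karaage3.1.17/vars/readme.txt` but no task installs a chain file and no template references one, which looks like the missing half of this change. Either wire it up with a copy task like the cert one and `SSLCertificateChainFile {{ x509_chain }}` (constructed variable name, alongside `x509_cert`), or append the intermediates to the file behind `x509_cert`, which the surrounding comment already describes as the alternative.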
@@ -14,10 +14,10 @@ Order allow,deny allow from all </Directory> - <Directory /etc/karaage3> - Options FollowSymLinks - AllowOverride None - </Directory> +# <Directory /etc/karaage3> +# Options FollowSymLinks +# AllowOverride None +# </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> diff --git a/roles/apache2/vars/main.yml b/roles/apache2/vars/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..d207e0b1c80a8e8d67331273eade3fcfeef0af35 --- /dev/null +++ b/roles/apache2/vars/main.yml @@ -0,0 +1,6 @@ +--- + apache_user: "{% if ansible_os_family == 'RedHat' %}apache{% else %}www-data{% endif %}" + apache_group: "{% if ansible_os_family == 'RedHat' %}apache{% else %}www-data{% endif %}" + apache_config: "/etc/{% if ansible_os_family == 'RedHat' %}httpd{% else %}apache2{% endif %}" + x509_cert: "{{ apache_config }}/ssl/certs/server.cert.pem" + x509_key: "{{ apache_config }}/ssl/private/server.key.pem" diff --git a/roles/enable_root/templates/authorized_keys.j2 b/roles/enable_root/templates/authorized_keys.j2 index 5ee0159b9ffdf0b9c7959ba0cb5830511a11f31b..f7eff2cc56bea11fdd047d2e1741798a1da2c71b 100644 --- a/roles/enable_root/templates/authorized_keys.j2 +++ b/roles/enable_root/templates/authorized_keys.j2 
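Review bot: `roles/apache2/vars/main.yml` indents every top-level key by one space after `---` (` apache_user:`); this happens to parse as one mapping, but yamllint rejects it and the next key added at column 0 breaks the file. Put the keys at column 0. The file also fixes the cert and key locations under `{{ apache_config }}/ssl/`, so other roles should build paths from `apache_config` rather than spelling out `/etc/apache2`, which `roles/karaage3.1.17/tasks/main.yml` in this same diff still does.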
@@ -1,3 +1,4 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvjn5cQuMkqTo04ZnkuDXfUBeAt7oZ6xrT4phfMemqx12dDqLyFrMgUWOoVMFj+TNyR5M8WOCI6CRT6EXOMtqaxhPtWB1QlDNo0Ml8xTzSKckUO0EhdqNKh+nlQfVeaVIx0DZZeWWNpPCrKPCM4TSAXXiwtZuImd6/Zo4RI1x+oTcFR9zQulUGUuX8rf7+4c/oKr58B+La8bXP8QujtfLm29pl1kawSouCfdxt93wRfbISM7mGs/WqzttRXL9m5AeOMuo5S4Ia0GPMcIEUfsQhEyEU7tiTpEq5lDdf6H7a9SlHXzhd9f2Dn3mlv3mmQHaGBJvUuWmVwydxkdtCRQhOQ== root@m2-m ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2xrAkFRdYBpYs14AYSzdPFcIOt2zKXIgjPpyj/6eg/yl3y8N84T9VNw9ATRzb3+PJEw1lOfah6xLkFl7FueT6359y14c7wkNByGHgcL022SludkhM2zBe/3ebhcBs11L4Z725rqVnGDSKdKuwZjbCmUtu/nHwGYU/BnLKbQXMVyq53L5cbIyWGfvItPnwCF2ZMy1v0lmnFs1O3qDK9U/qcwc/77MTB0Z/ey0zsoXvmxjkdYr+zgQLRNm2+fkCXn+ZorbeDwWjhHE21arhMym5x3VG0XU2Ob9nL1Z2xEGQVSnBVWeadTMNzkfM8U07Md2tSOIC5B3ePETxk97puxbEQ== root@m2-m ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPijQ597uLqEPAvVZXQlSjrUfFl2h7SRBTCRhH4hQJMVu55dhFYiojJZ0tjjV3jTcgWs1AsyRp3wDtNp8iQxbwEY2JPxCOjNuH0et4I/y3y6VUjcVWanSaIkdPf5AFNb9KIXo3Hvdyvav8SfFpioRQ0FKp8SZs1JYXpuQ0mZY26oKCKcNsWXv9ZN7knUN0xvYNMycpCnI2Nl666Zrs0gGyJ6e+Xq5bpk1lm8nuK9q52bTRjxqtdEBuSGwkZea+NBJzpYw5rEucteQI66y6tzFuYJk2WC4bUifffIxnkQXKYVynJg1MJ2CGI69r9hXt9eUtH3WrDxrJGmCau8jD3lib hines@sparge ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnakq6Lgq2n6yjcMaC7xQXMDMRdN33T6mPCqRy+TPdu0aPvVty0UFeAWsCyTxHeVfst9Vr0HwRRBvNihp1CJuOWGbk0H5a8yALDhLqoHazv2jlMQcLDgTktw0Jgo38+tcBShJyey1iHh8X5WgsS5/hgxR3OzoNBEzqzHUidMO/EI0ahNlM60l8EYL8Ww799NmPgqdPbwxK9nHsoFmx/NKhnUdronSg33L0CJZT3t2fccXAq+4Pbm7uYEkL3T/NgMdgpG5mKS3mKDtKyyKm2gOf3fVzExFew2etBxB3ANPEWvSuJ2XwXQv8sFE1722XQVR4RFgilCWUqXSN7EmqoHkNQ== jupiter@cvlproject diff --git a/roles/extra_rpms/tasks/main.yml b/roles/extra_rpms/tasks/main.yml index 1075221a13e750f30ea95ec284b8f186d50687ff..8dcf07de56a4a03f8cf52aaf3349a5a8193d224d 100644 --- a/roles/extra_rpms/tasks/main.yml +++ b/roles/extra_rpms/tasks/main.yml 
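Review bot: This adds a fourth hardcoded root key to `authorized_keys.j2`, and it carries the same `root@m2-m` comment as the existing second key, so the two cannot be told apart when one of them has to be revoked. Keys for root baked into a template can only be rotated by a commit to every deployment; prefer a variable list rendered into the template, or the `authorized_key` module with `exclusive: yes` so removed keys are actually withdrawn, and give each key a comment naming its owner and purpose.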
@@ -1,10 +1,4 @@ --- - -- name: "update cache" - shell: yum update -y - sudo: true - when: ansible_os_family == 'RedHat' - - name: "Install extra packages" yum: "name={{ item }} state=latest" with_items: diff --git a/roles/karaage3.1.17/handlers/main.yml b/roles/karaage3.1.17/handlers/main.yml index d6a6cfb778cf5f17c29b904dab32dfe4c4a9e0b5..fb97f1971ff637b1d7e27713e2386c53603d6a8c 100644 --- a/roles/karaage3.1.17/handlers/main.yml +++ b/roles/karaage3.1.17/handlers/main.yml @@ -2,3 +2,7 @@ - name: restart apache2 service: name=apache2 state=restarted sudo: true + +- name: restart postfix + service: name=postfix state=restarted + sudo: true diff --git a/roles/karaage3.1.17/tasks/karaage.yml b/roles/karaage3.1.17/tasks/karaage.yml index 7b1149bae000a3f59eb24e68beed1abb123cf420..e406942b0b9652149aa128985b208398af6497cb 100644 --- a/roles/karaage3.1.17/tasks/karaage.yml +++ b/roles/karaage3.1.17/tasks/karaage.yml @@ -13,7 +13,17 @@ - python-cracklib - git - apache2-dev + - python-mysqldb + - python-pip + - python-pyasn1 + - libapache2-mod-wsgi + - gcc + - libmysqlclient-dev + - python-dev + - python-matplotlib + - python-numpy when: ansible_os_family == "Debian" + - name: "Installing prerequisites Redhat" yum: name={{ item }} state=latest 
@@ -34,33 +44,29 @@ - blas-devel - libffi-devel when: ansible_os_family == "RedHat" -- - name: Install the latest pip - shell: easy_install pip - when: ansible_os_family == "RedHat" + #- + # name: Install the latest pip + # shell: easy_install pip + # when: ansible_os_family == "RedHat" - name: "Getting Karaage from Github" git: repo="https://github.com/monash-merc/karaage.git" dest="/root/karaage3.1.7" force=yes sudo: true -- - name: "Create log directory, start aoacge will have errors without it" - file: dest=/etc/apache2/logs state=directory - sudo: true - - name: "Installing Karaage Dependencies" pip: name={{ item }} sudo: true with_items: - six - - MySQL-python - slimit - ply - cython - django-celery - - mod_wsgi + - pyasn1 + - ldap3 +# - mod_wsgi - name: "Restrict Django version to 1.7.8" sudo: true @@ -84,10 +90,11 @@ - /var/lib/karaage3 - /var/cache/karaage3 sudo: true -- - name: "Change permissions for /var/www" - file: path=/var/www state=directory owner=root group={{ apache_user }} mode=0775 - sudo: true + +- name: install karaage3-wsgi.conf + template: src=karaage3-wsgi.conf.j2 dest=/etc/apache2/conf-available/karaage3-wsgi.conf + sudo: true + - name: "enabling Karaage configuration" shell: a2enconf karaage3-wsgi 
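Review bot: The `pip:` task gains `pyasn1` and `ldap3` with no version pin, so every run installs whatever PyPI serves at that moment, while the task just below it (`Restrict Django version to 1.7.8`) shows the role otherwise pins; pin them, e.g. `- ldap3==<tested-version>` (placeholder). The hunk also leaves two blocks of commented-out YAML (`#- name: Install the latest pip …` and `# - mod_wsgi`); delete them or reduce each to a one-line comment stating why the step was dropped. The second hunk installs `karaage3-wsgi.conf` without `owner`/`mode`, which is fine for a root-owned config but worth making explicit since sibling tasks set them. The context `git:` task fetching `/root/karaage3.1.7` with `force=yes` and no `version` is pre-existing, but it tracks the branch head and deserves the same pinning.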
@@ -96,77 +103,43 @@ - name: "enabling Karaage configuration" shell: cp -rvpf /root/karaage3.1.7/conf/karaage3-wsgi.conf /etc/httpd/conf.d/karaage3-wsgi.conf - when: ansible_os_family == "RedHat" -- - name: "Installing other packages Debian" - apt: name={{ item }} update_cache=yes - with_items: - - python-kgusage - - karaage-cluster-tools - - karaage3-celery - sudo: true - when: ansible_os_family == "Debian" -- - name: Downloading other packages RedHat - git: repo={{ item.repo }} dest={{ item.dest }} - with_items: - - { repo : 'https://github.com/numpy/numpy.git', dest : '/root/numpy' } - - { repo : 'https://github.com/matplotlib/matplotlib.git', dest : '/root/matplotlib' } - - { repo : 'https://github.com/Karaage-Cluster/karaage-software.git', dest : '/root/karaage-software' } - - { repo : 'https://github.com/Karaage-Cluster/karaage-usage.git', dest : '/root/karaage-usage' } - - { repo : 'https://github.com/Karaage-Cluster/karaage-applications.git', dest : '/root/karaage-applications' } - - { repo : 'https://github.com/Karaage-Cluster/karaage-cluster-tools.git', dest : '/root/karaage-cluster-tools' } sudo: true when: ansible_os_family == "RedHat" -- - args: - chdir: "/root/{{ item }}" - creates: "/root/{{ item }}/build/bdist.linux-x86_64" - name: "Installing other packages RedHat" - sudo: true - shell: "env python setup.py install" - when: ansible_os_family == "RedHat" - with_items: - - numpy - - matplotlib - - karaage-applications - - karaage-software - - karaage-usage - - karaage-cluster-tools + + - name: "Set Secret Key" lineinfile: dest=/etc/karaage3/settings.py regexp="SECRET_KEY = ''" line="SECRET_KEY = '{{ karaageSecretKey }}'" state=present sudo: true - - # TODO: Fix it - name: "Check DB tables has been created or not" - shell: ls /root/.karaage_db_init - ignore_errors: true - sudo: true + name: "Check karaage DB has been initialized or not" + shell: mysql -h {{ karaageDbHost }} -u {{ karaageDbName }} --password={{ karaagePassword }} -Bse 'use karaage; 
show tables;' | wc -l register: karaage_db_init -- - name: "Enable wsgi config" - file: src=/etc/apache2/mods-available/wsgi.conf path=/etc/apache2/mods-enabled/wsgi.conf state=link - sudo: true +- name: enable wsgi + shell: a2enmod wsgi + sudo: true -- - name: "Enable wsgi load" - file: src=/etc/apache2/mods-available/wsgi.load path=/etc/apache2/mods-enabled/wsgi.load state=link - sudo: true +- name: enable shibboleth + shell: a2enmod shib2 + sudo: true - name: " Create DB tables" - shell: kg-manage migrate && touch /root/.karaage_db_init + shell: kg-manage migrate sudo: true - when: karaage_db_init is not defined + when: karaage_db_init.stdout.find("0") == 0 + +- name: install postfix + apt: name=postfix state=present + sudo: true + +- name: configure postfix + template: src=main_cf.j2 dest=/etc/postfix/main.cf + sudo: true + notify: restart postfix -- - name: "Restarting Celery" - service: name=karaage3-celery state=restarted - sudo: true - when: ansible_os_family == "Debian" - name: "Reloading apache" service: name=apache2 state=reloaded @@ -178,3 +151,5 @@ service: name=httpd state=reloaded sudo: true when: ansible_os_family == "RedHat" + + diff --git a/roles/karaage3.1.17/tasks/main.yml b/roles/karaage3.1.17/tasks/main.yml index 66d2a9b7fc01263ffe647ed8d4961bd90f63d7ec..d8657d099b129c88e7ee30713d2bfeddb602ec26 100644 --- a/roles/karaage3.1.17/tasks/main.yml +++ b/roles/karaage3.1.17/tasks/main.yml @@ -1,8 +1,10 @@ --- + + - name: "Copying the ldap ca cert file" + template: src="files/{{ ldap_TLSCARoot }}" dest="/etc/apache2/ssl/certs/ldap_ca.cert.pem" mode=0644 + sudo: true + when: apache_cert_file is defined + - include: prerequisitesDebian.yml when: ansible_os_family == "Debian" - - include: apacheDebian.yml - when: ansible_os_family == "Debian" - - include: apacheRedHat.yml - when: ansible_os_family == 'RedHat' - include: karaage.yml 
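Review bot: The new `Check karaage DB has been initialized or not` task passes the database password on the mysql command line (`--password={{ karaagePassword }}`), where it is visible in `ps` on the host and in Ansible's task output and logs, and the task has no `no_log: true`. It also passes `-u {{ karaageDbName }}`, which looks like the database name where the DB user belongs — confirm which variable holds the user. Because the pipeline ends in `wc -l`, a failed connection still exits 0 with `0` on stdout, and the `when: karaage_db_init.stdout.find("0") == 0` guard then runs `kg-manage migrate` against a database it could not reach. Add `no_log: true` and `changed_when: false`, pass the secret via `environment: { MYSQL_PWD: "{{ karaagePassword }}" }` instead of an argument, run the shell with `set -o pipefail` (`executable=/bin/bash`) so a connection failure fails the task, and compare the count explicitly with `when: karaage_db_init.stdout | int == 0`.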
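Review bot: The new `Copying the ldap ca cert file` task writes the CA to a hardcoded `/etc/apache2/ssl/certs/ldap_ca.cert.pem`, while `settings.py.j2` in this same diff points `TLS_CA` at `{{ apache_config }}/ssl/certs/ldap_ca.cert.pem`; on RedHat hosts `apache_config` is `/etc/httpd`, so Karaage would look for a CA file that was never installed and LDAP TLS verification fails. Use the same variable here, `dest="{{ apache_config }}/ssl/certs/ldap_ca.cert.pem"`. The task is gated on `apache_cert_file is defined` rather than on `ldap_TLSCARoot`, so a host with an LDAP CA but no Apache cert silently skips it, and it uses `template:` for a certificate where `copy:` is the natural module. Whether the apache2 role has already created the target directory when this runs depends on role ordering in the playbook, which is outside this diff.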
diff --git a/roles/karaage3.1.17/templates/karaage3-wsgi.conf.j2 b/roles/karaage3.1.17/templates/karaage3-wsgi.conf.j2 new file mode 100644 index 0000000000000000000000000000000000000000..9ce8c092c1a7bcd2969bd33df724b9346af2d18e --- /dev/null +++ b/roles/karaage3.1.17/templates/karaage3-wsgi.conf.j2 @@ -0,0 +1,38 @@ +#-*-apache-*- + +WSGIScriptAlias /karaage /etc/karaage3/karaage.wsgi +<IfVersion >= 2.4> + <Directory /etc/karaage3> + <Files karaage.wsgi> + Require all granted + </Files> + </Directory> +</IfVersion> + +# support old URLs. +Redirect permanent /kgadmin /karaage +Redirect permanent /users /karaage + +Alias /kgstatic "/var/lib/karaage3/static" +<Location "/kgstatic"> + SetHandler None + <IfVersion >= 2.4> + Require all granted + </IfVersion> +</Location> + +Alias /kgfiles "/var/cache/karaage3/files" +<Location "/kgfiles"> + SetHandler None + <IfVersion >= 2.4> + Require all granted + </IfVersion> +</Location> + +<Location /karaage> +AuthType Shibboleth +ShibRequireSession On +ShibUseHeaders On +require valid-user +</Location> + diff --git a/roles/karaage3.1.17/templates/main_cf.j2 b/roles/karaage3.1.17/templates/main_cf.j2 new file mode 100644 index 0000000000000000000000000000000000000000..2823b289dc68bb169f0f6a2556a314876762bf61 --- /dev/null +++ b/roles/karaage3.1.17/templates/main_cf.j2 
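Review bot: `ShibUseHeaders On` in the `<Location /karaage>` block makes the Shibboleth SP hand attributes to the application as HTTP request headers, which the Shibboleth documentation describes as the less safe mode: the SP must strip same-named headers from every incoming request, and any request path that bypasses the SP (another handler, a proxy in front, a mismatched `Location`) lets the client supply them. Unless Karaage cannot read the attributes from the environment variables the SP exports by default, set `ShibUseHeaders Off`. Separately, `/kgfiles` (`/var/cache/karaage3/files`) is published with `Require all granted` and no authentication, which is only appropriate if nothing user-specific is cached there — worth confirming. The `ShibRequireSession`/`require valid-user` lines are also unindented, unlike the rest of the file.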
@@ -0,0 +1,39 @@ +# See /usr/share/postfix/main.cf.dist for a commented, more complete version + + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname + +smtpd_banner = $myhostname ESMTP $mail_name +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no + +# TLS parameters +smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for +# information on enabling SSL in the smtp client. + +myhostname = {{ ansible_fqdn }} +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = {{ ansible_fqdn }} +mydestination = {{ ansible_fqdn }}, localhost.{{ ansible_domain }}, localhost +relayhost = {{ smtp_smarthost }} +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = loopback-only diff --git a/roles/karaage3.1.17/templates/settings.py.j2 b/roles/karaage3.1.17/templates/settings.py.j2 index 2a2a211601e59558fb5272534130040e6312fe46..ceb441480ac8dd5bfb897fa8da95b5c4e7bc6b26 100644 --- a/roles/karaage3.1.17/templates/settings.py.j2 +++ b/roles/karaage3.1.17/templates/settings.py.j2 @@ -106,7 +106,7 @@ LDAP = { 'PASSWORD': '{{ ldapManagerPassword }}', 'REQUIRE_TLS': True, 'START_TLS': True, - 'TLS_CA': '{{ x509_cacert_file }}', + 'TLS_CA': '{{ apache_config }}/ssl/certs/ldap_ca.cert.pem', } } 
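Review bot: The template configures TLS only for inbound `smtpd`, using the Debian snakeoil self-signed pair (`smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem`), and sets nothing for the outbound client, so mail relayed to `{{ smtp_smarthost }}` leaves in plaintext; since `inet_interfaces = loopback-only` means the server never accepts remote connections, the client side is the one that matters here. Add `smtp_tls_security_level = may` (or `secure` together with `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt` if the smarthost is known to present a valid certificate). `smtpd_use_tls=yes` is the pre-2.3 spelling; `smtpd_tls_security_level = may` is its current equivalent. If the relay requires a client certificate, the role now ships `x509_cert`/`x509_key` and could reuse them instead of the snakeoil pair.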
@@ -294,7 +294,8 @@ ACCOUNTS_ORG_NAME = '{{ karaageAcountName }}' # # default: SHIB_SUPPORTED = False # -# SHIB_SUPPORTED = True +# TODO: Should we add a variable to use shibboleth or not??? +SHIB_SUPPORTED = True # Path to AUP policy. Note that setting this will not disable the Karaage # default page, it might be better to replace the AUP with a file in @@ -335,5 +336,5 @@ PLUGINS = [ 'karaage.plugins.kgapplications.plugin', 'karaage.plugins.kgsoftware.plugin', 'karaage.plugins.kgsoftware.applications.plugin', - 'karaage.plugins.kgusage.plugin', +# 'karaage.plugins.kgusage.plugin', ] diff --git a/roles/karaage3.1.17/templates/ssl.conf.j2 b/roles/karaage3.1.17/templates/ssl.conf.j2 deleted file mode 100644 index 1b2e1339b99987915ecf6957f993c24d20fa4691..0000000000000000000000000000000000000000 --- a/roles/karaage3.1.17/templates/ssl.conf.j2 +++ /dev/null 
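Review bot: `SHIB_SUPPORTED = True` is now hardcoded in the rendered `settings.py`, so every deployment of this role requires a working Shibboleth SP, and the `TODO` left beside it asks exactly that question. Answer it with a role variable, `SHIB_SUPPORTED = {{ karaage_shib_supported | default(false) }}` (constructed name), and drive the `a2enmod shib2` task and the `AuthType Shibboleth` block in `karaage3-wsgi.conf.j2` from the same variable so the three cannot drift apart. The `# TODO` line itself is rendered into the deployed settings file; if it is meant for template readers only, use the Jinja comment form `{# … #}`. Commenting out `karaage.plugins.kgusage.plugin` with no note leaves the next reader guessing whether the plugin was dropped on purpose or is pending the `python-kgusage` package that this diff also stops installing.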
@@ -1,221 +0,0 @@ -# -# This is the Apache server configuration file providing SSL support. -# It contains the configuration directives to instruct the server how to -# serve pages over an https connection. For detailing information about these -# directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html> -# -# Do NOT simply read the instructions in here without understanding -# what they do. They're here only as hints or reminders. If you are unsure -# consult the online docs. You have been warned. -# - -LoadModule ssl_module modules/mod_ssl.so - -# -# When we also provide SSL we have to listen to the -# the HTTPS port in addition. -# -Listen 443 - -## -## SSL Global Context -## -## All SSL configuration in this context applies both to -## the main server and all SSL-enabled virtual hosts. -## - -# Pass Phrase Dialog: -# Configure the pass phrase gathering process. -# The filtering dialog program (`builtin' is a internal -# terminal dialog) has to provide the pass phrase on stdout. -SSLPassPhraseDialog builtin - -# Inter-Process Session Cache: -# Configure the SSL Session Cache: First the mechanism -# to use and second the expiring timeout (in seconds). -SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) -SSLSessionCacheTimeout 300 - -# Semaphore: -# Configure the path to the mutual exclusion semaphore the -# SSL engine uses internally for inter-process synchronization. -Mutex sysvsem default -# Pseudo Random Number Generator (PRNG): -# Configure one or more sources to seed the PRNG of the -# SSL library. The seed data should be of good random quality. -# WARNING! On some platforms /dev/random blocks if not enough entropy -# is available. This means you then cannot use the /dev/random device -# because it would lead to very long connection times (as long as -# it requires to make more entropy available). But usually those -# platforms additionally provide a /dev/urandom device which doesn't -# block. So, if available, use this one instead. 
Read the mod_ssl User -# Manual for more details. -SSLRandomSeed startup file:/dev/urandom 256 -SSLRandomSeed connect builtin -#SSLRandomSeed startup file:/dev/random 512 -#SSLRandomSeed connect file:/dev/random 512 -#SSLRandomSeed connect file:/dev/urandom 512 - -# -# Use "SSLCryptoDevice" to enable any supported hardware -# accelerators. Use "openssl engine -v" to list supported -# engine names. NOTE: If you enable an accelerator and the -# server does not start, consult the error logs and ensure -# your accelerator is functioning properly. -# -SSLCryptoDevice builtin -#SSLCryptoDevice ubsec - -## -## SSL Virtual Host Context -## - -### <VirtualHost {{ ansible_fqdn }}:443> -<VirtualHost {{ ansible_nodename }}.{{ ansible_domain }}:443> - -# General setup for the virtual host, inherited from global configuration -#DocumentRoot "/var/www/html" -ServerName {{ ansible_nodename }}.{{ ansible_domain }}:443 - -# Use separate log files for the SSL virtual host; note that LogLevel -# is not inherited from httpd.conf. -ErrorLog logs/ssl_error_log -TransferLog logs/ssl_access_log -LogLevel warn - -# SSL Engine Switch: -# Enable/Disable SSL for this virtual host. -SSLEngine on - -# SSL Protocol support: -# List the enable protocol levels with which clients will be able to -# connect. Disable SSLv2 access by default: -SSLProtocol all -SSLv2 -SSLv3 - -# SSL Cipher Suite: -# List the ciphers that the client is permitted to negotiate. -# See the mod_ssl documentation for a complete list. 
-SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA - -# Server Certificate: -# Point SSLCertificateFile at a PEM encoded certificate. If -# the certificate is encrypted, then you will be prompted for a -# pass phrase. Note that a kill -HUP will prompt again. A new -# certificate can be generated using the genkey(1) command. -SSLCertificateFile {{ x509_cert_file }} - -# Server Private Key: -# If the key is not combined with the certificate, use this -# directive to point at the key file. Keep in mind that if -# you've both a RSA and a DSA private key you can configure -# both in parallel (to also allow the use of DSA ciphers, etc.) -SSLCertificateKeyFile {{ x509_key_file }} - -# Server Certificate Chain: -# Point SSLCertificateChainFile at a file containing the -# concatenation of PEM encoded CA certificates which form the -# certificate chain for the server certificate. Alternatively -# the referenced file can be the same as SSLCertificateFile -# when the CA certificates are directly appended to the server -# certificate for convinience. 
-#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt - -# Certificate Authority (CA): -# Set the CA certificate verification path where to find CA -# certificates for client authentication or alternatively one -# huge file containing all of them (file must be PEM encoded) -SSLCACertificateFile {{ x509_cacert_file }} - -# Client Authentication (Type): -# Client certificate verification type and depth. Types are -# none, optional, require and optional_no_ca. Depth is a -# number which specifies how deeply to verify the certificate -# issuer chain before deciding the certificate is not valid. -#SSLVerifyClient require -#SSLVerifyDepth 10 - -# Access Control: -# With SSLRequire you can do per-directory access control based -# on arbitrary complex boolean expressions containing server -# variable checks and other lookup directives. The syntax is a -# mixture between C and Perl. See the mod_ssl documentation -# for more details. -#<Location /> -#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ -# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ -# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ -# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ -# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ -# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ -#</Location> - -# SSL Engine Options: -# Set various options for the SSL engine. -# o FakeBasicAuth: -# Translate the client X.509 into a Basic Authorisation. This means that -# the standard Auth/DBMAuth methods can be used for access control. The -# user name is the `one line' version of the client's X.509 certificate. -# Note that no password is obtained from the user. Every entry in the user -# file needs this password: `xxj31ZMTZzkVA'. -# o ExportCertData: -# This exports two additional environment variables: SSL_CLIENT_CERT and -# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the -# server (always existing) and the client (only existing when client -# authentication is used). 
This can be used to import the certificates -# into CGI scripts. -# o StdEnvVars: -# This exports the standard SSL/TLS related `SSL_*' environment variables. -# Per default this exportation is switched off for performance reasons, -# because the extraction step is an expensive operation and is usually -# useless for serving static content. So one usually enables the -# exportation for CGI and SSI requests only. -# o StrictRequire: -# This denies access when "SSLRequireSSL" or "SSLRequire" applied even -# under a "Satisfy any" situation, i.e. when it applies access is denied -# and no other module can change it. -# o OptRenegotiate: -# This enables optimized SSL connection renegotiation handling when SSL -# directives are used in per-directory context. -#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire -<Files ~ "\.(cgi|shtml|phtml|php3?)$"> - SSLOptions +StdEnvVars -</Files> -<Directory "/var/www/cgi-bin"> - SSLOptions +StdEnvVars -</Directory> - -# SSL Protocol Adjustments: -# The safe and default but still SSL/TLS standard compliant shutdown -# approach is that mod_ssl sends the close notify alert but doesn't wait for -# the close notify alert from client. When you need a different shutdown -# approach you can use one of the following variables: -# o ssl-unclean-shutdown: -# This forces an unclean shutdown when the connection is closed, i.e. no -# SSL close notify alert is send or allowed to received. This violates -# the SSL/TLS standard but is needed for some brain-dead browsers. Use -# this when you receive I/O errors because of the standard approach where -# mod_ssl sends the close notify alert. -# o ssl-accurate-shutdown: -# This forces an accurate shutdown when the connection is closed, i.e. a -# SSL close notify alert is send and mod_ssl waits for the close notify -# alert of the client. This is 100% SSL/TLS standard compliant, but in -# practice often causes hanging connections with brain-dead browsers. 
Use -# this only for browsers where you know that their SSL implementation -# works correctly. -# Notice: Most problems of broken clients are also related to the HTTP -# keep-alive facility, so you usually additionally want to disable -# keep-alive for those clients, too. Use variable "nokeepalive" for this. -# Similarly, one has to force some clients to use HTTP/1.0 to workaround -# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and -# "force-response-1.0" for this. -SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - -# Per-Server Logging: -# The home of a custom SSL log file. Use this when you want a -# compact non-error SSL logfile on a virtual host basis. -CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - -</VirtualHost> diff --git a/roles/karaage3.1.17/vars/main.yml b/roles/karaage3.1.17/vars/main.yml deleted file mode 100644 index eb18be12737723fe5638423409d64b3166d5acbb..0000000000000000000000000000000000000000 --- a/roles/karaage3.1.17/vars/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- - apache_user: "{% if ansible_os_family == 'RedHat' %}apache{% else %}www-data{% endif %}" - karaageSecretKey: "imkaraage" diff --git a/roles/karaage3.1.17/vars/readme.txt b/roles/karaage3.1.17/vars/readme.txt new file mode 100644 index 0000000000000000000000000000000000000000..d12bb5aeb0431479afb3a6f5e193e2a2281a320d --- /dev/null +++ b/roles/karaage3.1.17/vars/readme.txt @@ -0,0 +1,5 @@ + +apache_cert_file: "{{ inventory_hostname }}.{{ domain }}.crt" +apache_key_file: "{{ inventory_hostname }}.{{ domain }}.key" +apache_chain_file: "merc_hpc_apache_chain.pem" + diff --git a/roles/openLdapClient/defaults/main.yml b/roles/ldapclient/defaults/main.yml similarity index 100% rename from roles/openLdapClient/defaults/main.yml rename to roles/ldapclient/defaults/main.yml 
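Review bot: `roles/karaage3.1.17/vars/readme.txt` holds YAML variable definitions (`apache_cert_file`, `apache_key_file`, `apache_chain_file`), but Ansible only loads `vars/main.yml` from that directory, so nothing in this diff defines them; the `when: apache_cert_file is defined` guards in `roles/apache2/tasks/main.yml` and `roles/karaage3.1.17/tasks/main.yml` then silently skip the cert, key and LDAP CA installation unless the inventory sets them elsewhere. If the file is meant as an example for the inventory, say so in a first-line comment and name where the values belong (group or host vars); if it is meant to be active, make it a `.yml` under `defaults/` so it can still be overridden. It also references `{{ domain }}`, which nothing in the diff defines, and `apache_chain_file` is not consumed by any task or template here.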
diff --git a/roles/openLdapClient/handlers/main.yml b/roles/ldapclient/handlers/main.yml similarity index 100% rename from roles/openLdapClient/handlers/main.yml rename to roles/ldapclient/handlers/main.yml diff --git a/roles/openLdapClient/tasks/configLdapClient.yml b/roles/ldapclient/tasks/configLdapClient.yml similarity index 85% rename from roles/openLdapClient/tasks/configLdapClient.yml rename to roles/ldapclient/tasks/configLdapClient.yml index d9058ca2b727dd5f8bb15f9c71ff51840c34cefc..836dcdd809692626eba503b08a67ec3916453dc0 100644 --- a/roles/openLdapClient/tasks/configLdapClient.yml +++ b/roles/ldapclient/tasks/configLdapClient.yml @@ -6,14 +6,8 @@ - nsswitch.conf sudo: true -- name: "get cert dir" - shell: "dirname {{ ldapCaCertFile }}" - delegate_to: localhost - run_once: true - register: ldapCaCertDir - - name: "make basedir" - file: path={{ ldapCaCertDir.stdout }} state=directory owner=root + file: path="{{ ldapCaCertFile | dirname }}" state=directory owner=root sudo: true ignore_errors: true diff --git a/roles/openLdapClient/tasks/installOpenLdap.yml b/roles/ldapclient/tasks/installOpenLdap.yml similarity index 100% rename from roles/openLdapClient/tasks/installOpenLdap.yml rename to roles/ldapclient/tasks/installOpenLdap.yml diff --git a/roles/openLdapClient/tasks/main.yml b/roles/ldapclient/tasks/main.yml similarity index 100% rename from roles/openLdapClient/tasks/main.yml rename to roles/ldapclient/tasks/main.yml diff --git a/roles/openLdapClient/templates/authconfig.j2 b/roles/ldapclient/templates/authconfig.j2 similarity index 100% rename from roles/openLdapClient/templates/authconfig.j2 rename to roles/ldapclient/templates/authconfig.j2 diff --git a/roles/openLdapClient/templates/ldap.conf.j2 b/roles/ldapclient/templates/ldap.conf.j2 similarity index 100% rename from roles/openLdapClient/templates/ldap.conf.j2 rename to roles/ldapclient/templates/ldap.conf.j2 
diff --git a/roles/openLdapClient/templates/ldapCaCert.j2 b/roles/ldapclient/templates/ldapCaCert.j2 similarity index 100% rename from roles/openLdapClient/templates/ldapCaCert.j2 rename to roles/ldapclient/templates/ldapCaCert.j2 diff --git a/roles/openLdapClient/templates/nsswitch.conf.j2 b/roles/ldapclient/templates/nsswitch.conf.j2 similarity index 100% rename from roles/openLdapClient/templates/nsswitch.conf.j2 rename to roles/ldapclient/templates/nsswitch.conf.j2 diff --git a/roles/openLdapClient/templates/pam_ldap.conf.j2 b/roles/ldapclient/templates/pam_ldap.conf.j2 similarity index 100% rename from roles/openLdapClient/templates/pam_ldap.conf.j2 rename to roles/ldapclient/templates/pam_ldap.conf.j2 diff --git a/roles/openLdapClient/templates/password-auth.j2 b/roles/ldapclient/templates/password-auth.j2 similarity index 100% rename from roles/openLdapClient/templates/password-auth.j2 rename to roles/ldapclient/templates/password-auth.j2 diff --git a/roles/openLdapClient/templates/sssd.j2 b/roles/ldapclient/templates/sssd.j2 similarity index 100% rename from roles/openLdapClient/templates/sssd.j2 rename to roles/ldapclient/templates/sssd.j2 diff --git a/roles/openLdapClient/templates/system-auth.j2 b/roles/ldapclient/templates/system-auth.j2 similarity index 100% rename from roles/openLdapClient/templates/system-auth.j2 rename to roles/ldapclient/templates/system-auth.j2 diff --git a/roles/ldapserver/meta/main.yml b/roles/ldapserver/meta/main.yml deleted file mode 100644 index 11e79807cceb222f4d145464d2f0db20a1aefec7..0000000000000000000000000000000000000000 --- a/roles/ldapserver/meta/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- -dependencies: - - { role: easy-rsa-certificate, x509_csr_args: "", x509_sign_args: "--server", x509_cacert_file: "/etc/ssl/certs/ca.crt", x509_key_file: "/etc/ssl/private/server.key", x509_cert_file: "/etc/ssl/certs/server.crt", x509_common_name: "{{ ansible_fqdn }}" } 
diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml index 437211fad504ad1049c7dd3322ff2a61eb4fcbc7..538246448c6916f4e17755dbb896df05b600e5cb 100644 --- a/roles/ldapserver/tasks/main.yml +++ b/roles/ldapserver/tasks/main.yml @@ -1,6 +1,8 @@ --- - include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml" +- include_vars: "{{ ansible_distribution }}.yml" + - name: install system packages apt apt: name={{ item }} state=installed update_cache=true sudo: true @@ -13,31 +15,15 @@ with_items: system_packages when: ansible_os_family == 'RedHat' +- name: Fixed default configuration + lineinfile: dest=/etc/default/slapd regexp='^SLAPD_SERVICES="ldap:/// ldapi:///"' line='SLAPD_SERVICES="ldaps:/// ldap:/// ldapi:///"' + sudo: true + when: ansible_os_family == 'Debian' + - name: hash password command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }} register: ldapManagerHash -- name: hash binddn password - command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapBindDNPassword }} - register: ldapBindDNHash - -- name: template ssl.ldif - template: src=ssl_ldif.j2 dest=/tmp/ssl.ldif mode=600 - -- name: template manager.ldif - template: src=manager_ldif.j2 dest=/tmp/manager.ldif mode=600 - sudo: true -- name: template manager2.ldif - template: src=manager_ldif2.j2 dest=/tmp/manager2.ldif mode=600 - sudo: true -- name: template manager3.ldif - template: src=manager_ldif3.j2 dest=/tmp/manager3.ldif mode=600 - sudo: true - -- name: template binddn.ldif - template: src=binddn_ldif.j2 dest=/tmp/binddn.ldif mode=600 - sudo: true - - name: template root.ldif template: src=root_ldif.j2 dest=/tmp/root.ldif 
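Review bot: The new `Fixed default configuration` task only rewrites `/etc/default/slapd` when the line is exactly `SLAPD_SERVICES="ldap:/// ldapi:///"`; on a host where the value was ever changed, `lineinfile` finds no match, appends nothing useful or a duplicate, and ldaps stays off without any error. Anchor the regexp on the key, `regexp='^SLAPD_SERVICES='`, so the task converges from any previous value. The new value also keeps plain `ldap:///` on all interfaces, so whether clients can still bind in cleartext depends on what `ssl_ldif.j2` sets (not visible here); if the intent is TLS-only, drop `ldap:///` or bind it to `ldap://127.0.0.1/`. The task name is misleading as well — `Enable ldaps in /etc/default/slapd` says what it does.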
@@ -50,11 +36,8 @@
 - name: template groups.ldif
 template: src=groups_ldif.j2 dest=/tmp/groups.ldif
-- name: template acls.ldif
- template: src=acls_ldif.j2 dest=/tmp/acls.ldif
-
-- name: template ppolicy_moduleload.ldif
- template: src=ppolicy_moduleload_ldif.j2 dest=/tmp/ppolicy_moduleload.ldif
+- name: template load_modules.ldif
+ template: src=load_modules_ldif.j2 dest=/tmp/load_modules.ldif
 - name: template ppolicy_overlay.ldif
 template: src=ppolicy_overlay_ldif.j2 dest=/tmp/ppolicy_overlay.ldif
@@ -65,32 +48,38 @@
 - name: template default_ppolicy.ldif
 template: src=default_ppolicy_ldif.j2 dest=/tmp/default_ppolicy.ldif
-- name: make cert dir
- file: path={{ ldapcert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
+- name: template ssl.ldif
+ template: src=ssl_ldif.j2 dest=/tmp/ssl.ldif mode=600
+
+- name: template manager.ldif
+ template: src=manager_ldif.j2 dest=/tmp/manager.ldif mode=600
+ sudo: true
+- name: template manager2.ldif
+ template: src=manager_ldif2.j2 dest=/tmp/manager2.ldif mode=600
+ sudo: true
+- name: template manager3.ldif
+ template: src=manager_ldif3.j2 dest=/tmp/manager3.ldif mode=600
 sudo: true
-- name: make key dir
- file: path={{ ldapkey | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
+- name: make ldap certs dir
+ file: path={{ ldapCertDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
 sudo: true
-- name: make ca dir
- file: path={{ cacert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
+- name: make ldap private dir
+ file: path={{ ldapKeyDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} mode=700
 sudo: true
 - name: copy cert
- command: cp /etc/ssl/certs/server.crt {{ ldapcert }}
+ copy: src="files/{{ ldapCert }}" dest="{{ ldapCertDest }}"
 sudo: true
-- name: copy cacert
- command: cp /etc/ssl/certs/ca.crt {{ cacert }}
+- name: copy ca cert
+ copy: src="files/{{ ldapCAChain }}" dest="{{ ldapCAChainDest }}"
 sudo: true
-- name: copy key
- command: cp /etc/ssl/private/server.key {{ ldapkey }}
- sudo: true
-- name: chmod key
- file: path={{ ldapkey }} owner={{ ldapuser }} group={{ ldapgroup }} mode=600
+- name: copy key
+ copy: src="files/{{ ldapKey }}" dest="{{ ldapKeyDest }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }}
 sudo: true
 - name: enable ssl centos
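Review bot: `copy key` now ships the LDAP private key from the role's `files/` directory, which means the key material lives in the repository next to the playbook; the same pattern is used for the SP key in the `copy shib key` task of roles/shibboleth-sp/tasks/shibbolethConfig.yml later in this commit. Keep the key out of plain VCS by storing it vault-encrypted (or pulling it from a secrets store at run time) and, where the Ansible version in use supports it, let `copy` decrypt the vault-encrypted `src` transparently. The `copy cert` and `copy ca cert` tasks set no `owner`/`mode`, so the certificates end up root-owned with whatever the default umask gives; that is acceptable for public material, but stating it explicitly, `mode=644 owner={{ ldapuser }} group={{ ldapgroup }}`, keeps the three copy tasks consistent with `copy key`.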
@@ -103,15 +92,52 @@
 sudo: true
 when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7'
+- name: check TLS config
+ shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: {{ ldapKeyDest }}'"
+ ignore_errors: true
+ sudo: true
+ register: tlsConfigured
+
 - name: start ldap
 service: name=slapd state=restarted
 sudo: true
-- name: check TLS config
- shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: {{ ldapkey }}'"
+- name: initialise server ssl
+ shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config
+ sudo: true
+ when: tlsConfigured|failed
+
+- name: Initialise cosine and ppolicy
+ shell: ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldapDir }}/schema/{{ item }}.ldif -D cn=config
+ with_items:
+ - ppolicy
+ - cosine
+ - nis
+ - inetorgperson
 ignore_errors: true
 sudo: true
- register: tlsConfigured
+
+- name: check ppolicy module loaded
+ shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
+ sudo: true
+ ignore_errors: true
+ register: ppolicyModuleLoaded
+
+- name: load ppolicy module
+ shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_modules.ldif -D cn=config
+ sudo: true
+ when: ppolicyModuleLoaded|failed
+
+- name: check ppolicy overlay config
+ shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}.db,cn=config'"
+ ignore_errors: true
+ sudo: true
+ register: ppolicyOverlayConfigured
+
+- name: add ppolicy overlay
+ shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config
+ sudo: true
+ when: ppolicyOverlayConfigured|failed
 - name: check Manager config
 shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'"
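Review bot: `Initialise cosine and ppolicy` now runs on every host and every play with `ignore_errors: true`, so a genuine failure (a missing `{{ ldapDir }}/schema/{{ item }}.ldif`, slapd not listening on ldapi, a wrong `ldapDir`) is indistinguishable from the expected "schema already loaded" case and the play carries on against an unconfigured server. Register the result and fail only on unexpected errors, e.g. `register: schemaLoaded` and `failed_when: schemaLoaded.rc != 0 and 'Already exists' not in schemaLoaded.stderr`, and drop `ignore_errors`. The same check-then-`|failed` pattern in the new `check ppolicy module loaded` and `check ppolicy overlay config` tasks treats a failing `slapcat` the same as "not configured"; both run under sudo so this is unlikely to misfire, but `changed_when: false` on the check tasks would at least stop them reporting a change on every run.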
@@ -119,6 +145,20 @@
 sudo: true
 register: managerConfigured
+- name: initialise server manager
+ shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config
+ sudo: true
+ when: managerConfigured|failed
+- name: initialise server manager
+ shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config
+ sudo: true
+ ignore_errors: true
+ when: managerConfigured|failed
+- name: initialise server manager
+ shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config
+ sudo: true
+ when: managerConfigured|failed
+
 # slapcat does a line wrap at character 78. Don't attempt to match on {{ ldapManager }} as it will cross two lines
 - name: check ACL config
 shell: "slapcat -b cn=config | grep 'olcAccess:' | grep 'cn=Manager'"
@@ -126,16 +166,22 @@
 sudo: true
 register: aclConfigured
+- name: template acls.ldif
+ template: src=acls_ldif.j2 dest=/tmp/acls.ldif
+
+- name: initialise server acls
+ shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
+ sudo: true
+ when: aclConfigured|failed
 - name: check DIT config
 shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
 ignore_errors: true
 register: ditConfigured
-- name: check Accounts config
- shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
- ignore_errors: true
- register: accountsConfigured
+- name: add DIT root
+ shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
+ when: ditConfigured|failed
 - name: check real Accounts config
 shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*"
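Review bot: The three added tasks all carry the name `initialise server manager`, which makes `--start-at-task` ambiguous and the play output hard to follow; give each a distinct name, e.g. `initialise server manager (manager.ldif)`, `… (manager2.ldif)`, `… (manager3.ldif)`. The middle task is the only one with `ignore_errors: true` and nothing in the hunk says why a failure of manager2.ldif is acceptable, so a comment above it stating the reason (constructed example: `# manager2.ldif fails when <condition> and that is expected`) would save the next reader a guess. The manager*.ldif files these tasks consume hold the hashed manager password and are left in /tmp after use; a trailing `file: path=/tmp/{{ item }} state=absent` looping over the three names would remove them once applied.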
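Review bot: `add DIT root` passes `{{ ldapManagerPassword }}` as a `-w` argument, so the clear-text manager password appears on the shell command line and, because the task has no `no_log`, in the Ansible output and any log it is forwarded to; the same applies to every `ldapadd`/`ldapsearch -w` task and to the `slappasswd -s` task in the following hunks of roles/ldapserver/tasks/main.yml. Add `no_log: true` to each task that carries a password, and prefer reading it from a root-only file (`-y <password-file>`) over `-w` so it is not visible in the process list while the command runs. The `check DIT config` task just above it has the same exposure and would benefit from the same `no_log: true`.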
@@ -143,69 +189,61 @@
 register: realAccountsConfigured
 when: ldapAccountBase is defined
+- name: add real Accounts OU
+ shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/real_accounts.ldif
+ when: realAccountsConfigured is defined and realAccountsConfigured|failed
+
 - name: check Groups config
 shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*"
 ignore_errors: true
 register: groupsConfigured
+- name: add Groups OU
+ shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
+ when: groupsConfigured|failed
+
+- name: check Accounts config
+ shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
+ ignore_errors: true
+ register: accountsConfigured
+
+- name: add Accounts OU
+ shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
+ when: accountsConfigured|failed
+
 - name: check binddn config
 shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} -x -H ldap://localhost objectClass=dcObject"
 ignore_errors: true
 register: binddnConfigured
--
- name: Initialise cosine and ppolicy
- shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ item }}.ldif -D cn=config
- with_items:
- - ppolicy
- - cosine
- - nis
- - inetorgperson
- ignore_errors: true
- sudo: true
- when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7'
-
-- name: initialise server ssl
- shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config
- sudo: true
- when: tlsConfigured|failed
+- name: hash binddn password
+ command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapBindDNPassword }}
+ register: ldapBindDNHash
-- name: initialise server manager
- shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config
- sudo: true
- when: managerConfigured|failed
-- name: initialise server manager
- shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config
- sudo: true
- ignore_errors: true
- when: managerConfigured|failed
-- name: initialise server manager
- shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config
+- name: template binddn.ldif
+ template: src=binddn_ldif.j2 dest=/tmp/binddn.ldif mode=600
 sudo: true
- when: managerConfigured|failed
-- name: initialise server acls
- shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
+- name: add binddn
+ shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
 sudo: true
- when: aclConfigured|failed
+ when: binddnConfigured|failed
-- name: add DIT root
- shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
- when: ditConfigured|failed
+- name: check pwpolicies config
+ shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
+ ignore_errors: true
+ register: pwpoliciesConfigured
-- name: add Accounts OU
- shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
- when: accountsConfigured|failed
+- name: add pwpolicies
+ shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
+ when: pwpoliciesConfigured|failed
-- name: add real Accounts OU
- shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/real_accounts.ldif
- when: realAccountsConfigured is defined and realAccountsConfigured|failed
+- name: check defaultPwpolicy config
+ shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
+ ignore_errors: true
+ register: defaultPpolicyConfigured
-- name: add Groups OU
- shell: ldapadd -x -D {{ ldapManager
}} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
- when: groupsConfigured|failed
+- name: add defaultPwpolicy
+ shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+ when: defaultPpolicyConfigured|failed
-- name: add binddn
- shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
- sudo: true
- when: binddnConfigured|failed
diff --git a/roles/ldapserver/templates/ppolicy_moduleload_ldif.j2 b/roles/ldapserver/templates/load_modules_ldif.j2
similarity index 70%
rename from roles/ldapserver/templates/ppolicy_moduleload_ldif.j2
rename to roles/ldapserver/templates/load_modules_ldif.j2
index 084cc60366dc216b2c24ae1a3d5ef29cdf5e4957..fd643276f003704e547e7b5136f62440f13cef08 100644
--- a/roles/ldapserver/templates/ppolicy_moduleload_ldif.j2
+++ b/roles/ldapserver/templates/load_modules_ldif.j2
@@ -1,5 +1,5 @@
 dn: cn=module,cn=config
 objectClass: olcModuleList
 cn: module
-olcModulePath: /usr/lib64/openldap/
+olcModulePath: {{ module_path }}
 olcModuleLoad: ppolicy.la
diff --git a/roles/ldapserver/templates/ssl_ldif.j2 b/roles/ldapserver/templates/ssl_ldif.j2
index b60604c40e2b185d7c0001cd30ada14b41eb405a..075e3a262401204d0fc81ff617f9397890a34755 100644
--- a/roles/ldapserver/templates/ssl_ldif.j2
+++ b/roles/ldapserver/templates/ssl_ldif.j2
@@ -1,9 +1,9 @@
 dn: cn=config
 replace: olcTLSCACertificateFile
-olcTLSCACertificateFile: {{ cacert }}
+olcTLSCACertificateFile: {{ ldapCAChainDest }}
 -
 replace: olcTLSCertificateFile
-olcTLSCertificateFile: {{ ldapcert }}
+olcTLSCertificateFile: {{ ldapCertDest }}
 -
 replace: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: {{ ldapkey }}
+olcTLSCertificateKeyFile: {{ ldapKeyDest }}
diff --git a/roles/ldapserver/vars/CentOS.yml b/roles/ldapserver/vars/CentOS.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e1d68d894c333b3b379f537ea2128c4a5e4ec159
--- /dev/null
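Review bot: `check pwpolicies config` and `check defaultPwpolicy config` are the only ldapsearch checks in this file without `-x`; without it ldapsearch attempts a SASL bind and `-D`/`-w` are not used for a simple bind, so on a server with no SASL mechanism configured the check fails every run, `pwpoliciesConfigured|failed` is always true, and `add pwpolicies` (which has no `ignore_errors`) then fails on the second run with "Already exists". Add `-x`, and `-H ldap://localhost` for consistency with the other checks: `shell: ldapsearch -x -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} -H ldap://localhost objectClass=*`, and the same for the `cn=default,…` search. The `add pwpolicies` and `add defaultPwpolicy` tasks likewise omit the `-H ldap://localhost` that every other ldapadd in the file passes, relying on the client's default URI. No task in this diff templates /tmp/pwpolicies.ldif; if it is produced earlier in the file that is fine, otherwise `add pwpolicies` fails on a missing file.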
+++ b/roles/ldapserver/vars/CentOS.yml
@@ -0,0 +1,4 @@
+---
+ ldapDir: "/etc/openldap"
+ module_path: "/usr/lib64/openldap/"
+
diff --git a/roles/ldapserver/vars/Debian.yml b/roles/ldapserver/vars/Debian.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c10225e07a2bd8a5f705f6aea96d06b86f130edb
--- /dev/null
+++ b/roles/ldapserver/vars/Debian.yml
@@ -0,0 +1,3 @@
+---
+ ldapDir: "/etc/ldap"
+ module_path: "/usr/lib/ldap"
diff --git a/roles/ldapserver/vars/main.yml b/roles/ldapserver/vars/main.yml
index c3953ac3b4519d1c524c869bf716230d12821911..a80673ceb2d084ad500334c2276ae8a6fdce08c2 100644
--- a/roles/ldapserver/vars/main.yml
+++ b/roles/ldapserver/vars/main.yml
@@ -1,5 +1,4 @@
 ---
- ldapcert: /etc/openldap/certs/ldapcert.pem
- ldapkey: /etc/openldap/certs/ldapkey.pem
- cacert: /etc/openldap/certs/cacert.pem
-
+ldapCertDest: "{{ ldapDir }}/ssl/certs/ldapcert.pem"
+ldapKeyDest: "{{ ldapDir }}/ssl/private/ldapkey.pem"
+ldapCAChainDest: "{{ ldapDir }}/ssl/certs/cacert.pem"
diff --git a/roles/mysql/tasks/main.yml b/roles/mysql/tasks/main.yml
index bc39805e12f63115eb9d0d88fc9d19af77fbb8de..fd7181ba5206b53ab92a9a0802a239a2f0b0fde2 100644
--- a/roles/mysql/tasks/main.yml
+++ b/roles/mysql/tasks/main.yml
@@ -1,3 +1,3 @@
 ---
- - include: mysql_client.yml mysql_type=mysql_client
- - include: mysql_server.yml mysql_type=mysql_server
+- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml"
+- include: "{{ mysql_type }}.yml"
diff --git a/roles/mysql/tasks/mysql_client.yml b/roles/mysql/tasks/mysql_client.yml
index 3c69675b3b9d74e7bdb2a975f2a364fe5901d431..f8c23a1ce160d20be5df10b9f76da1e0f5ca3801 100644
--- a/roles/mysql/tasks/mysql_client.yml
+++ b/roles/mysql/tasks/mysql_client.yml
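Review bot: The two keys in the new vars/CentOS.yml are indented by one space under `---`, while the keys this same commit adds to vars/main.yml sit at column 0 and the one-space form is exactly what it removes there; both parse, but the role's vars files should agree, so drop the leading space in CentOS.yml and in Debian.yml, which has the same layout. The file also mixes naming styles (`ldapDir` camelCase next to `module_path` snake_case) where every other ldapserver variable is camelCase; `modulePath` would match, with the template that consumes it updated in the same change. CentOS.yml additionally ends in an added blank line that Debian.yml does not have — minor, but worth dropping for consistency.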
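Review bot: `- include: "{{ mysql_type }}.yml"` builds the task-file name from a caller-supplied variable with no check that it is one of the two values the role's readme documents (`mysql_client` / `mysql_server`); an unset or mistyped `mysql_type` fails with a file-not-found on the include, which is harder to diagnose than the two explicit includes it replaces. A guard before it, `- fail: msg="mysql_type must be mysql_client or mysql_server"` with `when: mysql_type is not defined or mysql_type not in ['mysql_client', 'mysql_server']`, gives a clear error instead. The `include_vars` of `{{ ansible_distribution }}_{{ ansible_distribution_major_version }}.yml` likewise turns any distribution other than the four vars files added in this commit into a hard failure; that is acceptable, but a comment in main.yml listing the supported distribution/version pairs would document it.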
@@ -1,18 +1,12 @@
 ---
 - name: "Installing MySQL Debian"
 apt: name="{{ item }}" update_cache=yes cache_valid_time=3600 state=present
- with_items:
- - python
- - mysql-client
+ with_items: client_packages
 sudo: true
 when: ansible_os_family == "Debian"
 - name: Installing MySQL RedHat
 yum: name="{{ item }}" state=latest
- with_items:
- - python
- - mysql
- - mysql-connector-odbc
- - MySQL-python
+ with_items: client_packages
 sudo: true
 when: ansible_os_family == "RedHat"
diff --git a/roles/mysql/tasks/mysql_server.yml b/roles/mysql/tasks/mysql_server.yml
index 1a78037bda44bd95fb4117e875a3f68201827bf3..9dba15d6cd8e7a972eee074713a27b392d0694dd 100644
--- a/roles/mysql/tasks/mysql_server.yml
+++ b/roles/mysql/tasks/mysql_server.yml
@@ -1,15 +1,7 @@
 ---
 - name: "Installing MySQL Debian"
 apt: name="{{ item }}" update_cache=yes cache_valid_time=3600 state=present
- with_items:
- - python
- - python-dev
- - libmysqlclient-dev
- - python-pip
- - libapache2-mod-wsgi
- - python-mysql.connector
- - mysql-server
- - python-mysqldb
+ with_items: server_packages
 sudo: true
 when: ansible_os_family == "Debian"
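Review bot: `with_items: client_packages` uses a bare variable name, a form that later Ansible releases deprecate in favour of the templated `with_items: "{{ client_packages }}"`; the same bare form appears in both `server_packages` loops of the mysql_server.yml hunks in this commit. The `{{ }}` form works on the older `sudo: true`-era releases this playbook targets and keeps the role usable on newer ones, so it is worth switching in all four places at once.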
@@ -36,26 +28,22 @@
 - name: "Starting MySQL"
 service: name=mysql state=started enabled=true
 sudo: true
- when: ansible_os_family == "Debian"
+ when: ansible_os_family == "RedHat" and ansible_distribution_major_version >= 7
-- name: "Starting MySQL"
- service: name=mysqld state=started enabled=true
+- name: Installing MySQL RedHat
+ yum: name={{ item }}
+ with_items: server_packages
 sudo: true
- when: ansible_os_family == "RedHat" and ansible_distribution_major_version < 7
+ when: ansible_os_family == "RedHat"
 - name: "Starting MySQL"
- service: name=mariadb state=started enabled=true
+ service: name={{ sqlServiceName }} state=started enabled=true
 sudo: true
- when: ansible_os_family == "RedHat" and ansible_distribution_major_version >= 7
 - name: make sure mysql conf directory exists
 file: dest=/etc/mysql/conf.d state=directory
 sudo: true
-- name: "Templating mysql configure file"
- template: src="mysql.cnf.j2" dest=/etc/mysql/conf.d/{{ mysql_config_file_name }}.cnf owner=root group=root
- sudo: true
-
 - name: "Adding root"
 sudo: true
 mysql_user: name=root host="{{ item }}" password="{{ mysql_root_password }}" login_user=root login_password="{{ mysql_root_password }}" check_implicit_admin=yes
diff --git a/roles/mysql/templates/mysql.cnf.j2 b/roles/mysql/templates/mysql.cnf.j2
deleted file mode 100644
index bcfe4d87c32c8602b88dd3a11659ea5c68420eb6..0000000000000000000000000000000000000000
--- a/roles/mysql/templates/mysql.cnf.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-[mysqld]
-character_set_server=utf8
-default-storage-engine = innodb
-sql_mode = STRICT_ALL_TABLES
-log_warnings = 2
-log_error = /var/log/mysql/error.log
-
-[client]
-default-character-set = utf8
diff --git a/roles/mysql/vars/CentOS_6.yml b/roles/mysql/vars/CentOS_6.yml
new file mode 100644
index 0000000000000000000000000000000000000000..544e8a130a5d7627f4a2c6e9449bb970a3d9643b
--- /dev/null
+++ b/roles/mysql/vars/CentOS_6.yml
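Review bot: The first `Starting MySQL` task still has `service: name=mysql` but its condition was changed to `ansible_os_family == "RedHat" and ansible_distribution_major_version >= 7`, so on CentOS 7 it tries to start a unit named `mysql` (the CentOS_7 vars file in this commit names the service `mariadb`) before the `Installing MySQL RedHat` task below it has installed anything; and because the fact is a string and `7` an integer, the `>=` comparison is not the string comparison used elsewhere (`>= '7'`) — under CPython 2 a str always compares greater than an int, so the task also runs on CentOS 6, and Python 3 rejects the comparison outright. Since the third task starts `{{ sqlServiceName }}` for every platform, the first task looks like a leftover and should be deleted; if a separate Debian start is still wanted, restore its original `when: ansible_os_family == "Debian"`. The new `yum: name={{ item }}` omits `state=`, unlike the `state=latest` in mysql_client.yml; `state=present` makes the intent explicit. Note also that the readme hunk later in this commit re-adds `mysql_config_file_name` although this hunk removes the only task that used it and the vars file defining it is deleted.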
@@ -0,0 +1,15 @@
+server_packages:
+ - python
+ - python-devel
+ - mysql-devel
+ - mysql-libs
+ - MySQL-python
+ - mysql-server
+
+client_packages:
+ - python
+ - mysql
+ - mysql-connector-odbc
+ - MySQL-python
+
+sqlServiceName: mysqld
diff --git a/roles/mysql/vars/CentOS_7.yml b/roles/mysql/vars/CentOS_7.yml
new file mode 100644
index 0000000000000000000000000000000000000000..24834c49a59e0a5ae210ed9065d018efab0a26c5
--- /dev/null
+++ b/roles/mysql/vars/CentOS_7.yml
@@ -0,0 +1,12 @@
+server_packages:
+ - python
+ - python-devel
+ - MySQL-python
+ - mariadb-server
+
+client_packages:
+ - mariadb
+ - python
+ - MySQL-python
+
+sqlServiceName: mariadb
diff --git a/roles/mysql/vars/Debian_7.yml b/roles/mysql/vars/Debian_7.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cc3cfc58df2ba585640418514aed6f463034f37f
--- /dev/null
+++ b/roles/mysql/vars/Debian_7.yml
@@ -0,0 +1,15 @@
+server_packages:
+ - python
+ - python-dev
+ - libmysqlclient-dev
+ - python-pip
+ - libapache2-mod-wsgi
+ - python-mysql.connector
+ - mysql-server
+ - python-mysqldb
+
+client_packages:
+ - python
+ - mysql-client
+
+sqlServiceName: "mysql"
diff --git a/roles/mysql/vars/Debian_8.yml b/roles/mysql/vars/Debian_8.yml
new file mode 100644
index 0000000000000000000000000000000000000000..cc3cfc58df2ba585640418514aed6f463034f37f
--- /dev/null
+++ b/roles/mysql/vars/Debian_8.yml
@@ -0,0 +1,15 @@
+server_packages:
+ - python
+ - python-dev
+ - libmysqlclient-dev
+ - python-pip
+ - libapache2-mod-wsgi
+ - python-mysql.connector
+ - mysql-server
+ - python-mysqldb
+
+client_packages:
+ - python
+ - mysql-client
+
+sqlServiceName: "mysql"
diff --git a/roles/mysql/vars/main.yml b/roles/mysql/vars/main.yml
deleted file mode 100644
index 5ab6594867c30436d4a67277577cfc5cae58f643..0000000000000000000000000000000000000000
--- a/roles/mysql/vars/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-mysql_config_file_name: mysql_config
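Review bot: vars/Debian_7.yml and vars/Debian_8.yml are byte-identical (both headers show the same new blob id), so every package change has to be made twice; a single Debian.yml selected through `with_first_found` in the role's `include_vars` (version-specific file first, distribution file as fallback) would remove the duplicate. Across the four new files `sqlServiceName` is sometimes quoted (`"mysql"`) and sometimes bare (`mysqld`, `mariadb`); all are plain strings, so pick one form. None of the four starts with `---`, while the other YAML files touched by this commit do.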
diff --git a/roles/mysql/vars/readme.txt b/roles/mysql/vars/readme.txt
index a17f539ae37d149078df23444a80a1c00d611cb1..097faecb47318cb8565539b44c6a1975a5b6c7d7 100644
--- a/roles/mysql/vars/readme.txt
+++ b/roles/mysql/vars/readme.txt
@@ -4,7 +4,6 @@ mysql_type: mysql_client | mysql_server
 mysql_user_db_name: "my_database"
 mysql_user_name: "my_database"
 mysql_user_host: "localhost"
-mysql_config_file_name: "mysql_config"
 mysql_root_password: "secret"
 mysql_user_password: "secret"
-
+mysql_config_file_name: mysql_config
diff --git a/roles/package_update/tasks/main.yml b/roles/package_update/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..acbd63e0395b03dd4fe71fd80d203d1c1abc1405
--- /dev/null
+++ b/roles/package_update/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: "update cache centos"
+ shell: yum update -y
+ sudo: true
+ when: ansible_os_family == 'RedHat'
+
+- name: "update cache debian"
+ shell: apt-get update -y
+ sudo: true
+ when: ansible_os_family == 'Debian'
+
+
diff --git a/roles/shibboleth-sp/tasks/shibbolethConfig.yml b/roles/shibboleth-sp/tasks/shibbolethConfig.yml
index 00c0b6348ef9394324471d628ddd919d39e000b8..3ccd12c1d401bb7346ff52902f63375ea5eab3a9 100644
--- a/roles/shibboleth-sp/tasks/shibbolethConfig.yml
+++ b/roles/shibboleth-sp/tasks/shibbolethConfig.yml
@@ -1,11 +1,10 @@
 ---
--
- name: "Copying the metadata.aaf.xml and aaf-metadata-cert.pem"
- template: src="{{ item }}.j2" dest="/etc/shibboleth/{{ item }}" mode=0644
- sudo: true
- with_items:
- - metadata.aaf.xml
- - aaf-metadata-cert.pem
+#-
+# name: "Copying the shibboleth files"
+# template: src=files/{{ item.src }} dest="{{ item.dest }}" mode=0644
+# with_items: shibboleth_file
+# sudo: true
+
 - name: "Setting shibboleth2.xml sp.example.org"
 sudo: true
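Review bot: `update cache centos` runs `shell: yum update -y`, which upgrades every installed package, not just the metadata cache as the task name (and its Debian twin, which only runs `apt-get update`) suggests; one of the two is misnamed, and the RedHat one changes the host far more than the role name `package_update` leads a reader to expect. Both tasks also go through `shell`, so they report `changed` on every run and bypass module idempotency; `yum: name='*' state=latest` (if a full upgrade is intended) or `yum: update_cache=yes`, and `apt: update_cache=yes` on Debian, express the intent and are idempotent. The file ends with two added blank lines where one is enough.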
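Review bot: The replaced `Copying the metadata.aaf.xml and aaf-metadata-cert.pem` task is not removed but parked as a commented-out block (`#- name: "Copying the shibboleth files" …`), which is dead text that will drift from the real tasks. A `copy AAF metadata cert` task does appear in a later hunk of this file, but nothing in this diff deploys `metadata.aaf.xml` any more even though `backingFilePath="metadata.aaf.xml"` is still written into shibboleth2.xml; if the metadata is now meant to be fetched by shibd at run time, say so in a one-line comment where the old task was and delete the commented-out block.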
@@ -13,10 +12,19 @@
 args:
 dest: /etc/shibboleth/shibboleth2.xml
 regexp: sp.example.org
- replace: "{{ ansible_fqdn }}"
+ replace: "{{ ansible_hostname }}.{{ domain }}"
 backup: yes
-
+-
+ name: "Remove SSO entityID"
+ lineinfile:
+ args:
+ dest: /etc/shibboleth/shibboleth2.xml
+ regexp: '^(\s*)<SSO entityID="https://idp.example.org/idp/shibboleth"'
+ line: '\1<SSO'
+ backrefs: true
+ sudo: true
+
 - name: "Setting shibboleth2.xml handlerSSL"
 sudo: true
@@ -24,7 +32,7 @@
 args:
 dest: /etc/shibboleth/shibboleth2.xml
 regexp: 'handlerSSL="false"'
- replace: 'handlerSSL="true" handlerURL="https://{{ ansible_fqdn }}/Shibboleth.sso"'
+ replace: 'handlerSSL="true" handlerURL="https://{{ ansible_hostname }}.{{ domain }}/Shibboleth.sso"'
 -
@@ -72,8 +80,12 @@
 regexp: 'backingFilePath="federation-metadata.xml"'
 replace: 'backingFilePath="metadata.aaf.xml"'
--
- name: "Setting shibboleth2.xml aaf Certificate"
+- name: copy AAF metadata cert
+ copy: src=files/{{ shib_metadata_cert }} dest=/etc/shibboleth/aaf-metadata-cert.pem mode=644
+ sudo: true
+
+
+- name: "Setting shibboleth2.xml aaf Certificate"
 sudo: true
 replace:
 args:
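Review bot: `replace: "{{ ansible_hostname }}.{{ domain }}"` (and the matching `handlerURL` in the next hunk) depends on a `domain` variable that nothing in this diff defines; if the inventory does not supply it the task errors on an undefined variable, and if it supplies a value that differs from the host's DNS domain the SP advertises a handler URL that no longer matches the name its certificate and DNS use. Either document the variable as required at the top of the file, or fall back to the fact that already carries this information: `"{{ ansible_hostname }}.{{ domain | default(ansible_domain) }}"`. `backup: yes` should read `backup: true`, matching the `backrefs: true` a few lines below and avoiding the YAML 1.1 truthy form.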
@@ -87,17 +99,33 @@
 replace:
 args:
 dest: /etc/shibboleth/shibboleth2.xml
- regexp: 'discoveryURL="https://ds.example.org/DS/WAYF"'
+ regexp: 'discoveryURL=".*"'
 replace: 'discoveryURL="{{ aaf_discovery_url }}"'
+- name: make shib private directory
+ file: path=/etc/shibboleth/private state=directory mode=700 owner="_shibd"
+ sudo: true
+
+- name: copy shib key
+ sudo: true
+ copy: src=files/{{ shib_key }} dest=/etc/shibboleth/private/{{ shib_key }} owner="_shibd" mode=600
+
+- name: make shib certs directory
+ file: path=/etc/shibboleth/certs state=directory mode=755 owner="_shibd"
+ sudo: true
+
+- name: copy shib cert
+ sudo: true
+ copy: src=files/{{ shib_cert }} dest=/etc/shibboleth/certs/{{ shib_cert }} owner="_shibd" mode=644
+
 - name: "Setting shibboleth2.xml Credential Resolver"
 sudo: true
 replace:
 args:
 dest: /etc/shibboleth/shibboleth2.xml
- regexp: '<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>'
- replace: '<CredentialResolver type="File" key="{{ x509_key_file }}" certificate="{{ x509_cert_file }}"/>'
+ regexp: '<CredentialResolver type="File" key=".*" certificate=".*"/>'
+ replace: '<CredentialResolver type="File" key="/etc/shibboleth/private/{{ shib_key }}" certificate="/etc/shibboleth/certs/{{ shib_cert }}"/>'
 - name: "Templating attribute-map.xml"
@@ -109,18 +137,7 @@
 notify:
 - Restarting Apache
 - Restarting shibboleth
--
- name: "Starting Apache"
- sudo: true
- service:
- args:
- name: apache2
- state: started
-
 - name: "Starting shibboleth"
 sudo: true
- service:
- args:
- name: shibd
- state: started
+ service: name=shibd state=started
diff --git a/roles/shibboleth-sp/templates/attribute-map.xml.j2 b/roles/shibboleth-sp/templates/attribute-map.xml.j2
index 6b8a8c85270e92ea601908afd94eb399d05d59e8..b25ca20e519c99ba45852d94c5d795bcc7669cab 100644
--- a/roles/shibboleth-sp/templates/attribute-map.xml.j2
+++ b/roles/shibboleth-sp/templates/attribute-map.xml.j2
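Review bot: The four new file/copy tasks hard-code `owner="_shibd"`, the account Debian's shibboleth package creates; on RedHat-family hosts, which the rest of this repository supports through per-family task files, the daemon account is typically named `shibd` instead, and these tasks would fail on an unknown owner. Move the account into a per-OS-family variable (a constructed name such as `shibd_user`, set next to the other family-specific vars) and reference it as `owner="{{ shibd_user }}"`. The `mode=600` key under a `mode=700` directory is the right layout; `copy shib key` sources the key from the role's `files/` tree, so the keep-it-out-of-plain-VCS point raised for the LDAP key in roles/ldapserver/tasks/main.yml applies here as well.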
@@ -149,5 +149,6 @@
 <Attribute name="urn:oid:2.5.4.15" id="businessCategory"/>
 <Attribute name="urn:oid:2.5.4.19" id="physicalDeliveryOfficeName"/>
 -->
-
+ <Attribute name="urn:mace:dir:attribute-def:auEduPersonSharedToken" id="auEduPersonSharedToken"/>
+ <Attribute name="urn:oid:1.3.6.1.4.1.27856.1.2.5" id="auEduPersonSharedToken"/>
 </Attributes>
diff --git a/roles/shibboleth-sp/templates/shib.conf b/roles/shibboleth-sp/templates/shib.conf
new file mode 100644
index 0000000000000000000000000000000000000000..13be15aff19f9f0a39785ced2cc550d2b2dc52e2
--- /dev/null
+++ b/roles/shibboleth-sp/templates/shib.conf
@@ -0,0 +1,5 @@
+<Location /secure>
+ AuthType shibboleth
+ ShibRequestSetting requireSession 1
+ require valid-user
+</Location>
diff --git a/vars/defaults.yml b/vars/defaults.yml
deleted file mode 100644
index 064e7585ebe394f04994ba2e8fbc32b87ec05d21..0000000000000000000000000000000000000000
--- a/vars/defaults.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-packager: yum
-apache: httpd
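Review bot: templates/shib.conf is added without a `.j2` suffix and no task in this diff copies or templates it into place, so as committed it is unreferenced content. Either wire it in (a `copy:`/`template:` task into the Apache conf directory with a notify on the existing `Restarting Apache` handler) or drop it. The block itself does what it should — `ShibRequestSetting requireSession 1` with `require valid-user` forces an authenticated session for `/secure` — but a one-line comment at the top naming the Apache conf.d location it is meant for would help whoever wires it in.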