diff --git a/roles/karaage2.7/tasks/main.yml b/roles/karaage2.7/tasks/main.yml
index aa90c83f204973eb7bf6a6c5f2728c8194d5f37b..fe3197637d6756bbead854ed6806e26fa78ee0a7 100644
--- a/roles/karaage2.7/tasks/main.yml
+++ b/roles/karaage2.7/tasks/main.yml
@@ -1,8 +1,5 @@
 ---
 - include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
-- include_vars: passwords.yml
-
-
 
 - name: install system packages apt
   apt: name={{ item }} state=installed update_cache=true
@@ -99,8 +96,8 @@
   lineinfile:
   args:
     dest: /etc/karaage/global_settings.py
-    regexp: "LDAP_URL ="
-    line: "LDAP_URL = '{{ ldapURL }}'"
+    regexp: "LDAP_URL = "
+    line: "LDAP_URL = '{{ ldapURI }}'"
     backrefs: yes
   sudo: true
 
@@ -111,7 +108,7 @@
   args:
     dest: /etc/karaage/global_settings.py
     regexp: "LDAP_BASE ="
-    line: "LDAP_BASE = '{{ ldapDomain }}'"
+    line: "LDAP_BASE = '{{ ldapBase }}'"
     backrefs: yes
   sudo: true
 
@@ -120,7 +117,7 @@
   args:
     dest: /etc/karaage/global_settings.py
     regexp: "LDAP_USER_BASE="
-    line: "LDAP_USER_BASE = 'ou=Accounts,{{ ldapDomain }}'"
+    line: "LDAP_USER_BASE = '{{ ldapUserBase }}'"
     backrefs: yes
   sudo: true
 
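Review bot: The `regexp` `"LDAP_USER_BASE="` (context line above the changed `line`) has no spaces around `=`, while the value the task writes is `LDAP_USER_BASE = '...'`, so after the first run the pattern no longer matches the line it produced; with `backrefs: yes` an unmatched regexp is a silent no-op, and a later change to `ldapUserBase` is never applied. The `LDAP_GROUP_BASE=` task in the next hunk has the same mismatch. Using `regexp: '^LDAP_USER_BASE\s*='` (and `'^LDAP_GROUP_BASE\s*='`) matches both the stock line and the rewritten one. The enclosing task's `name:` line is outside the hunk.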
@@ -129,7 +126,7 @@
   args:
     dest: /etc/karaage/global_settings.py
     regexp: "LDAP_GROUP_BASE="
-    line: "LDAP_GROUP_BASE = 'ou=Groups,{{ ldapDomain }}'"
+    line: "LDAP_GROUP_BASE = '{{ ldapGroupBase }}'"
     backrefs: yes
   sudo: true
 
@@ -138,7 +135,7 @@
   args:
     dest: /etc/karaage/global_settings.py
     regexp: "LDAP_ADMIN_USER ="
-    line: "LDAP_ADMIN_USER = 'cn=Manager,{{ ldapDomain }}'"
+    line: "LDAP_ADMIN_USER = '{{ ldapManager }}'"
     backrefs: yes
   sudo: true
   
diff --git a/roles/karaage2.7_noppolicy/files/defaultUnlocked.py b/roles/karaage2.7_noppolicy/files/defaultUnlocked.py
new file mode 100644
index 0000000000000000000000000000000000000000..c025f2ed1b7cf77e5ce24eb2569b1c92d76a9c4f
--- /dev/null
+++ b/roles/karaage2.7_noppolicy/files/defaultUnlocked.py
@@ -0,0 +1,22 @@
+# Copyright 2014 Monash University
+#
+# This file integrates with django-tldap.
+#
+# django-tldap is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# django-tldap is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with django-tldap  If not, see <http://www.gnu.org/licenses/>.
+
+import placard.ldap_passwd
+class defaultUnlockedMixin(object):
+    @classmethod
+    def is_locked(cls,self):
+        return False
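Review bot: `import placard.ldap_passwd` is never used in this module and should be dropped, and the classmethod signature `is_locked(cls, self)` reads as a mistake: under `@classmethod` the second positional parameter is whatever the caller passes, so naming it `self` works but obscures the calling convention. Since the role swaps this mixin in for `pwdPolicyMixin` in `/etc/karaage/ldap_schemas.py`, a module docstring should state that effect plainly, e.g. `"""Mixin that reports every account as unlocked; installed by the karaage2.7_noppolicy role in place of placard's pwdPolicyMixin, so lockout state is never consulted."""`. A one-line comment on the method, `# Always unlocked: intended for deployments that run without the ppolicy overlay`, would save the next reader from checking whether the unconditional False is deliberate.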
diff --git a/roles/karaage2.7_noppolicy/meta/main.yml b/roles/karaage2.7_noppolicy/meta/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6e5176c2fcd927bdc8074588203fe3a9cd790bcf
--- /dev/null
+++ b/roles/karaage2.7_noppolicy/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: karaage2.7 }
diff --git a/roles/karaage2.7_noppolicy/tasks/main.yml b/roles/karaage2.7_noppolicy/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..de944debc7e561409309467791ffe2c7f559fa5c
--- /dev/null
+++ b/roles/karaage2.7_noppolicy/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: install defaultUnlocked mixin
+  copy: dest=/usr/share/pyshared/placard/schemas/defaultUnlocked.py src=defaultUnlocked.py owner=root mode=644
+  sudo: true
+
+- name: link defaultUnlocked mixin
+  shell: ln -s /usr/share/pyshared/placard/schemas/defaultUnlocked.py /usr/lib/python2.7/dist-packages/placard/schemas/defaultUnlocked.py ;  ln -s /usr/share/pyshared/placard/schemas/defaultUnlocked.py /usr/lib/python2.6/dist-packages/placard/schemas/defaultUnlocked.py 
+  args:
+    creates: /usr/lib/python2.6/dist-packages/placard/schemas/defaultUnlocked.py
+  sudo: true
+
+- name: configure ldap mixins 1
+  lineinfile:  
+  args:
+    dest: /etc/karaage/ldap_schemas.py 
+    regexp: "from placard.schemas.pwdpolicy import pwdPolicyMixin" 
+    line: "from placard.schemas.defaultUnlocked import defaultUnlockedMixin" 
+    backrefs: yes
+  sudo: true
+
+- name: configure ldap mixins 2
+  lineinfile:  
+  args:
+    dest: /etc/karaage/ldap_schemas.py 
+    regexp: "    mixin_list = [ common.personMixin, pwdPolicyMixin, kPersonMixin ]"
+    line: "    mixin_list = [ common.personMixin, defaultUnlockedMixin, kPersonMixin ]"
+    backrefs: yes
+  sudo: true
+
+- name: configure ldap mixins 3
+  lineinfile:  
+  args:
+    dest: /etc/karaage/ldap_schemas.py 
+    regexp: "class person(rfc.person, rfc.organizationalPerson, rfc.inetOrgPerson, rfc.pwdPolicy, common.baseMixin):"
+    line: class person(rfc.person, rfc.organizationalPerson, rfc.inetOrgPerson, common.baseMixin):"
+    backrefs: yes
+  sudo: true
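Review bot: The `regexp` values of the `configure ldap mixins 2` and `3` tasks are evaluated as Python regular expressions by lineinfile, so `[ ... ]` becomes a character class and `( ... )` a group; neither pattern can match the literal line in `/etc/karaage/ldap_schemas.py`, and because `backrefs: yes` leaves the file untouched on no match, the pwdPolicy mixin and base class are never removed while the tasks report success. Escape the metacharacters, e.g. `regexp: '^\s*mixin_list = \[ common\.personMixin, pwdPolicyMixin, kPersonMixin \]'` and `regexp: '^class person\(rfc\.person, rfc\.organizationalPerson, rfc\.inetOrgPerson, rfc\.pwdPolicy, common\.baseMixin\):'`. The `line` of the third task is an unquoted scalar that ends in a stray `"`, which would be written into the Python file verbatim and break the import of the schema; it should be `line: 'class person(rfc.person, rfc.organizationalPerson, rfc.inetOrgPerson, common.baseMixin):'`. The `link defaultUnlocked mixin` task joins two `ln -s` with `;` but guards only on the python2.6 path, so on a host with only one of the two dist-packages directories it either fails or re-runs every play; `file: state=link` with `with_items` over both destinations is idempotent. `mode=644` should be `mode=0644` so the value is not misread as decimal if the task is ever converted to dictionary form.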
diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml
index 625ea2b585b70efc1aec3217f278e9e4ea31055f..a5ec4d6992069cba7b5dcc69e2d51c57829d9e29 100644
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
@@ -1,7 +1,6 @@
 ---
 
 - include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
-- include_vars: passwords.yml
 
 - name: install system packages apt
   apt: name={{ item }} state=installed update_cache=true
@@ -91,11 +90,12 @@
   register: tlsConfigured
 
 - name: check Manager config
-  shell: "slapcat -b cn=config | grep 'olcRootDN: cn=Manager,{{ ldapDomain }}'"
+  shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'"
   ignore_errors: true
   sudo: true
   register: managerConfigured
 
+# slapcat does a line wrap at character 78. Don't attempt to match on {{ ldapManager }} as it will cross two lines
 - name: check ACL config
   shell: "slapcat -b cn=config | grep 'olcAccess:' | grep 'cn=Manager'"
   ignore_errors: true
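Review bot: The new comment on `check ACL config` explains that slapcat wraps at 78 columns, but the `check Manager config` grep just above it now matches `olcRootDN: {{ ldapManager }}` in full and is exposed to the same wrapping as soon as the DN is long; when it wraps the grep fails on every run and the `managerConfigured|failed` branch re-applies the manager LDIF each time. Either unfold LDIF continuation lines (a newline followed by one space) before grepping, or match on the RDN only as the ACL check already assumes, e.g. `shell: "slapcat -b cn=config | grep 'olcRootDN:' | grep 'cn=Manager'"`. The `.` characters in a rendered DN are regex metacharacters for grep; harmless here, but `grep -F` makes the literal match explicit.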
@@ -104,22 +104,22 @@
 
 
 - name: check DIT config
-  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b {{ ldapDomain }} objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
   ignore_errors: true
   register: ditConfigured
 
 - name: check Accounts config
-  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Accounts,{{ ldapDomain }} objectClass=*"
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
   register: accountsConfigured
 
 - name: check Groups config
-  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Groups,{{ ldapDomain }} objectClass=*"
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
   register: groupsConfigured
 
 - name: check binddn config
-  shell: "ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} -x -H ldap://localhost objectClass=dcObject"
   ignore_errors: true
   register: binddnConfigured
 
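Review bot: Every `ldapsearch` in this hunk passes `{{ ldapManagerPassword }}` or `{{ ldapBindDNPassword }}` as a `-w` argument, so the secret is visible in the process list while the command runs and is captured in the registered result and in verbose output; the `ldapadd` tasks in the next hunk (and the removed ppolicy ones) have the same exposure. Add `no_log: true` to these tasks and prefer `-y <root-only password file>` over `-w`. The `check binddn config` task still searches `-b {{ ldapDomain }}` while the three above were moved to `ldapBase`/`ldapUserBase`/`ldapGroupBase`; if `ldapDomain` and `ldapBase` can differ, this one should use `-b {{ ldapBase }}` as well.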
@@ -140,58 +140,18 @@
   when: aclConfigured|failed
 
 - name: add DIT root
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/root.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
   when: ditConfigured|failed
 
 - name: add Accounts OU
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/accounts.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
   when: accountsConfigured|failed
 
 - name: add Groups OU
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/groups.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
   when: groupsConfigured|failed
 
 - name: add binddn
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/binddn.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
   sudo: true
   when: binddnConfigured|failed
-
-- name: check ppolicy module loaded
-  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
-  sudo: true
-  ignore_errors: true
-  register: ppolicyModuleLoaded
-
-- name: load ppolicy module
-  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_moduleload.ldif -D cn=config 
-  sudo: true
-  when: ppolicyModuleLoaded|failed
-
-- name: check ppolicy overlay config
-  shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}bdb,cn=config'"
-  ignore_errors: true
-  sudo: true
-  register: ppolicyOverlayConfigured
-
-- name: add ppolicy overlay
-  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config 
-  sudo: true
-  when: ppolicyOverlayConfigured|failed
-
-- name: check pwpolicies config
-  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
-  ignore_errors: true
-  register: pwpoliciesConfigured
-
-- name: add pwpolicies
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
-  when: pwpoliciesConfigured|failed
-
-- name: check defaultPwpolicy config
-  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
-  ignore_errors: true
-  register: defaultPpolicyConfigured
-
-- name: add defaultPwpolicy
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
-  when: defaultPpolicyConfigured|failed
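Review bot: The four rewritten `ldapadd` commands pass `-x` twice (`ldapadd -x -D ... -x -H ldap://localhost`); harmless, but one should go. More importantly, this hunk deletes the tasks that load the ppolicy module, add the overlay and create `ou=pwpolicies`/`cn=default`, yet `templates/default_ppolicy_ldif.j2` is extended in the same commit with lockout and history settings; unless those tasks moved to a role not shown here, that template is now dead and the server enforces no password policy at all. If dropping ppolicy is intended (the new `karaage2.7_noppolicy` role suggests it), say so in a comment at the top of this file and delete the unused template; otherwise restore the overlay tasks. The `add DIT root`, `add Accounts OU` and `add Groups OU` tasks also differ from `add binddn` in lacking `sudo: true`; confirm that is deliberate.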
diff --git a/roles/ldapserver/templates/accounts_ldif.j2 b/roles/ldapserver/templates/accounts_ldif.j2
index 93e5fd93c030454d3da0945627a56726bef56c8a..e057dd1b491e270f831b3d4b79e803ae4c3560a7 100644
--- a/roles/ldapserver/templates/accounts_ldif.j2
+++ b/roles/ldapserver/templates/accounts_ldif.j2
@@ -1,2 +1,2 @@
-dn: ou=Accounts,{{ ldapDomain }}
+dn: {{ ldapUserBase }}
 objectClass: organizationalUnit
diff --git a/roles/ldapserver/templates/acls_ldif.j2 b/roles/ldapserver/templates/acls_ldif.j2
index 631f57ed8f8684c843aa87e5c7ae3cf2d53734f6..c9df71971300ed28b1a06cff14f346c36dca8524 100644
--- a/roles/ldapserver/templates/acls_ldif.j2
+++ b/roles/ldapserver/templates/acls_ldif.j2
@@ -1,6 +1,6 @@
 dn: olcDatabase={2}bdb,cn=config
 changetype: modify
 add: olcAccess
-olcAccess: {0}to attrs=userPassword by dn="cn=Manager,{{ ldapDomain }}" write by self write by * auth
-olcAccess: {1}to attrs=shadowLastChange by dn="cn=Manager,{{ ldapDomain }}" write by self write by * read
+olcAccess: {0}to attrs=userPassword by dn="{{ ldapManager }}" write by self write by * auth
+olcAccess: {1}to attrs=shadowLastChange by dn="{{ ldapManager }}" write by self write by * read
 olcAccess: {2}to * by users read by anonymous auth
diff --git a/roles/ldapserver/templates/binddn_ldif.j2 b/roles/ldapserver/templates/binddn_ldif.j2
index 553885b1e7fd8ad5e02dcc1f5636e4da13907864..3f2e31b68f556fb535f3ca06cb189d45f48077d3 100644
--- a/roles/ldapserver/templates/binddn_ldif.j2
+++ b/roles/ldapserver/templates/binddn_ldif.j2
@@ -1,4 +1,4 @@
-dn: cn=binddn,ou=Accounts,{{ ldapDomain }}
+dn: {{ ldapBindDN }}
 objectClass: inetOrgPerson
 cn: binddn
 sn: binddn
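Review bot: `dn: {{ ldapBindDN }}` is now free-form but the entry still hard-codes `cn: binddn`; OpenLDAP rejects an add whose naming attribute value is absent from the entry, so if `ldapBindDN` is given an RDN other than `cn=binddn` the `add binddn` task fails with a naming violation. Either derive the attribute from the variable (e.g. `cn: {{ ldapBindDN.split(',')[0].split('=')[1] }}`) or document next to the variable that its RDN must be `cn=binddn`. This four-line template also sets no `userPassword`, while the server tasks bind as this DN with `ldapBindDNPassword`; if the password is set by a separate step, that step is not visible in this diff.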
diff --git a/roles/ldapserver/templates/default_ppolicy_ldif.j2 b/roles/ldapserver/templates/default_ppolicy_ldif.j2
index 5d1847dc905aabb0248c3c5b7d1b11cb9a51e9c1..cc638a27e219461a3b033eee4701d53ca594bff3 100644
--- a/roles/ldapserver/templates/default_ppolicy_ldif.j2
+++ b/roles/ldapserver/templates/default_ppolicy_ldif.j2
@@ -1,6 +1,19 @@
 dn: cn=default,ou=pwpolicies,{{ ldapDomain }}
+cn: default
+objectClass: pwdPolicy
 objectClass: top
 objectClass: device
-objectClass: pwdPolicy
+pwdAllowUserChange: TRUE
 pwdAttribute: 2.5.4.35
-cn: default
+pwdExpireWarning: 604800
+pwdFailureCountInterval: 30
+pwdGraceAuthNLimit: 0
+pwdInHistory: 10
+pwdLockout: TRUE
+pwdLockoutDuration: 3600
+pwdMaxAge: 7776000
+pwdMaxFailure: 5
+pwdMinAge: 3600
+pwdMinLength: 12
+pwdMustChange: FALSE
+pwdSafeModify: FALSE
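Review bot: `pwdFailureCountInterval: 30` purges failed-bind records after 30 seconds, so the `pwdMaxFailure: 5` lockout only triggers on five failures inside a half-minute window; a longer interval is the usual choice if the lockout is meant to resist slow guessing, so confirm the value is deliberate and comment it. `pwdSafeModify: FALSE` lets a bound user replace userPassword without presenting the old one, which matters because `acls_ldif.j2` grants `by self write` on that attribute; a one-line comment documenting that choice (or switching to `TRUE`) would help. The `dn:` line still builds the policy's location from `ldapDomain` while every other template in this commit switched to explicit `ldapBase`/`ldapUserBase` variables, and the tasks that loaded this file are removed from `roles/ldapserver/tasks/main.yml` in the same commit, so check that it is still applied anywhere.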
diff --git a/roles/ldapserver/templates/groups_ldif.j2 b/roles/ldapserver/templates/groups_ldif.j2
index 39890b039b41143faec775af91d3b36e433bed05..70386e0f9290e627b128dc7b92834d114bf714c1 100644
--- a/roles/ldapserver/templates/groups_ldif.j2
+++ b/roles/ldapserver/templates/groups_ldif.j2
@@ -1,2 +1,2 @@
-dn: ou=Groups,{{ ldapDomain }}
+dn: {{ ldapGroupBase }}
 objectClass: organizationalUnit
diff --git a/roles/ldapserver/templates/manager_ldif.j2 b/roles/ldapserver/templates/manager_ldif.j2
index 103847031a0842eb72fe2126b56eb94b061f5b9d..5cdf02169cbc2dc0e6cffc01122349fbc1cac325 100644
--- a/roles/ldapserver/templates/manager_ldif.j2
+++ b/roles/ldapserver/templates/manager_ldif.j2
@@ -4,7 +4,7 @@ replace: olcSuffix
 olcSuffix: {{ ldapDomain }}
 -
 replace: olcRootDN
-olcRootDN: cn=Manager,{{ ldapDomain }}
+olcRootDN: {{ ldapManager }}
 -
 add: olcRootPW
 olcRootPW: {{ ldapManagerHash.stdout }}
diff --git a/roles/ldapserver/vars/CentOS_6.6_x86_64.yml b/roles/ldapserver/vars/CentOS_6.6_x86_64.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f7898718dcef361447091f6a9b474a6505bd3343
--- /dev/null
+++ b/roles/ldapserver/vars/CentOS_6.6_x86_64.yml
@@ -0,0 +1,5 @@
+---
+ system_packages:
+  - openldap-servers
+  - openldap-clients
+  - openssl
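Review bot: `system_packages:` is written with a single leading space, so the file's top-level mapping sits at indent 1 and the list items at indent 2; it parses, but the key should start at column 0 with the sequence indented consistently, e.g. `system_packages:` / `  - openldap-servers`. The rewritten `roles/ldapserver/vars/main.yml` in this commit likewise indents its top-level keys by two spaces (that change correctly turns the former two-item list into a mapping, but the indent is unnecessary).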
diff --git a/roles/ldapserver/vars/main.yml b/roles/ldapserver/vars/main.yml
index a94437139fc51855a70dff6ad7143258fb21b714..45af19775f162034555d25a5a4eba04c3c82fa6a 100644
--- a/roles/ldapserver/vars/main.yml
+++ b/roles/ldapserver/vars/main.yml
@@ -1,3 +1,3 @@
 ---
- ldapuser:  ldap
- ldapgroup: ldap
+  ldapuser:  ldap
+  ldapgroup: ldap
diff --git a/roles/nfs-common/tasks/main.yml b/roles/nfs-common/tasks/main.yml
index c7e34d16ebe7f846fb5433b5c9dfacba4794c9a8..5f1757d5f6b2724de61540f7c82b23921ae46d18 100644
--- a/roles/nfs-common/tasks/main.yml
+++ b/roles/nfs-common/tasks/main.yml
@@ -1,2 +1,6 @@
 ---
 - include: yumPackages.yml
+
+- name: setup idmap.conf
+  template: src=idmap.conf.j2 dest=/etc/idmap.conf
+  sudo: true
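Review bot: The new `setup idmap.conf` task points `src=idmap.conf.j2` and `dest=/etc/idmap.conf`, but the template moved into this role is `templates/idmapd.conf.j2` and the file rpc.idmapd reads is `/etc/idmapd.conf`; as written the task fails on a missing template, and fixing only the source would render the file where nothing reads it. Change the line to `template: src=idmapd.conf.j2 dest=/etc/idmapd.conf owner=root group=root mode=0644` and rename the task to match.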
diff --git a/roles/openLdapClient/templates/idmapd.conf.j2 b/roles/nfs-common/templates/idmapd.conf.j2
similarity index 99%
rename from roles/openLdapClient/templates/idmapd.conf.j2
rename to roles/nfs-common/templates/idmapd.conf.j2
index 486b6b632d0f2fc0aab24620a6bea9833b8e0736..c5f6ad8544242a0fa4f4bfbe7a52075b4f7a5831 100644
--- a/roles/openLdapClient/templates/idmapd.conf.j2
+++ b/roles/nfs-common/templates/idmapd.conf.j2
@@ -2,7 +2,7 @@
 #Verbosity = 0
 # The following should be set to the local NFSv4 domain name
 # The default is the host's DNS domain name.
-Domain = {{ ldapDomain }}
+Domain = {{ ansible_fqdn }} 
 
 # The following is a comma-separated list of Kerberos realm
 # names that should be considered to be equivalent to the
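Review bot: `Domain = {{ ansible_fqdn }}` sets the NFSv4 idmap domain to each host's fully-qualified hostname, which contradicts the comment two lines above (the value is the NFSv4 domain, defaulting to the host's DNS domain) and gives every client a different string from the server; rpc.idmapd then typically cannot map owners and files appear as nobody. `Domain = {{ ansible_domain }}`, the fact this commit already uses in `sssd.j2`, gives all hosts the same value. The line also carries a trailing space, as do the new `BASE`, `uri`, `bindpw`, `ldap_default_bind_dn` and `ldap_default_authtok` lines in `ldap.conf.j2`, `pam_ldap.conf.j2` and `sssd.j2`; harmless for these parsers as far as I can tell, but worth stripping.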
diff --git a/roles/openLdapClient/defaults/main.yml b/roles/openLdapClient/defaults/main.yml
index a106dc093b84fc9f6390b1c74bde7cb1f01ab607..943ed859cbbe42cc152c91188f2cf9644469b13e 100644
--- a/roles/openLdapClient/defaults/main.yml
+++ b/roles/openLdapClient/defaults/main.yml
@@ -1,17 +1,3 @@
 ---
-ldapDomain: "monash.edu.au" 
-ldapUri: "ldaps://ldapserver.com/"
-ldapDn: "cn=ldapbind,cn=users,dc=monash,dc=edu,dc=au" 
-ldapPassword: "secret"
-ldapBase: "cn=users,dc=monash,dc=edu,dc=au"
-ldapUserClass: "user"
-ldapUserHomeDirectory: "unixHomeDirectory"
-ldapUserPricipal: "userPrincipalName"
-ldapGroupBase: "ou=groups,dc=monash,dc=edu,dc=au"
-tlsCaCertDirectory: "/etc/openldap/certs"
-tlsCaCertFile: "/etc/openldap/certs/ca.pem"
-ldapCaCertFileSource: "/etc/openldap/certs"
-cacertFile: "ca.pem"
 ldapRfc2307: ""
 ldapRfc2307Pam: ""
-ldapServerHost: "10.0.0.1 ldapserver.com"
diff --git a/roles/openLdapClient/tasks/configLdapClient.yml b/roles/openLdapClient/tasks/configLdapClient.yml
index 9102faf3981c5e246f6fd84f936848a203ff4f68..0bcc83dbdcbe3b10638dafd3126ea5d9380ab25f 100644
--- a/roles/openLdapClient/tasks/configLdapClient.yml
+++ b/roles/openLdapClient/tasks/configLdapClient.yml
@@ -3,7 +3,6 @@
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:
     - pam_ldap.conf
-    - idmapd.conf
     - nsswitch.conf
   sudo: true
 
@@ -15,18 +14,10 @@
   template: src=authconfig.j2 dest=/etc/sysconfig/authconfig
   sudo: true
 
-- name: "Insert LDAP IP address LDAP to /etc/hosts"
-  lineinfile: dest=/etc/hosts line="{{ ldapServerHost }}" state=present insertafter=EOF
-  sudo: true
-
-- name: "Copy ldap.conf file"
+- name: "Copy ldap.conf file "
   template: src=ldap.conf.j2 dest=/etc/openldap/ldap.conf
   sudo: true
 
-- name: "Copy ldap cacert file"
-  copy: src={{ ldapCaCertFileSource }} dest={{ tlsCaCertFile }} owner=root group=root mode=0644
-  sudo: true
-
 - name: "Copy sssd.conf to ldap client"
   template: src=sssd.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=600
   sudo: true
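Review bot: The `Copy ldap cacert file` task is removed, but `ldap.conf.j2` and `sssd.j2` in this same commit set `TLS_CACERT`/`ldap_tls_cacert` to `{{ ldapCaCertFile }}`, so a client configured by this role alone references a CA file nothing has installed; with `ldap_tls_reqcert = allow` in `sssd.j2` that failure is silent rather than fatal. If the certificate is now delivered by another role (the x509/CA plays in the deleted `topplay.yml` suggest so), record that dependency in `meta/main.yml` or in a comment here. The renamed task `"Copy ldap.conf file "` gained only a trailing space inside the quotes, which should be reverted.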
diff --git a/roles/openLdapClient/templates/ldap.conf.j2 b/roles/openLdapClient/templates/ldap.conf.j2
index 31f04ade64ed84e5e5ccfa5ceae283e83eacd6e3..c20d39ed9758fceac564698f006fcae022a9bec4 100644
--- a/roles/openLdapClient/templates/ldap.conf.j2
+++ b/roles/openLdapClient/templates/ldap.conf.j2
@@ -1,7 +1,6 @@
-TLS_CACERTDIR {{ tlsCaCertDirectory }}
-TLS_CACERT {{ tlsCaCertFile }}
-URI {{ ldapUri }}
-BASE {{ ldapBase }}
+TLS_CACERT {{ ldapCaCertFile }}
+URI {{ ldapURI }}
+BASE {{ ldapBase }} 
 
 timelimit 120
 bind_timelimit 120
diff --git a/roles/openLdapClient/templates/pam_ldap.conf.j2 b/roles/openLdapClient/templates/pam_ldap.conf.j2
index 5a9804e48b6d4ee7f73f3701439becbafa64e6dc..61b04ce2459518f5b7e491be2e013820742061a8 100644
--- a/roles/openLdapClient/templates/pam_ldap.conf.j2
+++ b/roles/openLdapClient/templates/pam_ldap.conf.j2
@@ -27,7 +27,7 @@ base {{ ldapBase }}
 #uri ldapi://%2fvar%2frun%2fldapi_sock/
 # Note: %2f encodes the '/' used as directory separator
 # [aulmc used to be 11/10/2013 # uri ldap://m2-w.massive.org.au/ 
-uri {{ ldapDomain }}
+uri {{ ldapURI }} 
 
 # The LDAP version to use (defaults to 3
 # if supported by client library)
@@ -35,11 +35,11 @@ uri {{ ldapDomain }}
 
 # The distinguished name to bind to the server with.
 # Optional: default is to bind anonymously.
-binddn {{ ldapDn }}
+binddn {{ ldapBindDN }}
 
 # The credentials to bind with. 
 # Optional: default is no credential.
-bindpw {{ ldapPassword }}
+bindpw {{ ldapBindDNPassword }} 
 
 # The distinguished name to bind to the server with
 # if the effective user ID is root. Password is
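Review bot: `bindpw {{ ldapBindDNPassword }}` writes the bind password into `/etc/pam_ldap.conf`, and the task that renders this template (`template: src={{ item }}.j2 dest=/etc/{{ item }}` in `configLdapClient.yml`) sets no owner or mode, so the file is created with the default umask and is typically world-readable. If pam_ldap is the only consumer, render it with `mode=0600`; if nss_ldap also reads it and needs it world-readable, move the credential to `rootbinddn` with its companion root-only secret file, the mechanism the comment immediately below describes. The rendering task lives in another file, so this hunk alone cannot fix it.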
@@ -220,19 +220,6 @@ nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,rad
 #pam_filter objectclass=User
 #pam_password ad
 
-# RFC 2307 (AD) mappings
-nss_base_group         ou=Groups,dc=massive,dc=org,dc=au?one
-nss_map_objectclass posixAccount user
-nss_map_objectclass shadowAccount user
-nss_map_attribute uid sAMAccountName
-nss_map_attribute homeDirectory unixHomeDirectory
-nss_map_attribute shadowLastChange pwdLastSet
-nss_map_objectclass posixGroup group
-nss_map_attribute uniqueMember member
-pam_login_attribute sAMAccountName
-pam_filter objectclass=User
-pam_password md5
-
 # configure --enable-authpassword is no longer supported
 # AuthPassword mappings
 #nss_map_attribute userPassword authPassword
@@ -300,7 +287,7 @@ pam_password md5
 ssl no
 #tls_cacertdir /etc/openldap/cacerts
 #pam_password md5
-tls_cacertdir {{ tlsCaCertDirectory }}
-tls_cacertfile {{ tlsCaCertFile }}
+tls_cacertfile {{ ldapCaCertFile }}
 
+# RFC 2307 (AD) mappings
 {{ ldapRfc2307Pam }}
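Review bot: `tls_cacertfile {{ ldapCaCertFile }}` sits under `ssl no` (context line at the top of the hunk), which turns StartTLS off for pam_ldap, so the CA file is only consulted when `ldapURI` is an `ldaps://` URL; with a plain `ldap://` URI the bind password goes over the wire in clear. Either set `ssl start_tls` here or note next to `ssl no` that `ldapURI` must be `ldaps://`. The re-homed `# RFC 2307 (AD) mappings` comment now labels `{{ ldapRfc2307Pam }}`, whose default in this role is the empty string, so it should say the block is only populated when that variable is set.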
diff --git a/roles/openLdapClient/templates/sssd.j2 b/roles/openLdapClient/templates/sssd.j2
index b534db4be5c4b9b7f09edc9d90ab3c6fa10f6968..9b7f8dbc8ed538cd0cd37ecde5c78a67bbf28f4e 100644
--- a/roles/openLdapClient/templates/sssd.j2
+++ b/roles/openLdapClient/templates/sssd.j2
@@ -1,6 +1,6 @@
 [sssd]
 config_file_version = 2
-domains = {{ ldapDomain }}
+domains = {{ ansible_domain }}
 services = nss, pam, autofs
 
 [nss]
@@ -8,7 +8,7 @@ filter_users = root
 
 [pam]
 
-[domain/{{ ldapDomain }}]
+[domain/{{ ansible_domain }}]
 ldap_referrals = false
 cache_credentials = false
 entry_cache_timeout=3600
@@ -20,14 +20,13 @@ auth_provider = ldap
 chpass_provider = ldap
 access_provider = ldap
 
-ldap_uri = {{ ldapUri }} 
+ldap_uri = {{ ldapURI }} 
 ldap_id_use_start_tls = True
 ldap_tls_reqcert = allow 
-ldap_tls_cacertdir = {{ tlsCaCertDirectory }}
-ldap_tls_cacert = {{ cacertFile }}
-ldap_default_bind_dn = {{ ldapDn }}
+ldap_tls_cacert = {{ ldapCaCertFile }}
+ldap_default_bind_dn = {{ ldapBindDN }} 
 ldap_default_authtok_type = password
-ldap_default_authtok = {{ ldapPassword }}
+ldap_default_authtok = {{ ldapBindDNPassword }} 
 
 {{ ldapRfc2307 }}
 
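Review bot: `ldap_tls_reqcert = allow` (context line just above the changed `ldap_tls_cacert`) tells sssd to proceed when the server presents no certificate or an unverifiable one, so pointing `ldap_tls_cacert` at `{{ ldapCaCertFile }}` does not actually protect the bind of `{{ ldapBindDN }}` with `{{ ldapBindDNPassword }}` against a spoofed server; now that a CA file is configured, `ldap_tls_reqcert = demand` is the matching setting. If `allow` is kept deliberately (for example while certificates are still being rolled out), a comment saying so would stop the next reviewer from raising it again.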
diff --git a/roles/slurm/tasks/main.yml b/roles/slurm/tasks/main.yml
index a3a5ca1950ac30106ab54692280e2a7d7d37d82b..d351e4603f55fc1c368adc881526ff4971fae576 100644
--- a/roles/slurm/tasks/main.yml
+++ b/roles/slurm/tasks/main.yml
@@ -1,6 +1,7 @@
 ---
 - name: copy rpms
   copy: src=/tmp/rpmbuild dest=/tmp/
+  sudo: true
 
 - name: install munge rpms
   shell: "rpm --install /tmp/rpmbuild/RPMS/x86_64/munge*{{ munge_version }}*rpm"
@@ -27,9 +28,6 @@
   sudo: true
   ignore_errors: true
 
-- name: load munge key
-  include_vars: passwords.yml
-
 - name: install munge key
   template: src=munge_key.j2 dest=/etc/munge/munge.key
   sudo: true
diff --git a/scripts/makehosts.py b/scripts/makehosts.py
index 97e97afac86363a3107f3f066be10586460c05d9..fe0d7d92cc7961d3877eb7e239fb76d09173994a 100755
--- a/scripts/makehosts.py
+++ b/scripts/makehosts.py
@@ -12,7 +12,7 @@ hosts={}
 for group in d['groups'].keys():
     i=0
     for h in d['groups'][group]:
-        hosts[h] = ['%s %s.%s'%(h, h, domain)]
+        hosts[h] = ['%s.%s %s'%(h, domain, h)]
 
 for h in hosts.keys():
     if d['hostvars'].has_key(h):
diff --git a/topplay.yml b/topplay.yml
deleted file mode 100644
index 3e67293f4d20fa387e08f88557880ec69ef0a26e..0000000000000000000000000000000000000000
--- a/topplay.yml
+++ /dev/null
@@ -1,85 +0,0 @@
----
-
-# First we need hostname -f to return the correct domain
-
-- hosts: '*'
-  roles:
-  - {role: etcHosts, domain: 'test.massive.org.au' }
-
-# Create an x509 CA. Certificates are used for the VPN, the ldap server and the web server (karaage)
-
-- hosts: ManagmentNodes[0]
-  vars:
-  roles:
-  - { role: easy-rsa-CA }
-
-- hosts: 'ManagmentNodes'
-  vars:
-    x509_ca_server: "{{ groups['ManagmentNodes'][0] }}"
-    ldapDomain: "dc=test,dc=massive,dc=org,dc=au"
-  roles:
-  - { role: OpenVPN-Server }
-  - { role: ldapserver }
-
-- hosts: 'karaage'
-  vars:
-    x509_ca_server: "{{ groups['ManagmentNodes'][0] }}"
-    smtp_smarthost: "does_not_exist.massive.org.au"
-    ldapDomain: "dc=test,dc=massive,dc=org,dc=au"
-    ldapURL: "ldaps://{{ hostvars[groups['ManagmentNodes'][0]]['ansible_fqdn'] }}"
-  roles:
-  - { role: karaage2.7 }
-
-# The next two tasks, apply the VPN and recalcuate /etc/hosts. Comment them if you are on a secure network
-
-- hosts: ComputeNodes
-  vars:
-    x509_ca_server: "{{ groups['ManagmentNodes'][0] }}"
-    openvpn_servers: "{{ groups['ManagmentNodes'] }}"
-  roles:
-    - { role: OpenVPN-Client }
-
-- hosts: '*'
-  roles:
-  - {role: etcHosts, domain: 'test.massive.org.au' }
-
-# These tasks build some software (slurm, munge and openmpi) and copy them back to localhost. Skip if you have some other way of getting 
-# copyies of these software
-
-- hosts: ComputeNodes[0]
-  vars:
-    slurm_version: 14.11.0
-    munge_version: 0.5.11
-  roles:
-    - { role: slurm-build }
-
-# Slurm and openmpi tasks assume copies of the software in /tmp under a very specific directory strucutre (created by the build tasks above) Modifiy 
-# the roles if you have a different way of installing the software
-
-- hosts: ComputeNodes:ManagmentNodes:LoginNodes
-  vars:
-    slurmqueues: 
-      - {name: batch, group: ComputeNodes}
-    slurmctrl: "{{ groups['ManagmentNodes'][0] }}"
-  roles:
-      - { role: slurm, slurm_use_vpn: true} # change to false if you are on a secure network
-      - { role: test_user }
-
-# These tasks build some software (slurm, munge and openmpi) and copy them back to localhost. Skip if you have some other way of getting 
-# copyies of these software
-
-- hosts: ComputeNodes[0]
-  vars:
-    openmpi_version: 1.8.3
-  roles:
-    - { role: openmpi-build }
-
-# Slurm and openmpi tasks assume copies of the software in /tmp under a very specific directory strucutre (created by the build tasks above) Modifiy 
-# the roles if you have a different way of installing the software
-
-- hosts: ComputeNodes:ManagmentNodes:LoginNodes
-  vars:
-    openmpi_version: 1.8.3
-  roles:
-      - { role: openmpi }
-