Merge pull request #23 from l1ll1/cleanup_openLdapClient

Make openldapclient role with the ldapserver role

Merge pull request #23 from l1ll1/cleanup_openLdapClient
51c004f6 · Shahaan Ayyub · 16cbcc52 · c0ee4464 · 51c004f6 · 51c004f6
Commit 51c004f6 authored 10 years ago by Shahaan Ayyub
--- a/roles/karaage2.7/tasks/main.yml
+++ b/roles/karaage2.7/tasks/main.yml
 ---
 - include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
- include_vars: passwords.yml
 - name: install system packages apt
  apt: name={{ item }} state=installed update_cache=true
@@ -99,8 +96,8 @@
  lineinfile:
  args:
    dest: /etc/karaage/global_settings.py
-    regexp: "LDAP_URL ="
+    regexp: "LDAP_URL = "
-    line: "LDAP_URL = '{{ ldapURL }}'"
+    line: "LDAP_URL = '{{ ldapURI }}'"
    backrefs: yes
  sudo: true
@@ -111,7 +108,7 @@
  args:
    dest: /etc/karaage/global_settings.py
    regexp: "LDAP_BASE ="
-    line: "LDAP_BASE = '{{ ldapDomain }}'"
+    line: "LDAP_BASE = '{{ ldapBase }}'"
    backrefs: yes
  sudo: true
@@ -120,7 +117,7 @@
  args:
    dest: /etc/karaage/global_settings.py
    regexp: "LDAP_USER_BASE="
-    line: "LDAP_USER_BASE = 'ou=Accounts,{{ ldapDomain }}'"
+    line: "LDAP_USER_BASE = '{{ ldapUserBase }}'"
    backrefs: yes
  sudo: true
@@ -129,7 +126,7 @@
  args:
    dest: /etc/karaage/global_settings.py
    regexp: "LDAP_GROUP_BASE="
-    line: "LDAP_GROUP_BASE = 'ou=Groups,{{ ldapDomain }}'"
+    line: "LDAP_GROUP_BASE = '{{ ldapGroupBase }}'"
    backrefs: yes
  sudo: true
@@ -138,7 +135,7 @@
  args:
    dest: /etc/karaage/global_settings.py
    regexp: "LDAP_ADMIN_USER ="
-    line: "LDAP_ADMIN_USER = 'cn=Manager,{{ ldapDomain }}'"
+    line: "LDAP_ADMIN_USER = '{{ ldapManager }}'"
    backrefs: yes
  sudo: true

--- a/roles/karaage2.7_noppolicy/files/defaultUnlocked.py
+++ b/roles/karaage2.7_noppolicy/files/defaultUnlocked.py
+# Copyright 2014 Monash University
+#
+# This file integrates with django-tldap.
+#
+# django-tldap is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# django-tldap is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with django-tldap  If not, see <http://www.gnu.org/licenses/>.
+import placard.ldap_passwd
+class defaultUnlockedMixin(object):
+    @classmethod
+    def is_locked(cls,self):
+        return False
--- a/roles/karaage2.7_noppolicy/meta/main.yml
+++ b/roles/karaage2.7_noppolicy/meta/main.yml
+---
+dependencies:
+  - { role: karaage2.7 }
--- a/roles/karaage2.7_noppolicy/tasks/main.yml
+++ b/roles/karaage2.7_noppolicy/tasks/main.yml
+---
+- name: install defaultUnlocked mixin
+  copy: dest=/usr/share/pyshared/placard/schemas/defaultUnlocked.py src=defaultUnlocked.py owner=root mode=644
+  sudo: true
+- name: link defaultUnlocked mixin
+  shell: ln -s /usr/share/pyshared/placard/schemas/defaultUnlocked.py /usr/lib/python2.7/dist-packages/placard/schemas/defaultUnlocked.py ;  ln -s /usr/share/pyshared/placard/schemas/defaultUnlocked.py /usr/lib/python2.6/dist-packages/placard/schemas/defaultUnlocked.py 
+  args:
+    creates: /usr/lib/python2.6/dist-packages/placard/schemas/defaultUnlocked.py
+  sudo: true
+- name: configure ldap mixins 1
+  lineinfile:  
+  args:
+    dest: /etc/karaage/ldap_schemas.py 
+    regexp: "from placard.schemas.pwdpolicy import pwdPolicyMixin" 
+    line: "from placard.schemas.defaultUnlocked import defaultUnlockedMixin" 
+    backrefs: yes
+  sudo: true
+- name: configure ldap mixins 2
+  lineinfile:  
+  args:
+    dest: /etc/karaage/ldap_schemas.py 
+    regexp: "    mixin_list = [ common.personMixin, pwdPolicyMixin, kPersonMixin ]"
+    line: "    mixin_list = [ common.personMixin, defaultUnlockedMixin, kPersonMixin ]"
+    backrefs: yes
+  sudo: true
+- name: configure ldap mixins 3
+  lineinfile:  
+  args:
+    dest: /etc/karaage/ldap_schemas.py 
+    regexp: "class person(rfc.person, rfc.organizationalPerson, rfc.inetOrgPerson, rfc.pwdPolicy, common.baseMixin):"
+    line: class person(rfc.person, rfc.organizationalPerson, rfc.inetOrgPerson, common.baseMixin):"
+    backrefs: yes
+  sudo: true
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
 ---
 - include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
- include_vars: passwords.yml
 - name: install system packages apt
  apt: name={{ item }} state=installed update_cache=true
@@ -91,11 +90,12 @@
  register: tlsConfigured
 - name: check Manager config
-  shell: "slapcat -b cn=config | grep 'olcRootDN: cn=Manager,{{ ldapDomain }}'"
+  shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'"
  ignore_errors: true
  sudo: true
  register: managerConfigured
+# slapcat does a line wrap at character 78. Don't attempt to match on {{ ldapManager }} as it will cross two lines
 - name: check ACL config
  shell: "slapcat -b cn=config | grep 'olcAccess:' | grep 'cn=Manager'"
  ignore_errors: true
@@ -104,22 +104,22 @@
 - name: check DIT config
-  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b {{ ldapDomain }} objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
  ignore_errors: true
  register: ditConfigured
 - name: check Accounts config
-  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Accounts,{{ ldapDomain }} objectClass=*"
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
  ignore_errors: true
  register: accountsConfigured
 - name: check Groups config
-  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Groups,{{ ldapDomain }} objectClass=*"
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*"
  ignore_errors: true
  register: groupsConfigured
 - name: check binddn config
-  shell: "ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} -x -H ldap://localhost objectClass=dcObject"
  ignore_errors: true
  register: binddnConfigured
@@ -140,58 +140,18 @@
  when: aclConfigured|failed
 - name: add DIT root
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/root.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
  when: ditConfigured|failed
 - name: add Accounts OU
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/accounts.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
  when: accountsConfigured|failed
 - name: add Groups OU
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/groups.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
  when: groupsConfigured|failed
 - name: add binddn
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/binddn.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
  sudo: true
  when: binddnConfigured|failed
- name: check ppolicy module loaded
-  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
-  sudo: true
-  ignore_errors: true
-  register: ppolicyModuleLoaded
- name: load ppolicy module
-  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_moduleload.ldif -D cn=config 
-  sudo: true
-  when: ppolicyModuleLoaded|failed
- name: check ppolicy overlay config
-  shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}bdb,cn=config'"
-  ignore_errors: true
-  sudo: true
-  register: ppolicyOverlayConfigured
- name: add ppolicy overlay
-  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config 
-  sudo: true
-  when: ppolicyOverlayConfigured|failed
- name: check pwpolicies config
-  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
-  ignore_errors: true
-  register: pwpoliciesConfigured
- name: add pwpolicies
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
-  when: pwpoliciesConfigured|failed
- name: check defaultPwpolicy config
-  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
-  ignore_errors: true
-  register: defaultPpolicyConfigured
- name: add defaultPwpolicy
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
-  when: defaultPpolicyConfigured|failed
--- a/roles/ldapserver/templates/accounts_ldif.j2
+++ b/roles/ldapserver/templates/accounts_ldif.j2
-dn: ou=Accounts,{{ ldapDomain }}
+dn: {{ ldapUserBase }}
 objectClass: organizationalUnit
--- a/roles/ldapserver/templates/acls_ldif.j2
+++ b/roles/ldapserver/templates/acls_ldif.j2
 dn: olcDatabase={2}bdb,cn=config
 changetype: modify
 add: olcAccess
-olcAccess: {0}to attrs=userPassword by dn="cn=Manager,{{ ldapDomain }}" write by self write by * auth
+olcAccess: {0}to attrs=userPassword by dn="{{ ldapManager }}" write by self write by * auth
-olcAccess: {1}to attrs=shadowLastChange by dn="cn=Manager,{{ ldapDomain }}" write by self write by * read
+olcAccess: {1}to attrs=shadowLastChange by dn="{{ ldapManager }}" write by self write by * read
 olcAccess: {2}to * by users read by anonymous auth
--- a/roles/ldapserver/templates/binddn_ldif.j2
+++ b/roles/ldapserver/templates/binddn_ldif.j2
-dn: cn=binddn,ou=Accounts,{{ ldapDomain }}
+dn: {{ ldapBindDN }}
 objectClass: inetOrgPerson
 cn: binddn
 sn: binddn

--- a/roles/ldapserver/templates/default_ppolicy_ldif.j2
+++ b/roles/ldapserver/templates/default_ppolicy_ldif.j2
 dn: cn=default,ou=pwpolicies,{{ ldapDomain }}
+cn: default
+objectClass: pwdPolicy
 objectClass: top
 objectClass: device
-objectClass: pwdPolicy
+pwdAllowUserChange: TRUE
 pwdAttribute: 2.5.4.35
-cn: default
+pwdExpireWarning: 604800
+pwdFailureCountInterval: 30
+pwdGraceAuthNLimit: 0
+pwdInHistory: 10
+pwdLockout: TRUE
+pwdLockoutDuration: 3600
+pwdMaxAge: 7776000
+pwdMaxFailure: 5
+pwdMinAge: 3600
+pwdMinLength: 12
+pwdMustChange: FALSE
+pwdSafeModify: FALSE
--- a/roles/ldapserver/templates/groups_ldif.j2
+++ b/roles/ldapserver/templates/groups_ldif.j2
-dn: ou=Groups,{{ ldapDomain }}
+dn: {{ ldapGroupBase }}
 objectClass: organizationalUnit
--- a/roles/ldapserver/templates/manager_ldif.j2
+++ b/roles/ldapserver/templates/manager_ldif.j2
@@ -4,7 +4,7 @@ replace: olcSuffix
 olcSuffix: {{ ldapDomain }}
 -
 replace: olcRootDN
-olcRootDN: cn=Manager,{{ ldapDomain }}
+olcRootDN: {{ ldapManager }}
 -
 add: olcRootPW
 olcRootPW: {{ ldapManagerHash.stdout }}
--- a/roles/ldapserver/vars/CentOS_6.6_x86_64.yml
+++ b/roles/ldapserver/vars/CentOS_6.6_x86_64.yml
+---
+ system_packages:
+  - openldap-servers
+  - openldap-clients
+  - openssl
--- a/roles/ldapserver/vars/main.yml
+++ b/roles/ldapserver/vars/main.yml
 ---
- ldapuser:  ldap
+  ldapuser:  ldap
- ldapgroup: ldap
+  ldapgroup: ldap
--- a/roles/nfs-common/tasks/main.yml
+++ b/roles/nfs-common/tasks/main.yml
 ---
 - include: yumPackages.yml
+- name: setup idmap.conf
+  template: src=idmap.conf.j2 dest=/etc/idmap.conf
+  sudo: true
--- a/roles/openLdapClient/templates/idmapd.conf.j2
+++ b/roles/openLdapClient/templates/idmapd.conf.j2
@@ -2,7 +2,7 @@
 #Verbosity = 0
 # The following should be set to the local NFSv4 domain name
 # The default is the host's DNS domain name.
-Domain = {{ ldapDomain }}
+Domain = {{ ansible_fqdn }} 
 # The following is a comma-separated list of Kerberos realm
 # names that should be considered to be equivalent to the

--- a/roles/openLdapClient/defaults/main.yml
+++ b/roles/openLdapClient/defaults/main.yml
 ---
-ldapDomain: "monash.edu.au" 
-ldapUri: "ldaps://ldapserver.com/"
-ldapDn: "cn=ldapbind,cn=users,dc=monash,dc=edu,dc=au" 
-ldapPassword: "secret"
-ldapBase: "cn=users,dc=monash,dc=edu,dc=au"
-ldapUserClass: "user"
-ldapUserHomeDirectory: "unixHomeDirectory"
-ldapUserPricipal: "userPrincipalName"
-ldapGroupBase: "ou=groups,dc=monash,dc=edu,dc=au"
-tlsCaCertDirectory: "/etc/openldap/certs"
-tlsCaCertFile: "/etc/openldap/certs/ca.pem"
-ldapCaCertFileSource: "/etc/openldap/certs"
-cacertFile: "ca.pem"
 ldapRfc2307: ""
 ldapRfc2307Pam: ""
-ldapServerHost: "10.0.0.1 ldapserver.com"
--- a/roles/openLdapClient/tasks/configLdapClient.yml
+++ b/roles/openLdapClient/tasks/configLdapClient.yml
@@ -3,7 +3,6 @@
  template: src={{ item }}.j2 dest=/etc/{{ item }}
  with_items:
    - pam_ldap.conf
-    - idmapd.conf
    - nsswitch.conf
  sudo: true
@@ -15,18 +14,10 @@
  template: src=authconfig.j2 dest=/etc/sysconfig/authconfig
  sudo: true
- name: "Insert LDAP IP address LDAP to /etc/hosts"
+- name: "Copy ldap.conf file "
-  lineinfile: dest=/etc/hosts line="{{ ldapServerHost }}" state=present insertafter=EOF
-  sudo: true
- name: "Copy ldap.conf file"
  template: src=ldap.conf.j2 dest=/etc/openldap/ldap.conf
  sudo: true
- name: "Copy ldap cacert file"
-  copy: src={{ ldapCaCertFileSource }} dest={{ tlsCaCertFile }} owner=root group=root mode=0644
-  sudo: true
 - name: "Copy sssd.conf to ldap client"
  template: src=sssd.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=600
  sudo: true

--- a/roles/openLdapClient/templates/ldap.conf.j2
+++ b/roles/openLdapClient/templates/ldap.conf.j2
-TLS_CACERTDIR {{ tlsCaCertDirectory }}
+TLS_CACERT {{ ldapCaCertFile }}
-TLS_CACERT {{ tlsCaCertFile }}
+URI {{ ldapURI }}
-URI {{ ldapUri }}
+BASE {{ ldapBase }} 
-BASE {{ ldapBase }}
 timelimit 120
 bind_timelimit 120

--- a/roles/openLdapClient/templates/pam_ldap.conf.j2
+++ b/roles/openLdapClient/templates/pam_ldap.conf.j2
@@ -27,7 +27,7 @@ base {{ ldapBase }}
 #uri ldapi://%2fvar%2frun%2fldapi_sock/
 # Note: %2f encodes the '/' used as directory separator
 # [aulmc used to be 11/10/2013 # uri ldap://m2-w.massive.org.au/ 
-uri {{ ldapDomain }}
+uri {{ ldapURI }} 
 # The LDAP version to use (defaults to 3
 # if supported by client library)
@@ -35,11 +35,11 @@ uri {{ ldapDomain }}
 # The distinguished name to bind to the server with.
 # Optional: default is to bind anonymously.
-binddn {{ ldapDn }}
+binddn {{ ldapBindDN }}
 # The credentials to bind with. 
 # Optional: default is no credential.
-bindpw {{ ldapPassword }}
+bindpw {{ ldapBindDNPassword }} 
 # The distinguished name to bind to the server with
 # if the effective user ID is root. Password is
@@ -220,19 +220,6 @@ nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,rad
 #pam_filter objectclass=User
 #pam_password ad
-# RFC 2307 (AD) mappings
-nss_base_group         ou=Groups,dc=massive,dc=org,dc=au?one
-nss_map_objectclass posixAccount user
-nss_map_objectclass shadowAccount user
-nss_map_attribute uid sAMAccountName
-nss_map_attribute homeDirectory unixHomeDirectory
-nss_map_attribute shadowLastChange pwdLastSet
-nss_map_objectclass posixGroup group
-nss_map_attribute uniqueMember member
-pam_login_attribute sAMAccountName
-pam_filter objectclass=User
-pam_password md5
 # configure --enable-authpassword is no longer supported
 # AuthPassword mappings
 #nss_map_attribute userPassword authPassword
@@ -300,7 +287,7 @@ pam_password md5
 ssl no
 #tls_cacertdir /etc/openldap/cacerts
 #pam_password md5
-tls_cacertdir {{ tlsCaCertDirectory }}
+tls_cacertfile {{ ldapCaCertFile }}
-tls_cacertfile {{ tlsCaCertFile }}
+# RFC 2307 (AD) mappings
 {{ ldapRfc2307Pam }}
--- a/roles/openLdapClient/templates/sssd.j2
+++ b/roles/openLdapClient/templates/sssd.j2
 [sssd]
 config_file_version = 2
-domains = {{ ldapDomain }}
+domains = {{ ansible_domain }}
 services = nss, pam, autofs
 [nss]
@@ -8,7 +8,7 @@ filter_users = root
 [pam]
-[domain/{{ ldapDomain }}]
+[domain/{{ ansible_domain }}]
 ldap_referrals = false
 cache_credentials = false
 entry_cache_timeout=3600
@@ -20,14 +20,13 @@ auth_provider = ldap
 chpass_provider = ldap
 access_provider = ldap
-ldap_uri = {{ ldapUri }} 
+ldap_uri = {{ ldapURI }} 
 ldap_id_use_start_tls = True
 ldap_tls_reqcert = allow 
-ldap_tls_cacertdir = {{ tlsCaCertDirectory }}
+ldap_tls_cacert = {{ ldapCaCertFile }}
-ldap_tls_cacert = {{ cacertFile }}
+ldap_default_bind_dn = {{ ldapBindDN }} 
-ldap_default_bind_dn = {{ ldapDn }}
 ldap_default_authtok_type = password
-ldap_default_authtok = {{ ldapPassword }}
+ldap_default_authtok = {{ ldapBindDNPassword }} 
 {{ ldapRfc2307 }}