fixed ldap server configuration

roles/karaage3.1.17/tasks/karaage.yml

@@ -107,7 +107,8 @@
    - { after: '^AuthType Shibboleth', line: 'ShibRequireSession On' }
    - { after: '^ShibRequireSession On', line: 'ShibUseHeaders On' }
    - { after: '^ShibUseHeaders On', line: 'require valid-user' }
-   - { after: '^require valid-user', line: '</Location>' }
+   - { after: 'EOF', line: '</Location>' }
+#   - { after: '^require valid-user', line: '</Location>' }
  sudo: true
 
 -

roles/ldapserver/meta/main.yml

----
-dependencies:
-    - { role: easy-rsa-certificate, x509_csr_args: "", x509_sign_args: "--server", x509_cacert_file: "/etc/ssl/certs/ca.crt", x509_key_file: "/etc/ssl/private/server.key", x509_cert_file: "/etc/ssl/certs/server.crt", x509_common_name: "{{ ansible_fqdn }}" }

roles/ldapserver/tasks/main.yml

@@ -19,7 +19,6 @@
   sudo: true
   when: ansible_os_family == 'Debian'
 
-
 - name: hash password
   command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
   register: ldapManagerHash
@@ -60,8 +59,8 @@
 - name: template acls.ldif
   template: src=acls_ldif.j2 dest=/tmp/acls.ldif
 
-- name: template ppolicy_moduleload.ldif
-  template: src=ppolicy_moduleload_ldif.j2 dest=/tmp/ppolicy_moduleload.ldif
+- name: template load_modules.ldif
+  template: src=load_modules_ldif.j2 dest=/tmp/load_modules.ldif
 
 - name: template ppolicy_overlay.ldif
   template: src=ppolicy_overlay_ldif.j2 dest=/tmp/ppolicy_overlay.ldif
@@ -84,6 +83,12 @@
   file: path={{ cacert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
   sudo: true
 
+# Change to remove easy-rsa and to use fixed key and certs
+- name: copy fixed keys and certs from files directory
+  template: src=files/{{ item.src }} dest="{{ item.dest }}" mode={{ item.mode }} owner=root group=root
+  with_items: ldapCertFiles 
+  sudo: true
+  
 - name: copy cert
   command: cp /etc/ssl/certs/server.crt {{ ldapcert }}
   sudo: true
@@ -134,16 +139,6 @@
   register: aclConfigured
 
 
-- name: check DIT config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
-  ignore_errors: true
-  register: ditConfigured
-
-- name: check Accounts config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
-  ignore_errors: true
-  register: accountsConfigured
-
 - name: check real Accounts config
   shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
@@ -160,8 +155,7 @@
   ignore_errors: true
   register: binddnConfigured
 
--
-  name: Initialise cosine and ppolicy
+- name: Initialise cosine and ppolicy
   shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ item }}.ldif -D cn=config
   with_items:
    - ppolicy
@@ -177,46 +171,94 @@
   sudo: true
   when: tlsConfigured|failed
 
+- name: check DIT config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
+  ignore_errors: true
+  register: ditConfigured
+
+- name: check Accounts config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
+  ignore_errors: true
+  register: accountsConfigured
+
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config 
+  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config
   sudo: true
   when: managerConfigured|failed
+
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
   sudo: true
   ignore_errors: true
   when: managerConfigured|failed
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
   sudo: true
   when: managerConfigured|failed
 
 - name: initialise server acls
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
   sudo: true
   when: aclConfigured|failed
 
 - name: add DIT root
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
-  sudo: true
   when: ditConfigured|failed
 
 - name: add Accounts OU
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
-  sudo: true
   when: accountsConfigured|failed
 
 - name: add real Accounts OU
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/real_accounts.ldif
-  sudo: true
   when: realAccountsConfigured is defined and realAccountsConfigured|failed
 
 - name: add Groups OU
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
-  sudo: true
   when: groupsConfigured|failed
 
 - name: add binddn
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
   sudo: true
   when: binddnConfigured|failed
+      
+- name: check ppolicy module loaded
+  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
+  sudo: true
+  ignore_errors: true
+  register: ppolicyModuleLoaded
+
+- name: load ppolicy module
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_modules.ldif -D cn=config 
+  sudo: true
+  when: ppolicyModuleLoaded|failed
+
+- name: check ppolicy overlay config
+  shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}.db,cn=config'"
+  ignore_errors: true
+  sudo: true
+  register: ppolicyOverlayConfigured
+
+- name: add ppolicy overlay
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config 
+  sudo: true
+  when: ppolicyOverlayConfigured|failed
+
+- name: check pwpolicies config
+  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  ignore_errors: true
+  register: pwpoliciesConfigured
+
+- name: add pwpolicies
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
+  when: pwpoliciesConfigured|failed
+
+- name: check defaultPwpolicy config
+  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  ignore_errors: true
+  register: defaultPpolicyConfigured
+
+- name: add defaultPwpolicy
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+  when: defaultPpolicyConfigured|failed
+

roles/ldapserver/templates/ppolicy_moduleload_ldif.j2 → roles/ldapserver/templates/load_modules_ldif.j2

 dn: cn=module,cn=config
 objectClass: olcModuleList
 cn: module
-olcModulePath: /usr/lib64/openldap/
+olcModulePath: {{ module_path }} 
 olcModuleLoad: ppolicy.la

roles/ldapserver/vars/CentOS.yml

@@ -2,3 +2,4 @@
   ldapcert: /etc/openldap/certs/ldapcert.pem
   ldapkey: /etc/openldap/certs/ldapkey.pem
   cacert: /etc/openldap/certs/cacert.pem
+  module_path: "/usr/lib64/openldap/"

roles/ldapserver/vars/Debian.yml

@@ -2,3 +2,4 @@
   ldapcert: /etc/ldap/certs/ldapcert.pem
   ldapkey: /etc/ldap/certs/ldapkey.pem
   cacert: /etc/ldap/certs/cacert.pem
+  module_path: "/usr/lib/ldap"

roles/shibboleth-sp/tasks/shibbolethConfig.yml

 ---
 -
  name: "Copying the shibboleth files"
- template: src=files/{{ item.src }} dest="/etc/shibboleth/{{ item.dest }}" mode=0644
- sudo: true
+ template: src=files/{{ item.src }} dest="{{ item.dest }}" mode=0644
  with_items: shibboleth_file
- when: shibboleth_file is defined
+ sudo: true
 
 - 
   name: "Setting shibboleth2.xml sp.example.org"
@@ -28,7 +27,7 @@
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
    regexp: 'handlerSSL="false"' 
-   replace: 'handlerSSL="true"   handlerURL="https://{{ ansible_fqdn }}/Shibboleth.sso"' 
+   replace: 'handlerSSL="true"   handlerURL="https://{{ ansible_hostname }}.{{ domain }}/Shibboleth.sso"' 
    
 
 - 
@@ -101,7 +100,16 @@
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
    regexp: '<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>' 
-   replace: '<CredentialResolver type="File" key="{{ x509_key_file }}" certificate="{{ x509_cert_file }}"/>'
+   replace: '<CredentialResolver type="File" key="{{ x509_key_file }}" certificate="{{ x509_cert_path }}/{{ x509_common_name }}.cert"/>'
+
+- 
+ name: "fix directory access permission"
+ file: path={{ x509_key_file | dirname }} owner=root group=_shibd state=directory mode=750
+ sudo: true
+- 
+ name: "fix key access permission"
+ file: path={{ x509_key_file }} owner=root group=_shibd mode=644
+ sudo: true
 
 -
  name: "Templating attribute-map.xml"