From a95f2f0d70e62bd8acef3bef783322fc593bcb44 Mon Sep 17 00:00:00 2001
From: CVL-GitHub <jupiter.hu@monash.edu>
Date: Thu, 13 Aug 2015 13:35:07 +1000
Subject: [PATCH] (1) fixed ldapserver issues for centos 8; (2) add shib.conf to shibboleth; (3) removed certificate role
---
 roles/certificates/tasks/main.yml | 25 -------------------
 roles/certificates/vars/readme.txt | 5 ----
 .../enable_root/templates/authorized_keys.j2 | 1 +
 roles/karaage3.1.17/tasks/main.yml | 10 ++++++++
 roles/karaage3.1.17/templates/default-ssl.j2 | 12 ++++-----
 roles/karaage3.1.17/vars/readme.txt | 4 +++
 roles/ldapserver/tasks/main.yml | 11 ++++++++
 .../ldapserver/vars/{main.yml => CentOS.yml} | 1 -
 roles/ldapserver/vars/Debian.yml | 4 +++
 .../shibboleth-sp/tasks/shibbolethConfig.yml | 20 ++++++++++++---
 roles/shibboleth-sp/templates/shib.conf | 5 ++++
 11 files changed, 57 insertions(+), 41 deletions(-)
 delete mode 100644 roles/certificates/tasks/main.yml
 delete mode 100644 roles/certificates/vars/readme.txt
 create mode 100644 roles/karaage3.1.17/vars/readme.txt
 rename roles/ldapserver/vars/{main.yml => CentOS.yml} (99%)
 create mode 100644 roles/ldapserver/vars/Debian.yml
 create mode 100644 roles/shibboleth-sp/templates/shib.conf
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
deleted file mode 100644
index 356c0eda..00000000
--- a/roles/certificates/tasks/main.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-- name: "Check shibboleth directory"
- file: dest=/etc/shibboleth state=directory mode=0655
- sudo: true
- when: shibboleth_file is defined
-
-- name: "Copying the shisbbolenth files"
- template: src=files/{{ item }} dest="/etc/shibboleth/{{ item }}" mode=0644
- sudo: true
- with_items:
- - "{{ shibboleth_file.aaf }}"
- - "{{ shibboleth_file.cert }}"
- when: shibboleth_file is defined
-
-- name: "Copying the apache key file"
- template: src="files/{{ apache_key_file }}" dest="{{ x509_key_file }}" mode=0644
- sudo: true
- when: apache_key_file is defined
-
-- name: "Copying the apache cert file"
- template: src="files/{{ apache_cert_file }}" dest="{{ x509_cert_file }}" mode=0644
- sudo: true
- when: apache_cert_file is defined
-
-
diff --git a/roles/certificates/vars/readme.txt b/roles/certificates/vars/readme.txt
deleted file mode 100644
index 5a25d5e4..00000000
--- a/roles/certificates/vars/readme.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-pache_cert_file: "{{ inventory_hostname }}.{{ domain }}.crt"
-apache_key_file: "{{ inventory_hostname }}.{{ domain }}.key"
-
-shibbolenth_file: {aaf: "{{ inventory_hostname }}.metadata.aaf.xml", cert: "{{ inventory_hostname }}.aaf-metadata-cert.pem" }
-
diff --git a/roles/enable_root/templates/authorized_keys.j2 b/roles/enable_root/templates/authorized_keys.j2
index 5ee0159b..f7eff2cc 100644
--- a/roles/enable_root/templates/authorized_keys.j2
+++ b/roles/enable_root/templates/authorized_keys.j2
@@ -1,3 +1,4 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvjn5cQuMkqTo04ZnkuDXfUBeAt7oZ6xrT4phfMemqx12dDqLyFrMgUWOoVMFj+TNyR5M8WOCI6CRT6EXOMtqaxhPtWB1QlDNo0Ml8xTzSKckUO0EhdqNKh+nlQfVeaVIx0DZZeWWNpPCrKPCM4TSAXXiwtZuImd6/Zo4RI1x+oTcFR9zQulUGUuX8rf7+4c/oKr58B+La8bXP8QujtfLm29pl1kawSouCfdxt93wRfbISM7mGs/WqzttRXL9m5AeOMuo5S4Ia0GPMcIEUfsQhEyEU7tiTpEq5lDdf6H7a9SlHXzhd9f2Dn3mlv3mmQHaGBJvUuWmVwydxkdtCRQhOQ== root@m2-m
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2xrAkFRdYBpYs14AYSzdPFcIOt2zKXIgjPpyj/6eg/yl3y8N84T9VNw9ATRzb3+PJEw1lOfah6xLkFl7FueT6359y14c7wkNByGHgcL022SludkhM2zBe/3ebhcBs11L4Z725rqVnGDSKdKuwZjbCmUtu/nHwGYU/BnLKbQXMVyq53L5cbIyWGfvItPnwCF2ZMy1v0lmnFs1O3qDK9U/qcwc/77MTB0Z/ey0zsoXvmxjkdYr+zgQLRNm2+fkCXn+ZorbeDwWjhHE21arhMym5x3VG0XU2Ob9nL1Z2xEGQVSnBVWeadTMNzkfM8U07Md2tSOIC5B3ePETxk97puxbEQ== root@m2-m
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPijQ597uLqEPAvVZXQlSjrUfFl2h7SRBTCRhH4hQJMVu55dhFYiojJZ0tjjV3jTcgWs1AsyRp3wDtNp8iQxbwEY2JPxCOjNuH0et4I/y3y6VUjcVWanSaIkdPf5AFNb9KIXo3Hvdyvav8SfFpioRQ0FKp8SZs1JYXpuQ0mZY26oKCKcNsWXv9ZN7knUN0xvYNMycpCnI2Nl666Zrs0gGyJ6e+Xq5bpk1lm8nuK9q52bTRjxqtdEBuSGwkZea+NBJzpYw5rEucteQI66y6tzFuYJk2WC4bUifffIxnkQXKYVynJg1MJ2CGI69r9hXt9eUtH3WrDxrJGmCau8jD3lib hines@sparge
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnakq6Lgq2n6yjcMaC7xQXMDMRdN33T6mPCqRy+TPdu0aPvVty0UFeAWsCyTxHeVfst9Vr0HwRRBvNihp1CJuOWGbk0H5a8yALDhLqoHazv2jlMQcLDgTktw0Jgo38+tcBShJyey1iHh8X5WgsS5/hgxR3OzoNBEzqzHUidMO/EI0ahNlM60l8EYL8Ww799NmPgqdPbwxK9nHsoFmx/NKhnUdronSg33L0CJZT3t2fccXAq+4Pbm7uYEkL3T/NgMdgpG5mKS3mKDtKyyKm2gOf3fVzExFew2etBxB3ANPEWvSuJ2XwXQv8sFE1722XQVR4RFgilCWUqXSN7EmqoHkNQ== jupiter@cvlproject
diff --git a/roles/karaage3.1.17/tasks/main.yml b/roles/karaage3.1.17/tasks/main.yml
index 66d2a9b7..97bee766 100644
--- a/roles/karaage3.1.17/tasks/main.yml
+++ b/roles/karaage3.1.17/tasks/main.yml
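Review bot: The key added on the first line of this hunk carries the comment `root@m2-m`, which is already the comment on the existing second entry, so two different private keys granting root login now share one label and cannot be told apart when auditing or revoking access. Because this template is written to root's authorized_keys, every entry should identify its holder and purpose uniquely; replace the trailing comment with something like `<owner>@<host> (<purpose>)` (placeholder, to be filled in). The exponent field `AAAABIw` in the new key decodes to e=35, which older ssh-keygen releases used, so it is worth confirming how old this key is before granting it root access on every host that gets this template.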
@@ -1,4 +1,14 @@
 ---
+ - name: "Copying the apache key file"
+ template: src="files/{{ apache_key_file }}" dest="{{ x509_key_file }}" mode=0644
+ sudo: true
+ when: apache_key_file is defined
+
+ - name: "Copying the apache cert file"
+ template: src="files/{{ apache_cert_file }}" dest="{{ x509_cert_file }}" mode=0644
+ sudo: true
+ when: apache_cert_file is defined
+
 - include: prerequisitesDebian.yml
 when: ansible_os_family == "Debian"
 - include: apacheDebian.yml
diff --git a/roles/karaage3.1.17/templates/default-ssl.j2 b/roles/karaage3.1.17/templates/default-ssl.j2
index 690c03cc..82832418 100644
--- a/roles/karaage3.1.17/templates/default-ssl.j2
+++ b/roles/karaage3.1.17/templates/default-ssl.j2
@@ -59,12 +59,12 @@
 # Note: Inside SSLCACertificatePath you need hash symlinks
 # to point to the certificate files. Use the provided
 # Makefile to update the hash symlinks after changes.
- {% if x509_cert_path is defined %}
- SSLCACertificatePath {{ x509_cert_path }}
- {% else %}
- SSLCACertificatePath /etc/ssl/certs/
- {% endif %}
- SSLCACertificateFile {{ x509_cacert_file }}
+# {% if x509_cert_path is defined %}
+# SSLCACertificatePath {{ x509_cert_path }}
+# {% else %}
+# SSLCACertificatePath /etc/ssl/certs/
+# {% endif %}
+# SSLCACertificateFile {{ x509_cacert_file }}
 # Certificate Revocation Lists (CRL):
 # Set the CA revocation path where to find CA CRLs for client
diff --git a/roles/karaage3.1.17/vars/readme.txt b/roles/karaage3.1.17/vars/readme.txt
new file mode 100644
index 00000000..ab2fcb04
--- /dev/null
+++ b/roles/karaage3.1.17/vars/readme.txt
@@ -0,0 +1,4 @@
+
+apache_cert_file: "{{ inventory_hostname }}.{{ domain }}.crt"
+apache_key_file: "{{ inventory_hostname }}.{{ domain }}.key"
+
diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml
index 437211fa..9aee1345 100644
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
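Review bot: The "Copying the apache key file" task writes the Apache private key to `{{ x509_key_file }}` with `mode=0644`, so every local account on the host can read it; Apache opens the key as root during startup, so `template: src="files/{{ apache_key_file }}" dest="{{ x509_key_file }}" mode=0600` is enough. The same mode was in the certificates role this commit deletes, so the problem is carried over rather than introduced, but this is the place to correct it. Separately, the added entries appear indented one level deeper than the existing `- include:` items (a space follows the `+` marker before `- name:`); if that is what the file contains rather than an artefact of how the patch was rendered, the top-level list is mis-nested and the role will fail to parse, so align the new tasks to column 0. Both key and certificate are verbatim files, so `copy:` would also be safer than `template:`, which runs them through Jinja.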
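Review bot: Prefixing the six lines with `#` only hides them from Apache; Jinja still evaluates `{% if x509_cert_path is defined %}` and `{{ x509_cacert_file }}` inside the comments, so rendering this template still fails when `x509_cacert_file` is undefined (Ansible raises on undefined variables by default), which is presumably what the change was meant to avoid. Either delete the lines or wrap the block in a Jinja comment, `{# ... #}`, so the template no longer depends on those variables. Note also that with `SSLCACertificateFile` gone, any `SSLVerifyClient` directive elsewhere in this file has no CA to validate client certificates against; worth confirming client-certificate authentication is not in use before merging.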
@@ -1,6 +1,7 @@
 ---
 - include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"
+- include_vars: "{{ ansible_distribution }}.yml"
 - name: install system packages apt
 apt: name={{ item }} state=installed update_cache=true
 sudo: true
@@ -13,6 +14,12 @@
 with_items: system_packages
 when: ansible_os_family == 'RedHat'
+- name: Fixed default configuration
+ lineinfile: dest=/etc/default/slapd regexp='^SLAPD_SERVICES="ldap:/// ldapi:///"' line='SLAPD_SERVICES="ldaps:/// ldap:/// ldapi:///"'
+ sudo: true
+ when: ansible_os_family == 'Debian'
+
+
 - name: hash password
 command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
 register: ldapManagerHash
@@ -191,18 +198,22 @@
 - name: add DIT root
 shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
+ sudo: true
 when: ditConfigured|failed
 - name: add Accounts OU
 shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
+ sudo: true
 when: accountsConfigured|failed
 - name: add real Accounts OU
 shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/real_accounts.ldif
+ sudo: true
 when: realAccountsConfigured is defined and realAccountsConfigured|failed
 - name: add Groups OU
 shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
+ sudo: true
 when: groupsConfigured|failed
 - name: add binddn
diff --git a/roles/ldapserver/vars/main.yml b/roles/ldapserver/vars/CentOS.yml
similarity index 99%
rename from roles/ldapserver/vars/main.yml
rename to roles/ldapserver/vars/CentOS.yml
index c3953ac3..38cf871d 100644
--- a/roles/ldapserver/vars/main.yml
+++ b/roles/ldapserver/vars/CentOS.yml
@@ -2,4 +2,3 @@
 ldapcert: /etc/openldap/certs/ldapcert.pem
 ldapkey: /etc/openldap/certs/ldapkey.pem
 cacert: /etc/openldap/certs/cacert.pem
-
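Review bot: The new `include_vars: "{{ ansible_distribution }}.yml"` only resolves on hosts whose distribution name is exactly `CentOS` or `Debian`, the two files this commit provides, while the rest of this role branches on `ansible_os_family` (`'RedHat'`, `'Debian'`); a RedHat, Scientific Linux or Ubuntu host will now fail at this task with a missing file, whereas before the rename of vars/main.yml those certificate paths were loaded unconditionally. Either name the files after the family the role already tests (`RedHat.yml`, `Debian.yml`) and include `"{{ ansible_os_family }}.yml"`, or use `with_first_found` over the distribution and family names with a fallback. A comment above the line naming the expected files, e.g. `# per-distribution LDAP certificate paths, see vars/<ansible_distribution>.yml`, would make the contract visible.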
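Review bot: The `lineinfile` regexp is anchored to the exact stock value `SLAPD_SERVICES="ldap:/// ldapi:///"`, so on a host where that line has already been edited (including by an earlier run that set a different value) nothing matches, ldaps stays disabled and the task reports ok. Matching the key only, `regexp='^SLAPD_SERVICES='`, makes the task converge on the intended line whatever the current value. The task also has no `notify`, so slapd keeps its old listener set until something else restarts it; add a notify for this role's slapd restart handler (defined in the role's handlers, not visible in this patch). Finally, `Fixed default configuration` does not say what is fixed; `Enable the ldaps listener in /etc/default/slapd` would.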
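Review bot: Adding `sudo: true` to the four ldapadd tasks makes them root processes, but they still pass the directory manager password on the command line via `-w {{ ldapManagerPassword }}`, where it is readable by other local users through the process list and is echoed into Ansible's output for every run of these tasks. Write the password to a root-only file (mode 0600) and pass `-y <passfile>` instead of `-w`, and add `no_log: true` to these tasks so the credential does not land in logs; the `slappasswd -s {{ ldapManagerPassword }}` call shown as context in the previous hunk has the same exposure. Since ldapadd talks to `ldap://localhost` as the manager DN, it is also worth confirming that root is actually needed here (presumably for reading the /tmp/*.ldif files) rather than widening privilege by default. The task list continues outside this hunk.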
diff --git a/roles/ldapserver/vars/Debian.yml b/roles/ldapserver/vars/Debian.yml
new file mode 100644
index 00000000..1ffc4bc6
--- /dev/null
+++ b/roles/ldapserver/vars/Debian.yml
@@ -0,0 +1,4 @@
+---
+ ldapcert: /etc/ldap/certs/ldapcert.pem
+ ldapkey: /etc/ldap/certs/ldapkey.pem
+ cacert: /etc/ldap/certs/cacert.pem
diff --git a/roles/shibboleth-sp/tasks/shibbolethConfig.yml b/roles/shibboleth-sp/tasks/shibbolethConfig.yml
index 4485997d..1de31780 100644
--- a/roles/shibboleth-sp/tasks/shibbolethConfig.yml
+++ b/roles/shibboleth-sp/tasks/shibbolethConfig.yml
@@ -1,10 +1,12 @@
 ---
 -
- name: "Check the metadata.aaf.xml and aaf-metadata-cert.pem"
- shell: ls /etc/shibboleth/*{{ item }}
+ name: "Copying the shibboleth files"
+ template: src=files/{{ item }} dest="/etc/shibboleth/{{ item }}" mode=0644
+ sudo: true
 with_items:
- - metadata.aaf.xml
- - aaf-metadata-cert.pem
+ - "{{ shibboleth_file.aaf }}"
+ - "{{ shibboleth_file.cert }}"
+ when: shibboleth_file is defined
 -
 name: "Setting shibboleth2.xml sp.example.org"
@@ -109,6 +111,16 @@
 notify:
 - Restarting Apache
 - Restarting shibboleth
+-
+ name: "Copy shib.conf"
+ sudo: true
+ template: src=shib.conf dest="/etc/apache2/conf-available/shib.conf" mode=0644
+-
+ name: "Link shib.conf"
+ sudo: true
+ file: src=/etc/apache2/conf-available/shib.conf path=/etc/apache2/conf-enabled/shib.conf state=link
+ notify: Restarting Apache
+
 - name: "Starting Apache"
 sudo: true
diff --git a/roles/shibboleth-sp/templates/shib.conf b/roles/shibboleth-sp/templates/shib.conf
new file mode 100644
index 00000000..13be15af
--- /dev/null
+++ b/roles/shibboleth-sp/templates/shib.conf
@@ -0,0 +1,5 @@
+<Location /secure>
+ AuthType shibboleth
+ ShibRequestSetting requireSession 1
+ require valid-user
+</Location>
-- GitLab
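Review bot: The replacement task deploys the AAF metadata XML and the metadata signing certificate through `template:`, which renders both files with Jinja before writing them; neither is a template, and any `{{`, `{%` or `{#` sequence inside the metadata would be altered or abort the render, so `copy:` is the right module for verbatim files: `copy: src=files/{{ item }} dest="/etc/shibboleth/{{ item }}" mode=0644`. The `files/` prefix appears to point outside this role's own `files/` directory (it is resolved against Ansible's search path, ending at the playbook directory); confirm where the files are expected to live and say so in a comment above the task. The earlier existence check is gone, so a missing source now surfaces only as a failure of this task, which is acceptable but worth a mention in the task name.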
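Review bot: Only the "Link shib.conf" task notifies `Restarting Apache`; the "Copy shib.conf" task above it does not, so once the symlink exists a later change to the shib.conf template is written to conf-available but never loaded until Apache restarts for some other reason. Add `notify: Restarting Apache` to the copy task as well. Both tasks hard-code `/etc/apache2/conf-available` and `conf-enabled`, which exist only on Debian-family Apache layouts, and neither carries `when: ansible_os_family == 'Debian'`; if this role is also expected to run on RedHat-family hosts, the copy will fail on the missing directory there. The surrounding task list continues outside this hunk.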