resolve conflict

roles/enable_root/templates/authorized_keys.j2

+ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAvjn5cQuMkqTo04ZnkuDXfUBeAt7oZ6xrT4phfMemqx12dDqLyFrMgUWOoVMFj+TNyR5M8WOCI6CRT6EXOMtqaxhPtWB1QlDNo0Ml8xTzSKckUO0EhdqNKh+nlQfVeaVIx0DZZeWWNpPCrKPCM4TSAXXiwtZuImd6/Zo4RI1x+oTcFR9zQulUGUuX8rf7+4c/oKr58B+La8bXP8QujtfLm29pl1kawSouCfdxt93wRfbISM7mGs/WqzttRXL9m5AeOMuo5S4Ia0GPMcIEUfsQhEyEU7tiTpEq5lDdf6H7a9SlHXzhd9f2Dn3mlv3mmQHaGBJvUuWmVwydxkdtCRQhOQ== root@m2-m
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2xrAkFRdYBpYs14AYSzdPFcIOt2zKXIgjPpyj/6eg/yl3y8N84T9VNw9ATRzb3+PJEw1lOfah6xLkFl7FueT6359y14c7wkNByGHgcL022SludkhM2zBe/3ebhcBs11L4Z725rqVnGDSKdKuwZjbCmUtu/nHwGYU/BnLKbQXMVyq53L5cbIyWGfvItPnwCF2ZMy1v0lmnFs1O3qDK9U/qcwc/77MTB0Z/ey0zsoXvmxjkdYr+zgQLRNm2+fkCXn+ZorbeDwWjhHE21arhMym5x3VG0XU2Ob9nL1Z2xEGQVSnBVWeadTMNzkfM8U07Md2tSOIC5B3ePETxk97puxbEQ== root@m2-m
 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPijQ597uLqEPAvVZXQlSjrUfFl2h7SRBTCRhH4hQJMVu55dhFYiojJZ0tjjV3jTcgWs1AsyRp3wDtNp8iQxbwEY2JPxCOjNuH0et4I/y3y6VUjcVWanSaIkdPf5AFNb9KIXo3Hvdyvav8SfFpioRQ0FKp8SZs1JYXpuQ0mZY26oKCKcNsWXv9ZN7knUN0xvYNMycpCnI2Nl666Zrs0gGyJ6e+Xq5bpk1lm8nuK9q52bTRjxqtdEBuSGwkZea+NBJzpYw5rEucteQI66y6tzFuYJk2WC4bUifffIxnkQXKYVynJg1MJ2CGI69r9hXt9eUtH3WrDxrJGmCau8jD3lib hines@sparge
 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnakq6Lgq2n6yjcMaC7xQXMDMRdN33T6mPCqRy+TPdu0aPvVty0UFeAWsCyTxHeVfst9Vr0HwRRBvNihp1CJuOWGbk0H5a8yALDhLqoHazv2jlMQcLDgTktw0Jgo38+tcBShJyey1iHh8X5WgsS5/hgxR3OzoNBEzqzHUidMO/EI0ahNlM60l8EYL8Ww799NmPgqdPbwxK9nHsoFmx/NKhnUdronSg33L0CJZT3t2fccXAq+4Pbm7uYEkL3T/NgMdgpG5mKS3mKDtKyyKm2gOf3fVzExFew2etBxB3ANPEWvSuJ2XwXQv8sFE1722XQVR4RFgilCWUqXSN7EmqoHkNQ== jupiter@cvlproject

roles/karaage3.1.17/tasks/karaage.yml

@@ -96,7 +96,21 @@
 -
  name: "enabling Karaage configuration"
  shell: cp -rvpf /root/karaage3.1.7/conf/karaage3-wsgi.conf /etc/httpd/conf.d/karaage3-wsgi.conf
+ sudo: true
  when: ansible_os_family == "RedHat"
+-
+ name: "Enable shibboleth, should it be in shibboleth-sp role?"
+ lineinfile: insertafter="{{ item.after }}" line="{{ item.line }}" dest=/etc/{% if ansible_os_family == 'RedHat'  %}httpd{% else %}apache2{% endif %}/conf-available/karaage3-wsgi.conf state=present
+ with_items:
+   - { after: 'EOF', line: '<Location /karaage>' } 
+   - { after: '^<Location /karaage>', line: 'AuthType Shibboleth' }
+   - { after: '^AuthType Shibboleth', line: 'ShibRequireSession On' }
+   - { after: '^ShibRequireSession On', line: 'ShibUseHeaders On' }
+   - { after: '^ShibUseHeaders On', line: 'require valid-user' }
+   - { after: 'EOF', line: '</Location>' }
+#   - { after: '^require valid-user', line: '</Location>' }
+ sudo: true
+
 -
  name: "Installing other packages Debian"
  apt: name={{ item }} update_cache=yes
@@ -139,11 +153,8 @@
  sudo: true
 
 -
- # TODO: Fix it
- name: "Check DB tables has been created or not"
- shell: ls /root/.karaage_db_init
- ignore_errors: true
- sudo: true
+ name: "Check karaage DB has been initialized or not"
+ shell: mysql -h {{ karaageDbHost }}  -u {{ karaageDbName }} --password={{ mysql_user_password }} -Bse 'use karaage; show tables;' | wc -l 
  register: karaage_db_init
 
 -
@@ -158,9 +169,9 @@
 
 -
  name: " Create DB tables"
- shell: kg-manage migrate && touch /root/.karaage_db_init 
+ shell: kg-manage migrate 
  sudo: true
- when: karaage_db_init is not defined
+ when: karaage_db_init.stdout.find("0") == 0
 
 -
  name: "Restarting Celery"

roles/karaage3.1.17/tasks/main.yml

 ---
+ - name: "Copying the apache key file"
+   template: src="files/{{ apache_key_file }}" dest="{{ x509_key_file }}" mode=0644
+   sudo: true
+   when: apache_key_file is defined
+ 
+ - name: "Copying the apache cert file"
+   template: src="files/{{ apache_cert_file }}" dest="{{ x509_cert_file }}" mode=0644
+   sudo: true
+   when: apache_cert_file is defined
+
  - include: prerequisitesDebian.yml
    when: ansible_os_family == "Debian"
  - include: apacheDebian.yml

roles/karaage3.1.17/templates/default-ssl.j2

@@ -59,12 +59,13 @@
 	#   Note: Inside SSLCACertificatePath you need hash symlinks
 	#         to point to the certificate files. Use the provided
 	#         Makefile to update the hash symlinks after changes.
-    {% if x509_cert_path is defined %}
-	SSLCACertificatePath {{ x509_cert_path }} 
+    {% if ldapCaCertFile is defined and ldapCaCertDir is defined %}
+    SSLCACertificatePath {{ ldapCaCertDir }} 
+    SSLCACertificateFile {{ ldapCaCertDir }}/{{ ldapCaCertFile }}
     {% else %}
-	SSLCACertificatePath /etc/ssl/certs/
+    SSLCACertificatePath /etc/ssl/certs/
+    SSLCACertificateFile {{ x509_cacert_file }}
     {% endif %}
-	SSLCACertificateFile {{ x509_cacert_file }}
 
 	#   Certificate Revocation Lists (CRL):
 	#   Set the CA revocation path where to find CA CRLs for client

roles/karaage3.1.17/templates/settings.py.j2

@@ -294,7 +294,8 @@ ACCOUNTS_ORG_NAME = '{{ karaageAcountName }}'
 #
 # default: SHIB_SUPPORTED = False
 #
-# SHIB_SUPPORTED = True
+# TODO: Should we add a variable to use shibboleth or not???
+SHIB_SUPPORTED = True
 
 # Path to AUP policy. Note that setting this will not disable the Karaage
 # default page, it might be better to replace the AUP with a file in

roles/karaage3.1.17/vars/readme.txt

+
+apache_cert_file: "{{ inventory_hostname }}.{{ domain }}.crt"
+apache_key_file: "{{ inventory_hostname }}.{{ domain }}.key"
+

roles/ldapserver/meta/main.yml

----
-dependencies:
-    - { role: easy-rsa-certificate, x509_csr_args: "", x509_sign_args: "--server", x509_cacert_file: "/etc/ssl/certs/ca.crt", x509_key_file: "/etc/ssl/private/server.key", x509_cert_file: "/etc/ssl/certs/server.crt", x509_common_name: "{{ ansible_fqdn }}" }

roles/ldapserver/tasks/main.yml

 ---
 
 - include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"
+- include_vars: "{{ ansible_distribution }}.yml"
 - name: install system packages apt
   apt: name={{ item }} state=installed update_cache=true
   sudo: true
@@ -13,6 +14,11 @@
   with_items: system_packages
   when: ansible_os_family == 'RedHat'
 
+- name: Fixed default configuration 
+  lineinfile: dest=/etc/default/slapd regexp='^SLAPD_SERVICES="ldap:/// ldapi:///"' line='SLAPD_SERVICES="ldaps:/// ldap:/// ldapi:///"'
+  sudo: true
+  when: ansible_os_family == 'Debian'
+
 - name: hash password
   command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
   register: ldapManagerHash
@@ -53,8 +59,8 @@
 - name: template acls.ldif
   template: src=acls_ldif.j2 dest=/tmp/acls.ldif
 
-- name: template ppolicy_moduleload.ldif
-  template: src=ppolicy_moduleload_ldif.j2 dest=/tmp/ppolicy_moduleload.ldif
+- name: template load_modules.ldif
+  template: src=load_modules_ldif.j2 dest=/tmp/load_modules.ldif
 
 - name: template ppolicy_overlay.ldif
   template: src=ppolicy_overlay_ldif.j2 dest=/tmp/ppolicy_overlay.ldif
@@ -77,6 +83,12 @@
   file: path={{ cacert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
   sudo: true
 
+# Change to remove easy-rsa and to use fixed key and certs
+- name: copy fixed keys and certs from files directory
+  template: src=files/{{ item.src }} dest="{{ item.dest }}" mode={{ item.mode }} owner=root group=root
+  with_items: ldapCertFiles 
+  sudo: true
+  
 - name: copy cert
   command: cp /etc/ssl/certs/server.crt {{ ldapcert }}
   sudo: true
@@ -127,16 +139,6 @@
   register: aclConfigured
 
 
-- name: check DIT config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
-  ignore_errors: true
-  register: ditConfigured
-
-- name: check Accounts config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
-  ignore_errors: true
-  register: accountsConfigured
-
 - name: check real Accounts config
   shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
@@ -153,8 +155,7 @@
   ignore_errors: true
   register: binddnConfigured
 
--
-  name: Initialise cosine and ppolicy
+- name: Initialise cosine and ppolicy
   shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ item }}.ldif -D cn=config
   with_items:
    - ppolicy
@@ -170,22 +171,33 @@
   sudo: true
   when: tlsConfigured|failed
 
+- name: check DIT config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
+  ignore_errors: true
+  register: ditConfigured
+
+- name: check Accounts config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
+  ignore_errors: true
+  register: accountsConfigured
+
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config 
+  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config
   sudo: true
   when: managerConfigured|failed
+
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
   sudo: true
   ignore_errors: true
   when: managerConfigured|failed
 - name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
   sudo: true
   when: managerConfigured|failed
 
 - name: initialise server acls
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
   sudo: true
   when: aclConfigured|failed
 
@@ -209,3 +221,44 @@
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
   sudo: true
   when: binddnConfigured|failed
+      
+- name: check ppolicy module loaded
+  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
+  sudo: true
+  ignore_errors: true
+  register: ppolicyModuleLoaded
+
+- name: load ppolicy module
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_modules.ldif -D cn=config 
+  sudo: true
+  when: ppolicyModuleLoaded|failed
+
+- name: check ppolicy overlay config
+  shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}.db,cn=config'"
+  ignore_errors: true
+  sudo: true
+  register: ppolicyOverlayConfigured
+
+- name: add ppolicy overlay
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config 
+  sudo: true
+  when: ppolicyOverlayConfigured|failed
+
+- name: check pwpolicies config
+  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  ignore_errors: true
+  register: pwpoliciesConfigured
+
+- name: add pwpolicies
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
+  when: pwpoliciesConfigured|failed
+
+- name: check defaultPwpolicy config
+  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  ignore_errors: true
+  register: defaultPpolicyConfigured
+
+- name: add defaultPwpolicy
+  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+  when: defaultPpolicyConfigured|failed
+

roles/ldapserver/templates/ppolicy_moduleload_ldif.j2 → roles/ldapserver/templates/load_modules_ldif.j2

 dn: cn=module,cn=config
 objectClass: olcModuleList
 cn: module
-olcModulePath: /usr/lib64/openldap/
+olcModulePath: {{ module_path }} 
 olcModuleLoad: ppolicy.la

roles/ldapserver/vars/main.yml → roles/ldapserver/vars/CentOS.yml

@@ -2,4 +2,4 @@
   ldapcert: /etc/openldap/certs/ldapcert.pem
   ldapkey: /etc/openldap/certs/ldapkey.pem
   cacert: /etc/openldap/certs/cacert.pem
-
+  module_path: "/usr/lib64/openldap/"

roles/ldapserver/vars/Debian.yml

+---
+  ldapcert: /etc/ldap/certs/ldapcert.pem
+  ldapkey: /etc/ldap/certs/ldapkey.pem
+  cacert: /etc/ldap/certs/cacert.pem
+  module_path: "/usr/lib/ldap"

roles/mysql/tasks/mysql_server.yml

@@ -45,7 +45,7 @@
   sudo: true
 
 - name: "Templating mysql configure file"
-  template: src="mysql.cnf.j2" dest=/etc/mysql/conf.d/{{ mysql_config_file_name }}.cnf owner=root group=root
+  template: src="mysql.cnf.j2" dest=/etc/mysql/conf.d/mysqld_safe_syslog.cnf owner=root group=root
   sudo: true
 
 - name: "Adding root"

roles/mysql/vars/readme.txt

@@ -4,7 +4,6 @@ mysql_type: mysql_client | mysql_server
 mysql_user_db_name: "my_database" 
 mysql_user_name: "my_database" 
 mysql_user_host: "localhost"
-mysql_config_file_name: "mysql_config"
 mysql_root_password: "secret"
 mysql_user_password: "secret"
 

roles/shibboleth-sp/tasks/shibbolethConfig.yml

 ---
 -
- name: "Copying the metadata.aaf.xml and aaf-metadata-cert.pem"
- template: src="{{ item }}.j2" dest="/etc/shibboleth/{{ item }}" mode=0644
+ name: "Copying the shibboleth files"
+ template: src=files/{{ item.src }} dest="{{ item.dest }}" mode=0644
+ with_items: shibboleth_file
  sudo: true
- with_items:
-  - metadata.aaf.xml
-  - aaf-metadata-cert.pem
+
 - 
   name: "Setting shibboleth2.xml sp.example.org"
   sudo: true
@@ -13,10 +12,14 @@
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
    regexp: sp.example.org 
-   replace: "{{ ansible_fqdn }}"
+   replace: "{{ ansible_hostname }}.{{ domain }}"
    backup: yes
    
-  
+-
+ name: "Remove SSO entityID"
+ lineinfile: dest=/etc/shibboleth/shibboleth2.xml regexp="^<SSO entityID=" line="<SSO" state=present
+ sudo: true
+
 - 
   name: "Setting shibboleth2.xml handlerSSL"
   sudo: true
@@ -24,7 +27,7 @@
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
    regexp: 'handlerSSL="false"' 
-   replace: 'handlerSSL="true"   handlerURL="https://{{ ansible_fqdn }}/Shibboleth.sso"' 
+   replace: 'handlerSSL="true"   handlerURL="https://{{ ansible_hostname }}.{{ domain }}/Shibboleth.sso"' 
    
 
 - 
@@ -97,7 +100,16 @@
   args:
    dest: /etc/shibboleth/shibboleth2.xml 
    regexp: '<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>' 
-   replace: '<CredentialResolver type="File" key="{{ x509_key_file }}" certificate="{{ x509_cert_file }}"/>'
+   replace: '<CredentialResolver type="File" key="{{ x509_key_file }}" certificate="{{ x509_cert_path }}/{{ x509_common_name }}.cert"/>'
+
+- 
+ name: "fix directory access permission"
+ file: path={{ x509_key_file | dirname }} owner=root group=_shibd state=directory mode=750
+ sudo: true
+- 
+ name: "fix key access permission"
+ file: path={{ x509_key_file }} owner=root group=_shibd mode=644
+ sudo: true
 
 -
  name: "Templating attribute-map.xml"
@@ -109,18 +121,22 @@
  notify:
    - Restarting Apache
    - Restarting shibboleth
+-
+ name: "Copy shib.conf"
+ sudo: true
+ template: src=shib.conf dest="/etc/apache2/conf-available/shib.conf" mode=0644
+-
+ name: "Link shib.conf"
+ sudo: true
+ file: src=/etc/apache2/conf-available/shib.conf path=/etc/apache2/conf-enabled/shib.conf state=link 
+ notify: Restarting Apache
+
 -
  name: "Starting Apache"
  sudo: true
- service:
- args:
-  name: apache2
-  state: started
+ service: name=apache2 state=started
 
 -
  name: "Starting shibboleth"
  sudo: true
- service:
- args:
-  name: shibd
-  state: started
+ service: name=shibd state=started

roles/shibboleth-sp/templates/shib.conf

+<Location /secure>
+  AuthType shibboleth
+  ShibRequestSetting requireSession 1
+  require valid-user
+</Location>