code ldapserver final localtion ldap keys and certs; fix explict copies for ldap key and certs

b39f6048 · Jupiter Hu · ec69cf6a · b39f6048 · b39f6048 · b39f6048
Commit b39f6048 authored 9 years ago by Jupiter Hu
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
@@ -2,6 +2,7 @@

 - include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"
 - include_vars: "{{ ansible_distribution }}.yml"
+
 - name: install system packages apt
  apt: name={{ item }} state=installed update_cache=true
  sudo: true
@@ -23,10 +24,6 @@
  command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
  register: ldapManagerHash

-
-
-
-
 - name: template root.ldif
  template: src=root_ldif.j2 dest=/tmp/root.ldif

@@ -39,7 +36,6 @@
 - name: template groups.ldif
  template: src=groups_ldif.j2 dest=/tmp/groups.ldif

-
 - name: template load_modules.ldif
  template: src=load_modules_ldif.j2 dest=/tmp/load_modules.ldif

@@ -65,45 +61,28 @@
  template: src=manager_ldif3.j2 dest=/tmp/manager3.ldif mode=600
  sudo: true

-
- name: make cert dir
-  file: path={{ ldapcert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
-  sudo: true
-
- name: make key dir
-  file: path={{ ldapkey | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} mode=700
-  sudo: true
-
 - name: make ca dir
-  file: path={{ cacert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
+  file: path={{ ldapCAChainDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
  sudo: true

 - name: make ldap certs dir
-  file: path={{ ldapCertDir }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
+  file: path={{ ldapCertDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
  sudo: true
-  when: ldapCertDir is defined

 - name: make ldap private dir
-  file: path={{ ldapPrivateDir }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
+  file: path={{ ldapKeyDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
  sudo: true
-  when: ldapPrivateDir is defined

-# Change to remove easy-rsa and to use fixed key and certs
- name: copy fixed keys and certs from files directory
-  template: src=files/{{ item.src }} dest="{{ item.dest }}" mode={{ item.mode }} owner=root group=root
-  with_items: ldapCertFiles 
-  sudo: true
-  
 - name: copy cert
-  copy: src="files/{{ ldap_TLSCert }}" dest="{{ ldapcert }}"
+  copy: src="files/{{ ldapCertSrc }}" dest="{{ ldapCertDest }}"
  sudo: true

 - name: copy cacert
-  copy: src="files/{{ ldap_TLSCAChain }}" dest="{{ cacert }}"
+  copy: src="files/{{ ldapCAChainSrc }}" dest="{{ ldapCAChainDest }}"
  sudo: true

 - name: copy key
-  copy: src="files/{{ ldap_TLSKey }}" dest="{{ ldapkey }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }}
+  copy: src="files/{{ ldapKeySrc }}" dest="{{ ldapKeyDest }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }}
  sudo: true

 - name: enable ssl centos
@@ -117,12 +96,11 @@
  when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7'

 - name: check TLS config
-  shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: {{ ldapkey }}'"
+  shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: {{ ldapKeyDest }}'"
  ignore_errors: true
  sudo: true
  register: tlsConfigured

-
 - name: start ldap
  service: name=slapd state=restarted
  sudo: true
@@ -133,7 +111,7 @@
  when: tlsConfigured|failed

 - name: Initialise cosine and ppolicy
-  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ item }}.ldif -D cn=config
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/{{ ldapDir }}/schema/{{ item }}.ldif -D cn=config
  with_items:
   - ppolicy
   - cosine
@@ -141,7 +119,6 @@
   - inetorgperson
  ignore_errors: true
  sudo: true
-  when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7'
      
 - name: check ppolicy module loaded
  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
@@ -165,7 +142,6 @@
  sudo: true
  when: ppolicyOverlayConfigured|failed

-
 - name: check Manager config
  shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'"
  ignore_errors: true
@@ -201,8 +177,6 @@
  sudo: true
  when: aclConfigured|failed

-
-
 - name: check DIT config
  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
  ignore_errors: true
@@ -212,7 +186,6 @@
  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
  when: ditConfigured|failed

-
 - name: check real Accounts config
  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*"
  ignore_errors: true
@@ -259,7 +232,6 @@
  sudo: true
  when: binddnConfigured|failed

-
 - name: check pwpolicies config
  shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
  ignore_errors: true

--- a/roles/ldapserver/templates/ssl_ldif.j2
+++ b/roles/ldapserver/templates/ssl_ldif.j2
 dn: cn=config
 replace: olcTLSCACertificateFile
-olcTLSCACertificateFile: {{ cacert }}
+olcTLSCACertificateFile: {{ ldapCAChainDest }}
 -
 replace: olcTLSCertificateFile
-olcTLSCertificateFile:  {{ ldapcert }}
+olcTLSCertificateFile:  {{ ldapCertDest }}
 -
 replace: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: {{ ldapkey }}
+olcTLSCertificateKeyFile: {{ ldapKeyDest }}
--- a/roles/ldapserver/vars/CentOS.yml
+++ b/roles/ldapserver/vars/CentOS.yml
 ---
-  ldapcert: /etc/openldap/certs/ldapcert.pem
-  ldapkey: /etc/openldap/certs/ldapkey.pem
-  cacert: /etc/openldap/certs/cacert.pem
+  ldapDir: "openldap"
  module_path: "/usr/lib64/openldap/"
+  
--- a/roles/ldapserver/vars/Debian.yml
+++ b/roles/ldapserver/vars/Debian.yml
 ---
-  ldapcert: /etc/ldap/certs/ldapcert.pem
-  ldapkey: /etc/ldap/certs/ldapkey.pem
-  cacert: /etc/ldap/certs/cacert.pem
+  ldapDir: "ldap"
  module_path: "/usr/lib/ldap"
--- a/roles/ldapserver/vars/main.yml
+++ b/roles/ldapserver/vars/main.yml
+---
+ldapCertDest: "/etc/{{ ldapDir }}/ssl/certs/hpcldap0.erc.monash.edu.au.cert.pem"
+ldapKeyDest: "/etc/{{ ldapDir }}/ssl/private/hpcldao0.erc.monash.edu.au.key.pem"
+ldapCAChainDest: "/etc/{{ ldapDir }}/ssl/certs/MeRC_HPC_CaChain.cert.pem"
+
+ldapKeySrc: "hpcldap0.erc.monash.edu.au.key.pem"
+ldapCertSrc: "hpcldap0.erc.monash.edu.au.cert.pem"                         
+ldapCAChainSrc: "MeRC_HPC_CA_Chain.cert.pem"
+