diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml
index e1b9420b33f3fc6a17b2c28850ee110753f923bf..36251d5067b77a992d65ec590cfc31c0a9ae264c 100644
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
@@ -2,6 +2,7 @@
 
 - include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"
 - include_vars: "{{ ansible_distribution }}.yml"
+
 - name: install system packages apt
   apt: name={{ item }} state=installed update_cache=true
   sudo: true
@@ -23,10 +24,6 @@
   command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
   register: ldapManagerHash
 
-
-
-
-
 - name: template root.ldif
   template: src=root_ldif.j2 dest=/tmp/root.ldif
 
@@ -39,7 +36,6 @@
 - name: template groups.ldif
   template: src=groups_ldif.j2 dest=/tmp/groups.ldif
 
-
 - name: template load_modules.ldif
   template: src=load_modules_ldif.j2 dest=/tmp/load_modules.ldif
 
@@ -65,45 +61,28 @@
   template: src=manager_ldif3.j2 dest=/tmp/manager3.ldif mode=600
   sudo: true
 
-
-- name: make cert dir
-  file: path={{ ldapcert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
-  sudo: true
-
-- name: make key dir
-  file: path={{ ldapkey | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} mode=700
-  sudo: true
-
 - name: make ca dir
-  file: path={{ cacert | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
+  file: path={{ ldapCAChainDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
   sudo: true
 
 - name: make ldap certs dir
-  file: path={{ ldapCertDir }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
+  file: path={{ ldapCertDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
   sudo: true
-  when: ldapCertDir is defined
 
 - name: make ldap private dir
-  file: path={{ ldapPrivateDir }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
+  file: path={{ ldapKeyDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
   sudo: true
-  when: ldapPrivateDir is defined
 
-# Change to remove easy-rsa and to use fixed key and certs
-- name: copy fixed keys and certs from files directory
-  template: src=files/{{ item.src }} dest="{{ item.dest }}" mode={{ item.mode }} owner=root group=root
-  with_items: ldapCertFiles 
-  sudo: true
-  
 - name: copy cert
-  copy: src="files/{{ ldap_TLSCert }}" dest="{{ ldapcert }}"
+  copy: src="files/{{ ldapCertSrc }}" dest="{{ ldapCertDest }}"
   sudo: true
 
 - name: copy cacert
-  copy: src="files/{{ ldap_TLSCAChain }}" dest="{{ cacert }}"
+  copy: src="files/{{ ldapCAChainSrc }}" dest="{{ ldapCAChainDest }}"
   sudo: true
 
 - name: copy key
-  copy: src="files/{{ ldap_TLSKey }}" dest="{{ ldapkey }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }}
+  copy: src="files/{{ ldapKeySrc }}" dest="{{ ldapKeyDest }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }}
   sudo: true
 
 - name: enable ssl centos
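Review bot: The `make ldap private dir` task creates `{{ ldapKeyDest | dirname }}` without a mode, whereas the removed `make key dir` task created the key directory with `mode=700`, so the directory that now holds the TLS private key gets whatever the default umask produces. I would restore the restriction on that task: `file: path={{ ldapKeyDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} mode=700`. `copy key` also reads the key from the role's `files/` directory. The hunk does not show how that file is stored, but if it is committed to the repository it should be kept encrypted (for example with Ansible Vault) or supplied from outside the repository rather than checked in as plain text.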
@@ -117,12 +96,11 @@
   when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7'
 
 - name: check TLS config
-  shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: {{ ldapkey }}'"
+  shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: {{ ldapKeyDest }}'"
   ignore_errors: true
   sudo: true
   register: tlsConfigured
 
-
 - name: start ldap
   service: name=slapd state=restarted
   sudo: true
@@ -133,7 +111,7 @@
   when: tlsConfigured|failed
 
 - name: Initialise cosine and ppolicy
-  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/{{ item }}.ldif -D cn=config
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/{{ ldapDir }}/schema/{{ item }}.ldif -D cn=config
   with_items:
    - ppolicy
    - cosine
@@ -141,7 +119,6 @@
    - inetorgperson
   ignore_errors: true
   sudo: true
-  when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7'
       
 - name: check ppolicy module loaded
   shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
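Review bot: With the `when:` restriction removed, `Initialise cosine and ppolicy` now runs `ldapadd` on every distribution and on every play, and `ignore_errors: true` hides the difference between a schema that is already loaded and a real failure, such as a missing file under `/etc/{{ ldapDir }}/schema/`. A silently skipped `ppolicy` schema means the password-policy tasks later in the file start from a broken state. The other tasks in this file guard each change with a `slapcat -b cn=config | grep …` check registered to a variable and `when: <result>|failed`; the same pattern here would let real errors stop the play. `ldapDir` is only set in the CentOS and Debian vars files visible in this commit, so a distribution without its own vars file would presumably fail on an undefined variable. The task begins in the previous hunk.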
@@ -165,7 +142,6 @@
   sudo: true
   when: ppolicyOverlayConfigured|failed
 
-
 - name: check Manager config
   shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'"
   ignore_errors: true
@@ -201,8 +177,6 @@
   sudo: true
   when: aclConfigured|failed
 
-
-
 - name: check DIT config
   shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
   ignore_errors: true
@@ -212,7 +186,6 @@
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
   when: ditConfigured|failed
 
-
 - name: check real Accounts config
   shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
@@ -259,7 +232,6 @@
   sudo: true
   when: binddnConfigured|failed
 
-
 - name: check pwpolicies config
   shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
   ignore_errors: true
diff --git a/roles/ldapserver/templates/ssl_ldif.j2 b/roles/ldapserver/templates/ssl_ldif.j2
index b60604c40e2b185d7c0001cd30ada14b41eb405a..075e3a262401204d0fc81ff617f9397890a34755 100644
--- a/roles/ldapserver/templates/ssl_ldif.j2
+++ b/roles/ldapserver/templates/ssl_ldif.j2
@@ -1,9 +1,9 @@
 dn: cn=config
 replace: olcTLSCACertificateFile
-olcTLSCACertificateFile: {{ cacert }}
+olcTLSCACertificateFile: {{ ldapCAChainDest }}
 -
 replace: olcTLSCertificateFile
-olcTLSCertificateFile:  {{ ldapcert }}
+olcTLSCertificateFile:  {{ ldapCertDest }}
 -
 replace: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: {{ ldapkey }}
+olcTLSCertificateKeyFile: {{ ldapKeyDest }}
diff --git a/roles/ldapserver/vars/CentOS.yml b/roles/ldapserver/vars/CentOS.yml
index 7159629c2947b81c5502b014b053e4a09c1b4970..d8f1c966672eb9f480e37ec84dbdd6597ff5d929 100644
--- a/roles/ldapserver/vars/CentOS.yml
+++ b/roles/ldapserver/vars/CentOS.yml
@@ -1,5 +1,4 @@
 ---
-  ldapcert: /etc/openldap/certs/ldapcert.pem
-  ldapkey: /etc/openldap/certs/ldapkey.pem
-  cacert: /etc/openldap/certs/cacert.pem
+  ldapDir: "openldap"
   module_path: "/usr/lib64/openldap/"
+  
diff --git a/roles/ldapserver/vars/Debian.yml b/roles/ldapserver/vars/Debian.yml
index 7732d830f30bc489eba194ce251fcf02157542dc..a7d28315897cb38fd11029255b42d8c1a180e7e4 100644
--- a/roles/ldapserver/vars/Debian.yml
+++ b/roles/ldapserver/vars/Debian.yml
@@ -1,5 +1,3 @@
 ---
-  ldapcert: /etc/ldap/certs/ldapcert.pem
-  ldapkey: /etc/ldap/certs/ldapkey.pem
-  cacert: /etc/ldap/certs/cacert.pem
+  ldapDir: "ldap"
   module_path: "/usr/lib/ldap"
diff --git a/roles/ldapserver/vars/main.yml b/roles/ldapserver/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c6921d3d2afb66d54d54157077fbd5959e186637
--- /dev/null
+++ b/roles/ldapserver/vars/main.yml
@@ -0,0 +1,9 @@
+---
+ldapCertDest: "/etc/{{ ldapDir }}/ssl/certs/hpcldap0.erc.monash.edu.au.cert.pem"
+ldapKeyDest: "/etc/{{ ldapDir }}/ssl/private/hpcldao0.erc.monash.edu.au.key.pem"
+ldapCAChainDest: "/etc/{{ ldapDir }}/ssl/certs/MeRC_HPC_CaChain.cert.pem"
+
+ldapKeySrc: "hpcldap0.erc.monash.edu.au.key.pem"
+ldapCertSrc: "hpcldap0.erc.monash.edu.au.cert.pem"                         
+ldapCAChainSrc: "MeRC_HPC_CA_Chain.cert.pem"
+
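Review bot: `ldapKeyDest` spells the host as `hpcldao0` while `ldapKeySrc`, `ldapCertSrc` and `ldapCertDest` use `hpcldap0`, and `ldapCAChainDest` ends in `MeRC_HPC_CaChain.cert.pem` while `ldapCAChainSrc` is `MeRC_HPC_CA_Chain.cert.pem`; both look like typos. The play still works because the tasks and `ssl_ldif.j2` reference the same variables, but the key on disk will not be named like its certificate, which makes later audits and key rotation error-prone. I would use `ldapKeyDest: "/etc/{{ ldapDir }}/ssl/private/hpcldap0.erc.monash.edu.au.key.pem"`. These host-specific file names sit in the role's `vars/main.yml`, which takes precedence over inventory variables, so another LDAP host cannot easily supply its own certificate names; `defaults/main.yml` would be the usual place for overridable values. The `ldapCertSrc` line also carries trailing whitespace.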