Merge pull request #5 from shahaan/mcc-nectar

Mcc nectar

roles/OpenVPN-Server/tasks/copyCerts.yml

---- 
-- name: "Copying CA and server certificate"
-  shell: "cp -pvf /etc/easy-rsa/2.0/keys/ca.crt /etc/openvpn/; cp -pvf /etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt /etc/openvpn/; cp -pvf /etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.key /etc/openvpn/"
-  args:
-    creates: /etc/openvpn/ca.crt
-- name: "Create symlink for Diffie Hellman"
-  file: "src=/etc/easy-rsa/2.0/keys/dh512.pem dest=/etc/openvpn/dh512.pem state=link"
-- name: "Copying server.conf to the OpenVPN server"
-  template: src={{ item }} dest=/etc/openvpn/server.conf
-  with_first_found:
-    - files:
-        - server.conf.j2
-        - userConfig
-        - defaultConfig
-      paths:
-        - ../templates/
-        - ../files/
-  notify: restart openvpn
-
-- name: "Start OpenVPN"
-  service: name=openvpn state=started
-  sudo: true

roles/karaage2.7/tasks/main.yml

 ---
 - include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
-- include_vars: passwords.yml
-
-
 
 - name: install system packages apt
   apt: name={{ item }} state=installed update_cache=true
@@ -99,8 +96,8 @@
   lineinfile:
   args:
     dest: /etc/karaage/global_settings.py
-    regexp: "LDAP_URL ="
-    line: "LDAP_URL = '{{ ldapURL }}'"
+    regexp: "LDAP_URL = "
+    line: "LDAP_URL = '{{ ldapURI }}'"
     backrefs: yes
   sudo: true
 
@@ -111,7 +108,7 @@
   args:
     dest: /etc/karaage/global_settings.py
     regexp: "LDAP_BASE ="
-    line: "LDAP_BASE = '{{ ldapDomain }}'"
+    line: "LDAP_BASE = '{{ ldapBase }}'"
     backrefs: yes
   sudo: true
 
@@ -120,7 +117,7 @@
   args:
     dest: /etc/karaage/global_settings.py
     regexp: "LDAP_USER_BASE="
-    line: "LDAP_USER_BASE = 'ou=Accounts,{{ ldapDomain }}'"
+    line: "LDAP_USER_BASE = '{{ ldapUserBase }}'"
     backrefs: yes
   sudo: true
 
@@ -129,7 +126,7 @@
   args:
     dest: /etc/karaage/global_settings.py
     regexp: "LDAP_GROUP_BASE="
-    line: "LDAP_GROUP_BASE = 'ou=Groups,{{ ldapDomain }}'"
+    line: "LDAP_GROUP_BASE = '{{ ldapGroupBase }}'"
     backrefs: yes
   sudo: true
 
@@ -138,7 +135,7 @@
   args:
     dest: /etc/karaage/global_settings.py
     regexp: "LDAP_ADMIN_USER ="
-    line: "LDAP_ADMIN_USER = 'cn=Manager,{{ ldapDomain }}'"
+    line: "LDAP_ADMIN_USER = '{{ ldapManager }}'"
     backrefs: yes
   sudo: true
   

roles/karaage2.7_noppolicy/files/defaultUnlocked.py

+# Copyright 2014 Monash University
+#
+# This file integrates with django-tldap.
+#
+# django-tldap is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# django-tldap is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with django-tldap  If not, see <http://www.gnu.org/licenses/>.
+
+import placard.ldap_passwd
+class defaultUnlockedMixin(object):
+    @classmethod
+    def is_locked(cls,self):
+        return False

roles/karaage2.7_noppolicy/meta/main.yml

+---
+dependencies:
+  - { role: karaage2.7 }

roles/karaage2.7_noppolicy/tasks/main.yml

+---
+- name: install defaultUnlocked mixin
+  copy: dest=/usr/share/pyshared/placard/schemas/defaultUnlocked.py src=defaultUnlocked.py owner=root mode=644
+  sudo: true
+
+- name: link defaultUnlocked mixin
+  shell: ln -s /usr/share/pyshared/placard/schemas/defaultUnlocked.py /usr/lib/python2.7/dist-packages/placard/schemas/defaultUnlocked.py ;  ln -s /usr/share/pyshared/placard/schemas/defaultUnlocked.py /usr/lib/python2.6/dist-packages/placard/schemas/defaultUnlocked.py 
+  args:
+    creates: /usr/lib/python2.6/dist-packages/placard/schemas/defaultUnlocked.py
+  sudo: true
+
+- name: configure ldap mixins 1
+  lineinfile:  
+  args:
+    dest: /etc/karaage/ldap_schemas.py 
+    regexp: "from placard.schemas.pwdpolicy import pwdPolicyMixin" 
+    line: "from placard.schemas.defaultUnlocked import defaultUnlockedMixin" 
+    backrefs: yes
+  sudo: true
+
+- name: configure ldap mixins 2
+  lineinfile:  
+  args:
+    dest: /etc/karaage/ldap_schemas.py 
+    regexp: "    mixin_list = [ common.personMixin, pwdPolicyMixin, kPersonMixin ]"
+    line: "    mixin_list = [ common.personMixin, defaultUnlockedMixin, kPersonMixin ]"
+    backrefs: yes
+  sudo: true
+
+- name: configure ldap mixins 3
+  lineinfile:  
+  args:
+    dest: /etc/karaage/ldap_schemas.py 
+    regexp: "class person(rfc.person, rfc.organizationalPerson, rfc.inetOrgPerson, rfc.pwdPolicy, common.baseMixin):"
+    line: class person(rfc.person, rfc.organizationalPerson, rfc.inetOrgPerson, common.baseMixin):"
+    backrefs: yes
+  sudo: true

roles/ldapserver/tasks/main.yml

 ---
 
 - include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
-- include_vars: passwords.yml
 
 - name: install system packages apt
   apt: name={{ item }} state=installed update_cache=true
@@ -91,11 +90,12 @@
   register: tlsConfigured
 
 - name: check Manager config
-  shell: "slapcat -b cn=config | grep 'olcRootDN: cn=Manager,{{ ldapDomain }}'"
+  shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'"
   ignore_errors: true
   sudo: true
   register: managerConfigured
 
+# slapcat does a line wrap at character 78. Don't attempt to match on {{ ldapManager }} as it will cross two lines
 - name: check ACL config
   shell: "slapcat -b cn=config | grep 'olcAccess:' | grep 'cn=Manager'"
   ignore_errors: true
@@ -104,22 +104,22 @@
 
 
 - name: check DIT config
-  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b {{ ldapDomain }} objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
   ignore_errors: true
   register: ditConfigured
 
 - name: check Accounts config
-  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Accounts,{{ ldapDomain }} objectClass=*"
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
   register: accountsConfigured
 
 - name: check Groups config
-  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Groups,{{ ldapDomain }} objectClass=*"
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
   register: groupsConfigured
 
 - name: check binddn config
-  shell: "ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} -x -H ldap://localhost objectClass=dcObject"
   ignore_errors: true
   register: binddnConfigured
 
@@ -140,58 +140,18 @@
   when: aclConfigured|failed
 
 - name: add DIT root
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/root.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
   when: ditConfigured|failed
 
 - name: add Accounts OU
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/accounts.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
   when: accountsConfigured|failed
 
 - name: add Groups OU
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/groups.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
   when: groupsConfigured|failed
 
 - name: add binddn
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/binddn.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
   sudo: true
   when: binddnConfigured|failed
-
-- name: check ppolicy module loaded
-  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
-  sudo: true
-  ignore_errors: true
-  register: ppolicyModuleLoaded
-
-- name: load ppolicy module
-  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_moduleload.ldif -D cn=config 
-  sudo: true
-  when: ppolicyModuleLoaded|failed
-
-- name: check ppolicy overlay config
-  shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}bdb,cn=config'"
-  ignore_errors: true
-  sudo: true
-  register: ppolicyOverlayConfigured
-
-- name: add ppolicy overlay
-  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config 
-  sudo: true
-  when: ppolicyOverlayConfigured|failed
-
-- name: check pwpolicies config
-  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
-  ignore_errors: true
-  register: pwpoliciesConfigured
-
-- name: add pwpolicies
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
-  when: pwpoliciesConfigured|failed
-
-- name: check defaultPwpolicy config
-  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
-  ignore_errors: true
-  register: defaultPpolicyConfigured
-
-- name: add defaultPwpolicy
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
-  when: defaultPpolicyConfigured|failed

roles/ldapserver/templates/accounts_ldif.j2

-dn: ou=Accounts,{{ ldapDomain }}
+dn: {{ ldapUserBase }}
 objectClass: organizationalUnit

roles/ldapserver/templates/acls_ldif.j2

 dn: olcDatabase={2}bdb,cn=config
 changetype: modify
 add: olcAccess
-olcAccess: {0}to attrs=userPassword by dn="cn=Manager,{{ ldapDomain }}" write by self write by * auth
-olcAccess: {1}to attrs=shadowLastChange by dn="cn=Manager,{{ ldapDomain }}" write by self write by * read
+olcAccess: {0}to attrs=userPassword by dn="{{ ldapManager }}" write by self write by * auth
+olcAccess: {1}to attrs=shadowLastChange by dn="{{ ldapManager }}" write by self write by * read
 olcAccess: {2}to * by users read by anonymous auth

roles/ldapserver/templates/binddn_ldif.j2

-dn: cn=binddn,ou=Accounts,{{ ldapDomain }}
+dn: {{ ldapBindDN }}
 objectClass: inetOrgPerson
 cn: binddn
 sn: binddn

roles/ldapserver/templates/default_ppolicy_ldif.j2

 dn: cn=default,ou=pwpolicies,{{ ldapDomain }}
+cn: default
+objectClass: pwdPolicy
 objectClass: top
 objectClass: device
-objectClass: pwdPolicy
+pwdAllowUserChange: TRUE
 pwdAttribute: 2.5.4.35
-cn: default
+pwdExpireWarning: 604800
+pwdFailureCountInterval: 30
+pwdGraceAuthNLimit: 0
+pwdInHistory: 10
+pwdLockout: TRUE
+pwdLockoutDuration: 3600
+pwdMaxAge: 7776000
+pwdMaxFailure: 5
+pwdMinAge: 3600
+pwdMinLength: 12
+pwdMustChange: FALSE
+pwdSafeModify: FALSE

roles/ldapserver/templates/groups_ldif.j2

-dn: ou=Groups,{{ ldapDomain }}
+dn: {{ ldapGroupBase }}
 objectClass: organizationalUnit

roles/ldapserver/templates/manager_ldif.j2

@@ -4,7 +4,7 @@ replace: olcSuffix
 olcSuffix: {{ ldapDomain }}
 -
 replace: olcRootDN
-olcRootDN: cn=Manager,{{ ldapDomain }}
+olcRootDN: {{ ldapManager }}
 -
 add: olcRootPW
 olcRootPW: {{ ldapManagerHash.stdout }}

roles/ldapserver/vars/CentOS_6.6_x86_64.yml

+---
+ system_packages:
+  - openldap-servers
+  - openldap-clients
+  - openssl

roles/ldapserver/vars/main.yml

 ---
- ldapuser:  ldap
- ldapgroup: ldap
+  ldapuser:  ldap
+  ldapgroup: ldap

roles/nfs-client/defaults/main.yml

 ---
-nfs_type: "nfs"
-nfs_options: "vers=3,noatime,rsize=16384,wsize=16384,hard,intr,tcp,nolock"
+nfsClientSrcDir: '/mnt'
+nfsClientDestDir: '/mnt/test-nfs'
+nfs_server: 'nfsserver.edu' 
+nfs_type: 'nfs'
+nfs_options: 'vers=3,noatime,rsize=16384,wsize=16384,hard,intr,tcp,nolock'

roles/nfs-client/tasks/mountFileSystem.yml

 --- 
 -
- name: "Get the NFS Network"
- setup: filter="ansible_tun0"
- register: nfsServer
- run_once: true
- delegate_to: "{{ nfs_server }}"
+  name: "Get the NFS Network"
+  setup: filter="ansible_tun0"
+  register: nfsServer
+  run_once: true
+  delegate_to: "{{ nfs_server }}"
 - 
   mount: "name={{ item.name }} src={{ nfsServer['ansible_facts']['ansible_tun0']['ipv4']['address'] }}:{{ item.src }} fstype={{ item.fstype }} opts={{ item.opts }} state=mounted"
   name: "Mounting NFS mounts"

roles/nfs-common/tasks/main.yml

 ---
 - include: yumPackages.yml
+
+- name: setup idmap.conf
+  template: src=idmap.conf.j2 dest=/etc/idmap.conf
+  sudo: true

roles/openLdapClient/templates/idmapd.conf.j2 → roles/nfs-common/templates/idmapd.conf.j2

@@ -2,7 +2,7 @@
 #Verbosity = 0
 # The following should be set to the local NFSv4 domain name
 # The default is the host's DNS domain name.
-Domain = {{ ldapDomain }} 
+Domain = {{ ansible_fqdn }} 
 
 # The following is a comma-separated list of Kerberos realm
 # names that should be considered to be equivalent to the

roles/nfs-server/tasks/startServer.yml

 --- 
-- 
-  name: "Starting rpcbind"
-  service: "name=rpcbind state=started"
-- 
-  name: "Start the Server"
-  service: "name=nfs state=started"
+- name: "Starting rpcbind"
+  service: "name=rpcbind state=restarted"
+  sudo: true
+- name: "Start the Server"
+  service: "name=nfs state=restarted"
+  sudo: true

roles/openLdapClient/defaults/main.yml

 ---
-ldapDomain: "monash.edu.au" 
-ldapUri: "ldaps://ldapserver.com/"
-ldapDn: "cn=ldapbind,cn=users,dc=monash,dc=edu,dc=au" 
-ldapPassword: "secret"
-ldapBase: "cn=users,dc=monash,dc=edu,dc=au"
-ldapUserClass: "user"
-ldapUserHomeDirectory: "unixHomeDirectory"
-ldapUserPricipal: "userPrincipalName"
-ldapGroupBase: "ou=groups,dc=monash,dc=edu,dc=au"
-tlsCaCertDirectory: "/etc/openldap/certs"
-tlsCaCertFile: "/etc/openldap/certs/ca.pem"
-ldapCaCertFileSource: "/etc/openldap/certs"
-cacertFile: "ca.pem"
 ldapRfc2307: ""
 ldapRfc2307Pam: ""
-ldapServerHost: "10.0.0.1 ldapserver.com"