diff --git a/roles/OpenVPN-Server/tasks/copyCerts.yml b/roles/OpenVPN-Server/tasks/copyCerts.yml
deleted file mode 100644
index c0a99622227b16d3465b8694e625f874246524ef..0000000000000000000000000000000000000000
--- a/roles/OpenVPN-Server/tasks/copyCerts.yml
+++ /dev/null
@@ -1,22 +0,0 @@
---- 
-- name: "Copying CA and server certificate"
-  shell: "cp -pvf /etc/easy-rsa/2.0/keys/ca.crt /etc/openvpn/; cp -pvf /etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.crt /etc/openvpn/; cp -pvf /etc/easy-rsa/2.0/keys/{{ inventory_hostname }}.key /etc/openvpn/"
-  args:
-    creates: /etc/openvpn/ca.crt
-- name: "Create symlink for Diffie Hellman"
-  file: "src=/etc/easy-rsa/2.0/keys/dh512.pem dest=/etc/openvpn/dh512.pem state=link"
-- name: "Copying server.conf to the OpenVPN server"
-  template: src={{ item }} dest=/etc/openvpn/server.conf
-  with_first_found:
-    - files:
-        - server.conf.j2
-        - userConfig
-        - defaultConfig
-      paths:
-        - ../templates/
-        - ../files/
-  notify: restart openvpn
-
-- name: "Start OpenVPN"
-  service: name=openvpn state=started
-  sudo: true
diff --git a/roles/karaage2.7/tasks/main.yml b/roles/karaage2.7/tasks/main.yml
index aa90c83f204973eb7bf6a6c5f2728c8194d5f37b..fe3197637d6756bbead854ed6806e26fa78ee0a7 100644
--- a/roles/karaage2.7/tasks/main.yml
+++ b/roles/karaage2.7/tasks/main.yml
@@ -1,8 +1,5 @@
 ---
 - include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
-- include_vars: passwords.yml
-
-
 
 - name: install system packages apt
   apt: name={{ item }} state=installed update_cache=true
@@ -99,8 +96,8 @@
   lineinfile:
   args:
     dest: /etc/karaage/global_settings.py
-    regexp: "LDAP_URL ="
-    line: "LDAP_URL = '{{ ldapURL }}'"
+    regexp: "LDAP_URL = "
+    line: "LDAP_URL = '{{ ldapURI }}'"
     backrefs: yes
   sudo: true
 
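Review bot: The new pattern `LDAP_URL = ` is unanchored, so it also matches a commented-out `# LDAP_URL = ...` line, and lineinfile rewrites the last line that matches. Because the task sets `backrefs: yes`, a settings file in which nothing matches is left unchanged without any failure, so a mismatch is easy to miss. Anchoring the pattern, e.g. `regexp: '^LDAP_URL\s*='`, avoids both problems. The same applies to the LDAP_BASE, LDAP_USER_BASE, LDAP_GROUP_BASE and LDAP_ADMIN_USER tasks in the following hunks. The task's `name:` line is outside this hunk.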
@@ -111,7 +108,7 @@
   args:
     dest: /etc/karaage/global_settings.py
     regexp: "LDAP_BASE ="
-    line: "LDAP_BASE = '{{ ldapDomain }}'"
+    line: "LDAP_BASE = '{{ ldapBase }}'"
     backrefs: yes
   sudo: true
 
@@ -120,7 +117,7 @@
   args:
     dest: /etc/karaage/global_settings.py
     regexp: "LDAP_USER_BASE="
-    line: "LDAP_USER_BASE = 'ou=Accounts,{{ ldapDomain }}'"
+    line: "LDAP_USER_BASE = '{{ ldapUserBase }}'"
     backrefs: yes
   sudo: true
 
@@ -129,7 +126,7 @@
   args:
     dest: /etc/karaage/global_settings.py
     regexp: "LDAP_GROUP_BASE="
-    line: "LDAP_GROUP_BASE = 'ou=Groups,{{ ldapDomain }}'"
+    line: "LDAP_GROUP_BASE = '{{ ldapGroupBase }}'"
     backrefs: yes
   sudo: true
 
@@ -138,7 +135,7 @@
   args:
     dest: /etc/karaage/global_settings.py
     regexp: "LDAP_ADMIN_USER ="
-    line: "LDAP_ADMIN_USER = 'cn=Manager,{{ ldapDomain }}'"
+    line: "LDAP_ADMIN_USER = '{{ ldapManager }}'"
     backrefs: yes
   sudo: true
   
diff --git a/roles/karaage2.7_noppolicy/files/defaultUnlocked.py b/roles/karaage2.7_noppolicy/files/defaultUnlocked.py
new file mode 100644
index 0000000000000000000000000000000000000000..c025f2ed1b7cf77e5ce24eb2569b1c92d76a9c4f
--- /dev/null
+++ b/roles/karaage2.7_noppolicy/files/defaultUnlocked.py
@@ -0,0 +1,22 @@
+# Copyright 2014 Monash University
+#
+# This file integrates with django-tldap.
+#
+# django-tldap is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# django-tldap is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with django-tldap  If not, see <http://www.gnu.org/licenses/>.
+
+import placard.ldap_passwd
+class defaultUnlockedMixin(object):
+    @classmethod
+    def is_locked(cls,self):
+        return False
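Review bot: `is_locked` returns False unconditionally, so any caller that consults this mixin to decide whether an account is locked will treat every account as unlocked. If that is the intent of the noppolicy role, the class needs a docstring that says so and names where lockout is enforced instead, for example `"""Always reports unlocked: no ppolicy overlay is in use, so lockout must be enforced elsewhere."""`. The `import placard.ldap_passwd` is not used in the visible file. The signature `is_locked(cls,self)` under `@classmethod` names its second argument `self`, which misleads a reader about what is being passed.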
diff --git a/roles/karaage2.7_noppolicy/meta/main.yml b/roles/karaage2.7_noppolicy/meta/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6e5176c2fcd927bdc8074588203fe3a9cd790bcf
--- /dev/null
+++ b/roles/karaage2.7_noppolicy/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: karaage2.7 }
diff --git a/roles/karaage2.7_noppolicy/tasks/main.yml b/roles/karaage2.7_noppolicy/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..de944debc7e561409309467791ffe2c7f559fa5c
--- /dev/null
+++ b/roles/karaage2.7_noppolicy/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name: install defaultUnlocked mixin
+  copy: dest=/usr/share/pyshared/placard/schemas/defaultUnlocked.py src=defaultUnlocked.py owner=root mode=644
+  sudo: true
+
+- name: link defaultUnlocked mixin
+  shell: ln -s /usr/share/pyshared/placard/schemas/defaultUnlocked.py /usr/lib/python2.7/dist-packages/placard/schemas/defaultUnlocked.py ;  ln -s /usr/share/pyshared/placard/schemas/defaultUnlocked.py /usr/lib/python2.6/dist-packages/placard/schemas/defaultUnlocked.py 
+  args:
+    creates: /usr/lib/python2.6/dist-packages/placard/schemas/defaultUnlocked.py
+  sudo: true
+
+- name: configure ldap mixins 1
+  lineinfile:  
+  args:
+    dest: /etc/karaage/ldap_schemas.py 
+    regexp: "from placard.schemas.pwdpolicy import pwdPolicyMixin" 
+    line: "from placard.schemas.defaultUnlocked import defaultUnlockedMixin" 
+    backrefs: yes
+  sudo: true
+
+- name: configure ldap mixins 2
+  lineinfile:  
+  args:
+    dest: /etc/karaage/ldap_schemas.py 
+    regexp: "    mixin_list = [ common.personMixin, pwdPolicyMixin, kPersonMixin ]"
+    line: "    mixin_list = [ common.personMixin, defaultUnlockedMixin, kPersonMixin ]"
+    backrefs: yes
+  sudo: true
+
+- name: configure ldap mixins 3
+  lineinfile:  
+  args:
+    dest: /etc/karaage/ldap_schemas.py 
+    regexp: "class person(rfc.person, rfc.organizationalPerson, rfc.inetOrgPerson, rfc.pwdPolicy, common.baseMixin):"
+    line: class person(rfc.person, rfc.organizationalPerson, rfc.inetOrgPerson, common.baseMixin):"
+    backrefs: yes
+  sudo: true
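Review bot: The `regexp` values in "configure ldap mixins 2" and "3" contain unescaped `[ ]` and `( )`, which the regex engine reads as a character class and a group, so neither pattern matches the literal source line. With `backrefs: yes` the file is then left untouched while task 1 has already replaced the import, leaving `pwdPolicyMixin` referenced but no longer imported. Escape the metacharacters, e.g. `regexp: '^    mixin_list = \[ common\.personMixin, pwdPolicyMixin, kPersonMixin \]'`, and likewise `\(` and `\)` in task 3. The `line:` of task 3 has lost its opening quote, so the value ends in a stray `"`; it should read `line: "class person(rfc.person, rfc.organizationalPerson, rfc.inetOrgPerson, common.baseMixin):"`.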
diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml
index 625ea2b585b70efc1aec3217f278e9e4ea31055f..a5ec4d6992069cba7b5dcc69e2d51c57829d9e29 100644
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
@@ -1,7 +1,6 @@
 ---
 
 - include_vars: "{{ hostvars[ansible_hostname]['ansible_distribution'] }}_{{ hostvars[ansible_hostname]['ansible_distribution_version'] }}_{{ ansible_architecture }}.yml"
-- include_vars: passwords.yml
 
 - name: install system packages apt
   apt: name={{ item }} state=installed update_cache=true
@@ -91,11 +90,12 @@
   register: tlsConfigured
 
 - name: check Manager config
-  shell: "slapcat -b cn=config | grep 'olcRootDN: cn=Manager,{{ ldapDomain }}'"
+  shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'"
   ignore_errors: true
   sudo: true
   register: managerConfigured
 
+# slapcat does a line wrap at character 78. Don't attempt to match on {{ ldapManager }} as it will cross two lines
 - name: check ACL config
   shell: "slapcat -b cn=config | grep 'olcAccess:' | grep 'cn=Manager'"
   ignore_errors: true
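Review bot: The added comment notes that slapcat wraps its output at column 78, but the "check Manager config" task just above now greps for `olcRootDN: {{ ldapManager }}`, which hits the same wrap once the DN is long enough. The check would then fail on every run and the manager configuration would presumably be treated as missing. If the installed slapcat supports it, `slapcat -o ldif-wrap=no -b cn=config` removes the problem for both checks; otherwise match on the `olcRootDN:` prefix only. The DN is also used as an unescaped grep pattern, so `grep -F` is the safer form.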
@@ -104,22 +104,22 @@
 
 
 - name: check DIT config
-  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b {{ ldapDomain }} objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
   ignore_errors: true
   register: ditConfigured
 
 - name: check Accounts config
-  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Accounts,{{ ldapDomain }} objectClass=*"
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
   register: accountsConfigured
 
 - name: check Groups config
-  shell: "ldapsearch -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -b ou=Groups,{{ ldapDomain }} objectClass=*"
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
   register: groupsConfigured
 
 - name: check binddn config
-  shell: "ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} -x -H ldap://localhost objectClass=dcObject"
   ignore_errors: true
   register: binddnConfigured
 
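Review bot: Each of these commands passes the bind password as `-w {{ ldapManagerPassword }}` (or `{{ ldapBindDNPassword }}`) inside a `shell:` string, so it is visible in the process list while the command runs and is recorded in Ansible's task output. Neither the password nor the DN variables are quoted for the shell. Add `no_log: true` to these tasks, quote the templated values (`-D {{ ldapManager | quote }}`), and prefer reading the password from a root-only file with `-y`. The same applies to the four `ldapadd` tasks in the next hunk, where `-x` is now given twice. "check binddn config" still searches `-b {{ ldapDomain }}` while the other checks moved to `{{ ldapBase }}`.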
@@ -140,58 +140,18 @@
   when: aclConfigured|failed
 
 - name: add DIT root
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/root.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
   when: ditConfigured|failed
 
 - name: add Accounts OU
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/accounts.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
   when: accountsConfigured|failed
 
 - name: add Groups OU
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/groups.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
   when: groupsConfigured|failed
 
 - name: add binddn
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/binddn.ldif
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
   sudo: true
   when: binddnConfigured|failed
-
-- name: check ppolicy module loaded
-  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
-  sudo: true
-  ignore_errors: true
-  register: ppolicyModuleLoaded
-
-- name: load ppolicy module
-  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_moduleload.ldif -D cn=config 
-  sudo: true
-  when: ppolicyModuleLoaded|failed
-
-- name: check ppolicy overlay config
-  shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}bdb,cn=config'"
-  ignore_errors: true
-  sudo: true
-  register: ppolicyOverlayConfigured
-
-- name: add ppolicy overlay
-  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config 
-  sudo: true
-  when: ppolicyOverlayConfigured|failed
-
-- name: check pwpolicies config
-  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
-  ignore_errors: true
-  register: pwpoliciesConfigured
-
-- name: add pwpolicies
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
-  when: pwpoliciesConfigured|failed
-
-- name: check defaultPwpolicy config
-  shell: ldapsearch -D cn=binddn,ou=Accounts,{{ ldapDomain }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
-  ignore_errors: true
-  register: defaultPpolicyConfigured
-
-- name: add defaultPwpolicy
-  shell: ldapadd -x -D cn=Manager,{{ ldapDomain }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
-  when: defaultPpolicyConfigured|failed
diff --git a/roles/ldapserver/templates/accounts_ldif.j2 b/roles/ldapserver/templates/accounts_ldif.j2
index 93e5fd93c030454d3da0945627a56726bef56c8a..e057dd1b491e270f831b3d4b79e803ae4c3560a7 100644
--- a/roles/ldapserver/templates/accounts_ldif.j2
+++ b/roles/ldapserver/templates/accounts_ldif.j2
@@ -1,2 +1,2 @@
-dn: ou=Accounts,{{ ldapDomain }}
+dn: {{ ldapUserBase }}
 objectClass: organizationalUnit
diff --git a/roles/ldapserver/templates/acls_ldif.j2 b/roles/ldapserver/templates/acls_ldif.j2
index 631f57ed8f8684c843aa87e5c7ae3cf2d53734f6..c9df71971300ed28b1a06cff14f346c36dca8524 100644
--- a/roles/ldapserver/templates/acls_ldif.j2
+++ b/roles/ldapserver/templates/acls_ldif.j2
@@ -1,6 +1,6 @@
 dn: olcDatabase={2}bdb,cn=config
 changetype: modify
 add: olcAccess
-olcAccess: {0}to attrs=userPassword by dn="cn=Manager,{{ ldapDomain }}" write by self write by * auth
-olcAccess: {1}to attrs=shadowLastChange by dn="cn=Manager,{{ ldapDomain }}" write by self write by * read
+olcAccess: {0}to attrs=userPassword by dn="{{ ldapManager }}" write by self write by * auth
+olcAccess: {1}to attrs=shadowLastChange by dn="{{ ldapManager }}" write by self write by * read
 olcAccess: {2}to * by users read by anonymous auth
diff --git a/roles/ldapserver/templates/binddn_ldif.j2 b/roles/ldapserver/templates/binddn_ldif.j2
index 553885b1e7fd8ad5e02dcc1f5636e4da13907864..3f2e31b68f556fb535f3ca06cb189d45f48077d3 100644
--- a/roles/ldapserver/templates/binddn_ldif.j2
+++ b/roles/ldapserver/templates/binddn_ldif.j2
@@ -1,4 +1,4 @@
-dn: cn=binddn,ou=Accounts,{{ ldapDomain }}
+dn: {{ ldapBindDN }}
 objectClass: inetOrgPerson
 cn: binddn
 sn: binddn
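Review bot: The entry DN now comes from `{{ ldapBindDN }}` while `cn: binddn` stays hard-coded, so a bind DN whose RDN is not `cn=binddn` yields an entry whose naming attribute does not match its DN, which the server is expected to reject. Either derive `cn` and `sn` from the same variable or document that `ldapBindDN` must begin with `cn=binddn,`. The rest of the template is outside this hunk.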
diff --git a/roles/ldapserver/templates/default_ppolicy_ldif.j2 b/roles/ldapserver/templates/default_ppolicy_ldif.j2
index 5d1847dc905aabb0248c3c5b7d1b11cb9a51e9c1..cc638a27e219461a3b033eee4701d53ca594bff3 100644
--- a/roles/ldapserver/templates/default_ppolicy_ldif.j2
+++ b/roles/ldapserver/templates/default_ppolicy_ldif.j2
@@ -1,6 +1,19 @@
 dn: cn=default,ou=pwpolicies,{{ ldapDomain }}
+cn: default
+objectClass: pwdPolicy
 objectClass: top
 objectClass: device
-objectClass: pwdPolicy
+pwdAllowUserChange: TRUE
 pwdAttribute: 2.5.4.35
-cn: default
+pwdExpireWarning: 604800
+pwdFailureCountInterval: 30
+pwdGraceAuthNLimit: 0
+pwdInHistory: 10
+pwdLockout: TRUE
+pwdLockoutDuration: 3600
+pwdMaxAge: 7776000
+pwdMaxFailure: 5
+pwdMinAge: 3600
+pwdMinLength: 12
+pwdMustChange: FALSE
+pwdSafeModify: FALSE
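Review bot: `pwdMinLength: 12` is set without `pwdCheckQuality`, and the password-policy overlay applies length checks only when quality checking is enabled (the default is 0), so the minimum length is likely not enforced. Add `pwdCheckQuality: 1`, or `2` to also reject passwords the server cannot inspect. The `dn:` still uses `{{ ldapDomain }}` although the other templates in this commit moved to dedicated base variables. This commit also removes the tasks in roles/ldapserver/tasks/main.yml that loaded the ppolicy module and added this entry, so confirm that something still applies the template.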
diff --git a/roles/ldapserver/templates/groups_ldif.j2 b/roles/ldapserver/templates/groups_ldif.j2
index 39890b039b41143faec775af91d3b36e433bed05..70386e0f9290e627b128dc7b92834d114bf714c1 100644
--- a/roles/ldapserver/templates/groups_ldif.j2
+++ b/roles/ldapserver/templates/groups_ldif.j2
@@ -1,2 +1,2 @@
-dn: ou=Groups,{{ ldapDomain }}
+dn: {{ ldapGroupBase }}
 objectClass: organizationalUnit
diff --git a/roles/ldapserver/templates/manager_ldif.j2 b/roles/ldapserver/templates/manager_ldif.j2
index 103847031a0842eb72fe2126b56eb94b061f5b9d..5cdf02169cbc2dc0e6cffc01122349fbc1cac325 100644
--- a/roles/ldapserver/templates/manager_ldif.j2
+++ b/roles/ldapserver/templates/manager_ldif.j2
@@ -4,7 +4,7 @@ replace: olcSuffix
 olcSuffix: {{ ldapDomain }}
 -
 replace: olcRootDN
-olcRootDN: cn=Manager,{{ ldapDomain }}
+olcRootDN: {{ ldapManager }}
 -
 add: olcRootPW
 olcRootPW: {{ ldapManagerHash.stdout }}
diff --git a/roles/ldapserver/vars/CentOS_6.6_x86_64.yml b/roles/ldapserver/vars/CentOS_6.6_x86_64.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f7898718dcef361447091f6a9b474a6505bd3343
--- /dev/null
+++ b/roles/ldapserver/vars/CentOS_6.6_x86_64.yml
@@ -0,0 +1,5 @@
+---
+ system_packages:
+  - openldap-servers
+  - openldap-clients
+  - openssl
diff --git a/roles/ldapserver/vars/main.yml b/roles/ldapserver/vars/main.yml
index a94437139fc51855a70dff6ad7143258fb21b714..45af19775f162034555d25a5a4eba04c3c82fa6a 100644
--- a/roles/ldapserver/vars/main.yml
+++ b/roles/ldapserver/vars/main.yml
@@ -1,3 +1,3 @@
 ---
- ldapuser:  ldap
- ldapgroup: ldap
+  ldapuser:  ldap
+  ldapgroup: ldap
diff --git a/roles/nfs-client/defaults/main.yml b/roles/nfs-client/defaults/main.yml
index 2c6b83527ec4617bfb43c276595554e67b761703..d201130985c95100cc8a7eb11b63fa87a5879af6 100644
--- a/roles/nfs-client/defaults/main.yml
+++ b/roles/nfs-client/defaults/main.yml
@@ -1,3 +1,6 @@
 ---
-nfs_type: "nfs"
-nfs_options: "vers=3,noatime,rsize=16384,wsize=16384,hard,intr,tcp,nolock"
+nfsClientSrcDir: '/mnt'
+nfsClientDestDir: '/mnt/test-nfs'
+nfs_server: 'nfsserver.edu' 
+nfs_type: 'nfs'
+nfs_options: 'vers=3,noatime,rsize=16384,wsize=16384,hard,intr,tcp,nolock'
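Review bot: The default `nfs_options` carry neither `nosuid` nor `nodev`, so wherever this default is used, setuid binaries and device nodes on the export are honoured by the client. Unless the mounts need them, append `,nosuid,nodev` to the option string. The new `nfs_server: 'nfsserver.edu'` default is a placeholder that looks like a real host name; leaving the variable undefined would make a missing override fail loudly instead of delegating to that name.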
diff --git a/roles/nfs-client/tasks/mountFileSystem.yml b/roles/nfs-client/tasks/mountFileSystem.yml
index 27b2328ca2ef3f12e8d49452d99b976dc9d3d57a..da39a8eb2842761fe07d79a5691e7d44aeb0c7b5 100644
--- a/roles/nfs-client/tasks/mountFileSystem.yml
+++ b/roles/nfs-client/tasks/mountFileSystem.yml
@@ -1,10 +1,10 @@
 --- 
 -
- name: "Get the NFS Network"
- setup: filter="ansible_tun0"
- register: nfsServer
- run_once: true
- delegate_to: "{{ nfs_server }}"
+  name: "Get the NFS Network"
+  setup: filter="ansible_tun0"
+  register: nfsServer
+  run_once: true
+  delegate_to: "{{ nfs_server }}"
 - 
   mount: "name={{ item.name }} src={{ nfsServer['ansible_facts']['ansible_tun0']['ipv4']['address'] }}:{{ item.src }} fstype={{ item.fstype }} opts={{ item.opts }} state=mounted"
   name: "Mounting NFS mounts"
diff --git a/roles/nfs-common/tasks/main.yml b/roles/nfs-common/tasks/main.yml
index c7e34d16ebe7f846fb5433b5c9dfacba4794c9a8..5f1757d5f6b2724de61540f7c82b23921ae46d18 100644
--- a/roles/nfs-common/tasks/main.yml
+++ b/roles/nfs-common/tasks/main.yml
@@ -1,2 +1,6 @@
 ---
 - include: yumPackages.yml
+
+- name: setup idmap.conf
+  template: src=idmap.conf.j2 dest=/etc/idmap.conf
+  sudo: true
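Review bot: The task renders `src=idmap.conf.j2` to `/etc/idmap.conf`, but the template this commit moves into the role is `idmapd.conf.j2`, and the openLdapClient task it replaces wrote `/etc/idmapd.conf`. As written the task would fail to find its source. It should read `template: src=idmapd.conf.j2 dest=/etc/idmapd.conf owner=root group=root mode=0644`. Nothing restarts the ID-mapping service after the file changes, so a `notify:` handler is needed for new settings to take effect.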
diff --git a/roles/openLdapClient/templates/idmapd.conf.j2 b/roles/nfs-common/templates/idmapd.conf.j2
similarity index 99%
rename from roles/openLdapClient/templates/idmapd.conf.j2
rename to roles/nfs-common/templates/idmapd.conf.j2
index ad560a27e09c95912e4e639c38f807e9fb3a109b..c5f6ad8544242a0fa4f4bfbe7a52075b4f7a5831 100644
--- a/roles/openLdapClient/templates/idmapd.conf.j2
+++ b/roles/nfs-common/templates/idmapd.conf.j2
@@ -2,7 +2,7 @@
 #Verbosity = 0
 # The following should be set to the local NFSv4 domain name
 # The default is the host's DNS domain name.
-Domain = {{ ldapDomain }} 
+Domain = {{ ansible_fqdn }} 
 
 # The following is a comma-separated list of Kerberos realm
 # names that should be considered to be equivalent to the
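Review bot: `Domain = {{ ansible_fqdn }}` gives every host its own fully qualified name as the NFSv4 domain, whereas the comment above describes this as the local NFSv4 domain name, which client and server have to agree on for name-to-ID mapping to work. With mismatched domains, file owners are typically mapped to nobody. `Domain = {{ ansible_domain }}` (the variable sssd.j2 uses in this commit) or a dedicated variable would match the intent. The rest of the template is outside this hunk.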
diff --git a/roles/nfs-server/tasks/startServer.yml b/roles/nfs-server/tasks/startServer.yml
index 17211aff0bab88c5d6d1ff05f2ed9046aea03f19..e8338d56c7265b4fb04a9f5626198d1f3bfe6846 100644
--- a/roles/nfs-server/tasks/startServer.yml
+++ b/roles/nfs-server/tasks/startServer.yml
@@ -1,7 +1,7 @@
 --- 
-- 
-  name: "Starting rpcbind"
-  service: "name=rpcbind state=started"
-- 
-  name: "Start the Server"
-  service: "name=nfs state=started"
+- name: "Starting rpcbind"
+  service: "name=rpcbind state=restarted"
+  sudo: true
+- name: "Start the Server"
+  service: "name=nfs state=restarted"
+  sudo: true
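Review bot: `state=restarted` restarts rpcbind and nfs on every play run even when nothing changed, which interrupts clients that have the exports mounted and makes both tasks report "changed" each time. Keep `state=started` here, with `enabled=yes` if the services should survive a reboot, and do the restart from a handler notified by whichever task changes the exports.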
diff --git a/roles/openLdapClient/defaults/main.yml b/roles/openLdapClient/defaults/main.yml
index a106dc093b84fc9f6390b1c74bde7cb1f01ab607..943ed859cbbe42cc152c91188f2cf9644469b13e 100644
--- a/roles/openLdapClient/defaults/main.yml
+++ b/roles/openLdapClient/defaults/main.yml
@@ -1,17 +1,3 @@
 ---
-ldapDomain: "monash.edu.au" 
-ldapUri: "ldaps://ldapserver.com/"
-ldapDn: "cn=ldapbind,cn=users,dc=monash,dc=edu,dc=au" 
-ldapPassword: "secret"
-ldapBase: "cn=users,dc=monash,dc=edu,dc=au"
-ldapUserClass: "user"
-ldapUserHomeDirectory: "unixHomeDirectory"
-ldapUserPricipal: "userPrincipalName"
-ldapGroupBase: "ou=groups,dc=monash,dc=edu,dc=au"
-tlsCaCertDirectory: "/etc/openldap/certs"
-tlsCaCertFile: "/etc/openldap/certs/ca.pem"
-ldapCaCertFileSource: "/etc/openldap/certs"
-cacertFile: "ca.pem"
 ldapRfc2307: ""
 ldapRfc2307Pam: ""
-ldapServerHost: "10.0.0.1 ldapserver.com"
diff --git a/roles/openLdapClient/handlers/main.yml b/roles/openLdapClient/handlers/main.yml
index d9a0a7d61f6aa04d738b605a9211d185629ef338..6005eec0b09c629769272934a285635147bb3e90 100644
--- a/roles/openLdapClient/handlers/main.yml
+++ b/roles/openLdapClient/handlers/main.yml
@@ -1,8 +1,4 @@
 ---
-- name: auth config
-  shell: authconfig --updateall
-  sudo: true
-
 - name: restart sssd 
   service: name=sssd state=restarted
   sudo: true
diff --git a/roles/openLdapClient/tasks/configLdapClient.yml b/roles/openLdapClient/tasks/configLdapClient.yml
index 0becac8d6a575d1deeaa704b34ef11ece736e330..0bcc83dbdcbe3b10638dafd3126ea5d9380ab25f 100644
--- a/roles/openLdapClient/tasks/configLdapClient.yml
+++ b/roles/openLdapClient/tasks/configLdapClient.yml
@@ -3,7 +3,6 @@
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:
     - pam_ldap.conf
-    - idmapd.conf
     - nsswitch.conf
   sudo: true
 
@@ -15,21 +14,13 @@
   template: src=authconfig.j2 dest=/etc/sysconfig/authconfig
   sudo: true
 
-- name: "Insert LDAP IP address LDAP to /etc/hosts"
-  lineinfile: dest=/etc/hosts line="{{ ldapServerHost }}" state=present insertafter=EOF
-  sudo: true
-
 - name: "Copy ldap.conf file "
   template: src=ldap.conf.j2 dest=/etc/openldap/ldap.conf
   sudo: true
 
-- name: "Copy ldap cacert file"
-  copy: src={{ ldapCaCertFileSource }} dest={{ tlsCaCertFile }} owner=root group=root mode=0644
-  sudo: true
-
 - name: "Copy sssd.conf to ldap client"
   template: src=sssd.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=600
   sudo: true
-  notify: auth config 
+  notify: restart sssd
 
 
diff --git a/roles/openLdapClient/tasks/main.yml b/roles/openLdapClient/tasks/main.yml
index 748236194d5ba6c9c64917b931b8594c56f15e93..4335800bef1c3529895fa56a3b4c5c6c2a4f2c8c 100644
--- a/roles/openLdapClient/tasks/main.yml
+++ b/roles/openLdapClient/tasks/main.yml
@@ -1,5 +1,5 @@
 ---
 -
- include: installOpenLdap.yml 
+  include: installOpenLdap.yml 
 -
- include: configLdapClient.yml 
+  include: configLdapClient.yml 
diff --git a/roles/openLdapClient/templates/ldap.conf.j2 b/roles/openLdapClient/templates/ldap.conf.j2
index cda2caf63e9bc11760c39cc52d27f2e372ba9b9e..c20d39ed9758fceac564698f006fcae022a9bec4 100644
--- a/roles/openLdapClient/templates/ldap.conf.j2
+++ b/roles/openLdapClient/templates/ldap.conf.j2
@@ -1,6 +1,5 @@
-TLS_CACERTDIR {{ tlsCaCertDirectory }} 
-TLS_CACERT {{ tlsCaCertFile }}
-URI {{ ldapUri }}
+TLS_CACERT {{ ldapCaCertFile }}
+URI {{ ldapURI }}
 BASE {{ ldapBase }} 
 
 timelimit 120
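Review bot: `TLS_CACERT {{ ldapCaCertFile }}` points at a file this role no longer installs, because the "Copy ldap cacert file" task is removed from configLdapClient.yml in the same commit and no default for `ldapCaCertFile` is visible. pam_ldap.conf.j2 and sssd.j2 reference the same variable. Unless another role places the CA file, certificate verification has nothing to verify against. Adding an explicit `TLS_REQCERT demand` here documents that a missing or wrong CA must fail closed.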
diff --git a/roles/openLdapClient/templates/nsswitch.conf.j2 b/roles/openLdapClient/templates/nsswitch.conf.j2
index 31c299a3ad99a7f2f0d060b981717a7e3c34f552..6fd6a802a835f6405fc3ceec765b038427b84ed3 100644
--- a/roles/openLdapClient/templates/nsswitch.conf.j2
+++ b/roles/openLdapClient/templates/nsswitch.conf.j2
@@ -30,9 +30,9 @@
 #shadow:    db files nisplus nis
 #group:     db files nisplus nis
 
-passwd:     files ldap 
-shadow:     files ldap
-group:      files ldap
+passwd:     files sss 
+shadow:     files sss 
+group:      files sss 
 
 #hosts:     db files nisplus nis dns
 hosts:      files dns
@@ -52,9 +52,9 @@ netmasks:   files
 networks:   files
 protocols:  files
 rpc:        files
-services:   files
+services:   files sss
 
-netgroup:   files ldap
+netgroup:   files sss 
 
 publickey:  nisplus
 
diff --git a/roles/openLdapClient/templates/pam_ldap.conf.j2 b/roles/openLdapClient/templates/pam_ldap.conf.j2
index c3e11fc82d399229627df01c8ceeb147d0afa9a0..61b04ce2459518f5b7e491be2e013820742061a8 100644
--- a/roles/openLdapClient/templates/pam_ldap.conf.j2
+++ b/roles/openLdapClient/templates/pam_ldap.conf.j2
@@ -17,7 +17,7 @@
 #host 127.0.0.1
 
 # The distinguished name of the search base.
-base {{ ldapBase }} 
+base {{ ldapBase }}
 
 # Another way to specify your LDAP server is to provide an
 # uri with the server name. This allows to use
@@ -27,7 +27,7 @@ base {{ ldapBase }}
 #uri ldapi://%2fvar%2frun%2fldapi_sock/
 # Note: %2f encodes the '/' used as directory separator
 # [aulmc used to be 11/10/2013 # uri ldap://m2-w.massive.org.au/ 
-uri {{ ldapDomain }} 
+uri {{ ldapURI }} 
 
 # The LDAP version to use (defaults to 3
 # if supported by client library)
@@ -35,11 +35,11 @@ uri {{ ldapDomain }}
 
 # The distinguished name to bind to the server with.
 # Optional: default is to bind anonymously.
-binddn {{ ldapDn }}
+binddn {{ ldapBindDN }}
 
 # The credentials to bind with. 
 # Optional: default is no credential.
-bindpw {{ ldapPassword }} 
+bindpw {{ ldapBindDNPassword }} 
 
 # The distinguished name to bind to the server with
 # if the effective user ID is root. Password is
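Review bot: `bindpw {{ ldapBindDNPassword }}` writes the bind password into /etc/pam_ldap.conf, and the task that renders this template (`template: src={{ item }}.j2 dest=/etc/{{ item }}` in configLdapClient.yml) sets no owner or mode. The file therefore gets default permissions, unlike sssd.conf, which is written with `mode=600`. Give this file an explicit restrictive mode, or use the `rootbinddn` mechanism described in the comment that follows, if local users should not be able to read the bind account's password. The template continues outside this hunk.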
@@ -220,19 +220,6 @@ nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,rad
 #pam_filter objectclass=User
 #pam_password ad
 
-# RFC 2307 (AD) mappings
-nss_base_group         ou=Groups,dc=massive,dc=org,dc=au?one
-nss_map_objectclass posixAccount user
-nss_map_objectclass shadowAccount user
-nss_map_attribute uid sAMAccountName
-nss_map_attribute homeDirectory unixHomeDirectory
-nss_map_attribute shadowLastChange pwdLastSet
-nss_map_objectclass posixGroup group
-nss_map_attribute uniqueMember member
-pam_login_attribute sAMAccountName
-pam_filter objectclass=User
-pam_password md5
-
 # configure --enable-authpassword is no longer supported
 # AuthPassword mappings
 #nss_map_attribute userPassword authPassword
@@ -300,7 +287,7 @@ pam_password md5
 ssl no
 #tls_cacertdir /etc/openldap/cacerts
 #pam_password md5
-tls_cacertdir {{ tlsCaCertDirectory }} 
-tls_cacertfile {{ tlsCaCertFile }}
+tls_cacertfile {{ ldapCaCertFile }}
 
+# RFC 2307 (AD) mappings
 {{ ldapRfc2307Pam }}
diff --git a/roles/openLdapClient/templates/sssd.j2 b/roles/openLdapClient/templates/sssd.j2
index 01deb52e3f8826d9ff2b03dcbb07123dd887c67a..9b7f8dbc8ed538cd0cd37ecde5c78a67bbf28f4e 100644
--- a/roles/openLdapClient/templates/sssd.j2
+++ b/roles/openLdapClient/templates/sssd.j2
@@ -1,19 +1,14 @@
 [sssd]
 config_file_version = 2
-domains = {{ ldapDomain }}
+domains = {{ ansible_domain }}
 services = nss, pam, autofs
-# SSSD will not start if you do not configure any domains.
-# Add new domain configurations as [domain/<NAME>] sections, and
-# then add the list of domains (in the order you want them to be
-# queried) to the "domains" attribute below and uncomment it.
-; domains = LDAP
 
 [nss]
 filter_users = root
 
 [pam]
 
-[domain/{{ ldapDomain}}]
+[domain/{{ ansible_domain }}]
 ldap_referrals = false
 cache_credentials = false
 entry_cache_timeout=3600
@@ -25,14 +20,13 @@ auth_provider = ldap
 chpass_provider = ldap
 access_provider = ldap
 
-ldap_uri = {{ ldapUri }} 
+ldap_uri = {{ ldapURI }} 
 ldap_id_use_start_tls = True
 ldap_tls_reqcert = allow 
-ldap_tls_cacertdir = {{ tlsCaCertDirectory }} 
-ldap_tls_cacert = {{ cacertFile }}
-ldap_default_bind_dn = {{ ldapDn }} 
+ldap_tls_cacert = {{ ldapCaCertFile }}
+ldap_default_bind_dn = {{ ldapBindDN }} 
 ldap_default_authtok_type = password
-ldap_default_authtok = {{ ldapPassword }} 
+ldap_default_authtok = {{ ldapBindDNPassword }} 
 
 {{ ldapRfc2307 }}
 
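Review bot: The new `ldap_tls_cacert = {{ ldapCaCertFile }}` has little effect while `ldap_tls_reqcert = allow` stays two lines above it. With `allow` the connection proceeds even when the server certificate cannot be verified, and `ldap_default_authtok` is then sent to that server. Set `ldap_tls_reqcert = demand` now that a CA file is configured. In the first hunk, `domains = {{ ansible_domain }}` renders an empty list on a host without a DNS domain, and the comment this commit removes notes that SSSD will not start without a configured domain, so a fallback or an assert is worth adding.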
diff --git a/roles/slurm-build/tasks/main.yml b/roles/slurm-build/tasks/main.yml
index add696e828fee1eee49d2f241442a7aa44d42724..6868f089b21149335e58fd05f37b610a69401333 100644
--- a/roles/slurm-build/tasks/main.yml
+++ b/roles/slurm-build/tasks/main.yml
@@ -31,10 +31,15 @@
     chdir: /tmp
     creates: /tmp/slurm-{{ slurm_version }}.tar.bz2
 
+- name: check munge installation
+  shell: rpm -qa munge
+  register: munge_installed
+
 - name: install munge deps
   shell: rpm -i /root/rpmbuild/RPMS/x86_64/munge-libs-{{ munge_version }}-1.el6.x86_64.rpm /root/rpmbuild/RPMS/x86_64/munge-{{ munge_version }}-1.el6.x86_64.rpm /root/rpmbuild/RPMS/x86_64/munge-devel-{{ munge_version }}-1.el6.x86_64.rpm
   sudo: true
-  ignore_errors: true
+#  ignore_errors: true
+  when: munge_installed | failed 
 
 - name: make slurm rpms
   shell: rpmbuild -ta --clean slurm-{{ slurm_version }}.tar.bz2
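Review bot: `rpm -qa munge` exits 0 whether or not the package is installed (it just prints nothing), so `munge_installed | failed` is never true and "install munge deps" is always skipped. Use `shell: rpm -q munge` with `ignore_errors: true` on the check, since `rpm -q` returns non-zero for a missing package, or test `munge_installed.stdout == ''`. The commented-out `#  ignore_errors: true` line should then be deleted rather than left in the task.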
@@ -49,7 +54,15 @@
   args:
     creates: /tmp/rpmbuild/RPMS/x86_64/slurm-{{ slurm_version }}-1.el6.x86_64.rpm
 
+#- name: retrieve rpms
+#  shell: scp -r {{ hostvars[ansible_hostname]['ansible_user_id'] }}@{{ ansible_ssh_host }}:/tmp/rpmbuild/ /tmp
+#  delegate_to: 127.0.0.1
+#  when: ansible_ssh_host | defined
+#  when: ansible_ssh_host | defined
+#  sudo: true
+
 - name: retrieve rpms
-  shell: scp -r {{ hostvars[ansible_hostname]['ansible_user_id'] }}@{{ ansible_ssh_host }}:/tmp/rpmbuild/ /tmp
+  shell: scp -r {{ hostvars[ansible_hostname]['ansible_user_id'] }}@{{ ansible_hostname }}:/tmp/rpmbuild/ /tmp
   delegate_to: 127.0.0.1
+#  when: ansible_ssh_host | not defined
 
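Review bot: `{{ ansible_hostname }}` is the short host name gathered from the target, which the control machine may not be able to resolve, and the address Ansible itself connected with is no longer used. `{{ ansible_ssh_host | default(inventory_hostname) }}` keeps both cases working. The commented-out copy of the task above it (with `when:` listed twice) and the trailing `#  when:` line are dead code and should be removed rather than committed. The user and host are also interpolated into the `scp` command unquoted.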
diff --git a/roles/slurm/tasks/main.yml b/roles/slurm/tasks/main.yml
index a3a5ca1950ac30106ab54692280e2a7d7d37d82b..d351e4603f55fc1c368adc881526ff4971fae576 100644
--- a/roles/slurm/tasks/main.yml
+++ b/roles/slurm/tasks/main.yml
@@ -1,6 +1,7 @@
 ---
 - name: copy rpms
   copy: src=/tmp/rpmbuild dest=/tmp/
+  sudo: true
 
 - name: install munge rpms
   shell: "rpm --install /tmp/rpmbuild/RPMS/x86_64/munge*{{ munge_version }}*rpm"
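Review bot: The packages are staged in /tmp/rpmbuild and then installed as root through the glob `munge*{{ munge_version }}*rpm`, so any file with a matching name already present in that world-writable location would be installed too. `copy` adds to an existing directory rather than replacing it. Staging in a root-owned directory with a restrictive mode, and naming the expected package files explicitly instead of globbing, closes that gap. The added `sudo: true` on the copy does not address this.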
@@ -27,9 +28,6 @@
   sudo: true
   ignore_errors: true
 
-- name: load munge key
-  include_vars: passwords.yml
-
 - name: install munge key
   template: src=munge_key.j2 dest=/etc/munge/munge.key
   sudo: true
diff --git a/scripts/make_passwords.py b/scripts/make_passwords.py
index f9fd8a9aef1e4476f9f779d58d8915fc9e3bd7c9..9cc0ec346e68f6c5cbe2d271c59ab2f17f58dd2c 100644
--- a/scripts/make_passwords.py
+++ b/scripts/make_passwords.py
@@ -25,13 +25,10 @@ try:
     f=open(pwpath,'r')
     data=yaml.load(f.read())
     f.close()
+    print data
 except Exception as e:
-    pass
-if data==None:
     data={}
 
-print data
-
 for pw in required_passwords.keys():
     if data.has_key(pw):
         pass
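Review bot: Removing `if data==None: data={}` means an existing but empty password file makes `yaml.load` return None without raising, and `data.has_key(pw)` in the loop below then fails with AttributeError. `data=yaml.safe_load(f.read()) or {}` restores the fallback and also stops the loader from constructing arbitrary objects from the file. The `print data` that now sits inside the `try` echoes every stored password to stdout and should be dropped. The broad `except Exception` also turns a malformed file into an empty dict, which presumably regenerates all passwords; catching only the missing-file case would be safer.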
diff --git a/scripts/makehosts.py b/scripts/makehosts.py
index 97e97afac86363a3107f3f066be10586460c05d9..fe0d7d92cc7961d3877eb7e239fb76d09173994a 100755
--- a/scripts/makehosts.py
+++ b/scripts/makehosts.py
@@ -12,7 +12,7 @@ hosts={}
 for group in d['groups'].keys():
     i=0
     for h in d['groups'][group]:
-        hosts[h] = ['%s %s.%s'%(h, h, domain)]
+        hosts[h] = ['%s.%s %s'%(h, domain, h)]
 
 for h in hosts.keys():
     if d['hostvars'].has_key(h):
diff --git a/topplay.yml b/topplay.yml
deleted file mode 100644
index 9591c9be74c23c504c491dbaba3163475cb602d9..0000000000000000000000000000000000000000
--- a/topplay.yml
+++ /dev/null
@@ -1,87 +0,0 @@
----
-
-# First we need hostname -f to return the correct domain
-
-- hosts: '*'
-  roles:
-  - {role: etcHosts, domain: 'test.massive.org.au' }
-
-# Create an x509 CA. Certificates are used for the VPN, the ldap server and the web server (karaage)
-
-- hosts: ManagmentNodes[0]
-  vars:
-  roles:
-  - { role: easy-rsa-CA }
-
-- hosts: 'ManagmentNodes'
-  vars:
-    x509_ca_server: "{{ groups['ManagmentNodes'][0] }}"
-    ldapDomain: "dc=test,dc=massive,dc=org,dc=au"
-  roles:
-  - { role: OpenVPN-Server }
-  - { role: ldapserver }
-
-- hosts: 'karaage'
-  vars:
-    x509_ca_server: "{{ groups['ManagmentNodes'][0] }}"
-    smtp_smarthost: "does_not_exist.massive.org.au"
-    ldapDomain: "dc=test,dc=massive,dc=org,dc=au"
-    ldapURL: "ldaps://{{ hostvars[groups['ManagmentNodes'][0]]['ansible_fqdn'] }}"
-  roles:
-  - { role: karaage2.7 }
-
-# The next two tasks, apply the VPN and recalcuate /etc/hosts. Comment them if you are on a secure network
-
-- hosts: ComputeNodes
-  vars:
-    x509_ca_server: "{{ groups['ManagmentNodes'][0] }}"
-    openvpn_servers: "{{ groups['ManagmentNodes'] }}"
-  roles:
-    - { role: OpenVPN-Client }
-
-- hosts: '*'
-  roles:
-  - {role: etcHosts, domain: 'test.massive.org.au' }
-
-# These tasks build some software (slurm, munge and openmpi) and copy them back to localhost. Skip if you have some other way of getting 
-# copyies of these software
-
-- hosts: ComputeNodes[0]
-  vars:
-    slurm_version: 14.11.0
-    munge_version: 0.5.11
-  roles:
-    - { role: slurm-build }
-
-# Slurm and openmpi tasks assume copies of the software in /tmp under a very specific directory strucutre (created by the build tasks above) Modifiy 
-# the roles if you have a different way of installing the software
-
-- hosts: ComputeNodes:ManagmentNodes:LoginNodes
-  vars:
-    slurm_version: 14.11.0
-    munge_version: 0.5.11
-    slurmqueues: 
-      - {name: batch, group: ComputeNodes}
-    slurmctrl: "{{ groups['ManagmentNodes'][0] }}"
-  roles:
-      - { role: slurm, slurm_use_vpn: true} # change to false if you are on a secure network
-      - { role: test_user }
-
-# These tasks build some software (slurm, munge and openmpi) and copy them back to localhost. Skip if you have some other way of getting 
-# copyies of these software
-
-- hosts: ComputeNodes[0]
-  vars:
-    openmpi_version: 1.8.3
-  roles:
-    - { role: openmpi-build }
-
-# Slurm and openmpi tasks assume copies of the software in /tmp under a very specific directory strucutre (created by the build tasks above) Modifiy 
-# the roles if you have a different way of installing the software
-
-- hosts: ComputeNodes:ManagmentNodes:LoginNodes
-  vars:
-    openmpi_version: 1.8.3
-  roles:
-      - { role: openmpi }
-