roles/karaage3.1.17/tasks/karaage.yml

@@ -2,7 +2,7 @@
 -
  name: "Installing prerequisites Debian"
  apt: name={{ item }} update_cache=yes
- sudo: true
+ become: true
  with_items:
   - libxml2-dev
   - libxslt1-dev
@@ -26,8 +26,8 @@
 
 -
  name: "Installing prerequisites Redhat"
- yum: name={{ item }} state=latest
- sudo: true
+ yum: name={{ item }} state=present
+ become: true
  with_items:
   - libxml2-devel
   - libxslt-devel
@@ -43,7 +43,7 @@
   - lapack-devel
   - blas-devel
   - libffi-devel
- when: ansible_os_family == "RedHat" 
+ when: ansible_os_family == "RedHat"
      #-
      # name: Install the latest pip
      # shell: easy_install pip
@@ -51,25 +51,18 @@
 
 -
  name: "Getting Karaage from Github"
- git: repo="https://github.com/monash-merc/karaage.git" dest="/root/karaage3.1.7" {% if karaage_source_version is defined %}version="{{ karaage_source_version }}" {% endif %} force=yes
- sudo: true
+ git: repo="https://github.com/monash-merc/karaage.git" dest="/root/karaage3.1.7" force=yes
+ become: true
 
--
- name: "Installing Karaage Dependencies"
- pip: name={{ item }}
- sudo: true
- with_items:
-  - six
-  - slimit
-  - ply
-  - cython
-  - django-celery
-  - pyasn1
-  - ldap3
-#  - mod_wsgi
+- name: Copy dependence file
+  copy: src=files/requirements.txt dest=/tmp/requirements.txt mode=644
+
+- name: "Installing Karaage Dependencies"
+  pip: requirements=/tmp/requirements.txt
+  become: true
 -
  name: "Restrict Django version to 1.7.8"
- sudo: true
+ become: true
  replace: dest=/root/karaage3.1.7/setup.py regexp="Django >= 1.7" replace="Django == 1.7.8"
 -
  name: "Installing Karaage from source"
@@ -77,23 +70,23 @@
  args:
   chdir: /root/karaage3.1.7
   creates: /root/karaage3.1.7/build/bdist.linux-x86_64
- sudo: true
+ become: true
 -
  name: "Templating Karaage settings"
  template: src=settings.py.j2 dest=/etc/karaage3/settings.py owner=root group={{ apache_user }} mode=0640
- sudo: true
+ become: true
 -
  name: "Templating project conf"
  template: src=kginit.conf.j2 dest=/etc/karaage3/kginit.conf owner=root group={{ apache_user }} mode=0640
- sudo: true
+ become: true
 -
  name: "Templating project init script"
  template: src=kg_init.j2 dest=/usr/bin/kg_init owner=root mode=755
- sudo: true
+ become: true
 -
  name: "Templating adding admin role script"
  template: src=kg_add_admin.j2 dest=/usr/bin/kg_add_admin owner=root mode=755
- sudo: true
+ become: true
 -
  name: "Creating karaage3 in /var directories log, lib "
  file: path={{ item }} state=directory owner=root group={{ apache_user }} mode=0775
@@ -101,100 +94,100 @@
   - /var/log/karaage3
   - /var/lib/karaage3
   - /var/cache/karaage3
- sudo: true
+ become: true
 
 - name: install karaage3-wsgi.conf
   template: src=karaage3-wsgi.conf.j2 dest=/etc/apache2/conf-available/karaage3-wsgi.conf
-  sudo: true
+  become: true
 
 - name: install karaage3-wsgi.conf
   template: src=index.html.j2 dest=/var/www/index.html
-  sudo: true
+  become: true
 
 - name: install karaage3-wsgi.conf
   template: src=kg-idps.j2 dest=/usr/bin/kg-idps mode=755
-  sudo: true
+  become: true
 
-- name: install shibboleth cache file 
-  template: src="files/{{ shibboleth_deploy }}_metadata.aaf.xml.j2" dest=/tmp/metadata.aaf.xml 
+- name: install shibboleth cache file
+  template: src="files/{{ shibboleth_deploy }}_metadata.aaf.xml.j2" dest=/tmp/metadata.aaf.xml
 
 -
  name: "enabling Karaage configuration"
  shell: a2enconf karaage3-wsgi
- sudo: true
+ become: true
  when: ansible_os_family == "Debian"
 -
  name: "enabling Karaage configuration"
  shell: cp -rvpf /root/karaage3.1.7/conf/karaage3-wsgi.conf /etc/httpd/conf.d/karaage3-wsgi.conf
- sudo: true
+ become: true
  when: ansible_os_family == "RedHat"
 
 
 -
  name: "Set Secret Key"
  lineinfile: dest=/etc/karaage3/settings.py regexp="SECRET_KEY = ''" line="SECRET_KEY = '{{ karaageSecretKey }}'" state=present
- sudo: true
+ become: true
 
 -
  name: "Check karaage DB has been initialized or not"
- shell: mysql -h {{ karaageDbHost }}  -u {{ karaageDbName }} --password={{ karaagePassword }} -Bse 'use karaage; show tables;' | wc -l 
+ shell: mysql -h {{ karaageDbHost }}  -u {{ karaageDbName }} --password={{ karaagePassword }} -Bse 'use karaage; show tables;' | wc -l
  register: karaage_db_init
 
 - name: enable wsgi
   shell: a2enmod wsgi
-  sudo: true
+  become: true
 
 - name: enable shibboleth
   shell: a2enmod shib2
-  sudo: true
+  become: true
 
 -
  name: " Create DB tables"
- shell: kg-manage migrate 
- sudo: true
+ shell: kg-manage migrate
+ become: true
  when: karaage_db_init.stdout.find("0") == 0
 
 -
  name: "Create IDP institutes (disable it as cache is not available)"
- shell: kg-idps /tmp/metadata.aaf.xml 
- sudo: true
+ shell: kg-idps /tmp/metadata.aaf.xml
+ become: true
  when: karaage_db_init.stdout.find("0") == 0
 
 -
  name: "Create projects"
  shell: kg_init /etc/karaage3/kginit.conf {{ admin_password }}
- sudo: true
+ become: true
  when: karaage_db_init.stdout.find("0") == 0
 
 - name: install postfix
   apt: name=postfix state=present
-  sudo: true
+  become: true
 
 - name: configure postfix
   template: src=main_cf.j2 dest=/etc/postfix/main.cf
-  sudo: true
+  become: true
   notify: restart postfix
 
 -
  name: "Reloading apache"
  service: name=apache2 state=reloaded
- sudo: true
+ become: true
  when: ansible_os_family == "Debian"
 
 -
  name: "Reloading apache"
  service: name=httpd state=reloaded
- sudo: true
+ become: true
  when: ansible_os_family == "RedHat"
 
 - name: "Start cron job for creating idps"
   cron: name=idps job=/usr/bin/kg-idps user=root day=*/1 state=present
-  sudo: true
+  become: true
 
 -
  name: "Templating username list"
  template: src=files/{{ item }} dest=/{{ user_id_file_dir }}/{{ item }}
  with_items: user_id_file
- sudo: true
+ become: true
  when: user_id_file is defined and user_id_file_dir is defined
 

roles/karaage3.1.17/tasks/main.yml

@@ -2,7 +2,7 @@
 
  - name: "Copying the ldap ca cert file"
    template: src="files/{{ ldap_TLSCARoot }}" dest="/etc/apache2/ssl/certs/ldap_ca.cert.pem" mode=0644
-   sudo: true
+   become: true
    when: apache_cert_file is defined
 
  - include: prerequisitesDebian.yml

roles/karaage3.1.17/tasks/prerequisitesDebian.yml

 ---
 -
   name: "Installing prereq packages"
-  sudo: true
+  become: true
   apt: name={{ item }} update_cache=yes
   with_items:
    - debian-keyring
-- 
-  apt_key: "url=http://code.vpac.org/debian/vpac-debian-key.gpg state=present"
-  name: "Installing the VPAC Debian Archive signing key"
-  sudo: true
-- 
-  apt_repository: "repo='deb     http://code.vpac.org/debian  jessie main' state=present"
-  name: "Adding VPAC repository in the source list"
-  sudo: true
-- 
-  apt_repository: "repo='deb-src http://code.vpac.org/debian  jessie main' state=present"
-  name: "Adding VPAC source repository"
-  sudo: true
-- 
+-
   apt: update_cache=yes
   name: "Upgrading apt..."
-  sudo: true
+  become: true
 

roles/karaage3.1.17/templates/index.html.j2

-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html>
-<body><h3>HPC identity system (The landing page is under the construction)</h3>
-<br>
-<p>Monash HPC identity system is a new HPC access control system. Access to the HPC ID system is done through the Australian Access Federation (AAF). This allows you to login using your Institutional username and password.
-<br>
-<br>
-If it is the first time you are using the system, it will give your options to select your existing HPC username for creating a new user account. You'll need to join projects before you can access HPC system.
-<br>
-<br>
-If your organisation is not a member of the AAF or if you need helps, please send HPC email support: help@massive.org.au.</p>
-<br>
-<p>Click following link <a href=https://{{ ansible_fqdn }}/aafbootstrap>to continue.</a></p>
-</body>
-</html>
+<html><body><h3>HPC identity management</h3>
+<p>To log in via AAF authentication, connect to <a href=https://{{ hpchostname }}.erc.monash.edu.au/aafbootstrap>aafbootstrap</a></p>
+<p>To log in without AAF authentication, connect to <a href=https://{{ hpchostname }}.erc.monash.edu.au/users>users</a></p>
+</body></html>

roles/ldapclient/defaults/main.yml

 ---
 ldapRfc2307: ""
 ldapRfc2307Pam: ""
+useTLS: True

roles/ldapclient/handlers/main.yml

 ---
-- name: restart sssd 
+- name: restart sssd
   service: name=sssd state=restarted
-  sudo: true
+  become: true

roles/ldapclient/tasks/configLdapClient.yml

@@ -2,43 +2,78 @@
 - name: "Copy configuration files to ldap client"
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:
-    - pam_ldap.conf
     - nsswitch.conf
-  sudo: true
+  become: true
+  become_user: root
 
 - name: "make basedir"
-  file: path="{{ ldapCaCertFile | dirname }}" state=directory owner=root
-  sudo: true
+  file: path="{{ ldapCaCertFile | dirname }}" state=directory owner=root follow=yes
+  become: true
+  become_user: root
   ignore_errors: true
+  when: ldapCaCertFile is defined
 
 - name: "Copy the CA cert"
   copy: src={{ ldapCaCertSrc }} dest={{ ldapCaCertFile }} owner=root mode=644
-  sudo: true
+  become: true
+  become_user: root
   when: ldapCaCertSrc is defined
 
 - name: "Template CA cert"
   template: src=ldapCaCert.j2 dest={{ ldapCaCertFile }} owner=root mode=644
-  sudo: true
+  become: true
+  become_user: root
   when: ldapCaCertContents is defined
 
 - name: "Copy system auth"
-  template: src=system-auth.j2 dest=/etc/pam.d/system-auth
-  sudo: true
+  template: src=system-auth.j2 dest=/etc/pam.d/system-auth-ac
+  become: true
+  become_user: root
+  when: ansible_os_family == 'RedHat'
 
 - name: "Copy password auth"
-  template: src=password-auth.j2 dest=/etc/pam.d/password-auth
-  sudo: true
+  template: src=password-auth.j2 dest=/etc/pam.d/password-auth-ac
+  become: true
+  become_user: root
+  when: ansible_os_family == 'RedHat'
 
 - name: "Add LDAP server IP address to /etc/hosts"
   lineinfile: dest=/etc/hosts line="{{ ldapServerHostIpLine }}" state=present insertafter=EOF
-  sudo: true
+  become: true
+  become_user: root
   when: ldapServerHostIpLine is defined
 
+- name: "Add LDAP server IP address to /etc/hosts"
+  lineinfile: dest=/etc/hosts line="{{ hostvars[groups['LDAPServer'][0]]['ansible_host'] }} {{ ldapServerHostName }}" state=present insertafter=EOF
+  become: true
+  become_user: root
+  when: ldapServerHostIpLine is not defined
+
 - name: "Copy sssd.conf to ldap client"
   template: src=sssd.j2 dest=/etc/sssd/sssd.conf owner=root group=root mode=600
-  sudo: true
+  become: true
+  become_user: root
   notify: restart sssd
 
+- name: Setting the size of /var/lib/sssd disk for ComputeNodes
+  set_fact: 
+        ssd_size: "80M"
+  when: not ( ( inventory_hostname in groups.LoginNodes ) or ( inventory_hostname in groups.BackupNodes ) or ( inventory_hostname in groups.ManagementNodes ) )
+
+- name: Setting the size of /var/lib/sssd disk for LoginNodes or Backup or Management Nodes
+  set_fact: 
+        ssd_size: "80M"
+  when: ( inventory_hostname in groups.LoginNodes ) or ( inventory_hostname in groups.BackupNodes ) or ( inventory_hostname in groups.ManagementNodes )
+
+- name: Print size of /var/lib/sssd disk
+  debug: msg="Size of /var/lib/sssd disk is {{ ssd_size }}"
+
+- name: "Make the cache a tmpfs"
+  mount: name=/var/lib/sss/db/ src=tmpfs fstype=tmpfs opts='size={{ ssd_size }}' state=mounted
+  become: true
+  become_user: root
+
 - name: "start sssd"
   service: name=sssd state=started enabled=yes
-  sudo: true
+  become: true
+  become_user: root

roles/ldapclient/tasks/installOpenLdap.yml

 ---
 - name: "Install open ldap package yum"
-  yum: name={{ item }} state=latest
-  with_items:
-    - openldap
-    - openldap-clients
-    - sssd
-    - sssd-common
-    - sssd-client
-    - nss
-    - nss-tools
-  sudo: true
+  yum:
+    name: ['openldap', 'openldap-clients', 'sssd', 'sssd-common', 'sssd-client', 'nss', 'nss-tools']
+    state: present
+  become: true
   when: ansible_os_family == 'RedHat'
 
 - name: "Install open ldap package apt"
-  action: apt pkg={{ item }} state=installed 
-  with_items:
-    - ldap-utils
-    - sssd 
-    - libpam-sss 
-  sudo: true
+  package:
+    name:
+      - ldap-utils
+      - sssd
+      - libpam-sss
+      - libnss-sss
+    state: present
+  become: true
   when: ansible_os_family == 'Debian'

roles/ldapclient/tasks/main.yml

 ---
 -
-  include: installOpenLdap.yml 
+  include: installOpenLdap.yml
 -
-  include: configLdapClient.yml 
+  include: configLdapClient.yml

roles/ldapclient/templates/sssd.j2

@@ -12,20 +12,31 @@ filter_groups = slurm, munge
 [domain/{{ ldapDomain }}]
 ldap_referrals = false
 cache_credentials = false
-entry_cache_timeout=60480
-memcache_timeout=60480
+entry_cache_timeout=5400
+memcache_timeout=300
 entry_cache_nowait_percentage=50
-enumerate = true
+enumerate = false
 
 id_provider = ldap
 auth_provider = ldap
 chpass_provider = ldap
 access_provider = ldap
 
-ldap_uri = {{ ldapURI }} 
-ldap_id_use_start_tls = True
-ldap_tls_reqcert = allow 
+{% if ldapROURI is defined %}
+ldap_uri = {{ ldapURI }}, {{ ldapROURI }}
+ldap_chpass_uri = {{ ldapURI }}
+{% else %}
+ldap_uri = {{ ldapURI }}
+{% endif %}
+ldap_id_use_start_tls = {{ useTLS }}
+{% if useTLS %}
+ldap_tls_reqcert = allow
+{% else %}
+ldap_tls_reqcert = never
+{% endif %}
+{% if ldapCaCertFile is defined %}
 ldap_tls_cacert = {{ ldapCaCertFile }}
+{% endif %}
 ldap_default_bind_dn = {{ ldapBindDN }} 
 ldap_default_authtok_type = password
 ldap_default_authtok = {{ ldapBindDNPassword }} 

roles/ldapclient/templates/system-auth.j2

 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
+
 auth        required      pam_env.so
+auth        required      pam_faildelay.so delay=2000000
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        sufficient    pam_sss.so use_first_pass
 auth        required      pam_deny.so
 
 account     required      pam_unix.so broken_shadow
+account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required      pam_permit.so
 
-password    requisite     pam_cracklib.so try_first_pass retry=3
-password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    sufficient    pam_sss.so use_authtok
 password    required      pam_deny.so
 
@@ -21,4 +24,4 @@ session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
-session     optional      pam_sss.so
+session     optional      pam_sss.so
\ No newline at end of file

roles/ldapserver/files/DB_CONFIG

+# one 0.25 GB cache
+set_cachesize 0 268435456 1
+
+# Transaction Log settings
+set_lg_regionmax 262144
+set_lg_bsize 2097152
+
+set_flags DB_LOG_AUTOREMOVE

roles/ldapserver/files/auxposixgroup.ldif

+dn: cn=auxPosixGroup,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: auxPosixGroup
+olcObjectClasses: ( 1.3.6.1.4.1.1.1.1.2.1 NAME 'auxPosixGroup' DESC 'Abstraction of a group of accounts' SUP top AUXILIARY MUST gidNumber MAY ( userPassword $ memberUid $ description ) )

roles/ldapserver/tasks/main.yml

 ---
+- name: include vars
+  include_vars:
+    file: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"
 
-- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"
-- include_vars: "{{ ansible_distribution }}.yml"
+- name: include vars2
+  include_vars:
+    file: "{{ ansible_distribution }}.yml"
 
 - name: install system packages apt
-  apt: name={{ item }} state=installed update_cache=true
-  sudo: true
-  with_items: system_packages
+  apt: name={{ system_packages }} state=present update_cache=true
+  become: true
   when: ansible_os_family == 'Debian'
 
 - name: install system packages yum
-  yum: name={{ item }} state=installed
-  sudo: true
-  with_items: system_packages
+  yum: name={{ system_packages }} state=present
+  become: true
   when: ansible_os_family == 'RedHat'
 
-- name: Fixed default configuration 
+- name: Fixed default configuration
   lineinfile: dest=/etc/default/slapd regexp='^SLAPD_SERVICES="ldap:/// ldapi:///"' line='SLAPD_SERVICES="ldaps:/// ldap:/// ldapi:///"'
-  sudo: true
+  become: true
   when: ansible_os_family == 'Debian'
 
 - name: hash password
@@ -51,65 +53,84 @@
 - name: template ssl.ldif
   template: src=ssl_ldif.j2 dest=/tmp/ssl.ldif mode=600
 
+- name: template acl_groups.ldif
+  template: src=acl_groups_ldif.j2 dest=/tmp/acl_groups.ldif mode=600
+
+- name: template load_memberof.ldif
+  template: src=load_memberof_ldif.j2 dest=/tmp/load_memberof.ldif mode=600
+
+- name: template load_refint.ldif
+  template: src=load_refint_ldif.j2 dest=/tmp/load_refint.ldif mode=600
+
+- name: template memberOfConfig.ldif
+  template: src=memberOfConfig_ldif.j2 dest=/tmp/memberOfConfig.ldif mode=600
+
+- name: template refint_config.ldif
+  template: src=refint_config_ldif.j2 dest=/tmp/refint_config.ldif mode=600
+
 - name: template manager.ldif
   template: src=manager_ldif.j2 dest=/tmp/manager.ldif mode=600
-  sudo: true
+  become: true
 - name: template manager2.ldif
   template: src=manager_ldif2.j2 dest=/tmp/manager2.ldif mode=600
-  sudo: true
+  become: true
 - name: template manager3.ldif
   template: src=manager_ldif3.j2 dest=/tmp/manager3.ldif mode=600
-  sudo: true
+  become: true
 
 - name: make ldap certs dir
   file: path={{ ldapCertDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
-  sudo: true
+  become: true
 
 - name: make ldap private dir
   file: path={{ ldapKeyDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} mode=700
-  sudo: true
+  become: true
 
 - name: copy cert
-  copy: src="files/{{ ldapCert }}" dest="{{ ldapCertDest }}"
-  sudo: true
+  copy: src="files_services/{{ ldapCert }}" dest="{{ ldapCertDest }}"
+  become: true
 
 - name: copy ca cert
-  copy: src="files/{{ ldapCAChain }}" dest="{{ ldapCAChainDest }}"
-  sudo: true
+  copy: src="files_services/{{ ldapCAChain }}" dest="{{ ldapCAChainDest }}"
+  become: true
 
 - name: copy ca root cert
-  copy: src="files/{{ ldap_TLSCARoot }}" dest="{{ ldapCARootDest }}"
-  sudo: true
+  copy: src="files_services/{{ ldap_TLSCARoot }}" dest="{{ ldapCARootDest }}"
+  become: true
   when: ldap_TLSCARoot is defined
 
 - name: copy key
-  copy: src="files/{{ ldapKey }}" dest="{{ ldapKeyDest }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }} 
-  sudo: true
+  copy: src="files_services/{{ ldapKey }}" dest="{{ ldapKeyDest }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }}
+  become: true
 
 - name: enable ssl centos
   lineinfile: regexp="SLAPD_LDAPS=no" state=present line="SLAPD_LDAPS=yes" dest=/etc/sysconfig/ldap
-  sudo: true
+  become: true
   when: ansible_os_family == 'RedHat' and ansible_distribution_major_version < '7'
 
 - name: enable ssl centos 7
   lineinfile: regexp="^SLAPD_URLS=" state=present line="SLAPD_URLS='ldaps:/// ldapi:/// ldap:///'" dest=/etc/sysconfig/slapd
-  sudo: true
+  become: true
   when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7'
 
-- name: check TLS config
+- name: check TLS config is present
   shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: {{ ldapKeyDest }}'"
   ignore_errors: true
-  sudo: true
+  become: true
   register: tlsConfigured
 
+- name: copy db config
+  copy: src=files/DB_CONFIG dest=/var/lib/ldap/DB_CONFIG owner={{ ldapuser }} group={{ ldapgroup }} mode=644
+  become: true
+
 - name: start ldap
   service: name=slapd state=restarted
-  sudo: true
+  become: true
 
 - name: initialise server ssl
-  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config 
-  sudo: true
-  when: tlsConfigured|failed
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config
+  become: true
+  when: tlsConfigured.failed
 
 - name: Initialise cosine and ppolicy
   shell: ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldapDir }}/schema/{{ item }}.ldif -D cn=config
@@ -119,55 +140,111 @@
    - nis
    - inetorgperson
   ignore_errors: true
-  sudo: true
-      
+  become: true
+
+- name: check auxposixgroup is present
+  shell: "slapcat -b cn=auxPosixGroup,cn=schema,cn=config | grep auxPosixGroup"
+  ignore_errors: true
+  become: true
+  register: auxposixgroup
+
+- name: copy the auxposixgroup schema
+  copy: src="files/auxposixgroup.ldif" dest="{{ ldapDir }}/schema/auxposixgroup.ldif"
+  become: true
+  become_user: root
+
+- name: load the auxposixgroup schema
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ ldapDir }}/schema/auxposixgroup.ldif" -D cn=config
+  become_user: root
+  become: true
+  when: auxposixgroup.failed
+
 - name: check ppolicy module loaded
   shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
-  sudo: true
+  become: true
   ignore_errors: true
   register: ppolicyModuleLoaded
 
 - name: load ppolicy module
-  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_modules.ldif -D cn=config 
-  sudo: true
-  when: ppolicyModuleLoaded|failed
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_modules.ldif -D cn=config
+  become: true
+  when: ppolicyModuleLoaded.failed
 
 - name: check ppolicy overlay config
-  shell: "slapcat -b cn=config | grep 'dn: olcOverlay=ppolicy,olcDatabase={.*}.db,cn=config'"
+  shell: "slapcat -b cn=config | grep 'dn: olcOverlay={.*}ppolicy,olcDatabase={.*}.db,cn=config'"
   ignore_errors: true
-  sudo: true
+  become: true
   register: ppolicyOverlayConfigured
 
 - name: add ppolicy overlay
-  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config 
-  sudo: true
-  when: ppolicyOverlayConfigured|failed
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config
+  become: true
+  when: ppolicyOverlayConfigured.failed
+
+- name: check refint module loaded
+  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}refint"
+  become: true
+  ignore_errors: true
+  register: refintModuleLoaded
+
+- name: load refint module
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_refint.ldif -D cn=config
+  become: true
+  when: refintModuleLoaded.failed
+
+- name: check memberof module loaded
+  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}memberof"
+  become: true
+  ignore_errors: true
+  register: memberofModuleLoaded
+
+- name: load memberof module
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_memberof.ldif -D cn=config
+  become: true
+  when: memberofModuleLoaded.failed
 
 - name: check Manager config
-  shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'"
+  shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManagerDN }}'"
   ignore_errors: true
-  sudo: true
+  become: true
   register: managerConfigured
 
 - name: initialise server manager
   shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config
-  sudo: true
-  when: managerConfigured|failed
-- name: initialise server manager
-  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config 
-  sudo: true
+  become: true
+#  when: managerConfigured.failed
+  
+- name: initialise server manager2
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config
+  become: true
   ignore_errors: true
-  when: managerConfigured|failed
-- name: initialise server manager
-  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager3.ldif -D cn=config 
-  sudo: true
-  when: managerConfigured|failed
+#  when: managerConfigured.failed
+
+- name: check member of config
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=olcMemberOf"
+  ignore_errors: true
+  register: memberOfConfigured
+
+- name: add member of config
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/memberOfConfig.ldif -D cn=config
+  when: memberOfConfigured.failed
+  become: true
+
+- name: check refinit config
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=olcRefintConfig"
+  ignore_errors: true
+  register: refintConfigured
+
+- name: add refint config
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/refint_config.ldif
+  when: refintConfigured.failed
+  become: true
 
 # slapcat does a line wrap at character 78. Don't attempt to match on {{ ldapManager }} as it will cross two lines
 - name: check ACL config
   shell: "slapcat -b cn=config | grep 'olcAccess:' | grep 'cn=Manager'"
   ignore_errors: true
-  sudo: true
+  become: true
   register: aclConfigured
 
 - name: template acls.ldif
@@ -175,48 +252,58 @@
 
 - name: initialise server acls
   shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
-  sudo: true
-  when: aclConfigured|failed
+  become: true
+  when: aclConfigured.failed
 
 - name: check DIT config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
   ignore_errors: true
   register: ditConfigured
 
 - name: add DIT root
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
-  when: ditConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
+  when: ditConfigured.failed
 
 - name: check real Accounts config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*"
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
   register: realAccountsConfigured
   when: ldapAccountBase is defined
 
 - name: add real Accounts OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/real_accounts.ldif
-  when: realAccountsConfigured is defined and realAccountsConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/real_accounts.ldif
+  when: realAccountsConfigured is defined and realAccountsConfigured.failed
 
 - name: check Groups config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*"
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
   register: groupsConfigured
 
 - name: add Groups OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
-  when: groupsConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
+  when: groupsConfigured.failed
+
+- name: check aclroups config
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapAclGroupBase }} -x -H ldap://localhost objectClass=*"
+  ignore_errors: true
+  register: aclgroupsConfigured
+
+- name: add aclgroups OU
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/acl_groups.ldif
+  when: aclgroupsConfigured.failed
+
 
 - name: check Accounts config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
   register: accountsConfigured
 
 - name: add Accounts OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
-  when: accountsConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
+  when: accountsConfigured.failed
 
 - name: check binddn config
-  shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} -x -H ldap://localhost objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
   ignore_errors: true
   register: binddnConfigured
 
@@ -226,28 +313,48 @@
 
 - name: template binddn.ldif
   template: src=binddn_ldif.j2 dest=/tmp/binddn.ldif mode=600
-  sudo: true
+  become: true
 
 - name: add binddn
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
-  sudo: true
-  when: binddnConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
+  become: true
+  when: binddnConfigured.failed
 
 - name: check pwpolicies config
-  shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapBase }} objectClass=*
   ignore_errors: true
   register: pwpoliciesConfigured
 
 - name: add pwpolicies
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
-  when: pwpoliciesConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
+  when: pwpoliciesConfigured.failed
 
 - name: check defaultPwpolicy config
-  shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapDomain }} objectClass=*
+  shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapBase }} objectClass=*
   ignore_errors: true
   register: defaultPpolicyConfigured
 
 - name: add defaultPwpolicy
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
-  when: defaultPpolicyConfigured|failed
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+  when: defaultPpolicyConfigured.failed
+
+- name: template monitoruser.ldif
+  template: src=monitoruser.ldif.j2 dest=/tmp/monitoruser.ldif
+
+- name: template monitoruser.ldif
+  template: src=monitoring.ldif.j2 dest=/tmp/monitoring.ldif
+
+- name: check monitoruser
+  shell: 'slapcat -b cn=monitor,ou=People,dc=erc,dc=monash,dc=edu,dc=au | grep "cn: monitor"'
+  ignore_errors: true
+  register: monitoruser
+  become: true
+
+- name: add monitoruser
+  #shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -H ldap://localhost -f /tmp/monitoruser.ldif
+  when: monitoruser.failed
 
+- name: add monitoruser
+  shell: ldapmodify -Y external -H ldapi:// -f /tmp/monitoring.ldif
+  when: monitoruser.failed

roles/ldapserver/templates/acl_groups_ldif.j2

+dn: {{ ldapAclGroupBase }}
+objectClass: organizationalUnit

roles/ldapserver/templates/acls_ldif.j2

 dn: {{ dbname }},cn=config
 changetype: modify
 add: olcAccess
-olcAccess: {0}to attrs=userPassword by dn="{{ ldapManager }}" write by self write by * auth
-olcAccess: {1}to attrs=shadowLastChange by dn="{{ ldapManager }}" write by self write by * read
+olcAccess: {0}to attrs=userPassword by dn="{{ ldapManagerDN }}" write by self write by * auth
+olcAccess: {1}to attrs=shadowLastChange by dn="{{ ldapManagerDN }}" write by self write by * read
 olcAccess: {2}to * by users read by anonymous auth

roles/ldapserver/templates/default_ppolicy_ldif.j2

-dn: cn=default,ou=pwpolicies,{{ ldapDomain }}
+dn: cn=default,ou=pwpolicies,{{ ldapBase }}
 cn: default
 objectClass: pwdPolicy
 objectClass: top
@@ -11,7 +11,7 @@ pwdGraceAuthNLimit: 0
 pwdInHistory: 10
 pwdLockout: TRUE
 pwdLockoutDuration: 3600
-pwdMaxAge: 7776000
+pwdMaxAge: 0
 pwdMaxFailure: 5
 pwdMinAge: 3600
 pwdMinLength: 12

roles/ldapserver/templates/load_memberof_ldif.j2

+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: {{ module_path }}
+olcModuleLoad: memberof.la

roles/ldapserver/templates/load_refint_ldif.j2

+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: {{ module_path }}
+olcModuleLoad: refint.la

roles/ldapserver/templates/manager_ldif.j2

 dn: {{ dbname }},cn=config
 changetype: modify
 replace: olcSuffix
-olcSuffix: {{ ldapDomain }}
+olcSuffix: {{ ldapBase }}
 -
 replace: olcRootDN
-olcRootDN: {{ ldapManager }}
+olcRootDN: {{ ldapManagerDN }}