Compare revisions

cae6bd7b · cae6bd7b · cae6bd7b · cae6bd7b · cae6bd7b · cae6bd7b
--- a/roles/openLdapClient/templates/nsswitch.conf.j2
+++ b/roles/openLdapClient/templates/nsswitch.conf.j2
--- a/roles/openLdapClient/templates/pam_ldap.conf.j2
+++ b/roles/openLdapClient/templates/pam_ldap.conf.j2
--- a/roles/openLdapClient/templates/password-auth.j2
+++ b/roles/openLdapClient/templates/password-auth.j2
--- a/roles/openLdapClient/templates/sssd.j2
+++ b/roles/openLdapClient/templates/sssd.j2
 [sssd]
 config_file_version = 2
-domains = {{ ansible_domain }}
+domains = {{ ldapDomain }}
 services = nss, pam, autofs

 [nss]
-filter_users = root
+filter_users = root, slurm, munge
+filter_groups = slurm, munge

 [pam]

-[domain/{{ ansible_domain }}]
+[domain/{{ ldapDomain }}]
 ldap_referrals = false
 cache_credentials = false
-entry_cache_timeout=3600
+entry_cache_timeout=5400
+memcache_timeout=300
 entry_cache_nowait_percentage=50
-enumerate = true
+enumerate = false

 id_provider = ldap
 auth_provider = ldap
 chpass_provider = ldap
 access_provider = ldap

-ldap_uri = {{ ldapURI }} 
-ldap_id_use_start_tls = True
-ldap_tls_reqcert = allow 
+{% if ldapROURI is defined %}
+ldap_uri = {{ ldapURI }}, {{ ldapROURI }}
+ldap_chpass_uri = {{ ldapURI }}
+{% else %}
+ldap_uri = {{ ldapURI }}
+{% endif %}
+ldap_id_use_start_tls = {{ useTLS }}
+{% if useTLS %}
+ldap_tls_reqcert = allow
+{% else %}
+ldap_tls_reqcert = never
+{% endif %}
+{% if ldapCaCertFile is defined %}
 ldap_tls_cacert = {{ ldapCaCertFile }}
+{% endif %}
 ldap_default_bind_dn = {{ ldapBindDN }} 
 ldap_default_authtok_type = password
 ldap_default_authtok = {{ ldapBindDNPassword }} 

--- a/roles/openLdapClient/templates/system-auth-ac.j2
+++ b/roles/openLdapClient/templates/system-auth-ac.j2
 #%PAM-1.0
 # This file is auto-generated.
 # User changes will be destroyed the next time authconfig is run.
+
 auth        required      pam_env.so
+auth        required      pam_faildelay.so delay=2000000
 auth        sufficient    pam_unix.so nullok try_first_pass
 auth        requisite     pam_succeed_if.so uid >= 500 quiet
 auth        sufficient    pam_sss.so use_first_pass
 auth        required      pam_deny.so

 account     required      pam_unix.so broken_shadow
+account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
 account     [default=bad success=ok user_unknown=ignore] pam_sss.so
 account     required      pam_permit.so

-password    requisite     pam_cracklib.so try_first_pass retry=3
-password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
+password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
 password    sufficient    pam_sss.so use_authtok
 password    required      pam_deny.so

@@ -21,4 +24,4 @@ session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
-session     optional      pam_sss.so
+session     optional      pam_sss.so
\ No newline at end of file
--- a/roles/ldapserver/files/DB_CONFIG
+++ b/roles/ldapserver/files/DB_CONFIG
+# one 0.25 GB cache
+set_cachesize 0 268435456 1
+
+# Transaction Log settings
+set_lg_regionmax 262144
+set_lg_bsize 2097152
+
+set_flags DB_LOG_AUTOREMOVE
--- a/roles/ldapserver/files/auxposixgroup.ldif
+++ b/roles/ldapserver/files/auxposixgroup.ldif
+dn: cn=auxPosixGroup,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: auxPosixGroup
+olcObjectClasses: ( 1.3.6.1.4.1.1.1.1.2.1 NAME 'auxPosixGroup' DESC 'Abstraction of a group of accounts' SUP top AUXILIARY MUST gidNumber MAY ( userPassword $ memberUid $ description ) )
--- a/roles/ldapserver/meta/main.yml
+++ b/roles/ldapserver/meta/main.yml
---
-dependencies:
-    - { role: easy-rsa-certificate, x509_csr_args: "", x509_sign_args: "--server", x509_cacert_file: "/etc/ssl/certs/ca.crt", x509_key_file: "/etc/ssl/private/server.key", x509_cert_file: "/etc/ssl/certs/server.crt", x509_common_name: "{{ ansible_fqdn }}" }
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
 ---
+- name: include vars
+  include_vars:
+    file: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"

- include_vars: "{{ ansible_distribution }}_{{ ansible_distribution_version }}_{{ ansible_architecture }}.yml"
+- name: include vars2
+  include_vars:
+    file: "{{ ansible_distribution }}.yml"

 - name: install system packages apt
-  apt: name={{ item }} state=installed update_cache=true
-  sudo: true
-  with_items: system_packages
+  apt: name={{ system_packages }} state=present update_cache=true
+  become: true
  when: ansible_os_family == 'Debian'

 - name: install system packages yum
-  yum: name={{ item }} state=installed
-  sudo: true
-  with_items: system_packages
+  yum: name={{ system_packages }} state=present
+  become: true
  when: ansible_os_family == 'RedHat'

+- name: Fixed default configuration
+  lineinfile: dest=/etc/default/slapd regexp='^SLAPD_SERVICES="ldap:/// ldapi:///"' line='SLAPD_SERVICES="ldaps:/// ldap:/// ldapi:///"'
+  become: true
+  when: ansible_os_family == 'Debian'
+
 - name: hash password
  command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapManagerPassword }}
  register: ldapManagerHash

- name: hash binddn password
-  command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapBindDNPassword }}
-  register: ldapBindDNHash
-
- name: template ssl.ldif
-  template: src=ssl_ldif.j2 dest=/tmp/ssl.ldif mode=600
-
- name: template manager.ldif
-  template: src=manager_ldif.j2 dest=/tmp/manager.ldif mode=600
-  sudo: true
-
- name: template binddn.ldif
-  template: src=binddn_ldif.j2 dest=/tmp/binddn.ldif mode=600
-  sudo: true
-
 - name: template root.ldif
  template: src=root_ldif.j2 dest=/tmp/root.ldif

 - name: template accounts.ldif
  template: src=accounts_ldif.j2 dest=/tmp/accounts.ldif

+- name: template real accounts.ldif
+  template: src=real_accounts_ldif.j2 dest=/tmp/real_accounts.ldif
+
 - name: template groups.ldif
  template: src=groups_ldif.j2 dest=/tmp/groups.ldif

- name: template acls.ldif
-  template: src=acls_ldif.j2 dest=/tmp/acls.ldif
-
- name: template ppolicy_moduleload.ldif
-  template: src=ppolicy_moduleload_ldif.j2 dest=/tmp/ppolicy_moduleload.ldif
+- name: template load_modules.ldif
+  template: src=load_modules_ldif.j2 dest=/tmp/load_modules.ldif

 - name: template ppolicy_overlay.ldif
  template: src=ppolicy_overlay_ldif.j2 dest=/tmp/ppolicy_overlay.ldif
@@ -57,101 +50,311 @@
 - name: template default_ppolicy.ldif
  template: src=default_ppolicy_ldif.j2 dest=/tmp/default_ppolicy.ldif

+- name: template ssl.ldif
+  template: src=ssl_ldif.j2 dest=/tmp/ssl.ldif mode=600
+
+- name: template acl_groups.ldif
+  template: src=acl_groups_ldif.j2 dest=/tmp/acl_groups.ldif mode=600
+
+- name: template load_memberof.ldif
+  template: src=load_memberof_ldif.j2 dest=/tmp/load_memberof.ldif mode=600
+
+- name: template load_refint.ldif
+  template: src=load_refint_ldif.j2 dest=/tmp/load_refint.ldif mode=600
+
+- name: template memberOfConfig.ldif
+  template: src=memberOfConfig_ldif.j2 dest=/tmp/memberOfConfig.ldif mode=600
+
+- name: template refint_config.ldif
+  template: src=refint_config_ldif.j2 dest=/tmp/refint_config.ldif mode=600
+
+- name: template manager.ldif
+  template: src=manager_ldif.j2 dest=/tmp/manager.ldif mode=600
+  become: true
+- name: template manager2.ldif
+  template: src=manager_ldif2.j2 dest=/tmp/manager2.ldif mode=600
+  become: true
+- name: template manager3.ldif
+  template: src=manager_ldif3.j2 dest=/tmp/manager3.ldif mode=600
+  become: true
+
+- name: make ldap certs dir
+  file: path={{ ldapCertDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }}
+  become: true
+
+- name: make ldap private dir
+  file: path={{ ldapKeyDest | dirname }} state=directory owner={{ ldapuser }} group={{ ldapgroup }} mode=700
+  become: true

 - name: copy cert
-  command: cp /etc/ssl/certs/server.crt /etc/openldap/certs/ldapcert.pem
-  sudo: true
+  copy: src="files_services/{{ ldapCert }}" dest="{{ ldapCertDest }}"
+  become: true

- name: copy cacert
-  command: cp /etc/ssl/certs/ca.crt /etc/openldap/certs/cacert.pem
-  sudo: true
+- name: copy ca cert
+  copy: src="files_services/{{ ldapCAChain }}" dest="{{ ldapCAChainDest }}"
+  become: true

- name: copy key
-  command: cp /etc/ssl/private/server.key /etc/openldap/certs/ldapkey.pem
-  sudo: true
+- name: copy ca root cert
+  copy: src="files_services/{{ ldap_TLSCARoot }}" dest="{{ ldapCARootDest }}"
+  become: true
+  when: ldap_TLSCARoot is defined

- name: chmod key
-  file: path=/etc/openldap/certs/ldapkey.pem owner={{ ldapuser }} group={{ ldapgroup }} mode=600
-  sudo: true
+- name: copy key
+  copy: src="files_services/{{ ldapKey }}" dest="{{ ldapKeyDest }}" mode=600 owner={{ ldapuser }} group={{ ldapgroup }}
+  become: true

 - name: enable ssl centos
  lineinfile: regexp="SLAPD_LDAPS=no" state=present line="SLAPD_LDAPS=yes" dest=/etc/sysconfig/ldap
-  sudo: true
-  when: ansible_os_family == 'RedHat'
+  become: true
+  when: ansible_os_family == 'RedHat' and ansible_distribution_major_version < '7'
+
+- name: enable ssl centos 7
+  lineinfile: regexp="^SLAPD_URLS=" state=present line="SLAPD_URLS='ldaps:/// ldapi:/// ldap:///'" dest=/etc/sysconfig/slapd
+  become: true
+  when: ansible_os_family == 'RedHat' and ansible_distribution_major_version >= '7'
+
+- name: check TLS config is present
+  shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: {{ ldapKeyDest }}'"
+  ignore_errors: true
+  become: true
+  register: tlsConfigured
+
+- name: copy db config
+  copy: src=files/DB_CONFIG dest=/var/lib/ldap/DB_CONFIG owner={{ ldapuser }} group={{ ldapgroup }} mode=644
+  become: true

 - name: start ldap
  service: name=slapd state=restarted
-  sudo: true
+  become: true

- name: check TLS config
-  shell: "slapcat -b cn=config | grep 'olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem'"
+- name: initialise server ssl
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config
+  become: true
+  when: tlsConfigured.failed
+
+- name: Initialise cosine and ppolicy
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldapDir }}/schema/{{ item }}.ldif -D cn=config
+  with_items:
+   - ppolicy
+   - cosine
+   - nis
+   - inetorgperson
  ignore_errors: true
-  sudo: true
-  register: tlsConfigured
+  become: true
+
+- name: check auxposixgroup is present
+  shell: "slapcat -b cn=auxPosixGroup,cn=schema,cn=config | grep auxPosixGroup"
+  ignore_errors: true
+  become: true
+  register: auxposixgroup
+
+- name: copy the auxposixgroup schema
+  copy: src="files/auxposixgroup.ldif" dest="{{ ldapDir }}/schema/auxposixgroup.ldif"
+  become: true
+  become_user: root
+
+- name: load the auxposixgroup schema
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ ldapDir }}/schema/auxposixgroup.ldif" -D cn=config
+  become_user: root
+  become: true
+  when: auxposixgroup.failed
+
+- name: check ppolicy module loaded
+  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}ppolicy"
+  become: true
+  ignore_errors: true
+  register: ppolicyModuleLoaded
+
+- name: load ppolicy module
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_modules.ldif -D cn=config
+  become: true
+  when: ppolicyModuleLoaded.failed
+
+- name: check ppolicy overlay config
+  shell: "slapcat -b cn=config | grep 'dn: olcOverlay={.*}ppolicy,olcDatabase={.*}.db,cn=config'"
+  ignore_errors: true
+  become: true
+  register: ppolicyOverlayConfigured
+
+- name: add ppolicy overlay
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/ppolicy_overlay.ldif -D cn=config
+  become: true
+  when: ppolicyOverlayConfigured.failed
+
+- name: check refint module loaded
+  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}refint"
+  become: true
+  ignore_errors: true
+  register: refintModuleLoaded
+
+- name: load refint module
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_refint.ldif -D cn=config
+  become: true
+  when: refintModuleLoaded.failed
+
+- name: check memberof module loaded
+  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}memberof"
+  become: true
+  ignore_errors: true
+  register: memberofModuleLoaded
+
+- name: load memberof module
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_memberof.ldif -D cn=config
+  become: true
+  when: memberofModuleLoaded.failed

 - name: check Manager config
-  shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'"
+  shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManagerDN }}'"
  ignore_errors: true
-  sudo: true
+  become: true
  register: managerConfigured

+- name: initialise server manager
+  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config
+  become: true
+#  when: managerConfigured.failed
+  
+- name: initialise server manager2
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager2.ldif -D cn=config
+  become: true
+  ignore_errors: true
+#  when: managerConfigured.failed
+
+- name: check member of config
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=olcMemberOf"
+  ignore_errors: true
+  register: memberOfConfigured
+
+- name: add member of config
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/memberOfConfig.ldif -D cn=config
+  when: memberOfConfigured.failed
+  become: true
+
+- name: check refinit config
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=olcRefintConfig"
+  ignore_errors: true
+  register: refintConfigured
+
+- name: add refint config
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/refint_config.ldif
+  when: refintConfigured.failed
+  become: true
+
 # slapcat does a line wrap at character 78. Don't attempt to match on {{ ldapManager }} as it will cross two lines
 - name: check ACL config
  shell: "slapcat -b cn=config | grep 'olcAccess:' | grep 'cn=Manager'"
  ignore_errors: true
-  sudo: true
+  become: true
  register: aclConfigured

+- name: template acls.ldif
+  template: src=acls_ldif.j2 dest=/tmp/acls.ldif
+
+- name: initialise server acls
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
+  become: true
+  when: aclConfigured.failed

 - name: check DIT config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
  ignore_errors: true
  register: ditConfigured

- name: check Accounts config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
+- name: add DIT root
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
+  when: ditConfigured.failed
+
+- name: check real Accounts config
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapAccountBase }} -x -H ldap://localhost objectClass=*"
  ignore_errors: true
-  register: accountsConfigured
+  register: realAccountsConfigured
+  when: ldapAccountBase is defined
+
+- name: add real Accounts OU
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/real_accounts.ldif
+  when: realAccountsConfigured is defined and realAccountsConfigured.failed

 - name: check Groups config
-  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*"
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=*"
  ignore_errors: true
  register: groupsConfigured

+- name: add Groups OU
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
+  when: groupsConfigured.failed
+
+- name: check aclroups config
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapAclGroupBase }} -x -H ldap://localhost objectClass=*"
+  ignore_errors: true
+  register: aclgroupsConfigured
+
+- name: add aclgroups OU
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/acl_groups.ldif
+  when: aclgroupsConfigured.failed
+
+
+- name: check Accounts config
+  shell: "ldapsearch -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
+  ignore_errors: true
+  register: accountsConfigured
+
+- name: add Accounts OU
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
+  when: accountsConfigured.failed
+
 - name: check binddn config
-  shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapDomain }} -x -H ldap://localhost objectClass=dcObject"
+  shell: "ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b {{ ldapBase }} -x -H ldap://localhost objectClass=dcObject"
  ignore_errors: true
  register: binddnConfigured

+- name: hash binddn password
+  command: /usr/sbin/slappasswd -h {SSHA} -s {{ ldapBindDNPassword }}
+  register: ldapBindDNHash

- name: initialise server ssl
-  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/ssl.ldif -D cn=config 
-  sudo: true
-  when: tlsConfigured|failed
+- name: template binddn.ldif
+  template: src=binddn_ldif.j2 dest=/tmp/binddn.ldif mode=600
+  become: true

- name: initialise server manager
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/manager.ldif -D cn=config 
-  sudo: true
-  when: managerConfigured|failed
+- name: add binddn
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
+  become: true
+  when: binddnConfigured.failed

- name: initialise server acls
-  shell:  ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/acls.ldif -D cn=config
-  sudo: true
-  when: aclConfigured|failed
+- name: check pwpolicies config
+  shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b ou=pwpolicies,{{ ldapBase }} objectClass=*
+  ignore_errors: true
+  register: pwpoliciesConfigured

- name: add DIT root
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/root.ldif
-  when: ditConfigured|failed
+- name: add pwpolicies
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -f /tmp/pwpolicies.ldif
+  when: pwpoliciesConfigured.failed

- name: add Accounts OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/accounts.ldif
-  when: accountsConfigured|failed
+- name: check defaultPwpolicy config
+  shell: ldapsearch -D {{ ldapBindDN }} -w {{ ldapBindDNPassword }} -b cn=default,ou=pwpolicies,{{ ldapBase }} objectClass=*
+  ignore_errors: true
+  register: defaultPpolicyConfigured

- name: add Groups OU
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
-  when: groupsConfigured|failed
+- name: add defaultPwpolicy
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+  when: defaultPpolicyConfigured.failed

- name: add binddn
-  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/binddn.ldif
-  sudo: true
-  when: binddnConfigured|failed
+- name: template monitoruser.ldif
+  template: src=monitoruser.ldif.j2 dest=/tmp/monitoruser.ldif
+
+- name: template monitoruser.ldif
+  template: src=monitoring.ldif.j2 dest=/tmp/monitoring.ldif
+
+- name: check monitoruser
+  shell: 'slapcat -b cn=monitor,ou=People,dc=erc,dc=monash,dc=edu,dc=au | grep "cn: monitor"'
+  ignore_errors: true
+  register: monitoruser
+  become: true
+
+- name: add monitoruser
+  #shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -f /tmp/default_ppolicy.ldif
+  shell: ldapadd -x -D {{ ldapManagerDN }} -w {{ ldapManagerPassword }} -H ldap://localhost -f /tmp/monitoruser.ldif
+  when: monitoruser.failed
+
+- name: add monitoruser
+  shell: ldapmodify -Y external -H ldapi:// -f /tmp/monitoring.ldif
+  when: monitoruser.failed
--- a/roles/ldapserver/templates/acl_groups_ldif.j2
+++ b/roles/ldapserver/templates/acl_groups_ldif.j2
+dn: {{ ldapAclGroupBase }}
+objectClass: organizationalUnit
--- a/roles/ldapserver/templates/acls_ldif.j2
+++ b/roles/ldapserver/templates/acls_ldif.j2
-dn: olcDatabase={2}bdb,cn=config
+dn: {{ dbname }},cn=config
 changetype: modify
 add: olcAccess
-olcAccess: {0}to attrs=userPassword by dn="{{ ldapManager }}" write by self write by * auth
-olcAccess: {1}to attrs=shadowLastChange by dn="{{ ldapManager }}" write by self write by * read
+olcAccess: {0}to attrs=userPassword by dn="{{ ldapManagerDN }}" write by self write by * auth
+olcAccess: {1}to attrs=shadowLastChange by dn="{{ ldapManagerDN }}" write by self write by * read
 olcAccess: {2}to * by users read by anonymous auth
--- a/roles/ldapserver/templates/default_ppolicy_ldif.j2
+++ b/roles/ldapserver/templates/default_ppolicy_ldif.j2
-dn: cn=default,ou=pwpolicies,{{ ldapDomain }}
+dn: cn=default,ou=pwpolicies,{{ ldapBase }}
 cn: default
 objectClass: pwdPolicy
 objectClass: top
@@ -11,7 +11,7 @@ pwdGraceAuthNLimit: 0
 pwdInHistory: 10
 pwdLockout: TRUE
 pwdLockoutDuration: 3600
-pwdMaxAge: 7776000
+pwdMaxAge: 0
 pwdMaxFailure: 5
 pwdMinAge: 3600
 pwdMinLength: 12

--- a/roles/ldapserver/templates/ldap.conf.j2
+++ b/roles/ldapserver/templates/ldap.conf.j2
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+URI {{ ldapURI }}
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT	{{ x509_cacert_file }}
--- a/roles/ldapserver/templates/load_memberof_ldif.j2
+++ b/roles/ldapserver/templates/load_memberof_ldif.j2
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: {{ module_path }}
+olcModuleLoad: memberof.la
--- a/roles/ldapserver/templates/ppolicy_moduleload_ldif.j2
+++ b/roles/ldapserver/templates/ppolicy_moduleload_ldif.j2
 dn: cn=module,cn=config
 objectClass: olcModuleList
 cn: module
-olcModulePath: /usr/lib64/openldap/
+olcModulePath: {{ module_path }} 
 olcModuleLoad: ppolicy.la
--- a/roles/ldapserver/templates/load_refint_ldif.j2
+++ b/roles/ldapserver/templates/load_refint_ldif.j2
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModulePath: {{ module_path }}
+olcModuleLoad: refint.la
--- a/roles/ldapserver/templates/manager_ldif.j2
+++ b/roles/ldapserver/templates/manager_ldif.j2
-dn: olcDatabase={2}bdb,cn=config
+dn: {{ dbname }},cn=config
 changetype: modify
 replace: olcSuffix
-olcSuffix: {{ ldapDomain }}
+olcSuffix: {{ ldapBase }}
 -
 replace: olcRootDN
-olcRootDN: {{ ldapManager }}
-
-add: olcRootPW
-olcRootPW: {{ ldapManagerHash.stdout }}
+olcRootDN: {{ ldapManagerDN }}
--- a/roles/ldapserver/templates/manager_ldif2.j2
+++ b/roles/ldapserver/templates/manager_ldif2.j2
+dn: {{ dbname }},cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {{ ldapManagerHash.stdout }}
--- a/roles/ldapserver/templates/manager_ldif3.j2
+++ b/roles/ldapserver/templates/manager_ldif3.j2
+dn: {{ dbname }},cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {{ ldapManagerHash.stdout }}
--- a/roles/ldapserver/templates/memberOfConfig_ldif.j2
+++ b/roles/ldapserver/templates/memberOfConfig_ldif.j2
+dn: olcOverlay=memberof,{{ dbname }},cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
No results found