ben
/
infra
1
1
Fork 2
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
infra/roles/openldap/tasks/openldap.yml

348 lines
10 KiB
YAML
Raw Permalink Blame History

---
- name: create dir structure
file:
path: "{{ openldap_root }}/{{ item }}"
state: directory
mode: 0755
owner: openldap
group: openldap
recurse: false
with_items:
- ldap
- certs
- slapd.d
- ldif
# - name: copy certs that need to be owned by openldap user
# copy:
# src: "private/letsencrypt/{{ openldap_domain }}/{{ item }}"
# dest: "{{ openldap_root }}/certs/{{ item }}"
# owner: openldap
# group: openldap
# mode: 0600
# tags:
# - letsencrypt
# no_log: true
# with_items:
# - cert.pem
# - chain.pem
# - fullchain.pem
# - privkey.pem
- name: copy dhparam.pem
copy:
src: private/roles/openldap/files/dhparam.pem
dest: "{{ openldap_root }}/certs/dhparam.pem"
owner: openldap
group: openldap
mode: 0600
no_log: true
- name: start openldap container
docker_container:
name: openldap
hostname: "{{ openldap_url }}"
#domainname: "{{ openldap_domain }}"
image: git.sudo.is/ops/openldap:latest
auto_remove: false
detach: true
pull: true
restart_policy: "no"
state: started
container_default_behavior: compatibility
#user: "{{ openldap_uid }}:{{ openldap_gid }}"
mounts:
- type: bind
source: "{{ openldap_root }}/ldap"
target: /var/lib/ldap
- type: bind
source: "{{ openldap_root }}/slapd.d"
target: /etc/ldap/slapd.d
- type: bind
source: "/etc/letsencrypt/live/{{ openldap_domain }}"
target: /letsencrypt/
- type: bind
source: "{{ openldap_root }}/certs/dhparam.pem"
target: /container/service/slapd/assets/certs/dhparam.pem
- type: bind
source: "/usr/local/etc/certs/{{ openldap_domain }}/fullchain.pem"
target: /container/service/slapd/assets/certs/fullchain.pem
- type: bind
source: "/usr/local/etc/certs/{{ openldap_domain }}/cert.pem"
target: /container/service/slapd/assets/certs/cert.pem
- type: bind
source: "/usr/local/etc/certs/{{ openldap_domain }}/privkey.pem"
target: /container/service/slapd/assets/certs/privkey.pem
# - type: bind
# source: "{{ openldap_root }}/ldif"
# target: /container/service/slapd/assets/config/bootstrap/ldif/custom
ports:
- 389:389
- 636:636
env:
LDAP_LOG_LEVEL: "256"
LDAP_ORGANISATION: "{{ openldap_domain }}"
LDAP_DOMAIN: "{{ openldap_domain }}"
LDAP_BASE_DN: "{{ openldap_dc }}"
LDAP_ADMIN_PASSWORD: "{{ openldap_admin_pass }}"
LDAP_CONFIG_PASSWORD: "{{ openldap_config_pass }}"
LDAP_READONLY_USER: "true"
LDAP_READONLY_USER_USERNAME: "readonly"
LDAP_READONLY_USER_PASSWORD: "{{ openldap_readonly_pass }}"
LDAP_RFC2307BIS_SCHEMA: "false"
LDAP_BACKEND: "mdb"
LDAP_TLS: "true"
LDAP_TLS_CRT_FILENAME: "cert.pem"
LDAP_TLS_KEY_FILENAME: "privkey.pem"
LDAP_TLS_DH_PARAM_FILENAME: "dhparam.pem"
LDAP_TLS_CA_CRT_FILENAME: "fullchain.pem"
LDAP_TLS_ENFORCE: "false"
# defaults to: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
# based on Red Hat: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Hardening_TLS_Configuration.html
#LDAP_TLS_CIPHER_SUITE: "SECURE256:-VERS-SSL3.0"
LDAP_TLS_VERIFY_CLIENT: "try"
LDAP_REPLICATION: "false"
KEEP_EXISTING_CONFIG: "false"
LDAP_REMOVE_CONFIG_AFTER_SETUP: "true"
LDAP_SSL_HELPER_PREFIX: "ldap"
networks_cli_compatible: false
network_mode: bridgewithdns
networks:
- name: bridgewithdns
ipv4_address: "{{ bridgewithdns.openldap }}"
# labels:
# dockerlogs_format: "json"
tags:
- docker-containers
- openldap-container
- name: wait for openldap container to be ready
wait_for:
port: 389
state: started
host: localhost
sleep: 1
timeout: 10
tags:
- jellyfin-container
- name: start phpldapadmin container
docker_container:
name: phpldapadmin
image: osixia/phpldapadmin:latest
auto_remove: false
detach: true
pull: false
restart_policy: "unless-stopped"
state: started
container_default_behavior: compatibility
env:
PHPLDAPADMIN_LDAP_HOSTS: "openldap"
PHPLDAPADMIN_HTTPS: "false"
networks_cli_compatible: false
networks:
- name: bridgewithdns
ipv4_address: "{{ bridgewithdns.ldapadmin }}"
tags:
- docker-containers
# https://tylersguides.com/guides/openldap-how-to-add-a-user/
- name: apt packages that python-ldap depends on
apt:
name:
- libldap2-dev
- libsasl2-dev
- slapd
- ldap-utils
- tox
- lcov
- valgrind
update_cache: true
state: latest
- name: disable slapd service that apt enabled
service:
name: slapd
enabled: false
state: stopped
tags:
- slapd
- name: pip module for ldap tasks
pip:
name: python-ldap
state: latest
executable: pip3
tags:
- pip
- packages
- name: create ou's
community.general.ldap_entry:
dn: "ou={{ item }},{{ openldap_dc }}"
objectClass:
- organizationalUnit
server_uri: ldap://{{ openldap_url }}/
bind_dn: "{{ openldap_admin_user }}"
bind_pw: "{{ openldap_admin_pass }}"
tags:
- ldap-users
with_items:
- users
- usergroups
- groups
- services
- hosts
# this module doesnt change existing users if they exist, so it is setting anything that a user
# should be able to change themselves
- name: add inventory human users
community.general.ldap_entry:
dn: "uid={{ item.username }},ou=users,{{ openldap_dc }}"
objectClass:
- inetOrgPerson
- posixAccount
state: present
attributes:
sn: "{{ item.username }}"
cn: "{{ item.username }}"
mail: "{{ item.email }}"
displayName: "{{ item.username }}"
uidNumber: "{{ item.uid }}"
gidNumber: "{{ item.gid }}"
homeDirectory: "{{ item.home }}"
loginShell: "{{ item.shell }}"
server_uri: ldap://{{ openldap_url }}/
bind_dn: "{{ openldap_admin_user }}"
bind_pw: "{{ openldap_admin_pass }}"
loop_control:
label: "{{ item.username }}"
with_items: "{{ ldap_human_users }}" # see role/openldap/defaults/main.yml
tags:
- ldap-users
- name: add inventory ldap_only_users
community.general.ldap_entry:
dn: "uid={{ item.username }},ou=users,{{ openldap_dc }}"
objectClass:
- inetOrgPerson
state: present
attributes:
sn: "{{ item.username }}"
cn: "{{ item.username }}"
mail: "{{ item.email }}"
displayName: "{{ item.username }}"
server_uri: ldap://{{ openldap_url }}/
bind_dn: "{{ openldap_admin_user }}"
bind_pw: "{{ openldap_admin_pass }}"
loop_control:
label: "{{ item.username }}"
with_items: "{{ ldap_only_users_enabled }}"
tags:
- ldap-users
- ldap-only-users
- name: add inventory user groups
community.general.ldap_entry:
dn: "cn={{ item.username }},ou=usergroups,{{ openldap_dc }}"
objectClass:
- posixGroup
state: present
attributes:
gidNumber: "{{ item.gid }}"
memberUid: "{{ item.username }}"
server_uri: ldap://{{ openldap_url }}/
bind_dn: "{{ openldap_admin_user }}"
bind_pw: "{{ openldap_admin_pass }}"
loop_control:
label: "{{ item.username }}"
with_items: "{{ ldap_human_users }}"
tags:
- ldap-users
- name: create groups
community.general.ldap_entry:
dn: "cn={{ item }},ou=groups,{{ openldap_dc }}"
objectClass:
- groupOfUniqueNames
state: present
attributes:
uniqueMember: "{{ openldap_dc }}"
server_uri: ldap://{{ openldap_url }}/
bind_dn: "{{ openldap_admin_user }}"
bind_pw: "{{ openldap_admin_pass }}"
loop_control:
label: "{{ item }}"
with_items: "{{ openldap_groups }}"
tags:
- ldap-users
- ldap-groups
- name: adding inventory users to groups
community.general.ldap_attrs:
dn: "cn={{ item[0] }},ou=groups,{{ openldap_dc }}"
attributes:
uniqueMember: "uid={{ item[1].username }},ou=users,{{ openldap_dc }}"
state: "{%if item[0] in item[1].ldap_groups|default([])%}present{%else%}absent{%endif%}"
server_uri: ldap://{{ openldap_url }}/
bind_dn: "{{ openldap_admin_user }}"
bind_pw: "{{ openldap_admin_pass }}"
loop_control:
label: "{{ item[1].username }}, group={{ item[0] }}, present={{ item[0] in item[1].ldap_groups|default([]) }}"
with_nested:
- "{{ openldap_groups }}"
- "{{ ldap_human_users }}"
# when:
# - item[1] in item[0].ldap_groups|default([])
tags:
- ldap-users
- name: adding inventory ldap_only_users to groups
community.general.ldap_attrs:
dn: "cn={{ item[0] }},ou=groups,{{ openldap_dc }}"
attributes:
uniqueMember: "uid={{ item[1].username }},ou=users,{{ openldap_dc }}"
state: "{%if item[0] in item[1].ldap_groups|default([])%}present{%else%}absent{%endif%}"
server_uri: ldap://{{ openldap_url }}/
bind_dn: "{{ openldap_admin_user }}"
bind_pw: "{{ openldap_admin_pass }}"
loop_control:
label: "{{ item[1].username }}, group={{ item[0] }}, present={{ item[0] in item[1].ldap_groups|default([]) }}"
with_nested:
- "{{ openldap_groups }}"
- "{{ ldap_only_users_enabled }}"
tags:
- ldap-users
- name: remove disabled users
community.general.ldap_entry:
dn: "uid={{ item }},ou=users,{{ openldap_dc }}"
state: absent
server_uri: ldap://{{ openldap_url }}/
bind_dn: "{{ openldap_admin_user }}"
bind_pw: "{{ openldap_admin_pass }}"
loop_control:
label: "{{ item }}"
with_items: "{{ ldap_usernames_disabled }}"
tags:
- ldap-users
- ldap-users-disabled
# # this task will change attrs if they dont match
# - name: adding attrs that are
# community.general.ldap_attrs:
# dn: "uid={{ item.username }},ou=users,{{ openldap_dc }}"
# attributes:
# userPassword: "{{ item.ldap_pass }}"
# state: exact
# server_uri: ldap://{{ openldap_url }}/
# bind_dn: "{{ openldap_admin_user }}"
# bind_pw: "{{ openldap_admin_pass }}"
# with_items: "{{ userlist.values()|selectattr('enabled', 'true') }}"
# loop_control:
# label: "{{ item.username }}"
# tags:
# - ldap-users
View Git Blame Copy Permalink