first working version of the role

Author: davidcoutadeur

README.md

@@ -1,12 +1,13 @@
 OpenLDAP
 ========
 
-Ansible role which installs and configures [LTP-Projects](https://ltb-project.org/)'s OpenLDAP.
+Ansible role which installs and configures [LTB-Project](https://ltb-project.org/)'s OpenLDAP.
 
 Requirements
 ------------
 
-n/a
+- ansible
+- HTTP connection to the LTB-project's repository
 
 Role Variables
 --------------
@@ -24,11 +25,13 @@ Dependencies
 Example Playbook
 ----------------
 
-Install and configure OpenLDAP on your servers:
+See `tests/test.yml`
 
-    - hosts: openldap_servers
-      roles:
-         - ldaptoolbox.openldap
+Run playbook with:
+
+```
+ansible-playbook tests/test.yml -i tests/inventory --ask-vault-pass
+```
 
 License
 -------

defaults/main.yml

@@ -43,15 +43,7 @@ ldaptoolbox_openldap_custom_schema_srcdir: ""
 ldaptoolbox_openldap_custom_schema_list: []
 ldaptoolbox_openldap_schema_dir: /usr/local/openldap/etc/openldap/schema
 
-ldaptoolbox_openldap_manager: ""
-ldaptoolbox_openldap_suffix: ""
-
-ldaptoolbox_openldap_syncrepl:
-- rid: 001
-  provider: "ldap://localhost:389/"
-  binddn: "{{ ldaptoolbox_openldap_"
-  password: "{{ ldaptoolbox_openldap_syncrepl_password }}"
-  searchbase: ""
+ldaptoolbox_openldap_suffix: "dc=my-domain,dc=com"
 
 ldaptoolbox_olcPasswordHash: "{ARGON2}"
 

templates/var/backups/openldap/config.ldif

@@ -154,7 +154,7 @@ dn: olcDatabase={2}monitor,cn=config
 objectClass: olcDatabaseConfig
 olcDatabase: {2}monitor
 olcRootDN: {{ ldaptoolbox_openldap_monitor_olcRootDN }}
-olcRootPW: {{ ldaptoolbox_openldap_monitor_olcRootPW }}
+olcRootPW: {{ ldaptoolbox_openldap_monitor_olcRootPW_hash }}
 olcAddContentAcl: FALSE
 olcLastMod: TRUE
 olcMaxDerefDepth: 15

tests/credentials-vault.yml

@@ -0,0 +1,32 @@
+$ANSIBLE_VAULT;1.1;AES256
+37346662633864343863613765313565646332363862653762336333653463613935356139623466
+6662616236333863363635623861646337373762623863380a313665623265353730363838303464
+33613665656335353063363431643530623261363938353735623561353839303266643739373239
+6230333536383634330a393337393865346464623632303461393433636165643131373166643361
+32313938666335623835316539643166666336373764336264306365653466333639363066386562
+32663864373166643664343137363463376631616363646137643535623931366631323739363265
+34313533353164616261373332643835666662373862633161306663323461626338613338313062
+30316163366434656664373830316366653065363438333431633162653237613939626465626534
+30356237346339633530373662313465303130303133363561303234373466326531313062653139
+35333161613038376266316333393363393736356539633363393864373766656232323033653931
+38343863643066376435346539633161393266313232356261646563356530366164316462633331
+61376361353730666635336631343265656331303966666364363637623237626466363239313066
+61323664386661396261343832633261623462613661343463346639343265626539623332613531
+66366561666134313361633461383138623737316161653539313131653266653332323633323563
+39613365306638316535613331323836366631633065393666643565633662616635623031373939
+35376366663237636237346235653135626630356133643135656433633732666135333337336664
+66613765303934666163656430643163306530626361306364353165313830666261393766363162
+36313239396230303763346334633737323666313466613336616238616537313462663963333239
+30386361626137386635626363396363366564643534316133643339303838313566376536353730
+38303565326136363665303030396239373066613764326364353130653864633534363634376238
+39616466393637393639613064346538636139386636373430626237633838316433613335356533
+32383162356337323032343231356336643966333739313333336531626537353333366264373163
+38353734313965353135373164636633613335323166386633613836326464376134663231626565
+30623866313662623565326463646264653638356336366563663161346464623232383563376237
+33396563616638306436636164386537323437626533393334393138396533663930333531663039
+65646438626239313166363465356536616666323838353938303632323430623330316339613766
+34336632643735326563376138343731643734363332646338663536613038666166353532333231
+35646338663333383035646233353139666163616265353831363463653937373833643832386165
+65366336633361366534336163313534646263363333613732363161663962643339373665663730
+63346135316534326463303865373137383939393633623261333566343733313864333965656531
+333164333263326366343466323234333837

tests/files/ldaptoolbox.oldap/usr/local/openldap/etc/openldap/schema/custom.ldif

@@ -0,0 +1 @@
+# Custom ldif schema

tests/host_vars/localhost.yml

@@ -0,0 +1,82 @@
+# Configuration openldap
+# ----------------------
+
+ldaptoolbox_openldap_custom_schema_srcdir: "{{ playbook_dir }}/files/ldaptoolbox.oldap/usr/local/openldap/etc/openldap/schema"
+ldaptoolbox_openldap_custom_schema_list:
+  - custom.ldif
+
+ldaptoolbox_openldap_olcSaslHost: 127.0.0.1
+ldaptoolbox_openldap_olcSortVals: member
+ldaptoolbox_openldap_olcServerID: 1
+ldaptoolbox_openldap_olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
+ldaptoolbox_openldap_olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem
+ldaptoolbox_openldap_olcTLSCertificateKeyFile: /etc/ssl/private/ssl-cert-snakeoil.key
+ldaptoolbox_openldap_olcTLSProtocolMin: 3.3
+ldaptoolbox_openldap_olcLogLevel: stats
+
+ldaptoolbox_openldap_config_olcRootDN: cn=admin,cn=config
+ldaptoolbox_openldap_config_olcRootPW_hash: "{{ ldaptoolbox_openldap_config_olcRootPW_hash_vault }}"
+ldaptoolbox_openldap_database_olcRootDN: cn=admin,dc=my-domain,dc=com
+ldaptoolbox_openldap_database_olcRootPW_hash: "{{ ldaptoolbox_openldap_database_olcRootPW_hash_vault }}"
+
+ldaptoolbox_openldap_suffix: "dc=my-domain,dc=com"
+
+ldaptoolbox_openldap_syncrepl:
+- rid: "001"
+  provider: "ldap://localhost:389/"
+  tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
+  tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
+  tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
+  tlsreqcert: "demand"
+  binddn: "uid=syncrepl,ou=accounts,ou=infrastructure,dc=my-domain,dc=com"
+  password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}"
+  searchbase: "{{ ldaptoolbox_openldap_suffix }}"
+  scope: "sub"
+  type: "refreshAndPersist"
+  retry: "5 5 300 +"
+- rid: "002"
+  provider: "ldap://localhost:389/"
+  tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
+  tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
+  tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
+  tlsreqcert: "demand"
+  binddn: "uid=syncrepl,ou=accounts,ou=infrastructure,dc=my-domain,dc=com"
+  password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}"
+  searchbase: "{{ ldaptoolbox_openldap_suffix }}"
+  scope: "sub"
+  type: "refreshAndPersist"
+  retry: "5 5 300 +"
+
+ldaptoolbox_openldap_access_list:
+  - to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
+  - to dn.base="" by * read
+  - to dn.base="cn=Subschema" by * read
+  - to * by self write  by users read  by anonymous auth
+
+ldaptoolbox_openldap_database_olcLimits:
+  - dn.base="uid=syncrepl,ou=accounts,ou=infrastructure,dc=my-domain,dc=com" size=unlimited  time=unlimited
+
+ldaptoolbox_openldap_database_olcDbIndexes:
+  - "objectClass eq"
+  - "entryUUID eq"
+  - "entryCSN eq"
+  - "cn pres,eq,sub"
+  - "uid pres,eq,sub"
+
+ldaptoolbox_openldap_database_olcDbMaxSize: "4294967296"
+
+ldaptoolbox_openldap_overlay_syncprov_olcSpCheckpoint: "100 10"
+ldaptoolbox_openldap_overlay_syncprov_olcSpSessionlog: "100"
+
+ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyDefault: "cn=default,ou=ppolicies,dc=my-domain,dc=com"
+ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyHashCleartext: "TRUE"
+ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyUseLockout: "TRUE"
+
+ldaptoolbox_openldap_overlay_refint_olcRefintAttribute: "member"
+ldaptoolbox_openldap_overlay_refint_olcRefintNothing: "cn=nothing,dc=my-domain,dc=com"
+
+ldaptoolbox_openldap_overlay_dynlist_olcDlAttrSet: "groupOfURLs memberURL member+memberOf@groupOfNames*"
+
+ldaptoolbox_openldap_monitor_olcRootDN: "cn=monitor"
+ldaptoolbox_openldap_monitor_olcRootPW_hash: "{{ ldaptoolbox_openldap_monitor_olcRootPW_hash_vault }}"
+

tests/test.yml

@@ -1,5 +1,7 @@
 ---
 - hosts: localhost
   remote_user: root
+  vars_files:
+    - credentials-vault.yml
   roles:
     - ansible-role-ldaptoolbox-openldap