ltb-project
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/test.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎README.md‎
Lines changed: 25 additions & 7 deletions b/‎README.md‎
Lines changed: 25 additions & 7 deletions
diff --git a/‎defaults/main.yml‎
Lines changed: 122 additions & 9 deletions b/‎defaults/main.yml‎
Lines changed: 122 additions & 9 deletions
diff --git a/‎tasks/main.yml‎
Lines changed: 21 additions & 0 deletions b/‎tasks/main.yml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎templates/var/backups/openldap/config.ldif‎
Lines changed: 1 addition & 1 deletion b/‎templates/var/backups/openldap/config.ldif‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/host_vars/localhost.yml‎
Lines changed: 0 additions & 82 deletions b/‎tests/host_vars/localhost.yml‎
Lines changed: 0 additions & 82 deletions
@@ -20,4 +20,4 @@ jobs:
           sudo pip3 install ansible
           ansible --version
           printf '[defaults]\nroles_path=../' >ansible.cfg
-          ansible-playbook tests/test.yml -i tests/inventory --syntax-check --vault-password-file .vault_pass
+          ansible-playbook tests/standalone.yml -i tests/inventory --syntax-check --vault-password-file .vault_pass
@@ -12,27 +12,45 @@ Requirements
 Role Variables
 --------------
 
-You'll need to store the hash value for you admin password. You'll get it like this:
+You'll need to store the hash value for you admin passwords. You'll get it like this:
 
 ```
 /usr/local/openldap/sbin/slappasswd -o module-path="/usr/local/openldap/libexec/openldap" -o module-load="argon2" -h "{ARGON2}" -s "password"
 ```
 
-Dependencies
-------------
+Store the passwords in the vault file in: `tests/credentials-vault.yml`
+
+
+Playbook examples
+-----------------
 
+You should:
+ * either deploy your role
+ * or use a configuration file for setting the role path, for example:
 
-Example Playbook
-----------------
+ansible.cfg
+```
+[defaults]
+roles_path=../
+```
 
-See `tests/test.yml`
+See `tests/standalone.yml`
 
 Run playbook with:
 
 ```
-ansible-playbook tests/test.yml -i tests/inventory --ask-vault-pass
+ansible-playbook tests/standalone.yml -i tests/inventory --ask-vault-pass
 ```
 
+or:
+
+```
+ansible-playbook tests/standalone.yml -i tests/inventory --vault-password-file .vault_pass
+```
+
+If you need a two-nodes multimaster example, give a look at `tests/multimaster1.yml` and `tests/multimaster2.yml`
+
+
 License
 -------
 
 
@@ -1,10 +1,10 @@
 ---
-# defaults file for ansible-role-ldaptoolbox-openldap
+################################################################################
+# Defaults variables for OpenLDAP role
+################################################################################
 
-# Common configuration
-# --------------------
 
-# APT configuration
+# apt package repository
 ldaptoolbox_openldap_apt_key_url: "https://ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-project"
 ldaptoolbox_openldap_apt_key_id: "3FC3FD92ABA3975D2BEB95A70AC51F926D45BFC5"
 ldaptoolbox_openldap_apt_repo_filename: "ltb-project-openldap"
@@ -17,7 +17,7 @@ ldaptoolbox_openldap_packages_base: openldap-ltb, openldap-ltb-contrib-overlays,
 ldaptoolbox_openldap_packages_dependencies: libcrack2, curl
 ldaptoolbox_openldap_packages_state: present
 
-# Configuration
+# Filesystem
 ldaptoolbox_openldap_configuration_backup_dir: /var/backups/openldap
 ldaptoolbox_openldap_configuration_timestamp_cmd: 'date +%Y%m%d%H%M%S'
 ldaptoolbox_openldap_configuration_timestamp: '00000000000000'
@@ -27,8 +27,32 @@ ldaptoolbox_openldap_configuration_group: ldap
 ldaptoolbox_openldap_configuration_mode: 0600
 ldaptoolbox_openldap_sslgroup: ssl-cert
 
+# OpenLDAP LTB CLI command path
 ldaptoolbox_openldap_slapd_cli_cmd: /usr/local/openldap/sbin/slapd-cli
 
+
+
+# OpenLDAP configuration
+################################################################################
+
+# Suffix
+ldaptoolbox_openldap_suffix: "{{ ldaptoolbox_openldap_suffix }}"
+
+# Custom schemas
+ldaptoolbox_openldap_custom_schema_srcdir: ""
+ldaptoolbox_openldap_custom_schema_list: []
+ldaptoolbox_openldap_schema_dir: /usr/local/openldap/etc/openldap/schema
+
+# Certificates
+ldaptoolbox_openldap_olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
+ldaptoolbox_openldap_olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem
+ldaptoolbox_openldap_olcTLSCertificateKeyFile: /etc/ssl/private/ssl-cert-snakeoil.key
+ldaptoolbox_openldap_olcTLSProtocolMin: 3.3
+
+# Log level
+ldaptoolbox_openldap_olcLogLevel: stats
+
+# Enabled modules
 ldaptoolbox_openldap_module_list:
   - argon2.la
   - pw-pbkdf2.la
@@ -39,11 +63,100 @@ ldaptoolbox_openldap_module_list:
   - unique.la
   - refint.la
 
-ldaptoolbox_openldap_custom_schema_srcdir: ""
-ldaptoolbox_openldap_custom_schema_list: []
-ldaptoolbox_openldap_schema_dir: /usr/local/openldap/etc/openldap/schema
 
-ldaptoolbox_openldap_suffix: "dc=my-domain,dc=com"
+##################
+# Database options
+##################
+
+# config database
+ldaptoolbox_openldap_config_olcRootDN: cn=admin,cn=config
+ldaptoolbox_openldap_config_olcRootPW_hash: "{{ ldaptoolbox_openldap_config_olcRootPW_hash_vault }}"
+
+# main database
+ldaptoolbox_openldap_database_olcRootDN: "cn=admin,{{ ldaptoolbox_openldap_suffix }}"
+ldaptoolbox_openldap_database_olcRootPW_hash: "{{ ldaptoolbox_openldap_database_olcRootPW_hash_vault }}"
+ldaptoolbox_openldap_database_olcDbMaxSize: "4294967296"
 
+# monitor database
+ldaptoolbox_openldap_monitor_olcRootDN: "cn=monitor"
+ldaptoolbox_openldap_monitor_olcRootPW_hash: "{{ ldaptoolbox_openldap_monitor_olcRootPW_hash_vault }}"
+
+
+
+##########################
+# General OpenLDAP options
+##########################
+
+ldaptoolbox_openldap_olcSaslHost: 127.0.0.1
+ldaptoolbox_openldap_olcSortVals: member
 ldaptoolbox_olcPasswordHash: "{ARGON2}"
 
+# Access rights
+ldaptoolbox_openldap_access_list:
+  - to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
+  - to dn.base="" by * read
+  - to dn.base="cn=Subschema" by * read
+  - to * by self write  by users read  by anonymous auth
+
+# Limits
+ldaptoolbox_openldap_database_olcLimits:
+  - dn.base="uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}" size=unlimited  time=unlimited
+
+# Indexes definition
+ldaptoolbox_openldap_database_olcDbIndexes:
+  - "objectClass eq"
+  - "entryUUID eq"
+  - "entryCSN eq"
+  - "cn pres,eq,sub"
+  - "uid pres,eq,sub"
+
+########################
+# Replication directives
+########################
+
+ldaptoolbox_openldap_olcServerID: 1
+ldaptoolbox_openldap_syncrepl:
+- rid: "001"
+  provider: "ldap://localhost:389/"
+  tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
+  tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
+  tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
+  tlsreqcert: "demand"
+  binddn: "uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}"
+  password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}"
+  searchbase: "{{ ldaptoolbox_openldap_suffix }}"
+  scope: "sub"
+  type: "refreshAndPersist"
+  retry: "5 5 300 +"
+- rid: "002"
+  provider: "ldap://localhost:389/"
+  tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
+  tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
+  tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
+  tlsreqcert: "demand"
+  binddn: "uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}"
+  password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}"
+  searchbase: "{{ ldaptoolbox_openldap_suffix }}"
+  scope: "sub"
+  type: "refreshAndPersist"
+  retry: "5 5 300 +"
+ldaptoolbox_openldap_overlay_syncprov_olcSpCheckpoint: "100 10"
+ldaptoolbox_openldap_overlay_syncprov_olcSpSessionlog: "100"
+
+########################
+# Overlays configuration
+########################
+
+# Password policy
+ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyDefault: "cn=default,ou=ppolicies,{{ ldaptoolbox_openldap_suffix }}"
+ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyHashCleartext: "TRUE"
+ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyUseLockout: "TRUE"
+
+# Referential integrity
+ldaptoolbox_openldap_overlay_refint_olcRefintAttribute: "member"
+ldaptoolbox_openldap_overlay_refint_olcRefintNothing: "cn=nothing,{{ ldaptoolbox_openldap_suffix }}"
+
+# Dynamic groups (dynlist)
+ldaptoolbox_openldap_overlay_dynlist_olcDlAttrSet: "groupOfURLs memberURL member+memberOf@groupOfNames*"
+
+
@@ -24,6 +24,27 @@
     state: present
   when: ldaptoolbox_openldap_olcTLSCertificateFile is defined
 
+- name: Ensure correct file ownership, group and permissions for CA
+  ansible.builtin.file:
+    path: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
+    owner: "root"
+    group: "root"
+    mode: "644"
+
+- name: Ensure correct file ownership, group and permissions for certificate
+  ansible.builtin.file:
+    path: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
+    owner: "root"
+    group: "root"
+    mode: "644"
+
+- name: Ensure correct file ownership, group and permissions for key
+  ansible.builtin.file:
+    path: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
+    owner: "root"
+    group: "{{ ldaptoolbox_openldap_sslgroup }}"
+    mode: "640"
+
 # Configuration
 # -------------
 
 
@@ -22,7 +22,7 @@ olcPidFile: /usr/local/openldap/var/run/slapd.pid
 olcReadOnly: FALSE
 olcSaslHost: {{ ldaptoolbox_openldap_olcSaslHost }}
 olcSaslSecProps: none
-olcServerID: 1
+olcServerID: {{ ldaptoolbox_openldap_olcServerID }}
 olcSockbufMaxIncoming: 262143
 olcSockbufMaxIncomingAuth: 16777215
 olcThreads: 16