Merge pull request #2 from davidcoutadeur/wip_role_creation

creation of the ansible role for OpenLDAP LTB

Author: davidcoutadeur

.github/workflows/test.yml

@@ -0,0 +1,23 @@
+name: Test ansible-role-ldaptoolbox-openldap
+
+on: push
+
+jobs:
+  test-deployment:
+    runs-on: ubuntu-latest
+    name: test ansible-role-ldaptoolbox-openldap syntax
+    steps:
+      - uses: actions/checkout@v2
+      - name: get repository
+        run: |
+          git fetch --unshallow
+          git pull origin
+          git config user.email "[email protected]"
+          git config user.name "GitHub Actions"
+      - name: test ansible syntax
+        run: |
+          sudo apt-get install -y python3-pip
+          sudo pip3 install ansible
+          ansible --version
+          printf '[defaults]\nroles_path=../' >ansible.cfg
+          ansible-playbook tests/test.yml -i tests/inventory --syntax-check

README.md

@@ -1 +1,45 @@
-# openldap-role-ansible
+OpenLDAP
+========
+
+Ansible role which installs and configures [LTB-Project](https://ltb-project.org/)'s OpenLDAP.
+
+Requirements
+------------
+
+- ansible
+- HTTP connection to the LTB-project's repository
+
+Role Variables
+--------------
+
+You'll need to store the hash value for you admin password. You'll get it like this:
+
+```
+/usr/local/openldap/sbin/slappasswd -o module-path="/usr/local/openldap/libexec/openldap" -o module-load="argon2" -h "{ARGON2}" -s "password"
+```
+
+Dependencies
+------------
+
+
+Example Playbook
+----------------
+
+See `tests/test.yml`
+
+Run playbook with:
+
+```
+ansible-playbook tests/test.yml -i tests/inventory --ask-vault-pass
+```
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+
+- Mathieu Jourdan
+- David Coutadeur

defaults/main.yml

@@ -0,0 +1,49 @@
+---
+# defaults file for ansible-role-ldaptoolbox-openldap
+
+# Common configuration
+# --------------------
+
+# APT configuration
+ldaptoolbox_openldap_apt_key_url: "https://ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-project"
+ldaptoolbox_openldap_apt_key_id: "3FC3FD92ABA3975D2BEB95A70AC51F926D45BFC5"
+ldaptoolbox_openldap_apt_repo_filename: "ltb-project-openldap"
+ldaptoolbox_openldap_apt_keyrings_path: /usr/share/keyrings
+ldaptoolbox_openldap_apt_repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/ltb-project-openldap.gpg] http://ltb-project.org/debian/openldap25/bullseye bullseye main"
+ldaptoolbox_openldap_apt_validate_certs: "true"
+
+# Packages
+ldaptoolbox_openldap_packages_base: openldap-ltb, openldap-ltb-contrib-overlays, openldap-ltb-mdb-utils
+ldaptoolbox_openldap_packages_dependencies: libcrack2, curl
+ldaptoolbox_openldap_packages_state: present
+
+# Configuration
+ldaptoolbox_openldap_configuration_backup_dir: /var/backups/openldap
+ldaptoolbox_openldap_configuration_timestamp_cmd: 'date +%Y%m%d%H%M%S'
+ldaptoolbox_openldap_configuration_timestamp: '00000000000000'
+ldaptoolbox_openldap_configuration_prefix: "config"
+ldaptoolbox_openldap_configuration_owner: ldap
+ldaptoolbox_openldap_configuration_group: ldap
+ldaptoolbox_openldap_configuration_mode: 0600
+ldaptoolbox_openldap_sslgroup: ssl-cert
+
+ldaptoolbox_openldap_slapd_cli_cmd: /usr/local/openldap/sbin/slapd-cli
+
+ldaptoolbox_openldap_module_list:
+  - argon2.la
+  - pw-pbkdf2.la
+  - back_mdb.la
+  - dynlist.la
+  - ppolicy.la
+  - syncprov.la
+  - unique.la
+  - refint.la
+
+ldaptoolbox_openldap_custom_schema_srcdir: ""
+ldaptoolbox_openldap_custom_schema_list: []
+ldaptoolbox_openldap_schema_dir: /usr/local/openldap/etc/openldap/schema
+
+ldaptoolbox_openldap_suffix: "dc=my-domain,dc=com"
+
+ldaptoolbox_olcPasswordHash: "{ARGON2}"
+

handlers/main.yml

@@ -0,0 +1,2 @@
+---
+# handlers file for ansible-role-ldaptoolbox-openldap

meta/main.yml

@@ -0,0 +1,19 @@
+galaxy_info:
+  author: Mathieu Jourdan, David Coutadeur
+  description: installs and configures [LTP-Projects](https://ltb-project.org/)' OpenLDAP.
+  license: GPL-3.0-or-later
+
+  min_ansible_version: 2.10
+
+  platforms:
+    - name: Debian
+      versions:
+      - bullseye
+
+  galaxy_tags:
+    - identity
+    - openldap
+    - ldap
+    - ldaptoolbox
+
+dependencies: []

tasks/ldaptoolbox-repository.yml

@@ -0,0 +1,19 @@
+---
+# tasks file for ansible-role-ldaptoolbox-openldap
+
+- name: debian repository
+  block:
+
+  - name: fetch repository key
+    ansible.builtin.shell: "curl {{ ldaptoolbox_openldap_apt_key_url }} | gpg --dearmor > {{ ldaptoolbox_openldap_apt_keyrings_path }}/{{ ldaptoolbox_openldap_apt_repo_filename }}.gpg"
+
+  - name: add repository
+    ansible.builtin.apt_repository:
+      repo: "{{ ldaptoolbox_openldap_apt_repo }}"
+      filename: "{{ ldaptoolbox_openldap_apt_repo_filename }}"
+      update_cache: yes
+      state: present
+
+  when:
+  - ansible_os_family == "Debian"
+

tasks/main.yml

@@ -0,0 +1,53 @@
+---
+# tasks file for ansible-role-ldaptoolbox-openldap
+
+# Installation
+# ------------
+
+- name: install package dependencies
+  package:
+    name: "{{ ldaptoolbox_openldap_packages_dependencies }}"
+    state: "{{ ldaptoolbox_openldap_packages_state }}"
+
+- name: install ldaptoolbox repository
+  include_tasks: ldaptoolbox-repository.yml
+
+- name: install openldap packages
+  package:
+    name: "{{ ldaptoolbox_openldap_packages_base }}"
+    state: "{{ ldaptoolbox_openldap_packages_state }}"
+
+- name: allow ldap to read TLS certificates
+  ansible.builtin.user:
+    name: "{{ ldaptoolbox_openldap_configuration_owner }}"
+    groups: "{{ ldaptoolbox_openldap_sslgroup }}"
+    state: present
+  when: ldaptoolbox_openldap_olcTLSCertificateFile is defined
+
+# Configuration
+# -------------
+
+- name: deploy config file
+  ansible.builtin.template:
+    src: ".{{ ldaptoolbox_openldap_configuration_backup_dir }}/{{ ldaptoolbox_openldap_configuration_prefix }}.ldif"
+    dest: "{{ ldaptoolbox_openldap_configuration_backup_dir }}/{{ ldaptoolbox_openldap_configuration_prefix }}-{{ ldaptoolbox_openldap_configuration_timestamp }}.ldif"
+    owner: "{{ ldaptoolbox_openldap_configuration_owner }}"
+    group: "{{ ldaptoolbox_openldap_configuration_group }}"
+    mode: "{{ ldaptoolbox_openldap_configuration_mode }}"
+
+- name: deploy custom schema
+  ansible.builtin.template:
+    src: "{{ ldaptoolbox_openldap_custom_schema_srcdir }}/{{ item }}"
+    dest: "{{ ldaptoolbox_openldap_schema_dir }}/{{ item }}"
+    owner: "{{ ldaptoolbox_openldap_configuration_owner }}"
+    group: "{{ ldaptoolbox_openldap_configuration_group }}"
+  loop: "{{ ldaptoolbox_openldap_custom_schema_list }}"
+
+- name: load config from file
+  ansible.builtin.shell: "{{ ldaptoolbox_openldap_slapd_cli_cmd }} restoreconfig"
+
+# Import Data
+# -----------
+
+#TODO
+

templates/var/backups/openldap/config.ldif

@@ -0,0 +1,164 @@
+dn: cn=config
+objectClass: olcGlobal
+cn: config
+olcConfigFile: slapd.conf
+olcConfigDir: slapd.d
+olcArgsFile: /usr/local/openldap/var/run/slapd.args
+olcAttributeOptions: lang-
+olcAuthzPolicy: none
+olcConcurrency: 0
+olcConnMaxPending: 100
+olcConnMaxPendingAuth: 1000
+olcGentleHUP: FALSE
+olcIdleTimeout: 0
+olcIndexSubstrIfMaxLen: 4
+olcIndexSubstrIfMinLen: 2
+olcIndexSubstrAnyLen: 4
+olcIndexSubstrAnyStep: 2
+olcIndexIntLen: 4
+olcListenerThreads: 1
+olcLocalSSF: 71
+olcPidFile: /usr/local/openldap/var/run/slapd.pid
+olcReadOnly: FALSE
+olcSaslHost: {{ ldaptoolbox_openldap_olcSaslHost }}
+olcSaslSecProps: none
+olcServerID: 1
+olcSockbufMaxIncoming: 262143
+olcSockbufMaxIncomingAuth: 16777215
+olcThreads: 16
+olcTLSCACertificateFile: {{ ldaptoolbox_openldap_olcTLSCACertificateFile }}
+olcTLSCertificateFile:  {{ ldaptoolbox_openldap_olcTLSCertificateFile }}
+olcTLSCertificateKeyFile: {{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}
+olcTLSCRLCheck: none
+olcTLSVerifyClient: allow
+olcTLSProtocolMin: {{ ldaptoolbox_openldap_olcTLSProtocolMin }}
+olcToolThreads: 1
+olcWriteTimeout: 0
+olcLogLevel: {{ ldaptoolbox_openldap_olcLogLevel }}
+
+dn: cn=module{0},cn=config
+objectClass: olcModuleList
+cn: module{0}
+olcModulePath: /usr/local/openldap/lib64/:/usr/local/openldap/libexec/openldap/
+{% for module in ldaptoolbox_openldap_module_list %}
+olcModuleLoad: {{ module }}
+{% endfor %}
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+include: file:///usr/local/openldap/etc/openldap/schema/core.ldif
+
+include: file:///usr/local/openldap/etc/openldap/schema/cosine.ldif
+
+include: file:///usr/local/openldap/etc/openldap/schema/nis.ldif
+
+include: file:///usr/local/openldap/etc/openldap/schema/inetorgperson.ldif
+
+include: file:///usr/local/openldap/etc/openldap/schema/dyngroup.ldif
+
+{% for schema in ldaptoolbox_openldap_custom_schema_list %}
+include: file://{{ ldaptoolbox_openldap_schema_dir }}/{{ schema }}
+{% endfor %}
+
+dn: olcDatabase={-1}frontend,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcFrontendConfig
+olcDatabase: {-1}frontend
+{% for rule in ldaptoolbox_openldap_access_list %}
+olcAccess: {{ rule }}
+{% endfor %}
+olcAddContentAcl: FALSE
+olcLastMod: TRUE
+olcMaxDerefDepth: 0
+olcReadOnly: FALSE
+olcSchemaDN: cn=Subschema
+olcSecurity: ssf=128
+olcSizeLimit: 500
+olcSyncUseSubentry: FALSE
+olcMonitoring: FALSE
+olcPasswordHash: {{ ldaptoolbox_olcPasswordHash }}
+olcSortVals: {{ ldaptoolbox_openldap_olcSortVals }}
+
+dn: olcDatabase={0}config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: {0}config
+olcAccess: {0}to *  by * none
+olcAddContentAcl: TRUE
+olcLastMod: TRUE
+olcMaxDerefDepth: 15
+olcReadOnly: FALSE
+olcRootDN: {{ ldaptoolbox_openldap_config_olcRootDN }}
+olcRootPW: {{ ldaptoolbox_openldap_config_olcRootPW_hash }}
+olcSyncUseSubentry: FALSE
+olcMonitoring: FALSE
+
+dn: olcDatabase={1}mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: {1}mdb
+olcDbDirectory: /usr/local/openldap/var/openldap-data
+olcSuffix: {{ ldaptoolbox_openldap_suffix }}
+olcLastMod: TRUE
+{% for limit in ldaptoolbox_openldap_database_olcLimits %}
+olcLimits: {{ limit }}
+{% endfor %}
+olcMaxDerefDepth: 15
+olcReadOnly: FALSE
+olcRootDN: {{ ldaptoolbox_openldap_database_olcRootDN }}
+olcRootPW: {{ ldaptoolbox_openldap_database_olcRootPW_hash }}
+olcSyncUseSubentry: FALSE
+olcLastBind: TRUE
+{% for syncrepl in ldaptoolbox_openldap_syncrepl %}
+olcSyncrepl: rid={{ syncrepl.rid }} provider={{ syncrepl.provider }} bindmethod=simple timeout=0 network-timeout=0 binddn="{{ syncrepl.binddn }}" credentials="{{ syncrepl.password }}" keepalive=0:0:0 starttls=no {% if syncrepl.tlscert %}tls_cert="{{ syncrepl.tlscert }}" tls_key={{ syncrepl.tlskey }}" tls_cacert="{{ syncrepl.tlscacert }}" tls_reqcert="{{ syncrepl.tlsreqcert }}"{% endif %} filter="(objectclass=*)" searchbase="{{ syncrepl.searchbase }}" scope="{{ syncrepl.scope }}" schemachecking=on type="{{ syncrepl.type }}" retry="{{ syncrepl.retry }}"
+{% endfor %}
+{% if ldaptoolbox_openldap_syncrepl|length > 0 %}
+olcMultiProvider: TRUE
+{% endif %}
+olcMonitoring: TRUE
+{% for index in ldaptoolbox_openldap_database_olcDbIndexes %}
+olcDbIndex: {{ index }}
+{% endfor %}
+olcDbMaxSize: {{ ldaptoolbox_openldap_database_olcDbMaxSize }}
+
+dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcSyncProvConfig
+olcOverlay: {0}syncprov
+olcSpCheckpoint: {{ ldaptoolbox_openldap_overlay_syncprov_olcSpCheckpoint }}
+olcSpSessionlog: {{ ldaptoolbox_openldap_overlay_syncprov_olcSpSessionlog }}
+
+dn: olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcOverlay: {1}ppolicy
+olcPPolicyDefault: {{ ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyDefault }}
+olcPPolicyHashCleartext: {{ ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyHashCleartext }}
+olcPPolicyUseLockout: {{ ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyUseLockout }}
+
+dn: olcOverlay={2}refint,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+olcOverlay: {2}refint
+olcRefintAttribute: {{ ldaptoolbox_openldap_overlay_refint_olcRefintAttribute }}
+olcRefintNothing: {{ ldaptoolbox_openldap_overlay_refint_olcRefintNothing }}
+
+dn: olcOverlay={3}dynlist,olcDatabase={1}mdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcDynamicList
+olcOverlay: {3}dynlist
+olcDlAttrSet: {{ ldaptoolbox_openldap_overlay_dynlist_olcDlAttrSet }}
+
+dn: olcDatabase={2}monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: {2}monitor
+olcRootDN: {{ ldaptoolbox_openldap_monitor_olcRootDN }}
+olcRootPW: {{ ldaptoolbox_openldap_monitor_olcRootPW_hash }}
+olcAddContentAcl: FALSE
+olcLastMod: TRUE
+olcMaxDerefDepth: 15
+olcReadOnly: FALSE
+olcSyncUseSubentry: FALSE
+olcMonitoring: FALSE
+