LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
433 Commits
12 Branches
967 KiB
Tree: 42212333a4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '42212333a4'
${ noResults }
lilik_playbook/roles/ldap/README.md

68 lines
1.8 KiB
Raw Normal View History

Documentation for refactored roles And minor improvements/refactoring
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
Give Variable a Scope Refactoring Add role prefix to role specifig variable to avoid conflicts when using multiples role on the same machine on the same play.
4 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
style and variables refactoring - Coherent quotation style Single quotes for text variable (even if implicit), no quotes for variable and conditional statements, if not required. - Some useful tags added: * ssh_certs renewal of server SSH certificates and configuration of authorized CA. * tls_pub renewal of public TLS certificates (let's encrypt) and certbot configuration. * tls_int renewal of internal TLS certificates (service authorizations) and configuration of authorized internal CA. *(ToDo: deployment of Certificate Revokation Lists)* * lxc deployment of new containers (deployment of configuration file excluded, for instance change in ip address are always applied and trigger a container restart even if you skip this tag. * packages installation and upgrade of software packages (apt, opkg or tarballs) * service_password create new random password for services-only password, for routine rotation. Not meant to be skipped (some roles need to know the service password, so they do a rotation). - prepare_host - ssh_server - lxc_guest - ldap - gitlab - x509_subject_prefix - x509_ldap_suffix *Replaces:* x509_suffix in ldap.yaml - letsencrypt_email Used in roles/certbot and roles/gitlab - root_ca_cert *Replaces:* ssl_ca_cert and files/lilik_x1.crt New defaults: - ldap_domain | default: `${domain}` - server_fqdn | default: `${hostname}.dmz.${domain}` *Replaces:* fqdn_domain Removed: - fqdn_dmain - x509_suffix *Replaced by:* x509_ldap_suffix in common New defaults: - server_fqdn | default: `${hostname}.${domain}` *Replaces*: fqdn - ldap_domain | default: `${domain}` - ldap_server | default: `ldap1.dmz.${domain}` - ldap_basedn | default: `dn(${ldap_domain})` - enable_https | default: `true` New defaults: - server_fqdn | default: `${hostname}.${domain}`
5 years ago
Documentation for refactored roles And minor improvements/refactoring
5 years ago
 
  1. # Role: ldap

  2. 

  3. Set-up a LDAP server
  4. 

  5. ## Configuration variables

  6. 

  7. | Name                   | Description                                        |
  8. |------------------------|----------------------------------------------------|
  9. | `host_fqdn`            | FQDN of the host [`$hostname.dmz.$domain`]         |
  10. | `ldap_domain`          | Dot-form domain name. [`$domain`]                  |
  11. | `ldap_organization`    | Organization [`$organization`]                     |
  12. | `ldap_check_tree`      | Populate tree with initial configuration. [`true`] |
  13. | `ldap_tls_enabled`     | Enables TLS, requires a *ca_manager*. [`true`]     |
  14. | `ldap_tls_server_ca`   | CA to check slapd cert [`$tls_root_ca`]            |
  15. | `ldap_tls_user_ca`     | CA to authenticate users [`$tls_root_ca`]          |
  16. | `virtual_domains`      | Required with `check_tree`: list of vds to init.   |
  17. 

  18. 

  19. **Note:** If `ldap_tls_enabled` the *ca_manager* host should be configured
  20. and TLS Root CA should be set in vars.
  21. 

  22. ## Minimal example

  23. 

  24. group_vars/all.yaml:
  25. 

  26. 	---
  27. 	domain: 'example.com'
  28. 	organization: 'LILiK'
  29. 	x509_subj_prefix:
  30. 	  C: 'IT'
  31. 	  L: 'Firenze'
  32. 	  O: '{{ organization }}'
  33. 

  34. 	user_ca_keys:
  35. 	  - "ssh-ed25519 ################### CA"
  36. 	tls_root_ca: |
  37. 	  -----BEGIN CERTIFICATE-----
  38. 	  ###########################
  39. 	  -----END CERTIFICATE-----
  40. 

  41. hosts:
  42. 

  43. 	vm_gateay             ansible_host=10.0.2.1   ansible_user=root
  44. 	authorities_request   ansible_host=10.0.1.8   ansible_user=request
  45. 	host1                 ansible_host=10.0.1.1   ansible_user=root
  46. 	ldap1              ansible_host=10.0.2.2   ansible_user=root    ansible_lxc_host=host1
  47. 

  48. playbook.yaml:
  49. 

  50. 	---
  51. 	# Configure LDAP on a Physical Host
  52. 	- hosts: 'host'
  53.       roles:
  54. 	    - role: ldap
  55. 		  virtual_domains:
  56. 		    - 'example.com'
  57. 

  58. Command line:
  59. 

  60. 	ansible-playbook -i hosts playbook.yaml
  61. 

  62. 

  63. ## Requirements

  64. 

  65. On Ansible controller:
  66. 

  67. - tasks/ca-dialog.yaml
  68.