- ---
- - include_role:
- name: 'service'
- vars:
- service_name: 'nscd'
- service_packages: 'nscd'
-
- - name: 'set debconf values'
- debconf:
- name: 'slapd'
- question: '{{ item.question }}'
- vtype: 'string'
- value: '{{ item.value }}'
- register: debconfs
- loop:
- - { question: 'slapd/domain', value: '{{ ldap_domain }}' }
- - { question: 'slapd/dump_database', value: 'when needed' }
- - { question: 'shared/organization', value: '{{ ldap_organization }}' }
-
- - include_role:
- name: 'service'
- vars:
- service_name: 'slapd'
- service_packages:
- - 'slapd'
- - 'ldap-utils'
- - 'libpam-ldap'
- - 'python3-ldap'
- - 'sudo'
-
- - name: 'delete old backups'
- file:
- path: '{{ item }}'
- state: 'absent'
- with_fileglob: '/var/backups/*.ldapdb'
- when: debconfs.results[0].changed
-
- - name: 'backup old database and re-create'
- command: 'dpkg-reconfigure -p critical slapd'
- when: debconfs.results[0].changed
-
- - name: 'start slapd service'
- service:
- name: 'slapd'
- enabled: true
- state: 'started'
-
- - name: 'copy schemas'
- copy:
- src: '{{ item }}'
- dest: '/etc/ldap/schema/'
- loop:
- - 'ldapns.ldif'
- - 'kerberos.ldif'
- - 'phamm.ldif'
- - 'phamm-vacation.ldif'
-
- - name: 'activate schemas'
- command:
- cmd: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }}'
- creates: '/etc/ldap/slapd.d/cn=config/cn=schema/cn={*}{{ item }}'
- loop:
- - 'ldapns.ldif'
- - 'kerberos.ldif'
- - 'phamm.ldif'
- - 'phamm-vacation.ldif'
-
- - name: 'activate modules'
- ldap_attr:
- dn: 'cn=module{0},cn=config'
- name: 'olcModuleLoad'
- values:
- - '{0}back_mdb'
- - '{1}pw-sha2'
- - '{2}auditlog'
- - '{3}memberof'
-
- - name: 'create log dir'
- file:
- path: '/var/log/openldap'
- owner: 'openldap'
- group: 'openldap'
- state: 'directory'
-
- - name: 'set loglevel'
- ldap_attr:
- dn: 'cn=config'
- name: 'olcLogLevel'
- values: 'conns acl'
-
- - name: 'activate auditlog overlay'
- ldap_entry:
- dn: 'olcOverlay={0}auditlog,olcDatabase={{ item.db }},cn=config'
- objectClass:
- - 'olcOverlayConfig'
- - 'olcAuditLogConfig'
- attributes:
- olcAuditlogFile: '/var/log/openldap/{{ item.logfile }}'
- loop:
- - { db: '{0}config', logfile: 'audit_config.ldif' }
- - { db: '{1}mdb', logfile: 'audit_mdb.ldif' }
-
- - name: 'activate memberof overlay'
- ldap_entry:
- dn: 'olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config'
- objectClass:
- - 'olcOverlayConfig'
- - 'olcMemberOf'
-
- - name: 'set default password hash'
- ldap_attr:
- dn: 'olcDatabase={-1}frontend,cn=config'
- name: 'olcPasswordHash'
- values: '{SSHA512}'
-
- - name: 'evaluating base_dn'
- set_fact:
- base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'
-
- - name: 'configure TLS x509 <-> ldap dn translation'
- ldap_attr:
- dn: 'cn=config'
- name: 'olcAuthzRegexp'
- state: 'exact'
- values:
- - >-
- {0} ^cn=([^,]+),ou=Server,{{ x509_ldap_suffix }}$
- cn=$1,ou=Server,{{ base_dn }}
- - >-
- {1} ^mail=[^,]+,cn=([^,]+),ou=People,{{ x509_ldap_suffix }}$
- cn=$1,ou=People,{{ base_dn }}
-
- - name: 'configure main tree acls'
- ldap_attr:
- dn: 'olcDatabase={1}mdb,cn=config'
- name: 'olcAccess'
- state: 'exact'
- values:
- # [0] -> Admins can proxy-auth to RootDN
- # /proxy-auth is not required for routine user-management operations
- - >-
- {0} to dn.exact=cn=admin,{{ base_dn }} attrs=authzFrom
- by group.exact=cn=admin,ou=Group,{{ base_dn }} auth
- by * none
- # [1] :: ou=People
- # [1.0] -> Admins can edit People `userPassword`
- # -> People can edit their `userPassword`
- # -> Anyone can auth with `userPassword` if using strong TLS.
- - >-
- {1} to dn.one=ou=People,{{ base_dn }} attrs=userPassword
- by group.exact=cn=admin,ou=Group,{{ base_dn }} write
- by self write
- by anonymous {{ 'tls_ssf=256 ' if ldap_tls_enabled }}auth
- by * none
- # [1.1] -> Admins can list the full People tree
- # -> Servers can perform search on People tree
- - >-
- {2} to dn.exact=ou=People,{{ base_dn }} attrs=entry
- by group.exact=cn=admin,ou=Group,{{ base_dn }} read
- by dn.children=ou=Server,{{ base_dn }} search
- by * none
- # [1.2] -> Admins can add/remove People entries
- - >-
- {3} to dn.exact=ou=People,{{ base_dn }} attrs=children
- by group.exact=cn=admin,ou=Group,{{ base_dn }} write
- by * none
- # [1.3] -> Admins can edit all People attributes
- # -> Servers can read all People attributes (except userPassword)
- # -> People can read all their attributes
- # -> Break: over privileges may be accorded later (i.e.: servers)
- - >-
- {4} to dn.one=ou=People,{{ base_dn }}
- by group.exact=cn=admin,ou=Group,{{ base_dn }} write
- by dn.children=ou=Server,{{ base_dn }} read
- by self read
- by * break
- # [1.5] -> No other access to People tree
- - >-
- {5} to dn.subtree=ou=People,{{ base_dn }}
- by * none
- # [2] :: ou=Group
- # [2.1] -> Admins can add/remove members from groups
- - >-
- {6} to dn.one=ou=Group,{{ base_dn }} attrs=member
- by group.exact=cn=admin,ou=Group,{{ base_dn }} write
- by * none
- # [2.2] -> No other access to Group tree
- - >-
- {7} to dn.children=ou=Group,{{ base_dn }}
- by * none
- # [3] :: ou=Server
- # [3.0] -> Local servers can simple-bind their entries if using TLS
- # /Server using TLS-client Auth with OU=Server are automatically authenticated
- ## TODO: Add peername.ip filtering on server subnet
- - >-
- {8} to dn.children=ou=Server,{{ base_dn }} attrs=userPassword
- by {{ 'tls_ssf=256 ' if ldap_tls_enabled }}auth
- by group.exact=cn=admin,ou=Group,{{ base_dn }} write
- by * none
- # [3.1] -> No other access to Server tree
- - >-
- {9} to dn.subtree=ou=Server,{{ base_dn }}
- by * none
- # [4] :: ou=VirtualDomains - WiP
- # [4.0] -> Admins can write whole subtree
- # [4.1] -> Servers can read whole subtree
- # - >-
- # to dn.subtree=ou=VirtualDomains,{{ base_dn }}
- # by group.exact=cn=admin,ou=Group,{{ base_dn }} write
- # by dn.children=ou=Server,{{ base_dn }} read
- # [5] :: ou=Kerberos - Wi
-
- ...
-
|
