diff --git a/MIGRATION.md b/MIGRATION.md index 9bb917c..597251d 100644 --- a/MIGRATION.md +++ b/MIGRATION.md @@ -18,14 +18,14 @@ On the hosts: ## Roles -| Role name | Modified? | Tested? | Production? | Notes | +| Role name | Modified? | Tested? | Production? | Notes | |----------------------|:---------:|:--------:|:-----------:|----------------------------------------------------------------------| |`roles/service` | **YES** | **YES** | NO | New `apt` module style for packages. | |`roles/ssh_server` | **YES** | **YES** | NO | `lxc_ssh.py` --> `ssh_lxc.py`, multi-key support. | |`roles/ca` | **YES** | ReadNote | NO | New `apt` module style for pacakges. Works with this [ca_manager]. | |`prepare_host.yaml` | **YES** | **YES** | NO | Migrate Debian release to Buster and Python 2 to 3. | -|`roles/lxc_guest.yaml`| **YES** | **YES** | NO | Updated Debian and LXC. `xfs` ***broken***, `ext4` working. | -|`roles/ldap` | NO | NO | NO | | +|`roles/lxc_guest` | **YES** | **YES** | NO | Updated Debian and LXC. `xfs` ***broken***, `ext4` working. | +|`roles/ldap` | **YES** | **YES** | NO | `phamm.schema` now provided locally. | |`roles/nginx` | NO | NO | NO | | |`roles/projects` | NO | NO | NO | | |`roles/dns_record` | NO | NO | NO | | diff --git a/roles/ldap/files/phamm-vacation.schema b/roles/ldap/files/phamm-vacation.schema new file mode 100644 index 0000000..f77aa25 --- /dev/null +++ b/roles/ldap/files/phamm-vacation.schema @@ -0,0 +1,63 @@ +#-------------------------------------------------------------------------- +# LDAP Schema for phamm-vacation +#---------------------- +# Release 1.1.1 +# 2012/08/28 +#-------------------------------------------------------------------------- +# Copyright (c) 2008-2016 Mirko Grava, RHX Srl - www.rhx.it +# Permission is granted to copy, distribute and/or modify this document +# under the terms of the GNU Free Documentation License, Version 2 +# or any later version published by the Free Software Foundation; +#-------------------------------------------------------------------------- +# 1.3.6.1.4.1.22339 RHX Srl's OID +# 1.3.6.1.4.1.22339.2 Phamm-vacation +# 1.3.6.1.4.1.22339.2.1 AttributeTypes +# 1.3.6.1.4.1.22339.2.2 ObjectClasses +#-------------------------------------------------------------------------- + +# Attribute Types +#----------------- +attributetype ( 1.3.6.1.4.1.22339.2.1.1 NAME 'vacationActive' + DESC 'A flag, for marking the user as being away' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.2.1.2 NAME 'vacationInfo' + DESC 'Absentee note to leave behind, while on vacation' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.2.1.3 NAME 'vacationStart' + DESC 'Beginning of vacation' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.2.1.4 NAME 'vacationEnd' + DESC 'End of vacation' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.2.1.5 NAME 'vacationForward' + DESC 'RFC1274: RFC822 Mailbox' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) + +attributetype ( 1.3.6.1.4.1.22339.2.1.6 NAME 'vacationSubject' + DESC 'Subject for the vacation message' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.2.1.7 NAME 'vacationReminder' + DESC 'How many hours we should wait before a second email from someone will cause another vacation message to be sent to that email address' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) + +# Classes +#--------- + +objectclass ( 1.3.6.1.4.1.22339.2.2.1 NAME 'Vacation' + SUP top AUXILIARY + DESC 'Users vacation status information' + MUST ( vacationActive ) + MAY ( vacationInfo $ vacationStart $ vacationEnd $ vacationForward $ vacationSubject $ vacationReminder ) ) diff --git a/roles/ldap/files/phamm.schema b/roles/ldap/files/phamm.schema new file mode 100644 index 0000000..2b6208b --- /dev/null +++ b/roles/ldap/files/phamm.schema @@ -0,0 +1,240 @@ +#-------------------------------------------------------------------------- +# LDAP Schema for phamm +#---------------------- +# Release 1.5 +# 2014/10/3 +#-------------------------------------------------------------------------- +# Copyright (c) 2006-2016 Mirko Grava, RHX Srl - www.rhx.it +# Permission is granted to copy, distribute and/or modify this document +# under the terms of the GNU Free Documentation License, Version 2 +# or any later version published by the Free Software Foundation; +#-------------------------------------------------------------------------- +# 1.3.6.1.4.1.22339 RHX Srl's OID +# 1.3.6.1.4.1.22339.1 Phamm +# 1.3.6.1.4.1.22339.1.1 AttributeTypes +# 1.3.6.1.4.1.22339.1.2 ObjectClasses +#-------------------------------------------------------------------------- + +# Attribute Types +#----------------- + +attributetype ( 1.3.6.1.4.1.22339.1.1.1 NAME 'postfixTransport' + DESC 'A string directing postfix which transport to use' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.2 NAME 'accountActive' + DESC 'A boolean telling whether an account is active or not' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.3 NAME 'lastChange' + DESC 'Time in unix time of last change in entry' + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.4 NAME 'vd' + DESC 'A virtual domain managed by Phamm' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.5 NAME 'mailbox' + DESC 'The absolute path to the mailbox for a mail account in a non-default location' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.6 NAME 'quota' + DESC 'A string that represents the quota on a mailbox' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.7 NAME 'clearPassword' + DESC 'A separate text that stores the mail account password in clear text' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128}) + +attributetype ( 1.3.6.1.4.1.22339.1.1.8 NAME 'maildrop' + DESC 'RFC822 Mailbox - mail alias' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.9 NAME 'mailsource' + DESC 'Message source' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.10 NAME 'editAliases' + DESC 'A boolean telling whether a domain manager can edit Aliases' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.11 NAME 'editAccounts' + DESC 'A boolean telling whether a domain manager can edit Accounts' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.12 NAME 'editAV' + DESC 'A boolean telling whether a domain manager can edit Antivirus' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.13 NAME 'delete' + DESC 'A boolean telling whether this item is marked for deletion' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.14 NAME 'forwardActive' + DESC 'A boolean telling whether this item is using forward' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.15 NAME 'maxDomain' + DESC 'A string that represents the max domain for a VirtualAdmin' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.16 NAME 'maxMail' + DESC 'A string that represents the max mail for a VirtualAdmin' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.17 NAME 'maxAlias' + DESC 'A string that represents the max alias for a VirtualAdmin' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.18 NAME 'maxQuota' + DESC 'A string that represents the max quota for a VirtualAdmin' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.19 NAME 'adminID' + DESC 'A string that represents the dn of admin domain' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.20 NAME 'vdHome' + DESC 'The absolute path to the virtual domain home' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.21 NAME 'otherTransport' + DESC 'A string directing postfix which transport to use' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.22 NAME 'creationDate' + DESC 'Timestamp of creation' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.23 NAME 'otherPath' + DESC 'This path to help any application' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.24 NAME 'createMaildir' + DESC 'A boolean telling when we must create Maildir for maildrop transport' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.25 NAME 'smtpAuth' + DESC 'A boolean telling when we could do smtp-auth' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.26 NAME 'expireDate' + DESC 'Expire date' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.27 NAME 'mailAutoreply' + DESC 'RFC822 Mailbox - mail for autoreply' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.28 NAME 'bypassGreyListing' + DESC 'A boolean telling when we could bypass Grey Listing' + EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.29 NAME 'phammGroup' + DESC 'Define the phamm Group of the VirtualMailAccount' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.30 NAME 'maxSmtpAuth' + DESC 'A string that represents the max SMTP Auth for a VirtualAdmin' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.31 NAME 'maxAntivirus' + DESC 'A string that represents the max Antivirus for a VirtualAdmin' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.32 NAME 'maxAntiSpam' + DESC 'A string that represents the max AntiSpam for a VirtualAdmin' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +attributetype ( 1.3.6.1.4.1.22339.1.1.33 NAME 'maxGreyList' + DESC 'A string that represents the max AntiGreyList for a VirtualAdmin' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + +# Classes +#--------- + +objectclass ( 1.3.6.1.4.1.22339.1.2.1 NAME 'VirtualMailAccount' + SUP inetOrgPerson STRUCTURAL + DESC 'Mail account objects' + MUST ( mail $ vdHome $ mailbox $ accountActive $ lastChange $ delete ) + MAY ( quota $ otherTransport $ editAccounts $ creationDate $ createMaildir $ smtpAuth $ expireDate $ mailAutoreply $ bypassGreyListing $ phammGroup ) ) + +objectclass ( 1.3.6.1.4.1.22339.1.2.2 NAME 'VirtualMailAlias' + SUP inetOrgPerson STRUCTURAL + DESC 'Mail aliasing/forwarding entry' + MUST ( mail $ maildrop $ accountActive $ lastChange ) + MAY ( mailsource $ editAccounts $ creationDate $ smtpAuth $ expireDate $ bypassGreyListing) ) + +objectclass ( 1.3.6.1.4.1.22339.1.2.3 NAME 'VirtualDomain' + SUP top STRUCTURAL + DESC 'Virtual Domain entry to be used with postfix transport maps' + MUST ( vd $ accountActive $ lastChange $ delete ) + MAY ( postfixTransport $ description $ maxMail $ maxAlias $ maxQuota $ editAV $ adminID $ creationDate $ bypassGreyListing $ maxSmtpAuth $ maxAntivirus $ maxAntiSpam $ maxGreyList) ) + +objectclass ( 1.3.6.1.4.1.22339.1.2.4 NAME 'VirtualForward' + SUP top AUXILIARY + DESC 'Forward setting for VirtualMailAccount' + MUST ( forwardActive ) + MAY ( maildrop ) ) + +objectclass ( 1.3.6.1.4.1.22339.1.2.5 NAME 'VirtualAdmin' + SUP inetOrgPerson STRUCTURAL + DESC 'Virtual Admin entry' + MUST ( mail $ maxDomain $ accountActive $ lastChange ) + MAY ( vd $ editAccounts ) ) + +objectclass ( 1.3.6.1.4.1.22339.1.2.6 NAME 'VirtualBackupDomain' + SUP top STRUCTURAL + DESC 'Virtual Backup Domain entry to be used for relay' + MUST ( vd $ accountActive $ lastChange $ delete ) + MAY ( description ) ) + +objectclass ( 1.3.6.1.4.1.22339.1.2.7 NAME 'VirtualBackupMail' + SUP top STRUCTURAL + DESC 'Virtual Backup Mail entry to be used for relay' + MUST ( mail $ accountActive $ lastChange ) + MAY ( description ) ) + +objectclass ( 1.3.6.1.4.1.22339.1.2.8 NAME 'Yap' + SUP top AUXILIARY + DESC 'Yet another path' + MUST ( otherPath ) + ) + diff --git a/roles/ldap/tasks/main.yaml b/roles/ldap/tasks/main.yaml index 30a484e..d16eef8 100644 --- a/roles/ldap/tasks/main.yaml +++ b/roles/ldap/tasks/main.yaml @@ -54,18 +54,21 @@ question: 'slapd/password1' vtype: 'string' value: '{{ slapd_passwd }}' + - name: configure OpenLDAP (password2) debconf: name: 'slapd' question: 'slapd/password2' vtype: 'string' value: '{{ slapd_passwd }}' + - name: configure phamm-ldap debconf: name: 'phamm-ldap' question: 'phamm-ldap/init_base_ldap' vtype: 'boolean' value: false + - include_role: name: service vars: @@ -73,13 +76,22 @@ service_packages: - slapd - ldap-utils - - phamm-ldap - libpam-ldap - sudo + +- name: download schemas + copy: + src: "{{ item }}" + dest: /etc/ldap/schema/ + loop: + - "phamm.schema" + - "phamm-vacation.schema" + - name: upload slapd config template: src: slapd.conf.j2 dest: "/etc/ldap/slapd.conf" + - name: update slapd config shell: slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d args: @@ -96,6 +108,7 @@ olcModuleLoad: {1}memberof olcModuleLoad: {2}pw-sha2 notify: restart slapd + - name: upload default tree template: dest=/etc/ldap/default_tree.ldif @@ -104,10 +117,12 @@ group=root mode=0400 register: upload_default_tree + - name: create default tree shell: slapadd -l /etc/ldap/default_tree.ldif when: upload_default_tree.changed notify: restart slapd + - name: enable OpenLDAP server service: name: 'slapd' diff --git a/roles/ldap/templates/slapd.conf.j2 b/roles/ldap/templates/slapd.conf.j2 index e4b56b3..0041210 100644 --- a/roles/ldap/templates/slapd.conf.j2 +++ b/roles/ldap/templates/slapd.conf.j2 @@ -3,6 +3,7 @@ include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/phamm.schema +include /etc/ldap/schema/phamm-vacation.schema include /usr/share/doc/libpam-ldap/ldapns.schema modulepath /usr/lib/ldap