
roles/ldap: add syncrepl support

python3
Zolfa 4 years ago
parent
commit
78dfe4819f
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
4 changed files with 153 additions and 12 deletions
  1. +4
    -0
      roles/ldap/defaults/main.yaml
  2. +26
    -12
      roles/ldap/tasks/1_configure_server.yaml
  3. +120
    -0
      roles/ldap/tasks/5_configure_replication.yaml
  4. +3
    -0
      roles/ldap/tasks/main.yaml

+ 4
- 0
roles/ldap/defaults/main.yaml View File

@ -6,6 +6,10 @@ ldap_organization: '{{ organization }}'
ldap_check_tree: true
ldap_tls_enabled: true
ldap_syncrepl_is_consumer: false
ldap_syncrepl_is_provider: false
ldap_syncrepl_target_providers: []
ldap_tls_server_ca: '{{ tls_intermediate_server_ca }}'
ldap_tls_user_ca: '{{ tls_intermediate_user_ca }}'
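Review bot: The new `ldap_syncrepl_target_providers: []` default gives no hint of the element shape the replication tasks expect — the `set_fact` loop in 5_configure_replication.yaml reads `item.rid` and `item.url` from each entry, and `rid` has to be unique per consumer database — so add a comment above it such as `# list of {rid: <int, unique per consumer>, url: ldap://provider.fqdn} entries`. The two boolean flags also deserve one line saying that both may be true at once (that combination is what turns on MirrorMode in the replication tasks). If `ldap_syncrepl_server_id` is not among the lines this rendering omits, it needs a default here too, since the `olcServerID` task reads it on every host.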


+ 26
- 12
roles/ldap/tasks/1_configure_server.yaml View File

@ -124,6 +124,9 @@
- >-
{1} ^mail=[^,]+,cn=([^,]+),ou=People,{{ ldap_x509_suffix }}$
cn=$1,ou=People,{{ ldap_basedn }}
- >-
{2} ^cn=([^,]+),ou=LDAP,{{ ldap_x509_suffix }}$
cn=$1,ou=LDAP,{{ ldap_basedn }}
- name: 'configure main tree acls'
ldap_attr:
@ -131,10 +134,21 @@
name: 'olcAccess'
state: 'exact'
values:
# TOFIX: Remove hardcoded IP
- >-
{0} to dn.exact={{ ldap_basedn }} attrs=entry,objectClass,contextCSN
by peername.regex=10\.150\.42\..* read
by * break
- >-
{1} to dn.subtree={{ ldap_basedn }}
{% if ldap_syncrepl_is_provider %}
by dn.children=ou=LDAP,{{ ldap_basedn }} tls_ssf=256 read
{% endif %}
by * break
# [0] -> Admins can proxy-auth to RootDN
# /proxy-auth is not required for routine user-management operations
- >-
{0} to dn.exact=cn=admin,{{ ldap_basedn }} attrs=authzFrom
{2} to dn.exact=cn=admin,{{ ldap_basedn }} attrs=authzFrom
by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} auth
by * none
# [1] :: ou=People
@ -142,21 +156,21 @@
# -> People can edit their `userPassword`
# -> Anyone can auth with `userPassword` if using strong TLS.
- >-
{1} to dn.one=ou=People,{{ ldap_basedn }} attrs=userPassword
{3} to dn.one=ou=People,{{ ldap_basedn }} attrs=userPassword
by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write
by self write
by anonymous {{ 'tls_ssf=256 ' if ldap_tls_enabled }}auth
by * none
# [1.1] -> Admins can add/remove People entries
- >-
{2} to dn.exact=ou=People,{{ ldap_basedn }} attrs=children
{4} to dn.exact=ou=People,{{ ldap_basedn }} attrs=children
by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write
by * none
# [1.2] -> Admins can list the full People tree
# -> Servers can perform search on People tree
- >-
{3} to dn.exact=ou=People,{{ ldap_basedn }}
{5} to dn.exact=ou=People,{{ ldap_basedn }}
by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} read
by dn.children=ou=Server,{{ ldap_basedn }} search
by * none
@ -165,51 +179,51 @@
# -> People can read all their attributes
# -> Break: over privileges may be accorded later (i.e.: servers)
- >-
{4} to dn.one=ou=People,{{ ldap_basedn }}
{6} to dn.one=ou=People,{{ ldap_basedn }}
by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write
by dn.children=ou=Server,{{ ldap_basedn }} read
by self read
by * break
# [1.5] -> No other access to People tree
- >-
{5} to dn.subtree=ou=People,{{ ldap_basedn }}
{7} to dn.subtree=ou=People,{{ ldap_basedn }}
by * none
# [2] :: ou=Group
# [2.1] -> Admins can list groups
# -> Servers can list groups
- >-
{6} to dn.exact=ou=Group,{{ ldap_basedn }} attrs=entry
{8} to dn.exact=ou=Group,{{ ldap_basedn }} attrs=entry
by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} read
by dn.children=ou=Server,{{ ldap_basedn }} read
by * none
# [2.2] -> Admins can create/delete groups
- >-
{7} to dn.exact=ou=Group,{{ ldap_basedn }} attrs=children
{9} to dn.exact=ou=Group,{{ ldap_basedn }} attrs=children
by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write
by * none
# [2.3] -> Admins can edit group members
# -> Server can list group members
- >-
{8} to dn.one=ou=Group,{{ ldap_basedn }}
{10} to dn.one=ou=Group,{{ ldap_basedn }}
by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write
by dn.children=ou=Server,{{ ldap_basedn }} read
by * none
# [2.2] -> No other access to Group tree
- >-
{9} to dn.children=ou=Group,{{ ldap_basedn }}
{11} to dn.children=ou=Group,{{ ldap_basedn }}
by * none
# [3] :: ou=Server
# [3.0] -> Local servers can simple-bind their entries if using TLS
# /Server using TLS-client Auth with OU=Server are automatically authenticated
## TODO: Add peername.ip filtering on server subnet
- >-
{10} to dn.children=ou=Server,{{ ldap_basedn }} attrs=userPassword
{12} to dn.children=ou=Server,{{ ldap_basedn }} attrs=userPassword
by anonymous {{ 'tls_ssf=256 ' if ldap_tls_enabled }}auth
by group.exact=cn=admin,ou=Group,{{ ldap_basedn }} write
by * none
# [3.1] -> No other access to Server tree
- >-
{11} to dn.subtree=ou=Server,{{ ldap_basedn }}
{13} to dn.subtree=ou=Server,{{ ldap_basedn }}
by * none
# [4] :: ou=VirtualDomains - WiP
# [4.0] -> Admins can write whole subtree
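Review bot: The new `{0}` rule at the top of olcAccess (second hunk) trusts `peername.regex=10\.150\.42\..*`, and as far as I can tell slapd does not anchor `.regex` styles — the pattern is run against the `IP=addr:port` peer name with regexec — so it would also match a peer such as `IP=110.150.42.9:…`, and either way it grants `entry,objectClass,contextCSN` of the base entry on the strength of a source address alone, with no `tls_ssf` on the clause. Beyond the TOFIX already noted, prefer the subnet form the file's own TODO at [3.0] mentions and make it a variable, e.g. `by peername.ip={{ ldap_syncrepl_peer_subnet }} tls_ssf=256 read` with a default like `10.150.42.0%255.255.255.0`, or drop the rule if the `ou=LDAP` grant in `{1}` already covers the consumers. The `{% if ldap_syncrepl_is_provider %}` inside the folded `{1}` scalar silently omits the whole-tree read grant on non-providers, which looks intended but deserves a comment above the rule, e.g. `# [1] -> Replication consumers (ou=LDAP identities) can read the whole tree over strong TLS; provider only`.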


+ 120
- 0
roles/ldap/tasks/5_configure_replication.yaml View File

@ -0,0 +1,120 @@
---
- name: 'SYNC | create replication consumer certificate'
import_role: name='ca_cert'
vars:
ca_cert_common_name: '{{ host_fqdn }}'
ca_cert_proto: 'tls'
ca_cert_client: true
ca_cert_tls_subj: '{{ openssl_x509_prefix }}/OU=LDAP/CN={{ ca_cert_common_name }}'
ca_cert_tls_ca_path: '/etc/ldap/user_ca.crt'
ca_cert_tls_key_path: '/etc/ldap/syncrepl.key'
ca_cert_tls_csr_path: '/etc/ldap/syncrepl.csr'
ca_cert_tls_cert_path: '/etc/ldap/syncrepl.crt'
when: ldap_syncrepl_is_consumer
- name: 'SYNC | set key ownership'
file:
path: '/etc/ldap/syncrepl.key'
owner: 'openldap'
group: 'openldap'
- name: 'SYNC | activate syncprov module'
ldap_attr:
dn: 'cn=module{0},cn=config'
name: 'olcModuleLoad'
values: '{4}syncprov'
state: 'present'
when: ldap_syncrepl_is_provider
- name: 'SYNC | activate overlay'
ldap_entry:
dn: 'olcOverlay={2}syncprov,olcDatabase={1}mdb,cn=config'
objectClass:
- 'olcOverlayConfig'
- 'olcSyncProvConfig'
when: ldap_syncrepl_is_provider
- name: 'SYNC | disable limits for consumer'
ldap_attr:
dn: 'olcDatabase={1}mdb,cn=config'
name: 'olcLimits'
state: 'exact'
values:
- >-
{0} dn.children=ou=LDAP,{{ ldap_basedn }}
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
when: ldap_syncrepl_is_provider
- name: 'SYNC | set serverID'
ldap_attr:
dn: 'cn=config'
name: 'olcServerID'
values: '{{ ldap_syncrepl_server_id }}'
state: 'exact'
- name: 'SYNC | build SyncRepl configuration'
set_fact:
syncrepls: |
{{ syncrepls|d([])
+ [
'{'+idx|string+'}'
+ ' rid='+item.rid|string
+ ' provider='+item.url
+ ' searchbase='+ldap_basedn
+ ' type=refreshAndPersist'
+ ' interval=00:01:00:00'
+ ' retry="5 5 300 5"'
+ ' timeout=1'
+ ' bindmethod=sasl'
+ ' saslmech=EXTERNAL'
+ ' starttls=critical'
+ ' tls_cert="/etc/ldap/syncrepl.crt"'
+ ' tls_key="/etc/ldap/syncrepl.key"'
+ ' tls_cacert="/etc/ldap/server_ca.crt"'
] }}
loop: '{{ ldap_syncrepl_target_providers }}'
loop_control:
index_var: idx
when: ldap_syncrepl_is_consumer
- debug:
msg: syncrepls
- name: 'SYNC | apply SyncRepl configuration'
ldap_attr:
dn: 'olcDatabase={1}mdb,cn=config'
name: 'olcSyncRepl'
values: '{{ syncrepls }}'
state: 'exact'
ignore_errors: true
when: ldap_syncrepl_is_consumer
- name: 'SYNC | enable MirrorMode'
ldap_attr:
dn: 'olcDatabase={1}mdb,cn=config'
name: 'olcMirrorMode'
values: 'TRUE'
state: 'exact'
when:
- ldap_syncrepl_is_consumer
- ldap_syncrepl_is_provider
- name: 'MONITORING | add ldap_master'
set_fact:
monitoring_facts: >
{{ hostvars[monitoring_host]['monitoring_facts']
| default({})
| combine({
host_fqdn: {
"vars": { "ldap_master": ldap_syncrepl_target_providers[0].url }
}
}, recursive=True) }}
delegate_to: '{{ monitoring_host }}'
delegate_facts: true
when: ldap_syncrepl_is_consumer
tags:
- 'monitoring'
...
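Review bot: `SYNC | set key ownership` has no `when` and sets no `mode`, so on non-consumer hosts it fails (the `file` module's default state errors when the path is absent) and on consumers the private key keeps whatever permissions `ca_cert` left; add `mode: '0600'` and `when: ldap_syncrepl_is_consumer`. The `ignore_errors: true` on `SYNC | apply SyncRepl configuration` hides a failed olcSyncRepl write, after which `enable MirrorMode` and the monitoring fact are applied against a server with no replication configured — drop it, or narrow it to a `failed_when` for the specific condition it is meant to tolerate. `retry="5 5 300 5"` gives up after ten attempts (about 25 minutes of provider downtime) and the consumer then stays stale until slapd restarts; `retry="5 5 300 +"` keeps retrying, and `interval=` has no effect with `type=refreshAndPersist`. The `debug` task prints the literal string `syncrepls` rather than the variable (`msg: '{{ syncrepls }}'`) and looks like a leftover, and `MONITORING | add ldap_master` indexes `ldap_syncrepl_target_providers[0]` with no guard against the empty default.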

+ 3
- 0
roles/ldap/tasks/main.yaml View File

@ -13,4 +13,7 @@
- name: 'including tls tasks'
import_tasks: '4_setup_tls.yaml'
when: ldap_tls_enabled
- name: 'including replication tasks'
import_tasks: '5_configure_replication.yaml'
...
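Review bot: The new `import_tasks: '5_configure_replication.yaml'` has no `when`, unlike the tls import just above it, so every task in that file that carries no condition of its own (`set key ownership`, `set serverID`, the `debug`) runs on hosts that are neither consumer nor provider. Guard the import with `when: ldap_syncrepl_is_consumer or ldap_syncrepl_is_provider` so the role stays a no-op on plain servers, and since the replication config relies on `tls_ssf=256` and client certificates, consider documenting (or asserting) that it also requires `ldap_tls_enabled`.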
