safer password handling in ldap and nextcloud

roles/ldap/tasks/2_renew_rootpw.yaml

@@ -25,6 +25,7 @@
     values: >-
       {{ new_passwd_hash.stdout }}
     state: 'exact'
+  diff: false
   no_log: true
 
 - name: 'renewing admin password - calling ldappasswd'
@@ -33,11 +34,4 @@
     passwd: '{{ ldap_passwd }}'
     bind_dn: 'cn=admin,{{ ldap_basedn }}'
     bind_pw: '{{ ldap_passwd }}'
-
-- name: 'renewing admin password - storing plaintext'
-  copy:
-    content: '{{ ldap_passwd }}'
-    dest: '/etc/slapd.secret'
-  when: test_env is defined and test_env
-  no_log: true
 ...

roles/ldap/tasks/3_provision_tree.yaml

@@ -1,15 +1,4 @@
 ---
-- when: ldap_passwd is not defined
-  block:
-    - name: 'get plaintext admin password'
-      slurp:
-        path: '/etc/slapd.secret'
-      register: slapd_secret
-
-    - name: 'set ldap_passwd'
-      set_fact:
-        ldap_passwd: '{{ slapd_secret.content | b64decode }}'
-
 - name: 'populate tree - organization units'
   ldap_entry:
     dn: 'ou={{ item }},{{ ldap_basedn }}'
@@ -126,9 +115,4 @@
     bind_dn: 'cn=admin,{{ ldap_basedn }}'
     bind_pw: '{{ ldap_passwd }}'
   loop: '{{ ldap_server_accounts }}'
-
-#- name: templating ACLs
-#  template:
-#    src: "global.acl.j2"
-#    dest: "/etc/ldap/{{ item }}"
 ...

roles/nextcloud/tasks/main.yaml

@@ -85,13 +85,18 @@
     - name: 'create random root password'
       gen_passwd: length=20
       register: 'nextcloud_password'
+      no_log: true
     - name: 'set initial root password'
       set_fact:
         nextcloud_initial_root_password: '{{ nextcloud_password.passwd }}'
+      no_log: true
     - name: 'store root password plaintext'
       copy:
         content: '{{ nextcloud_initial_root_password }}'
         dest: '/etc/nextcloud.secret'
+        mode: '0700'
+      no_log: true
+      diff: false
     - name: 'emit warning for initial_root_password not set'
       fail:
         msg: >-
@@ -177,6 +182,9 @@
   gen_passwd: 'length=32'
   register: 'nextcloud_ldap_passwd'
   no_log: true
+  when:
+    - ldap_admin_dn is defined
+    - ldap_admin_pw is defined
   tags:
     - 'service_password'
 
@@ -189,14 +197,18 @@
     start_tls: '{{ ldap_tls_enabled }}'
     bind_dn: '{{ ldap_admin_dn }}'
     bind_pw: '{{ ldap_admin_pw }}'
-  no_log: true
+  when: nextcloud_ldap_passwd.changed
+  register: nextcloud_ldap_passwd_result
   tags:
     - 'service_password'
 
-- import_tasks: 'occ.yaml'
+- name: 'configure nextcloud ldap password with occ'
+  import_tasks: 'occ.yaml'
   vars:
     occ_args: 'ldap:set-config s01 ldapAgentPassword {{ nextcloud_ldap_passwd.passwd }}'
     nojson: true
+  no_log: true
+  when: nextcloud_ldap_passwd_result.changed
   tags:
     - 'service_password'
 - name: 'MONITORING | add HTTP service'