From da883379662bda2e596d150faf1c607220eb9712 Mon Sep 17 00:00:00 2001 
From: Zolfa Date: Fri, 17 Apr 2020 22:45:01 +0200 Subject: [PATCH] roles/ldap: super-refactoring and TLS support. - Tasks split into sub-files. - Static slapd configuration (slapd.conf) moved *properly* to dynamic conf (slapd.d). - TLS Enabled by default, with certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured. --- roles/ldap/defaults/main.yaml | 5 + roles/ldap/defaults/main.yaml~ | 3 + roles/ldap/files/kerberos.ldif | 162 +++++++++++++++ roles/ldap/files/ldapns.ldif | 19 ++ roles/ldap/files/phamm-vacation.ldif | 30 +++ roles/ldap/files/phamm-vacation.schema | 63 ------ roles/ldap/files/phamm.ldif | 132 ++++++++++++ roles/ldap/files/phamm.schema | 240 ---------------------- roles/ldap/tasks/1_configure_server.yaml | 201 ++++++++++++++++++ roles/ldap/tasks/2_renew_rootpw.yaml | 40 ++++ roles/ldap/tasks/3_provision_tree.yaml | 143 +++++++++++++ roles/ldap/tasks/4_setup_tls.yaml | 128 ++++++++++++ roles/ldap/tasks/main.yaml | 139 ++----------- roles/ldap/templates/default_tree.ldif.j2 | 186 ----------------- roles/ldap/templates/slapd.conf.j2 | 12 -- 15 files changed, 879 insertions(+), 624 deletions(-) create mode 100644 roles/ldap/defaults/main.yaml create mode 100644 roles/ldap/defaults/main.yaml~ create mode 100644 roles/ldap/files/kerberos.ldif create mode 100644 roles/ldap/files/ldapns.ldif create mode 100644 roles/ldap/files/phamm-vacation.ldif delete mode 100644 roles/ldap/files/phamm-vacation.schema create mode 100644 roles/ldap/files/phamm.ldif delete mode 100644 roles/ldap/files/phamm.schema create mode 100644 roles/ldap/tasks/1_configure_server.yaml create mode 100644 roles/ldap/tasks/2_renew_rootpw.yaml create mode 100644 roles/ldap/tasks/3_provision_tree.yaml create mode 100644 roles/ldap/tasks/4_setup_tls.yaml delete mode 100644 roles/ldap/templates/default_tree.ldif.j2 delete mode 100644 roles/ldap/templates/slapd.conf.j2 
diff --git a/roles/ldap/defaults/main.yaml b/roles/ldap/defaults/main.yaml
new file mode 100644
index 0000000..0f38c26
--- /dev/null
+++ b/roles/ldap/defaults/main.yaml
@@ -0,0 +1,5 @@
+---
+ldap_tls_enabled: true
+renew_rootdn_pw: true
+check_tree: true
+...
diff --git a/roles/ldap/defaults/main.yaml~ b/roles/ldap/defaults/main.yaml~
new file mode 100644
index 0000000..5e95b54
--- /dev/null
+++ b/roles/ldap/defaults/main.yaml~
@@ -0,0 +1,3 @@
+---
+ldap_tls_enabled: true
+...
diff --git a/roles/ldap/files/kerberos.ldif b/roles/ldap/files/kerberos.ldif
new file mode 100644
index 0000000..e078006
--- /dev/null
+++ b/roles/ldap/files/kerberos.ldif
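Review bot: `renew_rootdn_pw: true` as a role default means the rootdn password is rotated on every playbook run rather than only when an operator asks for it; the task that acts on it (roles/ldap/tasks/2_renew_rootpw.yaml) is not on this page, so this is inferred from the name. A rotation that happens as a side effect of a routine run is non-idempotent and can silently invalidate a credential that other tooling or an operator still holds, so the safer default is `renew_rootdn_pw: false` with the rotation switched on explicitly for the run that needs it. Whichever default is kept, the three variables carry no description; a comment per line such as `# rotate olcRootPW on each run (set false once the value is shared with other consumers)` would tell the next maintainer what they are switching.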
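Review bot: `roles/ldap/defaults/main.yaml~` is an editor backup copy of the defaults file (an older revision holding only `ldap_tls_enabled`) and should not be committed: Ansible ignores it, but it will drift from the real file and mislead anyone reading the role. Drop it from the patch and add `*~` to the repository's .gitignore so backup files cannot reappear in later commits.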
@@ -0,0 +1,162 @@ +dn: cn=kerberos,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: kerberos +olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName + ' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.26 ) +olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQU + ALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1. + 1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {2}( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType + ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {3}( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DE + SC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {4}( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpi + ration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE ) +olcAttributeTypes: {5}( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' + EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {6}( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife + ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {7}( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewable + Age' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALU + E ) +olcAttributeTypes: {8}( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferen + ces' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {9}( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' + EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: {10}( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' + EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {11}( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' + EQUALITY distinguishedNameMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {12}( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' + EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {13}( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope + ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {14}( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalRe + ferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 + .12 ) +olcAttributeTypes: {15}( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNaming + Attr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE- + VALUE ) +olcAttributeTypes: {16}( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' + EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {17}( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' + EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {18}( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' + EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {19}( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffC + hars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VAL + UE ) +olcAttributeTypes: {20}( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLengt + h' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE + ) +olcAttributeTypes: {21}( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryL + ength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA + LUE ) +olcAttributeTypes: {22}( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQU + ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {23}( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInt + erval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA + LUE ) +olcAttributeTypes: {24}( 1.3.6.1.4.1.5322.21.2.3 NAME 
'krbPwdLockoutDuration + ' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {25}( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQ + UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {26}( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUAL + ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: {27}( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLi + fe' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE + ) +olcAttributeTypes: {28}( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalt + s' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE- + VALUE ) +olcAttributeTypes: {29}( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyRe + ference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. + 12 SINGLE-VALUE ) +olcAttributeTypes: {30}( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExp + iration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE ) +olcAttributeTypes: {31}( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKe + y' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: {32}( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolic + yReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121 + .1.12 SINGLE-VALUE ) +olcAttributeTypes: {33}( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' E + QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: {34}( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncS + altTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: {35}( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEn + cSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: {36}( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' + EQUALITY octetStringMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: {37}( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChan + ge' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SING + LE-VALUE ) +olcAttributeTypes: {38}( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' E + QUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VA + LUE ) +olcAttributeTypes: {39}( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUAL + ITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: {40}( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAl + iases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {41}( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccess + fulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 + SINGLE-VALUE ) +olcAttributeTypes: {42}( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedA + uth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SIN + GLE-VALUE ) +olcAttributeTypes: {43}( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailed + Count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA + LUE ) +olcAttributeTypes: {44}( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' + EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: {45}( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectRefer + ences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + ) +olcAttributeTypes: {46}( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContai + nerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 + 2 ) +olcAttributeTypes: {47}( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuth + Ind' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: {48}( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateT + o' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6. 
+ 1.4.1.1466.115.121.1.26 ) +olcObjectClasses: {0}( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP + top STRUCTURAL MUST cn ) +olcObjectClasses: {1}( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer + ' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ k + rbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSa + ltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdm + Servers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef + ) ) +olcObjectClasses: {2}( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP t + op ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) ) +olcObjectClasses: {3}( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SU + P krbService STRUCTURAL ) +olcObjectClasses: {4}( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SU + P krbService STRUCTURAL ) +olcObjectClasses: {5}( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' + SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled + $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krb + PasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHisto + ry $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastS + uccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ kr + bAllowedToDelegateTo $ krbPrincipalAuthInd ) ) +olcObjectClasses: {6}( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP + top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences ) +olcObjectClasses: {7}( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' + SUP top AUXILIARY MAY krbPrincipalReferences ) +olcObjectClasses: {8}( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' S + UP krbService STRUCTURAL ) +olcObjectClasses: {9}( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SU + P top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDif + fChars $ krbPwdMinLength $ krbPwdHistoryLength $ 
krbPwdMaxFailure $ krbPwdF + ailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxL + ife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) ) +olcObjectClasses: {10}( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicy + Aux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRene + wableAge ) ) +olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy + ' SUP top STRUCTURAL MUST cn ) + diff --git a/roles/ldap/files/ldapns.ldif b/roles/ldap/files/ldapns.ldif new file mode 100644 index 0000000..a86f8f5 --- /dev/null +++ b/roles/ldap/files/ldapns.ldif @@ -0,0 +1,19 @@ +# LDAP Name Service Additional Schema +# Source: pam_ldap package by Luke Howard converted to LDIF +# Has not been published in Internet Draft or RFC. + +dn: cn=ldapns,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: ldapns +olcAttributeTypes: {0}( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' + DESC 'IANA GSS-API authorized service name' + EQUALITY caseIgnoreMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) +olcObjectClasses: {0}( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' + DESC 'Auxiliary object class for adding authorizedService attribute' + SUP top AUXILIARY + MAY authorizedService ) +olcObjectClasses: {1}( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' + DESC 'Auxiliary object class for adding host attribute' + SUP top AUXILIARY + MAY host ) diff --git a/roles/ldap/files/phamm-vacation.ldif b/roles/ldap/files/phamm-vacation.ldif new file mode 100644 index 0000000..3761419 --- /dev/null +++ b/roles/ldap/files/phamm-vacation.ldif 
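Review bot: `krbPrincipalKey` (`olcAttributeTypes: {31}`), `krbMKey` (`{39}`) and `krbPwdHistory` (`{36}`) are the octet-string attributes that hold principal long-term keys, the realm master key and password history, and nothing in this hunk or the visible part of the patch restricts read access to them; the ACL the commit message announces lives in roles/ldap/tasks/1_configure_server.yaml, which is outside this page. Before this schema is loaded into a server with a default `to * by * read` tail, confirm that the `olcAccess` set there denies these attributes to everyone but the KDC/kadmin bind DNs, e.g. `to attrs=krbPrincipalKey,krbMKey,krbPwdHistory by dn.exact=<kdc bind dn> write by * none`, in the same way `userPassword` is normally handled. The file also lacks the provenance header that ldapns.ldif carries; a one-line `# Kerberos schema (appears to be kerberos.schema as shipped with MIT krb5) converted to cn=config LDIF` at the top would let the next maintainer re-derive it when the upstream schema changes.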
@@ -0,0 +1,30 @@ +dn: cn=phamm-vacation,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: phamm-vacation +olcAttributeTypes: {0}( 1.3.6.1.4.1.22339.2.1.1 NAME 'vacationActive' DESC ' + A flag, for marking the user as being away' EQUALITY booleanMatch SYNTAX 1. + 3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {1}( 1.3.6.1.4.1.22339.2.1.2 NAME 'vacationInfo' DESC 'Ab + sentee note to leave behind, while on vacation' EQUALITY octetStringMatch S + YNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) +olcAttributeTypes: {2}( 1.3.6.1.4.1.22339.2.1.3 NAME 'vacationStart' DESC 'B + eginning of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115 + .121.1.40 SINGLE-VALUE ) +olcAttributeTypes: {3}( 1.3.6.1.4.1.22339.2.1.4 NAME 'vacationEnd' DESC 'End + of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.4 + 0 SINGLE-VALUE ) +olcAttributeTypes: {4}( 1.3.6.1.4.1.22339.2.1.5 NAME 'vacationForward' DESC + 'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5S + ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +olcAttributeTypes: {5}( 1.3.6.1.4.1.22339.2.1.6 NAME 'vacationSubject' DESC + 'Subject for the vacation message' EQUALITY octetStringMatch SYNTAX 1.3.6.1 + .4.1.1466.115.121.1.40 SINGLE-VALUE ) +olcAttributeTypes: {6}( 1.3.6.1.4.1.22339.2.1.7 NAME 'vacationReminder' DESC + 'How many hours we should wait before a second email from someone will cau + se another vacation message to be sent to that email address' EQUALITY octe + tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) +olcObjectClasses: {0}( 1.3.6.1.4.1.22339.2.2.1 NAME 'Vacation' DESC 'Users v + acation status information' SUP top AUXILIARY MUST vacationActive MAY ( vac + ationInfo $ vacationStart $ vacationEnd $ vacationForward $ vacationSubject + $ vacationReminder ) ) + diff --git a/roles/ldap/files/phamm-vacation.schema b/roles/ldap/files/phamm-vacation.schema deleted file mode 100644 index f77aa25..0000000 
--- a/roles/ldap/files/phamm-vacation.schema +++ /dev/null 
@@ -1,63 +0,0 @@ -#-------------------------------------------------------------------------- -# LDAP Schema for phamm-vacation -#---------------------- -# Release 1.1.1 -# 2012/08/28 -#-------------------------------------------------------------------------- -# Copyright (c) 2008-2016 Mirko Grava, RHX Srl - www.rhx.it -# Permission is granted to copy, distribute and/or modify this document -# under the terms of the GNU Free Documentation License, Version 2 -# or any later version published by the Free Software Foundation; -#-------------------------------------------------------------------------- -# 1.3.6.1.4.1.22339 RHX Srl's OID -# 1.3.6.1.4.1.22339.2 Phamm-vacation -# 1.3.6.1.4.1.22339.2.1 AttributeTypes -# 1.3.6.1.4.1.22339.2.2 ObjectClasses -#-------------------------------------------------------------------------- - -# Attribute Types -#----------------- -attributetype ( 1.3.6.1.4.1.22339.2.1.1 NAME 'vacationActive' - DESC 'A flag, for marking the user as being away' - EQUALITY booleanMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.2.1.2 NAME 'vacationInfo' - DESC 'Absentee note to leave behind, while on vacation' - EQUALITY octetStringMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.2.1.3 NAME 'vacationStart' - DESC 'Beginning of vacation' - EQUALITY octetStringMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.2.1.4 NAME 'vacationEnd' - DESC 'End of vacation' - EQUALITY octetStringMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.2.1.5 NAME 'vacationForward' - DESC 'RFC1274: RFC822 Mailbox' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) - -attributetype ( 1.3.6.1.4.1.22339.2.1.6 NAME 'vacationSubject' - DESC 'Subject for the vacation message' - EQUALITY octetStringMatch - SYNTAX 
1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.2.1.7 NAME 'vacationReminder' - DESC 'How many hours we should wait before a second email from someone will cause another vacation message to be sent to that email address' - EQUALITY octetStringMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) - -# Classes -#--------- - -objectclass ( 1.3.6.1.4.1.22339.2.2.1 NAME 'Vacation' - SUP top AUXILIARY - DESC 'Users vacation status information' - MUST ( vacationActive ) - MAY ( vacationInfo $ vacationStart $ vacationEnd $ vacationForward $ vacationSubject $ vacationReminder ) ) diff --git a/roles/ldap/files/phamm.ldif b/roles/ldap/files/phamm.ldif new file mode 100644 index 0000000..ed2e929 --- /dev/null +++ b/roles/ldap/files/phamm.ldif 
@@ -0,0 +1,132 @@ +dn: cn=phamm,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: phamm +olcAttributeTypes: {0}( 1.3.6.1.4.1.22339.1.1.1 NAME 'postfixTransport' DESC + 'A string directing postfix which transport to use' EQUALITY caseExactIA5M + atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE ) +olcAttributeTypes: {1}( 1.3.6.1.4.1.22339.1.1.2 NAME 'accountActive' DESC 'A + boolean telling whether an account is active or not' EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {2}( 1.3.6.1.4.1.22339.1.1.3 NAME 'lastChange' DESC 'Time + in unix time of last change in entry' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +olcAttributeTypes: {3}( 1.3.6.1.4.1.22339.1.1.4 NAME 'vd' DESC 'A virtual do + main managed by Phamm' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs + tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {4}( 1.3.6.1.4.1.22339.1.1.5 NAME 'mailbox' DESC 'The abs + olute path to the mailbox for a mail account in a non-default location' EQU + ALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {5}( 1.3.6.1.4.1.22339.1.1.6 NAME 'quota' DESC 'A string + that represents the quota on a mailbox' EQUALITY caseExactIA5Match SYNTAX 1 + .3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {6}( 1.3.6.1.4.1.22339.1.1.7 NAME 'clearPassword' DESC 'A + separate text that stores the mail account password in clear text' EQUALIT + Y octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) +olcAttributeTypes: {7}( 1.3.6.1.4.1.22339.1.1.8 NAME 'maildrop' DESC 'RFC822 + Mailbox - mail alias' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs + tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +olcAttributeTypes: {8}( 1.3.6.1.4.1.22339.1.1.9 NAME 'mailsource' DESC 'Mess + age source' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: {9}( 
1.3.6.1.4.1.22339.1.1.10 NAME 'editAliases' DESC 'A + boolean telling whether a domain manager can edit Aliases' EQUALITY boolean + Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {10}( 1.3.6.1.4.1.22339.1.1.11 NAME 'editAccounts' DESC ' + A boolean telling whether a domain manager can edit Accounts' EQUALITY bool + eanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {11}( 1.3.6.1.4.1.22339.1.1.12 NAME 'editAV' DESC 'A bool + ean telling whether a domain manager can edit Antivirus' EQUALITY booleanMa + tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {12}( 1.3.6.1.4.1.22339.1.1.13 NAME 'delete' DESC 'A bool + ean telling whether this item is marked for deletion' EQUALITY booleanMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {13}( 1.3.6.1.4.1.22339.1.1.14 NAME 'forwardActive' DESC + 'A boolean telling whether this item is using forward' EQUALITY booleanMatc + h SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {14}( 1.3.6.1.4.1.22339.1.1.15 NAME 'maxDomain' DESC 'A s + tring that represents the max domain for a VirtualAdmin' EQUALITY caseExact + IA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {15}( 1.3.6.1.4.1.22339.1.1.16 NAME 'maxMail' DESC 'A str + ing that represents the max mail for a VirtualAdmin' EQUALITY caseExactIA5M + atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {16}( 1.3.6.1.4.1.22339.1.1.17 NAME 'maxAlias' DESC 'A st + ring that represents the max alias for a VirtualAdmin' EQUALITY caseExactIA + 5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {17}( 1.3.6.1.4.1.22339.1.1.18 NAME 'maxQuota' DESC 'A st + ring that represents the max quota for a VirtualAdmin' EQUALITY caseExactIA + 5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {18}( 1.3.6.1.4.1.22339.1.1.19 NAME 'adminID' DESC 'A str + ing that 
represents the dn of admin domain' EQUALITY caseExactIA5Match SYNT + AX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {19}( 1.3.6.1.4.1.22339.1.1.20 NAME 'vdHome' DESC 'The ab + solute path to the virtual domain home' EQUALITY caseExactIA5Match SYNTAX 1 + .3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {20}( 1.3.6.1.4.1.22339.1.1.21 NAME 'otherTransport' DESC + 'A string directing postfix which transport to use' EQUALITY caseExactIA5M + atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE ) +olcAttributeTypes: {21}( 1.3.6.1.4.1.22339.1.1.22 NAME 'creationDate' DESC ' + Timestamp of creation' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.12 + 1.1.27{14} SINGLE-VALUE ) +olcAttributeTypes: {22}( 1.3.6.1.4.1.22339.1.1.23 NAME 'otherPath' DESC 'Thi + s path to help any application' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4 + .1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {23}( 1.3.6.1.4.1.22339.1.1.24 NAME 'createMaildir' DESC + 'A boolean telling when we must create Maildir for maildrop transport' EQUA + LITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {24}( 1.3.6.1.4.1.22339.1.1.25 NAME 'smtpAuth' DESC 'A bo + olean telling when we could do smtp-auth' EQUALITY booleanMatch SYNTAX 1.3. 
+ 6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {25}( 1.3.6.1.4.1.22339.1.1.26 NAME 'expireDate' DESC 'Ex + pire date' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} S + INGLE-VALUE ) +olcAttributeTypes: {26}( 1.3.6.1.4.1.22339.1.1.27 NAME 'mailAutoreply' DESC + 'RFC822 Mailbox - mail for autoreply' EQUALITY caseIgnoreIA5Match SUBSTR ca + seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) +olcAttributeTypes: {27}( 1.3.6.1.4.1.22339.1.1.28 NAME 'bypassGreyListing' D + ESC 'A boolean telling when we could bypass Grey Listing' EQUALITY booleanM + atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: {28}( 1.3.6.1.4.1.22339.1.1.29 NAME 'phammGroup' DESC 'De + fine the phamm Group of the VirtualMailAccount' EQUALITY caseIgnoreMatch SU + BSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) +olcAttributeTypes: {29}( 1.3.6.1.4.1.22339.1.1.30 NAME 'maxSmtpAuth' DESC 'A + string that represents the max SMTP Auth for a VirtualAdmin' EQUALITY case + ExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {30}( 1.3.6.1.4.1.22339.1.1.31 NAME 'maxAntivirus' DESC ' + A string that represents the max Antivirus for a VirtualAdmin' EQUALITY cas + eExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {31}( 1.3.6.1.4.1.22339.1.1.32 NAME 'maxAntiSpam' DESC 'A + string that represents the max AntiSpam for a VirtualAdmin' EQUALITY caseE + xactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: {32}( 1.3.6.1.4.1.22339.1.1.33 NAME 'maxGreyList' DESC 'A + string that represents the max AntiGreyList for a VirtualAdmin' EQUALITY c + aseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcObjectClasses: {0}( 1.3.6.1.4.1.22339.1.2.1 NAME 'VirtualMailAccount' DES + C 'Mail account objects' SUP inetOrgPerson STRUCTURAL MUST ( mail $ vdHome + $ mailbox $ accountActive $ lastChange $ delete ) MAY ( 
quota $ otherTransp + ort $ editAccounts $ creationDate $ createMaildir $ smtpAuth $ expireDate $ + mailAutoreply $ bypassGreyListing $ phammGroup ) ) +olcObjectClasses: {1}( 1.3.6.1.4.1.22339.1.2.2 NAME 'VirtualMailAlias' DESC + 'Mail aliasing/forwarding entry' SUP inetOrgPerson STRUCTURAL MUST ( mail $ + maildrop $ accountActive $ lastChange ) MAY ( mailsource $ editAccounts $ + creationDate $ smtpAuth $ expireDate $ bypassGreyListing ) ) +olcObjectClasses: {2}( 1.3.6.1.4.1.22339.1.2.3 NAME 'VirtualDomain' DESC 'Vi + rtual Domain entry to be used with postfix transport maps' SUP top STRUCTUR + AL MUST ( vd $ accountActive $ lastChange $ delete ) MAY ( postfixTransport + $ description $ maxMail $ maxAlias $ maxQuota $ editAV $ adminID $ creatio + nDate $ bypassGreyListing $ maxSmtpAuth $ maxAntivirus $ maxAntiSpam $ maxG + reyList ) ) +olcObjectClasses: {3}( 1.3.6.1.4.1.22339.1.2.4 NAME 'VirtualForward' DESC 'F + orward setting for VirtualMailAccount' SUP top AUXILIARY MUST forwardActive + MAY maildrop ) +olcObjectClasses: {4}( 1.3.6.1.4.1.22339.1.2.5 NAME 'VirtualAdmin' DESC 'Vir + tual Admin entry' SUP inetOrgPerson STRUCTURAL MUST ( mail $ maxDomain $ ac + countActive $ lastChange ) MAY ( vd $ editAccounts ) ) +olcObjectClasses: {5}( 1.3.6.1.4.1.22339.1.2.6 NAME 'VirtualBackupDomain' DE + SC 'Virtual Backup Domain entry to be used for relay' SUP top STRUCTURAL MU + ST ( vd $ accountActive $ lastChange $ delete ) MAY description ) +olcObjectClasses: {6}( 1.3.6.1.4.1.22339.1.2.7 NAME 'VirtualBackupMail' DESC + 'Virtual Backup Mail entry to be used for relay' SUP top STRUCTURAL MUST ( + mail $ accountActive $ lastChange ) MAY description ) +olcObjectClasses: {7}( 1.3.6.1.4.1.22339.1.2.8 NAME 'Yap' DESC 'Yet another + path' SUP top AUXILIARY MUST otherPath ) + diff --git a/roles/ldap/files/phamm.schema b/roles/ldap/files/phamm.schema deleted file mode 100644 index 2b6208b..0000000 --- a/roles/ldap/files/phamm.schema +++ /dev/null 
@@ -1,240 +0,0 @@ -#-------------------------------------------------------------------------- -# LDAP Schema for phamm -#---------------------- -# Release 1.5 -# 2014/10/3 -#-------------------------------------------------------------------------- -# Copyright (c) 2006-2016 Mirko Grava, RHX Srl - www.rhx.it -# Permission is granted to copy, distribute and/or modify this document -# under the terms of the GNU Free Documentation License, Version 2 -# or any later version published by the Free Software Foundation; -#-------------------------------------------------------------------------- -# 1.3.6.1.4.1.22339 RHX Srl's OID -# 1.3.6.1.4.1.22339.1 Phamm -# 1.3.6.1.4.1.22339.1.1 AttributeTypes -# 1.3.6.1.4.1.22339.1.2 ObjectClasses -#-------------------------------------------------------------------------- - -# Attribute Types -#----------------- - -attributetype ( 1.3.6.1.4.1.22339.1.1.1 NAME 'postfixTransport' - DESC 'A string directing postfix which transport to use' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.2 NAME 'accountActive' - DESC 'A boolean telling whether an account is active or not' - EQUALITY booleanMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.3 NAME 'lastChange' - DESC 'Time in unix time of last change in entry' - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.4 NAME 'vd' - DESC 'A virtual domain managed by Phamm' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.5 NAME 'mailbox' - DESC 'The absolute path to the mailbox for a mail account in a non-default location' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.6 NAME 'quota' - DESC 'A string that represents the quota on a mailbox' - EQUALITY 
caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.7 NAME 'clearPassword' - DESC 'A separate text that stores the mail account password in clear text' - EQUALITY octetStringMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128}) - -attributetype ( 1.3.6.1.4.1.22339.1.1.8 NAME 'maildrop' - DESC 'RFC822 Mailbox - mail alias' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.9 NAME 'mailsource' - DESC 'Message source' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.10 NAME 'editAliases' - DESC 'A boolean telling whether a domain manager can edit Aliases' - EQUALITY booleanMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.11 NAME 'editAccounts' - DESC 'A boolean telling whether a domain manager can edit Accounts' - EQUALITY booleanMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.12 NAME 'editAV' - DESC 'A boolean telling whether a domain manager can edit Antivirus' - EQUALITY booleanMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.13 NAME 'delete' - DESC 'A boolean telling whether this item is marked for deletion' - EQUALITY booleanMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.14 NAME 'forwardActive' - DESC 'A boolean telling whether this item is using forward' - EQUALITY booleanMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.15 NAME 'maxDomain' - DESC 'A string that represents the max domain for a VirtualAdmin' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.16 NAME 'maxMail' - 
DESC 'A string that represents the max mail for a VirtualAdmin' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.17 NAME 'maxAlias' - DESC 'A string that represents the max alias for a VirtualAdmin' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.18 NAME 'maxQuota' - DESC 'A string that represents the max quota for a VirtualAdmin' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.19 NAME 'adminID' - DESC 'A string that represents the dn of admin domain' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.20 NAME 'vdHome' - DESC 'The absolute path to the virtual domain home' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.21 NAME 'otherTransport' - DESC 'A string directing postfix which transport to use' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.22 NAME 'creationDate' - DESC 'Timestamp of creation' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.23 NAME 'otherPath' - DESC 'This path to help any application' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.24 NAME 'createMaildir' - DESC 'A boolean telling when we must create Maildir for maildrop transport' - EQUALITY booleanMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.25 NAME 'smtpAuth' - DESC 'A boolean telling when we could do smtp-auth' - EQUALITY booleanMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.26 NAME 
'expireDate' - DESC 'Expire date' - EQUALITY integerMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.27 NAME 'mailAutoreply' - DESC 'RFC822 Mailbox - mail for autoreply' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.28 NAME 'bypassGreyListing' - DESC 'A boolean telling when we could bypass Grey Listing' - EQUALITY booleanMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.29 NAME 'phammGroup' - DESC 'Define the phamm Group of the VirtualMailAccount' - EQUALITY caseIgnoreMatch - SUBSTR caseIgnoreSubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.30 NAME 'maxSmtpAuth' - DESC 'A string that represents the max SMTP Auth for a VirtualAdmin' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.31 NAME 'maxAntivirus' - DESC 'A string that represents the max Antivirus for a VirtualAdmin' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.32 NAME 'maxAntiSpam' - DESC 'A string that represents the max AntiSpam for a VirtualAdmin' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -attributetype ( 1.3.6.1.4.1.22339.1.1.33 NAME 'maxGreyList' - DESC 'A string that represents the max AntiGreyList for a VirtualAdmin' - EQUALITY caseExactIA5Match - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) - -# Classes -#--------- - -objectclass ( 1.3.6.1.4.1.22339.1.2.1 NAME 'VirtualMailAccount' - SUP inetOrgPerson STRUCTURAL - DESC 'Mail account objects' - MUST ( mail $ vdHome $ mailbox $ accountActive $ lastChange $ delete ) - MAY ( quota $ otherTransport $ editAccounts $ creationDate $ createMaildir $ smtpAuth $ expireDate $ mailAutoreply $ 
bypassGreyListing $ phammGroup ) ) - -objectclass ( 1.3.6.1.4.1.22339.1.2.2 NAME 'VirtualMailAlias' - SUP inetOrgPerson STRUCTURAL - DESC 'Mail aliasing/forwarding entry' - MUST ( mail $ maildrop $ accountActive $ lastChange ) - MAY ( mailsource $ editAccounts $ creationDate $ smtpAuth $ expireDate $ bypassGreyListing) ) - -objectclass ( 1.3.6.1.4.1.22339.1.2.3 NAME 'VirtualDomain' - SUP top STRUCTURAL - DESC 'Virtual Domain entry to be used with postfix transport maps' - MUST ( vd $ accountActive $ lastChange $ delete ) - MAY ( postfixTransport $ description $ maxMail $ maxAlias $ maxQuota $ editAV $ adminID $ creationDate $ bypassGreyListing $ maxSmtpAuth $ maxAntivirus $ maxAntiSpam $ maxGreyList) ) - -objectclass ( 1.3.6.1.4.1.22339.1.2.4 NAME 'VirtualForward' - SUP top AUXILIARY - DESC 'Forward setting for VirtualMailAccount' - MUST ( forwardActive ) - MAY ( maildrop ) ) - -objectclass ( 1.3.6.1.4.1.22339.1.2.5 NAME 'VirtualAdmin' - SUP inetOrgPerson STRUCTURAL - DESC 'Virtual Admin entry' - MUST ( mail $ maxDomain $ accountActive $ lastChange ) - MAY ( vd $ editAccounts ) ) - -objectclass ( 1.3.6.1.4.1.22339.1.2.6 NAME 'VirtualBackupDomain' - SUP top STRUCTURAL - DESC 'Virtual Backup Domain entry to be used for relay' - MUST ( vd $ accountActive $ lastChange $ delete ) - MAY ( description ) ) - -objectclass ( 1.3.6.1.4.1.22339.1.2.7 NAME 'VirtualBackupMail' - SUP top STRUCTURAL - DESC 'Virtual Backup Mail entry to be used for relay' - MUST ( mail $ accountActive $ lastChange ) - MAY ( description ) ) - -objectclass ( 1.3.6.1.4.1.22339.1.2.8 NAME 'Yap' - SUP top AUXILIARY - DESC 'Yet another path' - MUST ( otherPath ) - ) - diff --git a/roles/ldap/tasks/1_configure_server.yaml b/roles/ldap/tasks/1_configure_server.yaml new file mode 100644 index 0000000..23f051e --- /dev/null +++ b/roles/ldap/tasks/1_configure_server.yaml 
@@ -0,0 +1,201 @@
+---
+- include_role:
+ name: 'service'
+ vars:
+ service_name: 'nscd'
+ service_packages: 'nscd'
+
+- name: 'set debconf values'
+ debconf:
+ name: 'slapd'
+ question: '{{ item.question }}'
+ vtype: 'string'
+ value: '{{ item.value }}'
+ loop:
+ - { question: 'slapd/domain', value: '{{ ldap_domain }}' }
+ - { question: 'slapd/dump_database', value: 'when needed' }
+ - { question: 'shared/organization', value: '{{ ldap_organization }}' }
+
+- include_role:
+ name: 'service'
+ vars:
+ service_name: 'slapd'
+ service_packages:
+ - 'slapd'
+ - 'ldap-utils'
+ - 'libpam-ldap'
+ - 'python3-ldap'
+ - 'sudo'
+
+- name: 'start slapd service'
+ service:
+ name: 'slapd'
+ enabled: true
+ state: 'started'
+
+- name: 'copy schemas'
+ copy:
+ src: '{{ item }}'
+ dest: '/etc/ldap/schema/'
+ loop:
+ - 'ldapns.ldif'
+ - 'kerberos.ldif'
+ - 'phamm.ldif'
+ - 'phamm-vacation.ldif'
+
+- name: 'activate schemas'
+ command:
+ cmd: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }}'
+ creates: '/etc/ldap/slapd.d/cn=config/cn=schema/cn={*}{{ item }}'
+ loop:
+ - 'ldapns.ldif'
+ - 'kerberos.ldif'
+ - 'phamm.ldif'
+ - 'phamm-vacation.ldif'
+
+- name: 'activate modules'
+ ldap_attr:
+ dn: 'cn=module{0},cn=config'
+ name: 'olcModuleLoad'
+ values:
+ - '{0}back_mdb'
+ - '{1}pw-sha2'
+ - '{2}auditlog'
+ - '{3}memberof'
+
+- name: 'create log dir'
+ file:
+ path: '/var/log/openldap'
+ owner: 'openldap'
+ group: 'openldap'
+ state: 'directory'
+
+- name: 'set loglevel'
+ ldap_attr:
+ dn: 'cn=config'
+ name: 'olcLogLevel'
+ values: 'conns acl'
+
+- name: 'activate auditlog overlay'
+ ldap_entry:
+ dn: 'olcOverlay={0}auditlog,olcDatabase={{ item.db }},cn=config'
+ objectClass:
+ - 'olcOverlayConfig'
+ - 'olcAuditLogConfig'
+ attributes:
+ olcAuditlogFile: '/var/log/openldap/{{ item.logfile }}'
+ loop:
+ - { db: '{0}config', logfile: 'audit_config.ldif' }
+ - { db: '{1}mdb', logfile: 'audit_mdb.ldif' }
+
+- name: 'activate memberof overlay'
+ ldap_entry:
+ dn: 'olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config'
+ objectClass:
+ - 'olcOverlayConfig'
+ - 'olcMemberOf'
+
+- name: 'set default password hash'
+ ldap_attr:
+ dn: 'olcDatabase={-1}frontend,cn=config'
+ name: 'olcPasswordHash'
+ values: '{SSHA512}'
+
+- name: 'evaluating base_dn'
+ set_fact:
+ base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'
+
+- name: 'configure TLS x509 <-> ldap dn translation'
+ ldap_attr:
+ dn: 'cn=config'
+ name: 'olcAuthzRegexp'
+ state: 'exact'
+ values:
+ - |-
+ {0} ^cn=([^,]+),ou=Server,{{ x509_suffix }}$
+ cn=$1,ou=Server,{{ base_dn }}
+ - |-
+ {1} ^mail=[^,]+,cn=([^,]+),ou=People,{{ x509_suffix }}$
+ cn=$1,ou=People,{{ base_dn }}
+
+- name: 'configure main tree acls'
+ ldap_attr:
+ dn: 'olcDatabase={1}mdb,cn=config'
+ name: 'olcAccess'
+ state: 'exact'
+ values:
+ # [0] -> Admins can proxy-auth to RootDN
+ # /proxy-auth is not required for routine user-management operations
+ - |-
+ {0} to dn.exact=cn=admin,{{ base_dn }} attrs=authzFrom
+ by group.exact=cn=admin,ou=Group,dc=lilik,dc=it auth
+ by * none
+ # [1] :: ou=People
+ # [1.0] -> Admins can edit People `userPassword`
+ # -> People can edit their `userPassword`
+ # -> Anyone can auth with `userPassword` if using strong TLS.
+ - |-
+ {1} to dn.one=ou=People,{{ base_dn }} attrs=userPassword
+ by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+ by self write
+ by anonymous tls_ssf=256 auth
+ by * none
+ # [1.1] -> Admins can list the full People tree
+ # -> Servers can perform search on People tree
+ - |-
+ {2}to dn.exact=ou=People,{{ base_dn }} attrs=entry
+ by group.exact=cn=admin,ou=Group,{{ base_dn }} read
+ by dn.children=ou=Server,{{ base_dn }} search
+ by * none
+ # [1.2] -> Admins can add/remove People entries
+ - |-
+ {3} to dn.exact=ou=People,{{ base_dn }} attrs=children
+ by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+ by * none
+ # [1.3] -> Admins can edit all People attributes
+ # -> Servers can read all People attributes (except userPassword)
+ # -> People can read all their attributes
+ # -> Break: over privileges may be accorded later (i.e.: servers)
+ - |-
+ {4} to dn.one=ou=People,{{ base_dn }}
+ by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+ by dn.children=ou=Server,{{ base_dn }} read
+ by self read
+ by * break
+ # [1.5] -> No other access to People tree
+ - |-
+ {5} to dn.subtree=ou=People,{{ base_dn }}
+ by * none
+ # [2] :: ou=Group
+ # [2.1] -> Admins can add/remove members from groups
+ - |-
+ {6} to dn.one=ou=Group,{{ base_dn }} attrs=member
+ by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+ by * none
+ # [2.2] -> No other access to Group tree
+ - |-
+ {7} to dn.children=ou=Group,{{ base_dn }}
+ by * none
+ # [3] :: ou=Server
+ # [3.0] -> Local servers can simple-bind their entries if using TLS
+ # /Server using TLS-client Auth with OU=Server are automatically authenticated
+ - |-
+ {8} to dn.children=ou=Server,{{ base_dn }} attrs=userPassword
+ by peername.ip=10.151.42.0%255.255.255.0 tls_ssf=256 auth
+ by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+ by * none
+ # [3.1] -> No other access to Server tree
+ - |-
+ {9} to dn.subtree=ou=Server,{{ base_dn }}
+ by * none
+ # [4] :: ou=VirtualDomains - WiP
+ # [4.0] -> Admins can write whole subtree
+ # [4.1] -> Servers can read whole subtree
+# - >-
+# to dn.subtree=ou=VirtualDomains,{{ base_dn }}
+# by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+# by dn.children=ou=Server,{{ base_dn }} read
+ # [5] :: ou=Kerberos - Wi
+
+...
+
diff --git a/roles/ldap/tasks/2_renew_rootpw.yaml b/roles/ldap/tasks/2_renew_rootpw.yaml
new file mode 100644
index 0000000..199a36d
--- /dev/null
+++ b/roles/ldap/tasks/2_renew_rootpw.yaml
@@ -0,0 +1,40 @@
+---
+- name: 'evaluating base_dn'
+ set_fact:
+ base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'
+
+- name: 'renewing admin password - generation'
+ gen_passwd: 'length=32'
+ register: new_passwd
+
+- name: 'renewing admin password - hashing'
+ shell: >
+ slappasswd
+ -o module-load=pw-sha2
+ -h "{SSHA512}"
+ -s "{{ new_passwd.passwd }}"
+ register: new_passwd_hash
+
+- name: 'renewing admin password - setting RootPW'
+ ldap_attr:
+ dn: 'olcDatabase={1}mdb,cn=config'
+ name: 'olcRootPW'
+ values: '{{ new_passwd_hash.stdout }}'
+ state: 'exact'
+
+- name: 'renewing admin password - calling ldappasswd'
+ ldap_passwd:
+ dn: 'cn=admin,{{ base_dn }}'
+ passwd: '{{ new_passwd.passwd }}'
+ bind_dn: 'cn=admin,{{ base_dn }}'
+ bind_pw: '{{ new_passwd.passwd }}'
+
+- name: 'renewing admin password - storing plaintext'
+ copy:
+ content: '{{ new_passwd.passwd }}'
+ dest: '/etc/slapd.secret'
+
+- name: 'renewing admin password - setting fact'
+ set_fact:
+ ldap_passwd: '{{ new_passwd.passwd }}'
+...
diff --git a/roles/ldap/tasks/3_provision_tree.yaml b/roles/ldap/tasks/3_provision_tree.yaml
new file mode 100644
index 0000000..c0c1eec
--- /dev/null
+++ b/roles/ldap/tasks/3_provision_tree.yaml
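Review bot: ACL `{0}` hard-codes the admin group as `by group.exact=cn=admin,ou=Group,dc=lilik,dc=it auth` while every other rule in `configure main tree acls` uses `{{ base_dn }}`; on any deployment where `ldap_domain` is not lilik.it the group never matches and the rule falls through to `by * none`, so it should read `by group.exact=cn=admin,ou=Group,{{ base_dn }} auth`. The `create log dir` task sets owner and group on `/var/log/openldap` but no mode, and the auditlog overlay writes every modification there in LDIF (including `olcRootPW` and `userPassword` values as they are set), so add `mode: '0700'` to that task. Rule `{2}to` lacks the space after the index prefix that the other rules have; slapd may tolerate it once the `{n}` prefix is stripped, but it should be normalised to `{2} to`. The subnet in rule `{8}` (`peername.ip=10.151.42.0%255.255.255.0`) is also a site constant that belongs in a role variable next to `ldap_domain`.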
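Review bot: The new RootDN password is handled in the clear at several points these tasks do not protect: `slappasswd ... -s "{{ new_passwd.passwd }}"` puts it on a command line (visible in the process table and in Ansible's task output), and the `copy` to `/etc/slapd.secret` sets no `mode`, so the file is created under the default umask and is typically world-readable. Add `no_log: true` to the generation, hashing, ldappasswd and copy tasks, and `mode: '0600'` plus `owner: 'root'` to the copy. For the hashing step, `slappasswd -T <file>` reads the secret from a file instead of argv, or the value can be fed through the `stdin` option of `command`, either of which keeps it out of the process list.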
@@ -0,0 +1,143 @@
+---
+- name: 'evaluating base_dn'
+ set_fact:
+ base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'
+
+- when: ldap_passwd is not defined
+ block:
+ - name: 'get plaintext admin password'
+ slurp:
+ path: '/etc/slapd.secret'
+ register: slapd_secret
+
+ - name: 'set ldap_passwd'
+ set_fact:
+ ldap_passwd: '{{ slapd_secret.content | b64decode }}'
+
+- set_fact:
+- name: 'provisioning tree - organization units'
+ ldap_entry:
+ dn: 'ou={{ item }},{{ base_dn }}'
+ objectClass:
+ - 'organizationalUnit'
+ bind_dn: 'cn=admin,{{ base_dn }}'
+ bind_pw: '{{ ldap_passwd }}'
+ loop:
+ - 'People'
+ - 'Group'
+ - 'Server'
+ - 'VirtualDomain'
+ - 'Kerberos'
+
+- name: 'provisioning tree - virtual domains'
+ ldap_entry:
+ dn: 'vd={{ item }},ou=VirtualDomain,{{ base_dn }}'
+ objectClass:
+ - 'VirtualDomain'
+ attributes:
+ postfixTransport: 'maildrop:'
+ delete: 'FALSE'
+ accountActive: 'TRUE'
+ lastChange: '{{ ansible_date_time.epoch }}'
+ bind_dn: 'cn=admin,{{ base_dn }}'
+ bind_pw: '{{ ldap_passwd }}'
+ loop: '{{ virtual_domains }}'
+
+- name: 'provisioning tree - virtual domain postmasters'
+ ldap_entry:
+ dn: 'cn=postmaster,vd={{ item }},ou=VirtualDomain,{{ base_dn }}'
+ objectClass:
+ - 'VirtualMailAlias'
+ attributes:
+ mail: 'postmaster@{{ item }}'
+ editAccounts: 'TRUE'
+ accountActive: 'TRUE'
+ lastChange: '{{ ansible_date_time.epoch }}'
+ maildrop: 'postmaster'
+ sn: 'postmaster'
+ bind_dn: 'cn=admin,{{ base_dn }}'
+ bind_pw: '{{ ldap_passwd }}'
+ loop: '{{ virtual_domains }}'
+
+- name: 'provisioning tree - posix groups'
+ ldap_entry:
+ dn: 'cn={{ item.name }},ou=Group,{{ base_dn }}'
+ objectClass:
+ - 'posixGroup'
+ attributes:
+ gidNumber: '{{ item.gid }}'
+ bind_dn: 'cn=admin,{{ base_dn }}'
+ bind_pw: '{{ ldap_passwd }}'
+ loop:
+ - { name: 'stduser', gid: 5000 }
+ - { name: 'user_sites', gid: 900 }
+
+- name: 'provisioning tree - name groups'
+ ldap_entry:
+ dn: 'cn={{ item }},ou=Group,{{ base_dn }}'
+ objectClass:
+ - 'groupOfNames'
+ attributes:
+ member: 'cn=admin,{{ base_dn }}'
+ bind_dn: 'cn=admin,{{ base_dn }}'
+ bind_pw: '{{ ldap_passwd }}'
+ loop:
+ - 'admin'
+ - 'wiki'
+ - 'lilik.it'
+ - 'cloud'
+ - 'projects'
+ - 'teambox'
+ - 'im'
+
+- name: 'provisioning tree - test users'
+ ldap_entry:
+ dn: 'cn={{ item.user }},ou=People,{{ base_dn }}'
+ objectClass:
+ - 'inetOrgPerson'
+ - 'authorizedServiceObject'
+ attributes: '{{ item.attrs }}'
+ bind_dn: 'cn=admin,{{ base_dn }}'
+ bind_pw: '{{ ldap_passwd }}'
+ loop:
+ - { user: 'pippo', attrs: { sn: 'User Pippo', mail: 'pippo@lilik.it', authorizedService: 'gitlab' } }
+ - { user: 'pluto', attrs: { sn: 'User Pluto', mail: 'pluto@lilik.it' } }
+ - { user: 'test_admin', attrs: { sn: 'Test admin', mail: 'admin1@lilik.it' } }
+
+- name: 'provisioning tree - test users passwd'
+ ldap_passwd:
+ dn: 'cn={{ item.user }},ou=People,{{ base_dn }}'
+ passwd: '{{ item.passwd }}'
+ bind_dn: 'cn=admin,{{ base_dn }}'
+ bind_pw: '{{ ldap_passwd }}'
+ loop:
+ - { user: 'pippo', passwd: 'pippopippo' }
+ - { user: 'pluto', passwd: 'plutopluto' }
+ - { user: 'test_admin', passwd: 'pippopippo' }
+
+- name: 'provisioning tree - admin group members'
+ ldap_attr:
+ dn: 'cn=admin,ou=Group,{{ base_dn }}'
+ name: 'member'
+ values: 'cn=test_admin,ou=People,{{ base_dn }}'
+ bind_dn: 'cn=admin,{{ base_dn }}'
+ bind_pw: '{{ ldap_passwd }}'
+
+- name: 'provisioning tree - servers'
+ ldap_entry:
+ dn: 'cn={{ item }},ou=Server,{{ base_dn }}'
+ objectClass: 'applicationProcess'
+ objectClass: 'person'
+ attributes:
+ sn: '{{ item }}'
+ bind_dn: 'cn=admin,{{ base_dn }}'
+ bind_pw: '{{ ldap_passwd }}'
+ loop:
+ - 'TestServer'
+ - 'projects'
+
+#- name: templating ACLs
+# template:
+# src: "global.acl.j2"
+# dest: "/etc/ldap/{{ item }}"
+...
diff --git a/roles/ldap/tasks/4_setup_tls.yaml b/roles/ldap/tasks/4_setup_tls.yaml
new file mode 100644
index 0000000..92f252d
--- /dev/null
+++ b/roles/ldap/tasks/4_setup_tls.yaml
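Review bot: The `test users` and `test users passwd` tasks create `pippo`, `pluto` and `test_admin` with fixed passwords, and the next task adds `cn=test_admin` to `cn=admin,ou=Group`, which the new ACLs grant write access to the People and Group trees plus `authzFrom` on the RootDN; since this file runs whenever `check_tree` is set, a production server ends up with a well-known admin credential. Gate those three tasks behind a dedicated variable that defaults to false (e.g. `when: ldap_create_test_users | default(false)`, name constructed here) or move them to a test-only playbook. In `provisioning tree - servers`, `objectClass:` is given twice; YAML keeps only one of the values (Ansible warns on duplicate keys), so `applicationProcess` is silently dropped — if both are intended they need to be a list, though both are STRUCTURAL classes. The bare `- set_fact:` before the organization-units task is a leftover with no arguments and should be removed, and every task here passes `bind_pw: '{{ ldap_passwd }}'`, so `no_log: true` on them keeps the admin password out of verbose output.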
@@ -0,0 +1,128 @@
+- apt:
+ pkg: 'openssl'
+ state: 'present'
+
+- name: 'generate ED25519 private key'
+ shell:
+ cmd: >
+ openssl genpkey
+ -algorithm ED25519
+ -out /etc/ldap/slapd.key
+ creates: '/etc/ldap/slapd.key'
+
+- name: 'set private key ownership'
+ file:
+ path: '/etc/ldap/slapd.key'
+ owner: 'openldap'
+ group: 'openldap'
+ mode: '600'
+
+- name: 'generate certificate request'
+ shell:
+ cmd: >
+ openssl req
+ -new
+ -subj "{{ ssl_subject_prefix }}/OU=Server/CN={{ ansible_hostname }}.{{ fqdn_domain }}"
+ -key /etc/ldap/slapd.key
+ -out /etc/ldap/slapd.csr
+ creates: '/etc/ldap/slapd.csr'
+
+- name: 'set key ownership and permission'
+ file:
+ path: /etc/ldap
+
+- name: 'lookup_ssl_ca_cert'
+ when: ssl_ca_cert is not defined
+ set_fact:
+ ssl_ca_cert: '{{ lookup("file", "lilik_ca_w1.pub") }}'
+
+- name: 'update ssl_ca_cert'
+ copy:
+ content: "{{ ssl_ca_cert }}"
+ dest: '/etc/ldap/ssl_ca.crt'
+
+- name: 'check if slapd cert is valid'
+ command: >
+ openssl verify
+ -CAfile /etc/ldap/ssl_ca.crt
+ -untrusted /etc/ldap/slapd.crt
+ /etc/ldap/slapd.crt
+ register: slapd_cert_is_valid
+ changed_when: false
+ failed_when: false
+
+- when: slapd_cert_is_valid.rc != 0
+ block:
+ - name: 'renewing cert - generating ca request'
+ cert_request:
+ host: '{{ ansible_hostname }}.{{ fqdn_domain }}'
+ path: '/etc/ldap/slapd.csr'
+ proto: 'ssl'
+ register: ca_request
+
+ - name: 'renewing cert - sending ca sign request'
+ include: 'ca-dialog.yaml'
+
+ - set_fact:
+ request_output: '{{ request_result.stdout | string | from_json }}'
+
+ - debug:
+ var: request_result
+
+ - name: 'renewing cert - generating get cert request'
+ set_fact:
+ ca_request:
+ type: 'get_certificate'
+ requestID: '{{ request_output.requestID }}'
+
+ - debug:
+ msg: >
+ Please manually confirm sign request with id
+ {{ request_output.requestID }}
+
+ - name: 'renewing cert - waiting for ca signature'
+ include: 'ca-dialog.yaml'
+
+ - set_fact:
+ cert_key: '{{ request_result.stdout | string | from_json }}'
+
+ - debug:
+ var: request_result
+ verbosity: 2
+
+ - name: 'renewing cert - storing new cert file'
+ copy:
+ content: '{{ cert_key.result }}'
+ dest: '/etc/ldap/slapd.crt'
+
+# !BUG! Fixed in Ansible dev using ldap_attrs instead of ldap_attr
+# Ref: https://github.com/ansible/ansible/issues/25665
+- name: 'configuring TLS options (workaround)'
+ ldap_attr:
+ dn: 'cn=config'
+ name: '{{ item.name }}'
+ values: '{{ item.value }}'
+ loop:
+ - { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
+ - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
+ failed_when: false
+
+- name: 'configuring TLS options'
+ ldap_attr:
+ dn: 'cn=config'
+ name: '{{ item.name }}'
+ values: '{{ item.value }}'
+ state: 'exact'
+ loop:
+ - { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
+ - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
+ - { name: 'olcTLSCACertificateFile', value: '/etc/ldap/ssl_ca.crt' }
+ - { name: 'olcTLSVerifyClient', value: 'try' } # TLS Client Auth
+
+- name: 'configuring slapd service'
+ lineinfile:
+ line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
+ regexp: '^SLAPD_SERVICES='
+ path: '/etc/default/slapd'
+ notify:
+ - 'restart slapd'
diff --git a/roles/ldap/tasks/main.yaml b/roles/ldap/tasks/main.yaml
index 4517a93..d71df62 100644
--- a/roles/ldap/tasks/main.yaml
+++ b/roles/ldap/tasks/main.yaml
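Review bot: The `set key ownership and permission` task is a no-op: it names `path: /etc/ldap` with no `state`, `owner` or `mode`, so nothing is enforced; give it the intended `mode`/`owner` or delete it. With `SLAPD_SERVICES` keeping `ldap:///` and only ACL `{1}` demanding `tls_ssf=256`, simple binds by admins or servers are still accepted in cleartext on port 389; consider setting `olcSecurity` (for example `simple_bind=128`) on `olcDatabase={1}mdb,cn=config`, keeping in mind that `ldapi:///` sessions are rated by `olcLocalSSF` (default 71) and the `ldap_*` tasks in this role bind that way, so `olcLocalSSF` would have to be raised to match. The `openssl verify` check passes the leaf certificate both as `-untrusted` and as the target, which is harmless but confusing; `openssl verify -CAfile /etc/ldap/ssl_ca.crt /etc/ldap/slapd.crt` is equivalent here. `olcTLSVerifyClient: 'try'` combined with the `olcAuthzRegexp` mappings means any certificate the CA issues with an `ou=Server` or `ou=People` subject maps to a directory identity, so the CA's issuance policy is now part of this server's authentication boundary and deserves a comment on that task.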
@@ -1,123 +1,16 @@
-- include_role:
- name: service
- vars:
- service_name: nscd
- service_packages: nscd
-
-- name: configure OpenLDAP (domain)
- debconf:
- name: 'slapd'
- question: 'slapd/domain'
- vtype: 'string'
- value: '{{ ldap_domain }}'
-- name: configure OpenLDAP (configure)
- debconf:
- name: 'slapd'
- question: 'slapd/dump_database'
- vtype: 'string'
- value: 'when needed'
-- name: configure OpenLDAP (organization)
- debconf:
- name: 'slapd'
- question: 'shared/organization'
- vtype: 'string'
- value: '{{ ldap_organization }}'
-
-- name: slurp slap secret file
- slurp:
- src: /etc/slapd.secret
- register: slapdsecret
- failed_when: false
- changed_when: false
-
-- set_fact:
- slapd_passwd: "{{ slapdsecret['content'] | b64decode }}"
- when: '"content" in slapdsecret'
-
-- block:
- - name: generate admin password
- gen_passwd: length=20
- register: new_passwd
-
- - name: store slapd secret
- copy:
- content : "{{ new_passwd.passwd }}"
- dest: /etc/slapd.secret
-
- - set_fact:
- slapd_passwd: "{{ new_passwd.passwd }}"
- when: 'not "content" in slapdsecret'
-
-- name: configure OpenLDAP (password1)
- debconf:
- name: 'slapd'
- question: 'slapd/password1'
- vtype: 'string'
- value: '{{ slapd_passwd }}'
-
-- name: configure OpenLDAP (password2)
- debconf:
- name: 'slapd'
- question: 'slapd/password2'
- vtype: 'string'
- value: '{{ slapd_passwd }}'
-
-- include_role:
- name: service
- vars:
- service_name: slapd
- service_packages:
- - slapd
- - ldap-utils
- - libpam-ldap
- - sudo
-
-- name: download schemas
- copy:
- src: "{{ item }}"
- dest: /etc/ldap/schema/
- loop:
- - "phamm.schema"
- - "phamm-vacation.schema"
-
-- name: upload slapd config
- template:
- src: slapd.conf.j2
- dest: "/etc/ldap/slapd.conf"
-
-- name: update slapd config
- shell: slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d
- args:
- creates: "/etc/ldap/slapd.d/cn=config/cn=schema/cn={4}phamm.ldif"
- become: true
- become_method: sudo
- become_user: openldap
- notify: restart slapd
-
-- name: fix missing memberOf and pw-sha2 module load
- blockinfile:
- dest: /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
- content: |
- olcModuleLoad: {1}memberof
- olcModuleLoad: {2}pw-sha2
- notify: restart slapd
-
-- name: upload default tree
- template:
- dest=/etc/ldap/default_tree.ldif
- src=default_tree.ldif.j2
- owner=root
- group=root
- mode=0400
- register: upload_default_tree
-
-- name: create default tree
- shell: slapadd -l /etc/ldap/default_tree.ldif
- when: upload_default_tree.changed
- notify: restart slapd
-
-- name: enable OpenLDAP server
- service:
- name: 'slapd'
- enabled: true
- state: started
+---
+- name: 'including configuration tasks'
+ include_tasks: '1_configure_server.yaml'
+
+- name: 'including password renewal tasks'
+ include_tasks: '2_renew_rootpw.yaml'
+ when: renew_rootdn_pw
+
+- name: 'including tree provisionig tasks'
+ include_tasks: '3_provision_tree.yaml'
+ when: check_tree
+
+- name: 'including tls tasks'
+ include_tasks: '4_setup_tls.yaml'
+ when: ldap_tls_enabled
+...
diff --git a/roles/ldap/templates/default_tree.ldif.j2 b/roles/ldap/templates/default_tree.ldif.j2
deleted file mode 100644
index 5836e7c..0000000
--- a/roles/ldap/templates/default_tree.ldif.j2
+++ /dev/null
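Review bot: The task name `'including tree provisionig tasks'` has a typo (`provisioning`). The includes are gated on `renew_rootdn_pw`, `check_tree` and `ldap_tls_enabled`, but `3_provision_tree.yaml` slurps `/etc/slapd.secret`, which only `2_renew_rootpw.yaml` writes, so a first run with `renew_rootdn_pw` false and `check_tree` true fails on the slurp; either document that the renewal must have run once or have the provisioning include `stat` the secret and fail with a clear message. If `renew_rootdn_pw` defaults to true the RootDN password is rotated on every run, which is presumably not intended; that default is not visible in this hunk and is worth confirming.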
@@ -1,186 +0,0 @@ -# Entry 4: o=Group,dc=lilik,dc=it -dn: o=Group,dc=lilik,dc=it -hassubordinates: TRUE -o: Group -objectclass: organization -objectclass: top -structuralobjectclass: organization -subschemasubentry: cn=Subschema - -# Entry 10: cn=stdusers,o=Group,dc=lilik,dc=it -dn: cn=stdusers,o=Group,dc=lilik,dc=it -cn: stdusers -gidnumber: 9000 -hassubordinates: FALSE -objectclass: posixGroup -objectclass: top -structuralobjectclass: posixGroup -subschemasubentry: cn=Subschema - -# Entry 12: cn=users_sites,o=Group,dc=lilik,dc=it -dn: cn=users_sites,o=Group,dc=lilik,dc=it -cn: users_sites -gidnumber: 500 -hassubordinates: FALSE -memberuid: test_user -objectclass: posixGroup -objectclass: top -structuralobjectclass: posixGroup -subschemasubentry: cn=Subschema - -# Entry 14: o=hosting,dc=lilik,dc=it -dn: o=hosting,dc=lilik,dc=it -description: mail.lilik.it hosting root -hassubordinates: TRUE -o: hosting -objectclass: top -objectclass: organization -structuralobjectclass: organization -subschemasubentry: cn=Subschema - -# Entry 22: vd=lilik.it,o=hosting,dc=lilik,dc=it -dn: vd=lilik.it,o=hosting,dc=lilik,dc=it -accountactive: TRUE -delete: FALSE -editav: FALSE -hassubordinates: TRUE -maxalias: 20 -maxmail: 11 -maxquota: 250 -objectclass: top -objectclass: VirtualDomain -postfixtransport: maildrop: -structuralobjectclass: VirtualDomain -subschemasubentry: cn=Subschema -vd: lilik.it -lastChange: 1228821387 - -# Entry 23: cn=postmaster,vd=lilik.it,o=hosting,dc=lilik,dc=it -dn: cn=postmaster,vd=lilik.it,o=hosting,dc=lilik,dc=it -accountactive: TRUE -cn: postmaster -editaccounts: TRUE -hassubordinates: FALSE -mail: postmaster -maildrop: postmaster -objectclass: top -objectclass: VirtualMailAlias -sn: postmaster -structuralobjectclass: VirtualMailAlias -subschemasubentry: cn=Subschema -userpassword: {SSHA}4IuBxQNWgMNPX/lCtP2GgbJeiYX+u4ud -lastChange: 1228821387 - -# Entry 24: mail=abuse,vd=lilik.it,o=hosting,dc=lilik,dc=it -dn: 
mail=abuse,vd=lilik.it,o=hosting,dc=lilik,dc=it -accountactive: TRUE -cn: NONAME -givenname: NONAME -hassubordinates: FALSE -mail: abuse -maildrop: root -objectclass: top -objectclass: VirtualMailAlias -smtpauth: FALSE -sn: NONAME -structuralobjectclass: VirtualMailAlias -subschemasubentry: cn=Subschema -userpassword: {CRYPT}! -lastChange: 1228821387 - -dn: mail=test_user,vd=lilik.it,o=hosting,dc=lilik,dc=it -objectclass: alias -objectclass: extensibleObject -#uid: alias -aliasedobjectname: uid=test_user,o=People,dc=lilik,dc=it - - -# Entry 319: o=People,dc=lilik,dc=it -dn: o=People,dc=lilik,dc=it -hassubordinates: TRUE -o: People -objectclass: organization -objectclass: top -structuralobjectclass: organization -subschemasubentry: cn=Subschema - -dn: uid=test_user,o=People,dc=lilik,dc=it -accountactive: TRUE -cn: Test -delete: FALSE -gidnumber: 100 -givenname: Test -hassubordinates: FALSE -homedirectory: /home/test_user -loginshell: /bin/bash -mail: test_user -objectclass: top -objectclass: inetOrgPerson -objectclass: VirtualMailAccount -objectclass: posixAccount -objectclass: shadowAccount -objectclass: hostObject -othertransport: phamm: -quota: 1024000 -shadowlastchange: 14281 -smtpauth: FALSE -sn: User -structuralobjectclass: VirtualMailAccount -subschemasubentry: cn=Subschema -uid: test_user -uidnumber: 10001 -userpassword: {SSHA}2SWroMDSWoIWlYEvzpHvSRK4PMsjGW/u -lastChange: 1228821387 -vdhome: undefined -mailbox: undefined - - -# Entry 12: cn=admin,o=Group,dc=lilik,dc=it -dn: cn=admin,o=Group,dc=lilik,dc=it -cn: admin -objectClass: groupOfNames -objectClass: top -structuralObjectClass: groupOfNames -member: cn=admin,dc=lilik,dc=it - -dn: cn=wiki,o=Group,dc=lilik,dc=it -cn: wiki -objectClass: groupOfNames -objectClass: top -structuralObjectClass: groupOfNames -member: cn=admin,dc=lilik,dc=it - -dn: cn=lilik.it,o=Group,dc=lilik,dc=it -cn: lilik.it -objectClass: groupOfNames -objectClass: top -structuralObjectClass: groupOfNames -member: cn=admin,dc=lilik,dc=it - 
-dn: cn=cloud,o=Group,dc=lilik,dc=it -cn: cloud -objectClass: groupOfNames -objectClass: top -structuralObjectClass: groupOfNames -member: cn=admin,dc=lilik,dc=it - -dn: cn=projects,o=Group,dc=lilik,dc=it -cn: projects -objectClass: groupOfNames -objectClass: top -structuralObjectClass: groupOfNames -member: cn=admin,dc=lilik,dc=it - -dn: cn=teambox,o=Group,dc=lilik,dc=it -cn: teambox -objectClass: groupOfNames -objectClass: top -structuralObjectClass: groupOfNames -member: cn=admin,dc=lilik,dc=it - -dn: cn=im,o=Group,dc=lilik,dc=it -cn: im -objectClass: groupOfNames -objectClass: top -structuralObjectClass: groupOfNames -member: cn=admin,dc=lilik,dc=it diff --git a/roles/ldap/templates/slapd.conf.j2 b/roles/ldap/templates/slapd.conf.j2 deleted file mode 100644 index 0041210..0000000 --- a/roles/ldap/templates/slapd.conf.j2 +++ /dev/null @@ -1,12 +0,0 @@ -include /etc/ldap/schema/core.schema -include /etc/ldap/schema/cosine.schema -include /etc/ldap/schema/nis.schema -include /etc/ldap/schema/inetorgperson.schema -include /etc/ldap/schema/phamm.schema -include /etc/ldap/schema/phamm-vacation.schema -include /usr/share/doc/libpam-ldap/ldapns.schema - -modulepath /usr/lib/ldap -moduleload memberof.la - -overlay memberof