---
# Install and manage nscd through the shared `service` role. What the role
# does with service_name/service_packages is defined in the role, not here.
- include_role:
    name: "service"
  vars:
    service_name: "nscd"
    service_packages: "nscd"
# Preseed the debconf answers slapd's maintainer scripts read.
# The registered result drives the "wipe and reconfigure" tasks further
# down: they test `debconfs.results[0].changed`, i.e. only a change of the
# FIRST loop item (slapd/domain) triggers a rebuild - a changed organisation
# on its own does not. Keep slapd/domain as the first item.
- name: 'set debconf values'
  debconf:
    name: 'slapd'
    vtype: 'string'
    question: '{{ item.question }}'
    value: '{{ item.value }}'
  loop:
    - question: 'slapd/domain'
      value: '{{ ldap_domain }}'
    - question: 'slapd/dump_database'
      value: 'when needed'
    - question: 'shared/organization'
      value: '{{ ldap_organization }}'
  register: debconfs
# slapd itself plus the client tooling the tasks below depend on.
- include_role:
    name: "service"
  vars:
    service_name: "slapd"
    service_packages:
      - "slapd"          # the directory server
      - "ldap-utils"     # ldapadd, used by 'activate schemas'
      - "libpam-ldap"
      - "python3-ldap"   # required on the target by the ldap_attr/ldap_entry modules
      - "sudo"
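# Remove previous slapd database backups under /var/backups before the
# reconfigure below (presumably so stale copies do not pile up or collide
# with the one the reconfigure produces).
# NOTE(review): this used `with_fileglob`, but that lookup expands its
# pattern on the Ansible controller, not on the target host, so on a remote
# target it matched nothing (or the wrong machine's files). `find` runs on
# the target. file_type 'any' because slapd's maintainer scripts move the
# old database *directory* aside under a *.ldapdb name - confirm on the
# target release.
- name: 'find old backups'
  find:
    paths: '/var/backups'
    patterns: '*.ldapdb'
    file_type: 'any'
  register: old_ldap_backups
  when: debconfs.results[0].changed

- name: 'delete old backups'
  file:
    path: '{{ item.path }}'
    state: 'absent'
  # `loop` is expanded before `when` is evaluated, so default([]) keeps the
  # task valid when the find above was skipped.
  loop: '{{ old_ldap_backups.files | default([]) }}'
  loop_control:
    label: '{{ item.path }}'
  when: debconfs.results[0].changed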
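# Re-run slapd's package configuration with the preseeded answers so the
# directory is rebuilt for the new suffix. Destructive for the existing
# database; gated on the slapd/domain answer having changed.
# DEBIAN_FRONTEND=noninteractive keeps debconf from trying to open an
# interactive frontend on the tty-less Ansible connection (which can hang
# or fail the run); `-p critical` keeps the prompt threshold as before.
# NOTE(review): no slapd/password1 answer is preseeded above, so how the
# rootDN credential ends up set is not visible in this file - confirm.
- name: 'backup old database and re-create'
  command: 'dpkg-reconfigure -p critical slapd'
  environment:
    DEBIAN_FRONTEND: 'noninteractive'
  when: debconfs.results[0].changed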
# slapd must be up (and survive reboots) before the cn=config edits below,
# which all talk to the running server.
- name: 'start slapd service'
  service:
    name: "slapd"
    state: "started"
    enabled: true
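# Stage the extra schema LDIFs next to the packaged ones. Ownership and mode
# are explicit (ansible-lint risky-file-permissions): the next task feeds
# these files straight into cn=config as root, so nobody but root may be
# able to modify them.
- name: 'copy schemas'
  copy:
    src: '{{ item }}'
    dest: '/etc/ldap/schema/'
    owner: 'root'
    group: 'root'
    mode: '0644'
  loop:
    - 'ldapns.ldif'
    - 'kerberos.ldif'
    - 'phamm.ldif'
    - 'phamm-vacation.ldif'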
# Load each schema into cn=config over the local socket, authenticating as
# root via SASL EXTERNAL. `creates` makes the task idempotent: once loaded,
# slapd keeps the schema as cn={N}<file> under cn=schema and the `{*}` glob
# matches whatever index N it assigned.
# NOTE(review): this assumes each LDIF's `cn` equals its file name minus
# nothing (i.e. the entry is literally cn={N}kerberos.ldif); if a cn
# differs, `creates` never matches and ldapadd is re-run - confirm.
- name: 'activate schemas'
  command:
    cmd: "ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }}"
    creates: "/etc/ldap/slapd.d/cn=config/cn=schema/cn={*}{{ item }}"
  loop:
    - "ldapns.ldif"
    - "kerberos.ldif"
    - "phamm.ldif"
    - "phamm-vacation.ldif"
# Dynamic modules the rest of this file relies on:
#   back_mdb  - backend of the {1}mdb database the ACLs/overlays target
#   pw-sha2   - provides the {SSHA512} scheme set as olcPasswordHash below
#   auditlog  - overlay attached to both databases below
#   memberof  - overlay attached to {1}mdb below
# ldap_attr (default state) only adds missing values; existing ones stay.
- name: 'activate modules'
  ldap_attr:
    dn: "cn=module{0},cn=config"
    name: "olcModuleLoad"
    values:
      - "{0}back_mdb"
      - "{1}pw-sha2"
      - "{2}auditlog"
      - "{3}memberof"
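# Directory for the auditlog overlay output (see 'activate auditlog overlay').
# Those files are LDIF records of every change to cn=config and to the main
# tree, which can include userPassword values, so the directory must not be
# readable by other local users. Without an explicit mode the `file` module
# falls back to the umask default (typically 0755 - world-readable).
- name: 'create log dir'
  file:
    path: '/var/log/openldap'
    state: 'directory'
    owner: 'openldap'
    group: 'openldap'
    mode: '0750'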
# Log connection handling plus ACL decisions. `acl` traces every
# access-control evaluation and is noisy on a busy server; it is useful while
# validating the rules below and can be dropped once they are trusted.
# ldap_attr (default state) adds this value; any olcLogLevel already present
# is kept alongside it.
- name: 'set loglevel'
  ldap_attr:
    dn: "cn=config"
    name: "olcLogLevel"
    values: "conns acl"
# Attach the auditlog overlay to cn=config ({0}config) and to the main tree
# ({1}mdb). Every change is appended as LDIF to the named file in the log
# directory created above; the userPassword changes the ACLs below permit
# end up in there too, so those files need the same protection as the
# database itself.
- name: 'activate auditlog overlay'
  ldap_entry:
    dn: "olcOverlay={0}auditlog,olcDatabase={{ item.db }},cn=config"
    objectClass:
      - "olcOverlayConfig"
      - "olcAuditLogConfig"
    attributes:
      olcAuditlogFile: "/var/log/openldap/{{ item.logfile }}"
  loop:
    - db: "{0}config"
      logfile: "audit_config.ldif"
    - db: "{1}mdb"
      logfile: "audit_mdb.ldif"
# memberof overlay on the main tree (default member -> memberOf attributes),
# fed by the `member` values admins manage under ou=Group (ACL {6}).
# Index {1} orders it after the auditlog overlay ({0}) on the same database.
- name: 'activate memberof overlay'
  ldap_entry:
    dn: "olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config"
    objectClass:
      - "olcOverlayConfig"
      - "olcMemberOf"
# Hash scheme for passwords set through the Password Modify extended
# operation (RFC 3062 / ldappasswd). Needs the pw-sha2 module loaded above.
# NOTE(review): per slapd-config(5) olcPasswordHash only covers that
# extended operation; a plain modify of userPassword - which ACL {1} below
# lets users and admins do - stores whatever the client sends, possibly
# cleartext, unless ppolicy's hash_cleartext is enabled. Confirm which path
# the clients use.
- name: 'set default password hash'
  ldap_attr:
    dn: "olcDatabase={-1}frontend,cn=config"
    name: "olcPasswordHash"
    values: "{SSHA512}"
# Derive the suffix from the dotted domain: example.org -> dc=example,dc=org.
# Purely textual - no DN escaping, so a label containing a DN-special
# character (',' '+' '"' ...) would yield a malformed DN.
- name: 'evaluating base_dn'
  set_fact:
    base_dn: "dc={{ ldap_domain | replace('.', ',dc=') }}"
# Map the subject DN a client presents in its TLS certificate (SASL
# EXTERNAL) onto the matching entry of this directory, so certificate
# holders act as their own LDAP identity without a simple bind.
# `state: exact` makes this the complete olcAuthzRegexp list.
# NOTE(review): x509_ldap_suffix is spliced into the pattern unescaped; any
# regex metacharacter in it (a '.' in an O= value, say) widens the match -
# confirm its value or escape it before templating.
- name: 'configure TLS x509 <-> ldap dn translation'
  ldap_attr:
    dn: 'cn=config'
    name: 'olcAuthzRegexp'
    state: 'exact'
    values:
      # {0} host certificates: cn=<host>,ou=Server,<x509 suffix>
      #     -> cn=<host>,ou=Server,<base_dn>
      - >-
        {0} ^cn=([^,]+),ou=Server,{{ x509_ldap_suffix }}$
        cn=$1,ou=Server,{{ base_dn }}
      # {1} user certificates: mail=<addr>,cn=<user>,ou=People,<x509 suffix>
      #     -> cn=<user>,ou=People,<base_dn>  (the mail RDN is matched, not kept)
      - >-
        {1} ^mail=[^,]+,cn=([^,]+),ou=People,{{ x509_ldap_suffix }}$
        cn=$1,ou=People,{{ base_dn }}
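# Access control for the main tree ({1}mdb). slapd evaluates top-down: the
# first `to` clause whose target (dn + attrs) matches an operation is the
# one used, and inside it the first `by` clause whose <who> matches the
# requester decides (unless that clause says break/continue). Order matters
# in both dimensions. The rootDN bypasses ACLs altogether; "Admins" below
# means members of cn=admin,ou=Group.
# `state: exact` replaces whatever olcAccess the database had.
# With ldap_tls_enabled false the tls_ssf qualifiers render empty and
# passwords are verified over whatever transport the client connected with.
# NOTE(review): nothing here covers entries outside ou=People, ou=Group and
# ou=Server - the base entry included - so they take slapd's implicit deny
# at the end of the list; confirm no client needs to read {{ base_dn }}.
- name: 'configure main tree acls'
  ldap_attr:
    dn: 'olcDatabase={1}mdb,cn=config'
    name: 'olcAccess'
    state: 'exact'
    values:
      # [0] -> Admins can proxy-auth to RootDN
      #        /proxy-auth is not required for routine user-management operations
      - >-
        {0} to dn.exact=cn=admin,{{ base_dn }} attrs=authzFrom
        by group.exact=cn=admin,ou=Group,{{ base_dn }} auth
        by * none
      # [1] :: ou=People
      # [1.0] -> Admins can edit People `userPassword`
      #       -> People can edit their own `userPassword`
      #       -> Anonymous (simple bind) can auth against `userPassword`, only
      #          over strong TLS when ldap_tls_enabled
      #       Listed before [1.3] so userPassword is never exposed through the
      #       servers' blanket read granted there.
      - >-
        {1} to dn.one=ou=People,{{ base_dn }} attrs=userPassword
        by group.exact=cn=admin,ou=Group,{{ base_dn }} write
        by self write
        by anonymous {{ 'tls_ssf=256 ' if ldap_tls_enabled }}auth
        by * none
      # [1.1] -> Admins can list the full People tree
      #       -> Servers can use ou=People as a search base (`search` on `entry`)
      - >-
        {2} to dn.exact=ou=People,{{ base_dn }} attrs=entry
        by group.exact=cn=admin,ou=Group,{{ base_dn }} read
        by dn.children=ou=Server,{{ base_dn }} search
        by * none
      # [1.2] -> Admins can add/remove People entries
      - >-
        {3} to dn.exact=ou=People,{{ base_dn }} attrs=children
        by group.exact=cn=admin,ou=Group,{{ base_dn }} write
        by * none
      # [1.3] -> Admins can edit all People attributes
      #       -> Servers can read all People attributes (userPassword is taken
      #          by [1.0] first, so it is excluded here)
      #       -> People can read all their own attributes
      #       -> break: anyone else falls through to the next matching clause,
      #          which today is [1.4] (deny) - effectively `none` until extra
      #          rules are inserted between the two
      - >-
        {4} to dn.one=ou=People,{{ base_dn }}
        by group.exact=cn=admin,ou=Group,{{ base_dn }} write
        by dn.children=ou=Server,{{ base_dn }} read
        by self read
        by * break
      # [1.4] -> No other access to People tree (also covers anything nested
      #          deeper than one level, which dn.one above does not reach)
      - >-
        {5} to dn.subtree=ou=People,{{ base_dn }}
        by * none
      # [2] :: ou=Group
      # [2.0] -> Admins can add/remove members from groups
      - >-
        {6} to dn.one=ou=Group,{{ base_dn }} attrs=member
        by group.exact=cn=admin,ou=Group,{{ base_dn }} write
        by * none
      # [2.1] -> No other access to Group tree
      - >-
        {7} to dn.children=ou=Group,{{ base_dn }}
        by * none
      # [3] :: ou=Server
      # [3.0] -> Admins can set server passwords
      #       -> Local servers can simple-bind their entries if using TLS
      #        /Servers using TLS client auth with OU=Server are mapped by
      #         olcAuthzRegexp above and never touch userPassword
      #       Admin `write` must stay ahead of the auth clause: a `by` with only
      #       a tls_ssf qualifier matches EVERY requester on a strong-TLS
      #       connection, admins included, so in the reverse order they would
      #       get `auth` and nothing more. `anonymous` mirrors [1.0] and keeps
      #       the clause well-formed when the tls_ssf qualifier renders empty.
      ## TODO: Add peername.ip filtering on server subnet
      - >-
        {8} to dn.children=ou=Server,{{ base_dn }} attrs=userPassword
        by group.exact=cn=admin,ou=Group,{{ base_dn }} write
        by anonymous {{ 'tls_ssf=256 ' if ldap_tls_enabled }}auth
        by * none
      # [3.1] -> No other access to Server tree
      - >-
        {9} to dn.subtree=ou=Server,{{ base_dn }}
        by * none
      # [4] :: ou=VirtualDomains - WiP
      # [4.0] -> Admins can write whole subtree
      # [4.1] -> Servers can read whole subtree
      # - >-
      #   to dn.subtree=ou=VirtualDomains,{{ base_dn }}
      #   by group.exact=cn=admin,ou=Group,{{ base_dn }} write
      #   by dn.children=ou=Server,{{ base_dn }} read
      # [5] :: ou=Kerberos - WiP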
...