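---
# Provisions auth1 as an OpenLDAP server (slapd, slapd.conf-style config) and
# makes the host itself an LDAP client for NSS/PAM/sudo (nslcd, nscd, sudo-ldap).
# Flow: networking -> packages -> server config -> client config -> LDIF load.
- hosts: auth1

  vars:
    # Turn "example.org" into "dc=example,dc=org" for use as the directory suffix.
    ldap_base: "{{ base_domain.split('.') | map('regex_replace', '^(.*)$', 'dc=\\1') | join(',') }}"

  tasks:
    - name: setup networking
      import_role:
        name: ../roles/network_setup
      vars:
        ipv4_addr: "{{ auth1_ipv4_addr }}"

    # Run any handlers queued by the network role now, so later tasks see the
    # final addressing instead of waiting for the end of the play.
    - meta: flush_handlers

    - name: install LDAP packages
      # Passing the list directly lets apt resolve everything in one transaction
      # instead of one invocation per package (the loop form is discouraged).
      apt:
        name:
          - slapd
          - ldap-utils
          - ldapvi
          - libnss-ldapd
          - libpam-ldapd
          - nscd
          - sudo-ldap

    - name: copy slapd.conf
      template:
        src: ldap/slapd.conf.j2
        dest: /etc/ldap/slapd.conf
        owner: openldap
        group: openldap
        # Keep the rendered config out of world-readable reach: slapd.conf may
        # carry credentials (e.g. a rootpw).  The openldap owner can still read it.
        mode: "0640"
      notify: restart slapd

    # The package ships a slapd.d (cn=config) tree which takes precedence over
    # slapd.conf when present, so move it aside.  'removes' keeps this
    # idempotent: the command is skipped once slapd.d is gone.
    - name: move slapd.d directory
      command:
        cmd: mv /etc/ldap/slapd.d /etc/ldap/slapd.d.bak
        removes: /etc/ldap/slapd.d
      notify: restart slapd

    - name: copy sudo.schema
      copy:
        remote_src: true
        src: /usr/share/doc/sudo-ldap/schema.OpenLDAP
        dest: /etc/ldap/schema/sudo.schema
        owner: openldap
        group: openldap
      notify: restart slapd

    - name: copy other schemas
      copy:
        src: "ldap/{{ item }}"
        dest: "/etc/ldap/schema/{{ item }}"
        owner: openldap
        group: openldap
      loop:
        - rfc2307bis.schema
        - csc.schema
      notify: restart slapd

    - name: make sure slapd is running
      systemd:
        name: slapd
        state: started

    # Probe for the package-generated cn=config database.  If it is there, the
    # old database is discarded below so slapd starts from slapd.conf and the
    # LDIF data.  This is a read-only query: never reported as changed, and a
    # non-zero exit (no cn=config) is the expected "not present" answer rather
    # than a failure.
    - name: determine if cn=config is present
      command: ldapsearch -LLLQ -Y EXTERNAL -H ldapi:/// -b cn=config -s base
      changed_when: false
      failed_when: false
      register: cn_config_cmd

    - name: stop slapd
      systemd:
        name: slapd
        state: stopped
      when: cn_config_cmd.rc == 0

    # Shell glob: dotfiles are not matched; -f keeps an empty glob from failing.
    - name: purge old slapd database
      shell: rm -f /var/lib/ldap/*
      when: cn_config_cmd.rc == 0
      notify: restart slapd

    # Deliberately placed after the purge: the purge removes everything in
    # /var/lib/ldap, so a DB_CONFIG copied earlier in the same run would be
    # deleted again and only reappear on the next run.
    - name: copy DB_CONFIG
      copy:
        remote_src: true
        src: /usr/share/slapd/DB_CONFIG
        dest: /var/lib/ldap/DB_CONFIG
        owner: openldap
        group: openldap
      notify: restart slapd

    - name: copy ldap.conf
      template:
        src: ldap/ldap.conf.j2
        dest: /etc/ldap/ldap.conf
      notify:
        - restart nslcd
        - restart nscd

    # No regexp: lineinfile appends only when this exact line is absent.
    - name: add member->uniqueMember map
      lineinfile:
        line: map group member uniqueMember
        path: /etc/nslcd.conf
      notify: restart nslcd

    - name: copy nsswitch.conf
      copy:
        src: ldap/nsswitch.conf
        dest: /etc/nsswitch.conf
      notify: restart nslcd

    # Comment out "Defaults mail_badpass"; \1 re-emits the matched text behind
    # the '#'.  validate runs visudo on the candidate file so a bad edit can
    # never be written into the live /etc/sudoers.
    - name: disable mail_badpass for sudo
      replace:
        path: /etc/sudoers
        regexp: "^(Defaults\\s+mail_badpass)$"
        replace: "#\\1"
        validate: /usr/sbin/visudo -cf %s

    # Restart slapd/nslcd/nscd now so the LDIF load below talks to a server
    # running the new configuration.
    - meta: flush_handlers

    - name: copy LDIF data
      template:
        src: ldap/data.ldif.j2
        dest: /etc/ldap/data.ldif
        # Root-only: the rendered LDIF may contain userPassword values.
        mode: "0600"

    # -c continues past entries that already exist, so re-running the play is
    # harmless; ignore_errors keeps the resulting non-zero exit from aborting
    # it (genuine load errors still show up in the task output).
    - name: load LDIF data
      command: ldapadd -c -f /etc/ldap/data.ldif -Y EXTERNAL -H ldapi:///
      ignore_errors: true

  handlers:
    - name: restart slapd
      systemd:
        name: slapd
        state: restarted

    - name: restart nslcd
      systemd:
        name: nslcd
        state: restarted

    - name: restart nscd
      systemd:
        name: nscd
        state: restarted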