From 5929ba8b809134633654ac41d92da075e7a273fc Mon Sep 17 00:00:00 2001
From: Juan Manuel Garcia del Moral
Date: Sat, 18 Aug 2018 21:21:00 -0300
Subject: [PATCH] role instead of playbook
---
 README.md | 24 ++-
 deploy-ldap-fusiondirectory.yml | 343 --------------------------------
 handlers/main.yml | 82 ++++++++
 tasks/main.yml | 250 +++++++++++++++++++++++
 4 files changed, 352 insertions(+), 347 deletions(-)
 delete mode 100644 deploy-ldap-fusiondirectory.yml
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/main.yml
diff --git a/README.md b/README.md
index 16470a6..f497d09 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@ # Deploy OpenLDAP/FusionDirectory using Ansible -These playbooks will deploy an OpenLDAP/FusionDirectory server. +These Role will deploy an OpenLDAP/FusionDirectory server. Components: * OpenLDAP (slapd) @@ -16,7 +16,7 @@ Components: ## Clone the repository -Clone the reposiroty: +Clone the repository: ``` $ git clone https://git.theo-andreou.org/Personal/ansible-deploy-ldap-fusiondirectory.git @@ -49,7 +49,7 @@ timezone: Asia/Nicosia * Create an encrypted *vars/secrets.yml* file: ``` -$ ansible-vault create vars/secrets.yml +$ ansible-vault create vars/secrets.yml ``` Use a master password for the file above.
@@ -63,12 +63,28 @@ fd_admin: fdadmin fd_admin_pass: MySecretFDCombination ``` +* Create a playbook to call this role (fusiondirectory.yml): +``` +- hosts: all + become: yes + gather_facts: false + vars: + - ansible_user: "ubuntu" + pre_tasks: + - name: install python 2 + raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal) + changed_when: False + roles: + - ansible-deploy-ldap-fusiondirectory +``` + + ## Deploy LDAP and FusionDirectory When done with the configuration run this command (provide your master password): ``` -$ ansible-playbook --vault-id @prompt deploy_fusiondirectory.yml +$ ansible-playbook --vault-id @prompt fusiondirectory.yml ``` When done visit http://auth.example.org to login for the first time. I suggest you enable HTTPS before doing that. diff --git a/deploy-ldap-fusiondirectory.yml b/deploy-ldap-fusiondirectory.yml deleted file mode 100644 index 135e037..0000000 --- a/deploy-ldap-fusiondirectory.yml +++ /dev/null 
@@ -1,343 +0,0 @@ ---- -# This will deploy OpenLDAP and FusionDirectory on the mailserver -- hosts: auth.example.com - user: root - - vars_files: - - vars/all.yml - - vars/secrets.yml - - tasks: - - - name: Prepate /etc/hosts - lineinfile: - path: /etc/hosts - insertafter: '^127.0.1.1 ' - line: "{{ item }}" - with_items: - - "127.0.2.1 mail.{{ domain }} mail" - - "127.0.3.1 auth.{{ domain }} auth" - - - name: Setup OpenLDAP and Dependencies - apt: - name: "{{ item }}" - state: present - update_cache: yes - with_items: - - ldap-utils - - gnutls-bin - - ca-certificates - - python-ldap - - python3-ldap - - - name: debconf configuration for slapd - debconf: - name: slapd - question: "{{ item.question }}" - value: "{{ item.value }}" - vtype: "{{ item.vtype }}" - with_items: - - { question: slapd/no_configuration, value: False, vtype: boolean } - - { question: slapd/domain, value: "{{ domain }}", vtype: string } - - { question: shared/organization, value: "{{ organization }}", vtype: string } - - { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password } - - { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password } - - { question: slapd/backend, value: MDB, vtype: select } - - { question: slapd/purge_database, value: False, vtype: boolean } - - { question: slapd/move_old_database, value: True, vtype: boolean } - no_log: True - - - name: install slapd - apt: - name: slapd - state: present - - - name: Create the ROOT CA store - file: - path: /srv/CA - state: directory - - - name: Generate the CA Certificate template - template: - src: templates/ca-cert.tmpl.j2 - dest: /srv/CA/ca-cert.tmpl - - - name: Generate the ROOT CA private key - command: | - certtool --generate-privkey \ - --outfile {{ domain }}-rootCA.key - args: - chdir: /srv/CA - creates: "/srv/CA/{{ domain }}-rootCA.key" - - - name: Generate the ROOT CA Certificate - command: | - certtool --generate-self-signed \ - --template ca-cert.tmpl \ - --load-privkey {{ domain 
}}-rootCA.key \ - --outfile {{ domain }}-rootCA.crt - args: - chdir: /srv/CA - creates: "/srv/CA/{{ domain }}-rootCA.crt" - - - name: Add our ROOT CA as trusted - copy: - remote_src: yes - src: "/srv/CA/{{ domain }}-rootCA.crt" - dest: /usr/local/share/ca-certificates/ - notify: - - Update CA Certificates - - - name: Create the LDAP TLS store - file: - path: /etc/ldap/ssl - owner: openldap - group: openldap - state: directory - - - name: Generate the LDAP Certificate template - template: - src: templates/ldap-cert.tmpl.j2 - dest: /srv/CA/ldap-cert.tmpl - - - name: Generate the LDAP private key - command: | - certtool --generate-privkey \ - --outfile {{ domain }}.key - args: - chdir: /etc/ldap/ssl - creates: "/etc/ldap/ssl/{{ domain }}.key" - - - name: Generate the LDAP Certificate - command: | - certtool --generate-certificate \ - --template /srv/CA/ldap-cert.tmpl \ - --load-privkey {{ domain }}.key \ - --outfile {{ domain }}.crt \ - --load-ca-privkey /srv/CA/{{ domain }}-rootCA.key - --load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt - args: - chdir: /etc/ldap/ssl - creates: "/etc/ldap/ssl/{{ domain }}.crt" - - - name: Set the correct ownership on the LDAP cert/key pair - file: - path: "/etc/ldap/ssl/{{ item }}" - owner: openldap - group: openldap - with_items: - - "{{ domain }}.key" - - "{{ domain }}.crt" - - - name: Create the custom_ldifs store - file: - path: /etc/ldap/custom_ldifs - owner: openldap - group: openldap - state: directory - - - name: Create the olcSSL.ldif file (LDAP TLS Configuration) - template: - src: templates/olcSSL.ldif.j2 - dest: /etc/ldap/custom_ldifs/olcSSL.ldif - owner: openldap - group: openldap - notify: - - Apply olcSSL.ldif - - Restart slapd - - - name: Add an apt key by id from a keyserver - apt_key: - keyserver: keys.gnupg.net - id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF - - - name: Add the Fusiondirectory repo - apt_repository: - repo: "{{ item }}" - state: present - with_items: - - 'deb 
http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main' - - 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main' - - - name: Install FusionDirectory, dependencies and plugins - apt: - name: "{{ item }}" - update_cache: yes - state: present - with_items: - - apache2 - - libapache2-mod-php - - php-ldap - - php-intl - - php-pear - - php-mbstring - - fusiondirectory - - fusiondirectory-schema - - fusiondirectory-plugin-ldapdump - - fusiondirectory-plugin-ldapmanager - - fusiondirectory-plugin-dsa - - fusiondirectory-plugin-dsa-schema - - fusiondirectory-plugin-systems - - fusiondirectory-plugin-systems-schema - notify: - - Apply FusionDirectory Schema - - Apply FusionDirectory Plugins Schema - - - name: Calculate FusionDirectory Configuration hash - stat: - path: /var/cache/fusiondirectory/class.cache - get_md5: yes - register: fd_config_hash - - - name: Generate the Initial FusionDirectory configuration - template: - src: templates/fd-init-config.ldif.j2 - dest: /etc/ldap/custom_ldifs/fd-init-config.ldif - notify: - - Initialize FusionDirectory Configuration - - - name: Migrate FusionDirectory Object Classes - template: - src: templates/fd-migrate-object-classes.ldif.j2 - dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif - notify: - - Migrate Object Classes - - - name: Create an empty ldap.conf file - file: - path: /etc/ldap/ldap.conf - state: touch - notify: - - Generate FusionDirectory SuperUser and OUs - - - name: Set FusionDirectory SuperUser Password - command: | - true - notify: - - Set SuperUser Password - no_log: True - - - name: Migrate FusionDirectory Defaults ACLs - template: - src: templates/fd-migrate-default-acl.ldif.j2 - dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif - notify: - - Migrate Default ACLs - - - name: Fix Permissions for the FusionDirectory Configuration - template: - src: templates/fusiondirectory.conf.j2 - dest: /etc/fusiondirectory/fusiondirectory.conf - 
notify: - - Fix FusionDirectory Configuration Permisions - - - name: Apply FusionDirectory Service Accounts ACL - template: - src: templates/fd-service_accounts_acl.ldif.j2 - dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif - notify: - - Apply Service Accounts ACL - - - - name: Create a .well-known directory - file: - path: /var/www/html/.well-known - state: directory - owner: www-data - group: www-data - - - name: Deploy the Apache VirtualHosts for FusionDirectory - template: - src: "templates/fd-vhost{{ item }}.j2" - dest: "/etc/apache2/sites-available/{{domain}}{{ item }}" - with_items: - - ".conf" - - "-ssl.conf" - notify: - - Enable the Apache HTTP VirtualHost - - Disable the Default Apache VirtualHost - - Restart Apache - - handlers: - - - name: Update CA Certificates - command: update-ca-certificates - - - name: Apply olcSSL.ldif - command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif - args: - chdir: /etc/ldap/custom_ldifs - - - name: Restart slapd - service: - name: slapd - state: restarted - - - name: Apply FusionDirectory Schema - command: fusiondirectory-insert-schema - - - name: Apply FusionDirectory Plugins Schema - command: | - fusiondirectory-insert-schema \ - -i /etc/ldap/schema/fusiondirectory/{{ item }}.schema - with_items: - - dsa-fd-conf - - service-fd - - systems-fd-conf - - systems-fd - - - name: Initialize FusionDirectory Configuration - command: | - ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif - args: - chdir: /etc/ldap/custom_ldifs - no_log: True - - - name: Migrate Object Classes - command: | - ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif - args: - chdir: /etc/ldap/custom_ldifs - no_log: True - - - name: Generate FusionDirectory SuperUser and OUs - shell: | - yes '{{ fd_admin }}' | \ - fusiondirectory-setup --yes --check-ldap - - - name: Set SuperUser Password - command: | - ldappasswd -D {{ ldap_admin_dn }} -w 
{{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }} - no_log: True - - - name: Migrate Default ACLs - command: | - ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif - args: - chdir: /etc/ldap/custom_ldifs - no_log: True - - - name: Fix FusionDirectory Configuration Permisions - command: fusiondirectory-setup --yes --check-config - - - name: Apply Service Accounts ACL - command: | - ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif - args: - chdir: /etc/ldap/custom_ldifs - - - name: Enable the Apache HTTP VirtualHost - file: - src: "/etc/apache2/sites-available/{{ domain }}.conf" - dest: "/etc/apache2/sites-enabled/{{ domain }}.conf" - state: link - - - name: Disable the Default Apache VirtualHost - file: - path: /etc/apache2/sites-enabled/000-default.conf - state: absent - - - name: Restart Apache - service: - name: apache2 - state: restarted diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..57f088f --- /dev/null +++ b/handlers/main.yml 
@@ -0,0 +1,82 @@ +--- +- name: Update CA Certificates + command: update-ca-certificates + +- name: Apply olcSSL.ldif + command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif + args: + chdir: /etc/ldap/custom_ldifs + +- name: Restart slapd + service: + name: slapd + state: restarted + +- name: Apply FusionDirectory Schema + command: fusiondirectory-insert-schema + +- name: Apply FusionDirectory Plugins Schema + command: | + fusiondirectory-insert-schema \ + -i /etc/ldap/schema/fusiondirectory/{{ item }}.schema + with_items: + - dsa-fd-conf + - service-fd + - systems-fd-conf + - systems-fd + +- name: Initialize FusionDirectory Configuration + command: | + ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif + args: + chdir: /etc/ldap/custom_ldifs + no_log: True + +- name: Migrate Object Classes + command: | + ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif + args: + chdir: /etc/ldap/custom_ldifs + no_log: True + +- name: Generate FusionDirectory SuperUser and OUs + shell: | + yes '{{ fd_admin }}' | \ + fusiondirectory-setup --yes --check-ldap + +- name: Set SuperUser Password + command: | + ldappasswd -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }} + no_log: True + +- name: Migrate Default ACLs + command: | + ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif + args: + chdir: /etc/ldap/custom_ldifs + no_log: True + +- name: Fix FusionDirectory Configuration Permisions + command: fusiondirectory-setup --yes --check-config + +- name: Apply Service Accounts ACL + command: | + ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif + args: + chdir: /etc/ldap/custom_ldifs + +- name: Enable the Apache HTTP VirtualHost + file: + src: "/etc/apache2/sites-available/{{ domain }}.conf" + dest: "/etc/apache2/sites-enabled/{{ domain }}.conf" + 
state: link + +- name: Disable the Default Apache VirtualHost + file: + path: /etc/apache2/sites-enabled/000-default.conf + state: absent + +- name: Restart Apache + service: + name: apache2 + state: restarted diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..a88e031 --- /dev/null +++ b/tasks/main.yml 
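Review bot: The `Initialize FusionDirectory Configuration`, `Migrate Object Classes`, `Set SuperUser Password` and `Migrate Default ACLs` handlers pass `{{ ldap_admin_pass }}` (and, in `ldappasswd`, `{{ fd_admin_pass }}`) on the command line via `-w`/`-s`; `no_log: True` only suppresses Ansible's own output, the secrets are still readable by every local user through `ps`/`/proc/<pid>/cmdline` and end up in process accounting or auditd exec records for the lifetime of the command. Write the bind password once to a root-only file (a `copy` task with `mode: '0600'` and `no_log: true`) and bind with `-y /root/.ldap_admin_pw`, and have `ldappasswd` read the new password from a file with `-T` instead of `-s`. Since these binds already go over `ldapi:///`, the other option is SASL EXTERNAL as the `Apply olcSSL.ldif` handler already does, provided the root identity is granted the needed access on the data backend. Separately, `Generate FusionDirectory SuperUser and OUs` interpolates `{{ fd_admin }}` into a `shell` pipeline inside single quotes, so a value containing `'` breaks out of the quoting; `yes {{ fd_admin | quote }}` avoids that.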
@@ -0,0 +1,250 @@ +--- +# This will deploy OpenLDAP and FusionDirectory on the mailserver +- name: Prepate /etc/hosts + lineinfile: + path: /etc/hosts + insertafter: '^127.0.1.1 ' + line: "{{ item }}" + with_items: + - "127.0.2.1 mail.{{ domain }} mail" + - "127.0.3.1 auth.{{ domain }} auth" + +- name: Setup OpenLDAP and Dependencies + apt: + name: "{{ item }}" + state: present + update_cache: yes + with_items: + - ldap-utils + - gnutls-bin + - ca-certificates + - python-ldap + - python3-ldap + +- name: debconf configuration for slapd + debconf: + name: slapd + question: "{{ item.question }}" + value: "{{ item.value }}" + vtype: "{{ item.vtype }}" + with_items: + - { question: slapd/no_configuration, value: False, vtype: boolean } + - { question: slapd/domain, value: "{{ domain }}", vtype: string } + - { question: shared/organization, value: "{{ organization }}", vtype: string } + - { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password } + - { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password } + - { question: slapd/backend, value: MDB, vtype: select } + - { question: slapd/purge_database, value: False, vtype: boolean } + - { question: slapd/move_old_database, value: True, vtype: boolean } + no_log: True + +- name: install slapd + apt: + name: slapd + state: present + +- name: Create the ROOT CA store + file: + path: /srv/CA + state: directory + +- name: Generate the CA Certificate template + template: + src: templates/ca-cert.tmpl.j2 + dest: /srv/CA/ca-cert.tmpl + +- name: Generate the ROOT CA private key + command: | + certtool --generate-privkey \ + --outfile {{ domain }}-rootCA.key + args: + chdir: /srv/CA + creates: "/srv/CA/{{ domain }}-rootCA.key" + +- name: Generate the ROOT CA Certificate + command: | + certtool --generate-self-signed \ + --template ca-cert.tmpl \ + --load-privkey {{ domain }}-rootCA.key \ + --outfile {{ domain }}-rootCA.crt + args: + chdir: /srv/CA + creates: "/srv/CA/{{ domain 
}}-rootCA.crt" + +- name: Add our ROOT CA as trusted + copy: + remote_src: yes + src: "/srv/CA/{{ domain }}-rootCA.crt" + dest: /usr/local/share/ca-certificates/ + notify: + - Update CA Certificates + +- name: Create the LDAP TLS store + file: + path: /etc/ldap/ssl + owner: openldap + group: openldap + state: directory + +- name: Generate the LDAP Certificate template + template: + src: templates/ldap-cert.tmpl.j2 + dest: /srv/CA/ldap-cert.tmpl + +- name: Generate the LDAP private key + command: | + certtool --generate-privkey \ + --outfile {{ domain }}.key + args: + chdir: /etc/ldap/ssl + creates: "/etc/ldap/ssl/{{ domain }}.key" + +- name: Generate the LDAP Certificate + command: | + certtool --generate-certificate \ + --template /srv/CA/ldap-cert.tmpl \ + --load-privkey {{ domain }}.key \ + --outfile {{ domain }}.crt \ + --load-ca-privkey /srv/CA/{{ domain }}-rootCA.key + --load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt + args: + chdir: /etc/ldap/ssl + creates: "/etc/ldap/ssl/{{ domain }}.crt" + +- name: Set the correct ownership on the LDAP cert/key pair + file: + path: "/etc/ldap/ssl/{{ item }}" + owner: openldap + group: openldap + with_items: + - "{{ domain }}.key" + - "{{ domain }}.crt" + +- name: Create the custom_ldifs store + file: + path: /etc/ldap/custom_ldifs + owner: openldap + group: openldap + state: directory + +- name: Create the olcSSL.ldif file (LDAP TLS Configuration) + template: + src: templates/olcSSL.ldif.j2 + dest: /etc/ldap/custom_ldifs/olcSSL.ldif + owner: openldap + group: openldap + notify: + - Apply olcSSL.ldif + - Restart slapd + +- name: Add an apt key by id from a keyserver + apt_key: + keyserver: keys.gnupg.net + id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF + +- name: Add the Fusiondirectory repo + apt_repository: + repo: "{{ item }}" + state: present + with_items: + - 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main' + - 'deb 
http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main' + +- name: Install FusionDirectory, dependencies and plugins + apt: + name: "{{ item }}" + update_cache: yes + state: present + with_items: + - apache2 + - libapache2-mod-php + - php-ldap + - php-intl + - php-pear + - php-mbstring + - fusiondirectory + - fusiondirectory-schema + - fusiondirectory-plugin-ldapdump + - fusiondirectory-plugin-ldapmanager + - fusiondirectory-plugin-dsa + - fusiondirectory-plugin-dsa-schema + - fusiondirectory-plugin-systems + - fusiondirectory-plugin-systems-schema + notify: + - Apply FusionDirectory Schema + - Apply FusionDirectory Plugins Schema + +- name: Calculate FusionDirectory Configuration hash + stat: + path: /var/cache/fusiondirectory/class.cache + get_md5: yes + register: fd_config_hash + +- name: Generate the Initial FusionDirectory configuration + template: + src: templates/fd-init-config.ldif.j2 + dest: /etc/ldap/custom_ldifs/fd-init-config.ldif + notify: + - Initialize FusionDirectory Configuration + +- name: Migrate FusionDirectory Object Classes + template: + src: templates/fd-migrate-object-classes.ldif.j2 + dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif + notify: + - Migrate Object Classes + +- name: Create an empty ldap.conf file + file: + path: /etc/ldap/ldap.conf + state: touch + notify: + - Generate FusionDirectory SuperUser and OUs + +- name: Set FusionDirectory SuperUser Password + command: | + true + notify: + - Set SuperUser Password + no_log: True + +- name: Migrate FusionDirectory Defaults ACLs + template: + src: templates/fd-migrate-default-acl.ldif.j2 + dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif + notify: + - Migrate Default ACLs + +- name: Fix Permissions for the FusionDirectory Configuration + template: + src: templates/fusiondirectory.conf.j2 + dest: /etc/fusiondirectory/fusiondirectory.conf + notify: + - Fix FusionDirectory Configuration Permisions + +- name: Apply FusionDirectory Service 
Accounts ACL + template: + src: templates/fd-service_accounts_acl.ldif.j2 + dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif + notify: + - Apply Service Accounts ACL + + +- name: Create a .well-known directory + file: + path: /var/www/html/.well-known + state: directory + owner: www-data + group: www-data + +- name: Deploy the Apache VirtualHosts for FusionDirectory + template: + src: "templates/fd-vhost{{ item }}.j2" + dest: "/etc/apache2/sites-available/{{domain}}{{ item }}" + with_items: + - ".conf" + - "-ssl.conf" + notify: + - Enable the Apache HTTP VirtualHost + - Disable the Default Apache VirtualHost + - Restart Apache
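Review bot: `Set the correct ownership on the LDAP cert/key pair` chowns `{{ domain }}.key` to openldap but sets no `mode`, and nothing in the hunk restricts `/srv/CA` or `{{ domain }}-rootCA.key` either, so both private keys end up with whatever `certtool` and the umask produce while the root CA signed by that key is installed into the system trust store by `Add our ROOT CA as trusted`. Add `mode: '0700'` to the `Create the ROOT CA store` task and a dedicated `file` task with `mode: '0600'` for the two `.key` files (the `.crt` files can stay readable). In `Generate the LDAP Certificate`, `--load-ca-privkey /srv/CA/{{ domain }}-rootCA.key` is the only argument line without a trailing `\`, so `--load-ca-certificate …` may not be tokenized as part of the same invocation by the `command` module; make it `--load-ca-privkey /srv/CA/{{ domain }}-rootCA.key \`. Separately, `Add an apt key by id from a keyserver` fetches the FusionDirectory signing key over HKP from `keys.gnupg.net` (an SKS pool alias whose availability cannot be assumed) and the `apt_repository` entries are hard-coded to `debian-jessie` although the README's example playbook targets an Ubuntu host; shipping the key file with the role and deriving the suite from `ansible_distribution_release` (which needs `gather_facts` enabled) would make the install reproducible.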