diff --git a/README.md b/README.md
index f497d09..16470a6 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # Deploy OpenLDAP/FusionDirectory using Ansible
-These Role will deploy an OpenLDAP/FusionDirectory server.
+These playbooks will deploy an OpenLDAP/FusionDirectory server.
 Components:
 * OpenLDAP (slapd)
@@ -16,7 +16,7 @@ Components:
 ## Clone the repository
-Clone the repository:
+Clone the reposiroty:
 ```
 $ git clone https://git.theo-andreou.org/Personal/ansible-deploy-ldap-fusiondirectory.git
@@ -49,7 +49,7 @@ timezone: Asia/Nicosia
 * Create an encrypted *vars/secrets.yml* file:
 ```
-$ ansible-vault create vars/secrets.yml
+$ ansible-vault create vars/secrets.yml
 ```
 Use a master password for the file above.
@@ -63,28 +63,12 @@ fd_admin: fdadmin
 fd_admin_pass: MySecretFDCombination
 ```
-* Create a playbook to call this role (fusiondirectory.yml):
-```
-- hosts: all
- become: yes
- gather_facts: false
- vars:
- - ansible_user: "ubuntu"
- pre_tasks:
- - name: install python 2
- raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
- changed_when: False
- roles:
- - ansible-deploy-ldap-fusiondirectory
-```
-
-
 ## Deploy LDAP and FusionDirectory
 When done with the configuration run this command (provide your master password):
 ```
-$ ansible-playbook --vault-id @prompt fusiondirectory.yml
+$ ansible-playbook --vault-id @prompt deploy_fusiondirectory.yml
 ```
 When done visit http://auth.example.org to login for the first time. I suggest you enable HTTPS before doing that.
diff --git a/deploy-ldap-fusiondirectory.yml b/deploy-ldap-fusiondirectory.yml
new file mode 100644
index 0000000..135e037
--- /dev/null
+++ b/deploy-ldap-fusiondirectory.yml
@@ -0,0 +1,343 @@
+---
+# This will deploy OpenLDAP and FusionDirectory on the mailserver
+- hosts: auth.example.com
+ user: root
+
+ vars_files:
+ - vars/all.yml
+ - vars/secrets.yml
+
+ tasks:
+
+ - name: Prepate /etc/hosts
+ lineinfile:
+ path: /etc/hosts
+ insertafter: '^127.0.1.1 '
+ line: "{{ item }}"
+ with_items:
+ - "127.0.2.1 mail.{{ domain }} mail"
+ - "127.0.3.1 auth.{{ domain }} auth"
+
+ - name: Setup OpenLDAP and Dependencies
+ apt:
+ name: "{{ item }}"
+ state: present
+ update_cache: yes
+ with_items:
+ - ldap-utils
+ - gnutls-bin
+ - ca-certificates
+ - python-ldap
+ - python3-ldap
+
+ - name: debconf configuration for slapd
+ debconf:
+ name: slapd
+ question: "{{ item.question }}"
+ value: "{{ item.value }}"
+ vtype: "{{ item.vtype }}"
+ with_items:
+ - { question: slapd/no_configuration, value: False, vtype: boolean }
+ - { question: slapd/domain, value: "{{ domain }}", vtype: string }
+ - { question: shared/organization, value: "{{ organization }}", vtype: string }
+ - { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }
+ - { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }
+ - { question: slapd/backend, value: MDB, vtype: select }
+ - { question: slapd/purge_database, value: False, vtype: boolean }
+ - { question: slapd/move_old_database, value: True, vtype: boolean }
+ no_log: True
+
+ - name: install slapd
+ apt:
+ name: slapd
+ state: present
+
+ - name: Create the ROOT CA store
+ file:
+ path: /srv/CA
+ state: directory
+
+ - name: Generate the CA Certificate template
+ template:
+ src: templates/ca-cert.tmpl.j2
+ dest: /srv/CA/ca-cert.tmpl
+
+ - name: Generate the ROOT CA private key
+ command: |
+ certtool --generate-privkey \
+ --outfile {{ domain }}-rootCA.key
+ args:
+ chdir: /srv/CA
+ creates: "/srv/CA/{{ domain }}-rootCA.key"
+
+ - name: Generate the ROOT CA Certificate
+ command: |
+ certtool --generate-self-signed \
+ --template ca-cert.tmpl \
+ --load-privkey {{ domain 
}}-rootCA.key \
+ --outfile {{ domain }}-rootCA.crt
+ args:
+ chdir: /srv/CA
+ creates: "/srv/CA/{{ domain }}-rootCA.crt"
+
+ - name: Add our ROOT CA as trusted
+ copy:
+ remote_src: yes
+ src: "/srv/CA/{{ domain }}-rootCA.crt"
+ dest: /usr/local/share/ca-certificates/
+ notify:
+ - Update CA Certificates
+
+ - name: Create the LDAP TLS store
+ file:
+ path: /etc/ldap/ssl
+ owner: openldap
+ group: openldap
+ state: directory
+
+ - name: Generate the LDAP Certificate template
+ template:
+ src: templates/ldap-cert.tmpl.j2
+ dest: /srv/CA/ldap-cert.tmpl
+
+ - name: Generate the LDAP private key
+ command: |
+ certtool --generate-privkey \
+ --outfile {{ domain }}.key
+ args:
+ chdir: /etc/ldap/ssl
+ creates: "/etc/ldap/ssl/{{ domain }}.key"
+
+ - name: Generate the LDAP Certificate
+ command: |
+ certtool --generate-certificate \
+ --template /srv/CA/ldap-cert.tmpl \
+ --load-privkey {{ domain }}.key \
+ --outfile {{ domain }}.crt \
+ --load-ca-privkey /srv/CA/{{ domain }}-rootCA.key
+ --load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt
+ args:
+ chdir: /etc/ldap/ssl
+ creates: "/etc/ldap/ssl/{{ domain }}.crt"
+
+ - name: Set the correct ownership on the LDAP cert/key pair
+ file:
+ path: "/etc/ldap/ssl/{{ item }}"
+ owner: openldap
+ group: openldap
+ with_items:
+ - "{{ domain }}.key"
+ - "{{ domain }}.crt"
+
+ - name: Create the custom_ldifs store
+ file:
+ path: /etc/ldap/custom_ldifs
+ owner: openldap
+ group: openldap
+ state: directory
+
+ - name: Create the olcSSL.ldif file (LDAP TLS Configuration)
+ template:
+ src: templates/olcSSL.ldif.j2
+ dest: /etc/ldap/custom_ldifs/olcSSL.ldif
+ owner: openldap
+ group: openldap
+ notify:
+ - Apply olcSSL.ldif
+ - Restart slapd
+
+ - name: Add an apt key by id from a keyserver
+ apt_key:
+ keyserver: keys.gnupg.net
+ id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF
+
+ - name: Add the Fusiondirectory repo
+ apt_repository:
+ repo: "{{ item }}"
+ state: present
+ with_items:
+ - 'deb 
http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'
+ - 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'
+
+ - name: Install FusionDirectory, dependencies and plugins
+ apt:
+ name: "{{ item }}"
+ update_cache: yes
+ state: present
+ with_items:
+ - apache2
+ - libapache2-mod-php
+ - php-ldap
+ - php-intl
+ - php-pear
+ - php-mbstring
+ - fusiondirectory
+ - fusiondirectory-schema
+ - fusiondirectory-plugin-ldapdump
+ - fusiondirectory-plugin-ldapmanager
+ - fusiondirectory-plugin-dsa
+ - fusiondirectory-plugin-dsa-schema
+ - fusiondirectory-plugin-systems
+ - fusiondirectory-plugin-systems-schema
+ notify:
+ - Apply FusionDirectory Schema
+ - Apply FusionDirectory Plugins Schema
+
+ - name: Calculate FusionDirectory Configuration hash
+ stat:
+ path: /var/cache/fusiondirectory/class.cache
+ get_md5: yes
+ register: fd_config_hash
+
+ - name: Generate the Initial FusionDirectory configuration
+ template:
+ src: templates/fd-init-config.ldif.j2
+ dest: /etc/ldap/custom_ldifs/fd-init-config.ldif
+ notify:
+ - Initialize FusionDirectory Configuration
+
+ - name: Migrate FusionDirectory Object Classes
+ template:
+ src: templates/fd-migrate-object-classes.ldif.j2
+ dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif
+ notify:
+ - Migrate Object Classes
+
+ - name: Create an empty ldap.conf file
+ file:
+ path: /etc/ldap/ldap.conf
+ state: touch
+ notify:
+ - Generate FusionDirectory SuperUser and OUs
+
+ - name: Set FusionDirectory SuperUser Password
+ command: |
+ true
+ notify:
+ - Set SuperUser Password
+ no_log: True
+
+ - name: Migrate FusionDirectory Defaults ACLs
+ template:
+ src: templates/fd-migrate-default-acl.ldif.j2
+ dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif
+ notify:
+ - Migrate Default ACLs
+
+ - name: Fix Permissions for the FusionDirectory Configuration
+ template:
+ src: templates/fusiondirectory.conf.j2
+ dest: /etc/fusiondirectory/fusiondirectory.conf
+
notify:
+ - Fix FusionDirectory Configuration Permisions
+
+ - name: Apply FusionDirectory Service Accounts ACL
+ template:
+ src: templates/fd-service_accounts_acl.ldif.j2
+ dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif
+ notify:
+ - Apply Service Accounts ACL
+
+
+ - name: Create a .well-known directory
+ file:
+ path: /var/www/html/.well-known
+ state: directory
+ owner: www-data
+ group: www-data
+
+ - name: Deploy the Apache VirtualHosts for FusionDirectory
+ template:
+ src: "templates/fd-vhost{{ item }}.j2"
+ dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"
+ with_items:
+ - ".conf"
+ - "-ssl.conf"
+ notify:
+ - Enable the Apache HTTP VirtualHost
+ - Disable the Default Apache VirtualHost
+ - Restart Apache
+
+ handlers:
+
+ - name: Update CA Certificates
+ command: update-ca-certificates
+
+ - name: Apply olcSSL.ldif
+ command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
+ args:
+ chdir: /etc/ldap/custom_ldifs
+
+ - name: Restart slapd
+ service:
+ name: slapd
+ state: restarted
+
+ - name: Apply FusionDirectory Schema
+ command: fusiondirectory-insert-schema
+
+ - name: Apply FusionDirectory Plugins Schema
+ command: |
+ fusiondirectory-insert-schema \
+ -i /etc/ldap/schema/fusiondirectory/{{ item }}.schema
+ with_items:
+ - dsa-fd-conf
+ - service-fd
+ - systems-fd-conf
+ - systems-fd
+
+ - name: Initialize FusionDirectory Configuration
+ command: |
+ ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif
+ args:
+ chdir: /etc/ldap/custom_ldifs
+ no_log: True
+
+ - name: Migrate Object Classes
+ command: |
+ ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif
+ args:
+ chdir: /etc/ldap/custom_ldifs
+ no_log: True
+
+ - name: Generate FusionDirectory SuperUser and OUs
+ shell: |
+ yes '{{ fd_admin }}' | \
+ fusiondirectory-setup --yes --check-ldap
+
+ - name: Set SuperUser Password
+ command: |
+ ldappasswd -D {{ ldap_admin_dn }} -w 
{{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }}
+ no_log: True
+
+ - name: Migrate Default ACLs
+ command: |
+ ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif
+ args:
+ chdir: /etc/ldap/custom_ldifs
+ no_log: True
+
+ - name: Fix FusionDirectory Configuration Permisions
+ command: fusiondirectory-setup --yes --check-config
+
+ - name: Apply Service Accounts ACL
+ command: |
+ ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif
+ args:
+ chdir: /etc/ldap/custom_ldifs
+
+ - name: Enable the Apache HTTP VirtualHost
+ file:
+ src: "/etc/apache2/sites-available/{{ domain }}.conf"
+ dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"
+ state: link
+
+ - name: Disable the Default Apache VirtualHost
+ file:
+ path: /etc/apache2/sites-enabled/000-default.conf
+ state: absent
+
+ - name: Restart Apache
+ service:
+ name: apache2
+ state: restarted
diff --git a/handlers/main.yml b/handlers/main.yml
deleted file mode 100644
index 57f088f..0000000
--- a/handlers/main.yml
+++ /dev/null
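Review bot: The handlers `Initialize FusionDirectory Configuration`, `Migrate Object Classes`, `Set SuperUser Password` and `Migrate Default ACLs` put `{{ ldap_admin_pass }}` (and, in `ldappasswd`, `{{ fd_admin_pass }}`) on the command line with `-w`/`-s`; `no_log: True` keeps them out of the Ansible output but not out of the process's argv on the target, which other local users can read while the command runs. The OpenLDAP clients read the bind password from a file with `-y <file>` (and `ldappasswd` takes the new password with `-T <file>`), so deploying the secrets to a root-only file with `copy: ... mode: "0600"` and removing it afterwards would avoid that exposure, while the handlers that only touch cn=config already bind with `-Y EXTERNAL -H ldapi:///` and need no password at all. In the same file, `Set the correct ownership on the LDAP cert/key pair` sets owner/group but no `mode:`, so the permission bits of `{{ domain }}.key` are whatever certtool and the umask produced; adding `mode: "0600"` for the key (and `mode: "0700"` on the `/srv/CA` directory holding the root CA key) makes the intended restriction explicit and idempotent. Finally, in `Generate the LDAP Certificate` the `--load-ca-privkey` line is the only continuation line without a trailing `\`, which looks like an oversight worth checking against the command the module actually runs.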
@@ -1,82 +0,0 @@
----
-- name: Update CA Certificates
- command: update-ca-certificates
-
-- name: Apply olcSSL.ldif
- command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
- args:
- chdir: /etc/ldap/custom_ldifs
-
-- name: Restart slapd
- service:
- name: slapd
- state: restarted
-
-- name: Apply FusionDirectory Schema
- command: fusiondirectory-insert-schema
-
-- name: Apply FusionDirectory Plugins Schema
- command: |
- fusiondirectory-insert-schema \
- -i /etc/ldap/schema/fusiondirectory/{{ item }}.schema
- with_items:
- - dsa-fd-conf
- - service-fd
- - systems-fd-conf
- - systems-fd
-
-- name: Initialize FusionDirectory Configuration
- command: |
- ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif
- args:
- chdir: /etc/ldap/custom_ldifs
- no_log: True
-
-- name: Migrate Object Classes
- command: |
- ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif
- args:
- chdir: /etc/ldap/custom_ldifs
- no_log: True
-
-- name: Generate FusionDirectory SuperUser and OUs
- shell: |
- yes '{{ fd_admin }}' | \
- fusiondirectory-setup --yes --check-ldap
-
-- name: Set SuperUser Password
- command: |
- ldappasswd -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }}
- no_log: True
-
-- name: Migrate Default ACLs
- command: |
- ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif
- args:
- chdir: /etc/ldap/custom_ldifs
- no_log: True
-
-- name: Fix FusionDirectory Configuration Permisions
- command: fusiondirectory-setup --yes --check-config
-
-- name: Apply Service Accounts ACL
- command: |
- ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif
- args:
- chdir: /etc/ldap/custom_ldifs
-
-- name: Enable the Apache HTTP VirtualHost
- file:
- src: "/etc/apache2/sites-available/{{ domain }}.conf"
- dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"
-
state: link
-
-- name: Disable the Default Apache VirtualHost
- file:
- path: /etc/apache2/sites-enabled/000-default.conf
- state: absent
-
-- name: Restart Apache
- service:
- name: apache2
- state: restarted
diff --git a/tasks/main.yml b/tasks/main.yml
deleted file mode 100644
index a88e031..0000000
--- a/tasks/main.yml
+++ /dev/null
@@ -1,250 +0,0 @@
----
-# This will deploy OpenLDAP and FusionDirectory on the mailserver
-- name: Prepate /etc/hosts
- lineinfile:
- path: /etc/hosts
- insertafter: '^127.0.1.1 '
- line: "{{ item }}"
- with_items:
- - "127.0.2.1 mail.{{ domain }} mail"
- - "127.0.3.1 auth.{{ domain }} auth"
-
-- name: Setup OpenLDAP and Dependencies
- apt:
- name: "{{ item }}"
- state: present
- update_cache: yes
- with_items:
- - ldap-utils
- - gnutls-bin
- - ca-certificates
- - python-ldap
- - python3-ldap
-
-- name: debconf configuration for slapd
- debconf:
- name: slapd
- question: "{{ item.question }}"
- value: "{{ item.value }}"
- vtype: "{{ item.vtype }}"
- with_items:
- - { question: slapd/no_configuration, value: False, vtype: boolean }
- - { question: slapd/domain, value: "{{ domain }}", vtype: string }
- - { question: shared/organization, value: "{{ organization }}", vtype: string }
- - { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }
- - { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }
- - { question: slapd/backend, value: MDB, vtype: select }
- - { question: slapd/purge_database, value: False, vtype: boolean }
- - { question: slapd/move_old_database, value: True, vtype: boolean }
- no_log: True
-
-- name: install slapd
- apt:
- name: slapd
- state: present
-
-- name: Create the ROOT CA store
- file:
- path: /srv/CA
- state: directory
-
-- name: Generate the CA Certificate template
- template:
- src: templates/ca-cert.tmpl.j2
- dest: /srv/CA/ca-cert.tmpl
-
-- name: Generate the ROOT CA private key
- command: |
- certtool --generate-privkey \
- --outfile {{ domain }}-rootCA.key
- args:
- chdir: /srv/CA
- creates: "/srv/CA/{{ domain }}-rootCA.key"
-
-- name: Generate the ROOT CA Certificate
- command: |
- certtool --generate-self-signed \
- --template ca-cert.tmpl \
- --load-privkey {{ domain }}-rootCA.key \
- --outfile {{ domain }}-rootCA.crt
- args:
- chdir: /srv/CA
- creates: "/srv/CA/{{ domain 
}}-rootCA.crt"
-
-- name: Add our ROOT CA as trusted
- copy:
- remote_src: yes
- src: "/srv/CA/{{ domain }}-rootCA.crt"
- dest: /usr/local/share/ca-certificates/
- notify:
- - Update CA Certificates
-
-- name: Create the LDAP TLS store
- file:
- path: /etc/ldap/ssl
- owner: openldap
- group: openldap
- state: directory
-
-- name: Generate the LDAP Certificate template
- template:
- src: templates/ldap-cert.tmpl.j2
- dest: /srv/CA/ldap-cert.tmpl
-
-- name: Generate the LDAP private key
- command: |
- certtool --generate-privkey \
- --outfile {{ domain }}.key
- args:
- chdir: /etc/ldap/ssl
- creates: "/etc/ldap/ssl/{{ domain }}.key"
-
-- name: Generate the LDAP Certificate
- command: |
- certtool --generate-certificate \
- --template /srv/CA/ldap-cert.tmpl \
- --load-privkey {{ domain }}.key \
- --outfile {{ domain }}.crt \
- --load-ca-privkey /srv/CA/{{ domain }}-rootCA.key
- --load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt
- args:
- chdir: /etc/ldap/ssl
- creates: "/etc/ldap/ssl/{{ domain }}.crt"
-
-- name: Set the correct ownership on the LDAP cert/key pair
- file:
- path: "/etc/ldap/ssl/{{ item }}"
- owner: openldap
- group: openldap
- with_items:
- - "{{ domain }}.key"
- - "{{ domain }}.crt"
-
-- name: Create the custom_ldifs store
- file:
- path: /etc/ldap/custom_ldifs
- owner: openldap
- group: openldap
- state: directory
-
-- name: Create the olcSSL.ldif file (LDAP TLS Configuration)
- template:
- src: templates/olcSSL.ldif.j2
- dest: /etc/ldap/custom_ldifs/olcSSL.ldif
- owner: openldap
- group: openldap
- notify:
- - Apply olcSSL.ldif
- - Restart slapd
-
-- name: Add an apt key by id from a keyserver
- apt_key:
- keyserver: keys.gnupg.net
- id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF
-
-- name: Add the Fusiondirectory repo
- apt_repository:
- repo: "{{ item }}"
- state: present
- with_items:
- - 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'
- - 'deb 
http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'
-
-- name: Install FusionDirectory, dependencies and plugins
- apt:
- name: "{{ item }}"
- update_cache: yes
- state: present
- with_items:
- - apache2
- - libapache2-mod-php
- - php-ldap
- - php-intl
- - php-pear
- - php-mbstring
- - fusiondirectory
- - fusiondirectory-schema
- - fusiondirectory-plugin-ldapdump
- - fusiondirectory-plugin-ldapmanager
- - fusiondirectory-plugin-dsa
- - fusiondirectory-plugin-dsa-schema
- - fusiondirectory-plugin-systems
- - fusiondirectory-plugin-systems-schema
- notify:
- - Apply FusionDirectory Schema
- - Apply FusionDirectory Plugins Schema
-
-- name: Calculate FusionDirectory Configuration hash
- stat:
- path: /var/cache/fusiondirectory/class.cache
- get_md5: yes
- register: fd_config_hash
-
-- name: Generate the Initial FusionDirectory configuration
- template:
- src: templates/fd-init-config.ldif.j2
- dest: /etc/ldap/custom_ldifs/fd-init-config.ldif
- notify:
- - Initialize FusionDirectory Configuration
-
-- name: Migrate FusionDirectory Object Classes
- template:
- src: templates/fd-migrate-object-classes.ldif.j2
- dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif
- notify:
- - Migrate Object Classes
-
-- name: Create an empty ldap.conf file
- file:
- path: /etc/ldap/ldap.conf
- state: touch
- notify:
- - Generate FusionDirectory SuperUser and OUs
-
-- name: Set FusionDirectory SuperUser Password
- command: |
- true
- notify:
- - Set SuperUser Password
- no_log: True
-
-- name: Migrate FusionDirectory Defaults ACLs
- template:
- src: templates/fd-migrate-default-acl.ldif.j2
- dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif
- notify:
- - Migrate Default ACLs
-
-- name: Fix Permissions for the FusionDirectory Configuration
- template:
- src: templates/fusiondirectory.conf.j2
- dest: /etc/fusiondirectory/fusiondirectory.conf
- notify:
- - Fix FusionDirectory Configuration Permisions
-
-- name: Apply FusionDirectory Service 
Accounts ACL
- template:
- src: templates/fd-service_accounts_acl.ldif.j2
- dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif
- notify:
- - Apply Service Accounts ACL
-
-
-- name: Create a .well-known directory
- file:
- path: /var/www/html/.well-known
- state: directory
- owner: www-data
- group: www-data
-
-- name: Deploy the Apache VirtualHosts for FusionDirectory
- template:
- src: "templates/fd-vhost{{ item }}.j2"
- dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"
- with_items:
- - ".conf"
- - "-ssl.conf"
- notify:
- - Enable the Apache HTTP VirtualHost
- - Disable the Default Apache VirtualHost
- - Restart Apache