Ansible role #2
24
README.md
24
README.md
|
@ -1,6 +1,6 @@
|
|||
# Deploy OpenLDAP/FusionDirectory using Ansible
|
||||
|
||||
These playbooks will deploy an OpenLDAP/FusionDirectory server.
|
||||
These Role will deploy an OpenLDAP/FusionDirectory server.
|
||||
|
||||
Components:
|
||||
* OpenLDAP (slapd)
|
||||
|
@ -16,7 +16,7 @@ Components:
|
|||
|
||||
## Clone the repository
|
||||
|
||||
Clone the reposiroty:
|
||||
Clone the repository:
|
||||
|
||||
```
|
||||
$ git clone https://git.theo-andreou.org/Personal/ansible-deploy-ldap-fusiondirectory.git
|
||||
|
@ -49,7 +49,7 @@ timezone: Asia/Nicosia
|
|||
* Create an encrypted *vars/secrets.yml* file:
|
||||
|
||||
```
|
||||
$ ansible-vault create vars/secrets.yml
|
||||
$ ansible-vault create vars/secrets.yml
|
||||
```
|
||||
|
||||
Use a master password for the file above.
|
||||
|
@ -63,12 +63,28 @@ fd_admin: fdadmin
|
|||
fd_admin_pass: MySecretFDCombination
|
||||
```
|
||||
|
||||
* Create a playbook to call this role (fusiondirectory.yml):
|
||||
```
|
||||
- hosts: all
|
||||
become: yes
|
||||
gather_facts: false
|
||||
vars:
|
||||
- ansible_user: "ubuntu"
|
||||
pre_tasks:
|
||||
- name: install python 2
|
||||
raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
|
||||
changed_when: False
|
||||
roles:
|
||||
- ansible-deploy-ldap-fusiondirectory
|
||||
```
|
||||
|
||||
|
||||
## Deploy LDAP and FusionDirectory
|
||||
|
||||
When done with the configuration run this command (provide your master password):
|
||||
|
||||
```
|
||||
$ ansible-playbook --vault-id @prompt deploy_fusiondirectory.yml
|
||||
$ ansible-playbook --vault-id @prompt fusiondirectory.yml
|
||||
```
|
||||
|
||||
When done visit http://auth.example.org to login for the first time. I suggest you enable HTTPS before doing that.
|
||||
|
|
|
@ -1,343 +0,0 @@
|
|||
---
|
||||
# This will deploy OpenLDAP and FusionDirectory on the mailserver
|
||||
- hosts: auth.example.com
|
||||
user: root
|
||||
|
||||
vars_files:
|
||||
- vars/all.yml
|
||||
- vars/secrets.yml
|
||||
|
||||
tasks:
|
||||
|
||||
- name: Prepate /etc/hosts
|
||||
lineinfile:
|
||||
path: /etc/hosts
|
||||
insertafter: '^127.0.1.1 '
|
||||
line: "{{ item }}"
|
||||
with_items:
|
||||
- "127.0.2.1 mail.{{ domain }} mail"
|
||||
- "127.0.3.1 auth.{{ domain }} auth"
|
||||
|
||||
- name: Setup OpenLDAP and Dependencies
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
update_cache: yes
|
||||
with_items:
|
||||
- ldap-utils
|
||||
- gnutls-bin
|
||||
- ca-certificates
|
||||
- python-ldap
|
||||
- python3-ldap
|
||||
|
||||
- name: debconf configuration for slapd
|
||||
debconf:
|
||||
name: slapd
|
||||
question: "{{ item.question }}"
|
||||
value: "{{ item.value }}"
|
||||
vtype: "{{ item.vtype }}"
|
||||
with_items:
|
||||
- { question: slapd/no_configuration, value: False, vtype: boolean }
|
||||
- { question: slapd/domain, value: "{{ domain }}", vtype: string }
|
||||
- { question: shared/organization, value: "{{ organization }}", vtype: string }
|
||||
- { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }
|
||||
- { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }
|
||||
- { question: slapd/backend, value: MDB, vtype: select }
|
||||
- { question: slapd/purge_database, value: False, vtype: boolean }
|
||||
- { question: slapd/move_old_database, value: True, vtype: boolean }
|
||||
no_log: True
|
||||
|
||||
- name: install slapd
|
||||
apt:
|
||||
name: slapd
|
||||
state: present
|
||||
|
||||
- name: Create the ROOT CA store
|
||||
file:
|
||||
path: /srv/CA
|
||||
state: directory
|
||||
|
||||
- name: Generate the CA Certificate template
|
||||
template:
|
||||
src: templates/ca-cert.tmpl.j2
|
||||
dest: /srv/CA/ca-cert.tmpl
|
||||
|
||||
- name: Generate the ROOT CA private key
|
||||
command: |
|
||||
certtool --generate-privkey \
|
||||
--outfile {{ domain }}-rootCA.key
|
||||
args:
|
||||
chdir: /srv/CA
|
||||
creates: "/srv/CA/{{ domain }}-rootCA.key"
|
||||
|
||||
- name: Generate the ROOT CA Certificate
|
||||
command: |
|
||||
certtool --generate-self-signed \
|
||||
--template ca-cert.tmpl \
|
||||
--load-privkey {{ domain }}-rootCA.key \
|
||||
--outfile {{ domain }}-rootCA.crt
|
||||
args:
|
||||
chdir: /srv/CA
|
||||
creates: "/srv/CA/{{ domain }}-rootCA.crt"
|
||||
|
||||
- name: Add our ROOT CA as trusted
|
||||
copy:
|
||||
remote_src: yes
|
||||
src: "/srv/CA/{{ domain }}-rootCA.crt"
|
||||
dest: /usr/local/share/ca-certificates/
|
||||
notify:
|
||||
- Update CA Certificates
|
||||
|
||||
- name: Create the LDAP TLS store
|
||||
file:
|
||||
path: /etc/ldap/ssl
|
||||
owner: openldap
|
||||
group: openldap
|
||||
state: directory
|
||||
|
||||
- name: Generate the LDAP Certificate template
|
||||
template:
|
||||
src: templates/ldap-cert.tmpl.j2
|
||||
dest: /srv/CA/ldap-cert.tmpl
|
||||
|
||||
- name: Generate the LDAP private key
|
||||
command: |
|
||||
certtool --generate-privkey \
|
||||
--outfile {{ domain }}.key
|
||||
args:
|
||||
chdir: /etc/ldap/ssl
|
||||
creates: "/etc/ldap/ssl/{{ domain }}.key"
|
||||
|
||||
- name: Generate the LDAP Certificate
|
||||
command: |
|
||||
certtool --generate-certificate \
|
||||
--template /srv/CA/ldap-cert.tmpl \
|
||||
--load-privkey {{ domain }}.key \
|
||||
--outfile {{ domain }}.crt \
|
||||
--load-ca-privkey /srv/CA/{{ domain }}-rootCA.key
|
||||
--load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt
|
||||
args:
|
||||
chdir: /etc/ldap/ssl
|
||||
creates: "/etc/ldap/ssl/{{ domain }}.crt"
|
||||
|
||||
- name: Set the correct ownership on the LDAP cert/key pair
|
||||
file:
|
||||
path: "/etc/ldap/ssl/{{ item }}"
|
||||
owner: openldap
|
||||
group: openldap
|
||||
with_items:
|
||||
- "{{ domain }}.key"
|
||||
- "{{ domain }}.crt"
|
||||
|
||||
- name: Create the custom_ldifs store
|
||||
file:
|
||||
path: /etc/ldap/custom_ldifs
|
||||
owner: openldap
|
||||
group: openldap
|
||||
state: directory
|
||||
|
||||
- name: Create the olcSSL.ldif file (LDAP TLS Configuration)
|
||||
template:
|
||||
src: templates/olcSSL.ldif.j2
|
||||
dest: /etc/ldap/custom_ldifs/olcSSL.ldif
|
||||
owner: openldap
|
||||
group: openldap
|
||||
notify:
|
||||
- Apply olcSSL.ldif
|
||||
- Restart slapd
|
||||
|
||||
- name: Add an apt key by id from a keyserver
|
||||
apt_key:
|
||||
keyserver: keys.gnupg.net
|
||||
id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF
|
||||
|
||||
- name: Add the Fusiondirectory repo
|
||||
apt_repository:
|
||||
repo: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'
|
||||
- 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'
|
||||
|
||||
- name: Install FusionDirectory, dependencies and plugins
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
update_cache: yes
|
||||
state: present
|
||||
with_items:
|
||||
- apache2
|
||||
- libapache2-mod-php
|
||||
- php-ldap
|
||||
- php-intl
|
||||
- php-pear
|
||||
- php-mbstring
|
||||
- fusiondirectory
|
||||
- fusiondirectory-schema
|
||||
- fusiondirectory-plugin-ldapdump
|
||||
- fusiondirectory-plugin-ldapmanager
|
||||
- fusiondirectory-plugin-dsa
|
||||
- fusiondirectory-plugin-dsa-schema
|
||||
- fusiondirectory-plugin-systems
|
||||
- fusiondirectory-plugin-systems-schema
|
||||
notify:
|
||||
- Apply FusionDirectory Schema
|
||||
- Apply FusionDirectory Plugins Schema
|
||||
|
||||
- name: Calculate FusionDirectory Configuration hash
|
||||
stat:
|
||||
path: /var/cache/fusiondirectory/class.cache
|
||||
get_md5: yes
|
||||
register: fd_config_hash
|
||||
|
||||
- name: Generate the Initial FusionDirectory configuration
|
||||
template:
|
||||
src: templates/fd-init-config.ldif.j2
|
||||
dest: /etc/ldap/custom_ldifs/fd-init-config.ldif
|
||||
notify:
|
||||
- Initialize FusionDirectory Configuration
|
||||
|
||||
- name: Migrate FusionDirectory Object Classes
|
||||
template:
|
||||
src: templates/fd-migrate-object-classes.ldif.j2
|
||||
dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif
|
||||
notify:
|
||||
- Migrate Object Classes
|
||||
|
||||
- name: Create an empty ldap.conf file
|
||||
file:
|
||||
path: /etc/ldap/ldap.conf
|
||||
state: touch
|
||||
notify:
|
||||
- Generate FusionDirectory SuperUser and OUs
|
||||
|
||||
- name: Set FusionDirectory SuperUser Password
|
||||
command: |
|
||||
true
|
||||
notify:
|
||||
- Set SuperUser Password
|
||||
no_log: True
|
||||
|
||||
- name: Migrate FusionDirectory Defaults ACLs
|
||||
template:
|
||||
src: templates/fd-migrate-default-acl.ldif.j2
|
||||
dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif
|
||||
notify:
|
||||
- Migrate Default ACLs
|
||||
|
||||
- name: Fix Permissions for the FusionDirectory Configuration
|
||||
template:
|
||||
src: templates/fusiondirectory.conf.j2
|
||||
dest: /etc/fusiondirectory/fusiondirectory.conf
|
||||
notify:
|
||||
- Fix FusionDirectory Configuration Permisions
|
||||
|
||||
- name: Apply FusionDirectory Service Accounts ACL
|
||||
template:
|
||||
src: templates/fd-service_accounts_acl.ldif.j2
|
||||
dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif
|
||||
notify:
|
||||
- Apply Service Accounts ACL
|
||||
|
||||
|
||||
- name: Create a .well-known directory
|
||||
file:
|
||||
path: /var/www/html/.well-known
|
||||
state: directory
|
||||
owner: www-data
|
||||
group: www-data
|
||||
|
||||
- name: Deploy the Apache VirtualHosts for FusionDirectory
|
||||
template:
|
||||
src: "templates/fd-vhost{{ item }}.j2"
|
||||
dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"
|
||||
with_items:
|
||||
- ".conf"
|
||||
- "-ssl.conf"
|
||||
notify:
|
||||
- Enable the Apache HTTP VirtualHost
|
||||
- Disable the Default Apache VirtualHost
|
||||
- Restart Apache
|
||||
|
||||
handlers:
|
||||
|
||||
- name: Update CA Certificates
|
||||
command: update-ca-certificates
|
||||
|
||||
- name: Apply olcSSL.ldif
|
||||
command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
|
||||
args:
|
||||
chdir: /etc/ldap/custom_ldifs
|
||||
|
||||
- name: Restart slapd
|
||||
service:
|
||||
name: slapd
|
||||
state: restarted
|
||||
|
||||
- name: Apply FusionDirectory Schema
|
||||
command: fusiondirectory-insert-schema
|
||||
|
||||
- name: Apply FusionDirectory Plugins Schema
|
||||
command: |
|
||||
fusiondirectory-insert-schema \
|
||||
-i /etc/ldap/schema/fusiondirectory/{{ item }}.schema
|
||||
with_items:
|
||||
- dsa-fd-conf
|
||||
- service-fd
|
||||
- systems-fd-conf
|
||||
- systems-fd
|
||||
|
||||
- name: Initialize FusionDirectory Configuration
|
||||
command: |
|
||||
ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif
|
||||
args:
|
||||
chdir: /etc/ldap/custom_ldifs
|
||||
no_log: True
|
||||
|
||||
- name: Migrate Object Classes
|
||||
command: |
|
||||
ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif
|
||||
args:
|
||||
chdir: /etc/ldap/custom_ldifs
|
||||
no_log: True
|
||||
|
||||
- name: Generate FusionDirectory SuperUser and OUs
|
||||
shell: |
|
||||
yes '{{ fd_admin }}' | \
|
||||
fusiondirectory-setup --yes --check-ldap
|
||||
|
||||
- name: Set SuperUser Password
|
||||
command: |
|
||||
ldappasswd -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }}
|
||||
no_log: True
|
||||
|
||||
- name: Migrate Default ACLs
|
||||
command: |
|
||||
ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif
|
||||
args:
|
||||
chdir: /etc/ldap/custom_ldifs
|
||||
no_log: True
|
||||
|
||||
- name: Fix FusionDirectory Configuration Permisions
|
||||
command: fusiondirectory-setup --yes --check-config
|
||||
|
||||
- name: Apply Service Accounts ACL
|
||||
command: |
|
||||
ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif
|
||||
args:
|
||||
chdir: /etc/ldap/custom_ldifs
|
||||
|
||||
- name: Enable the Apache HTTP VirtualHost
|
||||
file:
|
||||
src: "/etc/apache2/sites-available/{{ domain }}.conf"
|
||||
dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"
|
||||
state: link
|
||||
|
||||
- name: Disable the Default Apache VirtualHost
|
||||
file:
|
||||
path: /etc/apache2/sites-enabled/000-default.conf
|
||||
state: absent
|
||||
|
||||
- name: Restart Apache
|
||||
service:
|
||||
name: apache2
|
||||
state: restarted
|
82
handlers/main.yml
Normal file
82
handlers/main.yml
Normal file
|
@ -0,0 +1,82 @@
|
|||
---
|
||||
- name: Update CA Certificates
|
||||
command: update-ca-certificates
|
||||
|
||||
- name: Apply olcSSL.ldif
|
||||
command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
|
||||
args:
|
||||
chdir: /etc/ldap/custom_ldifs
|
||||
|
||||
- name: Restart slapd
|
||||
service:
|
||||
name: slapd
|
||||
state: restarted
|
||||
|
||||
- name: Apply FusionDirectory Schema
|
||||
command: fusiondirectory-insert-schema
|
||||
|
||||
- name: Apply FusionDirectory Plugins Schema
|
||||
command: |
|
||||
fusiondirectory-insert-schema \
|
||||
-i /etc/ldap/schema/fusiondirectory/{{ item }}.schema
|
||||
with_items:
|
||||
- dsa-fd-conf
|
||||
- service-fd
|
||||
- systems-fd-conf
|
||||
- systems-fd
|
||||
|
||||
- name: Initialize FusionDirectory Configuration
|
||||
command: |
|
||||
ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif
|
||||
args:
|
||||
chdir: /etc/ldap/custom_ldifs
|
||||
no_log: True
|
||||
|
||||
- name: Migrate Object Classes
|
||||
command: |
|
||||
ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif
|
||||
args:
|
||||
chdir: /etc/ldap/custom_ldifs
|
||||
no_log: True
|
||||
|
||||
- name: Generate FusionDirectory SuperUser and OUs
|
||||
shell: |
|
||||
yes '{{ fd_admin }}' | \
|
||||
fusiondirectory-setup --yes --check-ldap
|
||||
|
||||
- name: Set SuperUser Password
|
||||
command: |
|
||||
ldappasswd -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }}
|
||||
no_log: True
|
||||
|
||||
- name: Migrate Default ACLs
|
||||
command: |
|
||||
ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif
|
||||
args:
|
||||
chdir: /etc/ldap/custom_ldifs
|
||||
no_log: True
|
||||
|
||||
- name: Fix FusionDirectory Configuration Permisions
|
||||
command: fusiondirectory-setup --yes --check-config
|
||||
|
||||
- name: Apply Service Accounts ACL
|
||||
command: |
|
||||
ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif
|
||||
args:
|
||||
chdir: /etc/ldap/custom_ldifs
|
||||
|
||||
- name: Enable the Apache HTTP VirtualHost
|
||||
file:
|
||||
src: "/etc/apache2/sites-available/{{ domain }}.conf"
|
||||
dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"
|
||||
state: link
|
||||
|
||||
- name: Disable the Default Apache VirtualHost
|
||||
file:
|
||||
path: /etc/apache2/sites-enabled/000-default.conf
|
||||
state: absent
|
||||
|
||||
- name: Restart Apache
|
||||
service:
|
||||
name: apache2
|
||||
state: restarted
|
250
tasks/main.yml
Normal file
250
tasks/main.yml
Normal file
|
@ -0,0 +1,250 @@
|
|||
---
|
||||
# This will deploy OpenLDAP and FusionDirectory on the mailserver
|
||||
- name: Prepate /etc/hosts
|
||||
lineinfile:
|
||||
path: /etc/hosts
|
||||
insertafter: '^127.0.1.1 '
|
||||
line: "{{ item }}"
|
||||
with_items:
|
||||
- "127.0.2.1 mail.{{ domain }} mail"
|
||||
- "127.0.3.1 auth.{{ domain }} auth"
|
||||
|
||||
- name: Setup OpenLDAP and Dependencies
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
state: present
|
||||
update_cache: yes
|
||||
with_items:
|
||||
- ldap-utils
|
||||
- gnutls-bin
|
||||
- ca-certificates
|
||||
- python-ldap
|
||||
- python3-ldap
|
||||
|
||||
- name: debconf configuration for slapd
|
||||
debconf:
|
||||
name: slapd
|
||||
question: "{{ item.question }}"
|
||||
value: "{{ item.value }}"
|
||||
vtype: "{{ item.vtype }}"
|
||||
with_items:
|
||||
- { question: slapd/no_configuration, value: False, vtype: boolean }
|
||||
- { question: slapd/domain, value: "{{ domain }}", vtype: string }
|
||||
- { question: shared/organization, value: "{{ organization }}", vtype: string }
|
||||
- { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }
|
||||
- { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }
|
||||
- { question: slapd/backend, value: MDB, vtype: select }
|
||||
- { question: slapd/purge_database, value: False, vtype: boolean }
|
||||
- { question: slapd/move_old_database, value: True, vtype: boolean }
|
||||
no_log: True
|
||||
|
||||
- name: install slapd
|
||||
apt:
|
||||
name: slapd
|
||||
state: present
|
||||
|
||||
- name: Create the ROOT CA store
|
||||
file:
|
||||
path: /srv/CA
|
||||
state: directory
|
||||
|
||||
- name: Generate the CA Certificate template
|
||||
template:
|
||||
src: templates/ca-cert.tmpl.j2
|
||||
dest: /srv/CA/ca-cert.tmpl
|
||||
|
||||
- name: Generate the ROOT CA private key
|
||||
command: |
|
||||
certtool --generate-privkey \
|
||||
--outfile {{ domain }}-rootCA.key
|
||||
args:
|
||||
chdir: /srv/CA
|
||||
creates: "/srv/CA/{{ domain }}-rootCA.key"
|
||||
|
||||
- name: Generate the ROOT CA Certificate
|
||||
command: |
|
||||
certtool --generate-self-signed \
|
||||
--template ca-cert.tmpl \
|
||||
--load-privkey {{ domain }}-rootCA.key \
|
||||
--outfile {{ domain }}-rootCA.crt
|
||||
args:
|
||||
chdir: /srv/CA
|
||||
creates: "/srv/CA/{{ domain }}-rootCA.crt"
|
||||
|
||||
- name: Add our ROOT CA as trusted
|
||||
copy:
|
||||
remote_src: yes
|
||||
src: "/srv/CA/{{ domain }}-rootCA.crt"
|
||||
dest: /usr/local/share/ca-certificates/
|
||||
notify:
|
||||
- Update CA Certificates
|
||||
|
||||
- name: Create the LDAP TLS store
|
||||
file:
|
||||
path: /etc/ldap/ssl
|
||||
owner: openldap
|
||||
group: openldap
|
||||
state: directory
|
||||
|
||||
- name: Generate the LDAP Certificate template
|
||||
template:
|
||||
src: templates/ldap-cert.tmpl.j2
|
||||
dest: /srv/CA/ldap-cert.tmpl
|
||||
|
||||
- name: Generate the LDAP private key
|
||||
command: |
|
||||
certtool --generate-privkey \
|
||||
--outfile {{ domain }}.key
|
||||
args:
|
||||
chdir: /etc/ldap/ssl
|
||||
creates: "/etc/ldap/ssl/{{ domain }}.key"
|
||||
|
||||
- name: Generate the LDAP Certificate
|
||||
command: |
|
||||
certtool --generate-certificate \
|
||||
--template /srv/CA/ldap-cert.tmpl \
|
||||
--load-privkey {{ domain }}.key \
|
||||
--outfile {{ domain }}.crt \
|
||||
--load-ca-privkey /srv/CA/{{ domain }}-rootCA.key
|
||||
--load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt
|
||||
args:
|
||||
chdir: /etc/ldap/ssl
|
||||
creates: "/etc/ldap/ssl/{{ domain }}.crt"
|
||||
|
||||
- name: Set the correct ownership on the LDAP cert/key pair
|
||||
file:
|
||||
path: "/etc/ldap/ssl/{{ item }}"
|
||||
owner: openldap
|
||||
group: openldap
|
||||
with_items:
|
||||
- "{{ domain }}.key"
|
||||
- "{{ domain }}.crt"
|
||||
|
||||
- name: Create the custom_ldifs store
|
||||
file:
|
||||
path: /etc/ldap/custom_ldifs
|
||||
owner: openldap
|
||||
group: openldap
|
||||
state: directory
|
||||
|
||||
- name: Create the olcSSL.ldif file (LDAP TLS Configuration)
|
||||
template:
|
||||
src: templates/olcSSL.ldif.j2
|
||||
dest: /etc/ldap/custom_ldifs/olcSSL.ldif
|
||||
owner: openldap
|
||||
group: openldap
|
||||
notify:
|
||||
- Apply olcSSL.ldif
|
||||
- Restart slapd
|
||||
|
||||
- name: Add an apt key by id from a keyserver
|
||||
apt_key:
|
||||
keyserver: keys.gnupg.net
|
||||
id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF
|
||||
|
||||
- name: Add the Fusiondirectory repo
|
||||
apt_repository:
|
||||
repo: "{{ item }}"
|
||||
state: present
|
||||
with_items:
|
||||
- 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'
|
||||
- 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'
|
||||
|
||||
- name: Install FusionDirectory, dependencies and plugins
|
||||
apt:
|
||||
name: "{{ item }}"
|
||||
update_cache: yes
|
||||
state: present
|
||||
with_items:
|
||||
- apache2
|
||||
- libapache2-mod-php
|
||||
- php-ldap
|
||||
- php-intl
|
||||
- php-pear
|
||||
- php-mbstring
|
||||
- fusiondirectory
|
||||
- fusiondirectory-schema
|
||||
- fusiondirectory-plugin-ldapdump
|
||||
- fusiondirectory-plugin-ldapmanager
|
||||
- fusiondirectory-plugin-dsa
|
||||
- fusiondirectory-plugin-dsa-schema
|
||||
- fusiondirectory-plugin-systems
|
||||
- fusiondirectory-plugin-systems-schema
|
||||
notify:
|
||||
- Apply FusionDirectory Schema
|
||||
- Apply FusionDirectory Plugins Schema
|
||||
|
||||
- name: Calculate FusionDirectory Configuration hash
|
||||
stat:
|
||||
path: /var/cache/fusiondirectory/class.cache
|
||||
get_md5: yes
|
||||
register: fd_config_hash
|
||||
|
||||
- name: Generate the Initial FusionDirectory configuration
|
||||
template:
|
||||
src: templates/fd-init-config.ldif.j2
|
||||
dest: /etc/ldap/custom_ldifs/fd-init-config.ldif
|
||||
notify:
|
||||
- Initialize FusionDirectory Configuration
|
||||
|
||||
- name: Migrate FusionDirectory Object Classes
|
||||
template:
|
||||
src: templates/fd-migrate-object-classes.ldif.j2
|
||||
dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif
|
||||
notify:
|
||||
- Migrate Object Classes
|
||||
|
||||
- name: Create an empty ldap.conf file
|
||||
file:
|
||||
path: /etc/ldap/ldap.conf
|
||||
state: touch
|
||||
notify:
|
||||
- Generate FusionDirectory SuperUser and OUs
|
||||
|
||||
- name: Set FusionDirectory SuperUser Password
|
||||
command: |
|
||||
true
|
||||
notify:
|
||||
- Set SuperUser Password
|
||||
no_log: True
|
||||
|
||||
- name: Migrate FusionDirectory Defaults ACLs
|
||||
template:
|
||||
src: templates/fd-migrate-default-acl.ldif.j2
|
||||
dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif
|
||||
notify:
|
||||
- Migrate Default ACLs
|
||||
|
||||
- name: Fix Permissions for the FusionDirectory Configuration
|
||||
template:
|
||||
src: templates/fusiondirectory.conf.j2
|
||||
dest: /etc/fusiondirectory/fusiondirectory.conf
|
||||
notify:
|
||||
- Fix FusionDirectory Configuration Permisions
|
||||
|
||||
- name: Apply FusionDirectory Service Accounts ACL
|
||||
template:
|
||||
src: templates/fd-service_accounts_acl.ldif.j2
|
||||
dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif
|
||||
notify:
|
||||
- Apply Service Accounts ACL
|
||||
|
||||
|
||||
- name: Create a .well-known directory
|
||||
file:
|
||||
path: /var/www/html/.well-known
|
||||
state: directory
|
||||
owner: www-data
|
||||
group: www-data
|
||||
|
||||
- name: Deploy the Apache VirtualHosts for FusionDirectory
|
||||
template:
|
||||
src: "templates/fd-vhost{{ item }}.j2"
|
||||
dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"
|
||||
with_items:
|
||||
- ".conf"
|
||||
- "-ssl.conf"
|
||||
notify:
|
||||
- Enable the Apache HTTP VirtualHost
|
||||
- Disable the Default Apache VirtualHost
|
||||
- Restart Apache
|
Loading…
Reference in a new issue