Ansible role #2

Merged
theo merged 1 commit from jmgarcialdemoral/ansible-deploy-ldap-fusiondirectory:feature/role into master 2019-10-01 14:09:13 +03:00
4 changed files with 352 additions and 347 deletions


@ -1,6 +1,6 @@
# Deploy OpenLDAP/FusionDirectory using Ansible
These playbooks will deploy an OpenLDAP/FusionDirectory server.
These Role will deploy an OpenLDAP/FusionDirectory server.
Components:
* OpenLDAP (slapd)
@ -16,7 +16,7 @@ Components:
## Clone the repository
Clone the reposiroty:
Clone the repository:
```
$ git clone https://git.theo-andreou.org/Personal/ansible-deploy-ldap-fusiondirectory.git
@ -49,7 +49,7 @@ timezone: Asia/Nicosia
* Create an encrypted *vars/secrets.yml* file:
```
$ ansible-vault create vars/secrets.yml
$ ansible-vault create vars/secrets.yml
```
Use a master password for the file above.
@ -63,12 +63,28 @@ fd_admin: fdadmin
fd_admin_pass: MySecretFDCombination
```
* Create a playbook to call this role (fusiondirectory.yml):
```
- hosts: all
become: yes
gather_facts: false
vars:
- ansible_user: "ubuntu"
pre_tasks:
- name: install python 2
raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
changed_when: False
roles:
- ansible-deploy-ldap-fusiondirectory
```
## Deploy LDAP and FusionDirectory
When done with the configuration run this command (provide your master password):
```
$ ansible-playbook --vault-id @prompt deploy_fusiondirectory.yml
$ ansible-playbook --vault-id @prompt fusiondirectory.yml
```
When done visit http://auth.example.org to login for the first time. I suggest you enable HTTPS before doing that.


@ -1,343 +0,0 @@
---
# This will deploy OpenLDAP and FusionDirectory on the mailserver
- hosts: auth.example.com
user: root
vars_files:
- vars/all.yml
- vars/secrets.yml
tasks:
- name: Prepate /etc/hosts
lineinfile:
path: /etc/hosts
insertafter: '^127.0.1.1 '
line: "{{ item }}"
with_items:
- "127.0.2.1 mail.{{ domain }} mail"
- "127.0.3.1 auth.{{ domain }} auth"
- name: Setup OpenLDAP and Dependencies
apt:
name: "{{ item }}"
state: present
update_cache: yes
with_items:
- ldap-utils
- gnutls-bin
- ca-certificates
- python-ldap
- python3-ldap
- name: debconf configuration for slapd
debconf:
name: slapd
question: "{{ item.question }}"
value: "{{ item.value }}"
vtype: "{{ item.vtype }}"
with_items:
- { question: slapd/no_configuration, value: False, vtype: boolean }
- { question: slapd/domain, value: "{{ domain }}", vtype: string }
- { question: shared/organization, value: "{{ organization }}", vtype: string }
- { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }
- { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }
- { question: slapd/backend, value: MDB, vtype: select }
- { question: slapd/purge_database, value: False, vtype: boolean }
- { question: slapd/move_old_database, value: True, vtype: boolean }
no_log: True
- name: install slapd
apt:
name: slapd
state: present
- name: Create the ROOT CA store
file:
path: /srv/CA
state: directory
- name: Generate the CA Certificate template
template:
src: templates/ca-cert.tmpl.j2
dest: /srv/CA/ca-cert.tmpl
- name: Generate the ROOT CA private key
command: |
certtool --generate-privkey \
--outfile {{ domain }}-rootCA.key
args:
chdir: /srv/CA
creates: "/srv/CA/{{ domain }}-rootCA.key"
- name: Generate the ROOT CA Certificate
command: |
certtool --generate-self-signed \
--template ca-cert.tmpl \
--load-privkey {{ domain }}-rootCA.key \
--outfile {{ domain }}-rootCA.crt
args:
chdir: /srv/CA
creates: "/srv/CA/{{ domain }}-rootCA.crt"
- name: Add our ROOT CA as trusted
copy:
remote_src: yes
src: "/srv/CA/{{ domain }}-rootCA.crt"
dest: /usr/local/share/ca-certificates/
notify:
- Update CA Certificates
- name: Create the LDAP TLS store
file:
path: /etc/ldap/ssl
owner: openldap
group: openldap
state: directory
- name: Generate the LDAP Certificate template
template:
src: templates/ldap-cert.tmpl.j2
dest: /srv/CA/ldap-cert.tmpl
- name: Generate the LDAP private key
command: |
certtool --generate-privkey \
--outfile {{ domain }}.key
args:
chdir: /etc/ldap/ssl
creates: "/etc/ldap/ssl/{{ domain }}.key"
- name: Generate the LDAP Certificate
command: |
certtool --generate-certificate \
--template /srv/CA/ldap-cert.tmpl \
--load-privkey {{ domain }}.key \
--outfile {{ domain }}.crt \
--load-ca-privkey /srv/CA/{{ domain }}-rootCA.key
--load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt
args:
chdir: /etc/ldap/ssl
creates: "/etc/ldap/ssl/{{ domain }}.crt"
- name: Set the correct ownership on the LDAP cert/key pair
file:
path: "/etc/ldap/ssl/{{ item }}"
owner: openldap
group: openldap
with_items:
- "{{ domain }}.key"
- "{{ domain }}.crt"
- name: Create the custom_ldifs store
file:
path: /etc/ldap/custom_ldifs
owner: openldap
group: openldap
state: directory
- name: Create the olcSSL.ldif file (LDAP TLS Configuration)
template:
src: templates/olcSSL.ldif.j2
dest: /etc/ldap/custom_ldifs/olcSSL.ldif
owner: openldap
group: openldap
notify:
- Apply olcSSL.ldif
- Restart slapd
- name: Add an apt key by id from a keyserver
apt_key:
keyserver: keys.gnupg.net
id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF
- name: Add the Fusiondirectory repo
apt_repository:
repo: "{{ item }}"
state: present
with_items:
- 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'
- 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'
- name: Install FusionDirectory, dependencies and plugins
apt:
name: "{{ item }}"
update_cache: yes
state: present
with_items:
- apache2
- libapache2-mod-php
- php-ldap
- php-intl
- php-pear
- php-mbstring
- fusiondirectory
- fusiondirectory-schema
- fusiondirectory-plugin-ldapdump
- fusiondirectory-plugin-ldapmanager
- fusiondirectory-plugin-dsa
- fusiondirectory-plugin-dsa-schema
- fusiondirectory-plugin-systems
- fusiondirectory-plugin-systems-schema
notify:
- Apply FusionDirectory Schema
- Apply FusionDirectory Plugins Schema
- name: Calculate FusionDirectory Configuration hash
stat:
path: /var/cache/fusiondirectory/class.cache
get_md5: yes
register: fd_config_hash
- name: Generate the Initial FusionDirectory configuration
template:
src: templates/fd-init-config.ldif.j2
dest: /etc/ldap/custom_ldifs/fd-init-config.ldif
notify:
- Initialize FusionDirectory Configuration
- name: Migrate FusionDirectory Object Classes
template:
src: templates/fd-migrate-object-classes.ldif.j2
dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif
notify:
- Migrate Object Classes
- name: Create an empty ldap.conf file
file:
path: /etc/ldap/ldap.conf
state: touch
notify:
- Generate FusionDirectory SuperUser and OUs
- name: Set FusionDirectory SuperUser Password
command: |
true
notify:
- Set SuperUser Password
no_log: True
- name: Migrate FusionDirectory Defaults ACLs
template:
src: templates/fd-migrate-default-acl.ldif.j2
dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif
notify:
- Migrate Default ACLs
- name: Fix Permissions for the FusionDirectory Configuration
template:
src: templates/fusiondirectory.conf.j2
dest: /etc/fusiondirectory/fusiondirectory.conf
notify:
- Fix FusionDirectory Configuration Permisions
- name: Apply FusionDirectory Service Accounts ACL
template:
src: templates/fd-service_accounts_acl.ldif.j2
dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif
notify:
- Apply Service Accounts ACL
- name: Create a .well-known directory
file:
path: /var/www/html/.well-known
state: directory
owner: www-data
group: www-data
- name: Deploy the Apache VirtualHosts for FusionDirectory
template:
src: "templates/fd-vhost{{ item }}.j2"
dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"
with_items:
- ".conf"
- "-ssl.conf"
notify:
- Enable the Apache HTTP VirtualHost
- Disable the Default Apache VirtualHost
- Restart Apache
handlers:
- name: Update CA Certificates
command: update-ca-certificates
- name: Apply olcSSL.ldif
command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
args:
chdir: /etc/ldap/custom_ldifs
- name: Restart slapd
service:
name: slapd
state: restarted
- name: Apply FusionDirectory Schema
command: fusiondirectory-insert-schema
- name: Apply FusionDirectory Plugins Schema
command: |
fusiondirectory-insert-schema \
-i /etc/ldap/schema/fusiondirectory/{{ item }}.schema
with_items:
- dsa-fd-conf
- service-fd
- systems-fd-conf
- systems-fd
- name: Initialize FusionDirectory Configuration
command: |
ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif
args:
chdir: /etc/ldap/custom_ldifs
no_log: True
- name: Migrate Object Classes
command: |
ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif
args:
chdir: /etc/ldap/custom_ldifs
no_log: True
- name: Generate FusionDirectory SuperUser and OUs
shell: |
yes '{{ fd_admin }}' | \
fusiondirectory-setup --yes --check-ldap
- name: Set SuperUser Password
command: |
ldappasswd -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }}
no_log: True
- name: Migrate Default ACLs
command: |
ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif
args:
chdir: /etc/ldap/custom_ldifs
no_log: True
- name: Fix FusionDirectory Configuration Permisions
command: fusiondirectory-setup --yes --check-config
- name: Apply Service Accounts ACL
command: |
ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif
args:
chdir: /etc/ldap/custom_ldifs
- name: Enable the Apache HTTP VirtualHost
file:
src: "/etc/apache2/sites-available/{{ domain }}.conf"
dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"
state: link
- name: Disable the Default Apache VirtualHost
file:
path: /etc/apache2/sites-enabled/000-default.conf
state: absent
- name: Restart Apache
service:
name: apache2
state: restarted

82
handlers/main.yml Normal file

@ -0,0 +1,82 @@
---
- name: Update CA Certificates
command: update-ca-certificates
- name: Apply olcSSL.ldif
command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
args:
chdir: /etc/ldap/custom_ldifs
- name: Restart slapd
service:
name: slapd
state: restarted
- name: Apply FusionDirectory Schema
command: fusiondirectory-insert-schema
- name: Apply FusionDirectory Plugins Schema
command: |
fusiondirectory-insert-schema \
-i /etc/ldap/schema/fusiondirectory/{{ item }}.schema
with_items:
- dsa-fd-conf
- service-fd
- systems-fd-conf
- systems-fd
- name: Initialize FusionDirectory Configuration
command: |
ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif
args:
chdir: /etc/ldap/custom_ldifs
no_log: True
- name: Migrate Object Classes
command: |
ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif
args:
chdir: /etc/ldap/custom_ldifs
no_log: True
- name: Generate FusionDirectory SuperUser and OUs
shell: |
yes '{{ fd_admin }}' | \
fusiondirectory-setup --yes --check-ldap
- name: Set SuperUser Password
command: |
ldappasswd -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }}
no_log: True
- name: Migrate Default ACLs
command: |
ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif
args:
chdir: /etc/ldap/custom_ldifs
no_log: True
- name: Fix FusionDirectory Configuration Permisions
command: fusiondirectory-setup --yes --check-config
- name: Apply Service Accounts ACL
command: |
ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif
args:
chdir: /etc/ldap/custom_ldifs
- name: Enable the Apache HTTP VirtualHost
file:
src: "/etc/apache2/sites-available/{{ domain }}.conf"
dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"
state: link
- name: Disable the Default Apache VirtualHost
file:
path: /etc/apache2/sites-enabled/000-default.conf
state: absent
- name: Restart Apache
service:
name: apache2
state: restarted
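Review bot: The LDAP bind password is placed on the command line in `Initialize FusionDirectory Configuration`, `Migrate Object Classes`, `Set SuperUser Password` and `Migrate Default ACLs` (`-w {{ ldap_admin_pass }}`, plus `-s {{ fd_admin_pass }} ` for the new superuser password); `no_log: True` keeps it out of Ansible's output, but while each command runs the argument is readable by any local user through the process list and may land in shell or audit logs on the target. The OpenLDAP clients accept the secret from a file instead — `-y <passwdfile>` for the bind password on all four, and `-T <newPasswordFile>` in place of `-s` for ldappasswd — so a `copy` with `content` and `mode: "0600"` to a root-owned temporary file, removed after the handler, closes this; where the directory ACLs let root act, `-Y EXTERNAL -H ldapi:///` as `Apply olcSSL.ldif` already does avoids the password entirely. Relatedly, `Set SuperUser Password` is the only ldap client invocation here without `-H ldapi:///`, so it presumably binds to whatever URI the (touched, empty) /etc/ldap/ldap.conf defaults to; adding `-H ldapi:///` makes it consistent with the other handlers. A short header comment stating that these handlers are notified only from tasks/main.yml and expect `ldap_admin_dn`, `ldap_admin_pass`, `fd_admin`, `fd_admin_pass` and `base_dn` from vars/secrets.yml would help the next maintainer.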

250
tasks/main.yml Normal file

@ -0,0 +1,250 @@
---
# This will deploy OpenLDAP and FusionDirectory on the mailserver
- name: Prepate /etc/hosts
lineinfile:
path: /etc/hosts
insertafter: '^127.0.1.1 '
line: "{{ item }}"
with_items:
- "127.0.2.1 mail.{{ domain }} mail"
- "127.0.3.1 auth.{{ domain }} auth"
- name: Setup OpenLDAP and Dependencies
apt:
name: "{{ item }}"
state: present
update_cache: yes
with_items:
- ldap-utils
- gnutls-bin
- ca-certificates
- python-ldap
- python3-ldap
- name: debconf configuration for slapd
debconf:
name: slapd
question: "{{ item.question }}"
value: "{{ item.value }}"
vtype: "{{ item.vtype }}"
with_items:
- { question: slapd/no_configuration, value: False, vtype: boolean }
- { question: slapd/domain, value: "{{ domain }}", vtype: string }
- { question: shared/organization, value: "{{ organization }}", vtype: string }
- { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }
- { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }
- { question: slapd/backend, value: MDB, vtype: select }
- { question: slapd/purge_database, value: False, vtype: boolean }
- { question: slapd/move_old_database, value: True, vtype: boolean }
no_log: True
- name: install slapd
apt:
name: slapd
state: present
- name: Create the ROOT CA store
file:
path: /srv/CA
state: directory
- name: Generate the CA Certificate template
template:
src: templates/ca-cert.tmpl.j2
dest: /srv/CA/ca-cert.tmpl
- name: Generate the ROOT CA private key
command: |
certtool --generate-privkey \
--outfile {{ domain }}-rootCA.key
args:
chdir: /srv/CA
creates: "/srv/CA/{{ domain }}-rootCA.key"
- name: Generate the ROOT CA Certificate
command: |
certtool --generate-self-signed \
--template ca-cert.tmpl \
--load-privkey {{ domain }}-rootCA.key \
--outfile {{ domain }}-rootCA.crt
args:
chdir: /srv/CA
creates: "/srv/CA/{{ domain }}-rootCA.crt"
- name: Add our ROOT CA as trusted
copy:
remote_src: yes
src: "/srv/CA/{{ domain }}-rootCA.crt"
dest: /usr/local/share/ca-certificates/
notify:
- Update CA Certificates
- name: Create the LDAP TLS store
file:
path: /etc/ldap/ssl
owner: openldap
group: openldap
state: directory
- name: Generate the LDAP Certificate template
template:
src: templates/ldap-cert.tmpl.j2
dest: /srv/CA/ldap-cert.tmpl
- name: Generate the LDAP private key
command: |
certtool --generate-privkey \
--outfile {{ domain }}.key
args:
chdir: /etc/ldap/ssl
creates: "/etc/ldap/ssl/{{ domain }}.key"
- name: Generate the LDAP Certificate
command: |
certtool --generate-certificate \
--template /srv/CA/ldap-cert.tmpl \
--load-privkey {{ domain }}.key \
--outfile {{ domain }}.crt \
--load-ca-privkey /srv/CA/{{ domain }}-rootCA.key
--load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt
args:
chdir: /etc/ldap/ssl
creates: "/etc/ldap/ssl/{{ domain }}.crt"
- name: Set the correct ownership on the LDAP cert/key pair
file:
path: "/etc/ldap/ssl/{{ item }}"
owner: openldap
group: openldap
with_items:
- "{{ domain }}.key"
- "{{ domain }}.crt"
- name: Create the custom_ldifs store
file:
path: /etc/ldap/custom_ldifs
owner: openldap
group: openldap
state: directory
- name: Create the olcSSL.ldif file (LDAP TLS Configuration)
template:
src: templates/olcSSL.ldif.j2
dest: /etc/ldap/custom_ldifs/olcSSL.ldif
owner: openldap
group: openldap
notify:
- Apply olcSSL.ldif
- Restart slapd
- name: Add an apt key by id from a keyserver
apt_key:
keyserver: keys.gnupg.net
id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF
- name: Add the Fusiondirectory repo
apt_repository:
repo: "{{ item }}"
state: present
with_items:
- 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'
- 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'
- name: Install FusionDirectory, dependencies and plugins
apt:
name: "{{ item }}"
update_cache: yes
state: present
with_items:
- apache2
- libapache2-mod-php
- php-ldap
- php-intl
- php-pear
- php-mbstring
- fusiondirectory
- fusiondirectory-schema
- fusiondirectory-plugin-ldapdump
- fusiondirectory-plugin-ldapmanager
- fusiondirectory-plugin-dsa
- fusiondirectory-plugin-dsa-schema
- fusiondirectory-plugin-systems
- fusiondirectory-plugin-systems-schema
notify:
- Apply FusionDirectory Schema
- Apply FusionDirectory Plugins Schema
- name: Calculate FusionDirectory Configuration hash
stat:
path: /var/cache/fusiondirectory/class.cache
get_md5: yes
register: fd_config_hash
- name: Generate the Initial FusionDirectory configuration
template:
src: templates/fd-init-config.ldif.j2
dest: /etc/ldap/custom_ldifs/fd-init-config.ldif
notify:
- Initialize FusionDirectory Configuration
- name: Migrate FusionDirectory Object Classes
template:
src: templates/fd-migrate-object-classes.ldif.j2
dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif
notify:
- Migrate Object Classes
- name: Create an empty ldap.conf file
file:
path: /etc/ldap/ldap.conf
state: touch
notify:
- Generate FusionDirectory SuperUser and OUs
- name: Set FusionDirectory SuperUser Password
command: |
true
notify:
- Set SuperUser Password
no_log: True
- name: Migrate FusionDirectory Defaults ACLs
template:
src: templates/fd-migrate-default-acl.ldif.j2
dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif
notify:
- Migrate Default ACLs
- name: Fix Permissions for the FusionDirectory Configuration
template:
src: templates/fusiondirectory.conf.j2
dest: /etc/fusiondirectory/fusiondirectory.conf
notify:
- Fix FusionDirectory Configuration Permisions
- name: Apply FusionDirectory Service Accounts ACL
template:
src: templates/fd-service_accounts_acl.ldif.j2
dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif
notify:
- Apply Service Accounts ACL
- name: Create a .well-known directory
file:
path: /var/www/html/.well-known
state: directory
owner: www-data
group: www-data
- name: Deploy the Apache VirtualHosts for FusionDirectory
template:
src: "templates/fd-vhost{{ item }}.j2"
dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"
with_items:
- ".conf"
- "-ssl.conf"
notify:
- Enable the Apache HTTP VirtualHost
- Disable the Default Apache VirtualHost
- Restart Apache
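Review bot: `Create the ROOT CA store` creates /srv/CA without a `mode`, and the root CA private key generated into it by `Generate the ROOT CA private key` is never given one either, so the key that signs the LDAP server certificate is protected only by whatever umask certtool and the file module happen to inherit; add `mode: "0700"` to the /srv/CA `file` task, and in `Set the correct ownership on the LDAP cert/key pair` give the `.key` item `mode: "0600"` (for example by looping over `{ path: "{{ domain }}.key", mode: "0600" }` / `{ path: "{{ domain }}.crt", mode: "0644" }` dicts rather than bare names). `Set FusionDirectory SuperUser Password` runs `command: true`, which the command module always reports as changed, so the `Set SuperUser Password` handler resets the password on every run; if that is intended, say so in a comment (`# always "changed": re-applies the superuser password on each run`), otherwise notify it from the step that actually creates the account. `Calculate FusionDirectory Configuration hash` registers `fd_config_hash`, which nothing in this file reads, and its `get_md5: yes` option is deprecated in later Ansible releases (`checksum` is returned by default), so the task looks droppable. The header comment `# This will deploy OpenLDAP and FusionDirectory on the mailserver` is carried over from the deleted playbook; for a role, `# Tasks for the ansible-deploy-ldap-fusiondirectory role (OpenLDAP + FusionDirectory)` describes the file.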