Personal
/
ansible-deploy-ldap-fusiondirectory
1
0
Fork 1
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
An Ansible Playbook to deploy OpenLDAP and FusionDirectory
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
84KB
Tree: 5929ba8b80
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '5929ba8b80'
${ noResults }
ansible-deploy-ldap-fusiond.../tasks/main.yml

251 lines
6.6KB
Raw Blame History 

  1. ---

  2. # This will deploy OpenLDAP and FusionDirectory on the mailserver

  3. - name: Prepate /etc/hosts

  4.   lineinfile:

  5.     path: /etc/hosts

  6.     insertafter: '^127.0.1.1 '

  7.     line: "{{ item }}"

  8.   with_items:

  9.     - "127.0.2.1   mail.{{ domain }} mail"

  10.     - "127.0.3.1   auth.{{ domain }} auth"

  11. 

  12. - name: Setup OpenLDAP and Dependencies

  13.   apt:

  14.     name: "{{ item }}"

  15.     state: present

  16.     update_cache: yes

  17.   with_items:

  18.     - ldap-utils

  19.     - gnutls-bin

  20.     - ca-certificates

  21.     - python-ldap

  22.     - python3-ldap

  23. 

  24. - name: debconf configuration for slapd

  25.   debconf:

  26.     name: slapd

  27.     question: "{{ item.question }}"

  28.     value: "{{ item.value }}"

  29.     vtype: "{{ item.vtype }}"

  30.   with_items:

  31.     - { question: slapd/no_configuration, value: False, vtype: boolean }

  32.     - { question: slapd/domain, value: "{{ domain }}", vtype: string }

  33.     - { question: shared/organization, value: "{{ organization }}", vtype: string }

  34.     - { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }

  35.     - { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }

  36.     - { question: slapd/backend, value: MDB, vtype: select }

  37.     - { question: slapd/purge_database, value: False, vtype: boolean }

  38.     - { question: slapd/move_old_database, value: True, vtype: boolean }

  39.   no_log: True

  40. 

  41. - name: install slapd

  42.   apt:

  43.     name: slapd

  44.     state: present

  45. 

  46. - name: Create the ROOT CA store

  47.   file:

  48.     path: /srv/CA

  49.     state: directory

  50. 

  51. - name: Generate the CA Certificate template

  52.   template:

  53.     src: templates/ca-cert.tmpl.j2

  54.     dest: /srv/CA/ca-cert.tmpl

  55. 

  56. - name: Generate the ROOT CA private key

  57.   command: |

  58.     certtool --generate-privkey \

  59.     --outfile {{ domain }}-rootCA.key

  60.   args:

  61.     chdir: /srv/CA

  62.     creates: "/srv/CA/{{ domain }}-rootCA.key"

  63. 

  64. - name: Generate the ROOT CA Certificate

  65.   command: |

  66.     certtool --generate-self-signed \

  67.     --template ca-cert.tmpl \

  68.     --load-privkey {{ domain }}-rootCA.key \

  69.     --outfile {{ domain }}-rootCA.crt

  70.   args:

  71.     chdir: /srv/CA

  72.     creates: "/srv/CA/{{ domain }}-rootCA.crt"

  73. 

  74. - name: Add our ROOT CA as trusted

  75.   copy:

  76.     remote_src: yes

  77.     src: "/srv/CA/{{ domain }}-rootCA.crt"

  78.     dest: /usr/local/share/ca-certificates/

  79.   notify:

  80.     - Update CA Certificates

  81. 

  82. - name: Create the LDAP TLS store

  83.   file:

  84.     path: /etc/ldap/ssl

  85.     owner: openldap

  86.     group: openldap

  87.     state: directory

  88. 

  89. - name: Generate the LDAP Certificate template

  90.   template:

  91.     src: templates/ldap-cert.tmpl.j2

  92.     dest: /srv/CA/ldap-cert.tmpl

  93. 

  94. - name: Generate the LDAP private key

  95.   command: |

  96.     certtool --generate-privkey \

  97.     --outfile {{ domain }}.key

  98.   args:

  99.     chdir: /etc/ldap/ssl

  100.     creates: "/etc/ldap/ssl/{{ domain }}.key"

  101. 

  102. - name: Generate the LDAP Certificate

  103.   command: |

  104.     certtool --generate-certificate \

  105.     --template /srv/CA/ldap-cert.tmpl \

  106.     --load-privkey {{ domain }}.key \

  107.     --outfile {{ domain }}.crt \

  108.     --load-ca-privkey /srv/CA/{{ domain }}-rootCA.key

  109.     --load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt

  110.   args:

  111.     chdir: /etc/ldap/ssl

  112.     creates: "/etc/ldap/ssl/{{ domain }}.crt"

  113. 

  114. - name: Set the correct ownership on the LDAP cert/key pair

  115.   file:

  116.     path: "/etc/ldap/ssl/{{ item }}"

  117.     owner: openldap

  118.     group: openldap

  119.   with_items:

  120.     - "{{ domain }}.key"

  121.     - "{{ domain }}.crt"

  122. 

  123. - name: Create the custom_ldifs store

  124.   file:

  125.     path: /etc/ldap/custom_ldifs

  126.     owner: openldap

  127.     group: openldap

  128.     state: directory

  129. 

  130. - name: Create the olcSSL.ldif file (LDAP TLS Configuration)

  131.   template:

  132.     src: templates/olcSSL.ldif.j2

  133.     dest: /etc/ldap/custom_ldifs/olcSSL.ldif

  134.     owner: openldap

  135.     group: openldap

  136.   notify:

  137.     - Apply olcSSL.ldif

  138.     - Restart slapd

  139. 

  140. - name: Add an apt key by id from a keyserver

  141.   apt_key:

  142.     keyserver: keys.gnupg.net

  143.     id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF

  144. 

  145. - name: Add the Fusiondirectory repo

  146.   apt_repository:

  147.     repo: "{{ item }}"

  148.     state: present

  149.   with_items:

  150.     - 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'

  151.     - 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'

  152. 

  153. - name: Install FusionDirectory, dependencies and plugins

  154.   apt:

  155.     name: "{{ item }}"

  156.     update_cache: yes

  157.     state: present

  158.   with_items:

  159.     - apache2

  160.     - libapache2-mod-php

  161.     - php-ldap

  162.     - php-intl

  163.     - php-pear

  164.     - php-mbstring

  165.     - fusiondirectory

  166.     - fusiondirectory-schema

  167.     - fusiondirectory-plugin-ldapdump

  168.     - fusiondirectory-plugin-ldapmanager

  169.     - fusiondirectory-plugin-dsa

  170.     - fusiondirectory-plugin-dsa-schema

  171.     - fusiondirectory-plugin-systems

  172.     - fusiondirectory-plugin-systems-schema

  173.   notify:

  174.     - Apply FusionDirectory Schema

  175.     - Apply FusionDirectory Plugins Schema

  176. 

  177. - name: Calculate FusionDirectory Configuration hash

  178.   stat:

  179.     path: /var/cache/fusiondirectory/class.cache

  180.     get_md5: yes

  181.   register: fd_config_hash

  182. 

  183. - name: Generate the Initial FusionDirectory configuration

  184.   template:

  185.     src: templates/fd-init-config.ldif.j2

  186.     dest: /etc/ldap/custom_ldifs/fd-init-config.ldif

  187.   notify:

  188.     - Initialize FusionDirectory Configuration

  189. 

  190. - name: Migrate FusionDirectory Object Classes

  191.   template:

  192.     src: templates/fd-migrate-object-classes.ldif.j2

  193.     dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif

  194.   notify:

  195.     - Migrate Object Classes

  196. 

  197. - name: Create an empty ldap.conf file

  198.   file:

  199.     path: /etc/ldap/ldap.conf

  200.     state: touch

  201.   notify:

  202.     - Generate FusionDirectory SuperUser and OUs

  203. 

  204. - name: Set FusionDirectory SuperUser Password

  205.   command: |

  206.     true

  207.   notify:

  208.     - Set SuperUser Password

  209.   no_log: True

  210. 

  211. - name: Migrate FusionDirectory Defaults ACLs

  212.   template:

  213.     src: templates/fd-migrate-default-acl.ldif.j2

  214.     dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif

  215.   notify:

  216.     - Migrate Default ACLs

  217. 

  218. - name: Fix Permissions for the FusionDirectory Configuration

  219.   template:

  220.     src: templates/fusiondirectory.conf.j2

  221.     dest: /etc/fusiondirectory/fusiondirectory.conf

  222.   notify:

  223.     - Fix FusionDirectory Configuration Permisions

  224. 

  225. - name: Apply FusionDirectory Service Accounts ACL

  226.   template:

  227.     src: templates/fd-service_accounts_acl.ldif.j2

  228.     dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif

  229.   notify:

  230.     - Apply Service Accounts ACL

  231. 

  232. 

  233. - name: Create a .well-known directory

  234.   file:

  235.     path: /var/www/html/.well-known

  236.     state: directory

  237.     owner: www-data

  238.     group: www-data

  239. 

  240. - name: Deploy the Apache VirtualHosts for FusionDirectory

  241.   template:

  242.     src: "templates/fd-vhost{{ item }}.j2"

  243.     dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"

  244.   with_items:

  245.     - ".conf"

  246.     - "-ssl.conf"

  247.   notify:

  248.     - Enable the Apache HTTP VirtualHost

  249.     - Disable the Default Apache VirtualHost

  250.     - Restart Apache