Personal
/
ansible-deploy-ldap-fusiondirectory
1
0
Bifurcation 1
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
An Ansible Playbook to deploy OpenLDAP and FusionDirectory
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
2 Révisions
1 Branche
84KB
Aborescence: 5929ba8b80
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '5929ba8b80'
${ noResults }
ansible-deploy-ldap-fusiond.../tasks/main.yml

251 lignes
6.6KB
Brut Annotations Historique 

  1. ---

  2. # This will deploy OpenLDAP and FusionDirectory on the mailserver

  3. - name: Prepate /etc/hosts

  4.   lineinfile:

  5.     path: /etc/hosts

  6.     insertafter: '^127.0.1.1 '

  7.     line: "{{ item }}"

  8.   with_items:

  9.     - "127.0.2.1   mail.{{ domain }} mail"

  10.     - "127.0.3.1   auth.{{ domain }} auth"

  11. 

  12. - name: Setup OpenLDAP and Dependencies

  13.   apt:

  14.     name: "{{ item }}"

  15.     state: present

  16.     update_cache: yes

  17.   with_items:

  18.     - ldap-utils

  19.     - gnutls-bin

  20.     - ca-certificates

  21.     - python-ldap

  22.     - python3-ldap

  23. 

  24. - name: debconf configuration for slapd

  25.   debconf:

  26.     name: slapd

  27.     question: "{{ item.question }}"

  28.     value: "{{ item.value }}"

  29.     vtype: "{{ item.vtype }}"

  30.   with_items:

  31.     - { question: slapd/no_configuration, value: False, vtype: boolean }

  32.     - { question: slapd/domain, value: "{{ domain }}", vtype: string }

  33.     - { question: shared/organization, value: "{{ organization }}", vtype: string }

  34.     - { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }

  35.     - { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }

  36.     - { question: slapd/backend, value: MDB, vtype: select }

  37.     - { question: slapd/purge_database, value: False, vtype: boolean }

  38.     - { question: slapd/move_old_database, value: True, vtype: boolean }

  39.   no_log: True

  40. 

  41. - name: install slapd

  42.   apt:

  43.     name: slapd

  44.     state: present

  45. 

  46. - name: Create the ROOT CA store

  47.   file:

  48.     path: /srv/CA

  49.     state: directory

  50. 

  51. - name: Generate the CA Certificate template

  52.   template:

  53.     src: templates/ca-cert.tmpl.j2

  54.     dest: /srv/CA/ca-cert.tmpl

  55. 

  56. - name: Generate the ROOT CA private key

  57.   command: |

  58.     certtool --generate-privkey \

  59.     --outfile {{ domain }}-rootCA.key

  60.   args:

  61.     chdir: /srv/CA

  62.     creates: "/srv/CA/{{ domain }}-rootCA.key"

  63. 

  64. - name: Generate the ROOT CA Certificate

  65.   command: |

  66.     certtool --generate-self-signed \

  67.     --template ca-cert.tmpl \

  68.     --load-privkey {{ domain }}-rootCA.key \

  69.     --outfile {{ domain }}-rootCA.crt

  70.   args:

  71.     chdir: /srv/CA

  72.     creates: "/srv/CA/{{ domain }}-rootCA.crt"

  73. 

  74. - name: Add our ROOT CA as trusted

  75.   copy:

  76.     remote_src: yes

  77.     src: "/srv/CA/{{ domain }}-rootCA.crt"

  78.     dest: /usr/local/share/ca-certificates/

  79.   notify:

  80.     - Update CA Certificates

  81. 

  82. - name: Create the LDAP TLS store

  83.   file:

  84.     path: /etc/ldap/ssl

  85.     owner: openldap

  86.     group: openldap

  87.     state: directory

  88. 

  89. - name: Generate the LDAP Certificate template

  90.   template:

  91.     src: templates/ldap-cert.tmpl.j2

  92.     dest: /srv/CA/ldap-cert.tmpl

  93. 

  94. - name: Generate the LDAP private key

  95.   command: |

  96.     certtool --generate-privkey \

  97.     --outfile {{ domain }}.key

  98.   args:

  99.     chdir: /etc/ldap/ssl

  100.     creates: "/etc/ldap/ssl/{{ domain }}.key"

  101. 

  102. - name: Generate the LDAP Certificate

  103.   command: |

  104.     certtool --generate-certificate \

  105.     --template /srv/CA/ldap-cert.tmpl \

  106.     --load-privkey {{ domain }}.key \

  107.     --outfile {{ domain }}.crt \

  108.     --load-ca-privkey /srv/CA/{{ domain }}-rootCA.key

  109.     --load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt

  110.   args:

  111.     chdir: /etc/ldap/ssl

  112.     creates: "/etc/ldap/ssl/{{ domain }}.crt"

  113. 

  114. - name: Set the correct ownership on the LDAP cert/key pair

  115.   file:

  116.     path: "/etc/ldap/ssl/{{ item }}"

  117.     owner: openldap

  118.     group: openldap

  119.   with_items:

  120.     - "{{ domain }}.key"

  121.     - "{{ domain }}.crt"

  122. 

  123. - name: Create the custom_ldifs store

  124.   file:

  125.     path: /etc/ldap/custom_ldifs

  126.     owner: openldap

  127.     group: openldap

  128.     state: directory

  129. 

  130. - name: Create the olcSSL.ldif file (LDAP TLS Configuration)

  131.   template:

  132.     src: templates/olcSSL.ldif.j2

  133.     dest: /etc/ldap/custom_ldifs/olcSSL.ldif

  134.     owner: openldap

  135.     group: openldap

  136.   notify:

  137.     - Apply olcSSL.ldif

  138.     - Restart slapd

  139. 

  140. - name: Add an apt key by id from a keyserver

  141.   apt_key:

  142.     keyserver: keys.gnupg.net

  143.     id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF

  144. 

  145. - name: Add the Fusiondirectory repo

  146.   apt_repository:

  147.     repo: "{{ item }}"

  148.     state: present

  149.   with_items:

  150.     - 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'

  151.     - 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'

  152. 

  153. - name: Install FusionDirectory, dependencies and plugins

  154.   apt:

  155.     name: "{{ item }}"

  156.     update_cache: yes

  157.     state: present

  158.   with_items:

  159.     - apache2

  160.     - libapache2-mod-php

  161.     - php-ldap

  162.     - php-intl

  163.     - php-pear

  164.     - php-mbstring

  165.     - fusiondirectory

  166.     - fusiondirectory-schema

  167.     - fusiondirectory-plugin-ldapdump

  168.     - fusiondirectory-plugin-ldapmanager

  169.     - fusiondirectory-plugin-dsa

  170.     - fusiondirectory-plugin-dsa-schema

  171.     - fusiondirectory-plugin-systems

  172.     - fusiondirectory-plugin-systems-schema

  173.   notify:

  174.     - Apply FusionDirectory Schema

  175.     - Apply FusionDirectory Plugins Schema

  176. 

  177. - name: Calculate FusionDirectory Configuration hash

  178.   stat:

  179.     path: /var/cache/fusiondirectory/class.cache

  180.     get_md5: yes

  181.   register: fd_config_hash

  182. 

  183. - name: Generate the Initial FusionDirectory configuration

  184.   template:

  185.     src: templates/fd-init-config.ldif.j2

  186.     dest: /etc/ldap/custom_ldifs/fd-init-config.ldif

  187.   notify:

  188.     - Initialize FusionDirectory Configuration

  189. 

  190. - name: Migrate FusionDirectory Object Classes

  191.   template:

  192.     src: templates/fd-migrate-object-classes.ldif.j2

  193.     dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif

  194.   notify:

  195.     - Migrate Object Classes

  196. 

  197. - name: Create an empty ldap.conf file

  198.   file:

  199.     path: /etc/ldap/ldap.conf

  200.     state: touch

  201.   notify:

  202.     - Generate FusionDirectory SuperUser and OUs

  203. 

  204. - name: Set FusionDirectory SuperUser Password

  205.   command: |

  206.     true

  207.   notify:

  208.     - Set SuperUser Password

  209.   no_log: True

  210. 

  211. - name: Migrate FusionDirectory Defaults ACLs

  212.   template:

  213.     src: templates/fd-migrate-default-acl.ldif.j2

  214.     dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif

  215.   notify:

  216.     - Migrate Default ACLs

  217. 

  218. - name: Fix Permissions for the FusionDirectory Configuration

  219.   template:

  220.     src: templates/fusiondirectory.conf.j2

  221.     dest: /etc/fusiondirectory/fusiondirectory.conf

  222.   notify:

  223.     - Fix FusionDirectory Configuration Permisions

  224. 

  225. - name: Apply FusionDirectory Service Accounts ACL

  226.   template:

  227.     src: templates/fd-service_accounts_acl.ldif.j2

  228.     dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif

  229.   notify:

  230.     - Apply Service Accounts ACL

  231. 

  232. 

  233. - name: Create a .well-known directory

  234.   file:

  235.     path: /var/www/html/.well-known

  236.     state: directory

  237.     owner: www-data

  238.     group: www-data

  239. 

  240. - name: Deploy the Apache VirtualHosts for FusionDirectory

  241.   template:

  242.     src: "templates/fd-vhost{{ item }}.j2"

  243.     dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"

  244.   with_items:

  245.     - ".conf"

  246.     - "-ssl.conf"

  247.   notify:

  248.     - Enable the Apache HTTP VirtualHost

  249.     - Disable the Default Apache VirtualHost

  250.     - Restart Apache