2 commits
Author | SHA1 | Date | |
---|---|---|---|
a9f8548378 | |||
Juan Manuel García del Moral | 5929ba8b80 |
24
README.md
24
README.md
|
@ -1,6 +1,6 @@
|
||||||
# Deploy OpenLDAP/FusionDirectory using Ansible
|
# Deploy OpenLDAP/FusionDirectory using Ansible
|
||||||
|
|
||||||
These playbooks will deploy an OpenLDAP/FusionDirectory server.
|
These Role will deploy an OpenLDAP/FusionDirectory server.
|
||||||
|
|
||||||
Components:
|
Components:
|
||||||
* OpenLDAP (slapd)
|
* OpenLDAP (slapd)
|
||||||
|
@ -16,7 +16,7 @@ Components:
|
||||||
|
|
||||||
## Clone the repository
|
## Clone the repository
|
||||||
|
|
||||||
Clone the reposiroty:
|
Clone the repository:
|
||||||
|
|
||||||
```
|
```
|
||||||
$ git clone https://git.theo-andreou.org/Personal/ansible-deploy-ldap-fusiondirectory.git
|
$ git clone https://git.theo-andreou.org/Personal/ansible-deploy-ldap-fusiondirectory.git
|
||||||
|
@ -49,7 +49,7 @@ timezone: Asia/Nicosia
|
||||||
* Create an encrypted *vars/secrets.yml* file:
|
* Create an encrypted *vars/secrets.yml* file:
|
||||||
|
|
||||||
```
|
```
|
||||||
$ ansible-vault create vars/secrets.yml
|
$ ansible-vault create vars/secrets.yml
|
||||||
```
|
```
|
||||||
|
|
||||||
Use a master password for the file above.
|
Use a master password for the file above.
|
||||||
|
@ -63,12 +63,28 @@ fd_admin: fdadmin
|
||||||
fd_admin_pass: MySecretFDCombination
|
fd_admin_pass: MySecretFDCombination
|
||||||
```
|
```
|
||||||
|
|
||||||
|
* Create a playbook to call this role (fusiondirectory.yml):
|
||||||
|
```
|
||||||
|
- hosts: all
|
||||||
|
become: yes
|
||||||
|
gather_facts: false
|
||||||
|
vars:
|
||||||
|
- ansible_user: "ubuntu"
|
||||||
|
pre_tasks:
|
||||||
|
- name: install python 2
|
||||||
|
raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
|
||||||
|
changed_when: False
|
||||||
|
roles:
|
||||||
|
- ansible-deploy-ldap-fusiondirectory
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
## Deploy LDAP and FusionDirectory
|
## Deploy LDAP and FusionDirectory
|
||||||
|
|
||||||
When done with the configuration run this command (provide your master password):
|
When done with the configuration run this command (provide your master password):
|
||||||
|
|
||||||
```
|
```
|
||||||
$ ansible-playbook --vault-id @prompt deploy_fusiondirectory.yml
|
$ ansible-playbook --vault-id @prompt fusiondirectory.yml
|
||||||
```
|
```
|
||||||
|
|
||||||
When done visit http://auth.example.org to login for the first time. I suggest you enable HTTPS before doing that.
|
When done visit http://auth.example.org to login for the first time. I suggest you enable HTTPS before doing that.
|
||||||
|
|
|
@ -1,343 +0,0 @@
|
||||||
---
|
|
||||||
# This will deploy OpenLDAP and FusionDirectory on the mailserver
|
|
||||||
- hosts: auth.example.com
|
|
||||||
user: root
|
|
||||||
|
|
||||||
vars_files:
|
|
||||||
- vars/all.yml
|
|
||||||
- vars/secrets.yml
|
|
||||||
|
|
||||||
tasks:
|
|
||||||
|
|
||||||
- name: Prepate /etc/hosts
|
|
||||||
lineinfile:
|
|
||||||
path: /etc/hosts
|
|
||||||
insertafter: '^127.0.1.1 '
|
|
||||||
line: "{{ item }}"
|
|
||||||
with_items:
|
|
||||||
- "127.0.2.1 mail.{{ domain }} mail"
|
|
||||||
- "127.0.3.1 auth.{{ domain }} auth"
|
|
||||||
|
|
||||||
- name: Setup OpenLDAP and Dependencies
|
|
||||||
apt:
|
|
||||||
name: "{{ item }}"
|
|
||||||
state: present
|
|
||||||
update_cache: yes
|
|
||||||
with_items:
|
|
||||||
- ldap-utils
|
|
||||||
- gnutls-bin
|
|
||||||
- ca-certificates
|
|
||||||
- python-ldap
|
|
||||||
- python3-ldap
|
|
||||||
|
|
||||||
- name: debconf configuration for slapd
|
|
||||||
debconf:
|
|
||||||
name: slapd
|
|
||||||
question: "{{ item.question }}"
|
|
||||||
value: "{{ item.value }}"
|
|
||||||
vtype: "{{ item.vtype }}"
|
|
||||||
with_items:
|
|
||||||
- { question: slapd/no_configuration, value: False, vtype: boolean }
|
|
||||||
- { question: slapd/domain, value: "{{ domain }}", vtype: string }
|
|
||||||
- { question: shared/organization, value: "{{ organization }}", vtype: string }
|
|
||||||
- { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }
|
|
||||||
- { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }
|
|
||||||
- { question: slapd/backend, value: MDB, vtype: select }
|
|
||||||
- { question: slapd/purge_database, value: False, vtype: boolean }
|
|
||||||
- { question: slapd/move_old_database, value: True, vtype: boolean }
|
|
||||||
no_log: True
|
|
||||||
|
|
||||||
- name: install slapd
|
|
||||||
apt:
|
|
||||||
name: slapd
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Create the ROOT CA store
|
|
||||||
file:
|
|
||||||
path: /srv/CA
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Generate the CA Certificate template
|
|
||||||
template:
|
|
||||||
src: templates/ca-cert.tmpl.j2
|
|
||||||
dest: /srv/CA/ca-cert.tmpl
|
|
||||||
|
|
||||||
- name: Generate the ROOT CA private key
|
|
||||||
command: |
|
|
||||||
certtool --generate-privkey \
|
|
||||||
--outfile {{ domain }}-rootCA.key
|
|
||||||
args:
|
|
||||||
chdir: /srv/CA
|
|
||||||
creates: "/srv/CA/{{ domain }}-rootCA.key"
|
|
||||||
|
|
||||||
- name: Generate the ROOT CA Certificate
|
|
||||||
command: |
|
|
||||||
certtool --generate-self-signed \
|
|
||||||
--template ca-cert.tmpl \
|
|
||||||
--load-privkey {{ domain }}-rootCA.key \
|
|
||||||
--outfile {{ domain }}-rootCA.crt
|
|
||||||
args:
|
|
||||||
chdir: /srv/CA
|
|
||||||
creates: "/srv/CA/{{ domain }}-rootCA.crt"
|
|
||||||
|
|
||||||
- name: Add our ROOT CA as trusted
|
|
||||||
copy:
|
|
||||||
remote_src: yes
|
|
||||||
src: "/srv/CA/{{ domain }}-rootCA.crt"
|
|
||||||
dest: /usr/local/share/ca-certificates/
|
|
||||||
notify:
|
|
||||||
- Update CA Certificates
|
|
||||||
|
|
||||||
- name: Create the LDAP TLS store
|
|
||||||
file:
|
|
||||||
path: /etc/ldap/ssl
|
|
||||||
owner: openldap
|
|
||||||
group: openldap
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Generate the LDAP Certificate template
|
|
||||||
template:
|
|
||||||
src: templates/ldap-cert.tmpl.j2
|
|
||||||
dest: /srv/CA/ldap-cert.tmpl
|
|
||||||
|
|
||||||
- name: Generate the LDAP private key
|
|
||||||
command: |
|
|
||||||
certtool --generate-privkey \
|
|
||||||
--outfile {{ domain }}.key
|
|
||||||
args:
|
|
||||||
chdir: /etc/ldap/ssl
|
|
||||||
creates: "/etc/ldap/ssl/{{ domain }}.key"
|
|
||||||
|
|
||||||
- name: Generate the LDAP Certificate
|
|
||||||
command: |
|
|
||||||
certtool --generate-certificate \
|
|
||||||
--template /srv/CA/ldap-cert.tmpl \
|
|
||||||
--load-privkey {{ domain }}.key \
|
|
||||||
--outfile {{ domain }}.crt \
|
|
||||||
--load-ca-privkey /srv/CA/{{ domain }}-rootCA.key
|
|
||||||
--load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt
|
|
||||||
args:
|
|
||||||
chdir: /etc/ldap/ssl
|
|
||||||
creates: "/etc/ldap/ssl/{{ domain }}.crt"
|
|
||||||
|
|
||||||
- name: Set the correct ownership on the LDAP cert/key pair
|
|
||||||
file:
|
|
||||||
path: "/etc/ldap/ssl/{{ item }}"
|
|
||||||
owner: openldap
|
|
||||||
group: openldap
|
|
||||||
with_items:
|
|
||||||
- "{{ domain }}.key"
|
|
||||||
- "{{ domain }}.crt"
|
|
||||||
|
|
||||||
- name: Create the custom_ldifs store
|
|
||||||
file:
|
|
||||||
path: /etc/ldap/custom_ldifs
|
|
||||||
owner: openldap
|
|
||||||
group: openldap
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Create the olcSSL.ldif file (LDAP TLS Configuration)
|
|
||||||
template:
|
|
||||||
src: templates/olcSSL.ldif.j2
|
|
||||||
dest: /etc/ldap/custom_ldifs/olcSSL.ldif
|
|
||||||
owner: openldap
|
|
||||||
group: openldap
|
|
||||||
notify:
|
|
||||||
- Apply olcSSL.ldif
|
|
||||||
- Restart slapd
|
|
||||||
|
|
||||||
- name: Add an apt key by id from a keyserver
|
|
||||||
apt_key:
|
|
||||||
keyserver: keys.gnupg.net
|
|
||||||
id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF
|
|
||||||
|
|
||||||
- name: Add the Fusiondirectory repo
|
|
||||||
apt_repository:
|
|
||||||
repo: "{{ item }}"
|
|
||||||
state: present
|
|
||||||
with_items:
|
|
||||||
- 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'
|
|
||||||
- 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'
|
|
||||||
|
|
||||||
- name: Install FusionDirectory, dependencies and plugins
|
|
||||||
apt:
|
|
||||||
name: "{{ item }}"
|
|
||||||
update_cache: yes
|
|
||||||
state: present
|
|
||||||
with_items:
|
|
||||||
- apache2
|
|
||||||
- libapache2-mod-php
|
|
||||||
- php-ldap
|
|
||||||
- php-intl
|
|
||||||
- php-pear
|
|
||||||
- php-mbstring
|
|
||||||
- fusiondirectory
|
|
||||||
- fusiondirectory-schema
|
|
||||||
- fusiondirectory-plugin-ldapdump
|
|
||||||
- fusiondirectory-plugin-ldapmanager
|
|
||||||
- fusiondirectory-plugin-dsa
|
|
||||||
- fusiondirectory-plugin-dsa-schema
|
|
||||||
- fusiondirectory-plugin-systems
|
|
||||||
- fusiondirectory-plugin-systems-schema
|
|
||||||
notify:
|
|
||||||
- Apply FusionDirectory Schema
|
|
||||||
- Apply FusionDirectory Plugins Schema
|
|
||||||
|
|
||||||
- name: Calculate FusionDirectory Configuration hash
|
|
||||||
stat:
|
|
||||||
path: /var/cache/fusiondirectory/class.cache
|
|
||||||
get_md5: yes
|
|
||||||
register: fd_config_hash
|
|
||||||
|
|
||||||
- name: Generate the Initial FusionDirectory configuration
|
|
||||||
template:
|
|
||||||
src: templates/fd-init-config.ldif.j2
|
|
||||||
dest: /etc/ldap/custom_ldifs/fd-init-config.ldif
|
|
||||||
notify:
|
|
||||||
- Initialize FusionDirectory Configuration
|
|
||||||
|
|
||||||
- name: Migrate FusionDirectory Object Classes
|
|
||||||
template:
|
|
||||||
src: templates/fd-migrate-object-classes.ldif.j2
|
|
||||||
dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif
|
|
||||||
notify:
|
|
||||||
- Migrate Object Classes
|
|
||||||
|
|
||||||
- name: Create an empty ldap.conf file
|
|
||||||
file:
|
|
||||||
path: /etc/ldap/ldap.conf
|
|
||||||
state: touch
|
|
||||||
notify:
|
|
||||||
- Generate FusionDirectory SuperUser and OUs
|
|
||||||
|
|
||||||
- name: Set FusionDirectory SuperUser Password
|
|
||||||
command: |
|
|
||||||
true
|
|
||||||
notify:
|
|
||||||
- Set SuperUser Password
|
|
||||||
no_log: True
|
|
||||||
|
|
||||||
- name: Migrate FusionDirectory Defaults ACLs
|
|
||||||
template:
|
|
||||||
src: templates/fd-migrate-default-acl.ldif.j2
|
|
||||||
dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif
|
|
||||||
notify:
|
|
||||||
- Migrate Default ACLs
|
|
||||||
|
|
||||||
- name: Fix Permissions for the FusionDirectory Configuration
|
|
||||||
template:
|
|
||||||
src: templates/fusiondirectory.conf.j2
|
|
||||||
dest: /etc/fusiondirectory/fusiondirectory.conf
|
|
||||||
notify:
|
|
||||||
- Fix FusionDirectory Configuration Permisions
|
|
||||||
|
|
||||||
- name: Apply FusionDirectory Service Accounts ACL
|
|
||||||
template:
|
|
||||||
src: templates/fd-service_accounts_acl.ldif.j2
|
|
||||||
dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif
|
|
||||||
notify:
|
|
||||||
- Apply Service Accounts ACL
|
|
||||||
|
|
||||||
|
|
||||||
- name: Create a .well-known directory
|
|
||||||
file:
|
|
||||||
path: /var/www/html/.well-known
|
|
||||||
state: directory
|
|
||||||
owner: www-data
|
|
||||||
group: www-data
|
|
||||||
|
|
||||||
- name: Deploy the Apache VirtualHosts for FusionDirectory
|
|
||||||
template:
|
|
||||||
src: "templates/fd-vhost{{ item }}.j2"
|
|
||||||
dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"
|
|
||||||
with_items:
|
|
||||||
- ".conf"
|
|
||||||
- "-ssl.conf"
|
|
||||||
notify:
|
|
||||||
- Enable the Apache HTTP VirtualHost
|
|
||||||
- Disable the Default Apache VirtualHost
|
|
||||||
- Restart Apache
|
|
||||||
|
|
||||||
handlers:
|
|
||||||
|
|
||||||
- name: Update CA Certificates
|
|
||||||
command: update-ca-certificates
|
|
||||||
|
|
||||||
- name: Apply olcSSL.ldif
|
|
||||||
command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
|
|
||||||
args:
|
|
||||||
chdir: /etc/ldap/custom_ldifs
|
|
||||||
|
|
||||||
- name: Restart slapd
|
|
||||||
service:
|
|
||||||
name: slapd
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
- name: Apply FusionDirectory Schema
|
|
||||||
command: fusiondirectory-insert-schema
|
|
||||||
|
|
||||||
- name: Apply FusionDirectory Plugins Schema
|
|
||||||
command: |
|
|
||||||
fusiondirectory-insert-schema \
|
|
||||||
-i /etc/ldap/schema/fusiondirectory/{{ item }}.schema
|
|
||||||
with_items:
|
|
||||||
- dsa-fd-conf
|
|
||||||
- service-fd
|
|
||||||
- systems-fd-conf
|
|
||||||
- systems-fd
|
|
||||||
|
|
||||||
- name: Initialize FusionDirectory Configuration
|
|
||||||
command: |
|
|
||||||
ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif
|
|
||||||
args:
|
|
||||||
chdir: /etc/ldap/custom_ldifs
|
|
||||||
no_log: True
|
|
||||||
|
|
||||||
- name: Migrate Object Classes
|
|
||||||
command: |
|
|
||||||
ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif
|
|
||||||
args:
|
|
||||||
chdir: /etc/ldap/custom_ldifs
|
|
||||||
no_log: True
|
|
||||||
|
|
||||||
- name: Generate FusionDirectory SuperUser and OUs
|
|
||||||
shell: |
|
|
||||||
yes '{{ fd_admin }}' | \
|
|
||||||
fusiondirectory-setup --yes --check-ldap
|
|
||||||
|
|
||||||
- name: Set SuperUser Password
|
|
||||||
command: |
|
|
||||||
ldappasswd -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }}
|
|
||||||
no_log: True
|
|
||||||
|
|
||||||
- name: Migrate Default ACLs
|
|
||||||
command: |
|
|
||||||
ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif
|
|
||||||
args:
|
|
||||||
chdir: /etc/ldap/custom_ldifs
|
|
||||||
no_log: True
|
|
||||||
|
|
||||||
- name: Fix FusionDirectory Configuration Permisions
|
|
||||||
command: fusiondirectory-setup --yes --check-config
|
|
||||||
|
|
||||||
- name: Apply Service Accounts ACL
|
|
||||||
command: |
|
|
||||||
ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif
|
|
||||||
args:
|
|
||||||
chdir: /etc/ldap/custom_ldifs
|
|
||||||
|
|
||||||
- name: Enable the Apache HTTP VirtualHost
|
|
||||||
file:
|
|
||||||
src: "/etc/apache2/sites-available/{{ domain }}.conf"
|
|
||||||
dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"
|
|
||||||
state: link
|
|
||||||
|
|
||||||
- name: Disable the Default Apache VirtualHost
|
|
||||||
file:
|
|
||||||
path: /etc/apache2/sites-enabled/000-default.conf
|
|
||||||
state: absent
|
|
||||||
|
|
||||||
- name: Restart Apache
|
|
||||||
service:
|
|
||||||
name: apache2
|
|
||||||
state: restarted
|
|
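--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,82 @@
+---
+- name: Update CA Certificates
+command: update-ca-certificates
+
+- name: Apply olcSSL.ldif
+command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
+args:
+chdir: /etc/ldap/custom_ldifs
+
+- name: Restart slapd
+service:
+name: slapd
+state: restarted
+
+- name: Apply FusionDirectory Schema
+command: fusiondirectory-insert-schema
+
+- name: Apply FusionDirectory Plugins Schema
+command: |
+fusiondirectory-insert-schema \
+-i /etc/ldap/schema/fusiondirectory/{{ item }}.schema
+with_items:
+- dsa-fd-conf
+- service-fd
+- systems-fd-conf
+- systems-fd
+
+- name: Initialize FusionDirectory Configuration
+command: |
+ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif
+args:
+chdir: /etc/ldap/custom_ldifs
+no_log: True
+
+- name: Migrate Object Classes
+command: |
+ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif
+args:
+chdir: /etc/ldap/custom_ldifs
+no_log: True
+
+- name: Generate FusionDirectory SuperUser and OUs
+shell: |
+yes '{{ fd_admin }}' | \
+fusiondirectory-setup --yes --check-ldap
+
+- name: Set SuperUser Password
+command: |
+ldappasswd -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }}
+no_log: True
+
+- name: Migrate Default ACLs
+command: |
+ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif
+args:
+chdir: /etc/ldap/custom_ldifs
+no_log: True
+
+- name: Fix FusionDirectory Configuration Permisions
+command: fusiondirectory-setup --yes --check-config
+
+- name: Apply Service Accounts ACL
+command: |
+ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif
+args:
+chdir: /etc/ldap/custom_ldifs
+
+- name: Enable the Apache HTTP VirtualHost
+file:
+src: "/etc/apache2/sites-available/{{ domain }}.conf"
+dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"
+state: link
+
+- name: Disable the Default Apache VirtualHost
+file:
+path: /etc/apache2/sites-enabled/000-default.conf
+state: absent
+
+- name: Restart Apache
+service:
+name: apache2
+state: restarted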
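--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,250 @@
+---
+# This will deploy OpenLDAP and FusionDirectory on the mailserver
+- name: Prepate /etc/hosts
+lineinfile:
+path: /etc/hosts
+insertafter: '^127.0.1.1 '
+line: "{{ item }}"
+with_items:
+- "127.0.2.1 mail.{{ domain }} mail"
+- "127.0.3.1 auth.{{ domain }} auth"
+
+- name: Setup OpenLDAP and Dependencies
+apt:
+name: "{{ item }}"
+state: present
+update_cache: yes
+with_items:
+- ldap-utils
+- gnutls-bin
+- ca-certificates
+- python-ldap
+- python3-ldap
+
+- name: debconf configuration for slapd
+debconf:
+name: slapd
+question: "{{ item.question }}"
+value: "{{ item.value }}"
+vtype: "{{ item.vtype }}"
+with_items:
+- { question: slapd/no_configuration, value: False, vtype: boolean }
+- { question: slapd/domain, value: "{{ domain }}", vtype: string }
+- { question: shared/organization, value: "{{ organization }}", vtype: string }
+- { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }
+- { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }
+- { question: slapd/backend, value: MDB, vtype: select }
+- { question: slapd/purge_database, value: False, vtype: boolean }
+- { question: slapd/move_old_database, value: True, vtype: boolean }
+no_log: True
+
+- name: install slapd
+apt:
+name: slapd
+state: present
+
+- name: Create the ROOT CA store
+file:
+path: /srv/CA
+state: directory
+
+- name: Generate the CA Certificate template
+template:
+src: templates/ca-cert.tmpl.j2
+dest: /srv/CA/ca-cert.tmpl
+
+- name: Generate the ROOT CA private key
+command: |
+certtool --generate-privkey \
+--outfile {{ domain }}-rootCA.key
+args:
+chdir: /srv/CA
+creates: "/srv/CA/{{ domain }}-rootCA.key"
+
+- name: Generate the ROOT CA Certificate
+command: |
+certtool --generate-self-signed \
+--template ca-cert.tmpl \
+--load-privkey {{ domain }}-rootCA.key \
+--outfile {{ domain }}-rootCA.crt
+args:
+chdir: /srv/CA
+creates: "/srv/CA/{{ domain }}-rootCA.crt"
+
+- name: Add our ROOT CA as trusted
+copy:
+remote_src: yes
+src: "/srv/CA/{{ domain }}-rootCA.crt"
+dest: /usr/local/share/ca-certificates/
+notify:
+- Update CA Certificates
+
+- name: Create the LDAP TLS store
+file:
+path: /etc/ldap/ssl
+owner: openldap
+group: openldap
+state: directory
+
+- name: Generate the LDAP Certificate template
+template:
+src: templates/ldap-cert.tmpl.j2
+dest: /srv/CA/ldap-cert.tmpl
+
+- name: Generate the LDAP private key
+command: |
+certtool --generate-privkey \
+--outfile {{ domain }}.key
+args:
+chdir: /etc/ldap/ssl
+creates: "/etc/ldap/ssl/{{ domain }}.key"
+
+- name: Generate the LDAP Certificate
+command: |
+certtool --generate-certificate \
+--template /srv/CA/ldap-cert.tmpl \
+--load-privkey {{ domain }}.key \
+--outfile {{ domain }}.crt \
+--load-ca-privkey /srv/CA/{{ domain }}-rootCA.key
+--load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt
+args:
+chdir: /etc/ldap/ssl
+creates: "/etc/ldap/ssl/{{ domain }}.crt"
+
+- name: Set the correct ownership on the LDAP cert/key pair
+file:
+path: "/etc/ldap/ssl/{{ item }}"
+owner: openldap
+group: openldap
+with_items:
+- "{{ domain }}.key"
+- "{{ domain }}.crt"
+
+- name: Create the custom_ldifs store
+file:
+path: /etc/ldap/custom_ldifs
+owner: openldap
+group: openldap
+state: directory
+
+- name: Create the olcSSL.ldif file (LDAP TLS Configuration)
+template:
+src: templates/olcSSL.ldif.j2
+dest: /etc/ldap/custom_ldifs/olcSSL.ldif
+owner: openldap
+group: openldap
+notify:
+- Apply olcSSL.ldif
+- Restart slapd
+
+- name: Add an apt key by id from a keyserver
+apt_key:
+keyserver: keys.gnupg.net
+id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF
+
+- name: Add the Fusiondirectory repo
+apt_repository:
+repo: "{{ item }}"
+state: present
+with_items:
+- 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'
+- 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'
+
+- name: Install FusionDirectory, dependencies and plugins
+apt:
+name: "{{ item }}"
+update_cache: yes
+state: present
+with_items:
+- apache2
+- libapache2-mod-php
+- php-ldap
+- php-intl
+- php-pear
+- php-mbstring
+- fusiondirectory
+- fusiondirectory-schema
+- fusiondirectory-plugin-ldapdump
+- fusiondirectory-plugin-ldapmanager
+- fusiondirectory-plugin-dsa
+- fusiondirectory-plugin-dsa-schema
+- fusiondirectory-plugin-systems
+- fusiondirectory-plugin-systems-schema
+notify:
+- Apply FusionDirectory Schema
+- Apply FusionDirectory Plugins Schema
+
+- name: Calculate FusionDirectory Configuration hash
+stat:
+path: /var/cache/fusiondirectory/class.cache
+get_md5: yes
+register: fd_config_hash
+
+- name: Generate the Initial FusionDirectory configuration
+template:
+src: templates/fd-init-config.ldif.j2
+dest: /etc/ldap/custom_ldifs/fd-init-config.ldif
+notify:
+- Initialize FusionDirectory Configuration
+
+- name: Migrate FusionDirectory Object Classes
+template:
+src: templates/fd-migrate-object-classes.ldif.j2
+dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif
+notify:
+- Migrate Object Classes
+
+- name: Create an empty ldap.conf file
+file:
+path: /etc/ldap/ldap.conf
+state: touch
+notify:
+- Generate FusionDirectory SuperUser and OUs
+
+- name: Set FusionDirectory SuperUser Password
+command: |
+true
+notify:
+- Set SuperUser Password
+no_log: True
+
+- name: Migrate FusionDirectory Defaults ACLs
+template:
+src: templates/fd-migrate-default-acl.ldif.j2
+dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif
+notify:
+- Migrate Default ACLs
+
+- name: Fix Permissions for the FusionDirectory Configuration
+template:
+src: templates/fusiondirectory.conf.j2
+dest: /etc/fusiondirectory/fusiondirectory.conf
+notify:
+- Fix FusionDirectory Configuration Permisions
+
+- name: Apply FusionDirectory Service Accounts ACL
+template:
+src: templates/fd-service_accounts_acl.ldif.j2
+dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif
+notify:
+- Apply Service Accounts ACL
+
+
+- name: Create a .well-known directory
+file:
+path: /var/www/html/.well-known
+state: directory
+owner: www-data
+group: www-data
+
+- name: Deploy the Apache VirtualHosts for FusionDirectory
+template:
+src: "templates/fd-vhost{{ item }}.j2"
+dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"
+with_items:
+- ".conf"
+- "-ssl.conf"
+notify:
+- Enable the Apache HTTP VirtualHost
+- Disable the Default Apache VirtualHost
+- Restart Apache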