An Ansible Playbook to deploy OpenLDAP and FusionDirectory


  1. ---
  2. # This will deploy OpenLDAP and FusionDirectory on the mailserver
  3. - hosts: auth.example.com
  4. user: root
  5. vars_files:
  6. - vars/all.yml
  7. - vars/secrets.yml
  8. tasks:
  9. - name: Prepate /etc/hosts
  10. lineinfile:
  11. path: /etc/hosts
  12. insertafter: '^127.0.1.1 '
  13. line: "{{ item }}"
  14. with_items:
  15. - "127.0.2.1 mail.{{ domain }} mail"
  16. - "127.0.3.1 auth.{{ domain }} auth"
  17. - name: Setup OpenLDAP and Dependencies
  18. apt:
  19. name: "{{ item }}"
  20. state: present
  21. update_cache: yes
  22. with_items:
  23. - ldap-utils
  24. - gnutls-bin
  25. - ca-certificates
  26. - python-ldap
  27. - python3-ldap
  28. - name: debconf configuration for slapd
  29. debconf:
  30. name: slapd
  31. question: "{{ item.question }}"
  32. value: "{{ item.value }}"
  33. vtype: "{{ item.vtype }}"
  34. with_items:
  35. - { question: slapd/no_configuration, value: False, vtype: boolean }
  36. - { question: slapd/domain, value: "{{ domain }}", vtype: string }
  37. - { question: shared/organization, value: "{{ organization }}", vtype: string }
  38. - { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }
  39. - { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }
  40. - { question: slapd/backend, value: MDB, vtype: select }
  41. - { question: slapd/purge_database, value: False, vtype: boolean }
  42. - { question: slapd/move_old_database, value: True, vtype: boolean }
  43. no_log: True
  44. - name: install slapd
  45. apt:
  46. name: slapd
  47. state: present
  48. - name: Create the ROOT CA store
  49. file:
  50. path: /srv/CA
  51. state: directory
  52. - name: Generate the CA Certificate template
  53. template:
  54. src: templates/ca-cert.tmpl.j2
  55. dest: /srv/CA/ca-cert.tmpl
  56. - name: Generate the ROOT CA private key
  57. command: |
  58. certtool --generate-privkey \
  59. --outfile {{ domain }}-rootCA.key
  60. args:
  61. chdir: /srv/CA
  62. creates: "/srv/CA/{{ domain }}-rootCA.key"
  63. - name: Generate the ROOT CA Certificate
  64. command: |
  65. certtool --generate-self-signed \
  66. --template ca-cert.tmpl \
  67. --load-privkey {{ domain }}-rootCA.key \
  68. --outfile {{ domain }}-rootCA.crt
  69. args:
  70. chdir: /srv/CA
  71. creates: "/srv/CA/{{ domain }}-rootCA.crt"
  72. - name: Add our ROOT CA as trusted
  73. copy:
  74. remote_src: yes
  75. src: "/srv/CA/{{ domain }}-rootCA.crt"
  76. dest: /usr/local/share/ca-certificates/
  77. notify:
  78. - Update CA Certificates
  79. - name: Create the LDAP TLS store
  80. file:
  81. path: /etc/ldap/ssl
  82. owner: openldap
  83. group: openldap
  84. state: directory
  85. - name: Generate the LDAP Certificate template
  86. template:
  87. src: templates/ldap-cert.tmpl.j2
  88. dest: /srv/CA/ldap-cert.tmpl
  89. - name: Generate the LDAP private key
  90. command: |
  91. certtool --generate-privkey \
  92. --outfile {{ domain }}.key
  93. args:
  94. chdir: /etc/ldap/ssl
  95. creates: "/etc/ldap/ssl/{{ domain }}.key"
  96. - name: Generate the LDAP Certificate
  97. command: |
  98. certtool --generate-certificate \
  99. --template /srv/CA/ldap-cert.tmpl \
  100. --load-privkey {{ domain }}.key \
  101. --outfile {{ domain }}.crt \
  102. --load-ca-privkey /srv/CA/{{ domain }}-rootCA.key
  103. --load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt
  104. args:
  105. chdir: /etc/ldap/ssl
  106. creates: "/etc/ldap/ssl/{{ domain }}.crt"
  107. - name: Set the correct ownership on the LDAP cert/key pair
  108. file:
  109. path: "/etc/ldap/ssl/{{ item }}"
  110. owner: openldap
  111. group: openldap
  112. with_items:
  113. - "{{ domain }}.key"
  114. - "{{ domain }}.crt"
  115. - name: Create the custom_ldifs store
  116. file:
  117. path: /etc/ldap/custom_ldifs
  118. owner: openldap
  119. group: openldap
  120. state: directory
  121. - name: Create the olcSSL.ldif file (LDAP TLS Configuration)
  122. template:
  123. src: templates/olcSSL.ldif.j2
  124. dest: /etc/ldap/custom_ldifs/olcSSL.ldif
  125. owner: openldap
  126. group: openldap
  127. notify:
  128. - Apply olcSSL.ldif
  129. - Restart slapd
  130. - name: Add an apt key by id from a keyserver
  131. apt_key:
  132. keyserver: keys.gnupg.net
  133. id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF
  134. - name: Add the Fusiondirectory repo
  135. apt_repository:
  136. repo: "{{ item }}"
  137. state: present
  138. with_items:
  139. - 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'
  140. - 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'
  141. - name: Install FusionDirectory, dependencies and plugins
  142. apt:
  143. name: "{{ item }}"
  144. update_cache: yes
  145. state: present
  146. with_items:
  147. - apache2
  148. - libapache2-mod-php
  149. - php-ldap
  150. - php-intl
  151. - php-pear
  152. - php-mbstring
  153. - fusiondirectory
  154. - fusiondirectory-schema
  155. - fusiondirectory-plugin-ldapdump
  156. - fusiondirectory-plugin-ldapmanager
  157. - fusiondirectory-plugin-dsa
  158. - fusiondirectory-plugin-dsa-schema
  159. - fusiondirectory-plugin-systems
  160. - fusiondirectory-plugin-systems-schema
  161. notify:
  162. - Apply FusionDirectory Schema
  163. - Apply FusionDirectory Plugins Schema
  164. - name: Calculate FusionDirectory Configuration hash
  165. stat:
  166. path: /var/cache/fusiondirectory/class.cache
  167. get_md5: yes
  168. register: fd_config_hash
  169. - name: Generate the Initial FusionDirectory configuration
  170. template:
  171. src: templates/fd-init-config.ldif.j2
  172. dest: /etc/ldap/custom_ldifs/fd-init-config.ldif
  173. notify:
  174. - Initialize FusionDirectory Configuration
  175. - name: Migrate FusionDirectory Object Classes
  176. template:
  177. src: templates/fd-migrate-object-classes.ldif.j2
  178. dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif
  179. notify:
  180. - Migrate Object Classes
  181. - name: Create an empty ldap.conf file
  182. file:
  183. path: /etc/ldap/ldap.conf
  184. state: touch
  185. notify:
  186. - Generate FusionDirectory SuperUser and OUs
  187. - name: Set FusionDirectory SuperUser Password
  188. command: |
  189. true
  190. notify:
  191. - Set SuperUser Password
  192. no_log: True
  193. - name: Migrate FusionDirectory Defaults ACLs
  194. template:
  195. src: templates/fd-migrate-default-acl.ldif.j2
  196. dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif
  197. notify:
  198. - Migrate Default ACLs
  199. - name: Fix Permissions for the FusionDirectory Configuration
  200. template:
  201. src: templates/fusiondirectory.conf.j2
  202. dest: /etc/fusiondirectory/fusiondirectory.conf
  203. notify:
  204. - Fix FusionDirectory Configuration Permisions
  205. - name: Apply FusionDirectory Service Accounts ACL
  206. template:
  207. src: templates/fd-service_accounts_acl.ldif.j2
  208. dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif
  209. notify:
  210. - Apply Service Accounts ACL
  211. - name: Create a .well-known directory
  212. file:
  213. path: /var/www/html/.well-known
  214. state: directory
  215. owner: www-data
  216. group: www-data
  217. - name: Deploy the Apache VirtualHosts for FusionDirectory
  218. template:
  219. src: "templates/fd-vhost{{ item }}.j2"
  220. dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"
  221. with_items:
  222. - ".conf"
  223. - "-ssl.conf"
  224. notify:
  225. - Enable the Apache HTTP VirtualHost
  226. - Disable the Default Apache VirtualHost
  227. - Restart Apache
  228. handlers:
  229. - name: Update CA Certificates
  230. command: update-ca-certificates
  231. - name: Apply olcSSL.ldif
  232. command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif
  233. args:
  234. chdir: /etc/ldap/custom_ldifs
  235. - name: Restart slapd
  236. service:
  237. name: slapd
  238. state: restarted
  239. - name: Apply FusionDirectory Schema
  240. command: fusiondirectory-insert-schema
  241. - name: Apply FusionDirectory Plugins Schema
  242. command: |
  243. fusiondirectory-insert-schema \
  244. -i /etc/ldap/schema/fusiondirectory/{{ item }}.schema
  245. with_items:
  246. - dsa-fd-conf
  247. - service-fd
  248. - systems-fd-conf
  249. - systems-fd
  250. - name: Initialize FusionDirectory Configuration
  251. command: |
  252. ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif
  253. args:
  254. chdir: /etc/ldap/custom_ldifs
  255. no_log: True
  256. - name: Migrate Object Classes
  257. command: |
  258. ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif
  259. args:
  260. chdir: /etc/ldap/custom_ldifs
  261. no_log: True
  262. - name: Generate FusionDirectory SuperUser and OUs
  263. shell: |
  264. yes '{{ fd_admin }}' | \
  265. fusiondirectory-setup --yes --check-ldap
  266. - name: Set SuperUser Password
  267. command: |
  268. ldappasswd -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }}
  269. no_log: True
  270. - name: Migrate Default ACLs
  271. command: |
  272. ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif
  273. args:
  274. chdir: /etc/ldap/custom_ldifs
  275. no_log: True
  276. - name: Fix FusionDirectory Configuration Permisions
  277. command: fusiondirectory-setup --yes --check-config
  278. - name: Apply Service Accounts ACL
  279. command: |
  280. ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif
  281. args:
  282. chdir: /etc/ldap/custom_ldifs
  283. - name: Enable the Apache HTTP VirtualHost
  284. file:
  285. src: "/etc/apache2/sites-available/{{ domain }}.conf"
  286. dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"
  287. state: link
  288. - name: Disable the Default Apache VirtualHost
  289. file:
  290. path: /etc/apache2/sites-enabled/000-default.conf
  291. state: absent
  292. - name: Restart Apache
  293. service:
  294. name: apache2
  295. state: restarted