jmgarcialdemoral
/
ansible-deploy-ldap-fusiondirectory
bifurqué depuis Personal/ansible-deploy-ldap-fusiondirectory
1
0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
An Ansible Playbook to deploy OpenLDAP and FusionDirectory
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
1 Commit
2 Branches
112KB
Branche: master
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de 'master'
${ noResults }
ansible-deploy-ldap-fusiond.../deploy-ldap-fusiondirectory...

344 lignes
9.4KB
Brut Lien permanent Annotations Historique 

  1. ---

  2. # This will deploy OpenLDAP and FusionDirectory on the mailserver

  3. - hosts: auth.example.com

  4.   user: root

  5. 

  6.   vars_files:

  7.   - vars/all.yml

  8.   - vars/secrets.yml

  9. 

  10.   tasks:

  11. 

  12.   - name: Prepate /etc/hosts

  13.     lineinfile: 

  14.       path: /etc/hosts

  15.       insertafter: '^127.0.1.1 '

  16.       line: "{{ item }}"

  17.     with_items:

  18.       - "127.0.2.1   mail.{{ domain }} mail"

  19.       - "127.0.3.1   auth.{{ domain }} auth"

  20. 

  21.   - name: Setup OpenLDAP and Dependencies

  22.     apt:

  23.       name: "{{ item }}"

  24.       state: present

  25.       update_cache: yes

  26.     with_items:

  27.       - ldap-utils

  28.       - gnutls-bin

  29.       - ca-certificates

  30.       - python-ldap

  31.       - python3-ldap

  32. 

  33.   - name: debconf configuration for slapd

  34.     debconf:

  35.       name: slapd

  36.       question: "{{ item.question }}"

  37.       value: "{{ item.value }}"

  38.       vtype: "{{ item.vtype }}"

  39.     with_items:

  40.       - { question: slapd/no_configuration, value: False, vtype: boolean }

  41.       - { question: slapd/domain, value: "{{ domain }}", vtype: string }

  42.       - { question: shared/organization, value: "{{ organization }}", vtype: string }

  43.       - { question: slapd/password1, value: "{{ ldap_admin_pass }}", vtype: password }

  44.       - { question: slapd/password2, value: "{{ ldap_admin_pass }}", vtype: password }

  45.       - { question: slapd/backend, value: MDB, vtype: select }

  46.       - { question: slapd/purge_database, value: False, vtype: boolean }

  47.       - { question: slapd/move_old_database, value: True, vtype: boolean }

  48.     no_log: True

  49. 

  50.   - name: install slapd

  51.     apt:

  52.       name: slapd

  53.       state: present

  54. 

  55.   - name: Create the ROOT CA store

  56.     file:

  57.       path: /srv/CA

  58.       state: directory

  59. 

  60.   - name: Generate the CA Certificate template

  61.     template:

  62.       src: templates/ca-cert.tmpl.j2

  63.       dest: /srv/CA/ca-cert.tmpl

  64. 

  65.   - name: Generate the ROOT CA private key

  66.     command: |

  67.       certtool --generate-privkey \

  68.       --outfile {{ domain }}-rootCA.key

  69.     args:

  70.       chdir: /srv/CA

  71.       creates: "/srv/CA/{{ domain }}-rootCA.key"

  72. 

  73.   - name: Generate the ROOT CA Certificate

  74.     command: |

  75.       certtool --generate-self-signed \

  76.       --template ca-cert.tmpl \

  77.       --load-privkey {{ domain }}-rootCA.key \

  78.       --outfile {{ domain }}-rootCA.crt

  79.     args:

  80.       chdir: /srv/CA

  81.       creates: "/srv/CA/{{ domain }}-rootCA.crt"

  82. 

  83.   - name: Add our ROOT CA as trusted

  84.     copy:

  85.       remote_src: yes

  86.       src: "/srv/CA/{{ domain }}-rootCA.crt"

  87.       dest: /usr/local/share/ca-certificates/

  88.     notify:

  89.       - Update CA Certificates

  90. 

  91.   - name: Create the LDAP TLS store

  92.     file:

  93.       path: /etc/ldap/ssl

  94.       owner: openldap

  95.       group: openldap

  96.       state: directory

  97. 

  98.   - name: Generate the LDAP Certificate template

  99.     template:

  100.       src: templates/ldap-cert.tmpl.j2

  101.       dest: /srv/CA/ldap-cert.tmpl

  102. 

  103.   - name: Generate the LDAP private key

  104.     command: |

  105.       certtool --generate-privkey \

  106.       --outfile {{ domain }}.key

  107.     args:

  108.       chdir: /etc/ldap/ssl

  109.       creates: "/etc/ldap/ssl/{{ domain }}.key"

  110. 

  111.   - name: Generate the LDAP Certificate

  112.     command: |

  113.       certtool --generate-certificate \

  114.       --template /srv/CA/ldap-cert.tmpl \

  115.       --load-privkey {{ domain }}.key \

  116.       --outfile {{ domain }}.crt \

  117.       --load-ca-privkey /srv/CA/{{ domain }}-rootCA.key

  118.       --load-ca-certificate /srv/CA/{{ domain }}-rootCA.crt

  119.     args:

  120.       chdir: /etc/ldap/ssl

  121.       creates: "/etc/ldap/ssl/{{ domain }}.crt"

  122. 

  123.   - name: Set the correct ownership on the LDAP cert/key pair

  124.     file:

  125.       path: "/etc/ldap/ssl/{{ item }}"

  126.       owner: openldap

  127.       group: openldap

  128.     with_items:

  129.       - "{{ domain }}.key"

  130.       - "{{ domain }}.crt"

  131. 

  132.   - name: Create the custom_ldifs store

  133.     file:

  134.       path: /etc/ldap/custom_ldifs

  135.       owner: openldap

  136.       group: openldap

  137.       state: directory

  138. 

  139.   - name: Create the olcSSL.ldif file (LDAP TLS Configuration)

  140.     template:

  141.       src: templates/olcSSL.ldif.j2

  142.       dest: /etc/ldap/custom_ldifs/olcSSL.ldif

  143.       owner: openldap

  144.       group: openldap

  145.     notify:

  146.       - Apply olcSSL.ldif

  147.       - Restart slapd

  148. 

  149.   - name: Add an apt key by id from a keyserver

  150.     apt_key:

  151.       keyserver: keys.gnupg.net

  152.       id: A94DE63F2EDB5F0DC0785EBBD744D55EACDA69FF

  153. 

  154.   - name: Add the Fusiondirectory repo

  155.     apt_repository:

  156.       repo: "{{ item }}"

  157.       state: present

  158.     with_items:

  159.       - 'deb http://repos.fusiondirectory.org/fusiondirectory-current/debian-jessie jessie main'

  160.       - 'deb http://repos.fusiondirectory.org/fusiondirectory-extra/debian-jessie jessie main'

  161. 

  162.   - name: Install FusionDirectory, dependencies and plugins

  163.     apt: 

  164.       name: "{{ item }}"

  165.       update_cache: yes

  166.       state: present

  167.     with_items:

  168.       - apache2

  169.       - libapache2-mod-php

  170.       - php-ldap

  171.       - php-intl

  172.       - php-pear

  173.       - php-mbstring

  174.       - fusiondirectory

  175.       - fusiondirectory-schema

  176.       - fusiondirectory-plugin-ldapdump

  177.       - fusiondirectory-plugin-ldapmanager

  178.       - fusiondirectory-plugin-dsa

  179.       - fusiondirectory-plugin-dsa-schema

  180.       - fusiondirectory-plugin-systems

  181.       - fusiondirectory-plugin-systems-schema

  182.     notify:

  183.       - Apply FusionDirectory Schema

  184.       - Apply FusionDirectory Plugins Schema

  185. 

  186.   - name: Calculate FusionDirectory Configuration hash

  187.     stat:

  188.       path: /var/cache/fusiondirectory/class.cache

  189.       get_md5: yes

  190.     register: fd_config_hash

  191. 

  192.   - name: Generate the Initial FusionDirectory configuration

  193.     template:

  194.       src: templates/fd-init-config.ldif.j2

  195.       dest: /etc/ldap/custom_ldifs/fd-init-config.ldif

  196.     notify: 

  197.       - Initialize FusionDirectory Configuration

  198. 

  199.   - name: Migrate FusionDirectory Object Classes

  200.     template:

  201.       src: templates/fd-migrate-object-classes.ldif.j2

  202.       dest: /etc/ldap/custom_ldifs/fd-migrate-object-classes.ldif

  203.     notify: 

  204.       - Migrate Object Classes

  205. 

  206.   - name: Create an empty ldap.conf file

  207.     file:

  208.       path: /etc/ldap/ldap.conf

  209.       state: touch

  210.     notify:

  211.       - Generate FusionDirectory SuperUser and OUs 

  212. 

  213.   - name: Set FusionDirectory SuperUser Password

  214.     command: |

  215.       true

  216.     notify: 

  217.       - Set SuperUser Password

  218.     no_log: True

  219. 

  220.   - name: Migrate FusionDirectory Defaults ACLs

  221.     template:

  222.       src: templates/fd-migrate-default-acl.ldif.j2

  223.       dest: /etc/ldap/custom_ldifs/fd-migrate-default-acl.ldif

  224.     notify:

  225.       - Migrate Default ACLs

  226. 

  227.   - name: Fix Permissions for the FusionDirectory Configuration

  228.     template:

  229.       src: templates/fusiondirectory.conf.j2

  230.       dest: /etc/fusiondirectory/fusiondirectory.conf

  231.     notify:

  232.       - Fix FusionDirectory Configuration Permisions

  233. 

  234.   - name: Apply FusionDirectory Service Accounts ACL

  235.     template:

  236.       src: templates/fd-service_accounts_acl.ldif.j2

  237.       dest: /etc/ldap/custom_ldifs/fd-service_accounts_acl.ldif

  238.     notify:

  239.       - Apply Service Accounts ACL

  240. 

  241. 

  242.   - name: Create a .well-known directory

  243.     file:

  244.       path: /var/www/html/.well-known

  245.       state: directory

  246.       owner: www-data

  247.       group: www-data

  248. 

  249.   - name: Deploy the Apache VirtualHosts for FusionDirectory

  250.     template: 

  251.       src: "templates/fd-vhost{{ item }}.j2"

  252.       dest: "/etc/apache2/sites-available/{{domain}}{{ item }}"

  253.     with_items:

  254.       - ".conf"

  255.       - "-ssl.conf"

  256.     notify:

  257.       - Enable the Apache HTTP VirtualHost

  258.       - Disable the Default Apache VirtualHost

  259.       - Restart Apache

  260. 

  261.   handlers:

  262. 

  263.   - name: Update CA Certificates

  264.     command: update-ca-certificates

  265. 

  266.   - name: Apply olcSSL.ldif

  267.     command: ldapmodify -Y EXTERNAL -H ldapi:/// -f olcSSL.ldif

  268.     args:

  269.       chdir: /etc/ldap/custom_ldifs

  270. 

  271.   - name: Restart slapd

  272.     service:

  273.       name: slapd

  274.       state: restarted

  275. 

  276.   - name: Apply FusionDirectory Schema

  277.     command: fusiondirectory-insert-schema

  278. 

  279.   - name: Apply FusionDirectory Plugins Schema

  280.     command: |

  281.       fusiondirectory-insert-schema \

  282.       -i /etc/ldap/schema/fusiondirectory/{{ item }}.schema

  283.     with_items:

  284.       - dsa-fd-conf

  285.       - service-fd

  286.       - systems-fd-conf

  287.       - systems-fd

  288. 

  289.   - name: Initialize FusionDirectory Configuration

  290.     command: |

  291.       ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-init-config.ldif

  292.     args:

  293.       chdir: /etc/ldap/custom_ldifs

  294.     no_log: True

  295. 

  296.   - name: Migrate Object Classes

  297.     command: |

  298.       ldapmodify -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-object-classes.ldif

  299.     args:

  300.       chdir: /etc/ldap/custom_ldifs

  301.     no_log: True

  302. 

  303.   - name: Generate FusionDirectory SuperUser and OUs

  304.     shell: |

  305.       yes '{{ fd_admin }}' | \

  306.       fusiondirectory-setup --yes --check-ldap

  307. 

  308.   - name: Set SuperUser Password

  309.     command: |

  310.       ldappasswd -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -s {{ fd_admin_pass }} uid={{ fd_admin }},ou=people,{{ base_dn }}

  311.     no_log: True

  312. 

  313.   - name: Migrate Default ACLs

  314.     command: |

  315.       ldapadd -x -D {{ ldap_admin_dn }} -w {{ ldap_admin_pass }} -H ldapi:/// -f fd-migrate-default-acl.ldif

  316.     args:

  317.       chdir: /etc/ldap/custom_ldifs

  318.     no_log: True

  319. 

  320.   - name: Fix FusionDirectory Configuration Permisions

  321.     command: fusiondirectory-setup --yes --check-config

  322. 

  323.   - name: Apply Service Accounts ACL

  324.     command: |

  325.       ldapadd -c -Y EXTERNAL -H ldapi:/// -f fd-service_accounts_acl.ldif

  326.     args:

  327.       chdir: /etc/ldap/custom_ldifs

  328. 

  329.   - name: Enable the Apache HTTP VirtualHost

  330.     file:

  331.       src: "/etc/apache2/sites-available/{{ domain }}.conf"

  332.       dest: "/etc/apache2/sites-enabled/{{ domain }}.conf"

  333.       state: link

  334. 

  335.   - name: Disable the Default Apache VirtualHost

  336.     file:

  337.       path: /etc/apache2/sites-enabled/000-default.conf

  338.       state: absent

  339. 

  340.   - name: Restart Apache

  341.     service:

  342.       name: apache2

  343.       state: restarted