From 6e95041033b60fd5f45a0bbe7d6a9605e2892f5f Mon Sep 17 00:00:00 2001
From: Jonathan DeMasi
Date: Sat, 24 Jan 2026 16:53:59 -0700
Subject: [PATCH] Init openldap data
---
 .../host_vars/ldap.home.jthan.io/vars.yaml | 6 ++++-
 .../openldap_directory/defaults/main.yaml | 10 +++++++++
 .../roles/openldap_directory/tasks/base.yaml | 14 ++++++++++++
 .../roles/openldap_directory/tasks/main.yaml | 5 +++++
 .../openldap_directory/tasks/ssh_keys.yaml | 13 +++++++++++
 .../roles/openldap_directory/tasks/sudo.yaml | 15 +++++++++++++
 .../roles/openldap_directory/tasks/users.yaml | 22 +++++++++++++++++++
 7 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/openldap_directory/defaults/main.yaml
 create mode 100644 ansible/roles/openldap_directory/tasks/base.yaml
 create mode 100644 ansible/roles/openldap_directory/tasks/main.yaml
 create mode 100644 ansible/roles/openldap_directory/tasks/ssh_keys.yaml
 create mode 100644 ansible/roles/openldap_directory/tasks/sudo.yaml
 create mode 100644 ansible/roles/openldap_directory/tasks/users.yaml
diff --git a/ansible/inventories/production/host_vars/ldap.home.jthan.io/vars.yaml b/ansible/inventories/production/host_vars/ldap.home.jthan.io/vars.yaml
index 2b03d71..933a0a8 100644
--- a/ansible/inventories/production/host_vars/ldap.home.jthan.io/vars.yaml
+++ b/ansible/inventories/production/host_vars/ldap.home.jthan.io/vars.yaml
@@ -1,12 +1,16 @@
 root_pw: "{{ lookup('bitwarden.secrets.lookup', '64a96d82-179b-41af-898d-b3dc014f44a0') }}"
-ldap_manager_pw_hash: "{{ lookup('bitwarden.secrets.lookup', '32654697-7172-4fe3-9767-b3dc015ddd34') }}"
 letsencrypt_email: "me@jthan.io"
 linode_dns_token: "{{ lookup('bitwarden.secrets.lookup', '8849d676-e53e-4aef-a7e6-b3dc014dd698') }}"
 ldap_domain: ldap.home.jthan.io
 ldap_basedn: dc=ldap,dc=home,dc=jthan,dc=io
+ldap_manager_pw_hash: "{{ lookup('bitwarden.secrets.lookup', '32654697-7172-4fe3-9767-b3dc015ddd34') }}"
+ldap_uri: ldap://ldap.home.jthan.io
+
+ldap_admin_dn: cn=Manager,{{ ldap_basedn }}
+ldap_admin_pw: "{{ lookup('bitwarden.secrets.lookup', '04e7d5d8-f97a-4fbc-9ecf-b3dc015dfbd2') }}"
 ldap_users:
   - uid: jonathan
diff --git a/ansible/roles/openldap_directory/defaults/main.yaml b/ansible/roles/openldap_directory/defaults/main.yaml
new file mode 100644
index 0000000..c48a129
--- /dev/null
+++ b/ansible/roles/openldap_directory/defaults/main.yaml
@@ -0,0 +1,10 @@
+ldap_uri: ldap://ldap.example.com
+ldap_basedn: dc=example,dc=com
+
+ldap_admin_dn: cn=Manager,{{ ldap_basedn }}
+ldap_admin_pw: "{{ ldap_admin_password }}"
+
+ldap_people_ou: ou=people,{{ ldap_basedn }}
+ldap_groups_ou: ou=groups,{{ ldap_basedn }}
+ldap_sudo_ou: ou=SUDOers,{{ ldap_basedn }}
+
diff --git a/ansible/roles/openldap_directory/tasks/base.yaml b/ansible/roles/openldap_directory/tasks/base.yaml
new file mode 100644
index 0000000..cd07022
--- /dev/null
+++ b/ansible/roles/openldap_directory/tasks/base.yaml
@@ -0,0 +1,14 @@
+- name: Create base OUs
+  community.general.ldap_entry:
+    dn: "{{ item }}"
+    state: present
+    objectClass: organizationalUnit
+  loop:
+    - "{{ ldap_people_ou }}"
+    - "{{ ldap_groups_ou }}"
+    - "{{ ldap_sudo_ou }}"
+  args:
+    server_uri: "{{ ldap_uri }}"
+    bind_dn: "{{ ldap_admin_dn }}"
+    bind_pw: "{{ ldap_admin_pw }}"
+    start_tls: yes
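Review bot: `ldap_admin_pw` is a new cleartext bind password for `cn=Manager`, and `ldap_manager_pw_hash` (moved, not changed) presumably is the hashed form of that same credential for slapd's rootpw; nothing in this file ties the two Bitwarden entries together, so rotating one without the other breaks every bind in the openldap_directory role. A comment above `ldap_admin_pw` such as `# cleartext counterpart of ldap_manager_pw_hash — rotate both Bitwarden entries together` would make the coupling visible to whoever rotates it next. Keeping both as lookups rather than literals is the right shape for host_vars.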
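Review bot: `ldap_admin_pw: "{{ ldap_admin_password }}"` in defaults/main.yaml defers to a variable that nothing in this commit defines (the production host_vars set `ldap_admin_pw` directly), so any host that falls back to the role defaults fails at the first bind with an undefined-variable error instead of getting a value. Failing closed is acceptable for a credential, but the contract should be stated: a comment `# no usable default: supply ldap_admin_password (vault/lookup) or override ldap_admin_pw per host` above that line. The `ldap://` default is only safe because every task in the role sets start_tls; that dependency is worth a comment on `ldap_uri` as well.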
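Review bot: The three OU entries in base.yaml are added with only `objectClass: organizationalUnit` and no `ou` naming attribute, whereas sudo.yaml and users.yaml set `cn`/`uid` explicitly; unless ldap_entry derives the RDN attribute from `dn` itself (not visible here), slapd rejects such an add as a naming violation, so add `attributes:` / `ou: "{{ item.split(',')[0].split('=')[1] }}"` under the module arguments, or loop over dn/ou pairs. The four connection arguments under `args:` are repeated verbatim in ssh_keys.yaml, sudo.yaml and users.yaml; a single `ldap_auth` mapping in defaults/main.yaml used as `args: "{{ ldap_auth }}"` keeps them in one place. `start_tls: yes` is the YAML 1.1 boolean spelling that yamllint's truthy rule flags; `start_tls: true` is the canonical form, in all four task files.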
diff --git a/ansible/roles/openldap_directory/tasks/main.yaml b/ansible/roles/openldap_directory/tasks/main.yaml
new file mode 100644
index 0000000..5cd1261
--- /dev/null
+++ b/ansible/roles/openldap_directory/tasks/main.yaml
@@ -0,0 +1,5 @@
+- import_tasks: base.yaml
+- import_tasks: groups.yaml
+- import_tasks: users.yaml
+- import_tasks: ssh_keys.yaml
+- import_tasks: sudo.yaml
diff --git a/ansible/roles/openldap_directory/tasks/ssh_keys.yaml b/ansible/roles/openldap_directory/tasks/ssh_keys.yaml
new file mode 100644
index 0000000..f927c43
--- /dev/null
+++ b/ansible/roles/openldap_directory/tasks/ssh_keys.yaml
@@ -0,0 +1,13 @@
+- name: Set SSH keys
+  community.general.ldap_attrs:
+    dn: "uid={{ item.uid }},{{ ldap_people_ou }}"
+    state: exact
+    attributes:
+      sshPublicKey: "{{ item.ssh_keys }}"
+  loop: "{{ ldap_users }}"
+  when: item.ssh_keys is defined
+  args:
+    server_uri: "{{ ldap_uri }}"
+    bind_dn: "{{ ldap_admin_dn }}"
+    bind_pw: "{{ ldap_admin_pw }}"
+    start_tls: yes
diff --git a/ansible/roles/openldap_directory/tasks/sudo.yaml b/ansible/roles/openldap_directory/tasks/sudo.yaml
new file mode 100644
index 0000000..dfd8281
--- /dev/null
+++ b/ansible/roles/openldap_directory/tasks/sudo.yaml
@@ -0,0 +1,15 @@
+- name: Admin sudo rule
+  community.general.ldap_entry:
+    dn: "cn=admins-all,{{ ldap_sudo_ou }}"
+    state: present
+    objectClass: sudoRole
+    attributes:
+      cn: admins-all
+      sudoUser: "%admins"
+      sudoHost: ALL
+      sudoCommand: ALL
+  args:
+    server_uri: "{{ ldap_uri }}"
+    bind_dn: "{{ ldap_admin_dn }}"
+    bind_pw: "{{ ldap_admin_pw }}"
+    start_tls: yes
diff --git a/ansible/roles/openldap_directory/tasks/users.yaml b/ansible/roles/openldap_directory/tasks/users.yaml
new file mode 100644
index 0000000..1aad6d6
--- /dev/null
+++ b/ansible/roles/openldap_directory/tasks/users.yaml
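Review bot: `- import_tasks: groups.yaml` in main.yaml names a file this commit does not add (the diffstat lists base, users, ssh_keys and sudo only), and `import_tasks` is resolved at parse time, so the whole play fails to load unless groups.yaml already exists in the role. Either add the file — sudo.yaml's `sudoUser: "%admins"` and the `ou=groups` OU both assume it creates a `cn=admins` group — or drop the line until it does.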
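Review bot: `when: item.ssh_keys is defined` in ssh_keys.yaml skips users that have no `ssh_keys`, so removing a user's key list from `ldap_users` leaves the old keys in the directory — deleting a key from inventory never revokes it on the server. Since `state: exact` already expresses the intent, drop the `when` and write `sshPublicKey: "{{ item.ssh_keys | default([]) }}"` so users without keys get the attribute cleared; the module documents exact as setting precisely the listed values, but confirm on your version that an empty list clears the attribute rather than erroring. This only affects entries that already exist; the entry itself is created in users.yaml.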
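Review bot: `community.general.ldap_entry` with `state: present` in sudo.yaml creates `cn=admins-all` but never modifies an existing entry, so a later edit to `sudoUser`, `sudoHost` or `sudoCommand` in this task is silently ignored on any directory where the rule already exists; the same holds for the user attributes in users.yaml. For the rule body, follow this task with `community.general.ldap_attrs` using `state: exact`, or at least record the limitation with `# ldap_entry never updates existing entries; change attributes via ldap_attrs`. `sudoUser: "%admins"` also depends on a `cn=admins` group that nothing in this commit creates.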
@@ -0,0 +1,22 @@
+- name: Ensure users exist
+  community.general.ldap_entry:
+    dn: "uid={{ item.uid }},{{ ldap_people_ou }}"
+    state: present
+    objectClass:
+      - inetOrgPerson
+      - posixAccount
+      - ldapPublicKey
+    attributes:
+      cn: "{{ item.cn }}"
+      sn: "{{ item.sn }}"
+      uid: "{{ item.uid }}"
+      uidNumber: "{{ item.uidNumber }}"
+      gidNumber: "{{ item.gidNumber }}"
+      homeDirectory: "/home/{{ item.uid }}"
+      loginShell: /bin/bash
+  loop: "{{ ldap_users }}"
+  args:
+    server_uri: "{{ ldap_uri }}"
+    bind_dn: "{{ ldap_admin_dn }}"
+    bind_pw: "{{ ldap_admin_pw }}"
+    start_tls: yes
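Review bot: `uidNumber` and `gidNumber` are taken straight from inventory in users.yaml and nothing checks that two entries of `ldap_users` do not share a `uidNumber`; two LDAP accounts with the same uidNumber are one identity to every POSIX host that consumes this directory, and ldap_entry will happily create both. An `ansible.builtin.assert` before the loop catches that at play time. `loginShell: /bin/bash` could also become per-user with `"{{ item.loginShell | default('/bin/bash') }}"` without changing current behavior.
```yaml
- name: Refuse duplicate uidNumbers in ldap_users
  ansible.builtin.assert:
    that:
      - ldap_users | map(attribute='uidNumber') | list | length == ldap_users | map(attribute='uidNumber') | unique | list | length
    fail_msg: "ldap_users contains duplicate uidNumber values"

# … unchanged: Ensure users exist task …
```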