Init openldap data

2026-01-24 16:53:59 -07:00
parent 9cb8287808
commit 6e95041033
7 changed files with 84 additions and 1 deletions
--- a/ansible/roles/openldap_directory/tasks/base.yaml
+++ b/ansible/roles/openldap_directory/tasks/base.yaml
@@ -0,0 +1,14 @@
+- name: Create base OUs
+  community.general.ldap_entry:
+    dn: "{{ item }}"
+    state: present
+    objectClass: organizationalUnit
+  loop:
+    - "{{ ldap_people_ou }}"
+    - "{{ ldap_groups_ou }}"
+    - "{{ ldap_sudo_ou }}"
+  args:
+    server_uri: "{{ ldap_uri }}"
+    bind_dn: "{{ ldap_admin_dn }}"
+    bind_pw: "{{ ldap_admin_pw }}"
+    start_tls: yes
--- a/ansible/roles/openldap_directory/tasks/main.yaml
+++ b/ansible/roles/openldap_directory/tasks/main.yaml
@@ -0,0 +1,5 @@
+- import_tasks: base.yaml
+- import_tasks: groups.yaml
+- import_tasks: users.yaml
+- import_tasks: ssh_keys.yaml
+- import_tasks: sudo.yaml
--- a/ansible/roles/openldap_directory/tasks/ssh_keys.yaml
+++ b/ansible/roles/openldap_directory/tasks/ssh_keys.yaml
@@ -0,0 +1,13 @@
+- name: Set SSH keys
+  community.general.ldap_attrs:
+    dn: "uid={{ item.uid }},{{ ldap_people_ou }}"
+    state: exact
+    attributes:
+      sshPublicKey: "{{ item.ssh_keys }}"
+  loop: "{{ ldap_users }}"
+  when: item.ssh_keys is defined
+  args:
+    server_uri: "{{ ldap_uri }}"
+    bind_dn: "{{ ldap_admin_dn }}"
+    bind_pw: "{{ ldap_admin_pw }}"
+    start_tls: yes
--- a/ansible/roles/openldap_directory/tasks/sudo.yaml
+++ b/ansible/roles/openldap_directory/tasks/sudo.yaml
@@ -0,0 +1,15 @@
+- name: Admin sudo rule
+  community.general.ldap_entry:
+    dn: "cn=admins-all,{{ ldap_sudo_ou }}"
+    state: present
+    objectClass: sudoRole
+    attributes:
+      cn: admins-all
+      sudoUser: "%admins"
+      sudoHost: ALL
+      sudoCommand: ALL
+  args:
+    server_uri: "{{ ldap_uri }}"
+    bind_dn: "{{ ldap_admin_dn }}"
+    bind_pw: "{{ ldap_admin_pw }}"
+    start_tls: yes
--- a/ansible/roles/openldap_directory/tasks/users.yaml
+++ b/ansible/roles/openldap_directory/tasks/users.yaml
@@ -0,0 +1,22 @@
+- name: Ensure users exist
+  community.general.ldap_entry:
+    dn: "uid={{ item.uid }},{{ ldap_people_ou }}"
+    state: present
+    objectClass:
+      - inetOrgPerson
+      - posixAccount
+      - ldapPublicKey
+    attributes:
+      cn: "{{ item.cn }}"
+      sn: "{{ item.sn }}"
+      uid: "{{ item.uid }}"
+      uidNumber: "{{ item.uidNumber }}"
+      gidNumber: "{{ item.gidNumber }}"
+      homeDirectory: "/home/{{ item.uid }}"
+      loginShell: /bin/bash
+  loop: "{{ ldap_users }}"
+  args:
+    server_uri: "{{ ldap_uri }}"
+    bind_dn: "{{ ldap_admin_dn }}"
+    bind_pw: "{{ ldap_admin_pw }}"
+    start_tls: yes