Init new ldap server role

ansible/roles/openldap_server/defaults/main.yaml

@@ -0,0 +1,8 @@
+ldap_domain: example.com
+ldap_basedn: dc=example,dc=com
+
+ldap_admin_dn: cn=admin,{{ ldap_basedn }}
+ldap_bind_dn: cn=binduser,{{ ldap_basedn }}
+
+ldap_cert_path: /etc/openldap/certs/ldap.crt
+ldap_key_path: /etc/openldap/certs/ldap.key

ansible/roles/openldap_server/tasks/acls.yaml

@@ -0,0 +1,21 @@
+- name: Set LDAP ACLs
+  community.general.ldap_attrs:
+    dn: olcDatabase={2}mdb,cn=config
+    state: exact
+    attributes:
+      olcAccess:
+        - >-
+          to attrs=userPassword
+          by dn="{{ ldap_admin_dn }}" write
+          by dn="{{ ldap_bind_dn }}" read
+          by self write
+          by * none
+        - >-
+          to *
+          by dn="{{ ldap_admin_dn }}" write
+          by dn="{{ ldap_bind_dn }}" read
+          by self read
+          by * none
+  args:
+    server_uri: ldapi:///
+    sasl_mech: EXTERNAL

ansible/roles/openldap_server/tasks/config.yaml

@@ -0,0 +1,11 @@
+- name: Configure database suffix
+  community.general.ldap_attrs:
+    dn: olcDatabase={2}mdb,cn=config
+    state: exact
+    attributes:
+      olcSuffix: "{{ ldap_basedn }}"
+      olcRootDN: "{{ ldap_admin_dn }}"
+  args:
+    server_uri: ldapi:///
+    sasl_mech: EXTERNAL
+

ansible/roles/openldap_server/tasks/install.yaml

@@ -0,0 +1,57 @@
+- name: Install epel
+  package:
+    name: epel-release
+    state: present
+
+- name: Install openldap server and other required packages
+  package:
+    name:
+      - openldap-servers
+      - openldap-clients
+      - openldap-devel
+      - cyrus-sasl-devel
+      - openssl
+      - openssl-devel
+    state: present
+
+- name: Permanently enable ldap service firewalld
+  ansible.posix.firewalld:
+    service: ldap
+    state: enabled
+    permanent: true
+    immediate: true
+    offline: true
+
+- name: Permanently enable ldaps service firewalld
+  ansible.posix.firewalld:
+    service: ldaps
+    state: enabled
+    permanent: true
+    immediate: true
+    offline: true
+
+- name: Create ldifs directory
+  file:
+    path: /etc/openldap/ldifs
+    state: directory
+    mode: '0700'
+    owner: ldap
+    group: ldap
+
+- name: Set upldap.conf base
+  lineinfile:
+    path: /etc/openldap/ldap.conf
+    regexp: '^#BASE'
+    line: 'BASE: dc=ldap,dc=home,dc=jthan,dc=io'
+
+- name: Setup ldap.conf URIs
+  lineinfile:
+    path: /etc/openldap/ldap.conf
+    regexp: '^#URI'
+    line: 'URI: ldap://ldap.home.jthan.io'
+
+- name: Enable slapd
+  service:
+    name: slapd
+    state: started
+    enabled: yes

ansible/roles/openldap_server/tasks/main.yaml

@@ -1,80 +1,5 @@
-- name: Install epel
-  package:
-    name: epel-release
-    state: present
-
-- name: Install openldap server and other required packages
-  package:
-    name:
-      - openldap-servers
-      - openldap-clients
-      - openldap-devel
-      - cyrus-sasl-devel
-      - openssl
-      - openssl-devel
-    state: present
-
-- name: Permanently enable ldap service firewalld
-  ansible.posix.firewalld:
-    service: ldap
-    state: enabled
-    permanent: true
-    immediate: true
-    offline: true
-
-- name: Permanently enable ldaps service firewalld
-  ansible.posix.firewalld:
-    service: ldaps
-    state: enabled
-    permanent: true
-    immediate: true
-    offline: true
-
-- name: Create ldifs directory
-  file:
-    path: /etc/openldap/ldifs
-    state: directory
-    mode: '0700'
-    owner: ldap
-    group: ldap
-
-- name: Copy default configuration ldif
-  copy:
-    src: /usr/share/openldap-servers/slapd.ldif
-    dest: /etc/openldap/ldifs/slapd.ldif
-    owner: ldap
-    group: ldap
-    mode: '0600'
-    force: false
-    remote_src: true
-
-- name: Set upldap.conf base
-  lineinfile:
-    path: /etc/openldap/ldap.conf
-    regexp: '^#BASE'
-    line: 'BASE: dc=ldap,dc=home,dc=jthan,dc=io'
-
-- name: Setup ldap.conf URIs
-  lineinfile:
-    path: /etc/openldap/ldap.conf
-    regexp: '^#URI'
-    line: 'URI: ldap://ldap.home.jthan.io'
-
-- name: Set olcSuffix for domain
-  lineinfile:
-    path: /etc/openldap/ldifs/slapd.ldif
-    regexp: '^olcSuffix:'
-    line: 'olcSuffix: dc=ldap,dc=home,dc=jthan,dc=io'
-
-- name: Set olcRootDN
-  lineinfile:
-    path: /etc/openldap/ldifs/slapd.ldif
-    regexp: '^olcRootDN:'
-    line: 'olcRootDN: cn=Manager,dc=ldap,dc=home,dc=jthan,dc=io'
-
-#- name: Start and enable slapd
-#  service:
-#    name: slapd
-#    state: started
-#    enabled: true
-
+- import_tasks: install.yaml
+- import_tasks: schemas.yaml
+- import_tasks: config.yaml
+- import_tasks: tls.yaml
+- import_tasks: acls.yaml

ansible/roles/openldap_server/tasks/schemas.yaml

@@ -0,0 +1,31 @@
+- name: List existing schemas
+  command: >
+    ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
+  register: ldap_schemas
+  changed_when: false
+
+- name: Load cosine schema
+  command: >
+    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
+  when: "'cn=cosine,cn=schema,cn=config' not in ldap_schemas.stdout"
+
+- name: Load inetorgperson schema
+  command: >
+    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
+  when: "'cn=inetorgperson,cn=schema,cn=config' not in ldap_schemas.stdout"
+
+- name: Load nis schema
+  command: >
+    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
+  when: "'cn=nis,cn=schema,cn=config' not in ldap_schemas.stdout"
+
+- name: Load sudo schema
+  command: >
+    ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/sudo/schema.OpenLDAP
+  when: "'cn=sudo,cn=schema,cn=config' not in ldap_schemas.stdout"
+
+- name: Load OpenSSH public key schema
+  command: >
+    ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openssh-lpk.ldif
+  when: "'cn=openssh-lpk,cn=schema,cn=config' not in ldap_schemas.stdout"
+

ansible/roles/openldap_server/tasks/tls.yaml

@@ -0,0 +1,20 @@
+- name: Configure TLS cert
+  community.general.ldap_attrs:
+    dn: cn=config
+    state: present
+    attributes:
+      olcTLSCertificateFile: "{{ ldap_cert_path }}"
+      olcTLSCertificateKeyFile: "{{ ldap_key_path }}"
+  args:
+    server_uri: ldapi:///
+    sasl_mech: EXTERNAL
+
+- name: Require TLS
+  community.general.ldap_attrs:
+    dn: olcDatabase={2}mdb,cn=config
+    state: present
+    attributes:
+      olcSecurity: tls=1
+  args:
+    server_uri: ldapi:///
+    sasl_mech: EXTERNAL