jonathan/infra
1
0
Fork 0
Code Actions Activity

Init new ldap server role

Browse Source
This commit is contained in:
Jonathan DeMasi
2026-01-23 16:26:39 -07:00
parent d18353d2ae
commit 7a377c09e0
7 changed files with 153 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ansible/roles/openldap_server/defaults/main.yaml Normal file
View File

@@ -0,0 +1,8 @@
ldap_domain: example.com
ldap_basedn: dc=example,dc=com
ldap_admin_dn: cn=admin,{{ ldap_basedn }}
ldap_bind_dn: cn=binduser,{{ ldap_basedn }}
ldap_cert_path: /etc/openldap/certs/ldap.crt
ldap_key_path: /etc/openldap/certs/ldap.key

21
ansible/roles/openldap_server/tasks/acls.yaml Normal file
View File

@@ -0,0 +1,21 @@
- name: Set LDAP ACLs
community.general.ldap_attrs:
dn: olcDatabase={2}mdb,cn=config
state: exact
attributes:
olcAccess:
- >-
to attrs=userPassword
by dn="{{ ldap_admin_dn }}" write
by dn="{{ ldap_bind_dn }}" read
by self write
by * none
- >-
to *
by dn="{{ ldap_admin_dn }}" write
by dn="{{ ldap_bind_dn }}" read
by self read
by * none
args:
server_uri: ldapi:///
sasl_mech: EXTERNAL

11
ansible/roles/openldap_server/tasks/config.yaml Normal file
View File

@@ -0,0 +1,11 @@
- name: Configure database suffix
community.general.ldap_attrs:
dn: olcDatabase={2}mdb,cn=config
state: exact
attributes:
olcSuffix: "{{ ldap_basedn }}"
olcRootDN: "{{ ldap_admin_dn }}"
args:
server_uri: ldapi:///
sasl_mech: EXTERNAL

57
ansible/roles/openldap_server/tasks/install.yaml Normal file
View File

@@ -0,0 +1,57 @@
- name: Install epel
package:
name: epel-release
state: present
- name: Install openldap server and other required packages
package:
name:
- openldap-servers
- openldap-clients
- openldap-devel
- cyrus-sasl-devel
- openssl
- openssl-devel
state: present
- name: Permanently enable ldap service firewalld
ansible.posix.firewalld:
service: ldap
state: enabled
permanent: true
immediate: true
offline: true
- name: Permanently enable ldaps service firewalld
ansible.posix.firewalld:
service: ldaps
state: enabled
permanent: true
immediate: true
offline: true
- name: Create ldifs directory
file:
path: /etc/openldap/ldifs
state: directory
mode: '0700'
owner: ldap
group: ldap
- name: Set upldap.conf base
lineinfile:
path: /etc/openldap/ldap.conf
regexp: '^#BASE'
line: 'BASE: dc=ldap,dc=home,dc=jthan,dc=io'
- name: Setup ldap.conf URIs
lineinfile:
path: /etc/openldap/ldap.conf
regexp: '^#URI'
line: 'URI: ldap://ldap.home.jthan.io'
- name: Enable slapd
service:
name: slapd
state: started
enabled: yes

85
ansible/roles/openldap_server/tasks/main.yaml
View File

@@ -1,80 +1,5 @@
- name: Install epel - import_tasks: install.yaml
package: - import_tasks: schemas.yaml
name: epel-release - import_tasks: config.yaml
state: present - import_tasks: tls.yaml
- import_tasks: acls.yaml
- name: Install openldap server and other required packages
package:
name:
- openldap-servers
- openldap-clients
- openldap-devel
- cyrus-sasl-devel
- openssl
- openssl-devel
state: present
- name: Permanently enable ldap service firewalld
ansible.posix.firewalld:
service: ldap
state: enabled
permanent: true
immediate: true
offline: true
- name: Permanently enable ldaps service firewalld
ansible.posix.firewalld:
service: ldaps
state: enabled
permanent: true
immediate: true
offline: true
- name: Create ldifs directory
file:
path: /etc/openldap/ldifs
state: directory
mode: '0700'
owner: ldap
group: ldap
- name: Copy default configuration ldif
copy:
src: /usr/share/openldap-servers/slapd.ldif
dest: /etc/openldap/ldifs/slapd.ldif
owner: ldap
group: ldap
mode: '0600'
force: false
remote_src: true
- name: Set upldap.conf base
lineinfile:
path: /etc/openldap/ldap.conf
regexp: '^#BASE'
line: 'BASE: dc=ldap,dc=home,dc=jthan,dc=io'
- name: Setup ldap.conf URIs
lineinfile:
path: /etc/openldap/ldap.conf
regexp: '^#URI'
line: 'URI: ldap://ldap.home.jthan.io'
- name: Set olcSuffix for domain
lineinfile:
path: /etc/openldap/ldifs/slapd.ldif
regexp: '^olcSuffix:'
line: 'olcSuffix: dc=ldap,dc=home,dc=jthan,dc=io'
- name: Set olcRootDN
lineinfile:
path: /etc/openldap/ldifs/slapd.ldif
regexp: '^olcRootDN:'
line: 'olcRootDN: cn=Manager,dc=ldap,dc=home,dc=jthan,dc=io'
#- name: Start and enable slapd
# service:
# name: slapd
# state: started
# enabled: true

31
ansible/roles/openldap_server/tasks/schemas.yaml Normal file
View File

@@ -0,0 +1,31 @@
- name: List existing schemas
command: >
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn
register: ldap_schemas
changed_when: false
- name: Load cosine schema
command: >
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
when: "'cn=cosine,cn=schema,cn=config' not in ldap_schemas.stdout"
- name: Load inetorgperson schema
command: >
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
when: "'cn=inetorgperson,cn=schema,cn=config' not in ldap_schemas.stdout"
- name: Load nis schema
command: >
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
when: "'cn=nis,cn=schema,cn=config' not in ldap_schemas.stdout"
- name: Load sudo schema
command: >
ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/doc/sudo/schema.OpenLDAP
when: "'cn=sudo,cn=schema,cn=config' not in ldap_schemas.stdout"
- name: Load OpenSSH public key schema
command: >
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/openssh-lpk.ldif
when: "'cn=openssh-lpk,cn=schema,cn=config' not in ldap_schemas.stdout"

20
ansible/roles/openldap_server/tasks/tls.yaml Normal file
View File

@@ -0,0 +1,20 @@
- name: Configure TLS cert
community.general.ldap_attrs:
dn: cn=config
state: present
attributes:
olcTLSCertificateFile: "{{ ldap_cert_path }}"
olcTLSCertificateKeyFile: "{{ ldap_key_path }}"
args:
server_uri: ldapi:///
sasl_mech: EXTERNAL
- name: Require TLS
community.general.ldap_attrs:
dn: olcDatabase={2}mdb,cn=config
state: present
attributes:
olcSecurity: tls=1
args:
server_uri: ldapi:///
sasl_mech: EXTERNAL