diff --git a/group_vars/usermanagement.yaml b/group_vars/usermanagement.yaml index 0e86e3a..7b4765d 100644 --- a/group_vars/usermanagement.yaml +++ b/group_vars/usermanagement.yaml @@ -1,5 +1,7 @@ --- ldap_password: flanigan +ldap_dc: "atlantishq" +ldap_org: "atlantishq de" ldap_suffix: "dc=atlantishq,dc=de" ldap_bind_dn: "cn=Manager,dc=atlantishq,dc=de" ldap_user_dn: "ou=People,dc=atlantishq,dc=de" diff --git a/roles/global-handlers/handlers/main.yml b/roles/global-handlers/handlers/main.yml index 2020cff..c83c0e9 100644 --- a/roles/global-handlers/handlers/main.yml +++ b/roles/global-handlers/handlers/main.yml @@ -42,7 +42,7 @@ - name: restart slapd systemd: - name: slapd + name: slapd-custom state: restarted - name: daemon reload diff --git a/roles/usermanagement/files/ldap.conf b/roles/usermanagement/files/ldap.conf deleted file mode 100644 index 19b0428..0000000 --- a/roles/usermanagement/files/ldap.conf +++ /dev/null @@ -1,2 +0,0 @@ -BASE dc=atlantishq.de,dc=de -URI ldap://ldap.atlantishq.de, ldaps://ldap.atlantishq.de diff --git a/roles/usermanagement/tasks/ldap.yaml b/roles/usermanagement/tasks/ldap.yaml index 2eb59bf..7ad4c28 100644 --- a/roles/usermanagement/tasks/ldap.yaml +++ b/roles/usermanagement/tasks/ldap.yaml 
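Review bot: The new `ldap_dc` and `ldap_org` values are typed in by hand next to `ldap_suffix`, `ldap_bind_dn` and `ldap_user_dn`, so the same domain now lives in five literals that can silently drift apart; derive the DN variables from `ldap_dc` with Jinja (`ldap_suffix: "dc={{ ldap_dc }},dc=de"` and so on), or at least add a `# must agree with ldap_suffix / ldap_bind_dn` comment above the two new lines. The adjacent context line `ldap_password: flanigan` is the credential the new `ldap_entry` tasks pass as `bind_pw` for the Manager rootdn, committed in plaintext group_vars; it belongs in an `ansible-vault` encrypted vars file or an inline `!vault` value. Both points apply to this hunk only; the rest of the file is outside the diff.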
@@ -3,16 +3,118 @@ pkg: - slapd - ldap-utils + - python3-ldap -- name: Slapd /etc/default - lineinfile: - path: /etc/default/slapd - regex: "^SLAP_SERVICES=.*$" - line: SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" - notify: restart slapd +- name: directory /var/lib/slapd/ + file: + path: /var/lib/ldap/ + owner: root + group: openldap + mode: 0770 + state: directory -# etc default slapd conf -- name: LDAP Conf +- name: slapd-LDAP Conf template: src: slapd.conf dest: /etc/ldap/slapd.conf + owner: openldap + notify: + - restart slapd + +- name: Disable & mask broken debian slapd unit + systemd: + name: slapd + state: stopped + enabled: false + masked: yes + +- name: Copy slapd systemd unit + template: + src: slapd-custom.service + dest: /etc/systemd/system/slapd-custom.service + mode: 0644 + notify: + - daemon reload + - restart slapd + +- name: Enable and start slapd custom service + systemd: + name: slapd-custom.service + state: started + enabled: yes + +- meta: flush_handlers + +- name: Wait for LDAP to become ready + wait_for: + port: 389 + timeout: 30 + delay: 5 + +- name: LDAP (client) conf + template: + src: ldap.conf + dest: /etc/ldap/ldap.conf + owner: openldap + +- name: Create LDAP root (1) + ldap_entry: + dn: "{{ ldap_suffix }}" + objectClass: + - dcObject + - organization + attributes: | + { "o" : "{{ ldap_org }}", "dc" : "{{ ldap_dc }}" } + state: present + server_uri: "ldap://localhost" + bind_dn: "{{ ldap_bind_dn }}" + bind_pw: "{{ ldap_password }}" + +- name: Create LDAP root (2) + ldap_entry: + dn: "cn=Manager,dc=atlantishq,dc=de" + objectClass: + - organizationalRole + attributes: | + { "cn" : "Manager" } + state: present + server_uri: "ldap://localhost" + bind_dn: "{{ ldap_bind_dn }}" + bind_pw: "{{ ldap_password }}" + +- name: Create LDAP Group people + ldap_entry: + dn: "ou=People,{{ ldap_suffix }}" + objectClass: + - organizationalUnit + state: present + server_uri: "ldap://localhost" + bind_dn: "{{ ldap_bind_dn }}" + bind_pw: "{{ 
ldap_password }}" + +- name: Create LDAP groups root + ldap_entry: + dn: "ou=groups,{{ ldap_suffix }}" + objectClass: + - organizationalUnit + state: present + server_uri: "ldap://localhost" + bind_dn: "{{ ldap_bind_dn }}" + bind_pw: "{{ ldap_password }}" + +- name: Create LDAP groups + ldap_entry: + dn: "cn={{ item }},ou=groups,{{ ldap_suffix }}" + objectClass: + - groupOfNames + attributes: { "member" : "" } + state: present + server_uri: "ldap://localhost" + bind_dn: "{{ ldap_bind_dn }}" + bind_pw: "{{ ldap_password }}" + with_items: + - nextcloud + - images + - mail + - soundlib + - monitoring diff --git a/roles/usermanagement/templates/ldap.conf b/roles/usermanagement/templates/ldap.conf new file mode 100644 index 0000000..3d60cd4 --- /dev/null +++ b/roles/usermanagement/templates/ldap.conf @@ -0,0 +1,2 @@ +BASE {{ ldap_bind_dn }} +URI {{ ldap_connection_url }} diff --git a/roles/usermanagement/templates/slapd-custom.service b/roles/usermanagement/templates/slapd-custom.service new file mode 100644 index 0000000..8a67522 --- /dev/null +++ b/roles/usermanagement/templates/slapd-custom.service @@ -0,0 +1,29 @@ +[Unit] +Description=Slapd Custom Service + +[Service] + +Type=forking +ExecStart=/usr/sbin/slapd -f /etc/ldap/slapd.conf -h "ldapi:/// ldap:///" + +User=openldap +Group=openldap + +CapabilityBoundingSet=CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_BIND_SERVICE + +Restart=on-failure + +PrivateTmp=yes +ProtectSystem=full +ProtectHome=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectControlGroups=yes +NoNewPrivileges=yes +MountFlags=private +SystemCallArchitectures=native +PrivateDevices=yes + +[Install] +WantedBy=multi-user.target diff --git a/roles/usermanagement/templates/slapd.conf b/roles/usermanagement/templates/slapd.conf index 4d437b5..bb6a49b 100644 --- a/roles/usermanagement/templates/slapd.conf +++ b/roles/usermanagement/templates/slapd.conf 
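Review bot: The `slapd-LDAP Conf` task writes `/etc/ldap/slapd.conf`, which carries the `rootpw` hash, with `owner: openldap` but no `mode`, so it is created with the module's default (normally world-readable) permissions; add `group: openldap` and `mode: "0640"` — the new unit runs slapd as `openldap`, which only needs read access. The `ldap_entry` tasks bind as the Manager DN over `ldap://localhost` in clear; since the new unit listens on `ldapi:///`, `server_uri: "ldapi:///"` keeps the root credential off TCP altogether. Smaller points: the task named `directory /var/lib/slapd/` actually creates `/var/lib/ldap/`, `Create LDAP root (2)` hard-codes `cn=Manager,dc=atlantishq,dc=de` instead of `{{ ldap_bind_dn }}`, and `masked: yes` / `mode: 0770` should be `true` / `"0770"` per Ansible conventions. `groupOfNames` requires at least one `member`; the `{ "member" : "" }` placeholder presumably relies on slapd accepting an empty DN there — confirm it, or a later group-membership task will be the first thing to fail.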
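Review bot: `BASE {{ ldap_bind_dn }}` sets the client default search base to the Manager entry (`cn=Manager,dc=atlantishq,dc=de`) rather than the directory suffix, so any unqualified `ldapsearch` or library lookup on this host searches under the admin object and finds nothing; this should be `BASE {{ ldap_suffix }}`. `ldap_connection_url` is not defined in the `group_vars/usermanagement.yaml` hunk of this commit — presumably it lives elsewhere, but confirm it, and note that the deleted `files/ldap.conf` advertised an `ldaps://` URI while the new server unit no longer listens on ldaps, so the value must match what the server actually serves. `owner: openldap` on the system-wide client config is also unusual: it is normally root-owned and world-readable, which is what every LDAP client on the box needs.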
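Review bot: `ExecStart=... -h "ldapi:/// ldap:///"` binds plaintext LDAP on every interface and drops `ldaps:///`, whereas the `/etc/default/slapd` line this commit removes kept `ldap://` on `127.0.0.1:389` and served ldaps externally; together with the `TLS*` directives being commented out in `slapd.conf`, every simple bind — including the Manager rootdn used by the `ldap_entry` tasks — now crosses the network unencrypted. The previous split was the right shape: `ExecStart=/usr/sbin/slapd -f /etc/ldap/slapd.conf -h "ldapi:/// ldap://127.0.0.1:389/ ldaps:///"` once TLS is restored, and loopback-only until then. `Type=forking` without `PIDFile=` leaves systemd guessing the main process; add `PIDFile=/var/lib/ldap/slapd.pid` to match the `pidfile` this commit sets in `slapd.conf`, and `After=network.target` under `[Unit]`. A `# hardening: runs unprivileged; CAP_NET_BIND_SERVICE only for ports 389/636` comment above the sandboxing block would record why the capability set is what it is.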
@@ -1,8 +1,8 @@ modulepath /usr/lib/ldap/ moduleload back_bdb.la -pidfile /var/run/slapd.pid -argsfile /var/run/slapd.args +pidfile /var/lib/ldap/slapd.pid +argsfile /var/lib/ldap/slapd.args include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema @@ -14,14 +14,15 @@ suffix "{{ ldap_suffix }}" rootdn "{{ ldap_bind_dn }}" rootpw {SSHA}HISTORY_PURGED_SECRET -TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt -TLSCertificateFile /etc/letsencrypt/live/ldap.atlantishq.de/cert.pem -TLSCertificateKeyFile /etc/letsencrypt/live/ldap.atlantishq.de/privkey.pem +#TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt +#TLSCertificateFile /etc/letsencrypt/live/ldap.atlantishq.de/cert.pem +#TLSCertificateKeyFile /etc/letsencrypt/live/ldap.atlantishq.de/privkey.pem TLSVerifyClient try logfile /var/log/slapd.log -loglevel -1 +#loglevel -1 +loglevel none directory /var/lib/ldap/ cachesize 2000
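Review bot: Moving `pidfile`/`argsfile` into `/var/lib/ldap/` — the same path as the `directory` database below — parks runtime state in the data directory that the tasks now create as `root:openldap 0770`; it works because the unit runs as `openldap`, but `RuntimeDirectory=slapd` in `slapd-custom.service` gives a `/run/slapd` owned by the service user, so `pidfile /run/slapd/slapd.pid` and `argsfile /run/slapd/slapd.args` keep the database directory limited to database files. The unchanged `moduleload back_bdb.la` context line is worth a caveat comment: the bdb backend was removed in OpenLDAP 2.5, so this config only loads on older packages — state the distribution release it was tested against.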
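Review bot: Commenting out all three `TLS*` directives disables TLS on the server entirely, so the remaining `TLSVerifyClient try` is a no-op and every simple bind, `rootdn` included, is sent in clear; if the motivation is that slapd now runs as `openldap` and presumably cannot read the root-owned `/etc/letsencrypt/live/.../privkey.pem`, the fix is a certbot deploy hook that copies the key to an `openldap`-readable path, not dropping TLS. `loglevel none` swings from the old `-1` (everything) to only the messages slapd always emits, which removes bind and connection records — the only server-side signal for brute-force or misuse of the Manager account; `loglevel stats` is the usual production setting and is cheap. Until TLS is back, put `# TLS disabled: plaintext only — listener must stay on loopback (see slapd-custom.service)` above the commented lines so the operational constraint is explicit.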