feat: slapd group & systemd

2025-12-10 06:48:33 +01:00 · 2023-01-15 08:31:53 +01:00
parent 6c8a690a39
commit 6c8718e948
7 changed files with 151 additions and 17 deletions
--- a/roles/usermanagement/tasks/ldap.yaml
+++ b/roles/usermanagement/tasks/ldap.yaml
@@ -3,16 +3,118 @@
    pkg:
      - slapd
      - ldap-utils
+      - python3-ldap

- name: Slapd /etc/default
-  lineinfile:
-    path: /etc/default/slapd
-    regex: "^SLAP_SERVICES=.*$"
-    line: SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
-  notify: restart slapd
+- name: directory /var/lib/slapd/
+  file:
+    path: /var/lib/ldap/
+    owner: root
+    group: openldap
+    mode: 0770
+    state: directory

-# etc default slapd conf
- name: LDAP Conf
+- name: slapd-LDAP Conf
  template:
    src: slapd.conf
    dest: /etc/ldap/slapd.conf
+    owner: openldap
+  notify:
+    - restart slapd
+
+- name: Disable & mask broken debian slapd unit
+  systemd:
+    name: slapd
+    state: stopped
+    enabled: false
+    masked: yes
+
+- name: Copy slapd systemd unit
+  template:
+    src: slapd-custom.service
+    dest: /etc/systemd/system/slapd-custom.service
+    mode: 0644
+  notify:
+    - daemon reload
+    - restart slapd
+
+- name: Enable and start slapd custom service
+  systemd:
+    name: slapd-custom.service
+    state: started
+    enabled: yes
+
+- meta: flush_handlers
+
+- name: Wait for LDAP to become ready
+  wait_for:
+    port: 389
+    timeout: 30
+    delay: 5
+
+- name: LDAP (client) conf
+  template:
+    src: ldap.conf
+    dest: /etc/ldap/ldap.conf
+    owner: openldap
+
+- name: Create LDAP root (1)
+  ldap_entry:
+    dn: "{{ ldap_suffix }}"
+    objectClass:
+      - dcObject
+      - organization
+    attributes: |
+        { "o" : "{{ ldap_org }}", "dc" : "{{ ldap_dc }}" }
+    state: present
+    server_uri: "ldap://localhost"
+    bind_dn: "{{ ldap_bind_dn }}"
+    bind_pw: "{{ ldap_password }}"
+
+- name: Create LDAP root (2)
+  ldap_entry:
+    dn: "cn=Manager,dc=atlantishq,dc=de"
+    objectClass:
+      - organizationalRole
+    attributes: |
+        { "cn" : "Manager" }
+    state: present
+    server_uri: "ldap://localhost"
+    bind_dn: "{{ ldap_bind_dn }}"
+    bind_pw: "{{ ldap_password }}"
+
+- name: Create LDAP Group people
+  ldap_entry:
+    dn: "ou=People,{{ ldap_suffix }}"
+    objectClass:
+      - organizationalUnit
+    state: present
+    server_uri: "ldap://localhost"
+    bind_dn: "{{ ldap_bind_dn }}"
+    bind_pw: "{{ ldap_password }}"
+
+- name: Create LDAP groups root
+  ldap_entry:
+    dn: "ou=groups,{{ ldap_suffix }}"
+    objectClass:
+      - organizationalUnit
+    state: present
+    server_uri: "ldap://localhost"
+    bind_dn: "{{ ldap_bind_dn }}"
+    bind_pw: "{{ ldap_password }}"
+
+- name: Create LDAP groups
+  ldap_entry:
+    dn: "cn={{ item }},ou=groups,{{ ldap_suffix }}"
+    objectClass:
+      - groupOfNames
+    attributes: { "member" : "" }
+    state: present
+    server_uri: "ldap://localhost"
+    bind_dn: "{{ ldap_bind_dn }}"
+    bind_pw: "{{ ldap_password }}"
+  with_items:
+    - nextcloud
+    - images
+    - mail
+    - soundlib
+    - monitoring