feat: slapd group & systemd

2023-01-15 08:31:53 +01:00
parent 6c8a690a39
commit 6c8718e948
7 changed files with 151 additions and 17 deletions


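--- a/PATH_NOT_SHOWN
+++ b/PATH_NOT_SHOWN
@@ -1,5 +1,7 @@
 ---
 ldap_password: flanigan
+ldap_dc: "atlantishq"
+ldap_org: "atlantishq de"
 ldap_suffix: "dc=atlantishq,dc=de"
 ldap_bind_dn: "cn=Manager,dc=atlantishq,dc=de"
 ldap_user_dn: "ou=People,dc=atlantishq,dc=de"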
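Review bot: `ldap_password` is still a plaintext credential in a variables file that ships with the role, and it is the same password the play later uses as `bind_pw` for the rootdn; the two keys this commit adds leave that untouched, while the `rootpw` hash in slapd.conf has already been purged from history. Keep the value out of the repository: store it as an ansible-vault encrypted variable (`ldap_password: !vault |` followed by the vault payload) or supply it from inventory that is not committed. The hunk covers the whole file (lines 1-7), so there is no other definition of this key in the role's vars.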


@@ -42,7 +42,7 @@
- name: restart slapd - name: restart slapd
systemd: systemd:
name: slapd name: slapd-custom
state: restarted state: restarted
- name: daemon reload - name: daemon reload
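Review bot: `restart slapd` is defined before `daemon reload`, and Ansible runs notified handlers in the order they are declared, so the task that installs the new slapd-custom.service unit and notifies both will restart the service before systemd has re-read the unit file. The simplest fix is to make the restart handler self-sufficient: add `daemon_reload: true` under `systemd:` in the `restart slapd` handler, after which the declaration order no longer matters. While there, prefer `true`/`false` over `yes` for the module booleans. The body of the `daemon reload` handler lies outside this hunk.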


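--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,2 +0,0 @@
-BASE dc=atlantishq.de,dc=de
-URI ldap://ldap.atlantishq.de, ldaps://ldap.atlantishq.de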


@@ -3,16 +3,118 @@
pkg: pkg:
- slapd - slapd
- ldap-utils - ldap-utils
- python3-ldap
- name: Slapd /etc/default - name: directory /var/lib/slapd/
lineinfile: file:
path: /etc/default/slapd path: /var/lib/ldap/
regex: "^SLAP_SERVICES=.*$" owner: root
line: SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" group: openldap
notify: restart slapd mode: 0770
state: directory
# etc default slapd conf - name: slapd-LDAP Conf
- name: LDAP Conf
template: template:
src: slapd.conf src: slapd.conf
dest: /etc/ldap/slapd.conf dest: /etc/ldap/slapd.conf
owner: openldap
notify:
- restart slapd
- name: Disable & mask broken debian slapd unit
systemd:
name: slapd
state: stopped
enabled: false
masked: yes
- name: Copy slapd systemd unit
template:
src: slapd-custom.service
dest: /etc/systemd/system/slapd-custom.service
mode: 0644
notify:
- daemon reload
- restart slapd
- name: Enable and start slapd custom service
systemd:
name: slapd-custom.service
state: started
enabled: yes
- meta: flush_handlers
- name: Wait for LDAP to become ready
wait_for:
port: 389
timeout: 30
delay: 5
- name: LDAP (client) conf
template:
src: ldap.conf
dest: /etc/ldap/ldap.conf
owner: openldap
- name: Create LDAP root (1)
ldap_entry:
dn: "{{ ldap_suffix }}"
objectClass:
- dcObject
- organization
attributes: |
{ "o" : "{{ ldap_org }}", "dc" : "{{ ldap_dc }}" }
state: present
server_uri: "ldap://localhost"
bind_dn: "{{ ldap_bind_dn }}"
bind_pw: "{{ ldap_password }}"
- name: Create LDAP root (2)
ldap_entry:
dn: "cn=Manager,dc=atlantishq,dc=de"
objectClass:
- organizationalRole
attributes: |
{ "cn" : "Manager" }
state: present
server_uri: "ldap://localhost"
bind_dn: "{{ ldap_bind_dn }}"
bind_pw: "{{ ldap_password }}"
- name: Create LDAP Group people
ldap_entry:
dn: "ou=People,{{ ldap_suffix }}"
objectClass:
- organizationalUnit
state: present
server_uri: "ldap://localhost"
bind_dn: "{{ ldap_bind_dn }}"
bind_pw: "{{ ldap_password }}"
- name: Create LDAP groups root
ldap_entry:
dn: "ou=groups,{{ ldap_suffix }}"
objectClass:
- organizationalUnit
state: present
server_uri: "ldap://localhost"
bind_dn: "{{ ldap_bind_dn }}"
bind_pw: "{{ ldap_password }}"
- name: Create LDAP groups
ldap_entry:
dn: "cn={{ item }},ou=groups,{{ ldap_suffix }}"
objectClass:
- groupOfNames
attributes: { "member" : "" }
state: present
server_uri: "ldap://localhost"
bind_dn: "{{ ldap_bind_dn }}"
bind_pw: "{{ ldap_password }}"
with_items:
- nextcloud
- images
- mail
- soundlib
- monitoring
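Review bot: The `slapd-LDAP Conf` task sets `owner: openldap` on /etc/ldap/slapd.conf but no `group` or `mode`, so the rendered file — which carries the `rootpw` hash and is now the config slapd is started from — is created with whatever the remote umask yields (usually 0644); add `group: openldap` and `mode: "0640"` to that template task. Quote the octal modes elsewhere too (`mode: "0770"`, `mode: "0644"`) so they do not depend on YAML 1.1 octal parsing, and write `masked: true` / `enabled: true` rather than `yes`. The task named `directory /var/lib/slapd/` actually creates `/var/lib/ldap/`; rename it to match the path. `Create LDAP root (2)` hard-codes `dn: "cn=Manager,dc=atlantishq,dc=de"` where every other task uses `{{ ldap_bind_dn }}`. The task list begins before this hunk.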


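--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,2 @@
+BASE {{ ldap_bind_dn }}
+URI {{ ldap_connection_url }}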
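Review bot: `BASE {{ ldap_bind_dn }}` renders the client default search base as `cn=Manager,dc=atlantishq,dc=de` (the value the vars file assigns to ldap_bind_dn), so client searches default to the manager entry's subtree instead of the directory root; it should be `BASE {{ ldap_suffix }}`. `ldap_connection_url` is not defined in the role's vars file in this commit, so unless inventory supplies it the template task will fail on an undefined variable. If TLS is re-enabled on the server, add `TLS_CACERT /etc/ssl/certs/ca-certificates.crt` here as well so clients can verify the certificate.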


@@ -0,0 +1,29 @@
[Unit]
Description=Slapd Custom Service
[Service]
Type=forking
ExecStart=/usr/sbin/slapd -f /etc/ldap/slapd.conf -h "ldapi:/// ldap:///"
User=openldap
Group=openldap
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
Restart=on-failure
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
NoNewPrivileges=yes
MountFlags=private
SystemCallArchitectures=native
PrivateDevices=yes
[Install]
WantedBy=multi-user.target
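Review bot: `ExecStart=... -h "ldapi:/// ldap:///"` accepts plaintext LDAP on every interface, whereas the `/etc/default/slapd` line this commit removes bound `ldap://` to 127.0.0.1 and offered `ldaps:///`; with the TLS directives commented out in slapd.conf at the same time, a remote bind (including one with the rootdn password) would now travel unencrypted. Until TLS is restored, keep the plain listener on loopback: `ExecStart=/usr/sbin/slapd -f /etc/ldap/slapd.conf -h "ldapi:/// ldap://127.0.0.1:389/"`. With `Type=forking`, add `PIDFile=/var/lib/ldap/slapd.pid` (the path slapd.conf now sets) so systemd tracks the daemon and `Restart=on-failure` acts on the right process, and give `[Unit]` an `After=network.target` ordering. Seven of the unit's 29 lines, presumably blank separators, are not shown on this page.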


@@ -1,8 +1,8 @@
modulepath /usr/lib/ldap/ modulepath /usr/lib/ldap/
moduleload back_bdb.la moduleload back_bdb.la
pidfile /var/run/slapd.pid pidfile /var/lib/ldap/slapd.pid
argsfile /var/run/slapd.args argsfile /var/lib/ldap/slapd.args
include /etc/ldap/schema/core.schema include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/cosine.schema
@@ -14,14 +14,15 @@ suffix "{{ ldap_suffix }}"
rootdn "{{ ldap_bind_dn }}" rootdn "{{ ldap_bind_dn }}"
rootpw {SSHA}HISTORY_PURGED_SECRET rootpw {SSHA}HISTORY_PURGED_SECRET
TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt #TLSCACertificateFile /etc/ssl/certs/ca-certificates.crt
TLSCertificateFile /etc/letsencrypt/live/ldap.atlantishq.de/cert.pem #TLSCertificateFile /etc/letsencrypt/live/ldap.atlantishq.de/cert.pem
TLSCertificateKeyFile /etc/letsencrypt/live/ldap.atlantishq.de/privkey.pem #TLSCertificateKeyFile /etc/letsencrypt/live/ldap.atlantishq.de/privkey.pem
TLSVerifyClient try TLSVerifyClient try
logfile /var/log/slapd.log logfile /var/log/slapd.log
loglevel -1 #loglevel -1
loglevel none
directory /var/lib/ldap/ directory /var/lib/ldap/
cachesize 2000 cachesize 2000
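Review bot: In the second hunk `loglevel -1` is commented out and replaced by `loglevel none`, which moves the server from logging everything to logging nothing, so bind failures and connection events — the signals needed to audit an authentication directory — no longer reach /var/log/slapd.log even though the `logfile` directive is kept. `loglevel stats` (connections, operations, results) is the usual minimum; use it instead of `none`. With the three `TLS*` certificate lines commented out, `TLSVerifyClient try` has no effect and should be commented out too so the file does not suggest TLS is active. Both hunks are fragments of a longer file.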