diff options
Diffstat (limited to 'roles/common-LDAP/tasks')
| -rw-r--r-- | roles/common-LDAP/tasks/main.yml | 36 |
1 files changed, 9 insertions, 27 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index 43c6bfb..3b8b36c 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml @@ -1,88 +1,69 @@ # XXX If #742056 gets fixed, we should preseed slapd to use peercreds as # RootDN once the fix enters stable. - name: Install OpenLDAP apt: pkg={{ item }} with_items: - slapd - ldap-utils - ldapvi - db-util - python-ldap - name: Configure slapd template: src=etc/default/slapd.j2 dest=/etc/default/slapd owner=root group=root mode=0644 register: r1 notify: - Restart slapd -# Upon install slapd create and populate a database under /var/lib/ldap. -# We clear it up and create a children directory to get finer-grain -# control. -- name: Clear empty /var/lib/ldap - # Don't remove the database (and fail) if it contains something else - # than its suffix or cn=admin,... - openldap: dbdirectory=/var/lib/ldap ignoredn=cn=admin - state=absent - -- name: Create directory /var/lib/ldap/fripost - file: path=/var/lib/ldap/fripost - state=directory +- name: Copy DB_CONFIG + copy: src=var/lib/ldap/DB_CONFIG + dest=/var/lib/ldap/DB_CONFIG owner=openldap group=openldap - mode=0700 - -- name: Copy /var/lib/ldap/fripost/DB_CONFIG - copy: src=var/lib/ldap/fripost/DB_CONFIG - dest=/var/lib/ldap/fripost/DB_CONFIG - owner=openldap group=openldap - mode=0600 - register: r2 - notify: - # Not sure if required - - Restart slapd + mode=0644 - name: Create directory /etc/ldap/ssl file: path=/etc/ldap/ssl state=directory owner=root group=root mode=0755 tags: - genkey - name: Generate a private key and a X.509 certificate for slapd # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't # support ECDSA; and slapd doesn't seem to support DHE (!?) so # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with # SHA-512. command: genkeypair.sh x509 --pubkey=/etc/ldap/ssl/{{ item.name }}.pem --privkey=/etc/ldap/ssl/{{ item.name }}.key --ou=LDAP {{ item.ou }} --cn={{ item.name }} --usage=digitalSignature,keyEncipherment -t rsa -b 4096 -h sha256 --chown="root:openldap" --chmod=0640 - register: r3 - changed_when: r3.rc == 0 - failed_when: r3.rc > 1 + register: r2 + changed_when: r2.rc == 0 + failed_when: r2.rc > 1 with_items: - { group: 'LDAP-provider', name: ldap.fripost.org, ou: } - { group: 'MX', name: mx, ou: --ou=SyncRepl } - { group: 'lists', name: lists, ou: --ou=SyncRepl } when: "item.group in group_names" tags: - genkey - name: Fetch slapd's X.509 certificate # Ensure we don't fetch private data sudo: False fetch: src=/etc/ldap/ssl/{{ item.name }}.pem dest=certs/ldap/ fail_on_missing=yes flat=yes with_items: - { group: 'LDAP-provider', name: ldap.fripost.org } - { group: 'MX', name: mx } - { group: 'lists', name: lists } when: "item.group in group_names" @@ -106,29 +87,30 @@ # It'd certainly be nicer if we didn't have to deploy amavis' schema # everywhere, but we need the 'objectClass' in our replicates, hence # they need to be aware of the 'amavisAccount' class. with_items: - fripost.ldif - amavis.schema tags: - amavis - name: Load amavis' schema openldap: target=/etc/ldap/schema/amavis.schema state=present format=slapd.conf name=amavis tags: - ldap - name: Load Fripost' schema openldap: target=/etc/ldap/schema/fripost.ldif state=present tags: - ldap +# We assume a clean (=stock) cn=config - name: Configure the LDAP database openldap: target=etc/ldap/database.ldif.j2 local=template state=present - name: Start slapd service: name=slapd state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers |