Diffstat (limited to 'roles/common-LDAP')
-rwxr-xr-x | roles/common-LDAP/files/usr/local/sbin/slapcat-all.sh | 5 | ||||
-rw-r--r-- | roles/common-LDAP/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/common-LDAP/tasks/main.yml | 33 | ||||
-rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 8 |
4 files changed, 43 insertions, 6 deletions
diff --git a/roles/common-LDAP/files/usr/local/sbin/slapcat-all.sh b/roles/common-LDAP/files/usr/local/sbin/slapcat-all.sh
index 8aa8f78..cd5abd9 100755
--- a/roles/common-LDAP/files/usr/local/sbin/slapcat-all.sh
+++ b/roles/common-LDAP/files/usr/local/sbin/slapcat-all.sh
@@ -1,19 +1,20 @@
#!/bin/sh
# Usage: slapcat-all.sh DIR
# Save all LDAP databases in DIR: DIR/0.ldif, DIR/1.ldif, ...
set -ue
PATH=/usr/sbin:/sbin:/usr/bin:/bin
target="$1"
umask 0077
-prefix=slapd-
+prefix=slapcat-
slapcat -n0 -l"$target/${prefix}0.ldif"
n=$(grep -Ec '^dn:\s+olcDatabase={[1-9][0-9]*}' "$target/${prefix}0.ldif")
while [ $n -gt 0 ]; do
- slapcat -n$n -l"$target/${prefix}$n.ldif"
+ # the Monitor backend can't be slapcat(8)'ed
+ grep -qE "^dn:\s+olcDatabase=\{$n\}monitor,cn=config$" "$target/${prefix}0.ldif" || slapcat -n$n -l"$target/${prefix}$n.ldif"
n=$(( $n - 1 ))
done
diff --git a/roles/common-LDAP/handlers/main.yml b/roles/common-LDAP/handlers/main.yml
index 6972af2..8837729 100644
--- a/roles/common-LDAP/handlers/main.yml
+++ b/roles/common-LDAP/handlers/main.yml
@@ -1,2 +1,5 @@
- name: Restart slapd
service: name=slapd state=restarted
+
+- name: Restart munin-node
+ service: name=munin-node state=restarted
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 2eb0dfb..a8c784d 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
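Review bot: The new `grep -qE` guard relies on `\s` inside an ERE, which is a GNU grep extension rather than POSIX; under `#!/bin/sh` on a non-GNU userland the pattern can fail to match, the `||` branch then runs, and the script tries to slapcat the Monitor backend anyway, which is exactly what the guard is meant to prevent. `[[:space:]]` is the portable spelling: `grep -qE "^dn:[[:space:]]+olcDatabase=\{$n\}monitor,cn=config$" "$target/${prefix}0.ldif" || slapcat -n$n -l"$target/${prefix}$n.ldif"`; the pre-existing `n=$(grep -Ec …)` line has the same `\s`. Renaming the output prefix from `slapd-` to `slapcat-` also changes the filenames any backup or restore job consuming `DIR/slapd-N.ldif` would expect, and nothing in this commit updates such a consumer, so it is worth confirming none exists. The usage comment at the top of the hunk still documents the outputs as `DIR/0.ldif, DIR/1.ldif, ...` and should be updated to `DIR/slapcat-0.ldif, DIR/slapcat-1.ldif, ...`.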
@@ -1,30 +1,33 @@ # XXX If #742056 gets fixed, we should preseed slapd to use peercreds as # RootDN once the fix enters stable. - name: Install OpenLDAP apt: pkg={{ item }} with_items: - slapd - ldap-utils - ldapvi - db-util - python-ldap + # for the 'slapd2_' munin plugin + - libnet-ldap-perl + - libauthen-sasl-perl - name: Configure slapd template: src=etc/default/slapd.j2 dest=/etc/default/slapd owner=root group=root mode=0644 register: r1 notify: - Restart slapd - name: Create directory /etc/ldap/ssl file: path=/etc/ldap/ssl state=directory owner=root group=root mode=0755 tags: - genkey # XXX: It's ugly to list all roles here, and to prunes them with a # conditional... 
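Review bot: The two perl packages added to the `Install OpenLDAP` task are, per the comment, only needed by the `slapd2_` munin plugin, but this task carries no tags while the plugin-linking task in the later hunk of this file is tagged `munin`/`munin-node`; a tag-limited run will create the plugin symlinks without installing their dependencies. Either add the same `munin`/`munin-node` tags to a separate apt task for these two packages, or state the dependency in the comment, e.g. `# for the 'slapd2_' munin plugin (not tag-limited: keep in sync with the munin task below)`. The plugin file `/usr/local/share/munin/plugins/slapd2_` that these packages serve is not deployed anywhere in this commit, so it is presumably shipped by another role — worth confirming.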
@@ -90,46 +93,68 @@ - meta: flush_handlers - name: Copy fripost & amavis' schema copy: src=etc/ldap/schema/{{ item }} dest=/etc/ldap/schema/{{ item }} owner=root group=root mode=0644 # It'd certainly be nicer if we didn't have to deploy amavis' schema # everywhere, but we need the 'objectClass' in our replicates, hence # they need to be aware of the 'amavisAccount' class. with_items: - fripost.ldif - amavis.schema tags: - amavis - name: Load amavis' schema openldap: target=/etc/ldap/schema/amavis.schema format=slapd.conf name=amavis - tags: - - ldap - name: Load Fripost' schema openldap: target=/etc/ldap/schema/fripost.ldif - tags: - - ldap + +- name: Load the back_monitor overlay + openldap: module=back_monitor # We assume a clean (=stock) cn=config - name: Configure the LDAP database openldap: target=etc/ldap/database.ldif.j2 local=template # On read-only replicates, you might have to temporarily switch back to # read-write, delete the SyncRepl, and delete the DN manually: # sudo ldapdelete -Y EXTERNAL -H ldapi:// cn=admin,dc=fripost,dc=org - name: Remove cn=admin,dc=fripost,dc=org openldap: name="cn=admin,dc=fripost,dc=org" delete=entry - name: Remove the rootDN under the 'config' database openldap: name="olcDatabase={0}config,cn=config" delete=olcRootDN,olcRootPW - name: Copy /usr/local/sbin/slapcat-all.sh copy: src=usr/local/sbin/slapcat-all.sh dest=/usr/local/sbin/slapcat-all.sh owner=root group=root mode=0755 + + +- name: Install 'slapd2_' Munin wildcard plugin + # we don't install 'slapd_' because it doesn't support SASL binds + file: src=/usr/local/share/munin/plugins/slapd2_ + dest=/etc/munin/plugins/slapd2_{{ item }} + owner=root group=root + state=link force=yes + with_items: + # sudo /usr/share/munin/plugins/slapd2_ suggest + - connections + - statistics_entries + - operations_diff + - statistics_referrals + - statistics_pdu + - waiters + - statistics_bytes + - operations + tags: + - munin + - munin-node + notify: + - Restart munin-node 
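Review bot: The `Install 'slapd2_' Munin wildcard plugin` task creates the plugin symlinks but nothing in this hunk, or elsewhere in the commit, sets the user the plugin runs as; the `olcAccess` added in database.ldif.j2 grants read on `cn=monitor` only to the peercred identity `username=munin` over `ldapi://` and `=0` to everyone else, so unless a `/etc/munin/plugin-conf.d` stanza (presumably from another role, not visible here) runs `slapd2_*` as `munin`, the plugin will bind as munin-node's default plugin user and read nothing. A one-line comment on the task would make that coupling explicit, e.g. `# must run as 'munin' (plugin-conf.d) to match the cn=monitor peercred ACL in database.ldif.j2`. `force=yes` on the `state=link` task also silently replaces any existing regular file at `/etc/munin/plugins/slapd2_*`, which is fine for a fully managed host but worth a comment if local overrides are ever expected. The `Load the back_monitor overlay` task is ordered before `Configure the LDAP database`, which is correct since the `olcDatabase=monitor` entry depends on the module; a short comment saying so would keep a future reordering from breaking it.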
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index b2981b3..5f9d8b1 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -30,40 +30,48 @@ olcThreads: 8 olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key # If we are being offered a client cert, it has to be trusted (in which # case we map the X.509 subject to a DN in our namespace), or we # terminate the connection. Not providing a certificate is fine for # TLS-protected simple binds, though. olcTLSVerifyClient: try olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$" "$1,dc=fripost,dc=org" olcSaslSecProps: minssf=128,noanonymous,noplain,nodict olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1 {% endif %} olcLocalSSF: 128 # /!\ This is not portable! But we only use glibc's crypt(3), which # supports (salted, streched) SHA512 olcPasswordHash: {CRYPT} olcPasswordCryptSaltFormat: $6$%s +dn: olcDatabase=monitor,cn=config +objectClass: olcDatabaseConfig +objectClass: olcMonitorConfig +olcAccess: to dn.subtree="cn=monitor" + by dn.exact="username=munin,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" read + by * =0 + + dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDbDirectory: /var/lib/ldap olcSuffix: dc=fripost,dc=org {% if 'LDAP-provider' not in group_names and 'MX' in group_names %} olcReadOnly: TRUE {% endif %} {% if 'LDAP-provider' in group_names %} olcLastMod: TRUE olcDbCheckpoint: 512 15 {% else %} olcLastMod: FALSE {% endif %} # The root user has all rights on the whole database (when SASL-binding # on a UNIX socket). olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth # Ensure that all DIT access is made according to the LDAPv3 protocol, # and must use 1/ authentication, and 2/ SASL or TLS. (Local clients # should use ldapi:// and SASL/EXERNAL, while remote clients should use |