# XXX If #742056 gets fixed, we should preseed slapd to use peercreds as # RootDN once the fix enters stable. - name: Install OpenLDAP apt: pkg={{ item }} with_items: - slapd - ldap-utils - ldapvi - db-util - python-ldap - name: Configure slapd template: src=etc/default/slapd.j2 dest=/etc/default/slapd owner=root group=root mode=0644 register: r1 notify: - Restart slapd # Upon install slapd create and populate a database under /var/lib/ldap. # We clear it up and create a children directory to get finer-grain # control. - name: Clear empty /var/lib/ldap # Don't remove the database (and fail) if it contains something else # than its suffix or cn=admin,... openldap: dbdirectory=/var/lib/ldap ignoredn=cn=admin state=absent - name: Create directory /var/lib/ldap/fripost file: path=/var/lib/ldap/fripost state=directory owner=openldap group=openldap mode=0700 - name: Copy /var/lib/ldap/fripost/DB_CONFIG copy: src=var/lib/ldap/fripost/DB_CONFIG dest=/var/lib/ldap/fripost/DB_CONFIG owner=openldap group=openldap mode=0600 register: r2 notify: # Not sure if required - Restart slapd - name: Create directory /etc/ldap/ssl file: path=/etc/ldap/ssl state=directory owner=root group=root mode=0755 tags: - genkey - name: Generate a private key and a X.509 certificate for slapd # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't # support ECDSA; and slapd doesn't seem to support DHE (!?) so # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with # SHA-512. command: genkeypair.sh x509 --pubkey=/etc/ldap/ssl/{{ item.name }}.pem --privkey=/etc/ldap/ssl/{{ item.name }}.key --ou=LDAP {{ item.ou }} --cn={{ item.name }} --usage=digitalSignature,keyEncipherment -t rsa -b 4096 -h sha256 --chown="root:openldap" --chmod=0640 register: r3 changed_when: r3.rc == 0 failed_when: r3.rc > 1 with_items: - { group: 'LDAP-provider', name: ldap.fripost.org, ou: } - { group: 'MX', name: mx, ou: --ou=SyncRepl } - { group: 'lists', name: lists, ou: --ou=SyncRepl } when: "item.group in group_names" tags: - genkey - name: Fetch slapd's X.509 certificate # Ensure we don't fetch private data sudo: False fetch: src=/etc/ldap/ssl/{{ item.name }}.pem dest=certs/ldap/ fail_on_missing=yes flat=yes with_items: - { group: 'LDAP-provider', name: ldap.fripost.org } - { group: 'MX', name: mx } - { group: 'lists', name: lists } when: "item.group in group_names" tags: - genkey - name: Copy the SyncProv's server certificate copy: src=certs/ldap/ldap.fripost.org.pem dest=/etc/ldap/ssl/ldap.fripost.org.pem owner=root group=root mode=0644 tags: - genkey when: "'LDAP-provider' not in group_names" - name: Copy fripost & amavis' schema copy: src=etc/ldap/schema/{{ item }} dest=/etc/ldap/schema/{{ item }} owner=root group=root mode=0644 # It'd certainly be nicer if we didn't have to deploy amavis' schema # everywhere, but we need the 'objectClass' in our replicates, hence # they need to be aware of the 'amavisAccount' class. with_items: - fripost.ldif - amavis.schema tags: - amavis - name: Load amavis' schema openldap: target=/etc/ldap/schema/amavis.schema state=present format=slapd.conf name=amavis tags: - ldap - name: Load Fripost' schema openldap: target=/etc/ldap/schema/fripost.ldif state=present tags: - ldap - name: Configure the LDAP database openldap: target=etc/ldap/database.ldif.j2 local=template state=present - name: Start slapd service: name=slapd state=started when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers