1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
# XXX If #742056 gets fixed, we should preseed slapd to use peercreds as
# RootDN once the fix enters stable.
- name: Install OpenLDAP
apt: pkg={{ item }}
with_items:
- slapd
- ldap-utils
- ldapvi
- db-util
- python-ldap
- name: Configure slapd
template: src=etc/default/slapd.j2
dest=/etc/default/slapd
owner=root group=root
mode=0644
register: r1
notify:
- Restart slapd
# Upon install slapd create and populate a database under /var/lib/ldap.
# We clear it up and create a children directory to get finer-grain
# control.
- name: Clear empty /var/lib/ldap
# Don't remove the database (and fail) if it contains something else
# than its suffix or cn=admin,...
openldap: dbdirectory=/var/lib/ldap ignoredn=cn=admin
state=absent
- name: Create directory /var/lib/ldap/fripost
file: path=/var/lib/ldap/fripost
state=directory
owner=openldap group=openldap
mode=0700
- name: Copy /var/lib/ldap/fripost/DB_CONFIG
copy: src=var/lib/ldap/fripost/DB_CONFIG
dest=/var/lib/ldap/fripost/DB_CONFIG
owner=openldap group=openldap
mode=0600
register: r2
notify:
# Not sure if required
- Restart slapd
- name: Create directory /etc/ldap/ssl
file: path=/etc/ldap/ssl
state=directory
owner=root group=root
mode=0755
tags:
- genkey
- name: Generate a private key and a X.509 certificate for slapd
# XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't
# support ECDSA; and slapd doesn't seem to support DHE (!?) so
# we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with
# SHA-512.
command: genkeypair.sh x509
--pubkey=/etc/ldap/ssl/{{ item.name }}.pem
--privkey=/etc/ldap/ssl/{{ item.name }}.key
--ou=LDAP {{ item.ou }} --cn={{ item.name }}
--usage=digitalSignature,keyEncipherment
-t rsa -b 4096 -h sha256
--chown="root:openldap" --chmod=0640
register: r3
changed_when: r3.rc == 0
failed_when: r3.rc > 1
with_items:
- { group: 'LDAP-provider', name: ldap.fripost.org, ou: }
- { group: 'MX', name: mx, ou: --ou=SyncRepl }
- { group: 'lists', name: lists, ou: --ou=SyncRepl }
when: "item.group in group_names"
tags:
- genkey
- name: Fetch slapd's X.509 certificate
# Ensure we don't fetch private data
sudo: False
fetch: src=/etc/ldap/ssl/{{ item.name }}.pem
dest=certs/ldap/
fail_on_missing=yes
flat=yes
with_items:
- { group: 'LDAP-provider', name: ldap.fripost.org }
- { group: 'MX', name: mx }
- { group: 'lists', name: lists }
when: "item.group in group_names"
tags:
- genkey
- name: Copy the SyncProv's server certificate
copy: src=certs/ldap/ldap.fripost.org.pem
dest=/etc/ldap/ssl/ldap.fripost.org.pem
owner=root group=root
mode=0644
tags:
- genkey
when: "'LDAP-provider' not in group_names"
- name: Copy fripost & amavis' schema
copy: src=etc/ldap/schema/{{ item }}
dest=/etc/ldap/schema/{{ item }}
owner=root group=root
mode=0644
# It'd certainly be nicer if we didn't have to deploy amavis' schema
# everywhere, but we need the 'objectClass' in our replicates, hence
# they need to be aware of the 'amavisAccount' class.
with_items:
- fripost.ldif
- amavis.schema
tags:
- amavis
- name: Load amavis' schema
openldap: target=/etc/ldap/schema/amavis.schema state=present
format=slapd.conf name=amavis
tags:
- ldap
- name: Load Fripost' schema
openldap: target=/etc/ldap/schema/fripost.ldif state=present
tags:
- ldap
- name: Configure the LDAP database
openldap: target=etc/ldap/database.ldif.j2 local=template
state=present
- name: Start slapd
service: name=slapd state=started
when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers
|
