summaryrefslogtreecommitdiffstats
path: root/roles/common-LDAP/tasks/main.yml
blob: 60ccc7670d0859c5c58ee0825c98daa2467de406 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
# XXX If #742056 gets fixed, we should preseed slapd to use peercreds as
# RootDN once the fix enters stable.
- name: Install OpenLDAP
  apt: pkg={{ item }}
  with_items:
    - slapd
    - ldap-utils
    - ldapvi
    - db-util
    - python-ldap

- name: Configure slapd
  template: src=etc/default/slapd.j2
            dest=/etc/default/slapd
            owner=root group=root
            mode=0644
  register: r1
  notify:
    - Restart slapd

- name: Copy DB_CONFIG
  copy: src=var/lib/ldap/DB_CONFIG
        dest=/var/lib/ldap/DB_CONFIG
        owner=openldap group=openldap
        mode=0644

- name: Create directory /etc/ldap/ssl
  file: path=/etc/ldap/ssl
        state=directory
        owner=root group=root
        mode=0755
  tags:
    - genkey

# XXX: It's ugly to list all roles here, and to prunes them with a
# conditional...
- name: Generate a private key and a X.509 certificate for slapd
  # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't
  # support ECDSA; and slapd doesn't seem to support DHE (!?) so
  # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with
  # SHA-512.
  command: genkeypair.sh x509
                         --pubkey=/etc/ldap/ssl/{{ item.name }}.pem
                         --privkey=/etc/ldap/ssl/{{ item.name }}.key
                         --ou=LDAP {{ item.ou }} --cn={{ item.name }}
                         --usage=digitalSignature,keyEncipherment,keyCertSign
                         -t rsa -b 4096 -h sha256
                         --chown="root:openldap" --chmod=0640
  register: r2
  changed_when: r2.rc == 0
  failed_when: r2.rc > 1
  with_items:
    - { group: 'LDAP-provider', name: ldap.fripost.org, ou:               }
    - { group: 'MX',            name: mx,               ou: --ou=SyncRepl }
    - { group: 'lists',         name: lists,            ou: --ou=SyncRepl }
  when: "item.group in group_names"
  tags:
    - genkey

- name: Fetch slapd's X.509 certificate
  # Ensure we don't fetch private data
  sudo: False
  fetch: src=/etc/ldap/ssl/{{ item.name }}.pem
         dest=certs/ldap/
         fail_on_missing=yes
         flat=yes
  with_items:
    - { group: 'LDAP-provider', name: ldap.fripost.org }
    - { group: 'MX',            name: mx               }
    - { group: 'lists',         name: lists            }
  when: "item.group in group_names"
  tags:
    - genkey

- name: Copy the SyncProv's server certificate
  copy: src=certs/ldap/ldap.fripost.org.pem
        dest=/etc/ldap/ssl/ldap.fripost.org.pem
        owner=root group=root
        mode=0644
  when: "'LDAP-provider' not in group_names"
  tags:
    - genkey

- name: Copy the SyncRepls's client certificates
  assemble: src=certs/ldap
            remote_src=no
            dest=/etc/ldap/ssl/clients.pem
            owner=root group=root
            mode=0644
  when: "'LDAP-provider' in group_names"
  tags:
    - genkey

- name: Start slapd
  service: name=slapd state=started
  when: not (r1.changed or r2.changed)

- meta: flush_handlers

- name: Copy fripost & amavis' schema
  copy: src=etc/ldap/schema/{{ item }}
        dest=/etc/ldap/schema/{{ item }}
        owner=root group=root
        mode=0644
  # It'd certainly be nicer if we didn't have to deploy amavis' schema
  # everywhere, but we need the 'objectClass' in our replicates, hence
  # they need to be aware of the 'amavisAccount' class.
  with_items:
    - fripost.ldif
    - amavis.schema
  tags:
    - amavis

- name: Load amavis' schema
  openldap: target=/etc/ldap/schema/amavis.schema
            format=slapd.conf name=amavis
  tags:
    - ldap

- name: Load Fripost' schema
  openldap: target=/etc/ldap/schema/fripost.ldif
  tags:
    - ldap

# We assume a clean (=stock) cn=config
- name: Configure the LDAP database
  openldap: target=etc/ldap/database.ldif.j2 local=template

# On read-only replicates, you might have to temporarily switch back to
# read-write, delete the SyncRepl, and delete the DN manually:
#     sudo ldapdelete -Y EXTERNAL -H ldapi:// cn=admin,dc=fripost,dc=org
- name: Remove cn=admin,dc=fripost,dc=org
  openldap: name="cn=admin,dc=fripost,dc=org" delete=entry

- name: Remove the rootDN under the 'config' database
  openldap: name="olcDatabase={0}config,cn=config" delete=olcRootDN,olcRootPW