summaryrefslogtreecommitdiffstats
path: root/roles/common-LDAP/tasks/main.yml
blob: 22265cd56297f7e19a47b89cbae35b9df3841f21 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
# XXX If #742056 gets fixed, we should preseed slapd to use peercreds as
# RootDN once the fix enters stable.
- name: Install OpenLDAP
  apt: pkg={{ item }}
  with_items:
    - slapd
    - ldap-utils
    - ldapvi
    - db-util
    - python-ldap
    # for the 'slapd2' munin plugin
    - libnet-ldap-perl
    - libauthen-sasl-perl

- name: Configure slapd
  template: src=etc/default/slapd.j2
            dest=/etc/default/slapd
            owner=root group=root
            mode=0644
  register: r1
  notify:
    - Restart slapd

- name: Create directory /etc/ldap/ssl
  file: path=/etc/ldap/ssl
        state=directory
        owner=root group=root
        mode=0755
  tags:
    - genkey

# XXX: It's ugly to list all roles here, and to prunes them with a
# conditional...
- name: Generate a private key and a X.509 certificate for slapd
  # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't
  # support ECDSA; and slapd doesn't seem to support DHE (!?) so
  # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with
  # SHA-512.
  command: genkeypair.sh x509
                         --pubkey=/etc/ldap/ssl/{{ item.name }}.pem
                         --privkey=/etc/ldap/ssl/{{ item.name }}.key
                         --ou=LDAP {{ item.ou }} --cn={{ item.name }}
                         --usage=digitalSignature,keyEncipherment,keyCertSign
                         -t rsa -b 4096 -h sha256
                         --owner=root --group=openldap --mode=0640
  register: r2
  changed_when: r2.rc == 0
  failed_when: r2.rc > 1
  with_items:
    - { group: 'LDAP-provider', name: ldap.fripost.org, ou:               }
    - { group: 'MX',            name: mx,               ou: --ou=SyncRepl }
    - { group: 'lists',         name: lists,            ou: --ou=SyncRepl }
  when: "item.group in group_names"
  tags:
    - genkey

- name: Fetch slapd's X.509 certificate
  # Ensure we don't fetch private data
  become: False
  fetch_cmd: cmd="openssl x509"
             stdin=/etc/ldap/ssl/{{ item.name }}.pem
             dest=certs/ldap/{{ item.name }}.pem
  with_items:
    - { group: 'LDAP-provider', name: ldap.fripost.org }
    - { group: 'MX',            name: mx               }
    - { group: 'lists',         name: lists            }
  when: "item.group in group_names"
  tags:
    - genkey

- name: Copy the SyncProv's server certificate
  copy: src=certs/ldap/ldap.fripost.org.pem
        dest=/etc/ldap/ssl/ldap.fripost.org.pem
        owner=root group=root
        mode=0644
  when: "'LDAP-provider' not in group_names"
  tags:
    - genkey

- name: Copy the SyncRepls's client certificates
  assemble: src=certs/ldap remote_src=no
            dest=/etc/ldap/ssl/clients.pem
            owner=root group=root
            mode=0644
  when: "'LDAP-provider' in group_names"
  tags:
    - genkey

- name: Start slapd
  service: name=slapd state=started
  when: not (r1.changed or r2.changed)

- meta: flush_handlers

- name: Copy fripost & amavis' schema
  copy: src=etc/ldap/schema/{{ item }}
        dest=/etc/ldap/schema/{{ item }}
        owner=root group=root
        mode=0644
  # It'd certainly be nicer if we didn't have to deploy amavis' schema
  # everywhere, but we need the 'objectClass' in our replicates, hence
  # they need to be aware of the 'amavisAccount' class.
  with_items:
    - fripost.ldif
    - amavis.schema
  tags:
    - amavis

- name: Load amavis' schema
  openldap: target=/etc/ldap/schema/amavis.schema
            format=slapd.conf name=amavis

- name: Load Fripost' schema
  openldap: target=/etc/ldap/schema/fripost.ldif

- name: Load the back_monitor overlay
  openldap: module=back_monitor

# We assume a clean (=stock) cn=config
- name: Configure the LDAP database
  openldap: target=etc/ldap/database.ldif.j2 local=template

# On read-only replicates, you might have to temporarily switch back to
# read-write, delete the SyncRepl, and delete the DN manually:
#     sudo ldapdelete -Y EXTERNAL -H ldapi:// cn=admin,dc=fripost,dc=org
- name: Remove cn=admin,dc=fripost,dc=org
  openldap: name="cn=admin,dc=fripost,dc=org" delete=entry

- name: Remove the rootDN under the 'config' database
  openldap: name="olcDatabase={0}config,cn=config" delete=olcRootDN,olcRootPW

- name: Copy /usr/local/sbin/slapcat-all.sh
  copy: src=usr/local/sbin/slapcat-all.sh
        dest=/usr/local/sbin/slapcat-all.sh
        owner=root group=staff
        mode=0755


- name: Install 'slapd2' Munin plugin
  # we don't install 'slapd_' because it doesn't support SASL binds and
  # ours is more parcimonious with LDAP connections
  file: src=/usr/local/share/munin/plugins/slapd2
        dest=/etc/munin/plugins/slapd2
        owner=root group=root
        state=link force=yes
  tags:
    - munin
    - munin-node
  notify:
    - Restart munin-node