1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
|
# XXX If #742056 gets fixed, we should preseed slapd to use peercreds as
# RootDN once the fix enters stable.
- name: Install OpenLDAP
apt: pkg={{ item }}
with_items:
- slapd
- ldap-utils
- ldapvi
- db-util
- python-ldap
# for the 'slapd2' munin plugin
- libnet-ldap-perl
- libauthen-sasl-perl
- name: Configure slapd
template: src=etc/default/slapd.j2
dest=/etc/default/slapd
owner=root group=root
mode=0644
register: r1
notify:
- Restart slapd
- name: Create directory /etc/ldap/ssl
file: path=/etc/ldap/ssl
state=directory
owner=root group=root
mode=0755
tags:
- genkey
# XXX: It's ugly to list all roles here, and to prunes them with a
# conditional...
- name: Generate a private key and a X.509 certificate for slapd
# XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't
# support ECDSA; and slapd doesn't seem to support DHE (!?) so
# we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with
# SHA-512.
command: genkeypair.sh x509
--pubkey=/etc/ldap/ssl/{{ item.name }}.pem
--privkey=/etc/ldap/ssl/{{ item.name }}.key
--ou=LDAP {{ item.ou }} --cn={{ item.name }}
--usage=digitalSignature,keyEncipherment,keyCertSign
-t rsa -b 4096 -h sha256
--owner=root --group=openldap --mode=0640
register: r2
changed_when: r2.rc == 0
failed_when: r2.rc > 1
with_items:
- { group: 'LDAP-provider', name: ldap.fripost.org, ou: }
- { group: 'MX', name: mx, ou: --ou=SyncRepl }
- { group: 'lists', name: lists, ou: --ou=SyncRepl }
when: "item.group in group_names"
tags:
- genkey
- name: Fetch slapd's X.509 certificate
# Ensure we don't fetch private data
become: False
fetch_cmd: cmd="openssl x509"
stdin=/etc/ldap/ssl/{{ item.name }}.pem
dest=certs/ldap/{{ item.name }}.pem
with_items:
- { group: 'LDAP-provider', name: ldap.fripost.org }
- { group: 'MX', name: mx }
- { group: 'lists', name: lists }
when: "item.group in group_names"
tags:
- genkey
- name: Copy the SyncProv's server certificate
copy: src=certs/ldap/ldap.fripost.org.pem
dest=/etc/ldap/ssl/ldap.fripost.org.pem
owner=root group=root
mode=0644
when: "'LDAP-provider' not in group_names"
tags:
- genkey
- name: Copy the SyncRepls's client certificates
assemble: src=certs/ldap remote_src=no
dest=/etc/ldap/ssl/clients.pem
owner=root group=root
mode=0644
when: "'LDAP-provider' in group_names"
tags:
- genkey
- name: Start slapd
service: name=slapd state=started
when: not (r1.changed or r2.changed)
- meta: flush_handlers
- name: Copy fripost & amavis' schema
copy: src=etc/ldap/schema/{{ item }}
dest=/etc/ldap/schema/{{ item }}
owner=root group=root
mode=0644
# It'd certainly be nicer if we didn't have to deploy amavis' schema
# everywhere, but we need the 'objectClass' in our replicates, hence
# they need to be aware of the 'amavisAccount' class.
with_items:
- fripost.ldif
- amavis.schema
tags:
- amavis
- name: Load amavis' schema
openldap: target=/etc/ldap/schema/amavis.schema
format=slapd.conf name=amavis
- name: Load Fripost' schema
openldap: target=/etc/ldap/schema/fripost.ldif
- name: Load the back_monitor overlay
openldap: module=back_monitor
# We assume a clean (=stock) cn=config
- name: Configure the LDAP database
openldap: target=etc/ldap/database.ldif.j2 local=template
# On read-only replicates, you might have to temporarily switch back to
# read-write, delete the SyncRepl, and delete the DN manually:
# sudo ldapdelete -Y EXTERNAL -H ldapi:// cn=admin,dc=fripost,dc=org
- name: Remove cn=admin,dc=fripost,dc=org
openldap: name="cn=admin,dc=fripost,dc=org" delete=entry
- name: Remove the rootDN under the 'config' database
openldap: name="olcDatabase={0}config,cn=config" delete=olcRootDN,olcRootPW
- name: Copy /usr/local/sbin/slapcat-all.sh
copy: src=usr/local/sbin/slapcat-all.sh
dest=/usr/local/sbin/slapcat-all.sh
owner=root group=staff
mode=0755
- name: Install 'slapd2' Munin plugin
# we don't install 'slapd_' because it doesn't support SASL binds and
# ours is more parcimonious with LDAP connections
file: src=/usr/local/share/munin/plugins/slapd2
dest=/etc/munin/plugins/slapd2
owner=root group=root
state=link force=yes
tags:
- munin
- munin-node
notify:
- Restart munin-node
|