# XXX If #742056 gets fixed, we should preseed slapd to use peercreds as
# RootDN once the fix enters stable.
- name: Install OpenLDAP
  # slapd plus client tooling; db-util goes with the on-disk backend whose
  # DB_CONFIG is shipped further down, and python-ldap is presumably what
  # the custom 'openldap' module used later in this file needs -- confirm.
  apt:
    name: "{{ item }}"
  with_items:
    - slapd
    - ldap-utils
    - ldapvi
    - db-util
    - python-ldap
- name: Configure slapd
  # Daemon defaults; the result is registered as r1 so that 'Start slapd'
  # below can tell whether a plain start is enough or whether the
  # 'Restart slapd' handler notified here will bring slapd up instead.
  template:
    src: etc/default/slapd.j2
    dest: /etc/default/slapd
    owner: root
    group: root
    mode: '0644'
  register: r1
  notify:
    - Restart slapd
- name: Copy DB_CONFIG
  # Backend configuration for /var/lib/ldap, owned by the daemon user.
  # Presumably tuning parameters only (no secrets), hence world-readable
  # -- confirm before adding anything sensitive to that file.
  copy:
    src: var/lib/ldap/DB_CONFIG
    dest: /var/lib/ldap/DB_CONFIG
    owner: openldap
    group: openldap
    mode: '0644'
- name: Create directory /etc/ldap/ssl
  # The directory itself is world-readable; the private keys written into
  # it by the genkey task below are individually restricted (root:openldap
  # 0640), so the protection lives on the files, not on the directory.
  file:
    path: /etc/ldap/ssl
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags:
    - genkey
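# XXX: It's ugly to list all roles here, and to prune them with a
# conditional...
- name: Generate a private key and a X.509 certificate for slapd
  # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't
  # support ECDSA, and slapd doesn't seem to support DHE (!?), so we're
  # stuck with "plain RSA" key exchange.  SHA-512 signatures also hit a
  # bug, hence sha256.
  #
  # Security notes:
  #  * Every host mints its own self-signed certificate.  keyCertSign is
  #    in the usage list because these certificates are presumably pinned
  #    as trust anchors by the peers (the copy/assemble tasks below ship
  #    them around).  The flip side: whoever obtains one of these private
  #    keys can sign further certificates that the peer would accept.
  #  * --chown/--chmod are presumably applied to the private key only
  #    (root:openldap 0640); the public .pem has to stay readable for the
  #    unprivileged fetch below -- confirm in genkeypair.sh.
  #  * Exit status of genkeypair.sh is assumed to be 0 = key pair created,
  #    1 = already present (nothing done), >1 = error -- TODO confirm.
  command: >-
    genkeypair.sh x509
    --pubkey=/etc/ldap/ssl/{{ item.name }}.pem
    --privkey=/etc/ldap/ssl/{{ item.name }}.key
    --ou=LDAP {{ item.ou }} --cn={{ item.name }}
    --usage=digitalSignature,keyEncipherment,keyCertSign
    -t rsa -b 4096 -h sha256
    --chown="root:openldap" --chmod=0640
  register: r2
  changed_when: r2.rc == 0
  failed_when: r2.rc > 1
  # A freshly generated key/certificate is only picked up on restart, and
  # the 'Start slapd' task below is deliberately skipped when r2 changed;
  # without this notify slapd would keep running with the previous key.
  notify:
    - Restart slapd
  with_items:
    # 'ou' is an empty string rather than null so that the provider's
    # command line does not end up with a stray "None" argument rendered
    # by Jinja.
    - group: 'LDAP-provider'
      name: ldap.fripost.org
      ou: ''
    - group: 'MX'
      name: mx
      ou: '--ou=SyncRepl'
    - group: 'lists'
      name: lists
      ou: '--ou=SyncRepl'
  when: "item.group in group_names"
  tags:
    - genkey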
- name: Fetch slapd's X.509 certificate
  # Deliberately run without privileges: the .key next to the .pem is
  # root:openldap 0640, so a typo in 'src' fails (fail_on_missing) instead
  # of silently pulling a private key onto the controller.
  #
  # NOTE(review): flat=yes stores the file as certs/ldap/<name>.pem
  # irrespective of the host it came from.  If several hosts share a group
  # (say two MX machines, each with its own key) they overwrite each
  # other's certificate and only the last one reaches clients.pem --
  # confirm the inventory has a single host per group.
  sudo: false
  fetch:
    src: "/etc/ldap/ssl/{{ item.name }}.pem"
    dest: certs/ldap/
    fail_on_missing: true
    flat: true
  with_items:
    - { group: 'LDAP-provider', name: ldap.fripost.org }
    - { group: 'MX', name: mx }
    - { group: 'lists', name: lists }
  when: "item.group in group_names"
  tags:
    - genkey
- name: Copy the SyncProv's server certificate
  # Replicas receive the provider's self-signed certificate, presumably to
  # pin it as the trust anchor for the SyncRepl connection configured in
  # database.ldif.j2 (not shown here).  Only the public .pem fetched above
  # travels; the key never leaves the provider.
  copy:
    src: certs/ldap/ldap.fripost.org.pem
    dest: /etc/ldap/ssl/ldap.fripost.org.pem
    owner: root
    group: root
    mode: '0644'
  when: "'LDAP-provider' not in group_names"
  tags:
    - genkey
- name: Copy the SyncRepls's client certificates
  # Concatenates every file under certs/ldap on the controller -- which
  # includes the provider's own ldap.fripost.org.pem -- into a single
  # bundle on the provider, presumably consumed as the CA file for client
  # certificate verification.  Anything dropped into certs/ldap therefore
  # becomes a trusted client: keep that directory under review.
  assemble:
    src: certs/ldap
    remote_src: false
    dest: /etc/ldap/ssl/clients.pem
    owner: root
    group: root
    mode: '0644'
  when: "'LDAP-provider' in group_names"
  tags:
    - genkey
- name: Start slapd
  # Plain start only when neither the daemon defaults (r1) nor the key
  # pair (r2) changed; otherwise the 'Restart slapd' handler, flushed
  # right below, is expected to bring slapd up with the new state.  Every
  # task whose result feeds r1/r2 must therefore notify that handler.
  service:
    name: slapd
    state: started
  when: not r1.changed and not r2.changed
- meta: flush_handlers
- name: Copy fripost & amavis' schema
  # It'd certainly be nicer if we didn't have to deploy amavis' schema
  # everywhere, but the replicas carry the 'objectClass' values from the
  # provider, so they must know the 'amavisAccount' class as well.
  copy:
    src: "etc/ldap/schema/{{ item }}"
    dest: "/etc/ldap/schema/{{ item }}"
    owner: root
    group: root
    mode: '0644'
  with_items:
    - fripost.ldif
    - amavis.schema
  tags:
    - amavis
- name: Load amavis' schema
  # amavis ships its schema in slapd.conf syntax rather than LDIF, hence
  # format=slapd.conf; 'name' presumably becomes the cn=schema entry name
  # chosen by the custom 'openldap' module -- confirm in the module.
  openldap:
    target: /etc/ldap/schema/amavis.schema
    format: slapd.conf
    name: amavis
  tags:
    - ldap
- name: Load Fripost' schema
  # Already in LDIF form, so no format conversion is requested.
  openldap:
    target: /etc/ldap/schema/fripost.ldif
  tags:
    - ldap
# We assume a clean (=stock) cn=config
- name: Configure the LDAP database
  # local=template renders etc/ldap/database.ldif.j2 on the controller
  # before it is applied; the database definition (presumably including
  # ACLs, SyncRepl and TLS settings) lives in that template, not here.
  openldap:
    target: etc/ldap/database.ldif.j2
    local: template
# On read-only replicates, you might have to temporarily switch back to
# read-write, delete the SyncRepl, and delete the DN manually:
# sudo ldapdelete -Y EXTERNAL -H ldapi:// cn=admin,dc=fripost,dc=org
- name: Remove cn=admin,dc=fripost,dc=org
  # Drop the stock admin entry so that no password-authenticated
  # super-user remains in the directory tree.
  openldap:
    name: "cn=admin,dc=fripost,dc=org"
    delete: entry
- name: Remove the rootDN under the 'config' database
  # Strip the password-based root identity from cn=config, leaving (as far
  # as this file shows) only the ldapi:// EXTERNAL/peercred path used in
  # the ldapdelete example above -- no root password to leak or guess.
  # See also the #742056 note at the top about doing the same for the
  # data database.
  openldap:
    name: "olcDatabase={0}config,cn=config"
    delete: olcRootDN,olcRootPW