diff --git a/README.md b/README.md index 8c20af1..aab6cce 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,7 @@ You'll need to store the hash value for your admin passwords. You'll get it like /usr/local/openldap/sbin/slappasswd -o module-path="/usr/local/openldap/libexec/openldap" -o module-load="argon2" -h "{ARGON2}" -s "password" ``` -Store the passwords in the vault file in: `tests/credentials-vault.yml` +Store the passwords in the vault file in: `playbook/credentials-vault.yml` Playbook examples 
@@ -38,46 +38,49 @@ ansible.cfg roles_path=../ ``` -See `tests/standalone.yml` +See `playbook/standalone.yml` Run playbook with: + ``` -ansible-playbook tests/standalone.yml -i tests/inventory --ask-vault-pass +ansible-playbook playbook/standalone.yml -i playbook/inventory --ask-vault-pass ``` -or: +You can also run an openldap cluster with 2 masters and 2 slaves with the multimaster playbook: ``` -ansible-playbook tests/standalone.yml -i tests/inventory --vault-password-file .vault_pass +ansible-playbook playbook/multimaster.yml -i playbook/inventory --ask-vault-pass ``` -If you need a two-nodes multimaster example, give a look at `tests/multimaster1.yml` and `tests/multimaster2.yml` +or: +``` +ansible-playbook playbook/multimaster.yml -i playbook/inventory --vault-password-file .vault_pass +``` -Give a look to `tests/monitoring.yml` for an example of playbook that deploys LTB monitoring and statistics tools +For using this cluster, you must create the corresponding machines and declare the routes, as defined in `playbook/inventory`. -Run the corresponding task with: +You also have to fill the certificate in `playbook/certificates-vault.yml`. You can use this command for editing the file: (the default password is: secret) ``` -ansible-playbook tests/monitoring.yml -i tests/inventory +ansible-vault edit playbook/certificates-vault.yml ``` -If you want to install openldap on RHEL-like OS with certificates, you can define them in `tests/standalone.yml`: +Give a look at `playbook/group_vars/prod.yml`, `playbook/host_vars/master1.yml` and `playbook/host_vars/master2.yml` for variable customization +You can also use `--extra-vars variable=value` at the command line for overloading any variable. 
-```
-ldaptoolbox_openldap_olcTLSCACertificateFile=/etc/pki/ca-trust/source/anchors/ca-cert.pem
-ldaptoolbox_openldap_olcTLSCertificateFile=/etc/pki/tls/certs/ldaps-cert.pem
-ldaptoolbox_openldap_olcTLSCertificateKeyFile=/etc/pki/tls/private/ldaps.key
-```
-You can also overload these variables in the command line:
+Give a look to `playbook/monitoring.yml` for an example of playbook that deploys LTB monitoring and statistics tools
+
+Run the corresponding task with:
 ```
-ansible-playbook tests/standalone.yml -i tests/inventory --ask-vault-pass --extra-vars "ldaptoolbox_openldap_olcTLSCACertificateFile=/etc/pki/ca-trust/source/anchors/ca-cert.pem ldaptoolbox_openldap_olcTLSCertificateFile=/etc/pki/tls/certs/ldaps-cert.pem ldaptoolbox_openldap_olcTLSCertificateKeyFile=/etc/pki/tls/private/ldaps.key"
+ansible-playbook playbook/monitoring.yml -i playbook/inventory
 ```
+
 License
 -------
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..12cb11b
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,5 @@
+[defaults]
+roles_path=../
+[colors]
+warn = white
+error = yellow
diff --git a/defaults/main.yml b/defaults/main.yml
index b8bb49f..e2b0e47 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -9,7 +9,7 @@ ldaptoolbox_openldap_apt_key_url: "https://ltb-project.org/documentation/_static
 ldaptoolbox_openldap_apt_key_id: "3FC3FD92ABA3975D2BEB95A70AC51F926D45BFC5"
 ldaptoolbox_openldap_apt_repo_filename: "ltb-project-openldap"
 ldaptoolbox_openldap_apt_keyrings_path: /usr/share/keyrings
-ldaptoolbox_openldap_apt_repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/ltb-project-openldap.gpg] http://ltb-project.org/debian/openldap25/bullseye bullseye main"
+ldaptoolbox_openldap_apt_repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/ltb-project-openldap.gpg] http://ltb-project.org/debian/openldap26/bookworm bookworm main"
 ldaptoolbox_openldap_apt_validate_certs: "true"
 # Packages
@@ -35,6 +35,10 @@ ldaptoolbox_openldap_slapd_cli_cmd: /usr/local/openldap/sbin/slapd-cli
 # OpenLDAP configuration
 ################################################################################
+# Options
+olcAttributeOptions:
+ - lang-
+
 # Suffix
 ldaptoolbox_openldap_suffix: "{{ ldaptoolbox_openldap_suffix }}"
@@ -51,13 +55,20 @@ ldaptoolbox_openldap_olcTLSProtocolMin: 3.3
 # Log level
 ldaptoolbox_openldap_olcLogLevel: stats
+ldaptoolbox_openldap_olcLogFile: "/var/log/slapd-ltb/slapd.log"
+ldaptoolbox_openldap_olcLogFileRotate: "30 1024 24"
+
+# Size limit
+ldaptoolbox_openldap_olcSizeLimit: 1000
 # Enabled modules
 ldaptoolbox_openldap_module_list:
 - argon2.la
 - pw-pbkdf2.la
+ - pw-sha2.la
 - back_mdb.la
 - dynlist.la
+ - memberof.la
 - ppolicy.la
 - syncprov.la
 - unique.la
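Review bot: The new default key `olcAttributeOptions` is the only variable in this file without the `ldaptoolbox_openldap_` prefix, and the multimaster playbook added in this same commit sets `ldaptoolbox_openldap_olcAttributeOptions: []`, so this default is most likely never read by the role and the `lang-` option is silently not applied. Rename it to `ldaptoolbox_openldap_olcAttributeOptions:` keeping the `- lang-` item. A one-line comment such as `# Attribute options accepted by slapd (lang- enables language-tagged attributes)` would also tell readers why the entry exists.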
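Review bot: Adding `memberof.la` while `dynlist.la` stays loaded deserves a justification comment, because to my knowledge the memberof overlay is deprecated in OpenLDAP 2.5/2.6 (the repository this commit switches to is `openldap26`) in favour of dynlist's memberOf support, and it is documented as not replication-safe; the playbooks added in this commit are multi-master, which is exactly the setup where it causes inconsistent `memberOf` values. Either drop it or add `# memberof overlay: kept for <reason>; not replication-safe, see dynlist` above the entry. The new `ldaptoolbox_openldap_olcSizeLimit: 1000` applies to every bind DN not exempted in `olcLimits`, so a comment `# global size limit; exempt replication and monitoring accounts via olcLimits` would prevent the obvious surprise.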
@@ -104,59 +115,19 @@ ldaptoolbox_openldap_database_olcLimits:
 # Indexes definition
 ldaptoolbox_openldap_database_olcDbIndexes:
+ - "entryCSN,entryUUID eq"
 - "objectClass eq"
- - "entryUUID eq"
- - "entryCSN eq"
- - "cn pres,eq,sub"
- - "uid pres,eq,sub"
-
-########################
-# Replication directives
-########################
+ - "cn eq,sub"
+ - "uid pres,eq"
+ - "givenName pres,eq,sub"
+ - "l pres,eq"
+ - "employeeType pres,eq"
+ - "mail pres,eq,sub"
+ - "sn pres,eq,sub"
-ldaptoolbox_openldap_olcServerID: 1
-ldaptoolbox_openldap_syncrepl:
-- rid: "001"
- provider: "ldap://localhost:389/"
- tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
- tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
- tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
- tlsreqcert: "demand"
- binddn: "uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}"
- password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}"
- searchbase: "{{ ldaptoolbox_openldap_suffix }}"
- scope: "sub"
- type: "refreshAndPersist"
- retry: "5 5 300 +"
-- rid: "002"
- provider: "ldap://localhost:389/"
- tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
- tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
- tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
- tlsreqcert: "demand"
- binddn: "uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}"
- password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}"
- searchbase: "{{ ldaptoolbox_openldap_suffix }}"
- scope: "sub"
- type: "refreshAndPersist"
- retry: "5 5 300 +"
 ldaptoolbox_openldap_overlay_syncprov_olcSpCheckpoint: "100 10"
 ldaptoolbox_openldap_overlay_syncprov_olcSpSessionlog: "100"
 ########################
 # Overlays configuration
 ########################
-
-# Password policy
-ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyDefault: "cn=default,ou=ppolicies,{{ ldaptoolbox_openldap_suffix }}"
-ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyHashCleartext: "TRUE"
-ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyUseLockout: "TRUE"
-
-# Referential integrity
-ldaptoolbox_openldap_overlay_refint_olcRefintAttribute: "member"
-ldaptoolbox_openldap_overlay_refint_olcRefintNothing: "cn=nothing,{{ ldaptoolbox_openldap_suffix }}"
-
-# Dynamic groups (dynlist)
-ldaptoolbox_openldap_overlay_dynlist_olcDlAttrSet: "groupOfURLs memberURL member+memberOf@groupOfNames*"
-
-
diff --git a/playbook/certificates-vault.yml b/playbook/certificates-vault.yml
new file mode 100644
index 0000000..b03653c
--- /dev/null
+++ b/playbook/certificates-vault.yml
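Review bot: Removing the `ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyHashCleartext: "TRUE"` default (together with `olcPPolicyDefault` and `olcPPolicyUseLockout` at the end of this hunk) drops the safety net that hashes passwords a client sends in cleartext, while `ppolicy.la` stays in the default module list; unless the role now hard-codes these values, a playbook that does not set them explicitly (the multimaster playbook in this commit does, `standalone.yml` is not in the diff) will store `userPassword` exactly as received. If every playbook is now expected to set them, say so where the defaults used to be, e.g. `# Overlay settings (ppolicy, refint, dynlist) are not defaulted; define them in the playbook`. The same remark applies to the removed refint and dynlist `olcDlAttrSet` defaults, since `dynlist.la` is still loaded by default and an overlay without its attribute set does nothing useful.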
@@ -0,0 +1,237 @@ +$ANSIBLE_VAULT;1.1;AES256 +63373638656661636234333364323164366164333034316137303262623530303730346631613361 +3961653061343136383364333663363230393261393337650a316562383462376236626664383033 +61393961393331633866383431383032306533313965373263353237643635666331383761636634 +6461343832616432350a653737653864376636373530386562346436633939376635633632366638 +32393436326135633938636437323631393735383437393438386566343966643837303761393339 +39383337336530336530336261646661636362356465613738346636386130373331326236616264 +39373261616136363636373330306436373730666138643535656633343933666164613861633336 +64663636633764386366623437366136646134343532633562313166623063323933303765663962 +32386564313638353263346666626431646633326263313464303866373638323338653539386330 +62313036363666346332326533323530356331353263343733303336363333323131653833313230 +38636538353961356536393036613733393430653634646235323735366639393830336461633366 +32366238643361656630396466643264396661616264343733623137623631373534613830373063 +66313063353837356366313133343935653531386333616238333765633039663936306161626461 +32383436653836383161663865646532623336363238393337636534336438353865643535656531 +31373937396635343236616165643531393639333131386536363164386462633765383266653963 +35373366363637326166303238363264353161363762613666303362313635666233376230643966 +30326136336338646536396534373839343266636262313861353335303861616236613334656330 +34626338646135653530333962356132653637336264373734306263373930363536323563386365 +63363337613238623836343262303762343735343737643662376332373961376365396534333763 +62366465326530663161653534623137613437623132383563326132343336613233386330653365 +34393030396636646234366362363263383435646666636165653436633461613666363839303337 +39643032633534383939346363663731613265346266383135353861346633633162626361313264 +63386631383331356330383533336165643466316664356337353531663638383330363031616164 
+62346338636533323734396431626332646536326662313038633833373964333330663236353535 +36333862333939316263616231623633323366313637616537643036626234663264633566643336 +33653231306430613162383235613733666433306534616262393965653765626638373033353564 +38363461366662316632373133376430616435396164633330376230653263343231336566663039 +36323834636633306464383236636463656437363238333932323166336335376664336132333538 +38323836313538343737626237303138326164326335306633613737343739653961346238616131 +61306464333934633965656135353561643536636531636363643766393130616265656538393462 +39343933353365623463396237663232633832383533346535613830613439616631383631386166 +61633232343963393661323762316161613966643865653565316235363237366461393163616163 +39663462303334303831363466636136376639336132666661633562666537616337626130303036 +64336235656463336266373861386130653039633635633166363234346661623132623365656130 +37643834336339373266633863666564666632313336323766636162376530396638646139646432 +34373966666430616432623362393839656366306438306333393237386534323735343266303733 +66323433336332333064613630383234326635333161353830613534636534373265666664386635 +65396232306532373463333439313839353261353339643930616163306137393532306466316638 +65343662306631623935343664633233303462313436333934663734323033396136393338373732 +30666136363135363331613466393363303561303832313731633836623735373662383438363565 +61623436346138323066646631663635323264653463306433363130613532353863656338663338 +66653630366138653235383139613464616137323732303237653261303136643539626333353634 +34656261373934303134636330383130613964366137353435333734373232323366663634613261 +35323235653633643739316635366332636264366263366632396436343339323463376163636366 +35653565623635346665373234363961626264373939613462656239356531346439663763336631 +38303138613630376362363061313430623337643332383437326162383436643433316163393439 +36366463666565353036353238346566333430666233663430393631353531323338633863356634 
+32313861373765366435636166623766356266306462633861663930653966373832613937356166 +32663463316133613835643930633566323739316537663963396630303464316638393339383730 +34653437303637363438643536623739613662346137366163373265393665663331306138336536 +66393034626462653465643932663231636435326335333838353238613465653738343638363234 +30616436313461663766383635623635303363373265623637636638383565346666623931613339 +61336132346365316336396161653062653963326164396262366665333938333366306365626336 +36643332666136653164383265333831363065663735333161303461643338386433373335643339 +31383237323738633765316232346161363937363537376166663664313166616565306631396565 +35666365353366353465653765333130616566343835333363666338333030656461616638656530 +63303366326436343564393331633235623866636563386334633035396639626264336662323535 +64613335363262623330353738346230383138393134306362643037323665616532346437316364 +64646166373135663466363336623439343038613461333732306333656530633064663134343636 +65363633313061613839323432366563303465626561636339613965313733346536666331306661 +32356536653164366430396435366338646666666434336566323835313838393338356532306264 +33666531363235623132343262363163333836383735343331656331643238353632333734383662 +30313664346466313966333563346661336531666339316366326332383232373366396636313434 +33616265616261643231356332613662303738316332386638656533663061323532396334666337 +63663939326330306632353463666633643961613332316563353965313833616463636563333033 +35636430663730393362663435326538306634663334353433633863633437333238393732393337 +32303433623264383365623236333865663837393034643536653838383032383265383261366563 +32306163656434633861323665343033623664323336373530373639373134386537373462363238 +32383531363531316465636462643964636535633465326639653666333930386235376263316332 +34383833313061346335396439376566643233653036393432633463626161313231373937393639 +62373461623264373466343662353936663630346262623465396539373261366239316530373336 
+30636336306233643139363263633161613464373234616639323636663765396435643932353330 +38616136656432656236303766663730663733383438373037653338666235376561303832306434 +35363431663939353737356138383039643961336336636433616331386336633861383533666330 +66656334303661306163653761663961666431306239653633376261303235313335366461643963 +36333064333635633332303462343465376334323436343864333236326133613466653765353631 +37396337323930663532613863393636626563333263346431393763323864653766643730313931 +31383962626435363130326438323130666633653561336262323966633337303032633334653562 +32336363616561326163323330303131393063333635633932626334303433616537376430363036 +66343238666462313039323061613937383431656462633435376233343630333166656536313561 +63333431396535326161633630636132303731623663626262373734393661346363353038623630 +37373837363066373333653734393565636663616566363663643937616638333062646237306133 +31376436363337386133303337396431366638643734393336333463666662313939316334636232 +66353237306435643366376638663439633836646465653732663038333131643238306539306435 +35653731646637323034346131636262633739323961623365306132613039636530633232323031 +65393863633338663564363736653636343935393662316262626439626133363339333434633034 +65613363663964613865393364346433383764313337656634663831336136333661383132333738 +61613261653635663332323830613933613163316631393330333336633334346430353831346665 +33366663616637666565363538633634333938303835353837383238343233646530343138386563 +62333063633030623230346234613430303364303338616437346466653533613763353631353339 +30373239383431616231313866613565336637313663373163333766373661343530383636633037 +39363934366539666139383032336239656662663937323936393837313137363232616265643035 +36316435393363633339323265393661313838653034636564343465313963653238353262613533 +63393063633734666263313463313837386532633861653238343932383531633033396634373666 +36633362636239386436313231346264326266633961613065646632326637303337626430646631 
+34306430306163316665633063623266376432383232333435323363616430333561643365366639 +65393131656630663630313462326635313661333836323865396163613030663631643339336333 +61333532303862643531303432656632346438663461633033646330393661346364656366626536 +62623939396633633833303232386533353364313562393136303434616666386437666562333864 +64663937376135393731333930623430336564363062333761623735616264323161363235366139 +39303638393830306332343638303638326131303635643765343839653636376330666234323434 +39366536616465626230613632626564656339316535653435366365316638613233396666646366 +32326161363566383738373036313736386132666336373361616231323866313737353763303263 +30363163623135383231343262666338363635333932306435643036636534393333643932333631 +30643736353761356439303531396139303365393737303837393366386237393232643037633338 +64653638303761666632613731343232666137383132313666313634316462376666613536363065 +30323832313435383834353362333837343061363766343434633135353030356162373836373530 +38323662356137373362346534626633633534333265396363333932306637363564313335363039 +31373466333236326633613232306436396431343135386664306363633635613766646433303463 +63353032326433313863633861393130383139616330363539663130313539623165313836346530 +33376633646164306364626266646331386534366464373935383634323938393163346363396361 +37336264393663383664363265333166346661343132323564336636306561636265626132393139 +30346632346138316533656332633037393336326663326333626361646165643963643961323930 +66393737323937306137653938363363613533363432643534356534336339373564313335343864 +36653234646232363031396430326463656333616262656565393537643035346363393037313437 +35303230303665633133396338336561373535376530306165346363633363333136653836383338 +30366165653030646330393061343163393837303830393638626131313166346661333033613938 +63383331373132636262663039303562363133636265383238313364343337393532336335383362 +38326531663932623638343761623438623466633766386231333936666631616639303931343532 
+38373739633639623864303761323139383761653433396339383263396565646361613961356664 +63316137363437363939393132666261356434333130383662343666353966326434613538313332 +38363963653233323230353132376633636334626330643833636537326464343936633265663264 +64653737636261613536636232646163303262613131613363646234333835666661623738373437 +66396164396631633130363433393938636532663364633237653139383734616561346362623764 +66333232313662346437656538333930376637333336393636396461356334346539396639323236 +32313936393163616537653765623337353830396434366263346464396334383764346537303234 +39343137616238643833306633366439373163396536643461656334343235363061323264343834 +37666563363035636632306537326266636262373561313337613333663536623466303162363537 +38356232616533646638313937366563663735333335326162346637316432623631303031383131 +39383634386534383535623966656364313366316330396131626462653834653734353438386331 +65663666666332613136373339613136643737333533666231613639316463663533616338643038 +63616430336266636463306432363062666530363836643162316566313636663433643463666330 +38323562373664343335313662366537383261323065666336376239373438653236643064663535 +30336433663533326535636161343134323466333263313961633963333066346531313139643962 +39343234316630663064613737303632333838313964656433336531636239313931343238383236 +36373736303837626261626339373562353835343039323135383834623233666466303965653430 +31626466313561346337636361623034316365346136616635396266383039386566383964643036 +38376438366634333234643236313064393030663537336665646361366332393565636566626264 +31333033343934633933333734386634623332363037366166383766313365313661386435663534 +32393630613634323737393834653561613062666635623630353837303464383734653236616431 +35303161343639373962353865613630623132396334376338643766636230336431353163326566 +38353430323634363132393230373366646535633561663465626133313562383634616164393634 +36333536326532313336333063386261303230633439633634366230383036623432326235356561 
+62333337623631636662353733646431613063366135616433336439323239643232333639346364 +35626238373363653633613138326164623064336638346530373064373838653730623137353430 +34313839636430343135313633383838643333633463303438333231336433643731323437346537 +33346535383131313035373236633035623430363932313063373431616262306335636430666434 +62356161643433663462653265616565383139333533396231326539363835316330356634663566 +37306334333633646238663535663464323634616662313139663936663463303930333933313332 +30363066343036613636353535353137396363336463346231366338346534303831386238613439 +63323465346139353463663031663863306366386364623135636338356261623761333436323038 +36623130326661333633393662393932373837363564333931656330383061643835366661353930 +61646532376661646535626137373833663339623566356531323232303666643931373733616661 +39326132393330373535613965633864636465306132306436636339386130356531663839313332 +32383539303735656431353531663530666237376139616464386137323338666239363563386336 +36376539333334323663366238306361396362623063316632653361333730633461346434663564 +33333764373163393666643232616231653530333365393566643165656637313035303066306263 +66643132663637396561643562366562656439313735353663376634303830316338316233333230 +30643938336461386537663735386633613930393235303361316364363832636464646338613535 +38346131393531646532373031303164653132306634626666643430343566396336323866623230 +39363262363936343864663434376361303433396237336537356438353933303064396561636135 +63353234653931646238666635306331656538643035386139303437626337653432393566376333 +35323064343730386339316533353463633564343662633865383533373565626265393834333362 +38663435306334393036306565306635306166653634616564316230376566353138633232663564 +34663434326237623731633766663138386133393966313739333133633766326339316534383731 +66346430636365396238353265373761366230663438343364336532343534663935303834356630 +66366433383131393632373963326666626266636565616465303161303334333635386337306565 
+36386135383330613362656633653661666333373436346331313662356662343832383564353861 +35623065323762623036363538393461333038356135313664626436303065353064623833653264 +35623132303164373031643437643133383562316431656636383662666363646131323431636436 +37613739366633636637373132326139636531383962383431373337363732343266663463363139 +33616338393636333964653833306661646231373032346337373239396438343032343936383432 +35316534643536623161313663326237393165663438376339326235653837383135353730613834 +38376363343835303762373161623435646535663062313239396465336166633963356132663665 +34633361623962653563383665316563363064396663323230626461356233646361383132386463 +30363731383434303739643334613832333838363434333766386337613238653861643033623966 +31396366363335613566376236656465383130373731656364313565616265636339306330356433 +38383165323164303839386433623564393238393236633935613064316539303161333239313730 +64613035636633353965646636383237356333613634323064386239653032653862623034373161 +30303335653834336133373965326162366462613136333835376333306438353631383332333962 +38366339653538636165636661353931393136663430306563326239646664306137313661663236 +34356631323665376132316133626366663031623261326330343830386530356230363238373035 +32636463656133333033623335613165656433353966346233393366333232613566376637383966 +63653363626564356232636364383331316263616237666461353435393230333831646163373364 +62376164303437366666663765613164356433613238636365393632353966643536303339353238 +62643938386336396237633864306632613535393965643236366631666330333430623139653839 +39633932386131386563303364313339356163313961346661303434663464396233356232656538 +34363535373332363437643663626564383363323037633263326139633036663837643862373063 +61623331396561373233363734396462303835353930623337303930373534353034313630656632 +32623332343766303839653136626632323362653964653733616133353734643732316130363133 +30346133333935346235346266636335353466623862393631643339333366326131303633376131 
+66373037313861373835663037626536343338383934633635346235623731643763643163623533 +35326466626437633833303964316364616333663932373130636266323266383137333665663737 +31613361353963653664623466623662353762616434653735346338313538396663616365373261 +32306233623832346264343535306233623637373737636662336166363938306365636332656531 +31303563333265633663393730633232373630636337623832646530306435383261393362363962 +66653665363661346435383837376663633839613137613232646336346639653839353932346336 +66383539346364326439653134333066346138326238336236643236633066613430356537626566 +66316535333632663533663034393631623266336135356339663964613036666566393532386537 +37313535626232386265383337343731343762313030363436396635393761353233613333383934 +35363264316335343466353162633161323538343836366163643536643231306466656536616539 +64333038343038633139346430666134333030313030633430383733323963383835663535343739 +63663038326336373231393865303563373037633836663361326337303763633233316631653230 +39373434616361313861336361666164336638613838633531343061303763656135363737636433 +34666231326238653839636438333730376430623563646434353130333566616135373961636233 +37616434613866356234393163653535373036383466346437653435663861316464333161346563 +61663364613863343562376361373363633433383334363164343936616562656166656632383065 +64373433633464653565356532386435313637303332633735313965346533663863363761313735 +63653963643436343163376663316464666138653933656334323632313432373230393931326336 +62653436333336343830663563353036613330366637666363316132653937623836666136323437 +32613065643561306238653038373463663462353439613863616366366531396662303039636435 +66333230326664353261616230636535643139623630653064623733666635613930306261376137 +33633039353533393539626332643261643738366264373161306162353466326264313062613939 +33353337373862356335613736643166343139343163343931376561353161303663636638396630 +33313738613835376431313934653134663063373433656237383132653639353436653463643339 
+63326664646130353035643662356332633935646637323363303761663165376230636263656537 +38336131346233356464613039353631323132666361646333313735393033653734656534313466 +30653364616162303961363566646434633762353663663366323265303738306330613462393233 +64343838313738306665633833666138373533383265376438353362666637306635366364646237 +35383361343935306633363434613764313838653031626530656132313361373334663361353131 +39643965653134653562663931613662316664643935636662373536353438343261626562663633 +33616533353264626134356139363334306634616662663665373335623636633061303430616238 +64623137323064613866393037373131633435356237656330646163333732633062303463653738 +38346166393839313332656335303163653234613962356334383938643833313232636364653866 +36363434306165623430313434633937663532353631353363313332626461633938393864313238 +66376534613564333036386336373863663839653064383137303661363766326266626339666161 +66386165623064663830633164393234653937626336656564333962383630663265343630303136 +36643138323632646665366462666664363336666538643730663062393666616263333836363334 +61306233303862323863356131326135346633316266343333363634366562643133633233633564 +36303035653162366633646532303836363862353138393134343832613435373966656161333836 +39333237326466623136663264346636366135646232623630386233336166323433366439316232 +62663536363533653930666635313239393334386562363339623938353764613463666535333738 +31373232666566663835626265393930636365326230366135373239383233616666316631316465 +32383637316562313263626132643966633534346536386331646336646339376632303234303664 +66393633633932613538623336633138346235363062613862383831636438303835333164393164 +65393363346336346530 diff --git a/tests/credentials-vault.yml b/playbook/credentials-vault.yml similarity index 100% rename from tests/credentials-vault.yml rename to playbook/credentials-vault.yml 
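Review bot: This commits a 237-line Ansible Vault blob which, per the README change in this same diff, holds the TLS certificate material for the cluster and is encrypted with the documented default password `secret`; a published password gives the encryption no value, so anyone with read access to the repository can decrypt it, and if a private key was placed in it as the README suggests that key must be considered compromised. Keep only a placeholder vault (or an unencrypted template with empty `ldaptoolbox_openldap_*` certificate variables) in the repository and document that users generate their own key and run `ansible-vault rekey playbook/certificates-vault.yml` with a private password before use. If the contents are self-signed test material only, a sentence in the README saying so would remove the ambiguity.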
diff --git a/tests/files/ldaptoolbox.oldap/usr/local/openldap/etc/openldap/schema/custom.ldif b/playbook/files/ldaptoolbox.oldap/usr/local/openldap/etc/openldap/schema/custom.ldif
similarity index 100%
rename from tests/files/ldaptoolbox.oldap/usr/local/openldap/etc/openldap/schema/custom.ldif
rename to playbook/files/ldaptoolbox.oldap/usr/local/openldap/etc/openldap/schema/custom.ldif
diff --git a/playbook/group_vars/prod.yml b/playbook/group_vars/prod.yml
new file mode 100644
index 0000000..3d580d0
--- /dev/null
+++ b/playbook/group_vars/prod.yml
@@ -0,0 +1,45 @@
+---
+# group_vars file for prod servers
+ldaptoolbox_openldap_syncrepl:
+ - rid: "001"
+ provider: "ldaps://master1"
+ tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
+ tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
+ tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
+ tlsreqcert: "demand"
+ binddn: "uid=replicationmaster,ou=replication,ou=special users,{{ ldaptoolbox_openldap_suffix }}"
+ password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}"
+ searchbase: "{{ ldaptoolbox_openldap_suffix }}"
+ scope: "sub"
+ type: "refreshAndPersist"
+ retry: "60 +"
+ timeout: "0"
+ networktimeout: "0"
+ keepalive: "0:0:0"
+ starttls: "no"
+ tls_cipher_suite: "TLSv1.3:TLSv1.2"
+ tls_protocol_min: "3.4"
+ tls_crlcheck: "none"
+ filter: "(objectclass=*)"
+ schemachecking: "on"
+ - rid: "002"
+ provider: "ldaps://master2"
+ tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
+ tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
+ tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
+ tlsreqcert: "demand"
+ binddn: "uid=replicationmaster,ou=replication,ou=special users,{{ ldaptoolbox_openldap_suffix }}"
+ password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}"
+ searchbase: "{{ ldaptoolbox_openldap_suffix }}"
+ scope: "sub"
+ type: "refreshAndPersist"
+ retry: "60 +"
+ timeout: "0"
+ networktimeout: "0"
+ keepalive: "0:0:0"
+ starttls: "no"
+ tls_cipher_suite: "TLSv1.3:TLSv1.2"
+ tls_protocol_min: "3.4"
+ tls_crlcheck: "none"
+ filter: "(objectclass=*)"
+ schemachecking: "on"
diff --git a/playbook/host_vars/master1.yml b/playbook/host_vars/master1.yml
new file mode 100644
index 0000000..17c6166
--- /dev/null
+++ b/playbook/host_vars/master1.yml
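Review bot: The header comment `# group_vars file for prod servers` is misleading: `master1` and `master2` get their own `ldaptoolbox_openldap_syncrepl` in host_vars in this same commit, and since host_vars take precedence over group_vars and Ansible replaces rather than merges lists, this two-provider consumer list only ever applies to `slave1` and `slave2`; suggest `# syncrepl consumer configuration for the replicas (master1/master2 override this list in host_vars)`. The `binddn` `uid=replicationmaster,ou=replication,ou=special users,...` must also be the DN exempted from limits in the playbook's `olcLimits`, otherwise `ldaptoolbox_openldap_olcSizeLimit: 1000` caps the replication search; the multimaster playbook in this commit currently exempts `uid=syncrepl,ou=accounts,ou=infrastructure,...` instead, so one of the two is wrong. `tls_crlcheck: "none"` together with `tlsreqcert: "demand"` means a revoked provider certificate is still accepted; acceptable with a private CA, but worth a comment stating that choice.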
@@ -0,0 +1,25 @@
+---
+# host_vars file for master1
+ldaptoolbox_openldap_olcServerID: 1
+ldaptoolbox_openldap_syncrepl:
+ - rid: "001"
+ provider: "ldaps://master2"
+ tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
+ tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
+ tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
+ tlsreqcert: "demand"
+ binddn: "uid=replicationmaster,ou=replication,ou=special users,{{ ldaptoolbox_openldap_suffix }}"
+ password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}"
+ searchbase: "{{ ldaptoolbox_openldap_suffix }}"
+ scope: "sub"
+ type: "refreshAndPersist"
+ retry: "60 +"
+ timeout: "0"
+ networktimeout: "0"
+ keepalive: "0:0:0"
+ starttls: "no"
+ tls_cipher_suite: "TLSv1.3:TLSv1.2"
+ tls_protocol_min: "3.4"
+ tls_crlcheck: "none"
+ filter: "(objectclass=*)"
+ schemachecking: "on"
diff --git a/playbook/host_vars/master2.yml b/playbook/host_vars/master2.yml
new file mode 100644
index 0000000..c2720e4
--- /dev/null
+++ b/playbook/host_vars/master2.yml
@@ -0,0 +1,25 @@
+---
+# host_vars file for master2
+ldaptoolbox_openldap_olcServerID: 2
+ldaptoolbox_openldap_syncrepl:
+ - rid: "001"
+ provider: "ldaps://master1"
+ tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
+ tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
+ tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
+ tlsreqcert: "demand"
+ binddn: "uid=replicationmaster,ou=replication,ou=special users,{{ ldaptoolbox_openldap_suffix }}"
+ password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}"
+ searchbase: "{{ ldaptoolbox_openldap_suffix }}"
+ scope: "sub"
+ type: "refreshAndPersist"
+ retry: "60 +"
+ timeout: "0"
+ networktimeout: "0"
+ keepalive: "0:0:0"
+ starttls: "no"
+ tls_cipher_suite: "TLSv1.3:TLSv1.2"
+ tls_protocol_min: "3.4"
+ tls_crlcheck: "none"
+ filter: "(objectclass=*)"
+ schemachecking: "on"
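Review bot: The 21-key consumer stanza here is copied verbatim from `playbook/group_vars/prod.yml` and again into `master2.yml` in this commit, differing only in `provider`; three hand-maintained copies of the TLS, bind and retry settings are where configuration drift starts (a later change to `tls_protocol_min` or to the bind DN in one file silently leaves the other two behind). Consider defining the shared keys once in group_vars as a dict and building the per-host list with `combine`, e.g. `ldaptoolbox_openldap_syncrepl: "{{ [ ldaptoolbox_openldap_syncrepl_common | combine({'rid': '001', 'provider': 'ldaps://master2'}) ] }}"`, so that host_vars carry only `ldaptoolbox_openldap_olcServerID` and the provider. A comment on `ldaptoolbox_openldap_olcServerID: 1` noting that the value must be unique per provider in the multi-master set would also help the next person who adds a node.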
diff --git a/playbook/inventory b/playbook/inventory
new file mode 100644
index 0000000..2faea5c
--- /dev/null
+++ b/playbook/inventory
@@ -0,0 +1,6 @@
+prod:
+ hosts:
+ master1:
+ master2:
+ slave1:
+ slave2:
diff --git a/tests/monitoring.yml b/playbook/monitoring.yml
similarity index 100%
rename from tests/monitoring.yml
rename to playbook/monitoring.yml
diff --git a/playbook/multimaster.yml b/playbook/multimaster.yml
new file mode 100644
index 0000000..2f789f0
--- /dev/null
+++ b/playbook/multimaster.yml
@@ -0,0 +1,77 @@ +################################################################################ +# example of playbook for 2 multi-master cluster (1st node) +################################################################################ +--- +- hosts: prod + remote_user: root + vars_files: + - credentials-vault.yml + - certificates-vault.yml + vars: + # Define suffix + - ldaptoolbox_openldap_suffix: "dc=my-organization,dc=com" + # include extra schema + - ldaptoolbox_openldap_custom_schema_srcdir: "{{ playbook_dir }}/files/ldaptoolbox.oldap/usr/local/openldap/etc/openldap/schema" + - ldaptoolbox_openldap_custom_schema_list: [ custom.ldif ] + - ldaptoolbox_openldap_olcTLSCACertificateFile: "{{ '/usr/local/openldap/etc/openldap/certs/ca.crt' }}" + - ldaptoolbox_openldap_olcTLSCertificateFile: "{{ '/usr/local/openldap/etc/openldap/certs/openldap.crt' }}" + - ldaptoolbox_openldap_olcTLSCertificateKeyFile: "{{ '/usr/local/openldap/etc/openldap/certs/openldap.key' }}" + - ldaptoolbox_openldap_olcTLSDHParamFile: "{{ '/usr/local/openldap/etc/openldap/certs/dhparams' }}" + # Accounts and passwords + - ldaptoolbox_openldap_config_olcRootDN: cn=admin,cn=config + - ldaptoolbox_openldap_config_olcRootPW_hash: "{{ ldaptoolbox_openldap_config_olcRootPW_hash_vault }}" + - ldaptoolbox_openldap_database_olcRootDN: "cn=admin,{{ ldaptoolbox_openldap_suffix }}" + - ldaptoolbox_openldap_database_olcRootPW_hash: "{{ ldaptoolbox_openldap_database_olcRootPW_hash_vault }}" + - ldaptoolbox_openldap_monitor_olcRootDN: "cn=monitor" + - ldaptoolbox_openldap_monitor_olcRootPW_hash: "{{ ldaptoolbox_openldap_monitor_olcRootPW_hash_vault }}" + # unlimitation for synchronization account (to be defined in data) + - ldaptoolbox_openldap_database_olcLimits: + - "dn.base=uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }} size=unlimited time=unlimited" + - "dn.base=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth size=unlimited time=unlimited" + # ACLs from default 
role variables + # Replication + # overlay configuration from default role variables + - ldaptoolbox_openldap_olcAttributeOptions: [] + - ldaptoolbox_openldap_olcSaslHost: localhost + - ldaptoolbox_openldap_olcTLSCipherSuite: "TLSv1.3:TLSv1.2" + - ldaptoolbox_openldap_olcLogLevel: stats + - ldaptoolbox_openldap_olcLogFile: "/var/log/slapd-ltb/slapd.log" + - ldaptoolbox_openldap_olcLogFileRotate: "30 1024 24" + # Size limit + - ldaptoolbox_openldap_olcSizeLimit: 1000 + # Enabled modules + - ldaptoolbox_openldap_module_list: + - "argon2.la" + - "pw-pbkdf2.la" + - "pw-sha2.la" + - "back_mdb.la" + - "dynlist.la" + - "memberof.la" + - "ppolicy.la" + - "syncprov.la" + - "unique.la" + - ldaptoolbox_olcPasswordHash: "{SSHA256}" + # Access rights + - ldaptoolbox_openldap_access_list: + - to attrs=userPassword by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" =wxd by group/groupOfNames/member.exact="cn=admin,ou=groups,CONFIG_SUFFIX" =wxd by self =wxd by * auth + - to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by group/groupOfNames/member.exact="cn=admin,ou=groups,CONFIG_SUFFIX" write by users read + # Indexes definition + - ldaptoolbox_openldap_database_olcDbIndexes: + - "entryCSN,entryUUID eq" + - "objectClass eq" + - "cn eq,sub" + - "uid pres,eq" + - "givenName pres,eq,sub" + - "l pres,eq" + - "employeeType pres,eq" + - "mail pres,eq,sub" + - "sn pres,eq,sub" + - ldaptoolbox_openldap_database_olcDbMaxSize: "4294967296" + - ldaptoolbox_openldap_overlay_syncprov_olcSpCheckpoint: "100 10" + - ldaptoolbox_openldap_overlay_syncprov_olcSpSessionlog: "100" + # Password policy + - ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyDefault: "cn=default,ou=ppolicies,{{ ldaptoolbox_openldap_suffix }}" + - ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyHashCleartext: "TRUE" + - ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyUseLockout: "FALSE" + roles: + - ansible-role-ldaptoolbox-openldap 
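Review bot: The data ACL `to attrs=userPassword ... by self =wxd by * auth` gives the replication account configured in playbook/host_vars (`uid=replicationmaster,ou=replication,ou=special users,...`) only `auth` on userPassword, so password hashes are never replicated and binds against the second master fail for ordinary users, unless that account is a member of the admin group (which the playbook does not show). Add a read grant ahead of the catch-all, e.g. `to attrs=userPassword by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" =wxd by group/groupOfNames/member.exact="cn=admin,ou=groups,CONFIG_SUFFIX" =wxd by dn.exact="uid=replicationmaster,ou=replication,ou=special users,{{ ldaptoolbox_openldap_suffix }}" read by self =wxd by * auth`, and align the `dn.base=uid=syncrepl,...` olcLimits entry with the same DN so the consumer is not cut off at `ldaptoolbox_openldap_olcSizeLimit: 1000`. The literal `CONFIG_SUFFIX` in both ACL rules is presumably substituted by the role; if it is not, the group DN never matches and the admin group silently loses its rights — worth a comment either way. The header comment still says "(1st node)" although this playbook now targets the whole `prod` group.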
diff --git a/tests/standalone.yml b/playbook/standalone.yml similarity index 76% rename from tests/standalone.yml rename to playbook/standalone.yml index 2fdf085..40d66ac 100644 --- a/tests/standalone.yml +++ b/playbook/standalone.yml @@ -30,5 +30,14 @@ # No replication - ldaptoolbox_openldap_syncrepl: [] # overlay configuration from default role variables + # Referential integrity + - ldaptoolbox_openldap_overlay_refint_olcRefintAttribute: "member" + - ldaptoolbox_openldap_overlay_refint_olcRefintNothing: "cn=nothing,{{ ldaptoolbox_openldap_suffix }}" + # Dynamic groups (dynlist) + - ldaptoolbox_openldap_overlay_dynlist_olcDlAttrSet: "groupOfURLs memberURL member+memberOf@groupOfNames*" + # Password policy + - ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyDefault: "cn=default,ou=ppolicies,{{ ldaptoolbox_openldap_suffix }}" + - ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyHashCleartext: "TRUE" + - ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyUseLockout: "TRUE" roles: - ansible-role-ldaptoolbox-openldap diff --git a/tasks/ldaptoolbox-certificates.yml b/tasks/ldaptoolbox-certificates.yml index 4c3b1e6..6ab5039 100644 --- a/tasks/ldaptoolbox-certificates.yml +++ b/tasks/ldaptoolbox-certificates.yml 
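Review bot: `ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyUseLockout: "TRUE"` makes slapd answer a bind on a locked account with AccountLocked instead of invalidCredentials, which discloses the lock state of accounts to unauthenticated clients and eases enumeration; the multimaster playbook keeps it at FALSE, so the difference looks unintended rather than a deliberate choice. If it is deliberate, document it inline: `# UseLockout TRUE: returns AccountLocked to clients (leaks lock state) - only for debugging`. Note also that lockout only takes effect if `cn=default,ou=ppolicies,{{ ldaptoolbox_openldap_suffix }}` actually exists with pwdLockout set, which nothing in this diff creates. The enclosing play starts outside the hunk.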
@@ -1,3 +1,47 @@ +- name: Create certificate directory + ansible.builtin.file: + path: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile | dirname }}" + state: directory + mode: '0755' + when: ( ldaptoolbox_openldap_olcTLSCACertificateFile ) + +- name: Deploy TLS CA certificate + ansible.builtin.copy: + content: '{{ ldaptoolbox_openldap_olcTLSCACertificateFile_content }}' + dest: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}" + owner: root + group: ldap + mode: 0644 + when: ( ldaptoolbox_openldap_olcTLSCACertificateFile ) + +- name: Deploy TLS certificate + ansible.builtin.copy: + content: '{{ ldaptoolbox_openldap_olcTLSCertificateFile_content }}' + dest: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}" + owner: root + group: ldap + mode: 0644 + when: ( ldaptoolbox_openldap_olcTLSCACertificateFile ) + +- name: Deploy TLS key file + ansible.builtin.copy: + content: '{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile_content }}' + dest: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}" + owner: root + group: ldap + mode: 0640 + no_log: true + when: ( ldaptoolbox_openldap_olcTLSCertificateKeyFile ) + +- name: Deploy Diffie-Hellman param + ansible.builtin.copy: + content: '{{ ldaptoolbox_openldap_olcTLSDHParamFile_content }}' + dest: "{{ ldaptoolbox_openldap_olcTLSDHParamFile }}" + owner: root + group: ldap + mode: 0640 + no_log: true + when: ( ldaptoolbox_openldap_olcTLSDHParamFile ) - name: allow ldap to read TLS certificates ansible.builtin.user: 
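Review bot: The "Deploy TLS certificate" task is guarded by the wrong variable, `when: ( ldaptoolbox_openldap_olcTLSCACertificateFile )`, evidently copied from the CA task; with a CA set but no server certificate the copy runs with an empty `dest` and fails, and with a certificate but no CA the certificate is never deployed. Change it to `when: ( ldaptoolbox_openldap_olcTLSCertificateFile )`. For the same reason the "Create certificate directory" task derives the directory from the CA path and is skipped when only the certificate/key variables are set, so `dirname` of the key path is a safer anchor. `group: ldap` is hard-coded in every copy task while the removed task used `{{ ldaptoolbox_openldap_sslgroup }}`; if the `ldap` group is only created by the package install that runs later in the role (not visible here), these copies fail on a fresh host.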
@@ -6,26 +50,12 @@ state: present when: ( ldaptoolbox_openldap_olcTLSCertificateFile ) -- name: Ensure correct file ownership, group and permissions for CA - ansible.builtin.file: - path: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}" - owner: "root" - group: "root" - mode: "644" +- name: Adapt ldap.conf file with CA certificate + ansible.builtin.blockinfile: + path: /usr/local/openldap/etc/openldap/ldap.conf + marker: "# {mark} ANSIBLE MANAGED CONFIGURATION" + insertafter: '^#DEREF' + block: | + TLS_CACERT {{ ldaptoolbox_openldap_olcTLSCACertificateFile }} + TLS_REQCERT demand when: ( ldaptoolbox_openldap_olcTLSCACertificateFile ) - -- name: Ensure correct file ownership, group and permissions for certificate - ansible.builtin.file: - path: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}" - owner: "root" - group: "root" - mode: "644" - when: ( ldaptoolbox_openldap_olcTLSCertificateFile ) - -- name: Ensure correct file ownership, group and permissions for key - ansible.builtin.file: - path: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}" - owner: "root" - group: "{{ ldaptoolbox_openldap_sslgroup }}" - mode: "640" - when: ( ldaptoolbox_openldap_olcTLSCertificateKeyFile ) diff --git a/tasks/ldaptoolbox-repository.yml b/tasks/ldaptoolbox-repository.yml index 481e022..007d36d 100755 --- a/tasks/ldaptoolbox-repository.yml +++ b/tasks/ldaptoolbox-repository.yml @@ -4,7 +4,7 @@ - name: debian repository block: - - name: fetch repository key + - name: fetch LTB-project repository key ansible.builtin.shell: "curl {{ ldaptoolbox_openldap_apt_key_url }} | gpg --dearmor > {{ ldaptoolbox_openldap_apt_keyrings_path }}/{{ ldaptoolbox_openldap_apt_repo_filename }}.gpg" - name: add debian repository 
@@ -20,22 +20,25 @@ - name: centos repository block: - - name: fetch repository key - ansible.builtin.shell: "rpm --import https://ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-project" + - name: fetch LTB-project repository key + ansible.builtin.rpm_key: + state: present + key: https://ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-PROJECT-SECURITY - name: install EPEL repository - ansible.builtin.shell: | - dnf install -y epel-release + ansible.builtin.yum: + name: epel-release + state: present - name: "setup ldaptoolbox repository on RHEL like version >= 7 " copy: content: | [ltb-project] name=LTB project packages - baseurl=https://ltb-project.org/rpm/openldap25/$releasever/$basearch + baseurl=https://ltb-project.org/rpm/openldap26/$releasever/$basearch enabled=1 gpgcheck=1 - gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project + gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project-security dest: /etc/yum.repos.d/ltb-project.repo when: ( ansible_os_family == "RedHat" ) and ( ansible_distribution_major_version >= "7" ) diff --git a/templates/var/backups/openldap/config.ldif b/templates/var/backups/openldap/config.ldif index 3a1c2ea..ac53b3d 100644 --- a/templates/var/backups/openldap/config.ldif +++ b/templates/var/backups/openldap/config.ldif @@ -1,10 +1,12 @@ dn: cn=config objectClass: olcGlobal cn: config -olcConfigFile: slapd.conf -olcConfigDir: slapd.d +olcConfigFile: /usr/local/openldap/etc/openldap/slapd.conf +olcConfigDir: /usr/local/openldap/etc/openldap/slapd.d olcArgsFile: /usr/local/openldap/var/run/slapd.args -olcAttributeOptions: lang- +{% for attributeoption in ldaptoolbox_openldap_olcAttributeOptions %} +olcAttributeOptions: {{ attributeoption }} +{% endfor %} olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 
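Review bot: `ansible.builtin.rpm_key` fetches the key over HTTPS without a `fingerprint:` check, so trust still rests entirely on the TLS connection to ltb-project.org, and it imports the key into the rpm database only — nothing writes `/etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project-security`, yet the generated ltb-project.repo points `gpgkey=` at that file, so dnf cannot re-import the key if it is ever missing from the rpmdb. Download the key to that path first, import from the file, and pin its fingerprint to the value the LTB project publishes.
```yaml
    - name: download LTB-project repository key
      ansible.builtin.get_url:
        url: https://ltb-project.org/documentation/_static/RPM-GPG-KEY-LTB-PROJECT-SECURITY
        dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project-security
        mode: "0644"

    - name: import LTB-project repository key
      ansible.builtin.rpm_key:
        state: present
        key: /etc/pki/rpm-gpg/RPM-GPG-KEY-LTB-project-security
        # fingerprint: "..."  # pin to the fingerprint published by the LTB project
    # … unchanged: install EPEL repository, setup ldaptoolbox repository …
```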
@@ -15,35 +17,50 @@ olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 +olcIndexHash64: FALSE olcIndexIntLen: 4 olcListenerThreads: 1 olcLocalSSF: 71 +olcLogFile: {{ ldaptoolbox_openldap_olcLogFile }} +olcLogFileOnly: TRUE +olcLogFileRotate: {{ ldaptoolbox_openldap_olcLogFileRotate }} +olcLogLevel: {{ ldaptoolbox_openldap_olcLogLevel }} +olcMaxFilterDepth: 1000 olcPidFile: /usr/local/openldap/var/run/slapd.pid olcReadOnly: FALSE +olcReverseLookup: FALSE +olcSaslAuxpropsDontUseCopyIgnore: FALSE olcSaslHost: {{ ldaptoolbox_openldap_olcSaslHost }} olcSaslSecProps: none +{% if ldaptoolbox_openldap_olcServerID is defined and ldaptoolbox_openldap_olcServerID %} olcServerID: {{ ldaptoolbox_openldap_olcServerID }} +{% endif %} +olcSizeLimit: {{ ldaptoolbox_openldap_olcSizeLimit }} olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 16 -{% if ldaptoolbox_openldap_olcTLSCACertificateFile %} +olcThreadQueues: 1 +{% if ldaptoolbox_openldap_olcTLSCACertificateFile is defined and ldaptoolbox_openldap_olcTLSCACertificateFile %} olcTLSCACertificateFile: {{ ldaptoolbox_openldap_olcTLSCACertificateFile }} olcTLSCRLCheck: none olcTLSVerifyClient: allow {% endif %} -{% if ldaptoolbox_openldap_olcTLSCertificateFile %} +{% if ldaptoolbox_openldap_olcTLSCertificateFile is defined and ldaptoolbox_openldap_olcTLSCACertificateFile %} olcTLSProtocolMin: {{ ldaptoolbox_openldap_olcTLSProtocolMin }} +olcTLSCipherSuite: {{ ldaptoolbox_openldap_olcTLSCipherSuite }} olcTLSCertificateFile: {{ ldaptoolbox_openldap_olcTLSCertificateFile }} olcTLSCertificateKeyFile: {{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }} +{% if ldaptoolbox_openldap_olcTLSDHParamFile is defined and ldaptoolbox_openldap_olcTLSDHParamFile %} +olcTLSDHParamFile: {{ ldaptoolbox_openldap_olcTLSDHParamFile }} +{% endif %} {% endif %} olcToolThreads: 1 olcWriteTimeout: 0 -olcLogLevel: {{ ldaptoolbox_openldap_olcLogLevel }} dn: cn=module{0},cn=config 
objectClass: olcModuleList cn: module{0} -olcModulePath: /usr/local/openldap/lib64/:/usr/local/openldap/libexec/openldap/ +olcModulePath: /usr/local/openldap/libexec/openldap {% for module in ldaptoolbox_openldap_module_list %} olcModuleLoad: {{ module }} {% endfor %} @@ -62,23 +79,26 @@ include: file:///usr/local/openldap/etc/openldap/schema/inetorgperson.ldif include: file:///usr/local/openldap/etc/openldap/schema/dyngroup.ldif +include: file:///usr/local/openldap/etc/openldap/schema/duaconf.ldif + {% for schema in ldaptoolbox_openldap_custom_schema_list %} +{% if (schema != "core.ldif") and (schema != "cosine.ldif") and (schema != "nis.ldif") and (schema != "inetorgperson.ldif") %} include: file://{{ ldaptoolbox_openldap_schema_dir }}/{{ schema }} +{% endif %} {% endfor %} dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend -{% for rule in ldaptoolbox_openldap_access_list %} -olcAccess: {{ rule }} -{% endfor %} +olcAccess: {0}to dn.base="" by * read +olcAccess: {1}to dn.base="cn=subschema" by * read olcAddContentAcl: FALSE olcLastMod: TRUE +olcLastBind: TRUE olcMaxDerefDepth: 0 olcReadOnly: FALSE olcSchemaDN: cn=Subschema -olcSizeLimit: 500 olcSyncUseSubentry: FALSE olcMonitoring: FALSE olcPasswordHash: {{ ldaptoolbox_olcPasswordHash }} @@ -87,9 +107,11 @@ olcSortVals: {{ ldaptoolbox_openldap_olcSortVals }} dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config -olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none +olcAccess: {0}to attrs=userPassword by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" =wxd by * auth +olcAccess: {1}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage olcAddContentAcl: TRUE olcLastMod: TRUE +olcLastBind: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: {{ ldaptoolbox_openldap_config_olcRootDN }} 
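Review bot: The condition `{% if ldaptoolbox_openldap_olcTLSCertificateFile is defined and ldaptoolbox_openldap_olcTLSCACertificateFile %}` tests the CA variable in its second operand, so a host with a server certificate but no CA file gets no olcTLSCertificateFile/olcTLSCertificateKeyFile at all and an `ldaps://` listener fails to start, while a host with a CA but an undefined certificate renders empty attribute values. It should read `{% if ldaptoolbox_openldap_olcTLSCertificateFile is defined and ldaptoolbox_openldap_olcTLSCertificateFile %}`. Within the same block `olcTLSCRLCheck: none` and `olcTLSVerifyClient: allow` stay hard-coded; at least a comment such as `# CRL checking off - acceptable only with a private CA rotated on compromise` would record that this is intentional.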
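Review bot: The custom-schema loop now skips core/cosine/nis/inetorgperson to avoid double inclusion, but `dyngroup.ldif` and `duaconf.ldif` are also included unconditionally just above and are not excluded, so listing either in `ldaptoolbox_openldap_custom_schema_list` yields a duplicate definition that slapd rejects at startup. Replace the chained comparison with a membership test that covers all six: `{% if schema not in ["core.ldif", "cosine.ldif", "nis.ldif", "inetorgperson.ldif", "dyngroup.ldif", "duaconf.ldif"] %}`.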
@@ -101,9 +123,13 @@ dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb -olcDbDirectory: /usr/local/openldap/var/openldap-data olcSuffix: {{ ldaptoolbox_openldap_suffix }} +{% for rule in ldaptoolbox_openldap_access_list %} +olcAccess: {{ rule }} +{% endfor %} +olcAddContentAcl: FALSE olcLastMod: TRUE +olcLastBind: TRUE {% for limit in ldaptoolbox_openldap_database_olcLimits %} olcLimits: {{ limit }} {% endfor %} 
@@ -112,18 +138,24 @@ olcReadOnly: FALSE olcRootDN: {{ ldaptoolbox_openldap_database_olcRootDN }} olcRootPW: {{ ldaptoolbox_openldap_database_olcRootPW_hash }} olcSyncUseSubentry: FALSE -olcLastBind: TRUE -{% for syncrepl in ldaptoolbox_openldap_syncrepl %} -olcSyncrepl: rid={{ syncrepl.rid }} provider={{ syncrepl.provider }} bindmethod=simple timeout=0 network-timeout=0 binddn="{{ syncrepl.binddn }}" credentials="{{ syncrepl.password }}" keepalive=0:0:0 starttls=no {% if syncrepl.tlscert %}tls_cert="{{ syncrepl.tlscert }}" tls_key={{ syncrepl.tlskey }}" tls_cacert="{{ syncrepl.tlscacert }}" tls_reqcert="{{ syncrepl.tlsreqcert }}"{% endif %} filter="(objectclass=*)" searchbase="{{ syncrepl.searchbase }}" scope="{{ syncrepl.scope }}" schemachecking=on type="{{ syncrepl.type }}" retry="{{ syncrepl.retry }}" -{% endfor %} -{% if ldaptoolbox_openldap_syncrepl|length > 0 %} -olcMultiProvider: TRUE -{% endif %} olcMonitoring: TRUE +olcDbDirectory: /usr/local/openldap/var/openldap-data +olcDbNoSync: FALSE {% for index in ldaptoolbox_openldap_database_olcDbIndexes %} olcDbIndex: {{ index }} {% endfor %} olcDbMaxSize: {{ ldaptoolbox_openldap_database_olcDbMaxSize }} +olcDbMaxReaders: 0 +olcDbMode: 0600 +olcDbSearchStack: 16 +olcDbMaxEntrySize: 0 +olcDbRtxnSize: 10000 +{% for syncrepl in ldaptoolbox_openldap_syncrepl %} +olcSyncrepl: rid={{ syncrepl.rid }} provider="{{ syncrepl.provider }}" bindmethod=simple binddn="{{ syncrepl.binddn }}" credentials="{{ syncrepl.password }}" keepalive=0:0:0 starttls=no {% if syncrepl.tlscert is defined and syncrepl.tlscert %}tls_cert="{{ syncrepl.tlscert }}" tls_key="{{ syncrepl.tlskey }}" tls_cacert="{{ syncrepl.tlscacert }}" tls_reqcert="{{ syncrepl.tlsreqcert }}" starttls="{{ syncrepl.starttls }}" tls_cipher_suite="{{ syncrepl.tls_cipher_suite }}" tls_protocol_min="{{ syncrepl.tls_protocol_min }}" tls_crlcheck={{ syncrepl.tls_crlcheck }}{% endif %} searchbase="{{ syncrepl.searchbase }}" scope="{{ syncrepl.scope }}" schemachecking=on 
type="{{ syncrepl.type }}" retry="{{ syncrepl.retry }}" timeout="{{ syncrepl.timeout }}" network-timeout="{{ syncrepl.networktimeout }}" keepalive="{{ syncrepl.keepalive }}" filter="{{ syncrepl.filter }}" schemachecking="{{ syncrepl.schemachecking }}" +{% endfor %} +{% if ldaptoolbox_openldap_olcServerID is defined and ldaptoolbox_openldap_olcServerID %} +olcMultiProvider: TRUE +{% endif %} dn: olcOverlay={0}syncprov,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig 
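Review bot: The rendered olcSyncrepl value repeats keywords: `keepalive=0:0:0 starttls=no` is emitted unconditionally, then `starttls="{{ syncrepl.starttls }}"` inside the TLS branch and `keepalive="{{ syncrepl.keepalive }}"` at the end, and `schemachecking=on` appears before `schemachecking="{{ syncrepl.schemachecking }}"`. Which value wins depends on slapd's parser, and a consumer without `tlscert` can never turn STARTTLS on; drop the hard-coded `keepalive=0:0:0 starttls=no` and the first `schemachecking=on` and let the per-entry variables be the only source. `tls_cacert` and `tls_reqcert` are emitted only when a client certificate (`syncrepl.tlscert`) is set, although server verification is needed regardless of client authentication — gate `tls_cert`/`tls_key` on `syncrepl.tlscert` and `tls_cacert`/`tls_reqcert` on `syncrepl.tlscacert` separately. The line also carries `credentials="..."` in clear; the task that writes this rendered LDIF to /var/backups/openldap is outside this diff — confirm it is root-owned with mode 0600.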
@@ -136,32 +168,41 @@ dn: olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcPPolicyConfig olcOverlay: {1}ppolicy +{% if ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyDefault is defined and ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyDefault %} olcPPolicyDefault: {{ ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyDefault }} +{% endif %} olcPPolicyHashCleartext: {{ ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyHashCleartext }} olcPPolicyUseLockout: {{ ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyUseLockout }} +{% if ldaptoolbox_openldap_overlay_refint_olcRefintAttribute is defined and ldaptoolbox_openldap_overlay_refint_olcRefintAttribute %} dn: olcOverlay={2}refint,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcRefintConfig olcOverlay: {2}refint olcRefintAttribute: {{ ldaptoolbox_openldap_overlay_refint_olcRefintAttribute }} +{% if ldaptoolbox_openldap_overlay_refint_olcRefintNothing is defined and ldaptoolbox_openldap_overlay_refint_olcRefintNothing %} olcRefintNothing: {{ ldaptoolbox_openldap_overlay_refint_olcRefintNothing }} +{% endif %} +{% endif %} +{% if ldaptoolbox_openldap_overlay_dynlist_olcDlAttrSet is defined and ldaptoolbox_openldap_overlay_dynlist_olcDlAttrSet %} dn: olcOverlay={3}dynlist,olcDatabase={1}mdb,cn=config objectClass: olcOverlayConfig objectClass: olcDynamicList olcOverlay: {3}dynlist olcDlAttrSet: {{ ldaptoolbox_openldap_overlay_dynlist_olcDlAttrSet }} +{% endif %} dn: olcDatabase={2}monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: {2}monitor olcRootDN: {{ ldaptoolbox_openldap_monitor_olcRootDN }} olcRootPW: {{ ldaptoolbox_openldap_monitor_olcRootPW_hash }} +olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage olcAddContentAcl: FALSE olcLastMod: TRUE +olcLastBind: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcSyncUseSubentry: FALSE olcMonitoring: FALSE - 
diff --git a/tests/inventory b/tests/inventory
deleted file mode 100644
index 878877b..0000000
--- a/tests/inventory
+++ /dev/null
@@ -1,2 +0,0 @@
-localhost
-
diff --git a/tests/multimaster1.yml b/tests/multimaster1.yml
deleted file mode 100644
index 9376540..0000000
--- a/tests/multimaster1.yml
+++ /dev/null
@@ -1,60 +0,0 @@ -################################################################################ -# example of playbook for 2 multi-master cluster (1st node) -################################################################################ ---- -- hosts: localhost - remote_user: root - vars_files: - - credentials-vault.yml - vars: - # Define suffix - - ldaptoolbox_openldap_suffix: "dc=my-organization,dc=com" - # include extra schema - - ldaptoolbox_openldap_custom_schema_srcdir: "{{ playbook_dir }}/files/ldaptoolbox.oldap/usr/local/openldap/etc/openldap/schema" - - ldaptoolbox_openldap_custom_schema_list: [ custom.ldif ] - # define certificates (must be deployed before) - - ldaptoolbox_openldap_olcTLSCACertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ca-certificates.crt' }}" - - ldaptoolbox_openldap_olcTLSCertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ssl-cert-snakeoil.pem' }}" - - ldaptoolbox_openldap_olcTLSCertificateKeyFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/private/ssl-cert-snakeoil.key' }}" - # Accounts and passwords - - ldaptoolbox_openldap_config_olcRootDN: cn=admin,cn=config - - ldaptoolbox_openldap_config_olcRootPW_hash: "{{ ldaptoolbox_openldap_config_olcRootPW_hash_vault }}" - - ldaptoolbox_openldap_database_olcRootDN: "cn=admin,{{ ldaptoolbox_openldap_suffix }}" - - ldaptoolbox_openldap_database_olcRootPW_hash: "{{ ldaptoolbox_openldap_database_olcRootPW_hash_vault }}" - - ldaptoolbox_openldap_monitor_olcRootDN: "cn=monitor" - - ldaptoolbox_openldap_monitor_olcRootPW_hash: "{{ ldaptoolbox_openldap_monitor_olcRootPW_hash_vault }}" - # unlimitation for synchronization account (to be defined in data) - - ldaptoolbox_openldap_database_olcLimits: - - "dn.base=uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }} size=unlimited time=unlimited" - - "dn.base=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth size=unlimited time=unlimited" - # ACLs from 
default role variables - # Replication - - ldaptoolbox_openldap_olcServerID: 1 - - ldaptoolbox_openldap_syncrepl: - - rid: "001" - provider: "ldap://localhost:389/" - tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}" - tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}" - tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}" - tlsreqcert: "demand" - binddn: "uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}" - password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}" - searchbase: "{{ ldaptoolbox_openldap_suffix }}" - scope: "sub" - type: "refreshAndPersist" - retry: "5 5 300 +" - - rid: "002" - provider: "ldap://localhost:389/" - tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}" - tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}" - tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}" - tlsreqcert: "demand" - binddn: "uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}" - password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}" - searchbase: "{{ ldaptoolbox_openldap_suffix }}" - scope: "sub" - type: "refreshAndPersist" - retry: "5 5 300 +" - # overlay configuration from default role variables - roles: - - ansible-role-ldaptoolbox-openldap diff --git a/tests/multimaster2.yml b/tests/multimaster2.yml deleted file mode 100644 index b66b475..0000000 --- a/tests/multimaster2.yml +++ /dev/null 
@@ -1,60 +0,0 @@ -################################################################################ -# example of playbook for 2 multi-master cluster (2nd node) -################################################################################ ---- -- hosts: localhost - remote_user: root - vars_files: - - credentials-vault.yml - vars: - # Define suffix - - ldaptoolbox_openldap_suffix: "dc=my-organization,dc=com" - # include extra schema - - ldaptoolbox_openldap_custom_schema_srcdir: "{{ playbook_dir }}/files/ldaptoolbox.oldap/usr/local/openldap/etc/openldap/schema" - - ldaptoolbox_openldap_custom_schema_list: [ custom.ldif ] - # define certificates (must be deployed before) - - ldaptoolbox_openldap_olcTLSCACertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ca-certificates.crt' }}" - - ldaptoolbox_openldap_olcTLSCertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ssl-cert-snakeoil.pem' }}" - - ldaptoolbox_openldap_olcTLSCertificateKeyFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/private/ssl-cert-snakeoil.key' }}" - # Accounts and passwords - - ldaptoolbox_openldap_config_olcRootDN: cn=admin,cn=config - - ldaptoolbox_openldap_config_olcRootPW_hash: "{{ ldaptoolbox_openldap_config_olcRootPW_hash_vault }}" - - ldaptoolbox_openldap_database_olcRootDN: "cn=admin,{{ ldaptoolbox_openldap_suffix }}" - - ldaptoolbox_openldap_database_olcRootPW_hash: "{{ ldaptoolbox_openldap_database_olcRootPW_hash_vault }}" - - ldaptoolbox_openldap_monitor_olcRootDN: "cn=monitor" - - ldaptoolbox_openldap_monitor_olcRootPW_hash: "{{ ldaptoolbox_openldap_monitor_olcRootPW_hash_vault }}" - # unlimitation for synchronization account (to be defined in data) - - ldaptoolbox_openldap_database_olcLimits: - - "dn.base=uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }} size=unlimited time=unlimited" - - "dn.base=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth size=unlimited time=unlimited" - # ACLs from 
default role variables - # Replication - - ldaptoolbox_openldap_olcServerID: 2 - - ldaptoolbox_openldap_syncrepl: - - rid: "001" - provider: "ldap://localhost:389/" - tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}" - tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}" - tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}" - tlsreqcert: "demand" - binddn: "uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}" - password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}" - searchbase: "{{ ldaptoolbox_openldap_suffix }}" - scope: "sub" - type: "refreshAndPersist" - retry: "5 5 300 +" - - rid: "002" - provider: "ldap://localhost:389/" - tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}" - tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}" - tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}" - tlsreqcert: "demand" - binddn: "uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}" - password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}" - searchbase: "{{ ldaptoolbox_openldap_suffix }}" - scope: "sub" - type: "refreshAndPersist" - retry: "5 5 300 +" - # overlay configuration from default role variables - roles: - - ansible-role-ldaptoolbox-openldap