
add ldap role with slapd and fusiondirectory

Thomas Buck 3 years ago
parent
commit
ac59b73845

+ 62
- 0
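--- a/roles/ldap/DESIGN.md
+++ b/roles/ldap/DESIGN.md
@@ -0,0 +1,62 @@
+# LDAP
+
+- Run this role
+
+- Execute `sudo fusiondirectory-setup --check-ldap`
+    - Answer Y, Y, admin, {{ slapd_admin_password }}, Y
+
+- Now go to users.DOMAIN and the setup wizard should run
+
+- Go through it and do everything it wants.
+
+- When done, it gives you a configuration file. This should be equivalent
+  to the one already on the system as .bak. So just run this command, or upload again:
+  `sudo mv /etc/fusiondirectory/fusiondirectory.conf.bak /etc/fusiondirectory/fusiondirectory.conf`
+
+- You can now login as the admin user you created.
+
+To setup eg. Nextcloud LDAP login, give it the following credentials:
+Username: uid=admin,ou=people,dc=DOMAIN,dc=TLD
+Password: {{ slapd_admin_password }}
+Base DN: dc=DOMAIN,dc=TLD
+
+## ToDo
+
+These two steps are currently missing for full automation of the FusionDirectory Setup.
+
+-----
+
+Add required object classes to the LDAP base
+Current
+
+dn: dc=shagohod,dc=de
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+
+
+After migration
+
+dn: dc=shagohod,dc=de
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+xxx  objectClass: gosaDepartment
+xxx  ou: shagohod
+xxx  description: shagohod
+
+-----
+
+Default ACL roles have been inserted
+
+## Reset
+
+To start from a fresh state:
+
+    sudo apt-get remove slapd fusiondirectory
+    echo PURGE | sudo debconf-communicate slapd
+    sudo rm -rf /etc/fusiondirectory/fusiondirectory.conf
+    sudo rm -rf /etc/ldap/slapd.d
+    sudo rm -rf /var/backups/slapd*
+    sudo rm -rf /var/lib/ldap/data.mdb
+    sudo rm -rf /var/lib/ldap/lock.mdb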

+ 8
- 0
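--- a/roles/ldap/defaults/main.yml
+++ b/roles/ldap/defaults/main.yml
@@ -0,0 +1,8 @@
+ldap_domain: "{{ domain }}"
+ldap_subdomain: 'users'
+ldap_orga: "{{ ldap_domain }}"
+
+# TODO split auto
+ldap_domain_string: "dc=shagohod,dc=de"
+
+slapd_admin_password: "{{ lookup('password', secret + '/' + 'slapd_admin_password length=32') }}"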
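Review bot: `ldap_domain_string` on line 6 is hard-coded to `dc=shagohod,dc=de` while `ldap_domain` on line 1 is templated from `{{ domain }}`, so the base DN silently diverges from the configured domain for any other deployment; the `# TODO split auto` above it can be closed by deriving the value: `ldap_domain_string: "dc={{ ldap_domain.split('.') | join(',dc=') }}"`. The `slapd_admin_password` lookup on line 8 generates the secret on first use and persists it as a file under the `secret` path on the controller, so that directory holds the directory admin credential in clear and must stay out of version control. A one-line comment above the lookup stating that the file is the only copy of the generated password would save the next maintainer from re-generating it by accident.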

+ 2
- 0
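--- a/roles/ldap/handlers/main.yml
+++ b/roles/ldap/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: restart apache
+  service: name=apache2 state=restarted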
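Review bot: The handler uses the `key=value` shorthand for `service:` while the new `debconf:` and `apt:` tasks in this role are written as native YAML mappings; for consistency write it as `service:` / `  name: apache2` / `  state: restarted`. The handler name `restart apache` is what the `notify:` lines in tasks/fusiondirectory.yml reference, so the name itself must stay unchanged.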

+ 40
- 0
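--- a/roles/ldap/tasks/fusiondirectory.yml
+++ b/roles/ldap/tasks/fusiondirectory.yml
@@ -0,0 +1,40 @@
+- name: Install FusionDirectory from Debian repository
+  apt:
+    name: "{{ packages }}"
+    state: present
+    update_cache: yes
+  vars:
+    packages:
+    - fusiondirectory
+    - fusiondirectory-schema
+    - expect
+  tags:
+    - dependencies
+
+- name: Create the FusionDirectory config file
+  template:
+    src=etc_fusiondirectory_fusiondirectory.conf.j2
+    dest=/etc/fusiondirectory/fusiondirectory.conf.bak
+    owner=root
+    group=www-data
+    mode=0640
+
+- name: Install FusionDirectory LDAP schema
+  command: fusiondirectory-insert-schema
+
+- name: Disable default Apache FusionDirectory config
+  command: a2disconf fusiondirectory.conf removes=/etc/apache2/conf-enabled/fusiondirectory.conf
+  notify: restart apache
+
+- name: Create the Apache LDAP sites config files
+  template:
+    src=etc_apache2_sites-available_ldap.j2
+    dest=/etc/apache2/sites-available/ldap_{{ item.name }}.conf
+    owner=root
+    group=root
+  with_items: "{{ virtual_domains }}"
+
+- name: Enable Apache sites (creates new sites-enabled symlinks)
+  command: a2ensite ldap_{{ item }}.conf creates=/etc/apache2/sites-enabled/ldap_{{ item }}.conf
+  notify: restart apache
+  with_items: "{{ virtual_domains | json_query('[*].name') }}"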
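Review bot: The `command: fusiondirectory-insert-schema` task (line 23) runs unconditionally: it has neither `creates:` nor `changed_when:`, so it re-executes and reports changed on every play, unlike the `a2disconf` and `a2ensite` tasks below it, which are guarded with `removes=` and `creates=`. If the tool is safe to re-run, the minimum is `register: fd_schema` plus `changed_when: "'<marker text from its stdout, to confirm>' in fd_schema.stdout"`; otherwise guard on a file it leaves behind (path to be confirmed on a real run). The two `template:` tasks put `key=value` lines inside a block mapping, a form that is easy to mis-indent; the `apt:` task at the top of the same file already shows the native mapping form, and `mode=0640` is the right choice for the `.bak` since it carries the admin password in clear. A one-line comment above the config task explaining why the rendered file is written as `.bak` (the DESIGN.md step that moves it into place) would make the flow self-explanatory.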

+ 2
- 0
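--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
@@ -0,0 +1,2 @@
+- include: slapd.yml tags=ldap
+- include: fusiondirectory.yml tags=ldap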
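Review bot: `include:` with the inline `tags=ldap` shorthand is the form Ansible deprecated in 2.4 in favour of `import_tasks:`/`include_tasks:`; if the project's controller is on 2.4 or later, `- import_tasks: slapd.yml` with a separate `tags: [ldap]` key is the supported equivalent with the same static behaviour. Order matters here (slapd must be installed and preseeded before the FusionDirectory schema is inserted), so a short comment stating that dependency above the first line would protect it from a later reordering.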

+ 77
- 0
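--- a/roles/ldap/tasks/slapd.yml
+++ b/roles/ldap/tasks/slapd.yml
@@ -0,0 +1,77 @@
+- name: Set slapd admin password
+  debconf:
+    name: slapd
+    question: "{{ item }}"
+    value: "{{ slapd_admin_password }}"
+    vtype: string
+  with_items:
+    - slapd/password1
+    - slapd/password2
+  tags:
+    - dependencies
+
+- name: Set slapd domain
+  debconf:
+    name: slapd
+    question: slapd/domain
+    value: "{{ ldap_domain }}"
+    vtype: string
+  tags:
+    - dependencies
+
+- name: Set slapd orga
+  debconf:
+    name: slapd
+    question: slapd/organization
+    value: "{{ ldap_orga }}"
+    vtype: string
+  tags:
+    - dependencies
+
+- name: Set some slapd defaults (no_configuration)
+  debconf:
+    name: slapd
+    question: slapd/no_configuration
+    value: false
+    vtype: boolean
+  tags:
+    - dependencies
+
+- name: Set some slapd defaults (dump_database)
+  debconf:
+    name: slapd
+    question: slapd/dump_database
+    value: always
+    vtype: select
+  tags:
+    - dependencies
+
+- name: Set some slapd defaults (move_old_database)
+  debconf:
+    name: slapd
+    question: slapd/move_old_database
+    value: true
+    vtype: boolean
+  tags:
+    - dependencies
+
+- name: Set some slapd defaults (purge_database)
+  debconf:
+    name: slapd
+    question: slapd/purge_database
+    value: false
+    vtype: boolean
+  tags:
+    - dependencies
+
+- name: Install slapd and utilities from Debian repository
+  apt:
+    name: "{{ packages }}"
+    state: present
+    update_cache: yes
+  vars:
+    packages:
+    - slapd
+    - ldap-utils
+  tags:
+    - dependencies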
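Review bot: The first task writes `slapd_admin_password` into `slapd/password1` and `slapd/password2` with `vtype: string` and no `no_log`, so the clear-text admin password is part of the task result for every `with_items` iteration and lands in verbose output, callback plugins and any log aggregation of the play. The slapd questions are password-type entries, so use `vtype: password` and add `no_log: true` on that task. `update_cache: yes` on the `apt:` task is a YAML-1.1 truthy alias while the `value:` fields in the same file already use `true`/`false`; match that. The preseed tasks must run before the `apt:` install at the bottom for the answers to be picked up — a one-line comment above the first task saying so would keep someone from "tidying" the install to the top.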

+ 16
- 0
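--- a/roles/ldap/templates/etc_apache2_sites-available_ldap.j2
+++ b/roles/ldap/templates/etc_apache2_sites-available_ldap.j2
@@ -0,0 +1,16 @@
+<VirtualHost *:80>
+    ServerName {{ ldap_subdomain }}.{{ item.name }}
+
+    Redirect temp / https://{{ ldap_subdomain }}.{{ item.name }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ ldap_subdomain }}.{{ item.name }}
+
+    SSLEngine               On
+    DocumentRoot            /usr/share/fusiondirectory/html
+    Options                 -Indexes
+    LogLevel                warn
+    ErrorLog                /var/log/apache2/ldap.info-error_log
+    CustomLog               /var/log/apache2/ldap.info-access_log common
+</VirtualHost>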
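Review bot: The port-80 vhost redirects with `Redirect temp`, a 302, so browsers re-try plain HTTP on every visit to a UI that handles the directory admin credentials; use `Redirect permanent / https://{{ ldap_subdomain }}.{{ item.name }}/` and consider `Header always set Strict-Transport-Security "max-age=<value>"` in the 443 vhost (placeholder max-age; needs mod_headers enabled). `SSLEngine On` appears with no `SSLCertificateFile`/`SSLCertificateKeyFile` in the vhost, so the template presumably relies on a certificate configured globally or by another role — a comment at the top of the file naming where it comes from would make that dependency visible. Every entry of `virtual_domains` renders `ErrorLog`/`CustomLog` to the same `ldap.info-*` files, which reads like a copied name; if per-domain logs are intended, put `{{ item.name }}` in the path.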

+ 26
- 0
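--- a/roles/ldap/templates/etc_fusiondirectory_fusiondirectory.conf.j2
+++ b/roles/ldap/templates/etc_fusiondirectory_fusiondirectory.conf.j2
@@ -0,0 +1,26 @@
+<?xml version="1.0"?>
+<conf>
+  <!-- Main section **********************************************************
+       The main section defines global settings, which might be overridden by
+       each location definition inside.
+
+       For more information about the configuration parameters, take a look at
+       the FusionDirectory.conf(5) manual page.
+  -->
+  <main default="default"
+        logging="TRUE"
+        displayErrors="FALSE"
+        forceSSL="TRUE"
+        templateCompileDirectory="/var/spool/fusiondirectory/"
+        debugLevel="0"
+    >
+
+    <!-- Location definition -->
+    <location name="default"
+    >
+        <referral URI="ldap://localhost:389" base="{{ ldap_domain_string }}"
+                        adminDn="cn=admin,{{ ldap_domain_string }}"
+                        adminPassword="{{ slapd_admin_password }}" />
+    </location>
+  </main>
+</conf>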
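Review bot: `adminPassword="{{ slapd_admin_password }}"` on the `<referral>` element is interpolated into an XML attribute without escaping; the lookup in defaults/main.yml uses the password lookup's default character set, which contains no XML specials, but if `chars=` is ever added to include `"`, `&` or `<` the rendered file is invalid XML and FusionDirectory stops loading. Rendering it as `adminPassword="{{ slapd_admin_password | e }}"` is byte-identical for the current charset and safe otherwise. `forceSSL="TRUE"` and `displayErrors="FALSE"` are the right production values; a short comment above `<referral>` noting that the clear-text secret in this file is protected only by the `0640 root:www-data` mode applied in tasks/fusiondirectory.yml would document the trust boundary.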

+ 8
- 0
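--- a/roles/monitoring/files/etc_monit_conf.d_slapd
+++ b/roles/monitoring/files/etc_monit_conf.d_slapd
@@ -0,0 +1,8 @@
+check process slapd with pidfile /var/run/slapd/slapd.pid
+  group ldap
+  start program = "/bin/systemctl start slapd"
+  stop program = "/bin/systemctl stop slapd"
+  if failed port 389 protocol LDAP3
+    with timeout 10 seconds
+    then restart
+  if 5 restarts within 5 cycles then timeout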

+ 9
- 0
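--- a/roles/monitoring/tasks/monit.yml
+++ b/roles/monitoring/tasks/monit.yml
@@ -121,6 +121,10 @@
   stat: path=/etc/ssh/sshd_config
   register: sshd_config_file
 
+- name: Determine if slapd is installed
+  stat: path=/usr/sbin/slapd
+  register: slapd_config_file
+
 - name: Determine if pgsql_deb9 is installed
   stat: path=/etc/postgresql/9.6/main/pg_ctl.conf
   register: pgsql9_config_file
@@ -253,6 +257,11 @@
   notify: restart monit
   when: sshd_config_file.stat.exists == True
 
+- name: Copy slapd monit service config files into place
+  copy: src=etc_monit_conf.d_slapd dest=/etc/monit/conf.d/slapd
+  notify: restart monit
+  when: slapd_config_file.stat.exists == True
+
 - name: Copy pgsql deb9 monit service config files into place
   copy: src=etc_monit_conf.d_pgsql_deb9 dest=/etc/monit/conf.d/pgsql_deb9
   notify: restart monit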
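Review bot: `register: slapd_config_file` in the first hunk stats the `/usr/sbin/slapd` binary, not a config file, so the name misleads the reader of the `when:` in the second hunk; renaming both occurrences to `slapd_binary` and writing `when: slapd_binary.stat.exists` says what is actually tested and drops the `== True` comparison. The `== True` form is copied from the neighbouring `sshd_config_file` task, so a file-wide cleanup is a reasonable follow-up rather than part of this commit. Both inserted tasks are complete within their hunks; the surrounding context tasks start and end outside them.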

+ 17
- 2
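--- a/roles/nextcloud/tasks/nextcloud.yml
+++ b/roles/nextcloud/tasks/nextcloud.yml
@@ -104,7 +104,7 @@
   command: php occ app:install contacts
   args:
     chdir: /var/www/nextcloud
-    creates: /var/www/nextcloud/apps/contacts/COPYING
+  ignore_errors: True
 
 - name: Install NextCloud calendar app
   become: true
@@ -112,7 +112,22 @@
   command: php occ app:install calendar
   args:
     chdir: /var/www/nextcloud
-    creates: /var/www/nextcloud/apps/calendar/COPYING
+  ignore_errors: True
+
+- name: Install NextCloud LDAP app
+  become: true
+  become_user: www-data
+  command: php occ app:install user_ldap
+  args:
+    chdir: /var/www/nextcloud
+  ignore_errors: True
+
+#- name: Update installed Nextcloud apps
+#  become: true
+#  become_user: www-data
+#  command: php occ app:update
+#  args:
+#    chdir: /var/www/nextcloud
 
 - name: Add our domains to the NextCloud trusted domains
   lineinfile: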
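Review bot: Swapping the `creates:` guards for `ignore_errors: True` (first hunk for contacts, second hunk for calendar, and the new `user_ldap` task) masks every failure of `php occ app:install` — a PHP fatal, a permission problem or an unreachable app store now passes silently — and each task reports changed on every run. A real guard keeps the failure signal: `register: occ_result`, `changed_when: occ_result.rc == 0` and `failed_when: occ_result.rc != 0 and '<already-installed text from occ, to confirm>' not in occ_result.stdout`. `True` should also be lowercase `true`, matching the `become: true` lines of the same tasks. The task headers for the contacts and calendar apps start outside their hunks, and the commented-out `app:update` block would be better removed or given a one-line comment saying why it is kept disabled.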
