add ldap role with slapd and fusiondirectory

roles/ldap/DESIGN.md

@@ -0,0 +1,62 @@
+# LDAP
+
+- Run this role
+
+- Execute `sudo fusiondirectory-setup --check-ldap`
+    - Answer Y, Y, admin, {{ slapd_admin_password }}, Y
+
+- Now go to users.DOMAIN and the setup wizard should run
+
+- Go through it and do everything it wants.
+
+- When done, it gives you a configuration file. This should be equivalent
+  to the one already on the system as .bak. So just run this command, or upload again:
+  `sudo mv /etc/fusiondirectory/fusiondirectory.conf.bak /etc/fusiondirectory/fusiondirectory.conf`
+
+- You can now login as the admin user you created.
+
+To setup eg. Nextcloud LDAP login, give it the following credentials:
+Username: uid=admin,ou=people,dc=DOMAIN,dc=TLD
+Password: {{ slapd_admin_password }}
+Base DN: dc=DOMAIN,dc=TLD
+
+## ToDo
+
+These two steps are currently missing for full automation of the FusionDirectory Setup.
+
+-----
+
+Add required object classes to the LDAP base
+Current
+
+dn: dc=shagohod,dc=de
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+
+
+After migration
+
+dn: dc=shagohod,dc=de
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+xxx  objectClass: gosaDepartment
+xxx  ou: shagohod
+xxx  description: shagohod
+
+-----
+
+Default ACL roles have been inserted
+
+## Reset
+
+To start from a fresh state:
+
+    sudo apt-get remove slapd fusiondirectory
+    echo PURGE | sudo debconf-communicate slapd
+    sudo rm -rf /etc/fusiondirectory/fusiondirectory.conf
+    sudo rm -rf /etc/ldap/slapd.d
+    sudo rm -rf /var/backups/slapd*
+    sudo rm -rf /var/lib/ldap/data.mdb
+    sudo rm -rf /var/lib/ldap/lock.mdb

roles/ldap/defaults/main.yml

@@ -0,0 +1,8 @@
+ldap_domain: "{{ domain }}"
+ldap_subdomain: 'users'
+ldap_orga: "{{ ldap_domain }}"
+
+# TODO split auto
+ldap_domain_string: "dc=shagohod,dc=de"
+
+slapd_admin_password: "{{ lookup('password', secret + '/' + 'slapd_admin_password length=32') }}"

roles/ldap/handlers/main.yml

@@ -0,0 +1,2 @@
+- name: restart apache
+  service: name=apache2 state=restarted

roles/ldap/tasks/fusiondirectory.yml

@@ -0,0 +1,40 @@
+- name: Install FusionDirectory from Debian repository
+  apt:
+    name: "{{ packages }}"
+    state: present
+    update_cache: yes
+  vars:
+    packages:
+    - fusiondirectory
+    - fusiondirectory-schema
+    - expect
+  tags:
+    - dependencies
+
+- name: Create the FusionDirectory config file
+  template:
+    src=etc_fusiondirectory_fusiondirectory.conf.j2
+    dest=/etc/fusiondirectory/fusiondirectory.conf.bak
+    owner=root
+    group=www-data
+    mode=0640
+
+- name: Install FusionDirectory LDAP schema
+  command: fusiondirectory-insert-schema
+
+- name: Disable default Apache FusionDirectory config
+  command: a2disconf fusiondirectory.conf removes=/etc/apache2/conf-enabled/fusiondirectory.conf
+  notify: restart apache
+
+- name: Create the Apache LDAP sites config files
+  template:
+    src=etc_apache2_sites-available_ldap.j2
+    dest=/etc/apache2/sites-available/ldap_{{ item.name }}.conf
+    owner=root
+    group=root
+  with_items: "{{ virtual_domains }}"
+
+- name: Enable Apache sites (creates new sites-enabled symlinks)
+  command: a2ensite ldap_{{ item }}.conf creates=/etc/apache2/sites-enabled/ldap_{{ item }}.conf
+  notify: restart apache
+  with_items: "{{ virtual_domains | json_query('[*].name') }}"

roles/ldap/tasks/main.yml

@@ -0,0 +1,2 @@
+- include: slapd.yml tags=ldap
+- include: fusiondirectory.yml tags=ldap

roles/ldap/tasks/slapd.yml

@@ -0,0 +1,77 @@
+- name: Set slapd admin password
+  debconf:
+    name: slapd
+    question: "{{ item }}"
+    value: "{{ slapd_admin_password }}"
+    vtype: string
+  with_items:
+    - slapd/password1
+    - slapd/password2
+  tags:
+    - dependencies
+
+- name: Set slapd domain
+  debconf:
+    name: slapd
+    question: slapd/domain
+    value: "{{ ldap_domain }}"
+    vtype: string
+  tags:
+    - dependencies
+
+- name: Set slapd orga
+  debconf:
+    name: slapd
+    question: slapd/organization
+    value: "{{ ldap_orga }}"
+    vtype: string
+  tags:
+    - dependencies
+
+- name: Set some slapd defaults (no_configuration)
+  debconf:
+    name: slapd
+    question: slapd/no_configuration
+    value: false
+    vtype: boolean
+  tags:
+    - dependencies
+
+- name: Set some slapd defaults (dump_database)
+  debconf:
+    name: slapd
+    question: slapd/dump_database
+    value: always
+    vtype: select
+  tags:
+    - dependencies
+
+- name: Set some slapd defaults (move_old_database)
+  debconf:
+    name: slapd
+    question: slapd/move_old_database
+    value: true
+    vtype: boolean
+  tags:
+    - dependencies
+
+- name: Set some slapd defaults (purge_database)
+  debconf:
+    name: slapd
+    question: slapd/purge_database
+    value: false
+    vtype: boolean
+  tags:
+    - dependencies
+
+- name: Install slapd and utilities from Debian repository
+  apt:
+    name: "{{ packages }}"
+    state: present
+    update_cache: yes
+  vars:
+    packages:
+    - slapd
+    - ldap-utils
+  tags:
+    - dependencies

roles/ldap/templates/etc_apache2_sites-available_ldap.j2

@@ -0,0 +1,16 @@
+<VirtualHost *:80>
+    ServerName {{ ldap_subdomain }}.{{ item.name }}
+
+    Redirect temp / https://{{ ldap_subdomain }}.{{ item.name }}/
+</VirtualHost>
+
+<VirtualHost *:443>
+    ServerName {{ ldap_subdomain }}.{{ item.name }}
+
+    SSLEngine               On
+    DocumentRoot            /usr/share/fusiondirectory/html
+    Options                 -Indexes
+    LogLevel                warn
+    ErrorLog                /var/log/apache2/ldap.info-error_log
+    CustomLog               /var/log/apache2/ldap.info-access_log common
+</VirtualHost>

roles/ldap/templates/etc_fusiondirectory_fusiondirectory.conf.j2

@@ -0,0 +1,26 @@
+<?xml version="1.0"?>
+<conf>
+  <!-- Main section **********************************************************
+       The main section defines global settings, which might be overridden by
+       each location definition inside.
+
+       For more information about the configuration parameters, take a look at
+       the FusionDirectory.conf(5) manual page.
+  -->
+  <main default="default"
+        logging="TRUE"
+        displayErrors="FALSE"
+        forceSSL="TRUE"
+        templateCompileDirectory="/var/spool/fusiondirectory/"
+        debugLevel="0"
+    >
+
+    <!-- Location definition -->
+    <location name="default"
+    >
+        <referral URI="ldap://localhost:389" base="{{ ldap_domain_string }}"
+                        adminDn="cn=admin,{{ ldap_domain_string }}"
+                        adminPassword="{{ slapd_admin_password }}" />
+    </location>
+  </main>
+</conf>

roles/monitoring/files/etc_monit_conf.d_slapd

@@ -0,0 +1,8 @@
+check process slapd with pidfile /var/run/slapd/slapd.pid
+  group ldap
+  start program = "/bin/systemctl start slapd"
+  stop program = "/bin/systemctl stop slapd"
+  if failed port 389 protocol LDAP3
+    with timeout 10 seconds
+    then restart
+  if 5 restarts within 5 cycles then timeout

roles/monitoring/tasks/monit.yml

@@ -121,6 +121,10 @@
   stat: path=/etc/ssh/sshd_config
   register: sshd_config_file
 
+- name: Determine if slapd is installed
+  stat: path=/usr/sbin/slapd
+  register: slapd_config_file
+
 - name: Determine if pgsql_deb9 is installed
   stat: path=/etc/postgresql/9.6/main/pg_ctl.conf
   register: pgsql9_config_file
@@ -253,6 +257,11 @@
   notify: restart monit
   when: sshd_config_file.stat.exists == True
 
+- name: Copy slapd monit service config files into place
+  copy: src=etc_monit_conf.d_slapd dest=/etc/monit/conf.d/slapd
+  notify: restart monit
+  when: slapd_config_file.stat.exists == True
+
 - name: Copy pgsql deb9 monit service config files into place
   copy: src=etc_monit_conf.d_pgsql_deb9 dest=/etc/monit/conf.d/pgsql_deb9
   notify: restart monit

roles/nextcloud/tasks/nextcloud.yml

@@ -104,7 +104,7 @@
   command: php occ app:install contacts
   args:
     chdir: /var/www/nextcloud
-    creates: /var/www/nextcloud/apps/contacts/COPYING
+  ignore_errors: True
 
 - name: Install NextCloud calendar app
   become: true
@@ -112,7 +112,22 @@
   command: php occ app:install calendar
   args:
     chdir: /var/www/nextcloud
-    creates: /var/www/nextcloud/apps/calendar/COPYING
+  ignore_errors: True
+
+- name: Install NextCloud LDAP app
+  become: true
+  become_user: www-data
+  command: php occ app:install user_ldap
+  args:
+    chdir: /var/www/nextcloud
+  ignore_errors: True
+
+#- name: Update installed Nextcloud apps
+#  become: true
+#  become_user: www-data
+#  command: php occ app:update
+#  args:
+#    chdir: /var/www/nextcloud
 
 - name: Add our domains to the NextCloud trusted domains
   lineinfile: