[re2o-ldap-replica] Deploy a re2o-ldap-replica

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-05-13 00:26:33 +02:00 · 2021-05-13 00:26:33 +02:00 · 05c641fa7e
parent b14fd01ce0
commit 05c641fa7e
7 changed files with 1486 additions and 0 deletions
--- a/group_vars/re2o_ldap_replica.yml
+++ b/group_vars/re2o_ldap_replica.yml
@ -0,0 +1,8 @@
+---
+glob_re2o_ldap_replica:
+  replicator:
+    username: replicator
+    password: "{{ vault.ldap_replication_re2o_credentials }}"
+  suffix: dc=crans,dc=org
+  url: "ldaps://{{ query('ldap', 'ip', 're2o-ldap', 'adm') | ipv4 | first }}:636"
+  root_password_hash: "{{ vault.ldap_master_password_hash }}"
--- a/3
+++ b/3
@ -158,6 +158,9 @@ radius
 re2o.adm.crans.org
 re2o.cachan-adm.crans.org

+[re2o_ldap_replica:children]
+adh_server
+
 [reverseproxy]
 hodaur.adm.crans.org
 rodauh.cachan-adm.crans.org
--- a/plays/slapd.yml
+++ b/plays/slapd.yml
@ -5,3 +5,9 @@
    slapd: '{{ glob_slapd | default({}) | combine(loc_slapd | default({})) }}'
  roles:
    - slapd
+
+- hosts: re2o_ldap_replica
+  vars:
+    re2o_ldap_replica: '{{ glob_re2o_ldap_replica | default({}) | combine(loc_re2o_ldap_replica | default({})) }}'
+  roles:
+    - re2o-ldap-replica
--- a/roles/re2o-ldap-replica/tasks/main.yml
+++ b/roles/re2o-ldap-replica/tasks/main.yml
@ -0,0 +1,84 @@
+---
+- name: Install slapd
+  apt:
+    name:
+      - ldap-utils
+      - libio-socket-ssl-perl
+      - slapd
+    update_cache: true
+    install_recommends: false
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Check if installation was done
+  stat:
+    path: /root/.delete_me_to_reset_ldap_configuration
+  register: installation
+
+- name: Stop slapd
+  when: not installation.stat.exists
+  systemd:
+    name: slapd
+    state: stopped
+
+- name: Delete old slapd configuration and data
+  when: not installation.stat.exists
+  file:
+    path: '{{ item }}'
+    state: absent
+  loop:
+    - /etc/ldap/slapd.d
+    - /var/lib/ldap
+
+- name: Create slapd configuration and data directory
+  file:
+    path: '{{ item }}'
+    state: directory
+    owner: openldap
+    group: openldap
+    mode: 0700
+  loop:
+    - /etc/ldap/slapd.d
+    - /var/lib/ldap
+
+- name: Copy ldiff files
+  template:
+    src: 'ldap/{{ item }}.ldiff.j2'
+    dest: '/tmp/{{ item }}.ldiff'
+    owner: openldap
+    group: openldap
+    mode: 0600
+  loop:
+    - db
+    - schema
+    - consumer_simple_sync
+
+- name: Initialize re2o-ldap schema
+  when: not installation.stat.exists
+  shell: slapadd -n 0 -l /tmp/schema.ldiff -F /etc/ldap/slapd.d/
+  become_user: openldap
+
+- name: Initialize re2o-ldap database
+  when: not installation.stat.exists
+  shell: slapadd -n 1 -l /tmp/db.ldiff
+  become_user: openldap
+
+- name: Start slapd
+  when: not installation.stat.exists
+  systemd:
+    name: slapd
+    state: started
+
+- name: Enable data replication
+  when: not installation.stat.exists
+  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/consumer_simple_sync.ldiff
+
+- name: Touch installation marker
+  when: not installation.stat.exists
+  file:
+    path: /root/.delete_me_to_reset_ldap_configuration
+    state: touch
+    owner: root
+    group: root
+    mode: 0600
--- a/roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldiff.j2
+++ b/roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldiff.j2
@ -0,0 +1,19 @@
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+add: olcSyncrepl
+olcSyncrepl: rid=1
+        provider={{ re2o_ldap_replica.url }}
+        bindmethod=simple
+        binddn="cn={{ re2o_ldap_replica.replicator.username }},{{ re2o_ldap_replica.suffix }}"
+        credentials={{ re2o_ldap_replica.replicator.password }}
+        searchbase="{{ re2o_ldap_replica.suffix }}"
+        scope=sub
+        schemachecking=on
+        type=refreshAndPersist
+        timeout=0
+        network-timeout=0
+        retry="30 20 300 +"
+        tls_reqcert=allow
+-
+add: olcUpdateRef
+olcUpdateRef: {{ re2o_ldap_replica.url }}
--- a/roles/re2o-ldap-replica/templates/ldap/db.ldiff.j2
+++ b/roles/re2o-ldap-replica/templates/ldap/db.ldiff.j2
@ -0,0 +1,183 @@
+dn: {{ re2o_ldap_replica.suffix }}
+o: rezo
+structuralObjectClass: organization
+entryUUID: fc97a0fe-514b-1034-9e4d-59675b32507b
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20150225150906Z
+description: ldap
+objectClass: top
+objectClass: dcObject
+objectClass: organization
+entryCSN: 20151003212702.245118Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20151003212702Z
+contextCSN: 20161004233332.689769Z#000000#000#000000
+
+dn: cn=admin,{{ re2o_ldap_replica.suffix }}
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+structuralObjectClass: organizationalRole
+entryUUID: fc97fa72-514b-1034-9e4e-59675b32507b
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20150225150906Z
+description:: TERBUCBhZG1pbmlzdHJhdG9yDQo=
+userPassword: {{ re2o_ldap_replica.root_password_hash }}
+entryCSN: 20160604005945.576566Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20160604005945Z
+
+dn: cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}
+gidNumber: 500
+cn: Utilisateurs
+structuralObjectClass: posixGroup
+entryUUID: 5d53854e-5204-1034-8c61-8da535cabdfc
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20150226130856Z
+sambaSID: 500
+uid: Users
+objectClass: posixGroup
+objectClass: top
+objectClass: sambaSamAccount
+objectClass: radiusprofile
+entryCSN: 20150226130950.194154Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20150226130950Z
+
+dn: ou=groups,{{ re2o_ldap_replica.suffix }}
+objectClass: organizationalUnit
+description: Groupes d'utilisateurs
+ou: groups
+structuralObjectClass: organizationalUnit
+entryUUID: 986aa1b6-bb86-1035-9a4c-2ff0c800ec24
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20160531142039Z
+entryCSN: 20160531142039.780151Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20160531142039Z
+
+dn: ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}
+objectClass: organizationalUnit
+description: Groupes de comptes techniques
+ou: services
+structuralObjectClass: organizationalUnit
+entryUUID: cbb56904-bc6a-1035-9fbb-3dc3850d88ba
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20160601173411Z
+entryCSN: 20160601173411.088359Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20160601173411Z
+
+dn: ou=service-users,{{ re2o_ldap_replica.suffix }}
+objectClass: organizationalUnit
+description: Utilisateurs techniques de l'annuaire
+ou: service-users
+structuralObjectClass: organizationalUnit
+entryUUID: 0e397270-bc6b-1035-9fbd-3dc3850d88ba
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20160601173602Z
+entryCSN: 20160601173602.683304Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20160601173602Z
+
+dn: cn=freeradius,ou=service-users,{{ re2o_ldap_replica.suffix }}
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: freeradius
+userPassword: {{ re2o_ldap_replica.root_password_hash }}
+structuralObjectClass: applicationProcess
+entryUUID: 8596e4ec-bc6b-1035-9fbf-3dc3850d88ba
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20160601173922Z
+entryCSN: 20160601173922.944598Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20160601173922Z
+
+dn: cn=nssauth,ou=service-users,{{ re2o_ldap_replica.suffix }}
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: nssauth
+structuralObjectClass: applicationProcess
+entryUUID: cfbdadc6-bc6b-1035-9fc4-3dc3850d88ba
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20160601174127Z
+userPassword: {{ re2o_ldap_replica.root_password_hash }}
+entryCSN: 20160603093724.770069Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20160603093724Z
+
+dn: cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}
+objectClass: groupOfNames
+cn: auth
+member: cn=nssauth,ou=service-users,{{ re2o_ldap_replica.suffix }}
+structuralObjectClass: groupOfNames
+entryUUID: 98524836-bc6d-1035-9fc7-3dc3850d88ba
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20160601175413Z
+entryCSN: 20160620005705.309928Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20160620005705Z
+
+dn: ou=posix,ou=groups,{{ re2o_ldap_replica.suffix }}
+objectClass: organizationalUnit
+description: Groupes de comptes POSIX
+ou: posix
+structuralObjectClass: organizationalUnit
+entryUUID: fbd89c4a-bdb5-1035-9045-d5a09894d93e
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20160603090455Z
+entryCSN: 20160603090455.267192Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20160603090455Z
+
+dn: cn=wifi,ou=service-users,{{ re2o_ldap_replica.suffix }}
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: wifi
+structuralObjectClass: applicationProcess
+entryUUID: 8cc2d1a6-bdc2-1035-9051-d5a09894d93e
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20160603103452Z
+userPassword: {{ re2o_ldap_replica.root_password_hash }}
+entryCSN: 20160603103638.682210Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20160603103638Z
+
+dn: cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}
+objectClass: groupOfNames
+cn: usermgmt
+structuralObjectClass: groupOfNames
+entryUUID: ec01e206-bdc2-1035-9054-d5a09894d93e
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20160603103732Z
+member: cn=wifi,ou=service-users,{{ re2o_ldap_replica.suffix }}
+entryCSN: 20160603103746.897151Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20160603103746Z
+
+dn: cn=replica,ou=service-users,{{ re2o_ldap_replica.suffix }}
+objectClass: applicationProcess
+objectClass: simpleSecurityObject
+cn: replica
+structuralObjectClass: applicationProcess
+entryUUID: caef5c54-c0e4-1035-948f-dfe369fe3d4f
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20160607101733Z
+userPassword: {{ re2o_ldap_replica.root_password_hash }}
+entryCSN: 20160607101829.424643Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20160607101829Z
+
+dn: cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}
+objectClass: groupOfNames
+cn: readonly
+structuralObjectClass: groupOfNames
+entryUUID: f6bd2366-c0e4-1035-9492-dfe369fe3d4f
+creatorsName: cn=admin,{{ re2o_ldap_replica.suffix }}
+createTimestamp: 20160607101846Z
+member: cn=replica,ou=service-users,{{ re2o_ldap_replica.suffix }}
+member: cn=freeradius,ou=service-users,{{ re2o_ldap_replica.suffix }}
+entryCSN: 20160619214628.287369Z#000000#000#000000
+modifiersName: cn=admin,{{ re2o_ldap_replica.suffix }}
+modifyTimestamp: 20160619214628Z
+
--- a/roles/re2o-ldap-replica/templates/ldap/schema.ldiff.j2
+++ b/roles/re2o-ldap-replica/templates/ldap/schema.ldiff.j2