[re2o-ldap-replica] → [re2o-ldap]

group_vars/re2o_ldap.yml

@@ -1,8 +1,5 @@
 ---
-glob_re2o_ldap_replica:
+glob_re2o_ldap:
-  replicator:
-    username: replicator
-    password: "{{ vault.ldap_replication_re2o_credentials }}"
   suffix: dc=crans,dc=org
   url: "ldaps://{{ query('ldap', 'ip', 'terenez', 'adm') | ipv4 | first }}:636"
   root_password_hash: "{{ vault.ldap_master_password_hash }}"

host_vars/yson-partou.adm.crans.org.yml

@@ -1,3 +1,8 @@
 ---
 interfaces:
   adm: eth0
+
+loc_re2o_ldap:
+  replica:
+    username: replicator
+    password: "{{ vault.ldap_replication_re2o_credentials }}"

hosts

@@ -193,7 +193,7 @@ radius
 [re2o_front]
 re2o.adm.crans.org
 
-[re2o_ldap_replica]
+[re2o_ldap]
 re2o-dev.adm.crans.org
 yson-partou.adm.crans.org
 

plays/re2o-ldap-replica.yml

@@ -1,7 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-- hosts: re2o_ldap_replica
-  vars:
-    re2o_ldap_replica: "{{ glob_re2o_ldap_replica | default({}) | combine(loc_re2o_ldap_replica | default({})) }}"
-  roles:
-    - re2o-ldap-replica

plays/re2o-ldap.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: re2o_ldap
+  vars:
+    re2o_ldap: "{{ glob_re2o_ldap | default({}) | combine(loc_re2o_ldap | default({})) }}"
+  roles:
+    - re2o-ldap-replica

roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2

@@ -1,8 +0,0 @@
-{{ ansible_header | comment }}
-
-dn: cn=config
-add: olcTLSCertificateFile
-olcTLSCertificateFile: /etc/ldap/ldap.pem
--
-add: olcTLSCertificateKeyFile
-olcTLSCertificateKeyFile: /etc/ldap/ldap.key

roles/re2o-ldap-replica/templates/ldap/ldap.key.j2

@@ -1 +0,0 @@
-{{ re2o_ldap_replica.private_key }}

roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2

@@ -1 +0,0 @@
-{{ re2o_ldap_replica.certificate }}

roles/re2o-ldap/tasks/main.yml

@@ -58,8 +58,7 @@
   loop:
     - db
     - schema
-    - consumer_simple_sync
+    - replication
-    - certinfo
 
 - name: Initialize re2o-ldap schema
   when: not installation.stat.exists
@@ -78,8 +77,8 @@
     state: started
 
 - name: Enable data replication
-  when: not installation.stat.exists
+  when: not installation.stat.exists and re2o_ldap.replica exists
-  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/consumer_simple_sync.ldif
+  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/replication.ldif
 
 # LDAPS configuration
 - name: Copy TLS certificate
@@ -93,17 +92,13 @@
     - ldap.pem
     - ldap.key
 
-- name: Load TLS certificates
-  when: not installation.stat.exists
-  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/certinfo.ldif
-
 - name: Enable LDAPS
   lineinfile:
     path: /etc/default/slapd
     regexp: '^SLAPD_SERVICES='
     line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
   notify: Restart slapd
-  check_mode: false
+  when: not ansible_check_mode
 
 - name: Touch installation marker
   when: not installation.stat.exists

roles/re2o-ldap/templates/ldap/db.ldif.j2

@@ -3,7 +3,7 @@
 # This file comes from the installation of Re2o
 # https://gitlab.federez.net/re2o/re2o/-/blob/master/install_utils/db.ldiff
 
-dn: {{ re2o_ldap_replica.suffix }}
+dn: {{ re2o_ldap.suffix }}
 o: rezo
 structuralObjectClass: organization
 description: ldap
@@ -12,15 +12,15 @@ objectClass: dcObject
 objectClass: organization
 contextCSN: 20161004233332.689769Z#000000#000#000000
 
-dn: cn=admin,{{ re2o_ldap_replica.suffix }}
+dn: cn=admin,{{ re2o_ldap.suffix }}
 objectClass: simpleSecurityObject
 objectClass: organizationalRole
 cn: admin
 structuralObjectClass: organizationalRole
 description:: TERBUCBhZG1pbmlzdHJhdG9yDQo=
-userPassword: {{ re2o_ldap_replica.root_password_hash }}
+userPassword: {{ re2o_ldap.root_password_hash }}
 
-dn: cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}
+dn: cn=Utilisateurs,{{ re2o_ldap.suffix }}
 gidNumber: 500
 cn: Utilisateurs
 structuralObjectClass: posixGroup
@@ -31,74 +31,74 @@ objectClass: top
 objectClass: sambaSamAccount
 objectClass: radiusprofile
 
-dn: ou=groups,{{ re2o_ldap_replica.suffix }}
+dn: ou=groups,{{ re2o_ldap.suffix }}
 objectClass: organizationalUnit
 description: Groupes d'utilisateurs
 ou: groups
 structuralObjectClass: organizationalUnit
 
-dn: ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}
+dn: ou=services,ou=groups,{{ re2o_ldap.suffix }}
 objectClass: organizationalUnit
 description: Groupes de comptes techniques
 ou: services
 structuralObjectClass: organizationalUnit
 
-dn: ou=service-users,{{ re2o_ldap_replica.suffix }}
+dn: ou=service-users,{{ re2o_ldap.suffix }}
 objectClass: organizationalUnit
 description: Utilisateurs techniques de l'annuaire
 ou: service-users
 structuralObjectClass: organizationalUnit
 
-dn: cn=freeradius,ou=service-users,{{ re2o_ldap_replica.suffix }}
+dn: cn=freeradius,ou=service-users,{{ re2o_ldap.suffix }}
 objectClass: applicationProcess
 objectClass: simpleSecurityObject
 cn: freeradius
-userPassword: {{ re2o_ldap_replica.root_password_hash }}
+userPassword: {{ re2o_ldap.root_password_hash }}
 structuralObjectClass: applicationProcess
 
-dn: cn=nssauth,ou=service-users,{{ re2o_ldap_replica.suffix }}
+dn: cn=nssauth,ou=service-users,{{ re2o_ldap.suffix }}
 objectClass: applicationProcess
 objectClass: simpleSecurityObject
 cn: nssauth
 structuralObjectClass: applicationProcess
-userPassword: {{ re2o_ldap_replica.root_password_hash }}
+userPassword: {{ re2o_ldap.root_password_hash }}
 
-dn: cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}
+dn: cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}
 objectClass: groupOfNames
 cn: auth
-member: cn=nssauth,ou=service-users,{{ re2o_ldap_replica.suffix }}
+member: cn=nssauth,ou=service-users,{{ re2o_ldap.suffix }}
 structuralObjectClass: groupOfNames
 
-dn: ou=posix,ou=groups,{{ re2o_ldap_replica.suffix }}
+dn: ou=posix,ou=groups,{{ re2o_ldap.suffix }}
 objectClass: organizationalUnit
 description: Groupes de comptes POSIX
 ou: posix
 structuralObjectClass: organizationalUnit
 
-dn: cn=wifi,ou=service-users,{{ re2o_ldap_replica.suffix }}
+dn: cn=wifi,ou=service-users,{{ re2o_ldap.suffix }}
 objectClass: applicationProcess
 objectClass: simpleSecurityObject
 cn: wifi
 structuralObjectClass: applicationProcess
-userPassword: {{ re2o_ldap_replica.root_password_hash }}
+userPassword: {{ re2o_ldap.root_password_hash }}
 
-dn: cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}
+dn: cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}
 objectClass: groupOfNames
 cn: usermgmt
 structuralObjectClass: groupOfNames
-member: cn=wifi,ou=service-users,{{ re2o_ldap_replica.suffix }}
+member: cn=wifi,ou=service-users,{{ re2o_ldap.suffix }}
 
-dn: cn=replica,ou=service-users,{{ re2o_ldap_replica.suffix }}
+dn: cn=replica,ou=service-users,{{ re2o_ldap.suffix }}
 objectClass: applicationProcess
 objectClass: simpleSecurityObject
 cn: replica
 structuralObjectClass: applicationProcess
-userPassword: {{ re2o_ldap_replica.root_password_hash }}
+userPassword: {{ re2o_ldap.root_password_hash }}
 
-dn: cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}
+dn: cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}
 objectClass: groupOfNames
 cn: readonly
 structuralObjectClass: groupOfNames
-member: cn=replica,ou=service-users,{{ re2o_ldap_replica.suffix }}
+member: cn=replica,ou=service-users,{{ re2o_ldap.suffix }}
-member: cn=freeradius,ou=service-users,{{ re2o_ldap_replica.suffix }}
+member: cn=freeradius,ou=service-users,{{ re2o_ldap.suffix }}
 

roles/re2o-ldap/templates/ldap/ldap.key.j2

@@ -0,0 +1 @@
+{{ re2o_ldap.private_key }}

roles/re2o-ldap/templates/ldap/ldap.pem.j2

@@ -0,0 +1 @@
+{{ re2o_ldap.certificate }}

roles/re2o-ldap/templates/ldap/replication.ldif.j2

@@ -4,11 +4,11 @@ dn: olcDatabase={1}hdb,cn=config
 changetype: modify
 add: olcSyncrepl
 olcSyncrepl: rid=1
-        provider={{ re2o_ldap_replica.url }}
+        provider={{ re2o_ldap.url }}
         bindmethod=simple
-        binddn="cn={{ re2o_ldap_replica.replicator.username }},{{ re2o_ldap_replica.suffix }}"
+        binddn="cn={{ re2o_ldap.replica.username }},{{ re2o_ldap.suffix }}"
-        credentials={{ re2o_ldap_replica.replicator.password }}
+        credentials={{ re2o_ldap.replica.password }}
-        searchbase="{{ re2o_ldap_replica.suffix }}"
+        searchbase="{{ re2o_ldap.suffix }}"
         scope=sub
         schemachecking=on
         type=refreshAndPersist
@@ -18,4 +18,4 @@ olcSyncrepl: rid=1
         tls_reqcert=allow
 -
 add: olcUpdateRef
-olcUpdateRef: {{ re2o_ldap_replica.url }}
+olcUpdateRef: {{ re2o_ldap.url }}

roles/re2o-ldap/templates/ldap/schema.ldif.j2

@@ -14,6 +14,8 @@ olcSaslSecProps: none
 olcToolThreads: 1
 structuralObjectClass: olcGlobal
 contextCSN: 20160619215244.315124Z#000000#000#000000
+olcTLSCertificateFile: /etc/ldap/ldap.pem
+olcTLSCertificateKeyFile: /etc/ldap/ldap.key
 
 dn: cn=module{0},cn=config
 objectClass: olcModuleList
@@ -1021,7 +1023,7 @@ olcDatabase: {0}config
 olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern
  al,cn=auth manage by * break
 olcRootDN: cn=config
-olcRootPW: {{ re2o_ldap_replica.root_password_hash }}
+olcRootPW: {{ re2o_ldap.root_password_hash }}
 structuralObjectClass: olcDatabaseConfig
 
 dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
@@ -1035,52 +1037,52 @@ objectClass: olcDatabaseConfig
 objectClass: olcHdbConfig
 olcDatabase: {1}hdb
 olcDbDirectory: /var/lib/ldap
-olcSuffix: {{ re2o_ldap_replica.suffix }}
+olcSuffix: {{ re2o_ldap.suffix }}
 olcAccess: {0}to attrs=userPassword,sambaNTPassword,mail
         by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
         by self write
         by anonymous auth
-        by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write
+        by dn="cn=admin,{{ re2o_ldap.suffix }}" write
-        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
-        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write
+        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}" write
         by * none
 olcAccess: {1}to attrs=shadowLastChange,gecos,loginShell
         by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
         by self write
         by anonymous auth
-        by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write
+        by dn="cn=admin,{{ re2o_ldap.suffix }}" write
-        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
-        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
-        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write
+        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}" write
         by * none
 olcAccess: {2}to dn.base=""
         by * read
-olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap_replica.suffix }}"
+olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap.suffix }}"
         by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
-        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
-        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
-olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}"
+olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap.suffix }}"
         by * read
-olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}"
+olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap.suffix }}"
-        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
         by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
         by self read
-        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
-        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write
+        by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}" write
-olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap_replica.suffix }}"
+olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap.suffix }}"
         by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
-        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
-        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
-olcAccess: {7}to dn.base="{{ re2o_ldap_replica.suffix }}"
+olcAccess: {7}to dn.base="{{ re2o_ldap.suffix }}"
         by * read
 olcAccess: {8}to *
         by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write
-        by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write
+        by dn="cn=admin,{{ re2o_ldap.suffix }}" write
         by self read
-        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read
+        by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read
 olcLastMod: TRUE
-olcRootDN: cn=admin,{{ re2o_ldap_replica.suffix }}
+olcRootDN: cn=admin,{{ re2o_ldap.suffix }}
-olcRootPW: {{ re2o_ldap_replica.root_password_hash }}
+olcRootPW: {{ re2o_ldap.root_password_hash }}
 olcDbCheckpoint: 512 30
 olcDbConfig: {0}set_cachesize 0 2097152 0
 olcDbConfig: {1}set_lk_max_objects 1500