From 6492a7de034f2b2b5e4f8548081f05da5ecee944 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Sun, 19 Sep 2021 16:17:37 +0000
Subject: [PATCH] ldap-server: Run backups as root and share them via sftp

---
 roles/ldap-server/files/ldap-backup.sh | 10 +++++-----
 roles/ldap-server/tasks/main.yml | 13 ++++++++++---
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/roles/ldap-server/files/ldap-backup.sh b/roles/ldap-server/files/ldap-backup.sh
index 50e6915..9669766 100755
--- a/roles/ldap-server/files/ldap-backup.sh
+++ b/roles/ldap-server/files/ldap-backup.sh
@@ -4,8 +4,8 @@ umask 027
 PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin"
-if [ "$(whoami)" != "ldap" ]; then
- echo "ERR: Script needs to be run as ldap user" 1>&2
+if [ "$(whoami)" != "root" ]; then
+ echo "ERR: Script needs to be run as root user" 1>&2
 exit 1
 fi
@@ -18,12 +18,12 @@ ldapsearch -LLL -x -H ldapi:// -s base -b 'cn=Databases,cn=Monitor' \
 '(objectClass=*)' namingContexts | \
 sed -n 's/^namingContexts: \(.*\)/\1/p' | while read db ; do
 [ "${db}" = "cn=config" ] && continue
- slapcat -f /etc/openldap/slapd.conf -b "${db}" 2> /dev/null | gzip > \
- "${BACKUPDIR}/${db}.${DATE}.gz"
- if [ $? -ne 0 ]; then
+ if ! slapcat -f /etc/openldap/slapd.conf -b "${db}" 2> /dev/null | \
+ gzip > "${BACKUPDIR}/${db}.${DATE}.gz" ; then
 echo "ERR: Failed to backup database ${db}" 1>&2
 continue
 fi
+ chgrp backup "${BACKUPDIR}/${db}.${DATE}.gz"
 done
 cd ${BACKUPDIR} && {
diff --git a/roles/ldap-server/tasks/main.yml b/roles/ldap-server/tasks/main.yml
index 73367fd..6e39073 100644
--- a/roles/ldap-server/tasks/main.yml
+++ b/roles/ldap-server/tasks/main.yml
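Review bot: The new guard compares the login name from `whoami` rather than the effective uid, so a uid-0 account under another name is refused while the actual requirement of the script is uid 0 (it later calls `chgrp` on files it creates); `if [ "$(id -u)" -ne 0 ]; then` is the conventional check and behaves the same under any shell. The shebang and any header comment are outside the hunk; since the script now runs from root's cron and, with the `umask 027` shown in the hunk header, writes dumps that end up 0640 root:backup for the sftp user, a top-of-file comment such as `# Runs as root from cron; dumps are written 0640 and chgrp'd to 'backup' for read-only sftp access` would record that privilege contract next to the guard.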
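Review bot: `if ! slapcat … | gzip > …` still tests only gzip's exit status, so a failing slapcat (whose stderr is discarded) leaves an empty or truncated .gz that is then chgrp'd to `backup` and offered over sftp as if it were a good dump; the old `$?` form had the same gap and this commit does not close it. If the script runs under bash, `set -o pipefail` near the top is enough; for a POSIX shell, capture slapcat's status first, e.g. `slapcat -f /etc/openldap/slapd.conf -b "${db}" 2> /dev/null > "${tmp}" && gzip -c "${tmp}" > "${BACKUPDIR}/${db}.${DATE}.gz"` with `${tmp}` from `mktemp` and removed on exit. The added `chgrp backup …` is likewise unchecked, so a failure silently leaves that dump unreadable to the sftp user; `chgrp backup "${BACKUPDIR}/${db}.${DATE}.gz" || echo "ERR: Failed to chgrp backup of ${db}" 1>&2` keeps it visible in the cron mail. The while loop is fed by the pipeline that begins on the hunk-header line, and the `cd ${BACKUPDIR} && {` block continues past the hunk.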
@@ -31,13 +31,20 @@
 follow: false
 when: ldap_datadir != "/srv/ldap"
+- import_role:
+ name: sftpuser
+ vars:
+ chroot: /export/backup
+ user: backup
+ publickeys: "{{ backup_publickeys }}"
+
 - name: create backup directory
 file:
 path: /export/backup
 state: directory
 mode: 0750
- owner: ldap
- group: ldap
+ owner: root
+ group: backup
 - name: link backup directory
 file:
 path: /srv/backup
@@ -59,7 +66,7 @@
 job: /usr/local/sbin/ldap-backup
 hour: "0"
 minute: "10"
- user: ldap
+ user: root
 - name: copy spn helper script
 copy:
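Review bot: The `import_role: sftpuser` runs before the `create backup directory` task that sets `/export/backup` to `root:backup` mode 0750, so the chroot's final ownership is decided by this later task and not by the role; if the role configures sshd's `ChrootDirectory` (not visible here), the requirement that the chroot path be root-owned and not group- or world-writable only holds once this task has run, and nothing on the task says so. A comment such as `# sftp chroot for user 'backup': must stay root-owned and not group-writable` on the directory task would keep a later edit from loosening the mode or group. `backup_publickeys` is referenced without a default; if it is not declared in the role's defaults, document it as a required variable (defaults/README) rather than letting the play fail at this task.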