ldap-server: Run backups as root and share them via sftp

roles/ldap-server/files/ldap-backup.sh

@@ -4,8 +4,8 @@ umask 027
 
 PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin"
 
-if [ "$(whoami)" != "ldap" ]; then
+if [ "$(whoami)" != "root" ]; then
-    echo "ERR: Script needs to be run as ldap user" 1>&2
+    echo "ERR: Script needs to be run as root user" 1>&2
     exit 1
 fi
 
@@ -18,12 +18,12 @@ ldapsearch -LLL -x -H ldapi:// -s base -b 'cn=Databases,cn=Monitor' \
     '(objectClass=*)' namingContexts | \
     sed -n 's/^namingContexts: \(.*\)/\1/p' | while read db ; do
         [ "${db}" = "cn=config" ] && continue
-        slapcat -f /etc/openldap/slapd.conf -b "${db}" 2> /dev/null | gzip > \
+        if ! slapcat -f /etc/openldap/slapd.conf -b "${db}" 2> /dev/null | \
-            "${BACKUPDIR}/${db}.${DATE}.gz"
+            gzip > "${BACKUPDIR}/${db}.${DATE}.gz" ; then
-        if [ $? -ne 0 ]; then
             echo "ERR: Failed to backup database ${db}" 1>&2
             continue
         fi
+	chgrp backup "${BACKUPDIR}/${db}.${DATE}.gz"
 done
 
 cd ${BACKUPDIR} && {

roles/ldap-server/tasks/main.yml

@@ -31,13 +31,20 @@
     follow: false
   when: ldap_datadir != "/srv/ldap"
 
+- import_role:
+    name: sftpuser
+  vars:
+    chroot: /export/backup
+    user: backup
+    publickeys: "{{ backup_publickeys }}"
+
 - name: create backup directory
   file:
     path: /export/backup
     state: directory
     mode: 0750
-    owner: ldap
+    owner: root
-    group: ldap
+    group: backup
 - name: link backup directory
   file:
     path: /srv/backup
@@ -59,7 +66,7 @@
     job: /usr/local/sbin/ldap-backup
     hour: "0"
     minute: "10"
-    user: ldap
+    user: root
 
 - name: copy spn helper script
   copy: