From 911332ec6ff8a4a435ca95f60673eac7e4d8350c Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 31 May 2019 19:11:32 +0300
Subject: [PATCH] add daily ldap database dumps to ldap master

---
roles/ldap/server/files/ldap-backup.sh | 32 ++++++++++++++++++++++++++
roles/ldap/server/tasks/main.yml | 32 ++++++++++++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100755 roles/ldap/server/files/ldap-backup.sh
diff --git a/roles/ldap/server/files/ldap-backup.sh b/roles/ldap/server/files/ldap-backup.sh
new file mode 100755
index 0000000..50e6915
--- /dev/null
+++ b/roles/ldap/server/files/ldap-backup.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+umask 027
+
+PATH="/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin"
+
+if [ "$(whoami)" != "ldap" ]; then
+ echo "ERR: Script needs to be run as ldap user" 1>&2
+ exit 1
+fi
+
+BACKUPDIR="/srv/backup"
+BACKUPAGE="7"
+
+DATE="$(date '+%Y-%m-%d')"
+
+ldapsearch -LLL -x -H ldapi:// -s base -b 'cn=Databases,cn=Monitor' \
+ '(objectClass=*)' namingContexts | \
+ sed -n 's/^namingContexts: \(.*\)/\1/p' | while read db ; do
+ [ "${db}" = "cn=config" ] && continue
+ slapcat -f /etc/openldap/slapd.conf -b "${db}" 2> /dev/null | gzip > \
+ "${BACKUPDIR}/${db}.${DATE}.gz"
+ if [ $? -ne 0 ]; then
+ echo "ERR: Failed to backup database ${db}" 1>&2
+ continue
+ fi
+done
+
+cd ${BACKUPDIR} && {
+ find . -xdev -depth -mindepth 1 -maxdepth 1 -type f -mtime +${BACKUPAGE} \
+ -name '*.gz' -execdir rm -f -- {} \;
+}
diff --git a/roles/ldap/server/tasks/main.yml b/roles/ldap/server/tasks/main.yml
index 868f3d9..9171db1 100644
--- a/roles/ldap/server/tasks/main.yml
+++ b/roles/ldap/server/tasks/main.yml
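Review bot: The `if [ $? -ne 0 ]` after the `slapcat ... | gzip > ...` pipeline only tests gzip's exit status, and slapcat's stderr is discarded with `2> /dev/null`, so a slapcat failure (unreadable slapd.conf, wrong suffix, permission problem) leaves an exit-0 gzip of empty input in the backup directory and the error branch never fires. Adding `set -o pipefail` directly after the shebang makes `$?` reflect the failed slapcat, and keeping slapcat's stderr lets cron mail the actual reason. Separately, if the `ldapsearch` feeding the `while read db` loop fails, no dump is written but the `find ... -mtime +${BACKUPAGE}` pruning still runs and the script exits 0, so after BACKUPAGE days of a broken search there are no dumps left and nothing was reported; counting successful dumps and exiting non-zero before the `cd ${BACKUPDIR}` block when the count is zero would avoid that. The `continue` inside the `if` is the last statement of the loop body and is therefore a no-op.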
@@ -28,6 +28,38 @@
 follow: false
 when: ldap_datadir != "/srv/ldap"
+- block:
+ - name: create backup directory
+ file:
+ path: /export/backup
+ state: directory
+ mode: 0750
+ owner: ldap
+ group: ldap
+ - name: link backup directory
+ file:
+ path: /srv/backup
+ src: /export/backup
+ state: link
+ owner: root
+ group: "{{ ansible_wheel }}"
+ follow: false
+ - name: copy backup script
+ copy:
+ dest: /usr/local/sbin/ldap-backup
+ src: ldap-backup.sh
+ mode: 0755
+ owner: root
+ group: "{{ ansible_wheel }}"
+ - name: create backup cron job
+ cron:
+ name: ldap-backup
+ job: /usr/local/sbin/ldap-backup
+ hour: 0
+ minute: 10
+ user: ldap
+ when: ldap_master is defined
+
 - name: remove nss cert databases
 file:
 path: "/etc/openldap/certs/{{ item }}"
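Review bot: The file modes in the `create backup directory` and `copy backup script` tasks are unquoted octal literals (`mode: 0750`, `mode: 0755`); Ansible accepts the leading-zero form, but a generic YAML 1.1 parser reads them as decimal 488/493 and yamllint flags them, so quoting them as `mode: "0750"` and `mode: "0755"` would match the quoted `group: "{{ ansible_wheel }}"` values in the same block. The `when: ldap_master is defined` guard (at block level, judging by its position after the last task) is satisfied by any definition of the variable, including one set to false; if the inventory ever sets `ldap_master: false` on a replica the daily dump would be scheduled there too, so `when: ldap_master | default(false)` or a comment stating that the variable is only ever defined on the master would make the intent explicit — how `ldap_master` is set is not visible from this hunk. The dumps written to /export/backup hold the full directory contents, so the `0750` / `ldap:ldap` ownership and the root-owned `0755` script are the right split; a one-line comment above `create backup directory` such as `# dumps contain the full DIT; readable by the ldap user only` would record why the directory is not group-shared with `{{ ansible_wheel }}` like the link and script are.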