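---
# Tasks that install and configure an OpenLDAP server (slapd): enable the
# Rocky "plus" repository, install packages, lay out the data and backup
# directories, install the Let's Encrypt certificates into the slapd cert
# directory, add custom schemas and the slapd.conf template, and enable the
# service.
#
# Conventions in this file:
# - File modes are quoted strings ("0644"): a bare 0644 is octal under YAML 1.1
#   but decimal 644 under YAML 1.2, so quoting removes the parser dependency.
# - Read-only command tasks carry `changed_when: false` and `check_mode: false`
#   so their registered output is also available to later tasks in check mode.
# - The deprecated `warn` parameter of ansible.builtin.command is not used;
#   ansible-core 2.14 removed it and rejects it as an unsupported parameter.

- name: check if plus repository is enabled
  ansible.builtin.command:
    argv:
      - dnf
      - config-manager
      - --dump
      - plus
  changed_when: false
  check_mode: false
  register: result
  when: ansible_distribution == "Rocky"

- name: enable plus repository
  ansible.builtin.command:
    argv:
      - dnf
      - config-manager
      - --set-enabled
      - plus
  # Both conditions are evaluated in order, so `result` is only inspected on
  # Rocky, where the task above actually ran.
  when:
    - ansible_distribution == "Rocky"
    - "'enabled = 1' not in result.stdout_lines"

- name: install packages
  ansible.builtin.package:
    # Passing the whole list installs everything in one package-manager
    # transaction instead of one transaction per item.
    name:
      - cyrus-sasl-gssapi
      - openldap-servers
      - ldapvi
    state: present

- name: fix selinux context for ldap data directory
  # Registers the file-context rule only; the directory task below applies it
  # to the directory itself via `setype: _default`.
  community.general.sefcontext:
    path: "{{ ldap_datadir }}(/.*)?"
    setype: slapd_db_t

- name: create ldap data directory
  ansible.builtin.file:
    path: "{{ ldap_datadir }}"
    state: directory
    mode: "0700"
    owner: ldap
    group: ldap
    seuser: _default
    setype: _default

- name: link ldap data directory
  # NOTE(review): the link target is hard-coded to /export/ldap, so this only
  # holds together when ldap_datadir is /export/ldap — confirm, or use the
  # variable as src.
  ansible.builtin.file:
    path: /srv/ldap
    src: /export/ldap
    state: link
    owner: root
    group: root
    follow: false
  when: ldap_datadir != "/srv/ldap"

- name: import sftpuser role
  ansible.builtin.import_role:
    name: sftpuser
  vars:
    chroot: /srv/backup
    user: backup
    publickeys: "{{ backup_publickeys }}"

- name: create backup directory
  ansible.builtin.file:
    path: "{{ ldap_backupdir }}"
    state: directory
    mode: "0750"
    owner: root
    group: backup

- name: link backup directory
  # NOTE(review): same hard-coded target as the data directory link — this
  # assumes ldap_backupdir is /export/backup whenever it is not /srv/backup.
  ansible.builtin.file:
    path: /srv/backup
    src: /export/backup
    state: link
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
  when: ldap_backupdir != "/srv/backup"

- name: copy backup script
  ansible.builtin.copy:
    dest: /usr/local/sbin/ldap-backup
    src: ldap-backup.sh
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"

- name: create backup cron job
  ansible.builtin.cron:
    name: ldap-backup
    job: /usr/local/sbin/ldap-backup
    hour: "0"
    minute: "10"
    user: root

- name: copy spn helper script
  ansible.builtin.copy:
    dest: /usr/local/sbin/ldapspn
    src: ldapspn.py
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"
  when: ldap_master is defined

- name: remove nss cert databases
  # Legacy NSS databases; the cert directory is populated with PEM files and
  # hashed symlinks below instead.
  ansible.builtin.file:
    path: "/etc/openldap/certs/{{ item }}"
    state: absent
  loop:
    - cert8.db
    - key3.db
    - password
    - secmod.db

- name: copy ldap server certificates
  ansible.builtin.copy:
    dest: "{{ tls_certs }}/{{ ldap_server_cert }}.crt"
    src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/cert.pem"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  tags: certificates
  notify: restart slapd

- name: copy ldap server key
  ansible.builtin.copy:
    dest: "{{ tls_private }}/{{ ldap_server_cert }}.key"
    src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/privkey.pem"
    # Private key: readable by root and the ldap group only.
    mode: "0640"
    owner: root
    group: ldap
  tags: certificates
  notify: restart slapd

- name: copy ldap server certificate chain
  ansible.builtin.copy:
    dest: "{{ tls_certs }}/{{ ldap_server_cert }}-chain.crt"
    src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/chain.pem"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  tags: certificates
  notify: restart slapd

- name: get ldap server chain hash
  # Runs on the controller, where /srv/letsencrypt lives (the copy tasks above
  # read their src from the same place).  `check_mode: false` keeps
  # result.stdout defined for the link task in check mode.
  ansible.builtin.command:
    argv:
      - openssl
      - x509
      - -in
      - "/srv/letsencrypt/live/{{ ldap_server_cert }}/chain.pem"
      - -noout
      - -hash
  delegate_to: localhost
  register: result
  changed_when: false
  check_mode: false
  tags: certificates

- name: link server chain certificate
  # OpenSSL hashed-directory naming: "<subject hash>.0" as printed by
  # `openssl x509 -hash` above.
  ansible.builtin.file:
    path: "/etc/openldap/certs/{{ result.stdout }}.0"
    src: "{{ tls_certs }}/{{ ldap_server_cert }}-chain.crt"
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
    state: link
  tags: certificates

- name: link local ca certificate
  ansible.builtin.file:
    path: "/etc/openldap/certs/{{ pki_cacert_hash }}.0"
    src: "{{ tls_certs }}/ca.crt"
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
    state: link

- name: create slapd service drop-in directory
  ansible.builtin.file:
    path: /etc/systemd/system/slapd.service.d
    state: directory
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"
  when: ansible_distribution == "Rocky"

- name: create slapd service drop-in file
  ansible.builtin.copy:
    dest: /etc/systemd/system/slapd.service.d/local.conf
    src: slapd.service
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: restart slapd
  when: ansible_distribution == "Rocky"

- name: create slapd sysconfig file
  ansible.builtin.copy:
    dest: /etc/sysconfig/slapd
    src: slapd.sysconfig
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: restart slapd
  when: ansible_distribution != "Rocky"

- name: add custom schema files
  ansible.builtin.copy:
    dest: "/etc/openldap/schema/{{ item }}"
    src: "{{ item }}"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  loop:
    - kerberos.schema  # centos krb5-server-ldap 1.15.1
    - openssh-lpk.schema  # via google, no original source found
    - rfc2307bis.schema  # rfc2307bis version 2
    - yubikey.schema  # http://logix.cz/michal/devel/yubikey-ldap/
    - samba.schema  # centos samba 4.8.3
  notify: restart slapd

- name: copy check password config
  ansible.builtin.copy:
    dest: /etc/openldap/check_password.conf
    src: check_password.conf
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

- name: create slapd main config
  ansible.builtin.template:
    dest: /etc/openldap/slapd.conf
    src: slapd.conf.j2
    # Config is readable by root and the ldap group only.
    mode: "0640"
    owner: root
    group: ldap
  notify: restart slapd

- name: add ldap aliases for root
  ansible.builtin.blockinfile:
    path: /root/.bash_profile
    block: |
      # use slapd.conf by default for slap commands
      alias slapadd='echo "run as user ldap"'
      alias slapcat='slapcat -f /etc/openldap/slapd.conf'
      alias slapindex='echo "run as user ldap"'
      alias slaptest='slaptest -f /etc/openldap/slapd.conf'
      # ldapvi connects automatically via socket
      alias ldapvi='ldapvi -h ldapi:/// -Y EXTERNAL'

- name: enable slapd service
  ansible.builtin.service:
    name: slapd
    state: started
    enabled: true

- name: copy slapd keytab
  # NOTE(review): this task runs after the service is started and notifies no
  # handler — confirm whether a replaced keytab needs `notify: restart slapd`.
  ansible.builtin.copy:
    dest: /etc/openldap/slapd.keytab
    src: "{{ ansible_private }}/files/keytabs/slapd.keytab"
    mode: "0640"
    owner: root
    group: ldap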