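---
# Tasks for an OpenLDAP (slapd) server: repository setup, packages,
# data/backup directories, TLS material, slapd configuration and the
# service itself. File modes are quoted strings so no YAML parser turns
# them into octal integers.

# "dnf config-manager --dump plus" prints the repo's effective settings;
# the registered output is only used by the next task to decide whether
# the repo still needs enabling.
- name: Check if plus repository is enabled
  ansible.builtin.command:
    argv:
      - dnf
      - config-manager
      - --dump
      - plus
  changed_when: false
  register: plus_repo_dump
  when: ansible_distribution == "Rocky"

# The distribution check comes first so that on non-Rocky hosts, where
# the task above was skipped and plus_repo_dump has no stdout_lines, the
# second condition is not evaluated (Ansible stops at the first false
# condition in a when list).
- name: Enable plus repository
  ansible.builtin.command:
    argv:
      - dnf
      - config-manager
      - --set-enabled
      - plus
  when:
    - ansible_distribution == "Rocky"
    - "'enabled = 1' not in plus_repo_dump.stdout_lines"

# Passing the list directly installs everything in one transaction
# instead of one package-manager run per item.
- name: Install packages
  ansible.builtin.package:
    name:
      - cyrus-sasl-gssapi
      - openldap-servers
      - ldapvi
    state: present

# Registers the slapd database label for the data directory and
# everything below it, so the directory created next gets the right
# context and slapd is allowed to write there under SELinux.
- name: Fix SELinux context for LDAP data directory
  community.general.sefcontext:
    path: "{{ ldap_datadir }}(/.*)?"
    setype: slapd_db_t

# 0700 ldap:ldap — only the slapd user can read the database files.
# seuser/setype "_default" applies the file-context rule defined above.
- name: Create LDAP data directory
  ansible.builtin.file:
    path: "{{ ldap_datadir }}"
    state: directory
    mode: "0700"
    owner: ldap
    group: ldap
    seuser: _default
    setype: _default

# NOTE(review): the link target is hard-coded to /export/ldap while the
# condition tests ldap_datadir; this only gives a consistent layout when
# ldap_datadir is /export/ldap — confirm in inventory.
- name: Link LDAP data directory
  ansible.builtin.file:
    path: /srv/ldap
    src: /export/ldap
    state: link
    owner: root
    group: root
    follow: false
  when: ldap_datadir != "/srv/ldap"

# Creates the chrooted "backup" SFTP account used to pull the dumps.
- name: Import sftpuser role
  ansible.builtin.import_role:
    name: sftpuser
  vars:
    chroot: /srv/backup
    user: backup
    publickeys: "{{ backup_publickeys }}"

# 0750 root:backup — the SFTP user can read dumps but not write them.
- name: Create backup directory
  ansible.builtin.file:
    path: "{{ ldap_backupdir }}"
    state: directory
    mode: "0750"
    owner: root
    group: backup

# NOTE(review): same hard-coded target as the data-directory link above
# (/export/backup vs ldap_backupdir) — confirm they agree.
- name: Link backup directory
  ansible.builtin.file:
    path: /srv/backup
    src: /export/backup
    state: link
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
  when: ldap_backupdir != "/srv/backup"

- name: Copy backup script
  ansible.builtin.copy:
    dest: /usr/local/sbin/ldap-backup
    src: ldap-backup.sh
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"

# Daily dump at 00:10 as root.
- name: Create backup cron job
  ansible.builtin.cron:
    name: ldap-backup
    job: /usr/local/sbin/ldap-backup
    hour: "0"
    minute: "10"
    user: root

# Only the master needs the service-principal helper.
- name: Copy SPN helper script
  ansible.builtin.copy:
    dest: /usr/local/sbin/ldapspn
    src: ldapspn.py
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"
  when: ldap_master is defined

# Leftover Mozilla NSS certificate databases; the TLS setup below uses
# plain PEM files in /etc/openldap/certs instead, so these are removed
# (they could otherwise hold a stale password/key store).
- name: Remove nss cert databases
  ansible.builtin.file:
    path: "/etc/openldap/certs/{{ item }}"
    state: absent
  loop:
    - cert8.db
    - key3.db
    - password
    - secmod.db

# slapd delegates SASL PLAIN/LOGIN password checks to saslauthd.
- name: Configure SASL
  ansible.builtin.copy:
    dest: /etc/sasl2/slapd.conf
    content: |
      pwcheck_method: saslauthd
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart slapd

# Certificate, key and chain come from the controller's Let's Encrypt
# tree (copy's src is local unless remote_src is set). The certificate
# and chain are public, the key is readable only by root and the ldap
# group.
- name: Copy server certificates
  ansible.builtin.copy:
    dest: "{{ tls_certs }}/{{ ldap_server_cert }}.crt"
    src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/cert.pem"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  tags: certificates
  notify: Restart slapd

- name: Copy server key
  ansible.builtin.copy:
    dest: "{{ tls_private }}/{{ ldap_server_cert }}.key"
    src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/privkey.pem"
    mode: "0640"
    owner: root
    group: ldap
  tags: certificates
  notify: Restart slapd

- name: Copy server certificate chain
  ansible.builtin.copy:
    dest: "{{ tls_certs }}/{{ ldap_server_cert }}-chain.crt"
    src: "/srv/letsencrypt/live/{{ ldap_server_cert }}/chain.pem"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  tags: certificates
  notify: Restart slapd

# Subject-hash of the chain, computed on the controller where the PEM
# lives; it names the "<hash>.0" symlink that OpenSSL-style CA lookup
# expects in the certs directory.
- name: Get server chain hash
  ansible.builtin.command:
    argv:
      - openssl
      - x509
      - -in
      - "/srv/letsencrypt/live/{{ ldap_server_cert }}/chain.pem"
      - -noout
      - -hash
  delegate_to: localhost
  register: chain_hash
  changed_when: false
  tags: certificates

- name: Link server chain certificate
  ansible.builtin.file:
    path: "/etc/openldap/certs/{{ chain_hash.stdout }}.0"
    src: "{{ tls_certs }}/{{ ldap_server_cert }}-chain.crt"
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
    state: link
  tags: certificates

# pki_cacert_hash is supplied by the inventory/role vars, not computed here.
- name: Link local ca certificate
  ansible.builtin.file:
    path: "/etc/openldap/certs/{{ pki_cacert_hash }}.0"
    src: "{{ tls_certs }}/ca.crt"
    owner: root
    group: "{{ ansible_wheel }}"
    follow: false
    state: link

# Rocky: unit overrides via a systemd drop-in; other distributions:
# /etc/sysconfig/slapd instead.
- name: Create slapd service drop-in directory
  ansible.builtin.file:
    path: /etc/systemd/system/slapd.service.d
    state: directory
    mode: "0755"
    owner: root
    group: "{{ ansible_wheel }}"
  when: ansible_distribution == "Rocky"

- name: Create slapd service drop-in file
  ansible.builtin.copy:
    dest: /etc/systemd/system/slapd.service.d/local.conf
    src: slapd.service
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart slapd
  when: ansible_distribution == "Rocky"

- name: Create slapd sysconfig file
  ansible.builtin.copy:
    dest: /etc/sysconfig/slapd
    src: slapd.sysconfig
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  notify: Restart slapd
  when: ansible_distribution != "Rocky"

- name: Add custom schema files
  ansible.builtin.copy:
    dest: "/etc/openldap/schema/{{ item }}"
    src: "{{ item }}"
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"
  loop:
    - kerberos.schema  # centos krb5-server-ldap 1.15.1
    - openssh-lpk.schema  # via google, no original source found
    - rfc2307bis.schema  # rfc2307bis version 2
    - yubikey.schema  # http://logix.cz/michal/devel/yubikey-ldap/
    - samba.schema  # centos samba 4.8.3
  notify: Restart slapd

- name: Copy check password config
  ansible.builtin.copy:
    dest: /etc/openldap/check_password.conf
    src: check_password.conf
    mode: "0644"
    owner: root
    group: "{{ ansible_wheel }}"

# 0640 root:ldap — slapd.conf carries credentials (rootpw, syncrepl
# binds) and must not be world-readable.
- name: Create slapd main config
  ansible.builtin.template:
    dest: /etc/openldap/slapd.conf
    src: slapd.conf.j2
    mode: "0640"
    owner: root
    group: ldap
  notify: Restart slapd

# Convenience aliases: slapcat/slaptest point at slapd.conf; slapadd and
# slapindex are stubbed so root does not create ldap-owned files with
# the wrong owner.
- name: Add ldap aliases for root
  ansible.builtin.blockinfile:
    path: /root/.bash_profile
    block: |
      # use slapd.conf by default for slap commands
      alias slapadd='echo "run as user ldap"'
      alias slapcat='slapcat -f /etc/openldap/slapd.conf'
      alias slapindex='echo "run as user ldap"'
      alias slaptest='slaptest -f /etc/openldap/slapd.conf'
      # ldapvi connects automatically via socket
      alias ldapvi='ldapvi -h ldapi:/// -Y EXTERNAL'

- name: Enable slapd service
  ansible.builtin.service:
    name: slapd
    state: started
    enabled: true

# 0640 root:ldap — the keytab is a long-term credential; only slapd's
# group may read it. NOTE(review): copied after the service is started
# and without a restart notification — fine if the GSSAPI library
# re-reads the keytab per bind, otherwise the first run needs a restart;
# confirm.
- name: Copy slapd keytab
  ansible.builtin.copy:
    dest: /etc/openldap/slapd.keytab
    src: "{{ ansible_private }}/files/keytabs/slapd.keytab"
    mode: "0640"
    owner: root
    group: ldap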