diff --git a/group_vars/re2o_ldap_replica.yml b/group_vars/re2o_ldap.yml
similarity index 68%
rename from group_vars/re2o_ldap_replica.yml
rename to group_vars/re2o_ldap.yml
index ae4b34c1663e78c4f730d46f287937dc1822c552..fc2be9063d1cd6c0ad5ed39d857b8cbb6eb6f159 100644
--- a/group_vars/re2o_ldap_replica.yml
+++ b/group_vars/re2o_ldap.yml
@@ -1,8 +1,5 @@ --- -glob_re2o_ldap_replica: - replicator: - username: replicator - password: "{{ vault.ldap_replication_re2o_credentials }}" +glob_re2o_ldap: suffix: dc=crans,dc=org url: "ldaps://{{ query('ldap', 'ip', 'terenez', 'adm') | ipv4 | first }}:636" root_password_hash: "{{ vault.ldap_master_password_hash }}"
diff --git a/host_vars/yson-partou.adm.crans.org.yml b/host_vars/yson-partou.adm.crans.org.yml
index 5cde204461d4051fcc160eab974a5c25e3663a6c..647582fefb30f22e50c7d778fd3da47cf654aaa0 100644
--- a/host_vars/yson-partou.adm.crans.org.yml
+++ b/host_vars/yson-partou.adm.crans.org.yml
@@ -1,3 +1,8 @@ --- interfaces: adm: eth0 + +loc_re2o_ldap: + replica: + username: replicator + password: "{{ vault.ldap_replication_re2o_credentials }}"
diff --git a/hosts b/hosts
index b87feae27884d778d0a24f731e38f6408ed83dbd..af37685348f815a6f7f9025967ea007528262d50 100644
--- a/hosts
+++ b/hosts
@@ -193,7 +193,7 @@ radius [re2o_front] re2o.adm.crans.org -[re2o_ldap_replica] +[re2o_ldap] re2o-dev.adm.crans.org yson-partou.adm.crans.org
diff --git a/plays/re2o-ldap-replica.yml b/plays/re2o-ldap-replica.yml
deleted file mode 100755
index 1d1344a04e03ee97bf7ca2f404577122701eae8d..0000000000000000000000000000000000000000
--- a/plays/re2o-ldap-replica.yml
+++ /dev/null
@@ -1,7 +0,0 @@ -#!/usr/bin/env ansible-playbook ---- -- hosts: re2o_ldap_replica - vars: - re2o_ldap_replica: "{{ glob_re2o_ldap_replica | default({}) | combine(loc_re2o_ldap_replica | default({})) }}" - roles: - - re2o-ldap-replica 
diff --git a/plays/re2o-ldap.yml b/plays/re2o-ldap.yml
new file mode 100755
index 0000000000000000000000000000000000000000..33964e190a7888a10b0e305ef7e0295566bd3242
--- /dev/null
+++ b/plays/re2o-ldap.yml
@@ -0,0 +1,7 @@ +#!/usr/bin/env ansible-playbook +--- +- hosts: re2o_ldap + vars: + re2o_ldap: "{{ glob_re2o_ldap | default({}) | combine(loc_re2o_ldap | default({})) }}" + roles: + - re2o-ldap-replica
diff --git a/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2 b/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2
deleted file mode 100644
index 8571016c49550c556b8d95fee23c700736850eeb..0000000000000000000000000000000000000000
--- a/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2
+++ /dev/null
@@ -1,8 +0,0 @@ -{{ ansible_header | comment }} - -dn: cn=config -add: olcTLSCertificateFile -olcTLSCertificateFile: /etc/ldap/ldap.pem -- -add: olcTLSCertificateKeyFile -olcTLSCertificateKeyFile: /etc/ldap/ldap.key
diff --git a/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2 b/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2
deleted file mode 100644
index 1dc6da0ca8f682be4727c0395fb680fad31cbc81..0000000000000000000000000000000000000000
--- a/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2
+++ /dev/null
@@ -1 +0,0 @@ -{{ re2o_ldap_replica.private_key }}
diff --git a/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2 b/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2
deleted file mode 100644
index 71d67e1ab8360ed865a8ea1b3868930d25089a1d..0000000000000000000000000000000000000000
--- a/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2
+++ /dev/null
@@ -1 +0,0 @@ -{{ re2o_ldap_replica.certificate }}
diff --git a/roles/re2o-ldap-replica/handlers/main.yml b/roles/re2o-ldap/handlers/main.yml
similarity index 100%
rename from roles/re2o-ldap-replica/handlers/main.yml
rename to roles/re2o-ldap/handlers/main.yml 
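Review bot: The new play's last line still lists `- re2o-ldap-replica`, but this same commit renames the role's handlers, tasks and templates to `roles/re2o-ldap/`, so unless other files not shown here remain under `roles/re2o-ldap-replica/`, the role no longer exists and `plays/re2o-ldap.yml` will fail to resolve it (or run an empty role). Change it to `- re2o-ldap`, matching the `re2o_ldap` host group and fact name on the lines above.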
diff --git a/roles/re2o-ldap-replica/tasks/main.yml b/roles/re2o-ldap/tasks/main.yml
similarity index 87%
rename from roles/re2o-ldap-replica/tasks/main.yml
rename to roles/re2o-ldap/tasks/main.yml
index 0bcd4c8dbac29cf810ad499c9f07ff25416dfe8e..687f13324e4a9c28353c28defa3084906fabfe30 100644
--- a/roles/re2o-ldap-replica/tasks/main.yml
+++ b/roles/re2o-ldap/tasks/main.yml
@@ -58,8 +58,7 @@ loop: - db - schema - - consumer_simple_sync - - certinfo + - replication - name: Initialize re2o-ldap schema when: not installation.stat.exists
@@ -78,8 +77,8 @@ state: started - name: Enable data replication - when: not installation.stat.exists - shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/consumer_simple_sync.ldif + when: not installation.stat.exists and re2o_ldap.replica exists + shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/replication.ldif # LDAPS configuration - name: Copy TLS certificate
@@ -93,17 +92,13 @@ - ldap.pem - ldap.key -- name: Load TLS certificates - when: not installation.stat.exists - shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /var/lib/slapd/certinfo.ldif - - name: Enable LDAPS lineinfile: path: /etc/default/slapd regexp: '^SLAPD_SERVICES=' line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"' notify: Restart slapd - check_mode: false + when: not ansible_check_mode - name: Touch installation marker when: not installation.stat.exists
diff --git a/roles/re2o-ldap-replica/templates/ldap/db.ldif.j2 b/roles/re2o-ldap/templates/ldap/db.ldif.j2
similarity index 58%
rename from roles/re2o-ldap-replica/templates/ldap/db.ldif.j2
rename to roles/re2o-ldap/templates/ldap/db.ldif.j2
index 16414ad97e1f826c325c53241e044a44b66b4db4..0181c093c918888cba435733144a6696702f3049 100644
--- a/roles/re2o-ldap-replica/templates/ldap/db.ldif.j2
+++ b/roles/re2o-ldap/templates/ldap/db.ldif.j2 
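Review bot: Adding `- replication` to the template loop renders `replication.ldif.j2` on every host in `re2o_ldap`, and that template dereferences `re2o_ldap.replica.username` and `re2o_ldap.replica.password` (see its hunk further down), yet only yson-partou gains `loc_re2o_ldap.replica` in this commit. Unless re2o-dev has a matching host_vars entry not shown here, the template task will fail with an undefined variable on that host before the guarded `Enable data replication` task is ever reached. A guard on the loop item would make the intent explicit, e.g. `when: item != 'replication' or re2o_ldap.replica is defined` on the template task, whose header lies above this hunk.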
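Review bot: `re2o_ldap.replica exists` is not valid Jinja2 — tests are applied with `is` — so this `when` raises a template syntax error instead of evaluating to false on hosts without replica settings. It should read `when: not installation.stat.exists and re2o_ldap.replica is defined`. The shell step below it changes only the LDIF path and is otherwise fine.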
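Review bot: Replacing `check_mode: false` with `when: not ansible_check_mode` on the `Enable LDAPS` task trades one check-mode problem for another: the old form really edited `/etc/default/slapd` during a `--check` run, while the new form skips the task entirely, so a dry run no longer reports the pending change or the `Restart slapd` notification. `lineinfile` supports check mode natively, so the simplest correct form is to drop both attributes and let the module report the change without applying it.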
@@ -3,7 +3,7 @@ # This file comes from the installation of Re2o # https://gitlab.federez.net/re2o/re2o/-/blob/master/install_utils/db.ldiff -dn: {{ re2o_ldap_replica.suffix }} +dn: {{ re2o_ldap.suffix }} o: rezo structuralObjectClass: organization description: ldap
@@ -12,15 +12,15 @@ objectClass: dcObject objectClass: organization contextCSN: 20161004233332.689769Z#000000#000#000000 -dn: cn=admin,{{ re2o_ldap_replica.suffix }} +dn: cn=admin,{{ re2o_ldap.suffix }} objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin structuralObjectClass: organizationalRole description:: TERBUCBhZG1pbmlzdHJhdG9yDQo= -userPassword: {{ re2o_ldap_replica.root_password_hash }} +userPassword: {{ re2o_ldap.root_password_hash }} -dn: cn=Utilisateurs,{{ re2o_ldap_replica.suffix }} +dn: cn=Utilisateurs,{{ re2o_ldap.suffix }} gidNumber: 500 cn: Utilisateurs structuralObjectClass: posixGroup 
@@ -31,74 +31,74 @@ objectClass: top objectClass: sambaSamAccount objectClass: radiusprofile -dn: ou=groups,{{ re2o_ldap_replica.suffix }} +dn: ou=groups,{{ re2o_ldap.suffix }} objectClass: organizationalUnit description: Groupes d'utilisateurs ou: groups structuralObjectClass: organizationalUnit -dn: ou=services,ou=groups,{{ re2o_ldap_replica.suffix }} +dn: ou=services,ou=groups,{{ re2o_ldap.suffix }} objectClass: organizationalUnit description: Groupes de comptes techniques ou: services structuralObjectClass: organizationalUnit -dn: ou=service-users,{{ re2o_ldap_replica.suffix }} +dn: ou=service-users,{{ re2o_ldap.suffix }} objectClass: organizationalUnit description: Utilisateurs techniques de l'annuaire ou: service-users structuralObjectClass: organizationalUnit -dn: cn=freeradius,ou=service-users,{{ re2o_ldap_replica.suffix }} +dn: cn=freeradius,ou=service-users,{{ re2o_ldap.suffix }} objectClass: applicationProcess objectClass: simpleSecurityObject cn: freeradius -userPassword: {{ re2o_ldap_replica.root_password_hash }} +userPassword: {{ re2o_ldap.root_password_hash }} structuralObjectClass: applicationProcess -dn: cn=nssauth,ou=service-users,{{ re2o_ldap_replica.suffix }} +dn: cn=nssauth,ou=service-users,{{ re2o_ldap.suffix }} objectClass: applicationProcess objectClass: simpleSecurityObject cn: nssauth structuralObjectClass: applicationProcess -userPassword: {{ re2o_ldap_replica.root_password_hash }} +userPassword: {{ re2o_ldap.root_password_hash }} -dn: cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }} +dn: cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }} objectClass: groupOfNames cn: auth -member: cn=nssauth,ou=service-users,{{ re2o_ldap_replica.suffix }} +member: cn=nssauth,ou=service-users,{{ re2o_ldap.suffix }} structuralObjectClass: groupOfNames -dn: ou=posix,ou=groups,{{ re2o_ldap_replica.suffix }} +dn: ou=posix,ou=groups,{{ re2o_ldap.suffix }} objectClass: organizationalUnit description: Groupes de comptes POSIX ou: posix 
structuralObjectClass: organizationalUnit -dn: cn=wifi,ou=service-users,{{ re2o_ldap_replica.suffix }} +dn: cn=wifi,ou=service-users,{{ re2o_ldap.suffix }} objectClass: applicationProcess objectClass: simpleSecurityObject cn: wifi structuralObjectClass: applicationProcess -userPassword: {{ re2o_ldap_replica.root_password_hash }} +userPassword: {{ re2o_ldap.root_password_hash }} -dn: cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }} +dn: cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }} objectClass: groupOfNames cn: usermgmt structuralObjectClass: groupOfNames -member: cn=wifi,ou=service-users,{{ re2o_ldap_replica.suffix }} +member: cn=wifi,ou=service-users,{{ re2o_ldap.suffix }} -dn: cn=replica,ou=service-users,{{ re2o_ldap_replica.suffix }} +dn: cn=replica,ou=service-users,{{ re2o_ldap.suffix }} objectClass: applicationProcess objectClass: simpleSecurityObject cn: replica structuralObjectClass: applicationProcess -userPassword: {{ re2o_ldap_replica.root_password_hash }} +userPassword: {{ re2o_ldap.root_password_hash }} -dn: cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }} +dn: cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }} objectClass: groupOfNames cn: readonly structuralObjectClass: groupOfNames -member: cn=replica,ou=service-users,{{ re2o_ldap_replica.suffix }} -member: cn=freeradius,ou=service-users,{{ re2o_ldap_replica.suffix }} +member: cn=replica,ou=service-users,{{ re2o_ldap.suffix }} +member: cn=freeradius,ou=service-users,{{ re2o_ldap.suffix }}
diff --git a/roles/re2o-ldap/templates/ldap/ldap.key.j2 b/roles/re2o-ldap/templates/ldap/ldap.key.j2
new file mode 100644
index 0000000000000000000000000000000000000000..007496f0db3034a985a4a582c7e7775471cb2e94
--- /dev/null
+++ b/roles/re2o-ldap/templates/ldap/ldap.key.j2
@@ -0,0 +1 @@ +{{ re2o_ldap.private_key }} 
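Review bot: Every service account in this hunk — `cn=wifi`, `cn=replica`, and earlier in the same hunk `cn=freeradius` and `cn=nssauth` — is given `userPassword: {{ re2o_ldap.root_password_hash }}`, the same hash used for `cn=admin` and for `olcRootPW` in schema.ldif.j2, so a leak of any read-only service credential (e.g. from a RADIUS or NSS client configuration) is equivalent to a leak of the directory root credential. The rename carries this forward unchanged, but since the variable layout is being reorganised anyway, each service user could take its own vaulted hash, for example a `service_password_hashes` map under `glob_re2o_ldap` (constructed name) referenced as `userPassword: {{ re2o_ldap.service_password_hashes.wifi }}`. This also lets `cn=replica`, which sits in `cn=readonly`, be rotated independently of the admin secret.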
diff --git a/roles/re2o-ldap/templates/ldap/ldap.pem.j2 b/roles/re2o-ldap/templates/ldap/ldap.pem.j2
new file mode 100644
index 0000000000000000000000000000000000000000..853d78b66c41355cb2ef4ea9d378c09e5666a148
--- /dev/null
+++ b/roles/re2o-ldap/templates/ldap/ldap.pem.j2
@@ -0,0 +1 @@ +{{ re2o_ldap.certificate }}
diff --git a/roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2 b/roles/re2o-ldap/templates/ldap/replication.ldif.j2
similarity index 53%
rename from roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2
rename to roles/re2o-ldap/templates/ldap/replication.ldif.j2
index f15a81dfcde86af2b4cce00ee9612bdaa96a642b..7065c26057978edc3b3f0ccb3918383c462942a4 100644
--- a/roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2
+++ b/roles/re2o-ldap/templates/ldap/replication.ldif.j2
@@ -4,11 +4,11 @@ dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcSyncrepl olcSyncrepl: rid=1 - provider={{ re2o_ldap_replica.url }} + provider={{ re2o_ldap.url }} bindmethod=simple - binddn="cn={{ re2o_ldap_replica.replicator.username }},{{ re2o_ldap_replica.suffix }}" - credentials={{ re2o_ldap_replica.replicator.password }} - searchbase="{{ re2o_ldap_replica.suffix }}" + binddn="cn={{ re2o_ldap.replica.username }},{{ re2o_ldap.suffix }}" + credentials={{ re2o_ldap.replica.password }} + searchbase="{{ re2o_ldap.suffix }}" scope=sub schemachecking=on type=refreshAndPersist
@@ -18,4 +18,4 @@ olcSyncrepl: rid=1 tls_reqcert=allow - add: olcUpdateRef -olcUpdateRef: {{ re2o_ldap_replica.url }} +olcUpdateRef: {{ re2o_ldap.url }}
diff --git a/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2 b/roles/re2o-ldap/templates/ldap/schema.ldif.j2
similarity index 98%
rename from roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
rename to roles/re2o-ldap/templates/ldap/schema.ldif.j2
index 174374371f07a202795a0e5365f4b81b9a5cfbaa..036ab3afd2ab27ec043e40096ecd34f1a5386011 100644
--- a/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2 
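Review bot: The syncrepl stanza sends `credentials={{ re2o_ldap.replica.password }}` with `bindmethod=simple` to `provider={{ re2o_ldap.url }}`, an `ldaps://` URL built from a bare IP in group_vars, while the unchanged `tls_reqcert=allow` in the second hunk makes the consumer accept whatever certificate the provider side presents, so the replication password and the full directory stream get confidentiality but no authentication of the peer. Pairing the new lines with `tls_reqcert=demand` and a `tls_cacert=` entry for the provider's CA (and a certificate whose SAN covers the IP, or a hostname in the URL) would close that gap. Separately, `binddn` resolves to `cn=replicator,{{ re2o_ldap.suffix }}` from the host_vars username, whereas the local db.ldif.j2 only defines `cn=replica,ou=service-users`; worth confirming the provider actually holds the `cn=replicator` entry the consumer binds as.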
+++ b/roles/re2o-ldap/templates/ldap/schema.ldif.j2
@@ -14,6 +14,8 @@ olcSaslSecProps: none olcToolThreads: 1 structuralObjectClass: olcGlobal contextCSN: 20160619215244.315124Z#000000#000#000000 +olcTLSCertificateFile: /etc/ldap/ldap.pem +olcTLSCertificateKeyFile: /etc/ldap/ldap.key dn: cn=module{0},cn=config objectClass: olcModuleList
@@ -1021,7 +1023,7 @@ olcDatabase: {0}config olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth manage by * break olcRootDN: cn=config -olcRootPW: {{ re2o_ldap_replica.root_password_hash }} +olcRootPW: {{ re2o_ldap.root_password_hash }} structuralObjectClass: olcDatabaseConfig dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config 
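Review bot: The first hunk moves the certificate and key paths into the `cn=config` entry of the bootstrap LDIF but sets no protocol floor or cipher policy next to them, so the `ldaps://` listener enabled in tasks/main.yml will negotiate whatever the build's defaults allow; adding `olcTLSProtocolMin: 3.3` (TLS 1.2) alongside the two new attributes would pin that at first install. Because this LDIF is only applied when the installation marker is absent, already-initialised hosts keep their existing cn=config — the same scope the removed `ldapmodify` step had — so no migration is implied by the move.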
@@ -1035,52 +1037,52 @@ objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap -olcSuffix: {{ re2o_ldap_replica.suffix }} +olcSuffix: {{ re2o_ldap.suffix }} olcAccess: {0}to attrs=userPassword,sambaNTPassword,mail by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write by self write by anonymous auth - by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write - by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read - by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write + by dn="cn=admin,{{ re2o_ldap.suffix }}" write + by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}" write by * none olcAccess: {1}to attrs=shadowLastChange,gecos,loginShell by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write by self write by anonymous auth - by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write - by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read - by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read - by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write + by dn="cn=admin,{{ re2o_ldap.suffix }}" write + by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}" write by * none olcAccess: {2}to dn.base="" by * read -olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap_replica.suffix }}" +olcAccess: {3}to dn.sub="ou=groups,{{ re2o_ldap.suffix }}" by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write - by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read - by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read -olcAccess: {4}to 
dn.base="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}" + by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read +olcAccess: {4}to dn.base="cn=Utilisateurs,{{ re2o_ldap.suffix }}" by * read -olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap_replica.suffix }}" - by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read +olcAccess: {5}to dn.sub="cn=Utilisateurs,{{ re2o_ldap.suffix }}" + by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write by self read - by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read - by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" write -olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap_replica.suffix }}" + by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by group="cn=usermgmt,ou=services,ou=groups,{{ re2o_ldap.suffix }}" write +olcAccess: {6}to dn.sub="ou=service-users,{{ re2o_ldap.suffix }}" by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write - by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read - by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read -olcAccess: {7}to dn.base="{{ re2o_ldap_replica.suffix }}" + by group="cn=auth,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read + by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap.suffix }}" read +olcAccess: {7}to dn.base="{{ re2o_ldap.suffix }}" by * read olcAccess: {8}to * by set="[cn=nounou,ou=posix,ou=groups,dc=crans,dc=org]/memberUid & user/uid" write - by dn="cn=admin,{{ re2o_ldap_replica.suffix }}" write + by dn="cn=admin,{{ re2o_ldap.suffix }}" write by self read - by group="cn=readonly,ou=services,ou=groups,{{ re2o_ldap_replica.suffix }}" read + by group="cn=readonly,ou=services,ou=groups,{{ 
re2o_ldap.suffix }}" read olcLastMod: TRUE -olcRootDN: cn=admin,{{ re2o_ldap_replica.suffix }} -olcRootPW: {{ re2o_ldap_replica.root_password_hash }} +olcRootDN: cn=admin,{{ re2o_ldap.suffix }} +olcRootPW: {{ re2o_ldap.root_password_hash }} olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500