From 02df5674b158049b2bd79d09a536989b834949e5 Mon Sep 17 00:00:00 2001
From: shirenn <shirenn@crans.org>
Date: Mon, 22 Feb 2021 01:22:12 +0100
Subject: [PATCH] [slapd] soyouz, query and regex
---
group_vars/ldap_server.yml | 3 ++-
host_vars/daniel.adm.crans.org.yml | 2 +-
host_vars/jack.adm.crans.org.yml | 2 +-
host_vars/sam.adm.crans.org.yml | 2 +-
host_vars/sputnik.adm.crans.org | 5 +++++
hosts | 1 +
ldap.yml | 5 -----
lookup_plugins/ldap.py | 17 +++++++++++++++++
plays/root.yml | 6 +-----
plays/slapd.yml | 7 +++++++
roles/slapd/templates/ldap/slapd.conf.j2 | 2 +-
11 files changed, 37 insertions(+), 15 deletions(-)
create mode 100644 host_vars/sputnik.adm.crans.org
delete mode 100755 ldap.yml
create mode 100755 plays/slapd.yml
diff --git a/group_vars/ldap_server.yml b/group_vars/ldap_server.yml
index 8818e0c1..7a52a6ca 100644
--- a/group_vars/ldap_server.yml
+++ b/group_vars/ldap_server.yml
@@ -1,7 +1,8 @@ --- glob_slapd: - master_ip: 172.16.10.1 + master_ip: "{{ query('ldap', 'ipv4', 'tealc', 'adm') | first }}" + regex: "^(role:(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius|backup)|ecdsa-sha2-nistp256:.*|ssh-(ed25519|dss|rsa):.*)$" replication_credentials: "{{ vault_ldap_replication_credentials }}" private_key: "{{ vault_ldap_private_keyĆ }}" certificate: "{{ vault_ldap_certificate }}"
diff --git a/host_vars/daniel.adm.crans.org.yml b/host_vars/daniel.adm.crans.org.yml
index 139b9bd1..6152f24c 100644
--- a/host_vars/daniel.adm.crans.org.yml
+++ b/host_vars/daniel.adm.crans.org.yml
@@ -1,5 +1,5 @@ --- loc_slapd: - ip: 172.16.10.12 + ip: "{{ query('ldap', 'ipv4', 'daniel', 'adm') | first }}" replica: true replica_rid: 2
diff --git a/host_vars/jack.adm.crans.org.yml b/host_vars/jack.adm.crans.org.yml
index 70c60054..896420ab 100644
--- a/host_vars/jack.adm.crans.org.yml
+++ b/host_vars/jack.adm.crans.org.yml
@@ -1,5 +1,5 @@ --- loc_slapd: - ip: 172.16.10.13 + ip: "{{ query('ldap', 'ipv4', 'jack', 'adm') | first }}" replica: true replica_rid: 3
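Review bot: The `regex` added to `glob_slapd` ends three of its alternatives in `.*`, so once a description starts with `ssh-rsa:`, `ssh-dss:`, `ssh-ed25519:` or `ecdsa-sha2-nistp256:` the constraint overlay accepts anything after the colon; a key body is base64, so `:[A-Za-z0-9+/=]+` in place of `:.*` keeps the check meaningful, and `dss` (DSA keys) is worth dropping unless such keys still exist in the directory. Because the `role:` prefix is now mandatory, device entries whose description is still a bare `dhcp`, `dns`, … presumably stop matching, so the overlay would refuse later modifications of those entries until they are rewritten — worth confirming before this reaches the master. `master_ip` — like the `ip` values in the daniel, jack, sam and sputnik host_vars hunks — is now resolved with `query('ldap', 'ipv4', …) | first`, which errors out on an empty result and needs the LDAP master reachable while inventory variables are evaluated, so a replica (or the master itself) can no longer be configured from a static address while the directory is down. A comment on the `master_ip` line recording that dependency, e.g. `# resolved from LDAP at play time: the master must be reachable to render slapd.conf`, would make the bootstrap order explicit.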
diff --git a/host_vars/sam.adm.crans.org.yml b/host_vars/sam.adm.crans.org.yml
index 9ed74927..ce52d174 100644
--- a/host_vars/sam.adm.crans.org.yml
+++ b/host_vars/sam.adm.crans.org.yml
@@ -1,5 +1,5 @@ --- loc_slapd: - ip: 172.16.10.11 + ip: "{{ query('ldap', 'ipv4', 'sam', 'adm') | first }}" replica: true replica_rid: 1
diff --git a/host_vars/sputnik.adm.crans.org b/host_vars/sputnik.adm.crans.org
new file mode 100644
index 00000000..04c45b94
--- /dev/null
+++ b/host_vars/sputnik.adm.crans.org
@@ -0,0 +1,5 @@
+---
+loc_slapd:
+ ip: "{{ query('ldap', 'ipv4', 'sputnik', 'adm') | first }}"
+ replica: true
+ replica_rid: 4
diff --git a/hosts b/hosts
index 955acc43..bc7e7eac 100644
--- a/hosts
+++ b/hosts
@@ -66,6 +66,7 @@ tealc.adm.crans.org sam.adm.crans.org daniel.adm.crans.org jack.adm.crans.org +sputnik.adm.crans.org [linx] linx.adm.crans.org
diff --git a/ldap.yml b/ldap.yml
deleted file mode 100755
index 5a4d03f4..00000000
--- a/ldap.yml
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-- hosts: daniel
- roles:
- - slapd
diff --git a/lookup_plugins/ldap.py b/lookup_plugins/ldap.py
index 3a77bfb3..838c67b4 100644
--- a/lookup_plugins/ldap.py
+++ b/lookup_plugins/ldap.py
@@ -60,6 +60,21 @@ class LookupModule(LookupBase): result = [res.decode('utf-8') for res in result['ipHostNumber']] return result + def ipv4(self, host, vlan): + if isinstance(vlan, int): + network_query_id = self.base.search(f"ou=networks,{self.base_dn}", ldap.SCOPE_ONELEVEL, f"description={vlan}") + network_result = self.base.result(network_query_id) + vlan = network_result[1][0][1]['cn'][0].decode('utf-8') + if vlan == 'srv': + query_id = self.base.search(f"cn={host}.crans.org,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE) + else: + query_id = self.base.search(f"cn={host}.{vlan}.crans.org,cn={host},ou=hosts,{self.base_dn}", ldap.SCOPE_BASE) + result = self.base.result(query_id) + result = result[1][0][1] + result = [res.decode('utf-8') for res in result['ipHostNumber']] + result = [ res for res in result if type(ipaddress.ip_address(res)) is ipaddress.IPv4Address ] + return result + def all_ip(self, host): """ Retrieve all IP addresses of a device
@@ -141,6 +156,8 @@ class LookupModule(LookupBase): result = self.query(*terms[1:]) elif terms[0] == 'ip': result = self.ip(*terms[1:]) + elif terms[0] == 'ipv4': + result = self.ipv4(*terms[1:]) elif terms[0] == 'all_ip': result = self.all_ip(*terms[1:]) elif terms[0] == 'cn':
diff --git a/plays/root.yml b/plays/root.yml
index 39df3297..7c3dee2f 100755
--- a/plays/root.yml
+++ b/plays/root.yml
@@ -48,11 +48,7 @@ - qemu-guest-agent - serial-tty -- hosts: ldap_server - vars: - slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}' - roles: - - slapd +- import_playbook: slapd.yml - hosts: server vars:
diff --git a/plays/slapd.yml b/plays/slapd.yml
new file mode 100755
index 00000000..60b55e61
--- /dev/null
+++ b/plays/slapd.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: ldap_server
+ vars:
+ slapd: '{{ glob_slapd | default({}) | combine(loc_slapd | default({})) }}'
+ roles:
+ - slapd
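Review bot: `ipv4` interpolates `host` and `vlan` straight into the base DN and the `description=` filter, so a value containing `,`, `=`, `(`, `)` or `*` changes the query instead of being looked up literally; `ldap.dn.escape_dn_chars(host)` for the DN pieces and `ldap.filter.escape_filter_chars(str(vlan))` for the filter keep the lookup literal (the existing `ip` method, whose tail is visible as context, may have the same issue, but this hunk adds a second copy of it). The method also repeats the lookup line for line and only then filters; if `ip(host, vlan)` already returns the decoded `ipHostNumber` list, as the context lines and the `self.ip(*terms[1:])` dispatch suggest, `return [a for a in self.ip(host, vlan) if isinstance(ipaddress.ip_address(a), ipaddress.IPv4Address)]` removes the duplication and replaces the `type(...) is` test with `isinstance`. A host or numeric VLAN that is not found surfaces as a bare `IndexError` from `result[1][0][1]`, and a malformed `ipHostNumber` as a `ValueError` from `ipaddress.ip_address`; re-raising those as an `AnsibleError` (from `ansible.errors`) naming the host and vlan would make a failed lookup diagnosable from the playbook output. The method has no docstring; a one-liner such as `"""Return the IPv4 addresses of *host* on *vlan* (name or numeric id), read from the hosts subtree."""` would match the neighbouring `all_ip`. The hunk ends inside the docstring of `all_ip`, and whether `ipaddress` is imported at the top of the file is not visible here.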
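Review bot: `glob_slapd | default({})` in the new plays/slapd.yml differs from the play it replaces in plays/root.yml, which applied no default to `glob_slapd`; since the play targets `ldap_server`, whose group_vars define `glob_slapd`, the only effect is that a missing or misnamed group_vars file now fails later, as an undefined `slapd.regex` or `slapd.master_ip` inside the slapd role, instead of at variable assembly. If the fallback is intended (for example to run the play against a host outside the group), a comment above `vars:` such as `# glob_slapd may be absent when the play is run outside the ldap_server group` would stop the next reader from removing it; otherwise dropping `default({})` keeps the clearer failure.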
diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2
index ab870c26..6680b9ee 100644
--- a/roles/slapd/templates/ldap/slapd.conf.j2
+++ b/roles/slapd/templates/ldap/slapd.conf.j2
@@ -31,7 +31,7 @@ auditlog /var/log/openldap/auditlog.log moduleload constraint overlay constraint -constraint_attribute description regex ^(dhcp|dns|dns-primary|dns-secondary|ftp|gitlab|miroir|ntp|pve|radius)$ +constraint_attribute description regex {{ slapd.regex }} restrict=ldap:///ou=hosts,dc=crans,dc=org??one?(objectClass=device) constraint_attribute uid regex ^_ restrict=ldap:///ou=passwd,dc=crans,dc=org??one?(objectClass=posixAccount)
-- GitLab
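Review bot: `{{ slapd.regex }}` is rendered unquoted into an argument position of slapd.conf, where the parser splits arguments on whitespace and treats `"` as a quoting character, so a regex containing either would silently break this `constraint_attribute` line or its `restrict=` continuation; the value defined in this commit contains neither, but nothing in the template enforces that. Moving the pattern out of the template also means the policy enforced on `ou=hosts` is now edited in group_vars rather than here, so a comment above the line should say where it lives and what it must satisfy: `# pattern comes from glob_slapd.regex (group_vars/ldap_server.yml); it must contain no whitespace or double quotes, or slapd will not parse this line`. The `restrict=` continuation appears to belong to this line, but the hunk does not show its indentation, so that is inferred.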