update to OpenLDAP 2.6 + deploy certificates + new multi-master recipe (

#14)
ltb-project · Nov 21, 2024 · 667ee79 · 667ee79
1 parent 695a689
commit 667ee79
Show file tree

Hide file tree

Showing 20 changed files with 607 additions and 251 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -20,4 +20,4 @@ jobs:
           sudo pip3 install ansible
           ansible --version
           printf '[defaults]\nroles_path=../' >ansible.cfg
-          ansible-playbook tests/standalone.yml -i tests/inventory --syntax-check --vault-password-file .vault_pass
+          ansible-playbook playbook/standalone.yml -i playbook/inventory --syntax-check --vault-password-file .vault_pass
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ You'll need to store the hash value for your admin passwords. You'll get it like
 /usr/local/openldap/sbin/slappasswd -o module-path="/usr/local/openldap/libexec/openldap" -o module-load="argon2" -h "{ARGON2}" -s "password"
 ```
 
-Store the passwords in the vault file in: `tests/credentials-vault.yml`
+Store the passwords in the vault file in: `playbook/credentials-vault.yml`
 
 
 Playbook examples
@@ -38,46 +38,49 @@ ansible.cfg
 roles_path=../
 ```
 
-See `tests/standalone.yml`
+See `playbook/standalone.yml`
 
 Run playbook with:
 
+
 ```
-ansible-playbook tests/standalone.yml -i tests/inventory --ask-vault-pass
+ansible-playbook playbook/standalone.yml -i playbook/inventory --ask-vault-pass
 ```
 
-or:
+You can also run an openldap cluster with 2 masters and 2 slaves with the multimaster playbook:
 
 ```
-ansible-playbook tests/standalone.yml -i tests/inventory --vault-password-file .vault_pass
+ansible-playbook playbook/multimaster.yml -i playbook/inventory --ask-vault-pass
 ```
 
-If you need a two-nodes multimaster example, give a look at `tests/multimaster1.yml` and `tests/multimaster2.yml`
+or:
 
+```
+ansible-playbook playbook/multimaster.yml -i playbook/inventory --vault-password-file .vault_pass
+```
 
-Give a look to `tests/monitoring.yml` for an example of playbook that deploys LTB monitoring and statistics tools
+For using this cluster, you must create the corresponding machines and declare the routes, as defined in `playbook/inventory`.
 
-Run the corresponding task with: 
+You also have to fill the certificate in `playbook/certificates-vault.yml`. You can use this command for editing the file: (the default password is: secret)
 
 ```
-ansible-playbook tests/monitoring.yml -i tests/inventory
+ansible-vault edit playbook/certificates-vault.yml
 ```
 
 
-If you want to install openldap on RHEL-like OS with certificates, you can define them in `tests/standalone.yml`:
+Give a look at `playbook/group_vars/prod.yml`, `playbook/host_vars/master1.yml` and `playbook/host_vars/master2.yml` for variable customization
+You can also use `--extra-vars variable=value` at the command line for overloading any variable.
 
-```
-ldaptoolbox_openldap_olcTLSCACertificateFile=/etc/pki/ca-trust/source/anchors/ca-cert.pem
-ldaptoolbox_openldap_olcTLSCertificateFile=/etc/pki/tls/certs/ldaps-cert.pem
-ldaptoolbox_openldap_olcTLSCertificateKeyFile=/etc/pki/tls/private/ldaps.key
-```
 
-You can also overload these variables in the command line:
+Give a look to `playbook/monitoring.yml` for an example of playbook that deploys LTB monitoring and statistics tools
+
+Run the corresponding task with: 
 
 ```
-ansible-playbook tests/standalone.yml -i tests/inventory --ask-vault-pass --extra-vars "ldaptoolbox_openldap_olcTLSCACertificateFile=/etc/pki/ca-trust/source/anchors/ca-cert.pem ldaptoolbox_openldap_olcTLSCertificateFile=/etc/pki/tls/certs/ldaps-cert.pem ldaptoolbox_openldap_olcTLSCertificateKeyFile=/etc/pki/tls/private/ldaps.key"
+ansible-playbook playbook/monitoring.yml -i playbook/inventory
 ```
 
+
 License
 -------
 

diff --git a/ansible.cfg b/ansible.cfg
@@ -0,0 +1,5 @@
+[defaults]
+roles_path=../
+[colors]
+warn = white
+error = yellow
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -9,12 +9,12 @@ ldaptoolbox_openldap_apt_key_url: "https://ltb-project.org/documentation/_static
 ldaptoolbox_openldap_apt_key_id: "3FC3FD92ABA3975D2BEB95A70AC51F926D45BFC5"
 ldaptoolbox_openldap_apt_repo_filename: "ltb-project-openldap"
 ldaptoolbox_openldap_apt_keyrings_path: /usr/share/keyrings
-ldaptoolbox_openldap_apt_repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/ltb-project-openldap.gpg] http://ltb-project.org/debian/openldap25/bullseye bullseye main"
+ldaptoolbox_openldap_apt_repo: "deb [arch=amd64 signed-by=/usr/share/keyrings/ltb-project-openldap.gpg] http://ltb-project.org/debian/openldap26/bookworm bookworm main"
 ldaptoolbox_openldap_apt_validate_certs: "true"
 
 # Packages
 ldaptoolbox_openldap_packages_base: openldap-ltb, openldap-ltb-contrib-overlays, openldap-ltb-mdb-utils
-ldaptoolbox_openldap_packages_dependencies: libcrack2, curl
+ldaptoolbox_openldap_packages_dependencies: libcrack2, curl, gpg
 ldaptoolbox_openldap_packages_state: present
 
 # Filesystem
@@ -25,7 +25,7 @@ ldaptoolbox_openldap_configuration_prefix: "config"
 ldaptoolbox_openldap_configuration_owner: ldap
 ldaptoolbox_openldap_configuration_group: ldap
 ldaptoolbox_openldap_configuration_mode: 0600
-ldaptoolbox_openldap_sslgroup: "{{ 'root' if ansible_os_family == 'RedHat' else 'ssl-cert' }}"
+ldaptoolbox_openldap_sslgroup: "{{ 'root' }}"
 
 # OpenLDAP LTB CLI command path
 ldaptoolbox_openldap_slapd_cli_cmd: /usr/local/openldap/sbin/slapd-cli
@@ -35,6 +35,10 @@ ldaptoolbox_openldap_slapd_cli_cmd: /usr/local/openldap/sbin/slapd-cli
 # OpenLDAP configuration
 ################################################################################
 
+# Options
+ldaptoolbox_openldap_olcAttributeOptions:
+  - lang-
+
 # Suffix
 ldaptoolbox_openldap_suffix: "{{ ldaptoolbox_openldap_suffix }}"
 
@@ -44,20 +48,25 @@ ldaptoolbox_openldap_custom_schema_list: []
 ldaptoolbox_openldap_schema_dir: /usr/local/openldap/etc/openldap/schema
 
 # Certificates
-ldaptoolbox_openldap_olcTLSCACertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ca-certificates.crt' }}"
-ldaptoolbox_openldap_olcTLSCertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ssl-cert-snakeoil.pem' }}"
-ldaptoolbox_openldap_olcTLSCertificateKeyFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/private/ssl-cert-snakeoil.key' }}"
+ldaptoolbox_openldap_olcTLSCipherSuite: "TLSv1.3:TLSv1.2"
 ldaptoolbox_openldap_olcTLSProtocolMin: 3.3
 
 # Log level
 ldaptoolbox_openldap_olcLogLevel: stats
+ldaptoolbox_openldap_olcLogFile: "/var/log/slapd-ltb/slapd.log"
+ldaptoolbox_openldap_olcLogFileRotate: "30 1024 24"
+
+# Size limit
+ldaptoolbox_openldap_olcSizeLimit: 1000
 
 # Enabled modules
 ldaptoolbox_openldap_module_list:
   - argon2.la
   - pw-pbkdf2.la
+  - pw-sha2.la
   - back_mdb.la
   - dynlist.la
+  - memberof.la
   - ppolicy.la
   - syncprov.la
   - unique.la
@@ -104,59 +113,19 @@ ldaptoolbox_openldap_database_olcLimits:
 
 # Indexes definition
 ldaptoolbox_openldap_database_olcDbIndexes:
+  - "entryCSN,entryUUID eq"
   - "objectClass eq"
-  - "entryUUID eq"
-  - "entryCSN eq"
-  - "cn pres,eq,sub"
-  - "uid pres,eq,sub"
-
-########################
-# Replication directives
-########################
+  - "cn eq,sub"
+  - "uid pres,eq"
+  - "givenName pres,eq,sub"
+  - "l pres,eq"
+  - "employeeType pres,eq"
+  - "mail pres,eq,sub"
+  - "sn pres,eq,sub"
 
-ldaptoolbox_openldap_olcServerID: 1
-ldaptoolbox_openldap_syncrepl:
-- rid: "001"
-  provider: "ldap://localhost:389/"
-  tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
-  tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
-  tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
-  tlsreqcert: "demand"
-  binddn: "uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}"
-  password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}"
-  searchbase: "{{ ldaptoolbox_openldap_suffix }}"
-  scope: "sub"
-  type: "refreshAndPersist"
-  retry: "5 5 300 +"
-- rid: "002"
-  provider: "ldap://localhost:389/"
-  tlscert: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
-  tlskey: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
-  tlscacert: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
-  tlsreqcert: "demand"
-  binddn: "uid=syncrepl,ou=accounts,ou=infrastructure,{{ ldaptoolbox_openldap_suffix }}"
-  password: "{{ ldaptoolbox_openldap_syncrepl_password_vault }}"
-  searchbase: "{{ ldaptoolbox_openldap_suffix }}"
-  scope: "sub"
-  type: "refreshAndPersist"
-  retry: "5 5 300 +"
 ldaptoolbox_openldap_overlay_syncprov_olcSpCheckpoint: "100 10"
 ldaptoolbox_openldap_overlay_syncprov_olcSpSessionlog: "100"
 
 ########################
 # Overlays configuration
 ########################
-
-# Password policy
-ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyDefault: "cn=default,ou=ppolicies,{{ ldaptoolbox_openldap_suffix }}"
-ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyHashCleartext: "TRUE"
-ldaptoolbox_openldap_overlay_ppolicy_olcPPolicyUseLockout: "TRUE"
-
-# Referential integrity
-ldaptoolbox_openldap_overlay_refint_olcRefintAttribute: "member"
-ldaptoolbox_openldap_overlay_refint_olcRefintNothing: "cn=nothing,{{ ldaptoolbox_openldap_suffix }}"
-
-# Dynamic groups (dynlist)
-ldaptoolbox_openldap_overlay_dynlist_olcDlAttrSet: "groupOfURLs memberURL member+memberOf@groupOfNames*"
-
-