added first pass of the ldapd role

Signed-off-by: Aisha Tammy <[email protected]>

Author: epsilon-0

defaults/main.yml

@@ -0,0 +1,38 @@
+---
+
+ldap_domains: []
+  # - domain: domain.tld
+  #   users: 
+  #     - uid: puffy
+  #       first: "Puffy"
+  #       last: "Fish"
+  #       pw_hash: "$2b$10$leismHABjnpr/lGk4bQ6ce374PYKP/8LyNDh7ZYJAgAG0CNFVdcj2"
+  #       pubkey: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUJHLRqynSi5YpWU0v6xogi0hiRFdXAckAw+KOek6TA"
+
+ldap_admin: root
+ldap_passwd: '{BSDAUTH}root'
+
+ldap_uid_start: 1000
+ldap_gid_start: 1000
+
+ldap_indexes:
+  - objectClass
+  - uid
+  - uidNumber
+  - gidNumber
+  - userPassword
+  - cn            # common name
+  - sn            # surname
+  - givenName     # first name
+  - ou            # organizational unit
+  - mail
+  - sshPublicKey
+  - quotaBytes
+
+ldap_schemas:
+  - "ldap_extras.schema"
+
+
+ldap_groups: [
+        { gidnum: 666, name: _ldap, member_uids: [ puffy ] }
+]

files/ldap_extras.schema

@@ -0,0 +1,9 @@
+attributetype ( 1.3.6.1.4.1.30155.115.3 NAME 'sshPublicKey'
+	DESC 'SSH public key'
+	EQUALITY caseExactIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.30155.115.4 NAME 'mailQuotaBytes'
+	DESC 'Dovecot mailbox quota'
+	EQUALITY integerMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )

handlers/main.yml

@@ -0,0 +1,5 @@
+---
+- name: restart ldapd
+  service:
+    name: ldapd
+    state: restarted

tasks/main.yml

@@ -0,0 +1,41 @@
+---
+- name: install additional ldap packages
+  openbsd_pkg:
+    name: '{{ item }}'
+    state: present
+  with_items: "{{ ldap_packages }}"
+
+- name: install schema files
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/ldap/{{ item }}"
+  with_items: "{{ ldap_schemas }}"
+
+- name: make sure extra config files exist
+  file:
+    path: "{{ item }}"
+    state: touch
+    owner: root
+    group: wheel
+    mode: 0600
+  with_items:
+    - "/etc/ldapd_before.conf"
+    - "/etc/ldapd_after.conf"
+
+- name: generate ldap config file
+  template:
+    src: ldapd.conf.j2
+    dest: /etc/ldapd.conf
+    mode: 0600
+    owner: root
+    group: wheel
+    validate: /usr/sbin/ldapd -n -f %s
+  notify: restart ldapd
+
+- name: enable and start ldapd service
+  service:
+    name: ldapd
+    state: started
+    enabled: true
+
+

templates/ldap.conf.j2

@@ -0,0 +1,43 @@
+include "/etc/ldapd_before.conf"
+
+listen on "/var/run/ldapi"
+listen on "/var/www/run/ldapi"
+listen on lo0 secure
+
+schema "/etc/ldap/core.schema"
+schema "/etc/ldap/inetorgperson.schema"
+schema "/etc/ldap/nis.schema"
+schema "/etc/ldap/excision.schema"
+
+{% for domain in ldap_domains %}
+namespace "dc={{ domain.name }},dc={{ domain.tld }}" {
+  rootdn "cn={{ domain.admin | default(ldap_admin) }},dc={{ domain.name }},dc={{ domain.tld }}"
+  rootpw "{CRYPT}{{ lookup('pipe', 'encrypt -b a ' + ( domain.passwd | default(ldap_rootpw) ) |quote ) }}"
+
+  {% for i in ldap_indexes %}
+  index {{ i }}
+  {% endfor %}
+
+  deny
+  allow read access to subtree "{{ domain.name }}"
+  allow bind access to children of "ou=users,{{ domain.name }}"
+  allow write access to any attribute sshPublicKey by self
+  deny to any attribute userPassword
+  allow read access to any attribute userPassword by self
+  allow write access to any attribute userPassword by self
+
+  # TODO: need a way for user's to change their own password, but there's nothing
+  # stopping them from writing a plain text password into their entry.
+  #
+  # Solution is probably a service user with write access to all userPassword
+  # entries which writes a new {CRYPT} string after verifying a bind with the
+  # user's old password.
+
+  {% for user in (domain.admin_users | default([])) %}
+  allow to any by "uid={{ user }},ou=users,{{ domain.name }}"
+  {% endfor %}
+}
+
+{% endfor %}
+
+include "/etc/ldapd_after.conf"