forked from finallycoffee/base
110 lines
4.1 KiB
YAML
110 lines
4.1 KiB
YAML
---
|
|
- name: Configure LDAP directory information tree
|
|
hosts: "{{ ldap_hosts | default('ldap') }}"
|
|
become: "{{ ldap_become | default(false) }}"
|
|
gather_facts: "{{ ldap_gather_facts | default(false) }}"
|
|
vars:
|
|
_state: "{{ ldap_state | default('present') }}"
|
|
_ldap_bind_info: &ldap_bind_info
|
|
server_uri: "{{ ldap_server_uri }}"
|
|
bind_dn: "{{ ldap_bind_dn }}"
|
|
bind_pw: "{{ ldap_bind_pw }}"
|
|
roles:
|
|
# Ensure all defaults from openldap role are in scope
|
|
- role: finallycoffee.base.openldap
|
|
when: false
|
|
tasks:
|
|
- name: Ensure org units in '{{ ldap_base_dn }}' are {{ _state }}
|
|
community.general.ldap_entry:
|
|
<<: *ldap_bind_info
|
|
dn: "ou={{ org_unit }},{{ ldap_base_dn }}"
|
|
objectClass: "organizationalUnit"
|
|
state: "{{ _state }}"
|
|
loop: "{{ ldap_org_units | default([], true) }}"
|
|
loop_control:
|
|
loop_var: org_unit
|
|
|
|
- name: Ensure admin user is {{ _state }}
|
|
community.general.ldap_entry:
|
|
<<: *ldap_bind_info
|
|
dn: "uid={{ ldap_admin_user_rdn }},{{ ldap_admin_user_base }}"
|
|
objectClass: "{{ ldap_admin_user_object_classes }}"
|
|
attributes: "{{ ldap_admin_user_attributes }}"
|
|
state: "{{ _state }}"
|
|
vars:
|
|
ldap_admin_user_base: >-2
|
|
{{ ldap_admin_user_base_dn | default(ldap_base_dn, true) }}
|
|
when: ldap_admin_user_rdn is defined
|
|
|
|
- name: Ensure admin user attributes are correct
|
|
community.general.ldap_attrs:
|
|
<<: *ldap_bind_info
|
|
dn: "uid={{ ldap_admin_user_rdn }},{{ ldap_admin_user_base }}"
|
|
attributes: "{{ ldap_admin_user_attributes }}"
|
|
state: "{{ _state }}"
|
|
vars:
|
|
ldap_admin_user_base: >-2
|
|
{{ ldap_admin_user_base_dn | default(ldap_base_dn, true) }}
|
|
when:
|
|
- ldap_admin_user_rdn is defined
|
|
- _state == 'present'
|
|
|
|
- name: Ensure ldap groups are {{ _state }}
|
|
community.general.ldap_entry:
|
|
<<: *ldap_bind_info
|
|
dn: "{{ _ldap_group_dn }}"
|
|
objectClass: "{{ _ldap_group_object_classes }}"
|
|
attributes: "{{ _ldap_group_attributes }}"
|
|
state: "{{ _state }}"
|
|
vars:
|
|
_ldap_group_dn: >-2
|
|
cn={{ _ldap_group.name }},{{ ldap_group_base_dn }}
|
|
_ldap_group_object_classes:
|
|
- "groupOfNames"
|
|
_ldap_group_attributes:
|
|
cn: "{{ _ldap_group.name }}"
|
|
member: >-2
|
|
{{ _ldap_group.members | default([]) }}
|
|
loop: "{{ ldap_groups | default([], true) }}"
|
|
loop_control:
|
|
loop_var: _ldap_group
|
|
label: "{{ _ldap_group.name }}"
|
|
when:
|
|
- ldap_groups is defined
|
|
- ldap_group_base_dn is defined
|
|
|
|
- name: Ensure service accounts are {{ _state }}
|
|
community.general.ldap_entry:
|
|
<<: *ldap_bind_info
|
|
dn: "{{ _ldap_service_account_dn }}"
|
|
objectClass: "{{ _ldap_service_account_object_classes }}"
|
|
attributes: "{{ _ldap_service_account_attributes }}"
|
|
state: "{{ _state }}"
|
|
loop: &ldap_service_account_loop "{{ ldap_service_accounts | default([]) }}"
|
|
loop_control: &ldap_service_account_loop_control
|
|
loop_var: "_ldap_service_account"
|
|
label: "{{ _ldap_service_account.name }}"
|
|
vars: &ldap_service_account_vars
|
|
_ldap_service_account_dn: >-2
|
|
uid={{ _ldap_service_account.name }},{{ ldap_service_account_base_dn }}
|
|
_ldap_service_account_object_classes:
|
|
- "account"
|
|
- "simpleSecurityObject"
|
|
_ldap_service_account_attributes:
|
|
uid: "{{ _ldap_service_account.name }}"
|
|
userPassword: "{{ _ldap_service_account.password }}"
|
|
when: &ldap_service_account_when
|
|
- ldap_service_accounts is defined
|
|
- ldap_service_account_base_dn is defined
|
|
|
|
- name: Ensure service accounts attributes are correct
|
|
community.general.ldap_attrs:
|
|
<<: *ldap_bind_info
|
|
dn: "{{ _ldap_service_account_dn }}"
|
|
attributes: "{{ _ldap_service_account_attributes }}"
|
|
state: exact
|
|
loop: *ldap_service_account_loop
|
|
loop_control: *ldap_service_account_loop_control
|
|
vars: *ldap_service_account_vars
|
|
when: *ldap_service_account_when
|