main.yml

---
# tasks file for ansible-openldap

- name: Preseed slapd
  debconf:
    name: slapd
    question: '{{ item.question }}'
    vtype: '{{ item.vtype }}'
    value: '{{ item.value }}'
  with_items:
    - question: shared/organization
      vtype: string
      value: '{{ openldap_organization }}'
    - question: slapd/domain
      vtype: string
      value: '{{ openldap_domain }}'
    - question: slapd/password1
      vtype: password
      value: '{{ openldap_password }}'
    - question: slapd/password2
      vtype: password
      value: '{{ openldap_password }}'

- name: apt install
  apt:
    name: '{{ item }}'
    state: present
    update_cache: yes
    cache_valid_time: 3600
  with_items:
    - ldap-utils
    - slapd
    - gnutls-bin
    - python-ldap
    - ssl-cert

- name: Allow slapd to access the TLS key
  user:
    name: openldap
    groups: ssl-cert
    state: present
  notify:
    - Restart OpenLDAP

- name: Set default ldap client settings
  lineinfile:
    dest: /etc/ldap/ldap.conf
    line: 'URI    ldapi:///'
    regexp: '^URI'
    state: present

- meta: flush_handlers

- name: Allow anonymous read access to chsh and chfn
  ldap_attr:
    dn: 'olcDatabase={1}{{ slapd_backend }},cn=config'
    name: olcAccess
    values: '{1}to attrs=loginShell,gecos by dn="cn=admin,{{ openldap_basedn }}" write by self write by * read'
    state: present

- name: Configure olcTLS attributes (first time, can fail)
  ignore_errors: yes
  with_dict:
    olcTLSCACertificateFile: '{{ openldap_tls_ca_cert }}'
    olcTLSCertificateFile: '{{ openldap_tls_cert }}'
    olcTLSCertificateKeyFile: '{{ openldap_tls_key }}'
    olcTLSCipherSuite: '+AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-RSA:+DHE-RSA:+AEAD:+SHA1:+SHA256:+SHA384'
  ldap_attr:
    dn: 'cn=config'
    name: '{{ item.key }}'
    values: '{{ item.value }}'
    state: exact
  notify:
    - Restart OpenLDAP

- name: Configure olcTLS attributes
  with_dict:
    olcTLSCACertificateFile: '{{ openldap_tls_ca_cert }}'
    olcTLSCertificateFile: '{{ openldap_tls_cert }}'
    olcTLSCertificateKeyFile: '{{ openldap_tls_key }}'
    olcTLSCipherSuite: '+AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-RSA:+DHE-RSA:+AEAD:+SHA1:+SHA256:+SHA384'
  ldap_attr:
    dn: 'cn=config'
    name: '{{ item.key }}'
    values: '{{ item.value }}'
    state: exact
  notify:
    - Restart OpenLDAP

- name: Add backup cron job
  copy:
    src: backup.sh
    dest: /etc/cron.daily/slapd
    owner: root
    group: root
    mode: '0755'

- name: Set slapd binds
  lineinfile:
    dest: /etc/default/slapd
    line: SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
    regexp: '^SLAPD_SERVICES='
    state: present
  notify:
    - Restart OpenLDAP

- name: Allow LDAPS port
  ufw:
    rule: allow
    port: ldaps
    proto: tcp

- include: phpldapadmin.yml