initial commit
commit
e7aaed3b33
5 changed files with 203 additions and 0 deletions
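--- a/README.md
+++ b/README.md
@@ -0,0 +1,162 @@
+# Role : docker_openldap
+
+
+## Services fournis
+
+Installation de openldap sur un serveur docker_host
+
+
+## Variables
+
+Fournir les variables suivantes. Par exemple :
+
+```yaml
+docker_openldap_data_dir: /data1
+docker_openldap_service_id: openldap
+```
+
+| Option                         | Valeur par défaut | Description                                                                                                                                   |
+|--------------------------------|-------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|
+| docker_openldap_data_dir       |                   | L'emplacement dans lequel se trouvent les volumes de donnees docker pour le service                                                            |
+| docker_openldap_service_id     |                   | Le nom de service souhaité : conditionne le nommage des volumes                                                                               |
+| docker_openldap_port           | 389               | Le numero de port local pour la connexion à openldap                                                                                          |
+| docker_openldap_version        |                   | Version du conteneur docker souhaité                                                                                                          |
+| docker_openldap_rootdn         |                   | dn de la racine de l'annuaire (par exemple: dc=example,dc=com)                                                                                |
+| docker_openldap_admin_password |                   | Mot de passe administrateur de l'annuaire ; le dn de l'administrateur est cn=admin suivi du rootdn, par exemple : cn=admin,dc=example,dc=com) |
+| docker_openldap_organization   |                   | Le nom de l'organisation pour cet annuaire (attribut o de la racine)                                                                          |
+
+
+# Poursuite de l'installation du serveur openldap
+
+## Configuration de la strategie de mot de passe avec le module ppolicy
+
+### Activation du module ppolicy
+
+```
+# docker exec -ti -u openldap 7520847e9e47 bash
+openldap@7520847e9e47:/$ cd /tmp
+
+openldap@7520847e9e47:/tmp$ slapcat -n 0 | grep olcModuleLoad | grep ppolicy
+
+openldap@7520847e9e47:/tmp$ cat > ppolicy-module.ldif
+dn: cn=module,cn=config
+objectClass: olcModuleList
+cn: module
+olcModuleLoad: ppolicy
+^D
+
+openldap@7520847e9e47:/tmp$ slapadd -n0 -l ppolicy-module.ldif
+_#################### 100.00% eta none elapsed none fast!
+Closing DB...
+
+openldap@7520847e9e47:/tmp$ slapcat -n 0 | grep olcModuleLoad | grep ppolicy
+olcModuleLoad: {0}ppolicy
+```
+
+et redémarrer le conteneur
+
+### Ajout de la configuration du module ppolicy
+
+```
+# docker exec -ti d7f2803e5cfb bash
+root@d7f2803e5cfb:/# cd /tmp/
+
+root@d7f2803e5cfb:/tmp# cat > ppolicyoverlay.ldif
+dn: olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config
+changetype: add
+objectClass: olcPPolicyConfig
+objectClass: olcOverlayConfig
+olcOverlay: {2}ppolicy
+olcPPolicyDefault: cn=defaultPasswordPolicy,ou=policies,dc=libretic,dc=fr
+olcPPolicyForwardUpdates: TRUE
+olcPPolicyHashCleartext: TRUE
+olcPPolicyUseLockout: TRUE
+^D
+
+root@d7f2803e5cfb:/tmp# ldapadd -Y EXTERNAL -H ldapi:// -f ppolicyoverlay.ldif
+SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+adding new entry "olcOverlay={2}ppolicy,olcDatabase={1}mdb,cn=config"
+```
+
+### Ajout d'une stratégie de mot de passe par défaut
+
+Valeurs à adapter en fonction du besoin.
+
+```
+root@d7f2803e5cfb:/tmp# cat > defaultppolicy.ldif
+dn: ou=policies,dc=libretic,dc=fr
+objectClass: organizationalUnit
+ou: policies
+
+dn: cn=defaultPasswordPolicy,ou=policies,dc=libretic,dc=fr
+objectClass: top
+objectClass: device
+objectClass: pwdPolicyChecker
+objectClass: pwdPolicy
+cn: defaultPasswordPolicy
+pwdAttribute: userPassword
+pwdInHistory: 3
+pwdMinLength: 8
+pwdMaxFailure: 5
+pwdFailureCountInterval: 600
+pwdCheckQuality: 0
+pwdMustChange: FALSE
+pwdGraceAuthNLimit: 0
+pwdMaxAge: 0
+pwdExpireWarning: 1209600
+pwdLockoutDuration: 900
+pwdLockout: TRUE
+root@d7f2803e5cfb:/tmp# ldapadd -Y EXTERNAL -H ldapi:// -f defaultppolicy.ldif
+SASL/EXTERNAL authentication started
+SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
+SASL SSF: 0
+adding new entry "ou=policies,dc=libretic,dc=fr"
+
+adding new entry "cn=defaultPasswordPolicy,ou=policies,dc=libretic,dc=fr"
+```
+
+
+## Accès à l'annuaire en tant qu'administrateur de config
+
+Permet par exemple une modification des acl pour une modification avec apache directory studio (pratique).
+
+
+### Modifier le mdp de l'administrateur de config
+
+#### Créer la valeur chiffrée du mdp
+```
+root@docker-host:/# docker exec -ti 04a84d35f749 bash
+
+root@04a84d35f749:/# slappasswd
+New password:
+Re-enter new password:
+{SSHA}FqKYv/azMmj/tp2LTSWzOzJf65h/nRKp
+```
+
+#### Créer un fichier modify.ldif pour
+```
+root@04a84d35f749:/# cd /tmp/
+
+root@04a84d35f749:/tmp# cat > modify.ldif
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+delete: olcRootPW
+-
+add: olcRootPW
+olcRootPW: {SSHA}FqKYv/azMmj/tp2LTSWzOzJf65h/nRKp
+^D
+
+root@04a84d35f749:/tmp# ldapmodify -Y EXTERNAL -H ldapi:// -f modify.ldif
+```
+
+
+## Connection depuis apache directory studio
+
+Configurer ADS avec :
+- compte : cn=admin,cn=config
+- mdp : celui utilisé avec slappasswd
+- dn de base : olcDatabase={1}mdb,cn=config => pour configurer le serveur openldap
+- dn de base : cn=schema,cn=config => pour consulter les schemas connus par openldap
+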
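--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1 @@
+docker_openldap_port: "389"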
5
handlers/main.yml
Normal file
5
handlers/main.yml
Normal file
|
@ -0,0 +1,5 @@
|
|||
- name: docker-compose-up
|
||||
shell: |
|
||||
docker-compose up -d
|
||||
args:
|
||||
chdir: /opt/{{ docker_openldap_service_id }}/
|
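Review bot: The handler runs `docker-compose up -d` through `shell:` although the command uses no shell features (no pipes, globs or variable expansion), so `command:` is the right module here — it drops the intermediate `/bin/sh` and is what ansible-lint flags as `command-instead-of-shell`; the `args: chdir:` stays as is. Because it is a raw command, the handler also reports `changed` on every run, so a `changed_when:` based on compose output, or the `community.docker.docker_compose` module if that collection is available to this role, would make reruns idempotent. Suggested change: `command: docker-compose up -d`. The rendered page has dropped this file's leading indentation, so the nesting of `args`/`chdir` under the handler is inferred.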
14
tasks/main.yml
Normal file
14
tasks/main.yml
Normal file
|
@ -0,0 +1,14 @@
|
|||
- name: docker directory
|
||||
file:
|
||||
path: /opt/{{ docker_openldap_service_id }}/
|
||||
state: directory
|
||||
|
||||
- name: prepare docker-compose.yml
|
||||
template:
|
||||
src: "{{ item }}"
|
||||
dest: /opt/{{ docker_openldap_service_id }}/
|
||||
with_items:
|
||||
- docker-compose.yml
|
||||
notify: docker-compose-up
|
||||
|
||||
|
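Review bot: The `template` task writes docker-compose.yml without `owner`/`group`/`mode`, and the rendered file carries `LDAP_ADMIN_PASSWORD` in cleartext (see the compose template's environment block), so it lands with whatever the remote umask gives — typically 0644, readable by every local account on docker_host. Set `mode: "0600"` together with `owner: root` and `group: root` on the template task, and `mode: "0750"` on the preceding `file` directory task, so the secret is not exposed to unprivileged users. Separately, `with_items` over a single entry is a style leftover; `src: docker-compose.yml` with a file `dest` (`/opt/{{ docker_openldap_service_id }}/docker-compose.yml`) reads cleaner and avoids relying on the trailing-slash directory destination. Indentation is not visible on the rendered page, so the task structure is inferred.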
21
templates/docker-compose.yml
Normal file
21
templates/docker-compose.yml
Normal file
|
@ -0,0 +1,21 @@
|
|||
# {{ ansible_managed }}
|
||||
version: '3.1'
|
||||
|
||||
services:
|
||||
openldap:
|
||||
image: osixia/openldap:{{ docker_openldap_version }}
|
||||
environment:
|
||||
- LDAP_ORGANISATION={{ docker_openldap_organization }}
|
||||
- LDAP_DOMAIN={{ docker_openldap_rootdn }}
|
||||
- LDAP_ADMIN_PASSWORD={{ docker_openldap_admin_password }}
|
||||
- LDAP_TLS=false
|
||||
- LDAP_RFC2307BIS_SCHEMA=true
|
||||
restart: always
|
||||
volumes:
|
||||
- {{ docker_openldap_data_dir }}/{{ docker_openldap_service_id }}/ldap:/var/lib/ldap
|
||||
- {{ docker_openldap_data_dir }}/{{ docker_openldap_service_id }}/slapd.d:/etc/ldap/slapd.d
|
||||
- /etc/timezone:/etc/timezone:ro
|
||||
- /etc/localtime:/etc/localtime:ro
|
||||
ports:
|
||||
- {{ docker_openldap_port }}:389
|
||||
|
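Review bot: `LDAP_TLS=false` combined with `ports: - {{ docker_openldap_port }}:389` publishes plaintext LDAP on every host interface, so simple binds — including the cn=admin bind — cross the network unencrypted; unless TLS is enabled or the host port is deliberately firewalled, bind to loopback with `- "127.0.0.1:{{ docker_openldap_port }}:389"` and quote the mapping as Compose convention requires. The environment entries are unquoted Jinja inside a YAML list, so an admin password containing ` #`, a leading quote or other YAML specials would be truncated or mis-parsed after rendering; write them as `- "LDAP_ADMIN_PASSWORD={{ docker_openldap_admin_password }}"` (and likewise for the other three). The README describes `docker_openldap_rootdn` as a DN such as `dc=example,dc=com`, whereas, as far as I recall, osixia's `LDAP_DOMAIN` expects a DNS-style domain from which the base DN is derived — worth confirming against the image documentation before users hit a wrong suffix. Finally, `osixia/openldap:{{ docker_openldap_version }}` is a mutable tag; allowing a digest (`@sha256:…`) in the variable would make the deployment reproducible.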