Rename some roles to make ansible-lint happy.
This commit is contained in:
Andreas B. Mundt
Andreas B. Mundt
parent
4d791a65f1
commit
1db0b6ec31
75 changed files with 29 additions and 29 deletions
9
roles/krb5kdcldap/defaults/main.yml
Normal file
9
roles/krb5kdcldap/defaults/main.yml
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
kdc_master_pwd: "{{ lookup('password', '/tmp/kdc_master.pwd chars=ascii_letters,digits length=32') }}"
|
||||
kdc_master_pwd_file: "/root/kdc-master.pwd"
|
||||
|
||||
kdc_service_pwd: "{{ lookup('password', '/tmp/kdc-service.pwd chars=ascii_letters,digits length=32') }}"
|
||||
kadmin_service_pwd: "{{ lookup('password', '/tmp/kadmin-service.pwd chars=ascii_letters,digits length=32') }}"
|
||||
|
||||
kadmin_pwd: "{{ lookup('password', '/tmp/kadmin.pwd chars=ascii_letters,digits length=32') }}"
|
||||
kadmin_pwd_file: "/root/kadmin.pwd"
|
||||
11
roles/krb5kdcldap/handlers/main.yml
Normal file
11
roles/krb5kdcldap/handlers/main.yml
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
- name: restart slapd
|
||||
systemd: name=slapd state=restarted enabled=yes
|
||||
listen: "restart slapd"
|
||||
|
||||
- name: restart krb5-kdc
|
||||
systemd: name=krb5-kdc state=restarted enabled=yes
|
||||
listen: "restart krb5-kdc"
|
||||
|
||||
- name: restart krb5-admin-server
|
||||
systemd: name=krb5-admin-server state=restarted enabled=yes
|
||||
listen: "restart krb5-admin-server"
|
||||
3
roles/krb5kdcldap/meta/main.yml
Normal file
3
roles/krb5kdcldap/meta/main.yml
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
---
|
||||
dependencies: # noqa meta-no-info
|
||||
- role: ldap
|
||||
229
roles/krb5kdcldap/tasks/main.yml
Normal file
229
roles/krb5kdcldap/tasks/main.yml
Normal file
|
|
@ -0,0 +1,229 @@
|
|||
## Install and configure krb5-kdc-ldap (if not done yet),
|
||||
## run most tasks only on krb5-kdc-ldap installation.
|
||||
---
|
||||
- name: check that domain name is available
|
||||
fail: msg="The machine's domain must not be empty."
|
||||
when: ansible_domain | length == 0
|
||||
|
||||
- name: check if krb5kdc is already there
|
||||
stat: path=/usr/sbin/krb5kdc
|
||||
register: krb5kdc
|
||||
|
||||
- name: prepare krb5.conf
|
||||
template:
|
||||
src: krb5.conf.j2
|
||||
dest: /etc/krb5.conf
|
||||
mode: 0644
|
||||
|
||||
- name: make sure krb5kdc exists
|
||||
file:
|
||||
path: /etc/krb5kdc
|
||||
state: directory
|
||||
recurse: true
|
||||
mode: 0755
|
||||
|
||||
- name: prepare kdc.conf
|
||||
template:
|
||||
src: kdc.conf.j2
|
||||
dest: /etc/krb5kdc/kdc.conf
|
||||
mode: 0644
|
||||
|
||||
- name: prepare kadm5.acl
|
||||
template:
|
||||
src: kadm5.acl.j2
|
||||
dest: /etc/krb5kdc/kadm5.acl
|
||||
mode: 0644
|
||||
notify: "restart krb5-admin-server"
|
||||
|
||||
- name: install krb5-kdc-ldap and krb5-admin-server
|
||||
apt:
|
||||
name:
|
||||
- krb5-kdc-ldap
|
||||
- krb5-admin-server
|
||||
state: latest # noqa package-latest
|
||||
|
||||
- name: prepare kerberos.openldap.ldif
|
||||
shell: gunzip -c /usr/share/doc/krb5-kdc-ldap/kerberos.openldap.ldif.gz > /etc/ldap/schema/kerberos.openldap.ldif
|
||||
args:
|
||||
creates: /etc/ldap/schema/kerberos.openldap.ldif
|
||||
|
||||
- name: activate kerberos.openldap.ldif schema
|
||||
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/kerberos.openldap.ldif
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: make sure we have a kerberos container
|
||||
ldap_entry:
|
||||
dn: "cn=kerberos,{{ basedn }}"
|
||||
objectClass: krbContainer
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
|
||||
|
||||
- name: make sure we have a kdc object
|
||||
ldap_entry:
|
||||
dn: "cn=kdc,cn=kerberos,{{ basedn }}"
|
||||
objectClass:
|
||||
- organizationalRole
|
||||
- simpleSecurityObject
|
||||
attributes:
|
||||
userPassword: "{{ kdc_service_pwd }}"
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
|
||||
|
||||
- name: make sure we have a kadmin object
|
||||
ldap_entry:
|
||||
dn: "cn=kadmin,cn=kerberos,{{ basedn }}"
|
||||
objectClass:
|
||||
- organizationalRole
|
||||
- simpleSecurityObject
|
||||
attributes:
|
||||
userPassword: "{{ kadmin_service_pwd }}"
|
||||
bind_dn: "cn=admin,{{ basedn }}"
|
||||
bind_pw: "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
|
||||
|
||||
- name: modify ACLs to account for KDC
|
||||
ldap_attr:
|
||||
dn: "olcDatabase={1}mdb,cn=config"
|
||||
name: olcAccess
|
||||
values:
|
||||
- >-
|
||||
to attrs=userPassword
|
||||
by self write
|
||||
by anonymous auth
|
||||
by * none
|
||||
- >-
|
||||
to attrs=shadowLastChange
|
||||
by self write
|
||||
by * read
|
||||
- >-
|
||||
to dn.subtree="cn=kerberos,{{ basedn }}"
|
||||
by dn.exact="cn=kdc,cn=kerberos,{{ basedn }}" read
|
||||
by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
|
||||
by * none
|
||||
- >-
|
||||
to attrs=krbPrincipalName,krbLastPwdChange,krbPrincipalKey,krbExtraData
|
||||
by dn.exact="cn=kdc,cn=kerberos,{{ basedn }}" read
|
||||
by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
|
||||
by self read
|
||||
by * auth
|
||||
- >-
|
||||
to *
|
||||
by dn.exact="cn=kadmin,cn=kerberos,{{ basedn }}" write
|
||||
by * read
|
||||
state: exact
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: add KDC indexes to LDAP
|
||||
ldap_attr:
|
||||
dn: "olcDatabase={1}mdb,cn=config"
|
||||
name: olcDbIndex
|
||||
values:
|
||||
- objectClass eq
|
||||
- cn,uid eq
|
||||
- uidNumber,gidNumber eq
|
||||
- member,memberUid eq
|
||||
- krbPrincipalName pres,sub,eq
|
||||
state: exact
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: add AuthzRegexp to map access via kerberos/GSSAPI
|
||||
ldap_attr:
|
||||
dn: "cn=config"
|
||||
name: olcAuthzRegexp
|
||||
values:
|
||||
- "{0}uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=people,{{ basedn }}"
|
||||
- "{1}uid=([^,]*),cn=gs2-iakerb,cn=auth uid=$1,ou=people,{{ basedn }}"
|
||||
state: exact
|
||||
|
||||
- name: prepare password for kdc # noqa risky-shell-pipe
|
||||
shell: echo "cn=kdc,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kdc_service_pwd }} | xxd -g0 -ps -c 256 | sed 's/0a$//')" > /etc/krb5kdc/service.keyfile
|
||||
no_log: true
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: prepare password for kadmin # noqa risky-shell-pipe
|
||||
shell: echo "cn=kadmin,cn=kerberos,{{ basedn }}#{HEX}$(echo -n {{ kadmin_service_pwd }} | xxd -g0 -ps -c 256 | sed 's/0a$//')" >> /etc/krb5kdc/service.keyfile
|
||||
no_log: true
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: dump kdc master password
|
||||
shell: echo -n "{{ kdc_master_pwd }}" > "{{ kdc_master_pwd_file }}" ; chmod 0600 "{{ kdc_master_pwd_file }}"
|
||||
no_log: true
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: initialize KDC
|
||||
command:
|
||||
>-
|
||||
kdb5_ldap_util
|
||||
-D cn=admin,"{{ basedn }}"
|
||||
-w "{{ ldap_admin_pwd['content'] | b64decode | replace('\n', '') }}"
|
||||
-H ldapi:///
|
||||
create -s -subtrees "{{ basedn }}"
|
||||
-P "{{ kdc_master_pwd }}"
|
||||
-r "{{ ansible_domain | upper }}"
|
||||
no_log: true
|
||||
notify: "restart krb5-kdc"
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: add root/admin as kadmin
|
||||
command: kadmin.local -q 'addprinc -pw "{{ kadmin_pwd }}" root/admin'
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: dump kadmin password
|
||||
shell: echo -n "{{ kadmin_pwd }}" > "{{ kadmin_pwd_file }}" ; chmod 0600 "{{ kadmin_pwd_file }}"
|
||||
no_log: true
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: add default policy to silence warning when using kadmin
|
||||
command: kadmin.local -q "add_policy default"
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: create machine principals
|
||||
command: kadmin.local -q 'addprinc -randkey {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}'
|
||||
with_items:
|
||||
- host
|
||||
- ldap
|
||||
- HTTP
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: add principal to the default keytab
|
||||
command: kadmin.local -q 'ktadd {{ item }}/{{ ansible_hostname }}.{{ ansible_domain }}'
|
||||
with_items:
|
||||
- host
|
||||
- ldap
|
||||
- HTTP
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
- name: allow slapd to read the keytab
|
||||
file:
|
||||
path: /etc/krb5.keytab
|
||||
owner: root
|
||||
group: openldap
|
||||
mode: '0640'
|
||||
notify: restart slapd
|
||||
|
||||
- name: "make 'kerberos' an alias hostname resolvable from the LAN"
|
||||
replace:
|
||||
path: /etc/hosts
|
||||
regexp: "^({{ ipaddr_lan | ipaddr('address') }}\\s.+)$"
|
||||
replace: '\1 kerberos'
|
||||
when: not krb5kdc.stat.exists
|
||||
|
||||
########################
|
||||
|
||||
- name: kerberize dummy user foo
|
||||
command: kadmin.local -q 'add_principal -pw "{{ foo_pwd }}" -x dn="uid=foo,ou=people,{{ basedn }}" foo'
|
||||
register: kerberize_result
|
||||
changed_when: kerberize_result.stderr is not search('already exists while creating')
|
||||
no_log: true
|
||||
when: foo_pwd is defined and foo_pwd | length > 0
|
||||
|
||||
- name: allow services in firewalld
|
||||
firewalld:
|
||||
zone: internal
|
||||
service: "{{ item }}"
|
||||
permanent: true
|
||||
immediate: true
|
||||
state: enabled
|
||||
with_items:
|
||||
- kerberos
|
||||
- kadmin
|
||||
- kpasswd
|
||||
2
roles/krb5kdcldap/templates/kadm5.acl.j2
Normal file
2
roles/krb5kdcldap/templates/kadm5.acl.j2
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
## access control for the Kerberos KDC
|
||||
root/admin@{{ ansible_domain | upper }} *
|
||||
15
roles/krb5kdcldap/templates/kdc.conf.j2
Normal file
15
roles/krb5kdcldap/templates/kdc.conf.j2
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
[kdcdefaults]
|
||||
kdc_ports = 750,88
|
||||
|
||||
[realms]
|
||||
{{ ansible_domain | upper }} = {
|
||||
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
|
||||
acl_file = /etc/krb5kdc/kadm5.acl
|
||||
key_stash_file = /etc/krb5kdc/stash
|
||||
kdc_ports = 750,88
|
||||
max_life = 10h 0m 0s
|
||||
max_renewable_life = 7d 0h 0m 0s
|
||||
master_key_type = des3-hmac-sha1
|
||||
#supported_enctypes = aes256-cts:normal aes128-cts:normal
|
||||
default_principal_flags = +preauth
|
||||
}
|
||||
26
roles/krb5kdcldap/templates/krb5.conf.j2
Normal file
26
roles/krb5kdcldap/templates/krb5.conf.j2
Normal file
|
|
@ -0,0 +1,26 @@
|
|||
[libdefaults]
|
||||
default_realm = {{ ansible_domain | upper }}
|
||||
|
||||
[realms]
|
||||
{{ ansible_domain | upper }} = {
|
||||
kdc = {{ ansible_hostname }}
|
||||
admin_server = {{ ansible_hostname }}
|
||||
database_module = LDAP
|
||||
}
|
||||
|
||||
[domain_realm]
|
||||
.{{ ansible_domain }} = {{ ansible_domain | upper }}
|
||||
{{ ansible_domain }} = {{ ansible_domain | upper }}
|
||||
|
||||
[dbdefaults]
|
||||
ldap_kerberos_container_dn = cn=kerberos,{{ basedn }}
|
||||
|
||||
[dbmodules]
|
||||
LDAP = {
|
||||
db_library = kldap
|
||||
ldap_kdc_dn = cn=kdc,cn=kerberos,{{ basedn }}
|
||||
ldap_kadmind_dn = cn=kadmin,cn=kerberos,{{ basedn }}
|
||||
ldap_service_password_file = /etc/krb5kdc/service.keyfile
|
||||
ldap_servers = ldapi:///
|
||||
ldap_conns_per_server = 5
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue