From: Frank Brehm
Date: Thu, 15 Oct 2020 14:40:26 +0000 (+0200)
Subject: Adding management of Root of config database
X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=f494f75ff27bb66df6322a19291b649140499a76;p=pixelpark%2Fldap-migration.git
Adding management of Root of config database
---
diff --git a/roles/base/tasks/config_root_account.yaml b/roles/base/tasks/config_root_account.yaml
new file mode 100644
index 0000000..a6aafa8
--- /dev/null
+++ b/roles/base/tasks/config_root_account.yaml
@@ -0,0 +1,145 @@
+---
+
+################################################################
+# Installs an admin account for the config database
+
+- name: "Detecting the hashed admin password from main database."
+ shell: "ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -s base -b '{{ main_database_rdn.stdout }},cn=config' -o ldif-wrap=no olcRootPW | grep -i '^olcRootPW:' | sed -e 's/^olcRootPW:[ ]*//i'"
+ changed_when: False
+ ignore_errors: True
+ no_log: True
+ register: admin_password
+
+- name: "Could not detect the hashed admin password of the main database."
+ fail:
+ msg: "I caught an error"
+ when: admin_password.rc != 0
+
+- set_fact:
+ admin_password_hash: "{{ admin_password.stdout }}"
+
+- name: "Detecting a possibly defined root dn for config database"
+ shell: "ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -s base -b 'cn=config' -o ldif-wap=no olcRootDN | grep -i '^olcRootPW:' | sed -e 's/^olcRootDN:[ ]*//i'"
+ changed_when: False
+ ignore_errors: True
+ register: current_config_admin_dn
+
+- name: "Detecting a possibly defined hashed root password for config database"
+ shell: "ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -s base -b 'cn=config' -o ldif-wrap=no olcRootPW | grep -i '^olcRootPW:' | sed -e 's/^olcRootPW:[ ]*//i'"
+ changed_when: False
+ ignore_errors: True
+ no_log: True
+ register: current_config_admin_pw
+
+- name: "Applying RootDN for config database"
+ block:
+
+ - name: "Initializing LDIF file for setting RootDN for config database"
+ tempfile:
+ state: 'file'
+ prefix: 'rootdn.config.'
+ suffix: '.ldif'
+ register: rootdn_config_file
+
+ - name: "Get content of adding RootDN for config database"
+ template:
+ src: "templates/rootdn-config-add.ldif.j2"
+ dest: "{{ rootdn_config_file.path }}"
+ owner: root
+ group: root
+ mode: 0644
+ when: current_config_admin_dn.rc != 0
+
+ - name: "Get content of replacing RootDN for config database"
+ template:
+ src: "templates/rootdn-config-replace.ldif.j2"
+ dest: "{{ rootdn_config_file.path }}"
+ owner: root
+ group: root
+ mode: 0644
+ when: current_config_admin_dn.rc == 0
+
+ - name: "Get content of managing RootDN for config database file"
+ shell: "cat '{{ rootdn_config_file.path }}'"
+ register: content_rootdn_config_file
+ changed_when: False
+ no_log: True
+
+ - name: "Show content of managing RootDN for config database file."
+ debug: msg={{ content_rootdn_config_file.stdout_lines }}
+
+ - name: "Applying managing RootDN for config database file."
+ shell: "ldapadd -Q -Y EXTERNAL -H ldapi:/// -f '{{ rootdn_config_file.path }}'"
+
+ rescue:
+ - name: "Failing base installation of OpenLDAP server because of some errors."
+ fail:
+ msg: "I caught an error"
+
+ always:
+
+ - name: "Removing managing RootDN for config database file ..."
+ file:
+ path: "{{ rootdn_config_file.path }}"
+ state: absent
+
+ when: (current_config_admin_dn.rc != 0) or (current_config_admin_dn.stdout != config_admin_dn
+
+################################################################
+# Setting the paasword for admin account for the config database
+
+- name: "Applying RootPW for config database"
+ block:
+
+ - name: "Initializing LDIF file for setting RootPW for config database"
+ tempfile:
+ state: 'file'
+ prefix: 'rootpw.config.'
+ suffix: '.ldif'
+ register: rootpw_config_file
+
+ - name: "Get content of adding RootPW for config database"
+ template:
+ src: "templates/rootpw-config-add.ldif.j2"
+ dest: "{{ rootpw_config_file.path }}"
+ owner: root
+ group: root
+ mode: 0644
+ when: current_config_admin_pw.rc != 0
+
+ - name: "Get content of replacing RootPW for config database"
+ template:
+ src: "templates/rootpw-config-replace.ldif.j2"
+ dest: "{{ rootpw_config_file.path }}"
+ owner: root
+ group: root
+ mode: 0644
+ when: current_config_admin_pw.rc == 0
+
+ - name: "Get content of managing RootPW for config database file"
+ shell: "cat '{{ rootpw_config_file.path }}'"
+ register: content_rootpw_config_file
+ changed_when: False
+ no_log: True
+
+ - name: "Show content of managing RootPW for config database file."
+ debug: msg={{ content_rootpw_config_file.stdout_lines }}
+
+ - name: "Applying managing RootPW for config database file."
+ shell: "ldapadd -Q -Y EXTERNAL -H ldapi:/// -f '{{ rootpw_config_file.path }}'"
+
+ rescue:
+ - name: "Failing base installation of OpenLDAP server because of some errors."
+ fail:
+ msg: "I caught an error"
+
+ always:
+
+ - name: "Removing managing RootPW for config database file ..."
+ file:
+ path: "{{ rootpw_config_file.path }}"
+ state: absent
+
+ when: (current_config_admin_pw.rc != 0) or (current_config_admin_pw.stdout != admin_password_hash
+
+
diff --git a/roles/base/tasks/main.yaml b/roles/base/tasks/main.yaml
index 0c7e688..9901fdc 100644
--- a/roles/base/tasks/main.yaml
+++ b/roles/base/tasks/main.yaml
@@ -19,4 +19,5 @@ when: main_database_rdn.rc != 0 - include: 'overlays0-memberof.yaml'
+- include: 'config_root_account.yaml'
diff --git a/roles/base/templates/rootdn-config-add.ldif.j2 b/roles/base/templates/rootdn-config-add.ldif.j2
new file mode 100644
index 0000000..1edeca0
--- /dev/null
+++ b/roles/base/templates/rootdn-config-add.ldif.j2
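Review bot: Both block-level `when:` conditions are missing their closing parenthesis (`... != config_admin_dn` at the end of the RootDN block and `... != admin_password_hash` at the end of the RootPW block), which is a Jinja syntax error that aborts the play before either block runs; the fix is `when: (current_config_admin_dn.rc != 0) or (current_config_admin_dn.stdout != config_admin_dn)` and the same `)` on the RootPW condition. The two config-database detection searches use `-b 'cn=config' -s base`, i.e. they read the `cn=config` entry itself, while the templates in this commit modify `olcDatabase={0}config,cn=config`, which is the entry that carries the config database's olcRootDN/olcRootPW (the main-database lookup above correctly searches the database entry under `cn=config`), so both lookups come back empty and the `add` template is chosen even when a value already exists; the RootDN lookup additionally greps for `'^olcRootPW:'` instead of `'^olcRootDN:'` and passes `-o ldif-wap=no` (typo for `ldif-wrap=no`). The RootPW LDIF, which contains the admin password hash, is written with `mode: 0644` and its contents are then echoed to the play log by the `debug` task, which carries no `no_log` and so undoes the `no_log: True` set on the tasks around it; use `mode: '0600'` for that template and either add `no_log: True` to the debug task or drop it. Quoting the mode also sidesteps the YAML octal-vs-decimal ambiguity of an unquoted leading-zero literal.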
@@ -0,0 +1,6 @@
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+add: olcRootDN
+olcRootDN: {{ config_admin_dn }}
+
+# vim: filetype=ldif
diff --git a/roles/base/templates/rootdn-config-replace.ldif.j2 b/roles/base/templates/rootdn-config-replace.ldif.j2
new file mode 100644
index 0000000..7920821
--- /dev/null
+++ b/roles/base/templates/rootdn-config-replace.ldif.j2
@@ -0,0 +1,6 @@
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+replace: olcRootDN
+olcRootDN: {{ config_admin_dn }}
+
+# vim: filetype=ldif
diff --git a/roles/base/templates/rootpw-config-add.ldif.j2 b/roles/base/templates/rootpw-config-add.ldif.j2
new file mode 100644
index 0000000..404e970
--- /dev/null
+++ b/roles/base/templates/rootpw-config-add.ldif.j2
@@ -0,0 +1,6 @@
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+add: olcRootPW
+olcRootPW: {{ admin_password_hash }}
+
+# vim: filetype=ldif
diff --git a/roles/base/templates/rootpw-config-replace.ldif.j2 b/roles/base/templates/rootpw-config-replace.ldif.j2
new file mode 100644
index 0000000..d917206
--- /dev/null
+++ b/roles/base/templates/rootpw-config-replace.ldif.j2
@@ -0,0 +1,6 @@
+dn: olcDatabase={0}config,cn=config
+changetype: modify
+replace: olcRootPW
+olcRootPW: {{ admin_password_hash }}
+
+# vim: filetype=ldif
diff --git a/roles/base/vars/main.yaml b/roles/base/vars/main.yaml
index 5bcddc3..a8b69a3 100644
--- a/roles/base/vars/main.yaml
+++ b/roles/base/vars/main.yaml
@@ -5,4 +5,5 @@ openldap_schema_dir: '/etc/openldap/schema' openldap_package: 'symas-openldap-servers' openldap_service: 'openldap' slapd_cfg_dir: '/etc/openldap/slapd.d'
+config_admin_dn: 'cn=admin,cn=config'
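Review bot: The four templates (`rootdn-config-add`, `rootdn-config-replace`, `rootpw-config-add`, `rootpw-config-replace`) differ only in the `add:`/`replace:` verb and the attribute name, so a single template that receives the operation and attribute as variables (constructed example: `{{ ldif_op }}: {{ ldif_attr }}` followed by `{{ ldif_attr }}: {{ ldif_value }}`) would remove the duplication and keep the DN and PW pairs from drifting apart. The two `olcRootPW:` templates write `admin_password_hash` verbatim as a plain LDIF string value; LDIF requires a value that begins with a space, `:` or `<`, or that contains non-ASCII bytes, to be base64-encoded behind `olcRootPW::`, and the extraction task strips only the `olcRootPW:` prefix, so a value that ldapsearch itself emitted base64-encoded would be written back with a leading `: ` (this depends on the hash scheme stored in the main database; `{SSHA}`-style values are safe as written). A one-line header comment such as `# Rendered by roles/base/tasks/config_root_account.yaml; the value is the hash copied from the main database, never a cleartext password` would help whoever later finds the rendered file.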