From 00e9eb0e6a3ab76ff2f79e281b59075a352c42e6 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Thu, 12 Dec 2024 16:44:09 +0100
Subject: [PATCH] Fixed configuration of 389ds plugins
---
 group_vars/all/main.yaml | 10 +-
 inventory/dpx-ldap-dev1.yaml | 92 ++++++++++---------
 inventory/spk-ldap-stage.yaml | 5 +
 playbooks/configure-ldap-servers.yaml | 7 +-
 plugins/test/tests.py | 4 +-
 .../tasks/attr-uniq-entry-add.yaml | 2 +-
 .../tasks/attr-uniq-entry-modify.yaml | 30 ++++--
 .../tasks/attr-uniq-entry.yaml | 2 +-
 .../389ds-config-plugins/tasks/attr-uniq.yaml | 37 +++++---
 roles/389ds-config-plugins/tasks/main.yaml | 20 ++++
 .../389ds-config-plugins/tasks/referint.yaml | 2 +-
 11 files changed, 137 insertions(+), 74 deletions(-)
diff --git a/group_vars/all/main.yaml b/group_vars/all/main.yaml
index 28a4b51..b1f11d4 100644
--- a/group_vars/all/main.yaml
+++ b/group_vars/all/main.yaml
@@ -1,9 +1,9 @@
 ---
-ds389_logging_config: true
-ds389_plugin_memberof_config: true
-ds389_plugin_referint_config: true
-ds389_plugin_attr_uniq_config: true
-ds389_plugin_account_policy_config: true
+# ds389_logging_config: true
+# ds389_plugin_memberof_config: true
+# ds389_plugin_referint_config: true
+# ds389_plugin_attr_uniq_config: true
+# ds389_plugin_account_policy_config: true
 # vim: filetype=yaml
diff --git a/inventory/dpx-ldap-dev1.yaml b/inventory/dpx-ldap-dev1.yaml
index 2837913..cce6422 100644
--- a/inventory/dpx-ldap-dev1.yaml
+++ b/inventory/dpx-ldap-dev1.yaml
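Review bot: Commenting out the five switches leaves dead configuration in group_vars/all/main.yaml while the real defaults now live in run-time set_fact tasks elsewhere in this commit; the conventional home is the roles' `defaults/main.yaml`, which has the lowest variable precedence and is overridden by any inventory value — an inventory-file group var, by contrast, ranks below inventory group_vars/all, which is presumably why these lines had to go. Either delete the commented lines (git keeps the history) or leave a pointer instead of dead values, e.g. `# ds389_* switches default to true inside the roles (see roles/389ds-config-plugins/tasks/main.yaml); override them per host or group in the inventory.`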
@@ -15,58 +15,60 @@ all:
 replica_id: 3
 slapd_instance: dev-ds03
 ldap_uri: 'ldaps://dev-ds03.pixelpark.com'
+ vars:
+ suffix: 'o=isp'
+ dirsrv_root_dn: 'cn=admin'
+ dirsrv_root_passwd_file: '/root/.private/dirsrv-mngr-pwd-wonl.txt'
+ replication_manager_dn: 'cn=Replication Manager,cn=config'
+ replication_manager_password_file: '/root/.private/dirserv-repl-mngr-pwd.txt'
+ replication_manager_idle_timeout: 0
+ ldaps_validate_certs: false
+ # ds389_plugin_attr_uniq_purge: false
+ ds389_plugin_attr_uniq_attributes:
+ 'uid':
+ across_all_subtrees: false
+ subtrees:
+ - 'o=bmas,o=isp'
+ - 'o=bmf,o=isp'
+ - 'o=BMWA,o=isp'
+ - 'o=bmwi,o=isp'
+ - 'o=bmwi-unternehmergeist,o=isp'
+ - 'o=cosTemplates,o=isp'
+ - 'o=Internet,o=isp'
+ - 'o=mbvd,o=isp'
+ - 'o=pfizer,o=isp'
+ - 'o=Pixelpark,o=isp'
+ - 'o=publicis,o=isp'
+ - 'o=PuF,o=isp'
+ - 'o=Radeberger,o=isp'
+ - 'o=sirona,o=isp'
+ - 'o=tov,o=isp'
+ 'gidNumber':
+ subtrees:
+ - 'o=isp'
+ 'mail':
+ subtrees:
+ - 'o=isp'
+ 'uidNumber':
+ subtrees:
+ - 'o=isp'
+ 'blaBlub':
+ ensure: absent
+
+ # Tempporary
+ ds389_logging_config: false
+ ds389_plugin_memberof_config: false
+ ds389_plugin_referint_config: false
+ # ds389_plugin_attr_uniq_config: false
+ ds389_plugin_account_policy_config: false
+
 haproxy_servers:
 hosts:
 dev-ds-hap01.pixelpark.com: {}
 dev-ds-hap02.pixelpark.com: {}
 vars:
 ansible_user: root
- suffix: 'o=isp'
- dirsrv_root_dn: 'cn=admin'
- dirsrv_root_passwd_file: '/root/.private/dirsrv-mngr-pwd-wonl.txt'
- replication_manager_dn: 'cn=Replication Manager,cn=config'
- replication_manager_password_file: '/root/.private/dirserv-repl-mngr-pwd.txt'
- replication_manager_idle_timeout: 0
 haproxy_backend_name: 'be-ldap-dev1'
- ldaps_validate_certs: false
- # ds389_plugin_attr_uniq_purge: false
- ds389_plugin_attr_uniq_attributes:
- 'uid':
- across_all_subtrees: false
- subtrees:
- - 'o=bmas,o=isp'
- - 'o=bmf,o=isp'
- - 'o=BMWA,o=isp'
- - 'o=bmwi,o=isp'
- - 'o=bmwi-unternehmergeist,o=isp'
- - 'o=cosTemplates,o=isp'
- - 'o=Internet,o=isp'
- - 'o=mbvd,o=isp'
- - 'o=pfizer,o=isp'
- - 'o=Pixelpark,o=isp'
- - 'o=publicis,o=isp'
- - 'o=PuF,o=isp'
- - 'o=Radeberger,o=isp'
- - 'o=sirona,o=isp'
- - 'o=tov,o=isp'
- 'gidNumber':
- subtrees:
- - 'o=isp'
- 'mail':
- subtrees:
- - 'o=isp'
- 'uidNumber':
- subtrees:
- - 'o=isp'
- 'blaBlub':
- ensure: absent
-
-
- # Tempporary
- # ds389_logging_config: false
- # ds389_plugin_memberof_config: false
- # ds389_plugin_referint_config: false
- # ds389_plugin_attr_uniq_config: false
 # vim: filetype=yaml
diff --git a/inventory/spk-ldap-stage.yaml b/inventory/spk-ldap-stage.yaml
index c5bb4a5..8b8c2b6 100644
--- a/inventory/spk-ldap-stage.yaml
+++ b/inventory/spk-ldap-stage.yaml
@@ -34,4 +34,9 @@ all:
 - 'dc=spk,dc=pixelpark,dc=net'
 ds389_plugin_account_policy_config: false
+ # Temporary
+ ds389_logging_config: false
+ ds389_plugin_memberof_config: false
+ ds389_plugin_referint_config: false
+
 # vim: filetype=yaml
diff --git a/playbooks/configure-ldap-servers.yaml b/playbooks/configure-ldap-servers.yaml
index 4b88139..ace9247 100644
--- a/playbooks/configure-ldap-servers.yaml
+++ b/playbooks/configure-ldap-servers.yaml
@@ -10,12 +10,17 @@
 include_role:
 name: 389ds-check-initial
+ - name: "Set default for ds389_logging_config."
+ set_fact:
+ ds389_logging_config: true
+ when: ds389_logging_config is undefined
+
 - name: "Configure logging for 389ds LDAP server."
 include_role:
 name: 389ds-config-logging
 when: ( ds389_logging_config | bool ) == true
- - name: "Configure all necessay plugins of the 389ds LDAP server."
+ - name: "Configure all necessary plugins of the 389ds LDAP server."
 include_role:
 name: 389ds-config-plugins
diff --git a/plugins/test/tests.py b/plugins/test/tests.py
index f87b1e5..be8f73e 100644
--- a/plugins/test/tests.py
+++ b/plugins/test/tests.py
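Review bot: `ldaps_validate_certs: false` moves from the haproxy_servers group vars into a `vars:` block that, as far as the indentation-stripped hunk shows, now sits at the `all:` level, so TLS certificate verification for the LDAPS connections is switched off for every host in this inventory instead of only for the proxy hosts; that is a man-in-the-middle exposure for the whole directory traffic, dev environment or not. If the dev directories run on certificates the control node does not trust, prefer pointing the client at the issuing CA and keeping validation on, or at least scope the setting back to the hosts that need it and say why, e.g. `ldaps_validate_certs: false  # dev only: untrusted certs on dev-ds0x; never copy to stage/prod`. The `'blaBlub': ensure: absent` entry and the `# Tempporary` comment are carried over verbatim; if blaBlub only exists to exercise the absent path, a comment should say so or it should go.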
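Review bot: The three new `ds389_*_config: false` switches are labelled `# Temporary` without saying what is temporary about them or what must happen before they can go, and the same pattern is added to dpx-ldap-dev1.yaml in this commit; skipping the memberOf and referential-integrity configuration on a stage directory is exactly the kind of toggle that quietly becomes permanent. Put the reason and the removal condition in the comment, e.g. `# Temporary: logging/memberOf/referint config skipped on stage until <reason or ticket>; remove once the plugin roles are verified here.`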
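Review bot: The new `set_fact` task is a run-time substitute for a missing role default: it adds a task per host, creates a host fact for the rest of the run, and the include below still has to spell out `( ds389_logging_config | bool ) == true`. The same effect needs no extra task, either `when: ds389_logging_config | default(true) | bool` on the include, or `ds389_logging_config: true` in the logging role's `defaults/main.yaml`, which any inventory value overrides. Dropping the `== true` after `| bool` is worth doing in either case.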
@@ -20,8 +20,8 @@ def empty_test(value: t.Any) -> bool:
 """Check whether a value is false or an empty string, list or dict."""
 if isinstance(value, Undefined):
 return True
- if isinstance(value, bool):
- return not value
+ # if isinstance(value, bool):
+ # return not value
 if value is None:
 return True
 if value == '':
diff --git a/roles/389ds-config-plugins/tasks/attr-uniq-entry-add.yaml b/roles/389ds-config-plugins/tasks/attr-uniq-entry-add.yaml
index e667753..53d5ac4 100644
--- a/roles/389ds-config-plugins/tasks/attr-uniq-entry-add.yaml
+++ b/roles/389ds-config-plugins/tasks/attr-uniq-entry-add.yaml
@@ -38,7 +38,7 @@
 - name: "Adding entry name to entry_add_cmd."
 set_fact:
- entry_add_cmd: "{{ entry_add_cmd }} {{ entry_name | quote }}."
+ entry_add_cmd: "{{ entry_add_cmd }} {{ entry_name | quote }}"
 - name: "Show command for adding an attr-uniq entry."
 debug:
diff --git a/roles/389ds-config-plugins/tasks/attr-uniq-entry-modify.yaml b/roles/389ds-config-plugins/tasks/attr-uniq-entry-modify.yaml
index 3fa7416..52ccb24 100644
--- a/roles/389ds-config-plugins/tasks/attr-uniq-entry-modify.yaml
+++ b/roles/389ds-config-plugins/tasks/attr-uniq-entry-modify.yaml
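Review bot: The docstring on the first context line still says a false value counts as empty, but the commented-out `isinstance(value, bool)` branch was what implemented that, so the docstring is now wrong; change it to `"""Check whether a value is undefined, None, or an empty string, list or dict (booleans are never empty)."""` — subject to what the rest of empty_test, which continues below the hunk, does. Delete the two commented-out lines rather than keeping them; the history is in git. Also note that `bool` is a subclass of `int`, so if a later branch compares against `0`, `False` would still be classified as empty there, which matters because the rewritten `when:` conditions in attr-uniq-entry-modify.yaml now rely on `false` being "not empty".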
@@ -72,12 +72,13 @@
 - name: "Check across-all-subtrees for should be vanished."
 set_fact:
 remove_attr_uniq_entry_before: true
- when: "('across-all-subtrees' in attr_uniq_config) and ('across_all_subtrees' not in entry_data or entry_data['across_all_subtrees'] is empty)"
+ when: "('across-all-subtrees' in attr_uniq_config) and ('across_all_subtrees' not in entry_data)"
 - name: "Check across-all-subtrees"
 set_fact:
 exec_set: true
- when: "'across_all_subtrees' in entry_data and entry_data['across_all_subtrees'] is not empty and ('across-all-subtrees' not in attr_uniq_config or entry_data['across_all_subtrees'] != attr_uniq_config['across-all-subtrees'])"
+ when: "'across_all_subtrees' in entry_data and entry_data['across_all_subtrees'] is not empty \
+ and ('across-all-subtrees' not in attr_uniq_config or entry_data['across_all_subtrees'] != attr_uniq_config['across-all-subtrees'])"
 - name: "Check top-entry-oc for should be vanished."
 set_fact:
@@ -87,7 +88,8 @@
 - name: 'Check top-entry-oc'
 set_fact:
 exec_set: true
- when: "('top_entry_oc' in entry_data) and (entry_data['top_entry_oc'] is not empty) and (('top-entry-oc' not in attr_uniq_config) or ((attr_uniq_config['top-entry-oc'] | lower) != (entry_data['top_entry_oc'] | lower)) )"
+ when: "('top_entry_oc' in entry_data) and (entry_data['top_entry_oc'] is not empty) and \
+ (('top-entry-oc' not in attr_uniq_config) or ((attr_uniq_config['top-entry-oc'] | lower) != (entry_data['top_entry_oc'] | lower)) )"
 - name: "Check subtree-entries-oc for should be vanished."
 set_fact:
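Review bot: The second task compares `entry_data['across_all_subtrees']`, a YAML boolean from the inventory (`false` in dpx-ldap-dev1.yaml), directly with `attr_uniq_config['across-all-subtrees']`, which — judging by the `| lower` applied to the neighbouring `top-entry-oc` and `subtree-entries-oc` values — looks like a string taken from dsconf output; a boolean never equals a string such as `on`/`off`, so `exec_set` would be forced true on every run and the entry re-applied (and, per the later hunk, a restart requested) each time. Normalise both sides before comparing, e.g. `entry_data['across_all_subtrees'] | bool != attr_uniq_config['across-all-subtrees'] | bool`. I cannot see how `attr_uniq_config` is populated, so confirm its representation before changing this.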
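Review bot: Backslash continuation inside a double-quoted YAML scalar works (the escaped line break is dropped and the continuation's leading whitespace trimmed) but is fragile: in a single-quoted scalar the backslash would be literal and break the Jinja expression, and a missing space before the `\` silently glues two tokens together. The idiomatic form is a folded block scalar, `when: >-` with the expression on indented lines and no escapes, or an Ansible list of conditions, which are and-ed: `when:` / `- "'top_entry_oc' in entry_data"` / `- "entry_data['top_entry_oc'] is not empty"` followed by the object-class comparison. The same applies to the `subtree-entries-oc` task in the next hunk.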
@@ -97,7 +99,9 @@
 - name: 'Check subtree-entries-oc'
 set_fact:
 exec_set: true
- when: "('subtree_entries_oc' in entry_data) and (entry_data['subtree_entries_oc'] is not empty) and (('subtree-entries-oc' not in attr_uniq_config) or ((attr_uniq_config['subtree-entries-oc'] | lower) != (entry_data['subtree_entries_oc'] | lower)) )"
+ when: "('subtree_entries_oc' in entry_data) and (entry_data['subtree_entries_oc'] is not empty) and \
+ (('subtree-entries-oc' not in attr_uniq_config) or \
+ ((attr_uniq_config['subtree-entries-oc'] | lower) != (entry_data['subtree_entries_oc'] | lower)) )"
 - name: 'Actions for removing attr-uniq entry.'
 when: remove_attr_uniq_entry_before == true
@@ -115,6 +119,10 @@
 - name: 'Remove attr-uniq entry.'
 ansible.builtin.shell: "dsconf {{ slapd_instance | quote }} plugin attr-uniq delete {{ entry_name | quote }}"
+ - name: "Setting restart_389ds."
+ set_fact:
+ restart_389ds: true
+
 - name: 'Actions for adding or modifying attr-uniq entry.'
 when: exec_set == true
 block:
@@ -158,15 +166,23 @@
 - name: "Adding entry name to entry_set_cmd."
 set_fact:
- entry_set_cmd: "{{ entry_set_cmd }} {{ entry_name | quote }}."
+ entry_set_cmd: "{{ entry_set_cmd }} {{ entry_name | quote }}"
 - name: "Show command for adding/modifying an attr-uniq entry."
 debug:
 var: entry_set_cmd
 verbosity: 0
-- name: "Finally adding attr-uniq entry."
- ansible.builtin.shell: "{{ entry_add_cmd }}"
+ - name: "Finally adding attr-uniq entry."
+ ansible.builtin.shell: "{{ entry_set_cmd }}"
+
+ - name: "Setting restart_389ds."
+ set_fact:
+ restart_389ds: true
+- name: "The attr-uniq entry should not be set."
+ debug:
+ var: entry_name
+ when: exec_set != true
 # vim: filetype=yaml
diff --git a/roles/389ds-config-plugins/tasks/attr-uniq-entry.yaml b/roles/389ds-config-plugins/tasks/attr-uniq-entry.yaml
index a8258c5..c8723f6 100644
--- a/roles/389ds-config-plugins/tasks/attr-uniq-entry.yaml
+++ b/roles/389ds-config-plugins/tasks/attr-uniq-entry.yaml
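Review bot: `dsconf … plugin attr-uniq delete` uses no shell feature, so `ansible.builtin.shell` only adds a shell between Ansible and the arguments; `ansible.builtin.command` with the same string keeps the already `| quote`d `slapd_instance` and `entry_name` as literal argv entries with nothing to re-interpret them, and it is the module ansible-lint expects here. The block that contains this task starts above the hunk, so I cannot see whether a `rescue` handles a failing dsconf before `restart_389ds` is consulted.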
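Review bot: `ansible.builtin.shell: "{{ entry_set_cmd }}"` hands a command string assembled across several set_fact tasks to a shell, so its safety depends on every fragment spliced into `entry_set_cmd` having gone through `| quote`; the `entry_name` fragment visible here does, but the earlier fragments (subtree DNs and object-class names from the inventory) are built above the hunk and I cannot check them. Either audit each fragment, or accumulate an argv list instead of a string and run it with `ansible.builtin.command:` plus `argv: "{{ entry_set_argv }}"`, which needs no quoting at all. The no-op debug at the end reads better as `when: not exec_set` than `when: exec_set != true`.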
@@ -45,7 +45,7 @@
 - debug:
 msg: "Entry {{ entry_name | quote }} should exists: {{ entry_should_exists }}"
- verbosity: 2
+ verbosity: 0
 - name: 'Ensure absence of attr-uniq entry.'
 when: "entry_should_exists == false"
diff --git a/roles/389ds-config-plugins/tasks/attr-uniq.yaml b/roles/389ds-config-plugins/tasks/attr-uniq.yaml
index da0b928..33667ec 100644
--- a/roles/389ds-config-plugins/tasks/attr-uniq.yaml
+++ b/roles/389ds-config-plugins/tasks/attr-uniq.yaml
@@ -31,7 +31,7 @@
 - name: 'Show cur_attr_uniq_entries.'
 debug:
 var: cur_attr_uniq_entries
- verbosity: 2
+ verbosity: 0
 - name: 'Show cur_attr_uniq_entries_lc.'
 debug:
@@ -50,16 +50,23 @@
 - name: 'Show exp_attr_uniq_entries_lc.'
 debug:
 var: exp_attr_uniq_entries_lc
- verbosity: 2
+ verbosity: 0
-- name: 'Configure attr-uniq entry.'
- include_tasks: 'attr-uniq-entry.yaml'
- vars:
- attr_name: "{{ attrdict.key }}"
- entry_data: "{{ attrdict.value }}"
- loop: "{{ uniq_attributes | dict2items }}"
+- name: "Predefine attr_uniq_entries_for_remove."
+ set_fact:
+ attr_uniq_entries_for_remove: []
+
+- name: "Get all attr-uniq entries for removing."
+ set_fact:
+ attr_uniq_entries_for_remove: "{{ attr_uniq_entries_for_remove + [attr_uniq_entry] }}"
+ when: ( attr_uniq_entry | lower ) not in exp_attr_uniq_entries_lc
+ loop: "{{ cur_attr_uniq_entries }}"
 loop_control:
- loop_var: attrdict
+ loop_var: attr_uniq_entry
+
+- name: "All attr_uniq_entries_for_remove."
+ debug:
+ var: attr_uniq_entries_for_remove
 - name: 'Purge attr-uniq entries.'
 when: (ds389_plugin_attr_uniq_purge | bool) == true
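Review bot: Lowering `verbosity` from 2 to 0 turns a debugging aid into output printed on every run; this commit makes the same change to the debug tasks in attr-uniq.yaml and referint.yaml, and the new `All attr_uniq_entries_for_remove.` task has no verbosity at all. These look like leftovers from debugging the plugin fix; restore `verbosity: 2` (or `verbosity: 1` for the tasks that echo the assembled dsconf command) before merging so normal runs stay quiet and `-v`/`-vv` still shows what will be executed.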
@@ -69,9 +76,17 @@
 include_tasks: 'attr-uniq-entry-remove.yaml'
 vars:
 entry_name: "{{ attr_uniq_entry }}"
- when: ( attr_uniq_entry | lower ) not in exp_attr_uniq_entries_lc
- loop: "{{ cur_attr_uniq_entries }}"
+ loop: "{{ attr_uniq_entries_for_remove }}"
 loop_control:
 loop_var: attr_uniq_entry
+- name: 'Configure attr-uniq entry.'
+ include_tasks: 'attr-uniq-entry.yaml'
+ vars:
+ attr_name: "{{ attrdict.key }}"
+ entry_data: "{{ attrdict.value }}"
+ loop: "{{ uniq_attributes | dict2items }}"
+ loop_control:
+ loop_var: attrdict
+
 # vim: filetype=yaml
diff --git a/roles/389ds-config-plugins/tasks/main.yaml b/roles/389ds-config-plugins/tasks/main.yaml
index 892844e..53256bd 100644
--- a/roles/389ds-config-plugins/tasks/main.yaml
+++ b/roles/389ds-config-plugins/tasks/main.yaml
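Review bot: The purge loop now deletes every live attr-uniq entry collected into `attr_uniq_entries_for_remove`, i.e. anything on the server that is not listed under `ds389_plugin_attr_uniq_attributes`; that is destructive for a directory carrying manually added uniqueness rules, and the guard `(ds389_plugin_attr_uniq_purge | bool) == true` just above this hunk has no visible default (both inventories only carry the variable commented out), so an undefined value would abort the role rather than skip the purge. Make the fallback explicit and safe, `when: ds389_plugin_attr_uniq_purge | default(false) | bool`, and document the intent above the task, e.g. `# Purge is opt-in: entries not in ds389_plugin_attr_uniq_attributes are deleted only when ds389_plugin_attr_uniq_purge is true.` The purge task's own `name:`/`when:` lines sit just before this hunk.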
@@ -1,17 +1,37 @@
 ---
+- name: "Set default for ds389_plugin_memberof_config."
+ set_fact:
+ ds389_plugin_memberof_config: true
+ when: ds389_plugin_memberof_config is undefined
+
 - name: "Configuring the 389ds memberOf-Plugin."
 include_tasks: 'memberof.yaml'
 when: (ds389_plugin_memberof_config | bool) == true
+- name: "Set default for ds389_plugin_referint_config."
+ set_fact:
+ ds389_plugin_referint_config: true
+ when: ds389_plugin_referint_config is undefined
+
 - name: "Configuring the 389ds referential-integrity-Plugin."
 include_tasks: 'referint.yaml'
 when: (ds389_plugin_referint_config | bool) == true
+- name: "Set default for ds389_plugin_attr_uniq_config."
+ set_fact:
+ ds389_plugin_attr_uniq_config: true
+ when: ds389_plugin_attr_uniq_config is undefined
+
 - name: "Configuring the 389ds attr-uniq-Plugin."
 include_tasks: 'attr-uniq.yaml'
 when: (ds389_plugin_attr_uniq_config | bool) == true
+- name: "Set default for ds389_plugin_account_policy_config."
+ set_fact:
+ ds389_plugin_account_policy_config: true
+ when: ds389_plugin_account_policy_config is undefined
+
 - name: "Configuring the 389ds account-policy-Plugin."
 include_tasks: 'account-policy.yaml'
 when: (ds389_plugin_account_policy_config | bool) == true
diff --git a/roles/389ds-config-plugins/tasks/referint.yaml b/roles/389ds-config-plugins/tasks/referint.yaml
index 192dbee..5250482 100644
--- a/roles/389ds-config-plugins/tasks/referint.yaml
+++ b/roles/389ds-config-plugins/tasks/referint.yaml
@@ -84,7 +84,7 @@
 - name: "Show the command to execute:"
 debug:
 var: plugin_referint_cmd
- verbosity: 1
+ verbosity: 0
 - name: "Finally configure the referential-integrity plugin."
 ansible.builtin.shell: "{{ plugin_referint_cmd }}"
-- 2.39.5
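Review bot: Four near-identical `set_fact … when: … is undefined` tasks are a run-time substitute for role defaults; `roles/389ds-config-plugins/defaults/main.yaml` with `ds389_plugin_memberof_config: true` and the other three gives the same behaviour with no tasks, is the documented place for a role's tunables, and — as the lowest-precedence source — is overridden by the inventory values this commit adds, which is presumably why group_vars/all was commented out. If the set_fact form is kept anyway, each include's condition can drop the redundant comparison: `when: ds389_plugin_memberof_config | bool`.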