From 54e51a3d9fc121af9c5bc052122f8d8560febd40 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Wed, 11 Dec 2024 16:49:47 +0100
Subject: [PATCH] Extending 389ds account policy configuration
---
 .../tasks/account-policy.yaml | 106 +++++++++++++++++-
 1 file changed, 102 insertions(+), 4 deletions(-)
diff --git a/roles/389ds-config-plugins/tasks/account-policy.yaml b/roles/389ds-config-plugins/tasks/account-policy.yaml
index 9f9cd68..80f789c 100644
--- a/roles/389ds-config-plugins/tasks/account-policy.yaml
+++ b/roles/389ds-config-plugins/tasks/account-policy.yaml
@@ -65,7 +65,7 @@
 - name: 'Check for alt-state-attr for vanishing'
 set_fact:
 attrs_remove: "{{ alt-state-attr + ['altstateattrname']"
- when: "('altstateattrname' in acc_plugin_cfg) and (ds389_plugin_account_policy_alt-state-attr == None or ds389_plugin_account_policy_alt-state-attr == '')"
+ when: "('altstateattrname' in acc_plugin_cfg) and (ds389_plugin_account_policy_alt_state_attr == None or ds389_plugin_account_policy_alt_state_attr == '')"
 - name: 'Check for alt-state-attr'
 set_fact:
@@ -74,7 +74,7 @@
 - name: 'Check for always-record-login-attr for vanishing'
 set_fact:
- attrs_remove: "{{ always-record-login-attr + ['alwaysrecordloginattr']"
+ attrs_remove: "{{ attrs_remove + ['alwaysrecordloginattr']"
 when: "('alwaysrecordloginattr' in acc_plugin_cfg) and (ds389_plugin_account_policy_always-record-login-attr == None or ds389_plugin_account_policy_always-record-login-attr == '')"
 - name: 'Check for always-record-login-attr'
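Review bot: The `attrs_remove` context line directly above the corrected `when` still reads `"{{ alt-state-attr + ['altstateattrname']"`. It appends to `alt-state-attr` rather than to `attrs_remove` and has no closing `}}`, so the task would presumably fail templating as soon as its condition is true. The commit repairs the equivalent line for always-record-login-attr in the next hunk but not this one; it should become `attrs_remove: "{{ attrs_remove + ['altstateattrname'] }}"`. The task list continues outside the hunk.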
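Review bot: The rewritten `attrs_remove` line still lacks the closing `}}`, and the `when` below it keeps the hyphenated name `ds389_plugin_account_policy_always-record-login-attr`, which Jinja2 reads as a subtraction of separate variables. The next task in the file tests `ds389_plugin_account_policy_always_record_login_attr`, so this condition should use that name and the value should be `"{{ attrs_remove + ['alwaysrecordloginattr'] }}"`. As written the task likely errors whenever `alwaysrecordloginattr` is present in `acc_plugin_cfg`.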
@@ -82,7 +82,81 @@
 exec_set: true
 when: "ds389_plugin_account_policy_always_record_login_attr != None and ds389_plugin_account_policy_always_record_login_attr != '' and ('alwaysrecordloginattr' not in acc_plugin_cfg or (acc_plugin_cfg['alwaysrecordloginattr'] != ds389_plugin_account_policy_always_record_login_attr))"
-# Failing: --limit-attr --spec-attr --state-attr --login-history-size --check-all-state-attrs
+- name: 'Check limit-attr for vanishing'
+ set_fact:
+ attrs_remove: "{{ attrs_remove + ['limitattrname'] }}"
+ when: "('limitattrname' in acc_plugin_cfg) and (ds389_plugin_account_policy_limit_attr == None or ds389_plugin_account_policy_limit_attr == '')"
+
+- name: 'Check limit-attr'
+ set_fact:
+ exec_set: true
+ when: "ds389_plugin_account_policy_limit_attr != None and ds389_plugin_account_policy_limit_attr != '' and ('limitattrname' not in acc_plugin_cfg or ((acc_plugin_cfg['limitattrname'] | lower) != (ds389_plugin_account_policy_limit_attr | lower)))"
+
+- name: 'Check spec-attr for vanishing'
+ set_fact:
+ attrs_remove: "{{ attrs_remove + ['specattrname'] }}"
+ when: "('specattrname' in acc_plugin_cfg) and (ds389_plugin_account_policy_spec_attr == None or ds389_plugin_account_policy_spec_attr == '')"
+
+- name: 'Check spec-attr'
+ set_fact:
+ exec_set: true
+ when: "ds389_plugin_account_policy_spec_attr != None and ds389_plugin_account_policy_spec_attr != '' and ('specattrname' not in acc_plugin_cfg or ((acc_plugin_cfg['specattrname'] | lower) != (ds389_plugin_account_policy_spec_attr | lower)))"
+
+- name: 'Check state-attr for vanishing'
+ set_fact:
+ attrs_remove: "{{ attrs_remove + ['stateattrname'] }}"
+ when: "('stateattrname' in acc_plugin_cfg) and (ds389_plugin_account_policy_state_attr == None or ds389_plugin_account_policy_state_attr == '')"
+
+- name: 'Check state-attr'
+ set_fact:
+ exec_set: true
+ when: "ds389_plugin_account_policy_state_attr != None and ds389_plugin_account_policy_state_attr != '' and ('stateattrname' not in acc_plugin_cfg or ((acc_plugin_cfg['stateattrname'] | lower) != (ds389_plugin_account_policy_state_attr | lower)))"
+
+- name: 'Check login-history-size for vanishing'
+ set_fact:
+ attrs_remove: "{{ attrs_remove + ['lastloginhistsize'] }}"
+ when: "('lastloginhistsize' in acc_plugin_cfg) and (ds389_plugin_account_policy_login_history_size == None or ds389_plugin_account_policy_login_history_size == '')"
+
+- name: 'Check login-history-size'
+ set_fact:
+ exec_set: true
+ when: "ds389_plugin_account_policy_login_history_size != None and ds389_plugin_account_policy_login_history_size != '' and ('lastloginhistsize' not in acc_plugin_cfg or (acc_plugin_cfg['lastloginhistsize'] != ds389_plugin_account_policy_login_history_size ))"
+
+- name: 'Check check-all-state-attrs for vanishing'
+ set_fact:
+ attrs_remove: "{{ attrs_remove + ['checkallstateattrs'] }}"
+ when: "('checkallstateattrs' in acc_plugin_cfg) and (ds389_plugin_account_policy_check_all_state_attrs == None or ds389_plugin_account_policy_check_all_state_attrs == '')"
+
+- name: 'Check check-all-state-attrs'
+ set_fact:
+ exec_set: true
+ when: "ds389_plugin_account_policy_check_all_state_attrs != None and ds389_plugin_account_policy_check_all_state_attrs != '' and (('checkallstateattrs' not in acc_plugin_cfg) or (acc_plugin_cfg['checkallstateattrs'] | bool) != (ds389_plugin_account_policy_check_all_state_attrs | bool))"
+
+- name: "Task block for removing pointless config entries."
+ when: attrs_remove | length > 0
+ block:
+
+ - name: "Account policy config entries to remove:"
+ debug:
+ var: attrs_remove
+ verbosity: 0
+
+ - name: "Removing account policy config entries from config entry."
+ community.general.ldap_attrs:
+ dn: "{{ acc_plugin_entry }}"
+ attributes:
+ "{{ attribute }}": []
+ state: exact
+ server_uri: "{{ ldap_uri }}"
+ bind_dn: "{{ dirsrv_root_dn }}"
+ bind_pw: "{{ dirsrv_root_passwd }}"
+ loop: "{{ attrs_remove }}"
+ loop_control:
+ loop_var: attribute
+
+ - name: "Set var restart_389ds to true."
+ set_fact:
+ restart_389ds: true
 - name: 'Setting new configuration for account-policy Plugin'
 when: exec_set == true
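Review bot: In the `community.general.ldap_attrs` task the attribute name is written as a templated mapping key, `"{{ attribute }}": []`. As far as I know Ansible templates the values of module arguments but not their keys, so the module would receive the literal string instead of the loop item. Building the mapping in one expression avoids that: `attributes: "{{ {attribute: []} }}"`. The same task does a password bind as `dirsrv_root_dn` against `ldap_uri`, whose value is not visible in this hunk. Unless that is an `ldaps://` or `ldapi://` URI, adding `start_tls: true` keeps the root password from crossing the network unencrypted.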
@@ -107,6 +181,31 @@
 plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} --always-record-login-attr {{ ds389_plugin_account_policy_always_record_login_attr | quote }}"
 when: ds389_plugin_account_policy_always_record_login_attr != None and ds389_plugin_account_policy_always_record_login_attr != ''
+ - name: "Add --limit-attr to command."
+ set_fact:
+ plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} --limit-attr {{ ds389_plugin_account_policy_limit_attr | quote }}"
+ when: ds389_plugin_account_policy_limit_attr != None and ds389_plugin_account_policy_limit_attr != ''
+
+ - name: "Add --spec-attr to command"
+ set_fact:
+ plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} --spec-attr {{ ds389_plugin_account_policy_spec_attr | quote }}"
+ when: ds389_plugin_account_policy_spec_attr != None and ds389_plugin_account_policy_spec_attr != ''
+
+ - name: "Add --state-attr to command"
+ set_fact:
+ plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} --state-attr {{ ds389_plugin_account_policy_state_attr | quote }}"
+ when: ds389_plugin_account_policy_state_attr != None and ds389_plugin_account_policy_state_attr != ''
+
+ - name: "Add --login-history-size to command"
+ set_fact:
+ plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} --login-history-size {{ ds389_plugin_account_policy_login_history_size | quote }}"
+ when: ds389_plugin_account_policy_login_history_size != None and ds389_plugin_account_policy_login_history_size!= ''
+
+ - name: "Add --check-all-state-attrs to command"
+ set_fact:
+ plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} --check-all-state-attrs {{ ds389_plugin_account_policy_check_all_state_attrs | bool_to_yes_no }}"
+ when: ds389_plugin_account_policy_check_all_state_attrs != None and ds389_plugin_account_policy_check_all_state_attrs != ''
+
 - name: "Add config DN to plugin_acc_policy_cmd."
 set_fact:
 plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} {{ acc_plugin_entry | quote }}"
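Review bot: `--check-all-state-attrs` is the only option in this block whose value is appended without `quote`, and `bool_to_yes_no` is a filter defined outside this hunk, so what it emits for a non-boolean input cannot be seen here. The string ends up in `plugin_acc_policy_cmd`, which is presumably executed later. Normalising first with `| bool | bool_to_yes_no | quote` would keep the argument to a fixed yes/no token however the variable was supplied, and would match the `| bool` comparison used in the earlier check task. The enclosing block starts and ends outside the hunk.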
@@ -116,5 +215,4 @@
 var: plugin_acc_policy_cmd
 verbosity: 0
-
 # vim: filetype=yaml
--
2.39.5