From d2b819a2f0468631da97568f686fe1a2c2000ac4 Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Wed, 27 Nov 2024 18:33:22 +0100
Subject: [PATCH] Working on playbook for disabling replication on a LDAP server.
---
includes/del-389ds-backend-repl-agmt.yaml | 17 ++++++++
.../del-389ds-backend-repl-agmts-src.yaml | 7 ++++
.../del-389ds-backend-repl-agmts-target.yaml | 24 +++++++++++
includes/del-389ds-backend-repl-agmts.yaml | 42 -------------------
includes/disable-389ds-replication.yaml | 37 ++++++++++++++++
includes/set-389ds-backend-readonly.yaml | 2 +-
playbooks/disable-ldap-server.yaml | 38 +++++++++++------
7 files changed, 112 insertions(+), 55 deletions(-)
create mode 100644 includes/del-389ds-backend-repl-agmt.yaml
create mode 100644 includes/del-389ds-backend-repl-agmts-src.yaml
create mode 100644 includes/del-389ds-backend-repl-agmts-target.yaml
delete mode 100644 includes/del-389ds-backend-repl-agmts.yaml
create mode 100644 includes/disable-389ds-replication.yaml
diff --git a/includes/del-389ds-backend-repl-agmt.yaml b/includes/del-389ds-backend-repl-agmt.yaml
new file mode 100644
index 0000000..1b353af
--- /dev/null
+++ b/includes/del-389ds-backend-repl-agmt.yaml
@@ -0,0 +1,17 @@
+---
+
+- name: "Set fact agreement_name."
+ set_fact:
+ agreement_name: "{{ slapd_instance }} to {{ target }} agreement"
+
+- name: "Show replication agreement name for suffix '{{ suffix }}'."
+ debug:
+ var: agreement_name
+ verbosity: 0
+
+- name: "Removing replication agreement '{{ agreement_name }}' for suffix '{{ suffix }}'."
+ ansible.builtin.shell: "dsconf '{{ slapd_instance }}' repl-agmt delete --suffix '{{ suffix }}' '{{ agreement_name }}'"
+ ignore_errors: true
+
+
+# vim: filetype=yaml
diff --git a/includes/del-389ds-backend-repl-agmts-src.yaml b/includes/del-389ds-backend-repl-agmts-src.yaml
new file mode 100644
index 0000000..b964d0d
--- /dev/null
+++ b/includes/del-389ds-backend-repl-agmts-src.yaml
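Review bot: The `repl-agmt delete` task builds a shell command line by hand-quoting `slapd_instance`, `suffix` and `agreement_name` (which embeds `target`, an inventory hostname taken from `ansible_play_batch` in the playbook) in single quotes, so any value containing a `'` or other shell metacharacter breaks the quoting, and nothing here needs a shell at all. Passing the arguments as a list through `ansible.builtin.command` with `argv` removes the quoting problem entirely and reports the result instead of only swallowing it; `ignore_errors: true` is kept because a missing agreement is presumably expected, but once the exact dsconf error text for that case is known it should be narrowed with `failed_when`. `set_fact`/`debug` are used without the `ansible.builtin.` prefix the shell task already uses, and `verbosity: 0` is the default and can be dropped.

```yaml
- name: "Removing replication agreement '{{ agreement_name }}' for suffix '{{ suffix }}'."
  ansible.builtin.command:
    argv:
      - dsconf
      - "{{ slapd_instance }}"
      - repl-agmt
      - delete
      - "--suffix"
      - "{{ suffix }}"
      - "{{ agreement_name }}"
  register: repl_agmt_delete
  changed_when: repl_agmt_delete.rc == 0
  ignore_errors: true
```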
@@ -0,0 +1,7 @@
+---
+
+- name: "Removing replication agreement to '{{ target }}' on suffix '{{ suffix }}'."
+ include_tasks: '../includes/del-389ds-backend-repl-agmt.yaml'
+ when: target == ldapserver_to_disable
+
+# vim: filetype=yaml
diff --git a/includes/del-389ds-backend-repl-agmts-target.yaml b/includes/del-389ds-backend-repl-agmts-target.yaml
new file mode 100644
index 0000000..711ca2b
--- /dev/null
+++ b/includes/del-389ds-backend-repl-agmts-target.yaml
@@ -0,0 +1,24 @@
+---
+
+# name: "Removing replication agreements to '{{ target }}' on suffix '{{ suffix }}'."
+# when: target != ansible_fqdn
+# block:
+
+# - name: "Set fact agreement_name."
+# set_fact:
+# agreement_name: "{{ slapd_instance }} to {{ target }} agreement"
+
+# - name: "Show replication agreement name for suffix '{{ suffix }}'."
+# debug:
+# var: agreement_name
+# verbosity: 0
+
+# - name: "Removing replication agreement '{{ agreement_name }}' for suffix '{{ suffix }}'."
+# ansible.builtin.shell: "dsconf '{{ slapd_instance }}' repl-agmt delete --suffix '{{ suffix }}' '{{ agreement_name }}'"
+# ignore_errors: true
+
+- name: "Removing replication agreements to '{{ target }}' on suffix '{{ suffix }}'."
+ when: target != ansible_fqdn
+ include_tasks: '../includes/del-389ds-backend-repl-agmt.yaml'
+
+# vim: filetype=yaml
diff --git a/includes/del-389ds-backend-repl-agmts.yaml b/includes/del-389ds-backend-repl-agmts.yaml
deleted file mode 100644
index 7d167f4..0000000
--- a/includes/del-389ds-backend-repl-agmts.yaml
+++ /dev/null
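Review bot: `when: target == ldapserver_to_disable` compares an entry of `ansible_play_batch` (an inventory hostname) with `ldapserver_to_disable`, while the playbook gates the same variable against `ansible_fqdn`; the two only agree when inventory hostnames are FQDNs, and otherwise this include never removes the agreement pointing at the disabled server and nothing reports that. If that assumption is intended, state it above the task: `# NOTE: target is an inventory hostname (ansible_play_batch); it must equal the host's FQDN for this guard to match — confirm`. Otherwise compare on a single key, e.g. `when: hostvars[target]['ansible_fqdn'] | default(target) == ldapserver_to_disable`.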
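Review bot: The eighteen `# ...` lines at the top of the new file are a commented-out copy of `del-389ds-backend-repl-agmt.yaml`, not documentation; the live task below already includes that file, so delete them before the two versions drift apart. The remaining guard `when: target != ansible_fqdn` correctly skips only the agreement a server would have to itself, but `target` is an inventory hostname from `ansible_play_batch` and matches `ansible_fqdn` only when the inventory uses FQDNs — a one-line comment such as `# target is an inventory hostname; assumes inventory names are FQDNs` would record that assumption.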
@@ -1,42 +0,0 @@ ---- - -- name: "Removing replication agreements on {{ ansible_nodename }}." - when: ldapserver_to_disable != ansible_nodename - block: - - - name: "Removing replication agreements to {{ target }}." - when: ldapserver_to_disable == target - block: - - - name: "Set fact agreement_name." - set_fact: - agreement_name: "{{ slapd_instance }} to {{ target }} agreement" - - - name: "Show replication agreement name for suffix '{{ suffix }}'." - debug: - var: agreement_name - verbosity: 0 - - - name: "Removing replication agreement '{{ agreement_name }}' for suffix '{{ suffix }}'." - ansible.builtin.shell: "dsconf '{{ slapd_instance }}' repl-agmt delete --suffix '{{ suffix }}' '{{ agreement_name }}'" - ignore_errors: true - -- name: "Removing replication agreements on {{ ldapserver_to_disable }}." - when: ldapserver_to_disable == ansible_nodename - block: - - - name: "Set fact agreement_name." - set_fact: - agreement_name: "{{ slapd_instance }} to {{ target }} agreement" - - - name: "Show replication agreement name for suffix '{{ suffix }}'." - debug: - var: agreement_name - verbosity: 0 - - - name: "Removing replication agreement '{{ agreement_name }}' for suffix '{{ suffix }}'." - ansible.builtin.shell: "dsconf '{{ slapd_instance }}' repl-agmt delete --suffix '{{ suffix }}' '{{ agreement_name }}'" - ignore_errors: true - - -# vim: filetype=yaml diff --git a/includes/disable-389ds-replication.yaml b/includes/disable-389ds-replication.yaml new file mode 100644 index 0000000..49fb7f5 --- /dev/null +++ b/includes/disable-389ds-replication.yaml 
@@ -0,0 +1,37 @@ +--- + +- name: "Get a list of all replicated Suffixes." + ansible.builtin.shell: "dsconf '{{ slapd_instance }}' replication list" + check_mode: false + changed_when: false + register: list_of_replicated_suffixes + +- name: "Show current list_of_replicated_suffixes" + debug: + var: list_of_replicated_suffixes + verbosity: 2 + +- name: "Set fact suffix_is_replicated." + no_log: true + set_fact: + suffix_is_replicated: false + +- name: "Searching for suffix '{{ suffix }}' in the list of replicated suffixes." + set_fact: + suffix_is_replicated: true + when: ( this_line | regex_replace('^\\s*') | regex_replace('\\s*$') ) == suffix + loop: "{{ list_of_replicated_suffixes.stdout_lines }}" + loop_control: + loop_var: this_line + +- name: "Set fact list_of_replicated_suffixes." + no_log: true + set_fact: + list_of_replicated_suffixes: ~ + +- name: "The suffix '{{ suffix }}' is replicated:" + debug: + var: suffix_is_replicated + + +# vim: filetype=yaml diff --git a/includes/set-389ds-backend-readonly.yaml b/includes/set-389ds-backend-readonly.yaml index 8fab773..e6042df 100644 --- a/includes/set-389ds-backend-readonly.yaml +++ b/includes/set-389ds-backend-readonly.yaml @@ -20,7 +20,7 @@ debug: var: backend_ro -- name: "Setting '{{ backend.value }}' to readonly." +- name: "Setting backend '{{ backend.value }}' to readonly." ansible.builtin.shell: "dsconf '{{ slapd_instance }}' backend suffix set --enable-readonly '{{ backend.value }}'" when: backend_ro == false diff --git a/playbooks/disable-ldap-server.yaml b/playbooks/disable-ldap-server.yaml index 62ab319..99a1f3d 100644 --- a/playbooks/disable-ldap-server.yaml +++ b/playbooks/disable-ldap-server.yaml 
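Review bot: `disable-389ds-replication.yaml` only computes `suffix_is_replicated`; it contains no `dsconf ... replication disable` (or equivalent) call, so the playbook task named "Disabling replication on all suffixes." that includes it does not disable anything yet. If that is deliberate work in progress, a marker above the final debug, `# TODO: run 'dsconf <instance> replication disable --suffix <suffix>' when suffix_is_replicated`, keeps the file's name honest until the follow-up lands. The per-line comparison can drop both regex filters: `when: (this_line | trim) == suffix`. `dsconf '{{ slapd_instance }}' replication list` needs no shell features, so `ansible.builtin.command` would avoid hand-quoting the interpolated instance name.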
@@ -51,46 +51,47 @@ register: tstamp check_mode: false changed_when: false - when: ldapserver_to_disable == ansible_nodename + # when: ldapserver_to_disable == ansible_fqdn - name: "Show current timestamp" debug: var: tstamp verbosity: 3 - when: ldapserver_to_disable == ansible_nodename + # when: ldapserver_to_disable == ansible_fqdn - name: "Set date variables" set_fact: cur_date: "{{ tstamp.stdout[0:10] | default('2024-11-11') }}" cur_time: "{{ tstamp.stdout[11:] | default('16-33-23') }}" cur_timestamp: "{{ tstamp.stdout[0:10] }}_{{ tstamp.stdout[11:] | default('2024-11-11_16-33-23') }}" - when: ldapserver_to_disable == ansible_nodename + # when: ldapserver_to_disable == ansible_fqdn - name: "Show current date" debug: msg: "Current timestamp: '{{ cur_timestamp }}'." - when: ldapserver_to_disable == ansible_nodename + verbosity: 0 + # when: ldapserver_to_disable == ansible_fqdn - name: "Disabling Puppet agent on '{{ ldapserver_to_disable }}'." ansible.builtin.shell: | puppet agent --disable "[$( date +'%Y-%m-%d' )]: Disbled by Ansible playbook 'disable-ldap-server.yaml'." args: creates: '/opt/puppetlabs/puppet/cache/state/agent_disabled.lock' - when: ldapserver_to_disable == ansible_nodename + when: ldapserver_to_disable == ansible_fqdn - name: "Disabling Puppet service on '{{ ldapserver_to_disable }}'." ansible.builtin.service: enabled: false name: puppet state: stopped - when: ldapserver_to_disable == ansible_nodename + when: ldapserver_to_disable == ansible_fqdn - name: "Disabling Wazuh service on '{{ ldapserver_to_disable }}'." ansible.builtin.service: enabled: false name: wazuh-agent state: stopped - when: ldapserver_to_disable == ansible_nodename + when: ldapserver_to_disable == ansible_fqdn - name: "Retrieve all backends from '{{ ldapserver_to_disable }}'." ansible.builtin.shell: "dsconf '{{ slapd_instance }}' backend suffix list" 
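Review bot: Stopping and disabling `wazuh-agent` here removes host-based monitoring from a server that keeps running 389-ds — the backends are only set read-only later in the play — so the directory data stays reachable without any telemetry; consider keeping the Wazuh agent until the host is actually decommissioned, or add a comment stating why monitoring is dropped at this point. The four `# when: ldapserver_to_disable == ansible_fqdn` lines on the timestamp tasks are commented-out code, not documentation: either delete them or restore the guard. The Puppet disable message contains the typo `Disbled`, which is written into the agent lock file; `Disabled` is intended. The enclosing play starts before this hunk.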
@@ -120,20 +121,33 @@ verbosity: 0 - name: "Setting all backends to readonly." - when: ldapserver_to_disable == ansible_nodename + include_tasks: '../includes/set-389ds-backend-readonly.yaml' + when: ldapserver_to_disable == ansible_fqdn loop: "{{ suffixes | dict2items }}" loop_control: loop_var: backend - include_tasks: '../includes/set-389ds-backend-readonly.yaml' - - name: "Removing replication agreements" - include_tasks: '../includes/del-389ds-backend-repl-agmts.yaml' + - name: "Removing replication agreements on host to disable." + include_tasks: '../includes/del-389ds-backend-repl-agmts-target.yaml' + when: ldapserver_to_disable == ansible_fqdn vars: suffix: "{{ item[0].key }}" target: "{{ item[1] }}" loop: "{{ suffixes | dict2items | product( ansible_play_batch ) | list }}" + - name: "Removing replication agreements on hosts to keep." + include_tasks: '../includes/del-389ds-backend-repl-agmts-src.yaml' + when: ldapserver_to_disable != ansible_fqdn + vars: + suffix: "{{ item[0].key }}" + target: "{{ item[1] }}" + loop: "{{ suffixes | dict2items | product( ansible_play_batch ) | list }}" -# vim: filetype=yaml + - name: "Disabling replication on all suffixes." + when: ldapserver_to_disable == ansible_fqdn + include_tasks: '../includes/disable-389ds-replication.yaml' + vars: + suffix: "{{ item[0].key }}" + loop: "{{ suffixes | dict2items | product( ansible_play_batch ) | list }}" # vim: filetype=yaml -- 2.39.5
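Review bot: The "Disabling replication on all suffixes." task loops over `suffixes | dict2items | product( ansible_play_batch )` but its vars only read `item[0].key`, so `disable-389ds-replication.yaml` and its `dsconf replication list` call run once per host in the batch for every suffix with identical inputs; `loop: "{{ suffixes | dict2items }}"` with `suffix: "{{ item.key }}"` does the same work once. All three includes are gated on `ldapserver_to_disable == ansible_fqdn` (or `!=`) while `target` comes from `ansible_play_batch`, i.e. inventory hostnames — if those are not FQDNs, or `ldapserver_to_disable` is a short name, every guard is false and the play silently changes nothing. An `ansible.builtin.assert` at the start of the play that exactly one host satisfies `hostvars[h]['ansible_fqdn'] == ldapserver_to_disable` (presumably the intended invariant) would fail loudly instead. The enclosing play begins before this hunk.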