资源引擎>> 389ds>> 返回
项目作者: hthaller

项目描述 :
Ansible role for the installation and configuration of a 389 directory server on CentOS8/RHEL8 systems
高级语言: Jinja
项目地址: git://github.com/hthaller/389ds.git
创建时间: 2020-10-21T08:11:39Z
项目社区:https://github.com/hthaller/389ds
开源协议:GNU General Public License v3.0
下载


389ds

This role installs the 389 Directory Server (389ds) on RedHat or CentOS servers.

Features

  • Installation of
    • Standalone LDAP servers
    • Supplier nodes (incl. multi master configurations)
    • Consumer nodes
  • Setup of TLS and encryption settings
    • Management of supported ciphers
    • Enforce minimal and maximal TLS version
    • Interface for certificate requests and renewals
  • Support for multiple nsslapd instances per server
  • Support for multiple suffixes per instance
  • Management of any plugin (configure plugin attributes, enable/disable plugin on all or some named hosts)
  • Add custom schema files
  • LDAP settings under in these containers are Ansible managed:
    • cn=config
    • cn=config,cn=ldbm database,cn=plugins,cn=config
    • cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
  • Creation of LDAP indexes
  • Creation of VLV indexes
  • Management of replication topology

Requirements

  • Ansible 2.9 or newer
  • CentOS 8.3 or RHEL 8.3

Example

Note: You should consider to embed the 389ds role in your own host_ldap role, which contains the company specific configuration (e.g. schema files, certificate scripts and your tested 389ds configuration). 

  1. # this variable defines the list of ldap supplier nodes
  2. # it is used in the ds_app variable and not by the role itself 
  3. host_ldap_supplier:
  4.   - name: 'master1.example.com'
  5.     replicaid: 1
  6.     initialmaster: true
  7.   - name: 'master2.example.com'
  8.     replicaid: 2
  9.   - name: 'master3.example.com'
  10.     replicaid: 3
  12. # this variable holds the whole configuration
  13. ds_app:
  14.   # DN for directory manager
  15.   dm_dn: 'cn=directory manager'
  17.   # Password for directory manager
  18.   dm_pasword: 'my_secret'
  20.   # Here you can define one or more 389ds instances
  21.   instance:
  22.     # Instance name
  23.     - name: 'example'
  25.       # Overwrites the password for this instance
  26.       dm_password: 'my_secret_for_this_instance'
  28.       # Password for the replication manager account (not necessary for standalone LDAP servers)
  29.       initial_replication_manager_password: 'repl_pw'
  30.       secure_port: 636
  31.       port: 389
  32.       tls: 'on'
  34.       encryption:
  35.         selfsigned_certs: false
  36.         ca_files:
  37.           - '{{ host_ldap_role_path }}/templates/certs/ca_files/MyCompanyRootCA.cer'
  39.         request_certscript: '{{ host_ldap_role_path }}/templates/certs/bin/request_cert.sh'
  40.         get_certscript: ''{{ host_ldap_role_path }}/templates/certs/bin/get_cert.sh'
  42.         directory_certs: '{{ host_ldap_role_path }}/templates/certs/hosts'
  44.         certificate:
  45.           alternates:
  46.             - "{{ inventory_hostname.split('.', 1)[0] }}"
  47.             - "ldap1.example.com"
  48.             - "{{ inventory_hostname }}"
  50.           subject: 'CN={{ inventory_hostname }},O=My Company,L=Klagenfurt,ST=Kärnten,C=AT'
  51.           renew_before_exp_days: "180"
  54.         attributes:
  55.           nsSSL3Ciphers: '+all,-fortezza_null,-fortezza,-rsa_null_sha,-fortezza_rc4_128_sha,-rsa_null_md5,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256'
  56.           sslVersionMin: 'TLS1.0'
  57.           nsSSLClientAuth: 'allowed'
  58.           nsTLS1: 'on'
  60.       # Schema files for this instance
  61.       custom_schema_files:
  62.         - '{{ host_ldap_role_path }}/templates/schema/94ssh.ldif'
  63.         - '{{ host_ldap_role_path }}/templates/schema/98kerberos.ldif'
  65.       # settings for cn=config
  66.       config:
  67.         nsslapd-ssl-check-hostname: 'on'
  68.         nsslapd-maxdescriptors: 16384
  69.         #nsslapd-sizelimit: -1
  70.         #nsslapd-pagedsizelimit: 0
  71.         nsslapd-sizelimit: "{{ nsslapd_sizelimit | default(1000) }}"
  72.         nsslapd-pagedsizelimit: "{{ nsslapd_pagedsizelimit | default(1001) }}"
  73.         nsslapd-timelimit: -1
  74.         nsslapd-idletimeout: 3600
  75.         nsslapd-ndn-cache-max-size: 209715200
  76.         nsslapd-auditlog-logging-enabled: 'on'
  77.         nsslapd-errorlog-logging-enabled: 'on'
  78.         nsslapd-accesslog-logging-enabled: 'on'
  79.         nsslapd-auditlog-maxlogsperdir: 10
  80.         nsslapd-auditlog-logexpirationtime: 4
  81.         nsslapd-auditlog-logmaxdiskspace: 1000
  82.         nsslapd-auditlog-logminfreediskspace: 500
  83.         nsslapd-errorlog-level: 16384
  84.         nsslapd-errorlog-maxlogsperdir: 10
  85.         nsslapd-errorlog-logexpirationtime: 4
  86.         nsslapd-errorlog-logmaxdiskspace: 1000
  87.         nsslapd-errorlog-logminfreediskspace: 500
  88.         nsslapd-accesslog-maxlogsperdir: 10
  89.         nsslapd-accesslog-logexpirationtime: 4
  90.         nsslapd-accesslog-logmaxdiskspace: 1000
  91.         nsslapd-accesslog-logminfreediskspace: 500
  92.         nsslapd-pwpolicy-local: 'on'
  93.         passwordLockout: 'on'
  94.         passwordExp: 'on'
  95.         passwordHistory: 'on'
  96.         passwordCheckSyntax: 'on'
  97.         passwordMaxAge: 31536000
  98.         passwordMinLength: 15
  99.         passwordWarning: 0
  100.         passwordInHistory: 5
  101.         passwordMinCategories: 4
  102.         passwordLockoutDuration: 1800
  103.         passwordMaxFailure: 10
  105.       # settings for cn=config,cn=ldbm database,cn=plugins,cn=config
  106.       ldbm_database:
  107.         config:
  108.           nsslapd-lookthroughlimit: -1
  109.           nsslapd-idlistscanlimit: 25000
  110.         # settings for cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
  111.         bdb:
  112.           # see RH ticket #02857953  
  113.           nsslapd-db-locks: 100000
  114.           nsslapd-import-cache-autosize: 20
  116.       # Plugin configuration. The name must match the plugin name in 389ds
  117.       plugin:
  118.         - name: 'Retro Changelog Plugin'
  119.           attributes:
  120.             nsslapd-changelogmaxage: '7d'
  121.           status:
  122.             enabled: "{{ host_ldap_supplier | map(attribute='name') | list }}"
  123.             disabled: []
  125.         - name: 'MemberOf Plugin'
  126.           attributes:
  127.             memberofgroupattr: uniqueMember
  128.             memberofattr: memberOf
  129.             memberOfEntryScope: 'dc=example,dc=com'
  130.           status:
  131.             enabled: "{{ host_ldap_supplier | map(attribute='name') | list }}"
  133.       # suffix configuration for the instance
  134.       suffix:
  135.         - name: 'dc=example,dc=com'
  137.           replication:
  138.             supplier:
  139.               server: "{{ host_ldap_supplier }}"
  140.               excluded_attrs:
  141.                 - memberOf
  142.                 - accountUnlockTime
  143.                 - passwordRetryCount
  144.                 - retryCountResetTime
  145.               changelogmaxage: '30d'
  146.             consumer:
  147.               inventorygroup: ldapreplicas
  148.               excluded_attrs:
  149.                 - accountUnlockTime
  150.                 - passwordRetryCount
  151.                 - retryCountResetTime
  152.             replicapurgedelay: 604800
  154.           db:
  155.             # database name for the suffix
  156.             # at the moment this role supports only one database for a suffix
  157.             - name: userroot
  159.               # Here you can specify additional indexes
  160.               index:
  161.                 - name: automountinformation
  162.                   type:
  163.                     - eq
  164.                     - pres
  165.                     - sub
  167.                 - name: homedirectory
  168.                   type:
  169.                     - eq
  170.                     - pres
  172.                 - name: ipserviceport
  173.                   type:
  174.                     - eq
  175.                     - pres
  177.                 - name: automountmapname
  178.                   type:
  179.                     - eq
  180.                     - pres
  182.                 - name: sudouser
  183.                   type:
  184.                     - eq
  185.                     - pres
  186.                     - sub
  188.               # also VLV indexes are allowed
  189.               # make sure, that the index base exists
  190.               vlv_index:
  191.                 - name: objectclass
  192.                   filter: '(objectClass=*)'
  193.                   base: 'dc=example,dc=com'
  194.                   scope: 1
  195.                   index:
  196.                   - name: getobjectclass
  197.                     sort: 'cn'
  199.                 - name: hosts
  200.                   filter: '(objectClass=ipHost)'
  201.                   base: 'ou=hosts,{{ host_ldap_basedn }}'
  202.                   scope: 1
  203.                   index:
  204.                   - name: gethostent
  205.                     sort: 'cn uid'
  207.                 - name: networks
  208.                   base: 'ou=networks,{{ host_ldap_basedn }}'
  209.                   scope: 1
  210.                   filter: '(objectClass=ipNetwork)'
  211.                   index:
  212.                     - name: getnetent
  213.                       sort: 'cn uid'
  215.                 - name: group
  216.                   base: 'ou=group,{{ host_ldap_basedn }}'
  217.                   scope: 1
  218.                   filter: '(objectClass=posixGroup)'
  219.                   index:
  220.                     - name: getgrent
  221.                       sort: 'cn uid'
  223.                 - name: passwd
  224.                   base: 'ou=people,{{ host_ldap_basedn }}'
  225.                   scope: 1
  226.                   filter: '(objectClass=posixAccount)'
  227.                   index:
  228.                     - name: getpwent.uid
  229.                       sort: uid
  230.                     - name: getpwent
  231.                       sort: 'cn uid'

Dependencies

License

GNU General Public License v3.0

Author Information

Maintainer: Horst Thaller