forked from CCCHH/ansible-infra
93 lines
3.4 KiB
YAML
93 lines
3.4 KiB
YAML
---
|
|
# Copyright (C) 2019 Maciej Delmanowski <drybjed@gmail.com>
|
|
# Copyright (C) 2019 DebOps <https://debops.org/>
|
|
# SPDX-License-Identifier: GPL-3.0-only
|
|
|
|
- name: Import custom Ansible plugins
|
|
ansible.builtin.import_role:
|
|
name: 'ansible_plugins'
|
|
|
|
- name: Import DebOps global handlers
|
|
ansible.builtin.import_role:
|
|
name: 'global_handlers'
|
|
|
|
- name: Import DebOps secret role
|
|
ansible.builtin.import_role:
|
|
name: 'secret'
|
|
|
|
- name: Take note of the current LDAP configuration
|
|
ansible.builtin.set_fact:
|
|
|
|
# Track the changes in the configuration state
|
|
# between role executions in the same play.
|
|
ldap__fact_configured: '{{ ldap__configured }}'
|
|
|
|
# Re-instantiate dependent variables to evaluate variables that use them.
|
|
# Without this, dependent variables may contain outdated configuration.
|
|
ldap__fact_dependent_tasks: '{{ ldap__dependent_tasks }}'
|
|
tags: [ 'role::ldap:tasks', 'skip::ldap:tasks' ]
|
|
|
|
- name: Install packages required for LDAP support
|
|
ansible.builtin.package:
|
|
name: '{{ q("flattened", ldap__base_packages + ldap__packages) }}'
|
|
state: 'present'
|
|
register: ldap__register_packages
|
|
until: ldap__register_packages is succeeded
|
|
when: ldap__enabled | bool and not ldap__dependent_play | bool
|
|
|
|
- name: Divert original LDAP client configuration
|
|
debops.debops.dpkg_divert:
|
|
path: '/etc/ldap/ldap.conf'
|
|
when: ldap__enabled | bool and not ldap__dependent_play | bool
|
|
|
|
- name: Generate system-wide LDAP configuration
|
|
ansible.builtin.template:
|
|
src: 'etc/ldap/ldap.conf.j2'
|
|
dest: '/etc/ldap/ldap.conf'
|
|
mode: '0644'
|
|
notify: [ 'Refresh host facts' ]
|
|
when: ldap__enabled | bool and not ldap__dependent_play | bool
|
|
|
|
- name: Make sure that Ansible local facts directory exists
|
|
ansible.builtin.file:
|
|
path: '/etc/ansible/facts.d'
|
|
state: 'directory'
|
|
mode: '0755'
|
|
when: ldap__enabled | bool and not ldap__dependent_play | bool
|
|
|
|
- name: Save LDAP client local facts
|
|
ansible.builtin.template:
|
|
src: 'etc/ansible/facts.d/ldap.fact.j2'
|
|
dest: '/etc/ansible/facts.d/ldap.fact'
|
|
mode: '0755'
|
|
notify: [ 'Refresh host facts' ]
|
|
when: ldap__enabled | bool and not ldap__dependent_play | bool
|
|
tags: [ 'meta::facts' ]
|
|
|
|
- name: Update Ansible facts if they were modified
|
|
ansible.builtin.meta: 'flush_handlers'
|
|
|
|
- name: Check if LDAP admin password is available
|
|
ansible.builtin.set_fact:
|
|
ldap__fact_admin_bindpw: '{{ ldap__admin_bindpw }}'
|
|
become: '{{ ldap__admin_become }}'
|
|
become_user: '{{ ldap__admin_become_user }}'
|
|
delegate_to: '{{ ldap__admin_delegate_to }}'
|
|
run_once: True
|
|
tags: [ 'role::ldap:tasks', 'skip::ldap:tasks' ]
|
|
|
|
- name: Perform LDAP tasks
|
|
ansible.builtin.include_tasks: 'ldap_tasks.yml'
|
|
loop: '{{ q("flattened", ldap__combined_tasks) | debops.debops.parse_kv_items }}'
|
|
loop_control:
|
|
label: '{{ {"state": item.state,
|
|
"dn": item.dn,
|
|
"attributes": item.attributes | d({})} }}'
|
|
when: ldap__enabled | bool and ldap__admin_enabled | bool and
|
|
item.name | d() and item.dn | d() and
|
|
item.state | d('present') not in [ 'init', 'ignore' ]
|
|
tags: [ 'role::ldap:tasks', 'skip::ldap:tasks' ]
|
|
no_log: '{{ debops__no_log | d(item.no_log | d(True
|
|
if ("userPassword" in (item.attributes | d({})).keys() or
|
|
"olcRootPW" in (item.attributes | d({})).keys())
|
|
else False)) }}'
|