Start configuring 389ds account policy plugin.
authorFrank Brehm <frank.brehm@pixelpark.com>
Mon, 9 Dec 2024 17:10:29 +0000 (18:10 +0100)
committerFrank Brehm <frank.brehm@pixelpark.com>
Mon, 9 Dec 2024 17:10:29 +0000 (18:10 +0100)
filter_plugins/cfg_389ds_to_dict.py
filter_plugins/compare_lc_list.py
inventory/dpx-ldap-dev1.yaml
inventory/spk-ldap-stage.yaml
playbooks/configure-ldap-servers.yaml
roles/389ds-config-logging/defaults/main.yaml
roles/389ds-config-plugins/defaults/main.yaml
roles/389ds-config-plugins/tasks/account-policy.yaml [new file with mode: 0644]
roles/389ds-config-plugins/tasks/main.yaml

index b13430d137d885958426c35f37f518b4f21431fe..dfaea5111212dcecd123051af154a330c244722b 100644 (file)
@@ -59,8 +59,12 @@ class FilterModule(object):
             return float(value)
         if value.lower() == 'on':
             return True
+        if value.lower() == 'yes':
+            return True
         if value.lower() == 'off':
             return False
+        if value.lower() == 'no':
+            return False
         return value
 
 
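Review bot: The new branches at `+        if value.lower() == 'yes':` and `+        if value.lower() == 'no':` make four separate `value.lower()` calls in a row; lowering once and testing membership reads better and keeps the accepted spellings in one place: `lowered = value.lower()`, `if lowered in ('on', 'yes'): return True`, `if lowered in ('off', 'no'): return False`. The enclosing method starts before the hunk, so whether `value` is guaranteed to be a str at this point is not visible here; the `float(value)` return just above suggests it is a string that failed numeric parsing, but that is an inference.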
index 7d1db783d7857bfb8b5d169d002c70dd0d970533..fe6f98cc3d6457b4721548957f9feb94615a2d0f 100644 (file)
@@ -23,6 +23,7 @@ class FilterModule(object):
         return {
             'compare_lc_list': self.compare_lc_list,
             'bool_to_on_off': self.bool_to_on_off,
+            'bool_to_yes_no': self.bool_to_yes_no,
         }
 
     # ------------------
@@ -59,6 +60,13 @@ class FilterModule(object):
             return 'on'
         return 'off'
 
+    # ------------------
+    def bool_to_yes_no(self, value):
+        """Translate the given value to yes or no respective."""
+        if value:
+            return 'yes'
+        return 'no'
+
 
 # =============================================================================
 
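Review bot: `+    def bool_to_yes_no(self, value):` relies on Python truthiness, so a string such as `'false'` or `'no'` (as arrives from an inventory or `-e` override) produces `'yes'`; the new tasks/account-policy.yaml pipes `ds389_plugin_account_policy_always_record_login` into this filter without a preceding `| bool`, so the contract should be stated. A tighter docstring would be `"""Return 'yes' if value is truthy, otherwise 'no'; callers should pass a real bool (e.g. via ``| bool``)."""`. The sibling `bool_to_on_off` presumably has the same property, but its body is outside the hunk.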
index 7c31f2049f18b9cf59d602e2edbabc1edf8a107d..1bce7993a0c1ee47e1f2b0fb0bb165c8126397ec 100644 (file)
@@ -62,4 +62,11 @@ all:
         ensure: absent
 
 
+    # Tempporary
+    ds389_logging_config: false
+    ds389_plugin_memberof_config: false
+    ds389_plugin_referint_config: false
+    ds389_plugin_attr_uniq_config: false
+
+
 # vim: filetype=yaml
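Review bot: The comment `+    # Tempporary` is misspelled and does not say what is temporary or when the four `false` overrides below it are meant to go away; something like `# Temporary: skip the logging/memberof/referint/attr-uniq roles while the account-policy plugin is being developed; remove when account-policy.yaml is complete` keeps the intent greppable. Note that `ds389_plugin_account_policy_config` is not overridden here, so this host picks up the role default of `true` and runs the new task file; that is presumably intended for a dev host, and worth saying in the same comment.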
index cbe8ee6e3c8e7905a173b5f19314923c5f2c63e1..c5bb4a53bb0d1c18034ec675313632da45ef168e 100644 (file)
@@ -32,5 +32,6 @@ all:
         across_all_subtrees: false
         subtrees:
           - 'dc=spk,dc=pixelpark,dc=net'
+    ds389_plugin_account_policy_config: false
 
 # vim: filetype=yaml
index cb7a56c022ac9159e4fbd5c29caa935bac50e454..3873630578af9884746bf4f1645bb98489fbba40 100644 (file)
@@ -13,6 +13,7 @@
     - name: "Configure logging for 389ds LDAP server."
       include_role:
         name: 389ds-config-logging
+      when: ( ds389_logging_config | bool ) == true
 
     - name: "Configure all necessay plugins of the 389ds LDAP server."
       include_role:
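Review bot: `+      when: ( ds389_logging_config | bool ) == true` is evaluated on the `include_role` task itself, before the role is loaded, so as far as I can tell the default added in roles/389ds-config-logging/defaults/main.yaml is not in scope here and a host that does not set the variable in inventory fails with an undefined-variable error instead of defaulting to running the role; `when: ds389_logging_config | default(true) | bool` covers that. The `== true` after `| bool` is redundant and could be dropped here and in the matching include conditions in roles/389ds-config-plugins/tasks/main.yaml.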
index acdd7d7e5a73725e4507089a0ee60fbc45c7e278..758f9ca40b613b4a2188726e788c38962ad3dece 100644 (file)
@@ -1,6 +1,8 @@
 ---
 base_logdir: '/var/log/dirsrv'
 
+ds389_logging_config: true
+
 logging:
   access:
     logfile: access.log
index 32d5881bde31ada1f1de12e68a3429c9db3c89bb..78ba8b50961441956abbc2991f5445fcd1e29a7b 100644 (file)
@@ -66,6 +66,20 @@ ds389_plugin_attr_uniq_attributes_default:
     top_entry_oc: ~
     subtree_entries_oc: ~
 
+###############################
+# Plugin account policy
+
+ds389_plugin_account_policy_config: true
+ds389_plugin_account_policy_enable: true
+ds389_plugin_account_policy_always_record_login: true
+ds389_plugin_account_policy_alt_state_attr: '1.1'
+ds389_plugin_account_policy_always_record_login_attr: ~
+ds389_plugin_account_policy_limit_attr: 'accountInactivityLimit'
+ds389_plugin_account_policy_spec_attr: 'acctPolicySubentry'
+ds389_plugin_account_policy_state_attr: 'lastLoginTime'
+ds389_plugin_account_policy_login_history_size: ~
+ds389_plugin_account_policy_check_all_state_attrs: ~
+
 base_logdir: '/var/log/dirsrv'
 
 # vim: filetype=yaml
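Review bot: `+ds389_plugin_account_policy_config: true` opts every host into the new account-policy task file by default, while that file is explicitly unfinished (it carries a `# Failing:` comment for five options and only prints the command it builds); defaulting to `false` until it is complete, or documenting the opt-out, avoids surprising hosts that do not override it the way spk-ldap-stage does. `+ds389_plugin_account_policy_alt_state_attr: '1.1'` also deserves a comment, since it reads like a version number: if, as I recall from the 389ds docs, `1.1` is the "no attribute" placeholder that disables the alternate state attribute, say so, e.g. `# '1.1' = no alternate state attribute (quoted so YAML does not read it as a float)`.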
diff --git a/roles/389ds-config-plugins/tasks/account-policy.yaml b/roles/389ds-config-plugins/tasks/account-policy.yaml
new file mode 100644 (file)
index 0000000..9f9cd68
--- /dev/null
@@ -0,0 +1,120 @@
+---
+
+- name: 'Get the current configuration of the account-policy Plugin.'
+  ansible.builtin.shell: "dsconf {{ slapd_instance | quote }} plugin account-policy show | \
+    grep -P -i '^(nsslapd-pluginEnabled|nsslapd-pluginarg0)' | \
+    sed -e 's/nsslapd-plugin//i' -e 's/Enabled/enabled/i' | sort || true"
+  register: get_plugin_account_policy
+  changed_when: false
+  check_mode: false
+
+- name: 'Show raw account-policy attribute config.'
+  debug:
+    var: get_plugin_account_policy
+    verbosity: 2
+
+- name: "Set variable plugin_account_policy_config"
+  set_fact:
+    plugin_account_policy_config: "{{ get_plugin_account_policy.stdout_lines | cfg_389ds_to_dict }}"
+
+- name: "Set variable acc_plugin_entry."
+  set_fact:
+    acc_plugin_entry: "{{ plugin_account_policy_config['arg0'] }}"
+
+- name: "The account-policy Plugin entry:"
+  debug:
+    var: acc_plugin_entry
+    verbosity: 1
+
+- name: 'Get the current configuration entry of the account-policy Plugin.'
+  ansible.builtin.shell: "dsconf {{ slapd_instance | quote }} plugin account-policy config-entry show \
+    {{ plugin_account_policy_config['arg0'] | quote }} | \
+    grep -P -v -i '^([cd]n|objectClass):' | grep -v -P '^\\s*$' | sort -i || true"
+  register: get_plugin_account_policy_entry
+  changed_when: false
+  check_mode: false
+
+- name: 'Show raw account-policy attribute config entry.'
+  debug:
+    var: get_plugin_account_policy_entry
+    verbosity: 2
+
+- name: "Set variable plugin_account_policy_config_entry"
+  set_fact:
+    plugin_account_policy_config_entry: "{{ get_plugin_account_policy_entry.stdout_lines | cfg_389ds_to_dict }}"
+
+- name: "Set variable acc_plugin_cfg"
+  set_fact:
+    acc_plugin_cfg: "{{ plugin_account_policy_config | ansible.builtin.combine(plugin_account_policy_config_entry, list_merge='append_rp', recursive=true) }}"
+
+- name: "The account-policy Plugin configuration:"
+  debug:
+    var: acc_plugin_cfg
+    verbosity: 0
+
+- name: 'Predefine variables'
+  set_fact:
+    exec_set: false
+    attrs_remove: []
+
+- name: 'Check for alwaysrecordlogin'
+  set_fact:
+    exec_set: true
+  when: "('alwaysrecordlogin' not in acc_plugin_cfg) or (acc_plugin_cfg['alwaysrecordlogin'] != ds389_plugin_account_policy_always_record_login)"
+
+- name: 'Check for alt-state-attr for vanishing'
+  set_fact:
+    attrs_remove: "{{ alt-state-attr + ['altstateattrname']"
+  when: "('altstateattrname' in acc_plugin_cfg) and (ds389_plugin_account_policy_alt-state-attr == None or ds389_plugin_account_policy_alt-state-attr == '')"
+
+- name: 'Check for alt-state-attr'
+  set_fact:
+    exec_set: true
+  when: "ds389_plugin_account_policy_alt_state_attr != None and ds389_plugin_account_policy_alt_state_attr != '' and ('altstateattrname' not in acc_plugin_cfg or (acc_plugin_cfg['altstateattrname'] != ds389_plugin_account_policy_alt_state_attr))"
+
+- name: 'Check for always-record-login-attr for vanishing'
+  set_fact:
+    attrs_remove: "{{ always-record-login-attr + ['alwaysrecordloginattr']"
+  when: "('alwaysrecordloginattr' in acc_plugin_cfg) and (ds389_plugin_account_policy_always-record-login-attr == None or ds389_plugin_account_policy_always-record-login-attr == '')"
+
+- name: 'Check for always-record-login-attr'
+  set_fact:
+    exec_set: true
+  when: "ds389_plugin_account_policy_always_record_login_attr != None and ds389_plugin_account_policy_always_record_login_attr != '' and ('alwaysrecordloginattr' not in acc_plugin_cfg or (acc_plugin_cfg['alwaysrecordloginattr'] != ds389_plugin_account_policy_always_record_login_attr))"
+
+# Failing: --limit-attr --spec-attr --state-attr --login-history-size --check-all-state-attrs
+
+- name: 'Setting new configuration for account-policy Plugin'
+  when: exec_set == true
+  block:
+
+    - name: "Init + set var plugin_acc_policy_cmd + restart_389ds."
+      set_fact:
+        plugin_acc_policy_cmd: "dsconf {{ slapd_instance | quote }} plugin account-policy config-entry set"
+        restart_389ds: true
+
+    - name: "Add --always-record-login to command."
+      set_fact:
+        plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} --always-record-login {{ ds389_plugin_account_policy_always_record_login | bool_to_yes_no }}"
+
+    - name: "Add --alt-state-attr to command."
+      set_fact:
+        plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} --alt-state-attr {{ ds389_plugin_account_policy_alt_state_attr | quote }}"
+      when: ds389_plugin_account_policy_alt_state_attr != None and ds389_plugin_account_policy_alt_state_attr != ''
+
+    - name: "Add --always-record-login-attr to command."
+      set_fact:
+        plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} --always-record-login-attr {{ ds389_plugin_account_policy_always_record_login_attr | quote }}"
+      when: ds389_plugin_account_policy_always_record_login_attr != None and ds389_plugin_account_policy_always_record_login_attr != ''
+
+    - name: "Add config DN to plugin_acc_policy_cmd."
+      set_fact:
+        plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} {{ acc_plugin_entry | quote }}"
+
+    - name: "Show the command to execute:"
+      debug:
+        var: plugin_acc_policy_cmd
+        verbosity: 0
+
+
+# vim: filetype=yaml
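Review bot: The two "for vanishing" tasks cannot run as written: `+    attrs_remove: "{{ alt-state-attr + ['altstateattrname']"` and the matching `always-record-login-attr` line lack the closing `}}` and name `alt-state-attr` / `always-record-login-attr` instead of `attrs_remove`, and their `when:` conditions use hyphenated names (`ds389_plugin_account_policy_alt-state-attr`), which Jinja parses as a subtraction of three undefined variables rather than the `ds389_plugin_account_policy_alt_state_attr` defined in the role defaults and used correctly in the very next task. Corrected tasks below. `attrs_remove` is also never consumed afterwards and the assembled `plugin_acc_policy_cmd` is only printed, which fits the "Start configuring" title but means `restart_389ds: true` is set although nothing has been changed yet. Separately, the trailing `|| true` on both `dsconf … show` shell tasks hides a failed dsconf call (and without `pipefail` the pipeline status is `sort`'s anyway), so a wrong `slapd_instance` surfaces later as a missing `arg0` key; an `ansible.builtin.assert` with `that: "'arg0' in plugin_account_policy_config"` right after the first `set_fact` would fail at the source with a clear message.
```yaml
- name: 'Check for alt-state-attr for vanishing'
  set_fact:
    attrs_remove: "{{ attrs_remove + ['altstateattrname'] }}"
  when: "('altstateattrname' in acc_plugin_cfg) and (ds389_plugin_account_policy_alt_state_attr == None or ds389_plugin_account_policy_alt_state_attr == '')"

# … unchanged: 'Check for alt-state-attr' task …

- name: 'Check for always-record-login-attr for vanishing'
  set_fact:
    attrs_remove: "{{ attrs_remove + ['alwaysrecordloginattr'] }}"
  when: "('alwaysrecordloginattr' in acc_plugin_cfg) and (ds389_plugin_account_policy_always_record_login_attr == None or ds389_plugin_account_policy_always_record_login_attr == '')"
```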
index cc9b46808acc2eed94ab9776e5756ee7c15e1eda..892844e63a1923227072212dc9936e478d70c222 100644 (file)
@@ -12,4 +12,8 @@
   include_tasks: 'attr-uniq.yaml'
   when: (ds389_plugin_attr_uniq_config | bool) == true
 
+- name: "Configuring the 389ds account-policy-Plugin."
+  include_tasks: 'account-policy.yaml'
+  when: (ds389_plugin_account_policy_config | bool) == true
+
 # vim: filetype=yaml