From: Frank Brehm Date: Mon, 9 Dec 2024 17:10:29 +0000 (+0100) Subject: Start configuring 389ds account policy plugin. X-Git-Url: https://git.uhu-banane.org/?a=commitdiff_plain;h=5074625fce4eea8f1b028c416b8e5b1a886f1dd5;p=pixelpark%2Fpp-admin-tools.git Start configuring 389ds account policy plugin. --- diff --git a/filter_plugins/cfg_389ds_to_dict.py b/filter_plugins/cfg_389ds_to_dict.py index b13430d..dfaea51 100644 --- a/filter_plugins/cfg_389ds_to_dict.py +++ b/filter_plugins/cfg_389ds_to_dict.py @@ -59,8 +59,12 @@ class FilterModule(object): return float(value) if value.lower() == 'on': return True + if value.lower() == 'yes': + return True if value.lower() == 'off': return False + if value.lower() == 'no': + return False return value diff --git a/filter_plugins/compare_lc_list.py b/filter_plugins/compare_lc_list.py index 7d1db78..fe6f98c 100644 --- a/filter_plugins/compare_lc_list.py +++ b/filter_plugins/compare_lc_list.py @@ -23,6 +23,7 @@ class FilterModule(object): return { 'compare_lc_list': self.compare_lc_list, 'bool_to_on_off': self.bool_to_on_off, + 'bool_to_yes_no': self.bool_to_yes_no, } # ------------------ @@ -59,6 +60,13 @@ class FilterModule(object): return 'on' return 'off' + # ------------------ + def bool_to_yes_no(self, value): + """Translate the given value to yes or no respective.""" + if value: + return 'yes' + return 'no' + # ============================================================================= diff --git a/inventory/dpx-ldap-dev1.yaml b/inventory/dpx-ldap-dev1.yaml index 7c31f20..1bce799 100644 --- a/inventory/dpx-ldap-dev1.yaml +++ b/inventory/dpx-ldap-dev1.yaml @@ -62,4 +62,11 @@ all: ensure: absent + # Tempporary + ds389_logging_config: false + ds389_plugin_memberof_config: false + ds389_plugin_referint_config: false + ds389_plugin_attr_uniq_config: false + + # vim: filetype=yaml diff --git a/inventory/spk-ldap-stage.yaml b/inventory/spk-ldap-stage.yaml index cbe8ee6..c5bb4a5 100644 --- a/inventory/spk-ldap-stage.yaml 
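Review bot: The new `'yes'`/`'no'` branches recompute `value.lower()` a third and fourth time and spread the truthy/falsy spellings over four `if`s; folding them as `if value.lower() in ('on', 'yes'): return True` and `if value.lower() in ('off', 'no'): return False` keeps the mapping in one place. A short comment such as `# dsconf prints on/off for plugin flags but apparently yes/no for account-policy config-entry attributes` would record why both spellings are accepted, since the account-policy tasks in this commit rely on it. The enclosing method starts before this hunk, so whether `'true'`/`'false'` or `'1'`/`'0'` are already handled cannot be seen here.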
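Review bot: `bool_to_yes_no` decides on Python truthiness, so the strings `'false'`, `'no'`, `'off'` and `'0'` all come out as `'yes'`; in the new account-policy.yaml it is applied to `ds389_plugin_account_policy_always_record_login` straight from inventory without `| bool`, so a host override written as a quoted string would silently turn login recording on. Either coerce inside the filter with Ansible's own parser, `from ansible.module_utils.parsing.convert_bool import boolean` and `if boolean(value, strict=False):`, or make callers pass `| bool` first; the existing `bool_to_on_off` just above has the same gap. The docstring should then state which inputs count as true.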
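Review bot: The comment `# Tempporary` is misspelled and does not say what is temporary, why, or until when; switching off logging, memberOf, referential-integrity and attribute-uniqueness configuration on dev1 is exactly the kind of toggle that gets forgotten. Suggest `# Temporary: skip logging/plugin configuration on dev1 (reason / ticket) -- TODO(fbrehm): remove once done` so the next reader knows when to drop these four lines.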
+++ b/inventory/spk-ldap-stage.yaml @@ -32,5 +32,6 @@ all: across_all_subtrees: false subtrees: - 'dc=spk,dc=pixelpark,dc=net' + ds389_plugin_account_policy_config: false # vim: filetype=yaml diff --git a/playbooks/configure-ldap-servers.yaml b/playbooks/configure-ldap-servers.yaml index cb7a56c..3873630 100644 --- a/playbooks/configure-ldap-servers.yaml +++ b/playbooks/configure-ldap-servers.yaml @@ -13,6 +13,7 @@ - name: "Configure logging for 389ds LDAP server." include_role: name: 389ds-config-logging + when: ( ds389_logging_config | bool ) == true - name: "Configure all necessay plugins of the 389ds LDAP server." include_role: diff --git a/roles/389ds-config-logging/defaults/main.yaml b/roles/389ds-config-logging/defaults/main.yaml index acdd7d7..758f9ca 100644 --- a/roles/389ds-config-logging/defaults/main.yaml +++ b/roles/389ds-config-logging/defaults/main.yaml @@ -1,6 +1,8 @@ --- base_logdir: '/var/log/dirsrv' +ds389_logging_config: true + logging: access: logfile: access.log diff --git a/roles/389ds-config-plugins/defaults/main.yaml b/roles/389ds-config-plugins/defaults/main.yaml index 32d5881..78ba8b5 100644 --- a/roles/389ds-config-plugins/defaults/main.yaml +++ b/roles/389ds-config-plugins/defaults/main.yaml @@ -66,6 +66,20 @@ ds389_plugin_attr_uniq_attributes_default: top_entry_oc: ~ subtree_entries_oc: ~ +############################### +# Plugin account policy + +ds389_plugin_account_policy_config: true +ds389_plugin_account_policy_enable: true +ds389_plugin_account_policy_always_record_login: true +ds389_plugin_account_policy_alt_state_attr: '1.1' +ds389_plugin_account_policy_always_record_login_attr: ~ +ds389_plugin_account_policy_limit_attr: 'accountInactivityLimit' +ds389_plugin_account_policy_spec_attr: 'acctPolicySubentry' +ds389_plugin_account_policy_state_attr: 'lastLoginTime' +ds389_plugin_account_policy_login_history_size: ~ +ds389_plugin_account_policy_check_all_state_attrs: ~ + base_logdir: '/var/log/dirsrv' # vim: filetype=yaml 
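Review bot: The new `when` on the `include_role` of 389ds-config-logging reads `ds389_logging_config`, which this commit defines only in that role's defaults/main.yaml; a `when` on an `include_role` task is evaluated in play scope before the role's defaults are loaded, so on hosts that do not set it in inventory (dpx-ldap-dev1 does, spk-ldap-stage does not) the condition will most likely fail as undefined — unless the variable is supplied somewhere outside this diff. `when: ds389_logging_config | default(true) | bool` keeps the role's intended default and drops the redundant `== true`. The following include of the plugins role starts below the hunk, so its guard cannot be checked here.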
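Review bot: `ds389_plugin_account_policy_alt_state_attr: '1.1'` needs a comment: for dsconf, `1.1` as `--alt-state-attr` disables the fallback attribute (normally createTimestamp), and if I read the plugin right that means entries that have never recorded a `lastLoginTime` are never measured against the inactivity limit, so dormant accounts created before the plugin was enabled stay usable indefinitely — usually the opposite of what an account policy is deployed for. Suggest `# '1.1' disables the fallback attribute: accounts without lastLoginTime are never treated as inactive; use createTimestamp to also expire never-used accounts`. Separately, `ds389_plugin_account_policy_config: true` switches the new task file on for every host that does not opt out, although that file currently only prints the dsconf command; defaulting it to `false` until the tasks actually apply the configuration would avoid surprising runs.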
diff --git a/roles/389ds-config-plugins/tasks/account-policy.yaml b/roles/389ds-config-plugins/tasks/account-policy.yaml new file mode 100644 index 0000000..9f9cd68 --- /dev/null +++ b/roles/389ds-config-plugins/tasks/account-policy.yaml 
@@ -0,0 +1,120 @@ +--- + +- name: 'Get the current configuration of the account-policy Plugin.' + ansible.builtin.shell: "dsconf {{ slapd_instance | quote }} plugin account-policy show | \ + grep -P -i '^(nsslapd-pluginEnabled|nsslapd-pluginarg0)' | \ + sed -e 's/nsslapd-plugin//i' -e 's/Enabled/enabled/i' | sort || true" + register: get_plugin_account_policy + changed_when: false + check_mode: false + +- name: 'Show raw account-policy attribute config.' + debug: + var: get_plugin_account_policy + verbosity: 2 + +- name: "Set variable plugin_account_policy_config" + set_fact: + plugin_account_policy_config: "{{ get_plugin_account_policy.stdout_lines | cfg_389ds_to_dict }}" + +- name: "Set variable acc_plugin_entry." + set_fact: + acc_plugin_entry: "{{ plugin_account_policy_config['arg0'] }}" + +- name: "The account-policy Plugin entry:" + debug: + var: acc_plugin_entry + verbosity: 1 + +- name: 'Get the current configuration entry of the account-policy Plugin.' + ansible.builtin.shell: "dsconf {{ slapd_instance | quote }} plugin account-policy config-entry show \ + {{ plugin_account_policy_config['arg0'] | quote }} | \ + grep -P -v -i '^([cd]n|objectClass):' | grep -v -P '^\\s*$' | sort -i || true" + register: get_plugin_account_policy_entry + changed_when: false + check_mode: false + +- name: 'Show raw account-policy attribute config entry.' 
+ debug: + var: get_plugin_account_policy_entry + verbosity: 2 + +- name: "Set variable plugin_account_policy_config_entry" + set_fact: + plugin_account_policy_config_entry: "{{ get_plugin_account_policy_entry.stdout_lines | cfg_389ds_to_dict }}" + +- name: "Set variable acc_plugin_cfg" + set_fact: + acc_plugin_cfg: "{{ plugin_account_policy_config | ansible.builtin.combine(plugin_account_policy_config_entry, list_merge='append_rp', recursive=true) }}" + +- name: "The account-policy Plugin configuration:" + debug: + var: acc_plugin_cfg + verbosity: 0 + +- name: 'Predefine variables' + set_fact: + exec_set: false + attrs_remove: [] + +- name: 'Check for alwaysrecordlogin' + set_fact: + exec_set: true + when: "('alwaysrecordlogin' not in acc_plugin_cfg) or (acc_plugin_cfg['alwaysrecordlogin'] != ds389_plugin_account_policy_always_record_login)" + +- name: 'Check for alt-state-attr for vanishing' + set_fact: + attrs_remove: "{{ alt-state-attr + ['altstateattrname']" + when: "('altstateattrname' in acc_plugin_cfg) and (ds389_plugin_account_policy_alt-state-attr == None or ds389_plugin_account_policy_alt-state-attr == '')" + +- name: 'Check for alt-state-attr' + set_fact: + exec_set: true + when: "ds389_plugin_account_policy_alt_state_attr != None and ds389_plugin_account_policy_alt_state_attr != '' and ('altstateattrname' not in acc_plugin_cfg or (acc_plugin_cfg['altstateattrname'] != ds389_plugin_account_policy_alt_state_attr))" + +- name: 'Check for always-record-login-attr for vanishing' + set_fact: + attrs_remove: "{{ always-record-login-attr + ['alwaysrecordloginattr']" + when: "('alwaysrecordloginattr' in acc_plugin_cfg) and (ds389_plugin_account_policy_always-record-login-attr == None or ds389_plugin_account_policy_always-record-login-attr == '')" + +- name: 'Check for always-record-login-attr' + set_fact: + exec_set: true + when: "ds389_plugin_account_policy_always_record_login_attr != None and ds389_plugin_account_policy_always_record_login_attr != '' and 
('alwaysrecordloginattr' not in acc_plugin_cfg or (acc_plugin_cfg['alwaysrecordloginattr'] != ds389_plugin_account_policy_always_record_login_attr))" + +# Failing: --limit-attr --spec-attr --state-attr --login-history-size --check-all-state-attrs + +- name: 'Setting new configuration for account-policy Plugin' + when: exec_set == true + block: + + - name: "Init + set var plugin_acc_policy_cmd + restart_389ds." + set_fact: + plugin_acc_policy_cmd: "dsconf {{ slapd_instance | quote }} plugin account-policy config-entry set" + restart_389ds: true + + - name: "Add --always-record-login to command." + set_fact: + plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} --always-record-login {{ ds389_plugin_account_policy_always_record_login | bool_to_yes_no }}" + + - name: "Add --alt-state-attr to command." + set_fact: + plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} --alt-state-attr {{ ds389_plugin_account_policy_alt_state_attr | quote }}" + when: ds389_plugin_account_policy_alt_state_attr != None and ds389_plugin_account_policy_alt_state_attr != '' + + - name: "Add --always-record-login-attr to command." + set_fact: + plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} --always-record-login-attr {{ ds389_plugin_account_policy_always_record_login_attr | quote }}" + when: ds389_plugin_account_policy_always_record_login_attr != None and ds389_plugin_account_policy_always_record_login_attr != '' + + - name: "Add config DN to plugin_acc_policy_cmd." + set_fact: + plugin_acc_policy_cmd: "{{ plugin_acc_policy_cmd }} {{ acc_plugin_entry | quote }}" + + - name: "Show the command to execute:" + debug: + var: plugin_acc_policy_cmd + verbosity: 0 + + +# vim: filetype=yaml diff --git a/roles/389ds-config-plugins/tasks/main.yaml b/roles/389ds-config-plugins/tasks/main.yaml index cc9b468..892844e 100644 --- a/roles/389ds-config-plugins/tasks/main.yaml +++ b/roles/389ds-config-plugins/tasks/main.yaml 
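Review bot: The two "for vanishing" tasks cannot execute: `alt-state-attr` and `ds389_plugin_account_policy_alt-state-attr` are not valid Jinja identifiers (they parse as subtractions of undefined names) and the set_fact template lacks its closing `}}`, so the task errors as soon as `altstateattrname` is present in the current config (the `and` short-circuits before that). They should read `attrs_remove: "{{ attrs_remove + ['altstateattrname'] }}"` with `when: "('altstateattrname' in acc_plugin_cfg) and (ds389_plugin_account_policy_alt_state_attr == None or ds389_plugin_account_policy_alt_state_attr == '')"`, and the `alwaysrecordloginattr` task needs the same three corrections. `attrs_remove` is then never consumed by the command-building block, and the `|| true` on both dsconf shell tasks masks a failing dsconf (wrong instance name, no permission), so the first symptom becomes an unrelated undefined `['arg0']` later; checking dsconf's exit status explicitly before the grep would make failures legible. The file is new and the hunk runs to its end.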
@@ -12,4 +12,8 @@ include_tasks: 'attr-uniq.yaml' when: (ds389_plugin_attr_uniq_config | bool) == true +- name: "Configuring the 389ds account-policy-Plugin." + include_tasks: 'account-policy.yaml' + when: (ds389_plugin_account_policy_config | bool) == true + # vim: filetype=yaml