From 4afe7cbe151c1e28b25b4fdd83b2245cf807ff8e Mon Sep 17 00:00:00 2001
From: Christian Elberfeld <christian.elberfeld@adesso.de>
Date: Sun, 3 Feb 2019 07:15:05 +0100
Subject: [PATCH] Vorbereitung LDAP sync auf zwei server
---
 .../docker_ldap/tasks/main.yml | 5 +--
 .../docker_ldap/templates/docker-compose.yml | 38 ++++++++++++++++++
 .../includes/verwaltung-ldap.warpzone.ms | 4 ++
 group_vars/prod | 10 ++++-
 group_vars/test | 3 +-
 host_vars/verwaltung | 1 +
 host_vars/warpsrvint | 3 +-
 warpsrvint/main.yml | 2 +-
 warpsrvint/nginx/includes/ldap | 13 +++++++
 webserver-test/main.yml | 2 +-
 webserver/docker_gitlab/tasks/main.yml | 1 -
 .../docker_ldap/templates/docker-compose.yml | 39 -------------------
 webserver/main.yml | 2 +-
 13 files changed, 73 insertions(+), 50 deletions(-)
 rename {webserver => common}/docker_ldap/tasks/main.yml (74%)
 create mode 100644 common/docker_ldap/templates/docker-compose.yml
 create mode 100644 common/nginx/includes/verwaltung-ldap.warpzone.ms
 create mode 100644 warpsrvint/nginx/includes/ldap
 delete mode 100644 webserver/docker_ldap/templates/docker-compose.yml
diff --git a/webserver/docker_ldap/tasks/main.yml b/common/docker_ldap/tasks/main.yml
similarity index 74%
rename from webserver/docker_ldap/tasks/main.yml
rename to common/docker_ldap/tasks/main.yml
index 9e266a16..c2da4149 100644
--- a/webserver/docker_ldap/tasks/main.yml
+++ b/common/docker_ldap/tasks/main.yml
@@ -2,9 +2,8 @@ - include_tasks: ../functions/get_secret.yml with_items: - - { path: /srv/ldap/ldap_admin_pass, length: 24 } - - { path: /srv/ldap/ldap_config_pass, length: 24 } - - { path: /srv/ldap/ldap_readonly_pass, length: 24 } + - { path: /srv/ldap/secret/ldap_admin_pass, length: 24 } + - { path: /srv/ldap/secret/ldap_readonly_pass, length: 24 } - name: create folder struct for ldap file:
diff --git a/common/docker_ldap/templates/docker-compose.yml b/common/docker_ldap/templates/docker-compose.yml
new file mode 100644
index 00000000..41e4326d
--- /dev/null
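Review bot: Moving the secret files from /srv/ldap/ to /srv/ldap/secret/ means that on a host which already holds /srv/ldap/ldap_admin_pass a new value will presumably be generated at the new path (the `length: 24` argument suggests get_secret.yml creates one when the file is missing; the include itself is outside this hunk), so `{{ ldap_admin_pass }}` stops matching the password already stored in the existing slapd database and cn=config. Either move the old files before the include, e.g. a `command: mv /srv/ldap/ldap_admin_pass /srv/ldap/secret/ldap_admin_pass` task with `args: { creates: /srv/ldap/secret/ldap_admin_pass, removes: /srv/ldap/ldap_admin_pass }`, or document the manual migration step in the role. Dropping `ldap_config_pass` also leaves the cn=config password without a secret of its own; the compose template in this commit reuses the admin password for it. The `create folder struct for ldap` task continues outside the hunk.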
+++ b/common/docker_ldap/templates/docker-compose.yml
@@ -0,0 +1,38 @@
+
+version: "3"
+
+services:
+
+ openldap:
+ image: osixia/openldap:1.2.2
+ restart: always
+ command: --loglevel debug
+ network_mode: host
+ volumes:
+ - /srv/ldap/database:/var/lib/ldap
+ - /srv/ldap/config:/etc/ldap/slapd.d
+ environment:
+ - HOSTNAME={{ int_ip4 }}
+ - LDAP_BACKEND=hdb
+ - LDAP_ORGANISATION={{ ldap_org }}
+ - LDAP_DOMAIN={{ ldap_domain }}
+ - LDAP_ADMIN_PASSWORD={{ ldap_admin_pass }}
+ - LDAP_CONFIG_PASSWORD={{ ldap_admin_pass }}
+ - LDAP_READONLY_USER=true
+ - LDAP_READONLY_USER_USERNAME=readonly
+ - LDAP_READONLY_USER_PASSWORD={{ ldap_readonly_pass }}
+ - LDAP_TLS_VERIFY_CLIENT=never
+ - LDAP_REPLICATION=true
+ - LDAP_REPLICATION_HOSTS=#PYTHON2BASH:['ldap://{{ hostvars['webserver'].int_ip4 }}','ldap://{{ hostvars['warpsrvint'].int_ip4 }}']
+
+ phpldapadmin:
+ image: osixia/phpldapadmin:0.7.2
+ restart: always
+ depends_on:
+ - openldap
+ ports:
+ - 127.0.0.1:42004:80
+ environment:
+ - PHPLDAPADMIN_LDAP_HOSTS={{ int_ip4 }}
+ - PHPLDAPADMIN_HTTPS=false
+ - PHPLDAPADMIN_TRUST_PROXY_SSL=true
diff --git a/common/nginx/includes/verwaltung-ldap.warpzone.ms b/common/nginx/includes/verwaltung-ldap.warpzone.ms
new file mode 100644
index 00000000..d4ef0db9
--- /dev/null
+++ b/common/nginx/includes/verwaltung-ldap.warpzone.ms
@@ -0,0 +1,4 @@
+
+ location / {
+ rewrite ^(.*) https://ldap.warpzone.ms$1;
+ }
diff --git a/group_vars/prod b/group_vars/prod
index ce6d6ce3..156d26d4 100644
--- a/group_vars/prod
+++ b/group_vars/prod
@@ -6,9 +6,9 @@ ldap_port_secure: 636
 # IP Adresse des LDAP Servers
 # Extern läuft auf dem webserver
-ldap_ip_ext: 10.0.20.2
+ldap_ip_ext: 10.42.1.1
 # int ist noch ungenutzt / später replikation in der Zone
-ldap_ip_int: 10.0.20.2
+ldap_ip_int: 10.42.1.1
 # Basis-Informationen der LDAP Konfiguration
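Review bot: `LDAP_CONFIG_PASSWORD={{ ldap_admin_pass }}` gives cn=config the same secret as the directory admin, and as far as I recall the image's default syncrepl configuration also binds as cn=admin,cn=config with that password, so a single leaked value now covers directory admin, config admin and replication on both hosts. Keep a separate secret (this commit's tasks hunk drops `ldap_config_pass`) and use it here: `- LDAP_CONFIG_PASSWORD={{ ldap_config_pass }}`. `network_mode: host` also makes slapd listen on 389/636 on every host interface instead of the `{{ ldap_ip_ext }}` binding of the deleted template, so exposure now depends entirely on the host firewall, which this commit does not touch, and `LDAP_REPLICATION_HOSTS` names plain `ldap://` peers on 10.42.1.1 and 192.168.0.201, so unless the image turns on StartTLS for syncrepl by default the directory contents cross the network in clear. Finally `command: --loglevel debug` with `restart: always` is a permanent, very verbose setting for a production role; drop it or make it a variable once replication is confirmed working.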
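Review bot: `rewrite ^(.*) https://ldap.warpzone.ms$1;` relies on nginx's implicit 302 for a rewrite to an absolute URL, so the redirect type is neither stated nor obviously intended. For a whole-vhost redirect the idiomatic form is `return 301 https://ldap.warpzone.ms$request_uri;` (or 302 if the move is meant to be temporary), which avoids the regex and makes the status explicit.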
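Review bot: The comment `# int ist noch ungenutzt / später replikation in der Zone` is now stale: this commit does configure replication, but through `hostvars['webserver'].int_ip4` and `hostvars['warpsrvint'].int_ip4` in the compose template, not through `ldap_ip_int`, which is set to the same address as `ldap_ip_ext` here. Either point `ldap_ip_int` at the warpsrvint replica (192.168.0.201 per host_vars in this commit) if clients are supposed to use it, or rewrite the comment to say which roles still consume these two variables and that the replication peers come from hostvars; as written a reader will assume `ldap_ip_int` drives replication.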
@@ -19,6 +19,12 @@ ldap_admin_bind_dn: cn=admin,dc=warpzone,dc=ms
 ldap_readonly_bind_dn: cn=readonly,dc=warpzone,dc=ms
+# SMTP Settings
+smtp_host: smtp.warpzone.ms
+smtp_port: 25
+noreply_email_user: noreply@warpzone.ms
+
+
 # Zentrale InfluxDb für Systemmonitoring
 influxdb_sysmon:
 url: "http://192.168.0.201:18086"
diff --git a/group_vars/test b/group_vars/test
index abde386c..acff2065 100644
--- a/group_vars/test
+++ b/group_vars/test
@@ -21,4 +21,5 @@ ldap_readonly_bind_dn: cn=readonly,dc=warpzone-test,dc=ms
 # SMTP Settings
 smtp_host: smtp.warpzone.ms
 smtp_port: 25
-noreply_email_user: noreply@warpzone.ms
+noreply_email_user: test-noreply-test@warpzone.ms
+
diff --git a/host_vars/verwaltung b/host_vars/verwaltung
index 6b6fedb4..1fef3bf4 100644
--- a/host_vars/verwaltung
+++ b/host_vars/verwaltung
@@ -33,6 +33,7 @@ host_type: "vm" webserver_domains: - "verwaltung.warpzone.ms" - "verwaltung-git.warpzone.ms" + - "verwaltung-ldap.warpzone.ms" #OpenVPN Konfigurationen
diff --git a/host_vars/warpsrvint b/host_vars/warpsrvint
index 92756249..aba465f7 100644
--- a/host_vars/warpsrvint
+++ b/host_vars/warpsrvint
@@ -24,7 +24,7 @@ debian_keys_url:
 # Primäre IP Adressen des Hosts
 #ext_ip4: <keine>
 #ext_ip6: <keine>
-int_ip4: 10.42.3.1
+int_ip4: 192.168.0.201
 # Art des Hosts: physical, vm, docker
@@ -34,6 +34,7 @@ host_type: "physical" webserver_domains: - "infra" - "infra-test" + - "ldap" administratorenteam: - "void"
diff --git a/warpsrvint/main.yml b/warpsrvint/main.yml
index 796cbd87..27b789fd 100644
--- a/warpsrvint/main.yml
+++ b/warpsrvint/main.yml
@@ -7,6 +7,7 @@ - { role: ../common/borgserver, tags: borgserver } - { role: ../common/docker, tags: docker } - { role: ../common/telegraf, tags: telegraf } + - { role: ../common/docker_ldap, tags: ldap } - { role: nginx, tags: nginx } - { role: docker_grafana, tags: grafana } - { role: docker_influx, tags: influx }
@@ -14,7 +15,6 @@ - { role: docker_kapacitor, tags: kapacitor } - { role: docker_librenms, tags: librenms } - { role: docker_l4z0r, tags: l4z0r } -# - { role: docker_ldap, tags: ldap } - { role: docker_matestatdb, tags: matestatdb } - { role: docker_mqtt, tags: mqtt } - { role: docker_nodered, tags: nodered }
diff --git a/warpsrvint/nginx/includes/ldap b/warpsrvint/nginx/includes/ldap
new file mode 100644
index 00000000..d37146d7
--- /dev/null
+++ b/warpsrvint/nginx/includes/ldap
@@ -0,0 +1,13 @@
+
+
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ proxy_pass http://127.0.0.1:42004/;
+ proxy_redirect off;
+
+ }
+
+
diff --git a/webserver-test/main.yml b/webserver-test/main.yml
index 74f0f15e..12dcc535 100644
--- a/webserver-test/main.yml
+++ b/webserver-test/main.yml
@@ -5,7 +5,7 @@ roles: - { role: ../common/docker, tags: docker } - { role: ../common/nginx, tags: nginx } - - { role: ../webserver/docker_ldap, tags: ldap } +# - { role: ../webserver/docker_ldap, tags: ldap } - { role: ../webserver/docker_wordpress, tags: wordpress } # - { role: docker_mail, tags: mail }
diff --git a/webserver/docker_gitlab/tasks/main.yml b/webserver/docker_gitlab/tasks/main.yml
index b321d09b..c9b45df1 100644
--- a/webserver/docker_gitlab/tasks/main.yml
+++ b/webserver/docker_gitlab/tasks/main.yml
@@ -10,7 +10,6 @@ slurp: src={{ item }} with_items: - /srv/shared/noreply_email_pass - - /srv/ldap/secret/ldap_readonly_pass register: gitlab_secrets - name: get secrets from server 2
diff --git a/webserver/docker_ldap/templates/docker-compose.yml b/webserver/docker_ldap/templates/docker-compose.yml
deleted file mode 100644
index e72b2350..00000000
--- a/webserver/docker_ldap/templates/docker-compose.yml
+++ /dev/null
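Review bot: The `location /` block proxies phpldapadmin (bound to 127.0.0.1:42004 in the compose template) with no access control of its own: no `allow`/`deny`, no `auth_basic`, nothing that limits who reaches the admin UI beyond whatever the enclosing server block, which is outside this hunk, may do. Because phpldapadmin accepts directory credentials and this commit also adds a redirect to ldap.warpzone.ms from verwaltung-ldap.warpzone.ms, a source restriction such as `allow <admin-network-cidr>; deny all;` inside this location, or a second authentication layer in front of it, would be appropriate. The proxy also passes no `X-Forwarded-Proto`, although `PHPLDAPADMIN_TRUST_PROXY_SSL=true` in the compose template presumably expects the scheme to come from the proxy; `proxy_set_header X-Forwarded-Proto $scheme;` would make that explicit.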
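Review bot: The commented-out `# - { role: ../webserver/docker_ldap, tags: ldap }` points at a role path this commit appears to remove (its tasks are renamed to common/ and its template deleted), so simply uncommenting it later will fail. If the test webserver is meant to get LDAP back, comment out `../common/docker_ldap` instead; if it is meant to stay without LDAP, delete the line and note in the play where the test hosts obtain their directory.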
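Review bot: Removing `/srv/ldap/secret/ldap_readonly_pass` from this slurp shifts the positions in `gitlab_secrets.results`, so any later lookup by index such as `gitlab_secrets.results[1]` (outside this hunk) now points at the wrong or a missing entry, and if the GitLab template still renders `ldap_readonly_pass` for its LDAP bind the value has to come from somewhere else. Please confirm that the following `get secrets from server 2` task or the new common role supplies it, and prefer selecting secrets by their `item` path rather than by position.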
@@ -1,39 +0,0 @@
-
-version: "3"
-
-services:
-
- openldap:
- image: osixia/openldap:1.1.10
- restart: always
- hostname: "{{ ldap_ip_ext }}"
- ports:
- - "{{ ldap_ip_ext }}:{{ ldap_port_default }}:389"
- - "{{ ldap_ip_ext }}:{{ ldap_port_secure }}:636"
- volumes:
- - /srv/ldap/database:/var/lib/ldap
- - /srv/ldap/config:/etc/ldap/slapd.d
- environment:
- - LDAP_ORGANISATION="{{ ldap_org }}"
- - LDAP_DOMAIN="{{ ldap_domain }}"
- - LDAP_ADMIN_PASSWORD="{{ ldap_admin_pass }}"
- - LDAP_CONFIG_PASSWORD="{{ ldap_config_pass }}"
- - LDAP_READONLY_USER=true
- - LDAP_READONLY_USER_USERNAME=readonly
- - LDAP_READONLY_USER_PASSWORD="{{ ldap_readonly_pass }}"
- - LDAP_REPLICATION=true
- - LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://{{ ldap_ip_ext }}:{{ ldap_port_default }}']"
-# - LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://{{ ldap_ip_ext }}:{{ ldap_port_default }}','ldap://{{ ldap_ip_int }}:{{ ldap_port_default }}']"
-
- phpldapadmin:
- image: osixia/phpldapadmin:0.7.1
- restart: always
- depends_on:
- - openldap
- ports:
- - 127.0.0.1:42004:80
- environment:
- - PHPLDAPADMIN_LDAP_HOSTS=openldap
- - PHPLDAPADMIN_HTTPS=false
- - PHPLDAPADMIN_TRUST_PROXY_SSL=true
diff --git a/webserver/main.yml b/webserver/main.yml
index e640968d..fc65aac3 100644
--- a/webserver/main.yml
+++ b/webserver/main.yml
@@ -8,13 +8,13 @@ - { role: ../common/telegraf, tags: telegraf } - { role: ../common/nginx, tags: nginx } - { role: ../common/openvpn, tags: openvpn } + - { role: ../common/docker_ldap, tags: ldap } - { role: docker_alerta, tags: alerta } - { role: docker_dokuwiki, tags: dokuwiki } - { role: docker_etherpad, tags: etherpad } - { role: docker_gitlab, tags: gitlab } - { role: docker_hackmd, tags: hackmd } - { role: docker_jabber, tags: jabber } - - { role: docker_ldap, tags: ldap } - { role: docker_keycloak, tags: keycloak } - { role: docker_matterbridge, tags: matterbridge } - { role: docker_warpinfra, tags: warpinfra }
-- GitLab