From 4afe7cbe151c1e28b25b4fdd83b2245cf807ff8e Mon Sep 17 00:00:00 2001
From: Christian Elberfeld <christian.elberfeld@adesso.de>
Date: Sun, 3 Feb 2019 07:15:05 +0100
Subject: [PATCH] Vorbereitung LDAP sync auf zwei server

---
 .../docker_ldap/tasks/main.yml                |  5 +--
 .../docker_ldap/templates/docker-compose.yml  | 38 ++++++++++++++++++
 .../includes/verwaltung-ldap.warpzone.ms      |  4 ++
 group_vars/prod                               | 10 ++++-
 group_vars/test                               |  3 +-
 host_vars/verwaltung                          |  1 +
 host_vars/warpsrvint                          |  3 +-
 warpsrvint/main.yml                           |  2 +-
 warpsrvint/nginx/includes/ldap                | 13 +++++++
 webserver-test/main.yml                       |  2 +-
 webserver/docker_gitlab/tasks/main.yml        |  1 -
 .../docker_ldap/templates/docker-compose.yml  | 39 -------------------
 webserver/main.yml                            |  2 +-
 13 files changed, 73 insertions(+), 50 deletions(-)
 rename {webserver => common}/docker_ldap/tasks/main.yml (74%)
 create mode 100644 common/docker_ldap/templates/docker-compose.yml
 create mode 100644 common/nginx/includes/verwaltung-ldap.warpzone.ms
 create mode 100644 warpsrvint/nginx/includes/ldap
 delete mode 100644 webserver/docker_ldap/templates/docker-compose.yml

diff --git a/webserver/docker_ldap/tasks/main.yml b/common/docker_ldap/tasks/main.yml
similarity index 74%
rename from webserver/docker_ldap/tasks/main.yml
rename to common/docker_ldap/tasks/main.yml
index 9e266a16..c2da4149 100644
--- a/webserver/docker_ldap/tasks/main.yml
+++ b/common/docker_ldap/tasks/main.yml
@@ -2,9 +2,8 @@
 
 - include_tasks: ../functions/get_secret.yml
   with_items:
-   - { path: /srv/ldap/ldap_admin_pass,  length: 24 }
-   - { path: /srv/ldap/ldap_config_pass,  length: 24 }
-   - { path: /srv/ldap/ldap_readonly_pass,  length: 24 }
+   - { path: /srv/ldap/secret/ldap_admin_pass,  length: 24 }
+   - { path: /srv/ldap/secret/ldap_readonly_pass,  length: 24 }
 
 - name: create folder struct for ldap
   file:
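Review bot: Dropping the `ldap_config_pass` secret removes the only separate credential for the cn=config administrator; the new compose template in this same commit sets `LDAP_CONFIG_PASSWORD={{ ldap_admin_pass }}`, so the directory admin password and the config password collapse into one secret. As far as I recall the osixia image's default syncrepl stanza binds to the peer as cn=admin,cn=config with LDAP_CONFIG_PASSWORD, which would mean the replication credential is now also the full directory admin password — verify that before relying on it. Keeping `- { path: /srv/ldap/secret/ldap_config_pass,  length: 24 }` in this list and templating it into LDAP_CONFIG_PASSWORD preserves the separation at no cost. The `create folder struct for ldap` task that should create the new /srv/ldap/secret directory continues outside this hunk; confirm it sets a restrictive mode (0700, root-owned) since the three password files now live under it.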
diff --git a/common/docker_ldap/templates/docker-compose.yml b/common/docker_ldap/templates/docker-compose.yml
new file mode 100644
index 00000000..41e4326d
--- /dev/null
+++ b/common/docker_ldap/templates/docker-compose.yml
@@ -0,0 +1,38 @@
+
+version: "3"
+
+services:
+
+  openldap:
+    image: osixia/openldap:1.2.2
+    restart: always
+    command: --loglevel debug 
+    network_mode: host
+    volumes:
+      - /srv/ldap/database:/var/lib/ldap
+      - /srv/ldap/config:/etc/ldap/slapd.d
+    environment:
+      - HOSTNAME={{ int_ip4 }}
+      - LDAP_BACKEND=hdb 
+      - LDAP_ORGANISATION={{ ldap_org }}
+      - LDAP_DOMAIN={{ ldap_domain }}
+      - LDAP_ADMIN_PASSWORD={{ ldap_admin_pass }}
+      - LDAP_CONFIG_PASSWORD={{ ldap_admin_pass }}
+      - LDAP_READONLY_USER=true
+      - LDAP_READONLY_USER_USERNAME=readonly
+      - LDAP_READONLY_USER_PASSWORD={{ ldap_readonly_pass }}
+      - LDAP_TLS_VERIFY_CLIENT=never
+      - LDAP_REPLICATION=true
+      - LDAP_REPLICATION_HOSTS=#PYTHON2BASH:['ldap://{{ hostvars['webserver'].int_ip4 }}','ldap://{{ hostvars['warpsrvint'].int_ip4 }}']
+
+  phpldapadmin:
+    image: osixia/phpldapadmin:0.7.2
+    restart: always
+    depends_on:
+      - openldap
+    ports:
+      - 127.0.0.1:42004:80
+    environment:
+      - PHPLDAPADMIN_LDAP_HOSTS={{ int_ip4 }}
+      - PHPLDAPADMIN_HTTPS=false
+      - PHPLDAPADMIN_TRUST_PROXY_SSL=true
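Review bot: `network_mode: host` makes slapd listen on 389/636 on every interface of the host, whereas the template this commit deletes bound both ports to `ldap_ip_ext` only; on the webserver that now includes its external address unless a host firewall blocks it, and it coincides with `LDAP_TLS_VERIFY_CLIENT=never` and replication peers addressed as plain `ldap://`. Replace `network_mode: host` with `ports:` entries `- "{{ int_ip4 }}:389:389"` and `- "{{ int_ip4 }}:636:636"` as before, or restrict 389/636 to the two replication peers in the host firewall, and confirm the osixia default syncrepl settings actually enforce StartTLS for `ldap://` peers — otherwise the config credential and directory contents cross the network in clear. `command: --loglevel debug` on a production directory writes bind activity and DNs into the container log; drop it to `info` (or remove the override) once replication is confirmed working. The `HOSTNAME={{ int_ip4 }}` value is what the image uses to recognise itself in LDAP_REPLICATION_HOSTS, so it must match the peer list byte for byte after the IP changes elsewhere in this commit.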
diff --git a/common/nginx/includes/verwaltung-ldap.warpzone.ms b/common/nginx/includes/verwaltung-ldap.warpzone.ms
new file mode 100644
index 00000000..d4ef0db9
--- /dev/null
+++ b/common/nginx/includes/verwaltung-ldap.warpzone.ms
@@ -0,0 +1,4 @@
+
+    location / {
+      rewrite     ^(.*)   https://ldap.warpzone.ms$1;
+    }
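Review bot: The bare `rewrite ^(.*) https://ldap.warpzone.ms$1;` produces a temporary 302 and relies on a regex capture to carry the path. The idiomatic form is `return 301 https://ldap.warpzone.ms$request_uri;`, which keeps the query string explicitly, makes the redirect permanent so clients cache it, and avoids the regex engine for every request. If the vhost for verwaltung-ldap.warpzone.ms also needs an HTTP-to-HTTPS hop, that is handled by the common nginx role, which is not visible in this hunk.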
diff --git a/group_vars/prod b/group_vars/prod
index ce6d6ce3..156d26d4 100644
--- a/group_vars/prod
+++ b/group_vars/prod
@@ -6,9 +6,9 @@ ldap_port_secure: 636
 
 # IP Adresse des LDAP Servers
 # Extern läuft auf dem webserver
-ldap_ip_ext: 10.0.20.2
+ldap_ip_ext: 10.42.1.1
 # int ist noch ungenutzt / später replikation in der Zone
-ldap_ip_int: 10.0.20.2
+ldap_ip_int: 10.42.1.1
 
 
 # Basis-Informationen der LDAP Konfiguration 
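Review bot: The comment above `ldap_ip_int` still says the internal address is unused and replication comes "later", while this commit sets up replication to warpsrvint (192.168.0.201 in host_vars); the variable is updated to the same address as `ldap_ip_ext` (10.42.1.1), so any role in the zone that reads `ldap_ip_int` will still talk to the webserver instance rather than the local replica. Either point it at the replica, `ldap_ip_int: 192.168.0.201`, or change the comment to say this variable is superseded by the per-host `int_ip4` and the hostvars-based peer list. Since the new compose template takes peer addresses from hostvars and not from these two variables, check which roles still consume `ldap_ip_ext`/`ldap_ip_int` before changing them.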
@@ -19,6 +19,12 @@ ldap_admin_bind_dn: cn=admin,dc=warpzone,dc=ms
 ldap_readonly_bind_dn: cn=readonly,dc=warpzone,dc=ms
 
 
+# SMTP Settings 
+smtp_host: smtp.warpzone.ms
+smtp_port: 25 
+noreply_email_user: noreply@warpzone.ms
+
+
 # Zentrale InfluxDb für Systemmonitoring  
 influxdb_sysmon:
   url: "http://192.168.0.201:18086"
diff --git a/group_vars/test b/group_vars/test
index abde386c..acff2065 100644
--- a/group_vars/test
+++ b/group_vars/test
@@ -21,4 +21,5 @@ ldap_readonly_bind_dn: cn=readonly,dc=warpzone-test,dc=ms
 # SMTP Settings 
 smtp_host: smtp.warpzone.ms
 smtp_port: 25 
-noreply_email_user: noreply@warpzone.ms
+noreply_email_user: test-noreply-test@warpzone.ms
+
diff --git a/host_vars/verwaltung b/host_vars/verwaltung
index 6b6fedb4..1fef3bf4 100644
--- a/host_vars/verwaltung
+++ b/host_vars/verwaltung
@@ -33,6 +33,7 @@ host_type: "vm"
 webserver_domains: 
   - "verwaltung.warpzone.ms"
   - "verwaltung-git.warpzone.ms"
+  - "verwaltung-ldap.warpzone.ms"
 
 
 #OpenVPN Konfigurationen 
diff --git a/host_vars/warpsrvint b/host_vars/warpsrvint
index 92756249..aba465f7 100644
--- a/host_vars/warpsrvint
+++ b/host_vars/warpsrvint
@@ -24,7 +24,7 @@ debian_keys_url:
 # Primäre IP Adressen des Hosts 
 #ext_ip4: <keine>
 #ext_ip6: <keine>
-int_ip4: 10.42.3.1
+int_ip4: 192.168.0.201
 
 
 # Art des Hosts: physical, vm, docker 
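Review bot: Changing `int_ip4` to 192.168.0.201 moves warpsrvint off the 10.42.x range the webserver uses (10.42.1.1), and this value is used in the new compose template both as slapd's HOSTNAME and as the replication peer URI seen from the webserver. Verify the two hosts can actually reach each other on those addresses (for example over the OpenVPN tunnel configured elsewhere) before enabling replication, since a syncrepl peer that is unreachable will retry forever with `retry="60 +"` and the failure only shows up in the container log. The same address is already used for influxdb_sysmon in group_vars/prod, so it appears to be the LAN address rather than a VPN one.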
@@ -34,6 +34,7 @@ host_type: "physical"
 webserver_domains: 
   - "infra"
   - "infra-test"
+  - "ldap"
 
 administratorenteam:
   - "void"
diff --git a/warpsrvint/main.yml b/warpsrvint/main.yml
index 796cbd87..27b789fd 100644
--- a/warpsrvint/main.yml
+++ b/warpsrvint/main.yml
@@ -7,6 +7,7 @@
     - { role: ../common/borgserver, tags: borgserver }
     - { role: ../common/docker, tags: docker }
     - { role: ../common/telegraf, tags: telegraf }
+    - { role: ../common/docker_ldap, tags: ldap }
     - { role: nginx, tags: nginx }
     - { role: docker_grafana, tags: grafana }
     - { role: docker_influx, tags: influx }
@@ -14,7 +15,6 @@
     - { role: docker_kapacitor, tags: kapacitor }
     - { role: docker_librenms, tags: librenms }
     - { role: docker_l4z0r, tags: l4z0r }
-#    - { role: docker_ldap, tags: ldap }
     - { role: docker_matestatdb, tags: matestatdb }
     - { role: docker_mqtt, tags: mqtt }
     - { role: docker_nodered, tags: nodered }
diff --git a/warpsrvint/nginx/includes/ldap b/warpsrvint/nginx/includes/ldap
new file mode 100644
index 00000000..d37146d7
--- /dev/null
+++ b/warpsrvint/nginx/includes/ldap
@@ -0,0 +1,13 @@
+
+
+
+    location /  {
+        	proxy_set_header        Host $host;
+        	proxy_set_header        X-Real-IP $remote_addr;
+
+	        proxy_pass      http://127.0.0.1:42004/;
+        	proxy_redirect  off;
+
+    }
+
+
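Review bot: This location proxies the phpldapadmin admin console with no access restriction, so it is reachable by anyone who can reach the `ldap` vhost; whether the common nginx role limits that vhost to the internal network is not visible here — if it does not, add `allow`/`deny` rules for the admin network (or client-certificate auth) to this block. The upstream runs with `PHPLDAPADMIN_HTTPS=false` and `PHPLDAPADMIN_TRUST_PROXY_SSL=true`, which as far as I recall of the osixia image relies on an `X-Forwarded-Proto` header to know the session is TLS; add `proxy_set_header X-Forwarded-Proto $scheme;` beside the existing headers, and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` so the upstream's access log keeps the real client. Style: the block mixes tabs and spaces for indentation while the other include added in this commit uses spaces only.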
diff --git a/webserver-test/main.yml b/webserver-test/main.yml
index 74f0f15e..12dcc535 100644
--- a/webserver-test/main.yml
+++ b/webserver-test/main.yml
@@ -5,7 +5,7 @@
   roles:
     - { role: ../common/docker, tags: docker }
     - { role: ../common/nginx, tags: nginx }
-    - { role: ../webserver/docker_ldap, tags: ldap }
+#    - { role: ../webserver/docker_ldap, tags: ldap }
     - { role: ../webserver/docker_wordpress, tags: wordpress }
 
 #    - { role: docker_mail, tags: mail }
diff --git a/webserver/docker_gitlab/tasks/main.yml b/webserver/docker_gitlab/tasks/main.yml
index b321d09b..c9b45df1 100644
--- a/webserver/docker_gitlab/tasks/main.yml
+++ b/webserver/docker_gitlab/tasks/main.yml
@@ -10,7 +10,6 @@
   slurp: src={{ item }}
   with_items:
     - /srv/shared/noreply_email_pass
-    - /srv/ldap/secret/ldap_readonly_pass
   register: gitlab_secrets
 
 - name: get secrets from server 2
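Review bot: Removing the readonly-pass slurp shrinks `gitlab_secrets.results` to a single item; the task that consumes this register is outside the hunk, so if it still indexes `results[1]` or templates the LDAP bind password into GitLab's configuration it will now fail or render an empty bind password — confirm the consumer was updated. Note also that the path removed here (`/srv/ldap/secret/ldap_readonly_pass`) is the one the LDAP role only starts writing to in this commit; if GitLab still needs the LDAP readonly credential, the `get secrets from server 2` task below is presumably where it comes from now and should read that same path.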
diff --git a/webserver/docker_ldap/templates/docker-compose.yml b/webserver/docker_ldap/templates/docker-compose.yml
deleted file mode 100644
index e72b2350..00000000
--- a/webserver/docker_ldap/templates/docker-compose.yml
+++ /dev/null
@@ -1,39 +0,0 @@
-
-version: "3"
-
-services:
-
-  openldap:
-    image: osixia/openldap:1.1.10
-    restart: always
-    hostname: "{{ ldap_ip_ext }}"
-    ports:
-      - "{{ ldap_ip_ext }}:{{ ldap_port_default }}:389"
-      - "{{ ldap_ip_ext }}:{{ ldap_port_secure }}:636"
-    volumes:
-      - /srv/ldap/database:/var/lib/ldap
-      - /srv/ldap/config:/etc/ldap/slapd.d
-    environment:
-      - LDAP_ORGANISATION="{{ ldap_org }}"
-      - LDAP_DOMAIN="{{ ldap_domain }}"
-      - LDAP_ADMIN_PASSWORD="{{ ldap_admin_pass }}"
-      - LDAP_CONFIG_PASSWORD="{{ ldap_config_pass }}"  
-      - LDAP_READONLY_USER=true
-      - LDAP_READONLY_USER_USERNAME=readonly
-      - LDAP_READONLY_USER_PASSWORD="{{ ldap_readonly_pass }}"
-      - LDAP_REPLICATION=true
-      - LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://{{ ldap_ip_ext }}:{{ ldap_port_default }}']"
-
-#      - LDAP_REPLICATION_HOSTS="#PYTHON2BASH:['ldap://{{ ldap_ip_ext }}:{{ ldap_port_default }}','ldap://{{ ldap_ip_int }}:{{ ldap_port_default }}']"
-
-  phpldapadmin:
-    image: osixia/phpldapadmin:0.7.1
-    restart: always
-    depends_on:
-      - openldap
-    ports:
-      - 127.0.0.1:42004:80
-    environment:
-      - PHPLDAPADMIN_LDAP_HOSTS=openldap
-      - PHPLDAPADMIN_HTTPS=false
-      - PHPLDAPADMIN_TRUST_PROXY_SSL=true
diff --git a/webserver/main.yml b/webserver/main.yml
index e640968d..fc65aac3 100644
--- a/webserver/main.yml
+++ b/webserver/main.yml
@@ -8,13 +8,13 @@
     - { role: ../common/telegraf, tags: telegraf }
     - { role: ../common/nginx, tags: nginx }
     - { role: ../common/openvpn, tags: openvpn }
+    - { role: ../common/docker_ldap, tags: ldap }
     - { role: docker_alerta, tags: alerta }
     - { role: docker_dokuwiki, tags: dokuwiki }
     - { role: docker_etherpad, tags: etherpad }
     - { role: docker_gitlab, tags: gitlab }
     - { role: docker_hackmd, tags: hackmd }
     - { role: docker_jabber, tags: jabber }
-    - { role: docker_ldap, tags: ldap }
     - { role: docker_keycloak, tags: keycloak }
     - { role: docker_matterbridge, tags: matterbridge }
     - { role: docker_warpinfra, tags: warpinfra }
-- 
GitLab