From 86f6bd478178af018220c431cbcfeb7bc796d396 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Thu, 17 Mar 2022 19:00:06 +0100
Subject: [PATCH] Update to 2022-03-17 19:00
---
 roles/ldap2pg/defaults/main.yml | 6 ++++--
 roles/ldap2pg/files/ldap2pg_cacert.diff | 10 ++++++++++
 roles/ldap2pg/tasks/install.yml | 9 ++++++++-
 roles/ldap2pg/tasks/services.yml | 2 +-
 roles/ldap2pg/templates/ldap2pg.service.j2 | 2 +-
 roles/ldap2pg/templates/ldap2pg.timer.j2 | 3 ++-
 roles/ldap2pg/vars/RedHat-7.yml | 6 ++++++
 roles/ldap2pg/vars/{RedHat.yml => RedHat-8.yml} | 0
 8 files changed, 32 insertions(+), 6 deletions(-)
 create mode 100644 roles/ldap2pg/files/ldap2pg_cacert.diff
 create mode 100644 roles/ldap2pg/vars/RedHat-7.yml
 rename roles/ldap2pg/vars/{RedHat.yml => RedHat-8.yml} (100%)
diff --git a/roles/ldap2pg/defaults/main.yml b/roles/ldap2pg/defaults/main.yml
index 2a1065f..9cf613d 100644
--- a/roles/ldap2pg/defaults/main.yml
+++ b/roles/ldap2pg/defaults/main.yml
@@ -1,13 +1,15 @@
 ---
 # How often ldap2pg will sync (eg hourly, '*:0:15', systemd timer syntaxe)
-# A value of never will disable automatic sync (you can still fire the ldap2pg service manually)
-ldap2pg_sync_freq: never
+ldap2pg_sync_freq: hourly
 # Under which account will ldap2pg run
 # Default is under the local postgres account which is fine for managing a local postgres instance
 ldap2pg_user: postgres
+# Set dry mode to False to actually do the sync
+ldap2pg_dry_mode: True
+
 ldap2pg_base_conf:
 version: 5
 ldap:
diff --git a/roles/ldap2pg/files/ldap2pg_cacert.diff b/roles/ldap2pg/files/ldap2pg_cacert.diff
new file mode 100644
index 0000000..db678a7
--- /dev/null
+++ b/roles/ldap2pg/files/ldap2pg_cacert.diff
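Review bot: `ldap2pg_dry_mode: True` uses a capitalised boolean; write `ldap2pg_dry_mode: true` so yamllint's truthy rule and YAML 1.2 parsers agree on the type. The hunk also changes the default of `ldap2pg_sync_freq` from `never` to `hourly` and drops the comment that documented `never`, but nothing left in the file tells a reader that `never` is no longer a meaningful value. Suggest extending the comment above the key with `# 'never' is no longer supported; set ldap2pg_dry_mode: true to keep the timer stopped`, and noting on the dry-mode comment that dry mode also stops and disables the systemd timer (tasks/services.yml in this commit), not only adds --dry to the service.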
@@ -0,0 +1,10 @@
+--- /usr/lib/python2.7/site-packages/ldap2pg/ldap.py.orig 2022-03-17 14:52:58.974806660 +0100
++++ /usr/lib/python2.7/site-packages/ldap2pg/ldap.py 2022-03-17 15:03:47.449618132 +0100
+@@ -293,6 +293,7 @@
+ 
+ if options.get('STARTTLS'):
+ logger.debug("Sending STARTTLS.")
++ conn.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/pki/tls/cert.pem')
+ conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
+ conn.start_tls_s()
+ 
diff --git a/roles/ldap2pg/tasks/install.yml b/roles/ldap2pg/tasks/install.yml
index e1ff7dc..4b31021 100644
--- a/roles/ldap2pg/tasks/install.yml
+++ b/roles/ldap2pg/tasks/install.yml
@@ -4,6 +4,13 @@
 package: name={{ ldap2pg_packages }}
 tags: pg
+- name: Patch ldap2pg to specify global cacert
+ patch: src=ldap2pg_cacert.diff dest=/usr/lib/python2.7/site-packages/ldap2pg/ldap.py
+ when:
+ - ansible_os_family == 'RedHat'
+ - ansible_distribution_major_version is version('8', '<')
+ tags: pg
+
 - name: Install systemd unit
 template: src=ldap2pg.{{ item }}.j2 dest=/etc/systemd/system/ldap2pg.{{ item }}
 loop:
@@ -17,5 +24,5 @@
 - name: Reload systemd
 systemd: daemon_reload=True
- when: ldap2Pg_units.results | selectattr('changed','equalto',True) | list | length > 0
+ when: ldap2pg_units.results | selectattr('changed','equalto',True) | list | length > 0
 tags: pg
diff --git a/roles/ldap2pg/tasks/services.yml b/roles/ldap2pg/tasks/services.yml
index a8f9b1e..374edbc 100644
--- a/roles/ldap2pg/tasks/services.yml
+++ b/roles/ldap2pg/tasks/services.yml
@@ -1,5 +1,5 @@
 ---
 - name: Handle ldap2pg timer
- systemd: name=ldap2pg.timer state={{ (ldap2pg_sync_freq == 'never') | ternary('stopped', 'started') }} enabled={{ (ldap2pg_sync_freq == 'never') | ternary(False, True) }}
+ systemd: name=ldap2pg.timer state={{ ldap2pg_dry_mode | ternary('stopped', 'started') }} enabled={{ ldap2pg_dry_mode | ternary(False, True) }}
 tags: pg
diff --git a/roles/ldap2pg/templates/ldap2pg.service.j2 b/roles/ldap2pg/templates/ldap2pg.service.j2
index f254fa9..4edf356 100644
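Review bot: The added `conn.set_option(ldap.OPT_X_TLS_CACERTFILE, '/etc/pki/tls/cert.pem')` only tells libldap where the trust bundle is; the hunk sets no `OPT_X_TLS_REQUIRE_CERT`, so whether the server certificate is actually verified on STARTTLS still depends on the client-side `TLS_REQCERT` setting in ldap.conf, which is worth confirming before relying on this patch for transport security. The bundle path and the python2.7 site-packages location are hard-coded twice in this commit (here and in tasks/install.yml), and because the target is a package-owned file the change is lost on every ldap2pg package update until the role runs again. A short preamble comment at the top of the diff file, such as `# Workaround for ldap2pg on EL7: point libldap at the system CA bundle when STARTTLS is used; re-applied by tasks/install.yml`, would tell the next maintainer why the code is patched rather than configured.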
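Review bot: The new task under `- name: Patch ldap2pg to specify global cacert` passes module arguments in `key=value` shorthand; Ansible style is block YAML, `patch:` / `  src: ldap2pg_cacert.diff` / `  dest: /usr/lib/python2.7/site-packages/ldap2pg/ldap.py`. The `dest` path duplicates the path embedded in files/ldap2pg_cacert.diff, so a shared variable or at least a comment pointing at that file would keep the two from drifting. The task also silently depends on the `patch` package that vars/RedHat-7.yml adds in this same commit; stating that in a comment on the task would make the dependency explicit. The second hunk of this file only corrects the `ldap2Pg_units` typo.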
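Review bot: `ldap2pg_dry_mode | ternary('stopped', 'started')` tests the raw Jinja truthiness of the variable, so a value supplied as a string (for example `-e ldap2pg_dry_mode=False` on the command line) is non-empty and therefore true, leaving the timer stopped although the operator asked for real mode; filter through `bool` first, `state={{ ldap2pg_dry_mode | bool | ternary('stopped', 'started') }} enabled={{ not (ldap2pg_dry_mode | bool) }}`. The same applies to the `--{{ ldap2pg_dry_mode | ternary('dry', 'real') }}` expression in templates/ldap2pg.service.j2 in this commit. Tying the timer state to dry mode also removes the previous way to keep the timer disabled while still permitting manual real runs (`ldap2pg_sync_freq: never`); if that is intended, a comment on this task saying that the timer is stopped whenever dry mode is on would make it clear.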
--- a/roles/ldap2pg/templates/ldap2pg.service.j2
+++ b/roles/ldap2pg/templates/ldap2pg.service.j2
@@ -6,5 +6,5 @@ Type=oneshot
 PrivateTmp=yes
 User={{ ldap2pg_user }}
 Group={{ ldap2pg_user }}
-ExecStart=/bin/ldap2pg -c /etc/ldap2pg.yml --real
+ExecStart=/bin/ldap2pg -c /etc/ldap2pg.yml --{{ ldap2pg_dry_mode | ternary('dry', 'real') }}
 TimeoutSec=30m
diff --git a/roles/ldap2pg/templates/ldap2pg.timer.j2 b/roles/ldap2pg/templates/ldap2pg.timer.j2
index 31c01d4..55712ad 100644
--- a/roles/ldap2pg/templates/ldap2pg.timer.j2
+++ b/roles/ldap2pg/templates/ldap2pg.timer.j2
@@ -2,7 +2,8 @@
 Description=Sync postgres role from LDAP
 [Timer]
-OnCalendar={{ (ldap2pg_sync_freq == 'never') | ternary('daily', ldap2pg_sync_freq) }}
+OnCalendar={{ ldap2pg_sync_freq }}
+RandomizedDelaySec=5m
 [Install]
 WantedBy=timers.target
diff --git a/roles/ldap2pg/vars/RedHat-7.yml b/roles/ldap2pg/vars/RedHat-7.yml
new file mode 100644
index 0000000..74757fb
--- /dev/null
+++ b/roles/ldap2pg/vars/RedHat-7.yml
@@ -0,0 +1,6 @@
+---
+
+ldap2pg_packages:
+ - ldap2pg
+ - python-setuptools
+ - patch
diff --git a/roles/ldap2pg/vars/RedHat.yml b/roles/ldap2pg/vars/RedHat-8.yml
similarity index 100%
rename from roles/ldap2pg/vars/RedHat.yml
rename to roles/ldap2pg/vars/RedHat-8.yml
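Review bot: `OnCalendar={{ ldap2pg_sync_freq }}` now passes the variable straight through, so an inventory that still sets the previously documented `ldap2pg_sync_freq: never` renders `OnCalendar=never`, which systemd should reject as an invalid calendar expression when the timer is started. The commit also deletes the comment in defaults/main.yml that documented `never`, so nothing warns the operator; either add an `assert` task in tasks/ that `ldap2pg_sync_freq != 'never'` with a message pointing to `ldap2pg_dry_mode`, or document the removal next to the default. `RandomizedDelaySec=5m` is a sensible addition; a one-line comment above it, `# spread syncs from several hosts so the LDAP server is not hit at the same instant`, would record the intent, if that is indeed the reason.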
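Review bot: This new vars file, together with the rename of RedHat.yml to RedHat-8.yml, only takes effect if the role loads vars by `ansible_os_family` and `ansible_distribution_major_version`; the diffstat shows no change to tasks/main.yml, so the loading task must already use the major-version filename, which cannot be verified from this patch, and if it still loads plain `RedHat.yml` then `ldap2pg_packages` becomes undefined on every RedHat host. `patch` is only present to support the `Patch ldap2pg to specify global cacert` task in tasks/install.yml, and the reason for `python-setuptools` is not visible here; a comment on each entry, e.g. `  - patch  # needed by the ldap2pg_cacert.diff workaround in tasks/install.yml`, would make the EL7-only dependencies explicit.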