Update to 2022-03-17 09:00

roles/ldap2pg/defaults/main.yml

@@ -0,0 +1,115 @@
+---
+
+# How often ldap2pg will sync (eg hourly, '*:0:15', systemd timer syntaxe)
+# A value of never will disable automatic sync (you can still fire the ldap2pg service manually)
+ldap2pg_sync_freq: never
+
+# Under which account will ldap2pg run
+# Default is under the local postgres account which is fine for managing a local postgres instance
+ldap2pg_user: postgres
+
+ldap2pg_base_conf:
+  version: 5  
+  ldap:
+    uri: "{{ ldap_uri | default('ldap://ldap.' ~ ansible_domain) }}"
+    binddn: CN=Postgres,OU=Apps,{{ (ad_auth | default(False) | ternary('DC=' ~ ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\.',',DC='), 'dc=' ~ ansible_domain | regex_replace('\.',',dc='))) }}
+    password: XXX
+    starttls: True
+  postgres:
+    dsn: postgres://%2Fvar%2Frun%2Fpostgresql/
+    databases_query: |
+      SELECT datname
+      FROM pg_catalog.pg_database
+      WHERE datallowconn IS TRUE AND datname NOT IN ('postgres', 'template0', 'template1');
+  
+    # Only roles member of the special ldap_roles group can be dropped
+    # other role (created manually or outside of ldap2pg scope) will never be dropped
+    managed_roles_query: |
+      SELECT DISTINCT role.rolname
+      FROM pg_roles AS role
+      LEFT OUTER JOIN pg_auth_members AS ms ON ms.member = role.oid
+      LEFT OUTER JOIN pg_roles AS ldap_roles
+        ON ldap_roles.rolname = 'ldap_roles' AND ldap_roles.oid = ms.roleid
+      WHERE ldap_roles.oid IS NOT NULL
+      ORDER BY 1;
+  
+    # Exclude information_schema, pg_catalog, pg_toast, and other system schemas
+    # from privilege management.
+    schemas_query: |
+      SELECT nspname FROM pg_catalog.pg_namespace
+      WHERE nspname NOT LIKE 'pg_%' AND nspname <> 'information_schema'
+      ORDER BY 1;
+
+  privileges:
+    ro:
+      - __connect__
+      - __select_on_tables__
+      - __select_on_sequences__
+      - __usage_on_schemas__
+      - __usage_on_types__
+  
+    rw:
+      - __temporary__
+      - __all_on_tables__
+      - __all_on_sequences__
+  
+    ddl:
+      - __create_on_schemas__
+
+  sync_map:
+    - description: "Create the ldap_roles group"
+      roles:
+        - name: ldap_roles
+          options: NOLOGIN
+  
+    - description: "Create static ldap groups"
+      roles:
+        - names:
+            - support_ro
+            - support_rw
+          parent:
+            - ldap_roles
+          options: NOLOGIN
+  
+      grant:
+        - privilege: ro
+          roles:
+            - support_ro
+            - support_rw
+  
+        - privilege: rw
+          roles:
+            - support_rw
+  
+        - privilege: ddl
+          roles:
+            - support_rw
+  
+  
+#    - description: "Query LDAP to populate support_ro role"
+#      ldapsearch:
+#        base: OU=People,DC=example,DC=org
+#        filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Support_RO,OU=Roles,DC=example,DC=org))"
+#      role:
+#        name: '{sAMAccountName}'
+#        options: LOGIN
+#        parent:
+#          - support_ro
+#          - ldap_roles
+#        comment: "From LDAP account {dn}"
+#  
+#  
+#    - description: "Query LDAP to populate support_rw role"
+#      ldapsearch:
+#        base: OU=People,DC=lapiole,DC=org
+#        filter: "(&(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))(memberOf:1.2.840.113556.1.4.1941:=CN=Role_Support_RW,OU=Roles,DC=example,DC=org))"
+#      role:
+#        name: '{sAMAccountName}'
+#        options: LOGIN
+#        parent:
+#          - support_rw
+#          - ldap_roles
+#        comment: 'From LDAP account {dn}'
+
+ldap2pg_extra_conf: {}
+ldap2pg_conf: "{{ ldap2pg_base_conf | combine(ldap2pg_extra_conf, recursive=True) }}"

roles/ldap2pg/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+
+- name: restart ldap2pg.service
+  systemd: name=ldap2pg.service state=restarted
+  when: ldap2pg_sync_freq != 'never'
+
+- name: restart ldap2pg.timer
+  systemd: name=ldap2pg.service state=restarted
+  when: ldap2pg_sync_freq != 'never'

roles/ldap2pg/meta/main.yml

@@ -0,0 +1,5 @@
+---
+
+dependencies:
+  - role: mkdir
+  - role: repo_dalibolabs

roles/ldap2pg/tasks/conf.yml

@@ -0,0 +1,40 @@
+---
+
+- name: Deploy ldap2pg configuration
+  block:
+    - name: Render config template
+      template:
+        src: ldap2pg.yml.j2
+        dest: "/etc/ldap2pg.yml"
+        owner: "{{ ldap2pg_user }}"
+        group: "{{ ldap2pg_user }}"
+        mode: 0600
+        backup: True
+      register: ldap2pg_rendered_conf
+      notify:
+        - restart ldap2pg.timer
+
+    - name: Validate new configuration
+      command: /bin/ldap2pg --config /etc/ldap2pg.yml --dry
+      changed_when: False
+      become_user: "{{ ldap2pg_user }}"
+      register: ldap2pg_conf_validation
+
+  rescue:
+    - name: Rollback previous configuration
+      copy:
+        src: "{{ ldap2pg_rendered_conf.backup_file }}"
+        dest: /etc/ldap2pg.yml
+        remote_src: True
+        owner: "{{ ldap2pg_user }}"
+        group: "{{ ldap2pg_user }}"
+        mode: 0600
+      when: ldap2pg_rendered_conf.backup_file is defined
+
+  tags: pg
+
+- name: Fails if new configuration isn't validated
+  fail:
+    msg: "Failed to validate /etc/ldap2pg: {{ ldap2pg_conf_validation.stdout }}"
+  when: ldap2pg_conf_validation.rc != 0
+  tags: pg

roles/ldap2pg/tasks/facts.yml

@@ -0,0 +1,10 @@
+---
+
+# Load distribution specific variables
+- include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
+    - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
+  tags: pg

roles/ldap2pg/tasks/install.yml

@@ -0,0 +1,15 @@
+---
+
+- name: Install packages
+  package: name={{ ldap2pg_packages }}
+  tags: pg
+
+- name: Install systemd unit
+  template: src=ldap2pg.{{ item }}.j2 dest=/etc/systemd/system/ldap2pg.{{ item }}
+  loop:
+    - service
+    - timer
+  notify:
+    - restart ldap2pg.service
+    - restart ldap2pg.timer
+  tags: pg

roles/ldap2pg/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+
+- include_tasks: user.yml
+  tags: always
+
+- include_tasks: facts.yml
+  tags: always
+
+- include_tasks: install.yml
+  tags: always
+
+- include_tasks: conf.yml
+  tags: always
+
+- include_tasks: services.yml
+  tags: always

roles/ldap2pg/tasks/services.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Handle ldap2pg timer
+  systemd: name=ldap2pg.timer state={{ (ldap2pg_sync_freq == 'never') | ternary('stopped', 'started') }} enabled={{ (ldap2pg_sync_freq == 'never') | ternary(False, True) }}
+  tags: pg

roles/ldap2pg/tasks/user.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Create ldap2pg user
+  user: name={{ ldap2pg_user }}
+  register: ldap2pg_user_info
+  tags: pg

roles/ldap2pg/templates/ldap2pg.service.j2

@@ -0,0 +1,10 @@
+[Unit]
+Description=Sync postgres role from LDAP
+
+[Service]
+Type=oneshot
+PrivateTmp=yes
+User={{ ldap2pg_user }}
+Group={{ ldap2pg_user }}
+ExecStart=/bin/ldap2pg -c {{ ldap2pg_user_info.home }}/ldap2pg.yml --real
+TimeoutSec=30m

roles/ldap2pg/templates/ldap2pg.timer.j2

@@ -0,0 +1,9 @@
+[Unit]
+Description=Sync postgres role from LDAP
+
+[Timer]
+OnCalendar={{ (ldap2pg_sync_freq == 'never') | ternary('daily', ldap2pg_sync_freq) }}
+
+[Install]
+WantedBy=timers.target
+

roles/ldap2pg/templates/ldap2pg.yml.j2

@@ -0,0 +1 @@
+{{ ldap2pg_conf | to_nice_yaml(indent=4) }}

roles/ldap2pg/vars/RedHat.yml

@@ -0,0 +1,4 @@
+---
+
+ldap2pg_packages:
+  - ldap2pg