Update to 2023-10-13 15:00

2025-07-30 19:25:36 +02:00 · 2023-10-13 15:00:23 +02:00
parent 5956dad4fd
commit e823a08de2
32 changed files with 163 additions and 142 deletions
--- a/roles/ldap2pg/defaults/main.yml
+++ b/roles/ldap2pg/defaults/main.yml
@@ -1,5 +1,14 @@
 ---

+# The version of ldap2pg to deploy
+ldap2pg_version: 6.0
+
+# The URL where the ldap2pg archive can be fetched
+ldap2pg_archive_url: https://github.com/dalibo/ldap2pg/releases/download/v{{ ldap2pg_version }}/ldap2pg_{{ ldap2pg_version }}_linux_amd64.tar.gz
+
+# The expected sha256 checksum of the archive
+ldap2pg_archive_sha256: 0f587cb6a6e4953820fabcaba46bbfbe9acdffe79c42b1f53e789f5d7215d26b
+
 # How often ldap2pg will sync (eg hourly, '*:0:15', systemd timer syntaxe)
 ldap2pg_sync_freq: hourly

@@ -10,88 +19,64 @@ ldap2pg_user: postgres
 # Set dry mode to False to actually do the sync
 ldap2pg_dry_mode: True

+ldap2pg_env:
+  PGHOST: /var/run/postgresql
+  LDAPTLS_REQCERT: hard
+#  LDAPURI: "{{ ldap_uri | default('ldap://ldap.' ~ ansible_domain) }}"
+#  LDAPBINDDN: CN=Postgres,OU=Apps,{{ (ad_auth | default(False) | ternary('DC=' ~ ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\.',',DC='), 'dc=' ~ ansible_domain | regex_replace('\.',',dc='))) }}
+#  LDAPPASSWORD: XXX
+
 ldap2pg_base_conf:
-  version: 5  
-  ldap:
-    uri: "{{ ldap_uri | default('ldap://ldap.' ~ ansible_domain) }}"
-    binddn: CN=Postgres,OU=Apps,{{ (ad_auth | default(False) | ternary('DC=' ~ ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\.',',DC='), 'dc=' ~ ansible_domain | regex_replace('\.',',dc='))) }}
-    password: XXX
-    starttls: True
+  version: 6
  postgres:
-    dsn: postgres://%2Fvar%2Frun%2Fpostgresql/
    databases_query: |
      SELECT datname
      FROM pg_catalog.pg_database
-      WHERE datallowconn IS TRUE AND datname NOT IN ('postgres', 'template0', 'template1');
-  
-    # Only roles member of the special ldap_roles group can be dropped
+      WHERE datallowconn IS TRUE AND datname NOT IN ('template0', 'template1');
+
+    # Only roles member of the special managed_roles group can be dropped
    # other role (created manually or outside of ldap2pg scope) will never be dropped
    managed_roles_query: |
-      SELECT DISTINCT role.rolname
-      FROM pg_roles AS role
-      LEFT OUTER JOIN pg_auth_members AS ms ON ms.member = role.oid
-      LEFT OUTER JOIN pg_roles AS ldap_roles
-        ON ldap_roles.rolname = 'ldap_roles' AND ldap_roles.oid = ms.roleid
-      WHERE ldap_roles.oid IS NOT NULL
+      VALUES
+        ('managed_roles')
+      UNION
+        SELECT DISTINCT role.rolname
+          FROM pg_roles AS role
+          JOIN pg_auth_members AS ms
+            ON ms.member = role.oid
+          JOIN pg_roles AS parent
+            ON parent.rolname = 'managed_roles' AND parent.oid = ms.roleid
      ORDER BY 1;
  
-    # Exclude information_schema, pg_catalog, pg_toast, and other system schemas
-    # from privilege management.
-    schemas_query: |
-      SELECT nspname FROM pg_catalog.pg_namespace
-      WHERE nspname NOT LIKE 'pg_%' AND nspname <> 'information_schema'
-      ORDER BY 1;
-
  privileges:
    ro:
      - __connect__
      - __select_on_tables__
      - __select_on_sequences__
      - __usage_on_schemas__
-      - __usage_on_types__
-  
+      - __usage_on_sequences__
+
    rw:
+      - ro
      - __temporary__
-      - __all_on_tables__
-      - __all_on_sequences__
-  
-    ddl:
-      - __create_on_schemas__
+      - __insert_on_tables__
+      - __update_on_tables__
+      - __delete__on_tables__
+      - __update_on_sequences__
+      - __execute_on_functions__
+      - __trigger_on_tables__

    full:
      - rw
-      - __all_on_schemas__
+      - __create_on_schemas__
+      - __truncate_on_tables__

-  sync_map:
-    - description: "Create the ldap_roles group"
+  rules:
+    - description: "Create static roles"
      roles:
-        - name: ldap_roles
+        - name: managed_roles
          options: NOLOGIN
  
-    - description: "Create static ldap groups"
-      roles:
-        - names:
-            - support_ro
-            - support_rw
-          parent:
-            - ldap_roles
-          options: NOLOGIN
-  
-      grant:
-        - privilege: ro
-          roles:
-            - support_ro
-            - support_rw
-  
-        - privilege: rw
-          roles:
-            - support_rw
-  
-        - privilege: ddl
-          roles:
-            - support_rw
-  
-  
 #    - description: "Query LDAP to populate support_ro role"
 #      ldapsearch:
 #        base: OU=People,DC=example,DC=org
@@ -101,7 +86,7 @@ ldap2pg_base_conf:
 #        options: LOGIN
 #        parent:
 #          - support_ro
-#          - ldap_roles
+#          - managed_roles
 #        comment: "From LDAP account {dn}"
 #  
 #  
@@ -114,7 +99,7 @@ ldap2pg_base_conf:
 #        options: LOGIN
 #        parent:
 #          - support_rw
-#          - ldap_roles
+#          - managed_roles
 #        comment: 'From LDAP account {dn}'

 ldap2pg_extra_conf: {}
--- a/roles/ldap2pg/meta/main.yml
+++ b/roles/ldap2pg/meta/main.yml
@@ -2,4 +2,3 @@

 dependencies:
  - role: mkdir
-  - role: repo_dalibolabs
--- a/roles/ldap2pg/tasks/conf.yml
+++ b/roles/ldap2pg/tasks/conf.yml
@@ -1,5 +1,9 @@
 ---

+- name: Deploy env file
+  template: src=ldap2pg.env.j2 dest=/etc/sysconfig/ldap2pg owner=root group=postgres mode=640
+  tags: pg
+
 - name: Deploy ldap2pg configuration
  block:
    - name: Render config template
@@ -15,10 +19,11 @@
        - restart ldap2pg.timer

    - name: Validate new configuration
-      command: /bin/ldap2pg --config /etc/ldap2pg.yml --dry
+      command: /usr/local/bin/ldap2pg --config /etc/ldap2pg.yml
      changed_when: False
      become_user: "{{ ldap2pg_user }}"
      register: ldap2pg_conf_validation
+      environment: "{{ ldap2pg_env }}"

  rescue:
    - name: Rollback previous configuration
@@ -35,6 +40,7 @@

 - name: Fails if new configuration isn't validated
  fail:
-    msg: "Failed to validate /etc/ldap2pg: {{ ldap2pg_conf_validation.stdout }}"
+    msg: "Failed to validate /etc/ldap2pg.yml: {{ ldap2pg_conf_validation.stdout }}"
  when: ldap2pg_conf_validation.rc != 0
  tags: pg
+
--- a/roles/ldap2pg/tasks/facts.yml
+++ b/roles/ldap2pg/tasks/facts.yml
@@ -1,10 +1,27 @@
 ---

-# Load distribution specific variables
- include_vars: "{{ item }}"
-  with_first_found:
-    - "{{ role_path }}/vars/{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_os_family }}-{{ ansible_distribution_major_version }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_distribution }}.yml"
-    - "{{ role_path }}/vars/{{ ansible_os_family }}.yml"
+- name: Set default install mode
+  set_fact: ldap2pg_install_mode='none'
+  tags: pg
+
+- name: Check if ldap2pg is installed
+  stat: path=/usr/local/bin/ldap2pg
+  register: ldap2pg_bin
+  tags: pg
+
+- name: Check installed version
+  shell: ldap2pg -V | head -1 | sed -E 's/ldap2pg v(\d+)/\1/'
+  register: ldap2pg_current_version
+  when: ldap2pg_bin.stat.exists
+  changed_when: False
+  tags: pg
+
+- name: Set install mode
+  set_fact: ldap2pg_install_mode='install'
+  when: not ldap2pg_bin.stat.exists
+  tags: pg
+
+- name: Set install_mode to upgrade
+  set_fact: ldap2pg_install_mode='upgrade'
+  when: ldap2pg_bin.stat.exists and ldap2pg_current_version.stdout != ldap2pg_version
  tags: pg
--- a/roles/ldap2pg/tasks/install.yml
+++ b/roles/ldap2pg/tasks/install.yml
@@ -1,20 +1,28 @@
 ---

- name: Install packages
-  package: name={{ ldap2pg_packages }}
+- name: Ensure ldap2pg package is removed
+  package: name=ldap2pg state=absent
  tags: pg

- when: ansible_os_family == 'RedHat' and ansible_distribution_major_version is version('8', '<')
+- when: ldap2pg_install_mode != 'none'
  block:
-    - name: Check if ldap2Pg is built with python 2 or 3
-      stat: path=/usr/lib/python3.6/site-packages/ldap2pg/ldap.py
-      register: ldap2pg_py
+    - name: Download ldap2pg binary
+      get_url:
+        url: "{{ ldap2pg_archive_url }}"
+        dest: /tmp/ldap2pg.tar.gz
+        checksum: "sha256:{{ ldap2pg_archive_sha256 }}"

-    - name: Set ldap.py path
-      set_fact: ldap_py_ver={{ ldap2pg_py.stat.exists | ternary('3.6', '2.7') }}
+    - name: Extract ldap2pg archive
+      unarchive:
+        src: /tmp/ldap2pg.tar.gz
+        dest: /usr/local/bin
+        include:
+          - ldap2pg
+        owner: root
+        group: root
+        mode: 755
+        remote_src: True

-    - name: Patch ldap2pg to specify global cacert
-      patch: src=ldap2pg_cacert.diff dest=/usr/lib/python{{ ldap_py_ver }}/site-packages/ldap2pg/ldap.py
  tags: pg

 - name: Install systemd unit
--- a/roles/ldap2pg/templates/ldap2pg.env.j2
+++ b/roles/ldap2pg/templates/ldap2pg.env.j2
@@ -0,0 +1,3 @@
+{% for env in ldap2pg_env.keys() | list %}
+{{ env }}={{ ldap2pg_env[env] }}
+{% endfor %}
--- a/roles/ldap2pg/templates/ldap2pg.service.j2
+++ b/roles/ldap2pg/templates/ldap2pg.service.j2
@@ -4,7 +4,8 @@ Description=Sync postgres role from LDAP
 [Service]
 Type=oneshot
 PrivateTmp=yes
+EnvironmentFile=/etc/sysconfig/ldap2pg
 User={{ ldap2pg_user }}
 Group={{ ldap2pg_user }}
-ExecStart=/bin/ldap2pg -c /etc/ldap2pg.yml --{{ ldap2pg_dry_mode | ternary('dry', 'real') }}
+ExecStart=/usr/local/bin/ldap2pg -c /etc/ldap2pg.yml {{ ldap2pg_dry_mode | ternary('', '--real') }}
 TimeoutSec=30m
--- a/roles/ldap2pg/vars/RedHat-7.yml
+++ b/roles/ldap2pg/vars/RedHat-7.yml
@@ -1,6 +0,0 @@
---
-
-ldap2pg_packages:
-  - ldap2pg
-  - python-setuptools
-  - patch
--- a/roles/ldap2pg/vars/RedHat-8.yml
+++ b/roles/ldap2pg/vars/RedHat-8.yml
@@ -1,4 +0,0 @@
---
-
-ldap2pg_packages:
-  - ldap2pg
--- a/roles/ldap2pg/vars/RedHat-9.yml
+++ b/roles/ldap2pg/vars/RedHat-9.yml
@@ -1,4 +0,0 @@
---
-
-ldap2pg_packages:
-  - ldap2pg