Deploying OpenLDAP w/ Ansible

Requirements

  • Physical or VPN connection to the VT network
  • Local installation of Ansible 2.7 or newer
  • Local installation of Git 2.13 or newer
  • Local installation of OpenSSH client (ssh)
  • VT Username (PID) with Duo MFA
  • An account with the ability to sudo su - openldap and sudo su - appsadm on each LDAP server to be managed.

Overview

The OpenLDAP software is deployed by the Middleware/neo-ldap Ansible playbook.

Some advice about tags

This Ansible playbook is flexible enough to address multiple deployment and maintenance scenarios through different combinations of tags, which also means that an incorrect combination of tags can produce undesired results. Here is a summary of the available tags, and some recommended combinations for common scenarios.

  • openldap
  • certs
  • fetch-provider-syncrepl
  • dump
  • load
  • tests
  • start
  • stop

Tag usage examples

Update the InCommon web server certificate on the provider

ansible-playbook -i ansible_hosts tasks/main.yml --tags stop,certs,start --limit hostname[,hostname]

Update OpenLDAP to a new version or apply a change to cn=config

ansible-playbook -i ansible_hosts tasks/main.yml --tags openldap,dump,load,start --limit hostname[,hostname]

Perform a fresh install of a consumer node with a full replication sync from the provider

ansible-playbook -i ansible_hosts tasks/main.yml --tags openldap,fetch-provider-syncrepl,start --limit hostname[,hostname]

Upgrading OpenLDAP

Upgrade a host by updating the openldap_active_version variable in the host_vars/hostname file and running the playbook with the proper tags. The dump and load tags export and import the directory data during OpenLDAP version upgrades, and can also be used independently for ad-hoc logical backup and restore operations if desired.

ansible-playbook -i ansible_hosts tasks/main.yml --tags dump,openldap,fetch-provider-syncrepl,load --limit hostname[,hostname]

Stripping sensitive data from production data exports

When setting up new dev and pprd instances, passwords and secrets should be redacted from LDIF backups of the production directory. The sed expressions below use # as the substitution delimiter, because base64 output may contain a / character that would otherwise break the expression, and printf '%s' instead of echo so that no newline byte ends up inside the encoded placeholder:

sed -i "s#userPassword:: .\+#userPassword:: $(printf '%s' somegarbagepasswordthatdoesnotwork | base64)#g" backup/o_vt.ldif
sed -i "s#radiusClientSecret: .\+#radiusClientSecret: somegarbagesecretthatdoesnotwork#g" backup/o_vt.ldif

or simply replaced inline when exporting data for that specific purpose:

slapcat -b o=vt -F /apps/openldap/openldap/etc/openldap/slapd.d \
| sed "s#userPassword:: .\+#userPassword:: $(printf '%s' somegarbagepasswordthatdoesnotwork | base64)#g" \
| sed "s#radiusClientSecret: .\+#radiusClientSecret: somegarbagesecretthatdoesnotwork#g" > backup/o_vt_exported.ldif
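One caveat with the line-oriented sed approach above: slapcat folds values longer than 76 columns onto LDIF continuation lines (physical lines beginning with a single space). A regex that replaces the rest of one line redacts only the first fragment of a long password hash and leaves the remaining fragments in the export. The script below is an added example, not part of the neo-ldap playbook; it assumes POSIX awk and the coreutils base64 command, uses the same placeholder values as the sed commands, and includes a constructed LDIF sample with a folded userPassword so the behaviour can be checked offline. It handles both the "attr: value" and base64 "attr:: value" forms and matches attribute names case-insensitively, as LDIF requires. (If your slapcat supports -o ldif-wrap=no, disabling folding before piping into sed is the other way to avoid the problem.)

```shell
#!/bin/sh
# Added example, not part of the neo-ldap playbook: redact secret-bearing
# attributes from an LDIF export while honouring LDIF line folding.
# slapcat folds values longer than 76 columns onto continuation lines that
# begin with a single space; a line-oriented sed replaces only the first
# physical line and leaves the remaining fragments of the hash in the file.

# Placeholders, kept short enough that base64 does not fold them either.
REDACT_PW="$(printf '%s' 'somegarbagepasswordthatdoesnotwork' | base64)"
REDACT_RADIUS='somegarbagesecretthatdoesnotwork'

# redact_ldif: LDIF on stdin, redacted LDIF on stdout.
# Attribute names are case-insensitive in LDIF, so they are matched lowercased;
# both "attr: value" and base64 "attr:: value" forms are handled.
redact_ldif() {
    awk -v pw="$REDACT_PW" -v rs="$REDACT_RADIUS" '
        # A continuation line of a value we just replaced: drop it.
        /^ / && skip { next }
        { skip = 0; lower = tolower($0) }
        lower ~ /^userpassword::? / {
            print "userPassword:: " pw; skip = 1; next
        }
        lower ~ /^radiusclientsecret::? / {
            print "radiusClientSecret: " rs; skip = 1; next
        }
        { print }
    '
}

# Constructed sample (not real directory data): one folded userPassword,
# two radius secrets (one base64-encoded) and a folded description that
# must survive untouched.
SAMPLE_LDIF='dn: uid=alice,ou=people,o=vt
objectClass: inetOrgPerson
uid: alice
userPassword:: e1NTSEE1MTJ9Y29uc3RydWN0ZWRsb25naGFzaHRoYXRzbGFwY2F0d291bGRmb2xkb3Zlcn
 R3b3BoeXNpY2FsbGluZXM9PT0=
radiusClientSecret: constructed-secret-123
mail: alice@example.invalid

dn: cn=nas1,ou=radius,o=vt
objectClass: radiusClient
radiusClientSecret:: YW5vdGhlci1jb25zdHJ1Y3RlZC1zZWNyZXQ=
description: a folded description that spans
 two physical lines
'

# redact_sample: runs the redaction over the sample and returns the result.
redact_sample() {
    printf '%s' "$SAMPLE_LDIF" | redact_ldif
}

# When run directly, show the redacted sample.
redact_sample
```

In production the function replaces the two sed stages, e.g. slapcat -b o=vt -F /apps/openldap/openldap/etc/openldap/slapd.d | redact_ldif > backup/o_vt_exported.ldif. The skip flag is set only after a replaced attribute and is cleared by the next non-continuation line, so continuation lines of any other attribute (the folded description in the sample) pass through unchanged.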