我試圖在使用Ansible和debops.slapd
的Ubuntu 16計算機上設置slapd
服務,但無法啓動正在運行的身份驗證。通過Ansible設置slapd debops.slapd
我的劇本文件看起來像這樣:
---
- hosts: "{{hosts}}"
become: true
become_user: root
roles:
- role: debops.slapd
slapd_domain: 'development.local'
slapd_pki: false
slapd_config_admin_password: 'passwords/ldap-admin.password'
slapd_basedn_admin_password: 'passwords/ldap-admin.password'
slapd_ldapscripts: true
slapd_ldap_security_default: []
slapd_anonymous_bind: true
的passwords/ldap-admin.password
文件:
yoh7eQue9Ki0aitee5uquaichuteo0ti
當我通過命令行啓動Ansible ansible-playbook install-devserver-ubuntu.yml --ask-sudo-pass --extra-vars "hosts=ubuntu"
繼續進行安裝正確和slapd
是正確安裝在目標機器上:
PLAY [ubuntu] ************************************************************************************************
TASK [Gathering Facts] ***************************************************************************************
ok: [ubuntu]
TASK [debops.secret : Create secret directories on Ansible Controller] ***************************************
TASK [debops.slapd : Configure domain for OpenLDAP in debconf] ***********************************************
changed: [ubuntu] => (item=slapd/domain)
changed: [ubuntu] => (item=shared/organization)
TASK [debops.slapd : Configure database backend for OpenLDAP in debconf] *************************************
changed: [ubuntu]
TASK [debops.slapd : Install OpenLDAP packages] **************************************************************
changed: [ubuntu] => (item=[u'slapd', u'ldap-utils', u'python-ldap'])
TASK [debops.slapd : Install helper scripts] *****************************************************************
ok: [ubuntu]
TASK [debops.slapd : Copy custom LDAP schema files] **********************************************************
ok: [ubuntu]
TASK [debops.slapd : Load custom LDAP schema files] **********************************************************
changed: [ubuntu] => (item=/usr/local/etc/ldap/schema/ldapns.ldif)
changed: [ubuntu] => (item=/usr/local/etc/ldap/schema/openssh-lpk.ldif)
TASK [debops.slapd : Check if administrator password hash exists] ********************************************
ok: [ubuntu -> localhost]
TASK [debops.slapd : Read hash of config administrator password] *********************************************
ok: [ubuntu]
TASK [debops.slapd : Generate config administrator password] *************************************************
skipping: [ubuntu]
TASK [debops.slapd : Save hash of config administrator password] *********************************************
skipping: [ubuntu]
TASK [debops.slapd : Set config administrator password] ******************************************************
changed: [ubuntu] => (item=(censored due to no_log))
changed: [ubuntu] => (item=(censored due to no_log))
TASK [debops.slapd : Check if BaseDN administrator password hash exists] *************************************
ok: [ubuntu -> localhost]
TASK [debops.slapd : Read hash of BaseDN administrator password] *********************************************
ok: [ubuntu]
TASK [debops.slapd : Generate BaseDN administrator password] *************************************************
skipping: [ubuntu]
TASK [debops.slapd : Save hash of BaseDN administrator password] *********************************************
skipping: [ubuntu]
TASK [debops.slapd : Set BaseDN administrator] ***************************************************************
ok: [ubuntu] => (item=(censored due to no_log))
changed: [ubuntu] => (item=(censored due to no_log))
TASK [debops.slapd : Create path to LDAP password file in secrets] *******************************************
ok: [ubuntu]
TASK [debops.slapd : Save BaseDN administrator password for Ansible] *****************************************
changed: [ubuntu -> localhost]
TASK [debops.slapd : Add OpenLDAP system user to additional groups] ******************************************
skipping: [ubuntu]
TASK [debops.slapd : Check if TLS certificate is configured] *************************************************
ok: [ubuntu]
TASK [debops.slapd : Create random temporary directory for ldif file] ****************************************
skipping: [ubuntu]
TASK [debops.slapd : Prepare temporary ldif file] ************************************************************
skipping: [ubuntu]
TASK [debops.slapd : Restart slapd (first time only)] ********************************************************
skipping: [ubuntu]
TASK [debops.slapd : Configure TLS certificates (first time only)] *******************************************
skipping: [ubuntu]
TASK [debops.slapd : Configure TLS certificates] *************************************************************
skipping: [ubuntu] => (item={'key': u'olcTLSCipherSuite', 'value': u'SECURE256:-VERS-SSL3.0'})
skipping: [ubuntu] => (item={'key': u'olcTLSCertificateFile', 'value': u'/etc/pki/system/default.crt'})
skipping: [ubuntu] => (item={'key': u'olcTLSDHParamFile', 'value': u''})
skipping: [ubuntu] => (item={'key': u'olcTLSCertificateKeyFile', 'value': u'/etc/pki/system/default.key'})
skipping: [ubuntu] => (item={'key': u'olcTLSCACertificateFile', 'value': u'/etc/pki/system/CA.crt'})
TASK [debops.slapd : Allow anonymous bind] *******************************************************************
ok: [ubuntu] => (item={'key': u'olcDisallows', 'value': u'bind_anon'})
ok: [ubuntu] => (item={'key': u'olcRequires', 'value': u'authc'})
TASK [debops.slapd : Allow anonymous bind (frontend)] ********************************************************
ok: [ubuntu] => (item={'key': u'olcRequires', 'value': u'authc'})
TASK [debops.slapd : Deny anonymous bind, require authentication] ********************************************
skipping: [ubuntu] => (item={'key': u'olcDisallows', 'value': u'bind_anon'})
skipping: [ubuntu] => (item={'key': u'olcRequires', 'value': u'authc'})
TASK [debops.slapd : Deny anonymous bind, require authentication (frontend)] *********************************
skipping: [ubuntu] => (item={'key': u'olcRequires', 'value': u'authc'})
TASK [debops.slapd : Configure LDAP connection security] *****************************************************
ok: [ubuntu]
TASK [debops.slapd : Configure LDAP indices] *****************************************************************
changed: [ubuntu]
TASK [debops.slapd : Configure LDAP Access Control List] *****************************************************
changed: [ubuntu]
TASK [debops.slapd : Set slapd log level] ********************************************************************
ok: [ubuntu] => (item={'key': u'olcLogLevel', 'value': u'none'})
TASK [debops.slapd : Configure enabled services] *************************************************************
changed: [ubuntu]
TASK [debops.slapd : Install ldapscripts packages] ***********************************************************
ok: [ubuntu] => (item=[u'ldapscripts', u'ldap-utils', u'pwgen'])
TASK [debops.slapd : Configure ldapscripts] ******************************************************************
ok: [ubuntu]
TASK [debops.slapd : Configure ldapscripts password] *********************************************************
changed: [ubuntu]
TASK [debops.slapd : Create snapshot task in cron] ***********************************************************
ok: [ubuntu]
RUNNING HANDLER [debops.slapd : Restart slapd] ***************************************************************
changed: [ubuntu]
PLAY RECAP ***************************************************************************************************
ubuntu : ok=28 changed=12 unreachable=0 failed=0
到目前爲止,這麼好,但我無法使用已設置爲參數的admin用戶和管理員密碼連接到LDAP目錄。爲了驗證這一點,我已經安裝了一個phpldapadmin
安裝在同一臺機器上:
輸入密碼yoh7eQue9Ki0aitee5uquaichuteo0ti
(這是一樣的人在密碼文件)總是導致「無效憑證」。
運行slapcat
顯示管理員帳戶本身已經建立:
dn: dc=development,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: development.local
dc: development
structuralObjectClass: organization
entryUUID: 2b111f1a-058f-1037-9bc1-01ccfd85f1f8
creatorsName: cn=admin,dc=development,dc=local
createTimestamp: 20170725141325Z
entryCSN: 20170725141325.508993Z#000000#000#000000
modifiersName: cn=admin,dc=development,dc=local
modifyTimestamp: 20170725141325Z
dn: cn=admin,dc=development,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9S1haVEUvbVQ1U0tBSEU1RXhVYVVhMDM4UGVoSS9ZNVA=
structuralObjectClass: organizationalRole
entryUUID: 2b114558-058f-1037-9bc2-01ccfd85f1f8
creatorsName: cn=admin,dc=development,dc=local
createTimestamp: 20170725141325Z
entryCSN: 20170725141325.510040Z#000000#000#000000
modifiersName: cn=admin,dc=development,dc=local
modifyTimestamp: 20170725141325Z
爲什麼驗證失敗的任何想法?我是否使用了正確的機制將密碼傳遞給debops.slapd
?
感謝您的建議。現在仍然存在的問題是:如果我沒有手動輸入管理員密碼,那麼我可以在哪裏檢索在安裝過程中自動生成的密碼? Plus:如果'debops.slapd'角色不處於工作狀態:您能否在建立目標環境中的LDAP服務器時提出任何其他建議? – perdian
自動生成的密碼存儲在您的Ansible庫存目錄旁邊的'secret /'目錄中。這是由'debops.secret'角色管理的,你可以查看它的文檔中的細節。 不幸的是,我不知道任何好的替代'slapd'角色。你可以看看'debops.slapd'中有什麼不起作用,並且在需要的時候發佈帶有修補程序的PR。目前,角色缺乏一些重要的功能,如LDAP數據庫複製,這是計劃在未來。 – drybjed