I'm trying to setup a slapd service on an Ubuntu 16 machine using Ansible and debops.slapd but cannot get a working authentication up and running.
My playbook file looks like this:
---
- hosts: "{{hosts}}"
become: true
become_user: root
roles:
- role: debops.slapd
slapd_domain: 'development.local'
slapd_pki: false
slapd_config_admin_password: 'passwords/ldap-admin.password'
slapd_basedn_admin_password: 'passwords/ldap-admin.password'
slapd_ldapscripts: true
slapd_ldap_security_default: []
slapd_anonymous_bind: true
The passwords/ldap-admin.password file:
yoh7eQue9Ki0aitee5uquaichuteo0ti
When I launch Ansible via the command line ansible-playbook install-devserver-ubuntu.yml --ask-sudo-pass --extra-vars "hosts=ubuntu" the installation proceeds correctly and slapd is correctly installed on the target machine:
PLAY [ubuntu] ************************************************************************************************
TASK [Gathering Facts] ***************************************************************************************
ok: [ubuntu]
TASK [debops.secret : Create secret directories on Ansible Controller] ***************************************
TASK [debops.slapd : Configure domain for OpenLDAP in debconf] ***********************************************
changed: [ubuntu] => (item=slapd/domain)
changed: [ubuntu] => (item=shared/organization)
TASK [debops.slapd : Configure database backend for OpenLDAP in debconf] *************************************
changed: [ubuntu]
TASK [debops.slapd : Install OpenLDAP packages] **************************************************************
changed: [ubuntu] => (item=[u'slapd', u'ldap-utils', u'python-ldap'])
TASK [debops.slapd : Install helper scripts] *****************************************************************
ok: [ubuntu]
TASK [debops.slapd : Copy custom LDAP schema files] **********************************************************
ok: [ubuntu]
TASK [debops.slapd : Load custom LDAP schema files] **********************************************************
changed: [ubuntu] => (item=/usr/local/etc/ldap/schema/ldapns.ldif)
changed: [ubuntu] => (item=/usr/local/etc/ldap/schema/openssh-lpk.ldif)
TASK [debops.slapd : Check if administrator password hash exists] ********************************************
ok: [ubuntu -> localhost]
TASK [debops.slapd : Read hash of config administrator password] *********************************************
ok: [ubuntu]
TASK [debops.slapd : Generate config administrator password] *************************************************
skipping: [ubuntu]
TASK [debops.slapd : Save hash of config administrator password] *********************************************
skipping: [ubuntu]
TASK [debops.slapd : Set config administrator password] ******************************************************
changed: [ubuntu] => (item=(censored due to no_log))
changed: [ubuntu] => (item=(censored due to no_log))
TASK [debops.slapd : Check if BaseDN administrator password hash exists] *************************************
ok: [ubuntu -> localhost]
TASK [debops.slapd : Read hash of BaseDN administrator password] *********************************************
ok: [ubuntu]
TASK [debops.slapd : Generate BaseDN administrator password] *************************************************
skipping: [ubuntu]
TASK [debops.slapd : Save hash of BaseDN administrator password] *********************************************
skipping: [ubuntu]
TASK [debops.slapd : Set BaseDN administrator] ***************************************************************
ok: [ubuntu] => (item=(censored due to no_log))
changed: [ubuntu] => (item=(censored due to no_log))
TASK [debops.slapd : Create path to LDAP password file in secrets] *******************************************
ok: [ubuntu]
TASK [debops.slapd : Save BaseDN administrator password for Ansible] *****************************************
changed: [ubuntu -> localhost]
TASK [debops.slapd : Add OpenLDAP system user to additional groups] ******************************************
skipping: [ubuntu]
TASK [debops.slapd : Check if TLS certificate is configured] *************************************************
ok: [ubuntu]
TASK [debops.slapd : Create random temporary directory for ldif file] ****************************************
skipping: [ubuntu]
TASK [debops.slapd : Prepare temporary ldif file] ************************************************************
skipping: [ubuntu]
TASK [debops.slapd : Restart slapd (first time only)] ********************************************************
skipping: [ubuntu]
TASK [debops.slapd : Configure TLS certificates (first time only)] *******************************************
skipping: [ubuntu]
TASK [debops.slapd : Configure TLS certificates] *************************************************************
skipping: [ubuntu] => (item={'key': u'olcTLSCipherSuite', 'value': u'SECURE256:-VERS-SSL3.0'})
skipping: [ubuntu] => (item={'key': u'olcTLSCertificateFile', 'value': u'/etc/pki/system/default.crt'})
skipping: [ubuntu] => (item={'key': u'olcTLSDHParamFile', 'value': u''})
skipping: [ubuntu] => (item={'key': u'olcTLSCertificateKeyFile', 'value': u'/etc/pki/system/default.key'})
skipping: [ubuntu] => (item={'key': u'olcTLSCACertificateFile', 'value': u'/etc/pki/system/CA.crt'})
TASK [debops.slapd : Allow anonymous bind] *******************************************************************
ok: [ubuntu] => (item={'key': u'olcDisallows', 'value': u'bind_anon'})
ok: [ubuntu] => (item={'key': u'olcRequires', 'value': u'authc'})
TASK [debops.slapd : Allow anonymous bind (frontend)] ********************************************************
ok: [ubuntu] => (item={'key': u'olcRequires', 'value': u'authc'})
TASK [debops.slapd : Deny anonymous bind, require authentication] ********************************************
skipping: [ubuntu] => (item={'key': u'olcDisallows', 'value': u'bind_anon'})
skipping: [ubuntu] => (item={'key': u'olcRequires', 'value': u'authc'})
TASK [debops.slapd : Deny anonymous bind, require authentication (frontend)] *********************************
skipping: [ubuntu] => (item={'key': u'olcRequires', 'value': u'authc'})
TASK [debops.slapd : Configure LDAP connection security] *****************************************************
ok: [ubuntu]
TASK [debops.slapd : Configure LDAP indices] *****************************************************************
changed: [ubuntu]
TASK [debops.slapd : Configure LDAP Access Control List] *****************************************************
changed: [ubuntu]
TASK [debops.slapd : Set slapd log level] ********************************************************************
ok: [ubuntu] => (item={'key': u'olcLogLevel', 'value': u'none'})
TASK [debops.slapd : Configure enabled services] *************************************************************
changed: [ubuntu]
TASK [debops.slapd : Install ldapscripts packages] ***********************************************************
ok: [ubuntu] => (item=[u'ldapscripts', u'ldap-utils', u'pwgen'])
TASK [debops.slapd : Configure ldapscripts] ******************************************************************
ok: [ubuntu]
TASK [debops.slapd : Configure ldapscripts password] *********************************************************
changed: [ubuntu]
TASK [debops.slapd : Create snapshot task in cron] ***********************************************************
ok: [ubuntu]
RUNNING HANDLER [debops.slapd : Restart slapd] ***************************************************************
changed: [ubuntu]
PLAY RECAP ***************************************************************************************************
ubuntu : ok=28 changed=12 unreachable=0 failed=0
So far, so good but I can't connect to the LDAP directory using the admin user and admin password that has been set as parameters. To test this I have installed a phpldapadmin installation on the same machine:
Entering the password yoh7eQue9Ki0aitee5uquaichuteo0ti (which is the same as the one in the password file) will always result in "Invalid credentials".
Running slapcat shows that the administrator account itself has been created:
dn: dc=development,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: development.local
dc: development
structuralObjectClass: organization
entryUUID: 2b111f1a-058f-1037-9bc1-01ccfd85f1f8
creatorsName: cn=admin,dc=development,dc=local
createTimestamp: 20170725141325Z
entryCSN: 20170725141325.508993Z#000000#000#000000
modifiersName: cn=admin,dc=development,dc=local
modifyTimestamp: 20170725141325Z
dn: cn=admin,dc=development,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9S1haVEUvbVQ1U0tBSEU1RXhVYVVhMDM4UGVoSS9ZNVA=
structuralObjectClass: organizationalRole
entryUUID: 2b114558-058f-1037-9bc2-01ccfd85f1f8
creatorsName: cn=admin,dc=development,dc=local
createTimestamp: 20170725141325Z
entryCSN: 20170725141325.510040Z#000000#000#000000
modifiersName: cn=admin,dc=development,dc=local
modifyTimestamp: 20170725141325Z
Any ideas why the authentication fails? Did I use the correct mechanism to pass the password to debops.slapd?
The
debops.slapdrole might not be in a working state at the moment; it hasn't been touched for almost a year.However, DebOps roles usually provide a set of sane default values. Did you try running the role without setting custom values in your own first? The role has an example playbook included, you could try that one and see if the service is configured properly.
To help with debugging,you could use Apache Directory Studio as a low-level LDAP client. The
debops.slapdrole uses the X.509 certificates maintained by thedebops.pkirole; if you use that, you might need to add the Root CA certificate to the ADS certificate store.