From ff8d0e2135ae27e910b66a89310c3a680c863c09 Mon Sep 17 00:00:00 2001
From: David Coutadeur
Date: Wed, 11 Dec 2024 11:13:24 +0100
Subject: [PATCH] add a playbook for SASL deployment (#20)

---
 README.md | 7 ++
 .../usr/lib64/sasl2/slapd.conf | 2 +
 playbook/credentials-vault.yml | 64 ++++++-------
 playbook/group_vars/prod.yml | 4 +
 playbook/sasl.yml | 13 +++
 tasks/sasl.yml | 90 +++++++++++++++++++
 templates/etc/saslauthd.conf.j2 | 29 ++++++
 7 files changed, 178 insertions(+), 31 deletions(-)
 create mode 100644 files/ldaptoolbox.oldap/usr/lib64/sasl2/slapd.conf
 create mode 100644 playbook/sasl.yml
 create mode 100644 tasks/sasl.yml
 create mode 100644 templates/etc/saslauthd.conf.j2

diff --git a/README.md b/README.md
index b8eb292..ea26196 100644
--- a/README.md
+++ b/README.md
@@ -92,6 +92,13 @@ Run the corresponding task with:
 ansible-playbook playbook/monitoring.yml -i playbook/inventory
 ```
+Give a look to `playbook/sasl.yml` for an example of playbook that install and deploy sasl for OpenLDAP to delegate authentication to another directory.
+
+Run the corresponding playbook with:
+
+```
+ansible-playbook playbook/sasl.yml -i playbook/inventory --vault-password-file .vault_pass
+```
 License
 -------
diff --git a/files/ldaptoolbox.oldap/usr/lib64/sasl2/slapd.conf b/files/ldaptoolbox.oldap/usr/lib64/sasl2/slapd.conf
new file mode 100644
index 0000000..b41f31e
--- /dev/null
+++ b/files/ldaptoolbox.oldap/usr/lib64/sasl2/slapd.conf
@@ -0,0 +1,2 @@
+pwcheck_method: saslauthd
+saslauthd_path: /var/run/saslauthd/mux
diff --git a/playbook/credentials-vault.yml b/playbook/credentials-vault.yml
index f4ba74c..1cfecd3 100644
--- a/playbook/credentials-vault.yml
+++ b/playbook/credentials-vault.yml
@@ -1,32 +1,34 @@
 $ANSIBLE_VAULT;1.1;AES256
-37346662633864343863613765313565646332363862653762336333653463613935356139623466
-6662616236333863363635623861646337373762623863380a313665623265353730363838303464
-33613665656335353063363431643530623261363938353735623561353839303266643739373239
-6230333536383634330a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a643438663637613535313037303634
+31663236333437373532633964383964636638613135613165333062333962313263663433373932
+3465396238613833380a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
diff --git a/playbook/group_vars/prod.yml b/playbook/group_vars/prod.yml
index 3d580d0..0129594 100644
--- a/playbook/group_vars/prod.yml
+++ b/playbook/group_vars/prod.yml
@@ -43,3 +43,7 @@ ldaptoolbox_openldap_syncrepl:
 tls_crlcheck: "none"
 filter: "(objectclass=*)"
 schemachecking: "on"
+ldaptoolbox_openldap_suffix: "dc=my-organization,dc=com"
+ldaptoolbox_openldap_sasl_servers: "ldap://localhost"
+ldaptoolbox_openldap_sasl_binddn: "cn=saslaccount,dc=my-domain,dc=com"
+ldaptoolbox_openldap_sasl_bindpw: "{{ ldaptoolbox_openldap_sasl_bindpw_vault }}"
diff --git a/playbook/sasl.yml b/playbook/sasl.yml
new file mode 100644
index 0000000..fdda52e
--- /dev/null
+++ b/playbook/sasl.yml
@@ -0,0 +1,13 @@
+########################################################################################################
+# example of playbook for installing and configuring SASL
+########################################################################################################
+---
+- hosts: prod
+ remote_user: root
+ vars_files:
+ - credentials-vault.yml
+ tasks:
+ - name: Installing and configuring SASL for OpenLDAP
+ include_role:
+ name: ansible-role-ldaptoolbox-openldap
+ tasks_from: sasl
diff --git a/tasks/sasl.yml b/tasks/sasl.yml
new file mode 100644
index 0000000..cc69bc7
--- /dev/null
+++ b/tasks/sasl.yml
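Review bot: `ldaptoolbox_openldap_sasl_binddn` is placed under `dc=my-domain,dc=com` while the search base the template derives from `ldaptoolbox_openldap_suffix` is `dc=my-organization,dc=com`, so the example values in this hunk are internally inconsistent. Since saslauthd queries the remote directory (the README describes delegating authentication to another directory), the search base presumably should not be the local OpenLDAP suffix at all; a dedicated variable such as `ldaptoolbox_openldap_sasl_search_base: "dc=my-domain,dc=com"` (constructed name) would make that explicit and avoid coupling the two. It would also help to note where the vaulted value must come from, e.g. `# bind password is defined as ldaptoolbox_openldap_sasl_bindpw_vault in credentials-vault.yml` above the `ldaptoolbox_openldap_sasl_bindpw` line.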
@@ -0,0 +1,90 @@
+
+- name: install cyrus sasl packages for red-hat
+ package:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - cyrus-sasl
+ - cyrus-sasl-ldap
+ when: ( ansible_os_family == "RedHat" )
+
+- name: install cyrus sasl packages for debian
+ package:
+ name: "{{ item }}"
+ state: present
+ loop:
+ - libsasl2-modules-ldap
+ - sasl2-bin
+ when: ansible_os_family == "Debian"
+
+- name: Configure ldap mode in sasl startup options for red-hat
+ ansible.builtin.lineinfile:
+ path: /etc/sysconfig/saslauthd
+ regexp: '^MECH='
+ line: MECH=ldap
+ when: ( ansible_os_family == "RedHat" )
+
+- name: Configure saslauthd.conf in sasl startup options for red-hat
+ ansible.builtin.lineinfile:
+ path: /etc/sysconfig/saslauthd
+ regexp: '^FLAGS='
+ line: FLAGS="-O /etc/saslauthd.conf"
+ when: ( ansible_os_family == "RedHat" )
+
+- name: Configure ldap mode in sasl startup options for debian
+ ansible.builtin.lineinfile:
+ path: /etc/default/saslauthd
+ regexp: '^MECHANISMS='
+ line: MECHANISMS=ldap
+ when: ansible_os_family == "Debian"
+
+- name: Configure saslauthd.conf in sasl startup options for debian
+ ansible.builtin.lineinfile:
+ path: /etc/default/saslauthd
+ regexp: '^MECH_OPTIONS='
+ line: MECH_OPTIONS="/etc/saslauthd.conf"
+ when: ansible_os_family == "Debian"
+
+- name: Configure general sasl startup options for debian
+ ansible.builtin.lineinfile:
+ path: /etc/default/saslauthd
+ regexp: '^OPTIONS='
+ line: OPTIONS="-r -c -m /var/run/saslauthd"
+ when: ansible_os_family == "Debian"
+
+- name: Enable saslauthd at startup
+ ansible.builtin.systemd_service:
+ name: saslauthd
+ enabled: true
+
+- name: deploy saslauthd.conf template
+ ansible.builtin.template:
+ src: "./etc/saslauthd.conf.j2"
+ dest: "/etc/saslauthd.conf"
+ owner: "root"
+ group: "root"
+ mode: "640"
+
+- name: deploy slapd.conf sasl file
+ ansible.builtin.copy:
+ src: "./ldaptoolbox.oldap/usr/lib64/sasl2/slapd.conf"
+ dest: "/usr/lib64/sasl2/slapd.conf"
+ owner: "root"
+ group: "root"
+ mode: 
"644"
+
+- name: Adding user ldap to group saslauth
+ ansible.builtin.user:
+ name: "ldap"
+ groups: "saslauth"
+ append: "yes"
+
+- name: Restart saslauthd
+ ansible.builtin.systemd_service:
+ name: "saslauthd"
+ state: restarted
+
+- name: Restart slapd-ltb
+ ansible.builtin.systemd_service:
+ name: "slapd-ltb"
+ state: restarted
diff --git a/templates/etc/saslauthd.conf.j2 b/templates/etc/saslauthd.conf.j2
new file mode 100644
index 0000000..3f25604
--- /dev/null
+++ b/templates/etc/saslauthd.conf.j2
@@ -0,0 +1,29 @@
+# #############################################
+# CONFIGURATION SASL
+# #############################################
+
+# Liste des serveurs AD disponibles
+# ----------------------------------
+# ldap_servers: ldaps://spar-pont-01.afp.local ldap://spar-ctrl-02.afp.local ldap://spar-ctrl-01.afp.local
+ldap_servers: {{ ldaptoolbox_openldap_sasl_servers }}
+
+# Parametres de recherche sur AD
+# ----------------------------------
+ldap_timeout: 10
+ldap_search_base: {{ ldaptoolbox_openldap_suffix }}
+ldap_filter: sAMAccountName=%u
+
+# Utilisateur pour se connecter a l'AD
+# ----------------------------------
+ldap_bind_dn: {{ ldaptoolbox_openldap_sasl_binddn }}
+ldap_password: {{ ldaptoolbox_openldap_sasl_bindpw }}
+
+# Autre ...
+# ----------------------------------
+ldap_deref: never
+ldap_restart: yes
+ldap_scope: sub
+ldap_use_sasl: no
+ldap_start_tls: no
+ldap_version: 3
+ldap_auth_method: bind
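Review bot: The closing `Restart saslauthd` and `Restart slapd-ltb` tasks are unconditional, so every run of the role bounces the directory server even when no file changed; register the configuration tasks and gate the restarts on them, e.g. `register: saslauthd_conf` on the `deploy saslauthd.conf template` task and `when: saslauthd_conf is changed or slapd_sasl_conf is changed` on the restart tasks (or move them to handlers with `notify`). The `deploy slapd.conf sasl file` and `Adding user ldap to group saslauth` tasks carry no `ansible_os_family` condition although every preceding task does; `/usr/lib64/sasl2` and the `saslauth` group look Red Hat specific, so on Debian the copy and the group assignment would presumably fail — either add a `when:` for each family or use a per-family path (as far as I know `/etc/sasl2/slapd.conf` is searched by libsasl2 on both families, but that should be confirmed). `append: "yes"` is a quoted string where a boolean is meant; write `append: true`.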
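Review bot: `ldap_start_tls: no` combined with the plain `ldap://` default for `ldaptoolbox_openldap_sasl_servers` in `group_vars/prod.yml` means the `ldap_bind_dn` password and every password saslauthd verifies cross the network in clear text; either document above `ldap_servers` that an `ldaps://` URL is expected, or expose the setting, e.g. `ldap_start_tls: {{ ldaptoolbox_openldap_sasl_start_tls | default('no') }}` (constructed variable name). `ldap_filter: sAMAccountName=%u` hard-codes an Active Directory attribute, which does not match the OpenLDAP-style defaults the same commit adds to `prod.yml`; a templated filter with that value as default would serve both cases. The comments are in French and the commented `ldap_servers` example names what look like real internal hosts under `afp.local`; replace them with a placeholder such as `ldaps://dc1.example.com` and translate the comments to English to match the rest of the role.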