RONCC
/
Dell-Omnia-Clusters-HPC-AI


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219
							#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
#
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
---

- name: Initialize ds389_status
  set_fact:
    ds389_status: false

- name: Fetch hostname
  command: hostname
  register: new_serv_hostname
  changed_when: false

- name: Fetch the short hostname
  command: hostname -s
  register: short_hostname
  changed_when: false

- name: Set fact for server hostname
  set_fact:
    server_hostname_fqdn: "{{ new_serv_hostname.stdout }}"
    server_hostname_short: "{{ short_hostname.stdout }}"
    directory_manager_password: "{{ hostvars['127.0.0.1']['directory_manager_password'] }}"
    kerberos_admin_password: "{{ hostvars['127.0.0.1']['kerberos_admin_password'] }}"
    domain_name: "{{ hostvars['127.0.0.1']['domain_name'] }}"
    realm_name: "{{ hostvars['127.0.0.1']['realm_name'] }}"

- name: Check ldap instance is running or not
  command: dsctl {{ ldap_instance }} status
  changed_when: false
  failed_when: false
  register: ldap1_status

- name: Check ds389_status admin authentication
  shell: set -o pipefail && echo {{ kerberos_admin_password }} | kinit {{ ipa_admin_username }}
  changed_when: false
  failed_when: false
  no_log: true
  register: ds389_status_authentication
 
- name: Modify ds389_status
  set_fact:
    ds389_status: true
  when: 
    - ds389_status_authentication.rc == 0
    - ldap1_install_search_key in ldap1_status.stdout.split(' ')[3]

- block:
    - name: Install 389-ds
      zypper:
        name: "{{ ds389_packages }}"
        state: present 

    - name: Create the ldap1.inf file
      copy:
        src: "{{ role_path }}/files/temp_ldap1.inf"
        dest: "{{ ldap1_config_path }}"
        mode: "{{ file_mode }}"       

    - name: Configure ldap1.inf with domain name
      lineinfile:
        path: "{{ ldap1_config_path }}"
        regexp: "^suffix = dc=omnia,dc=test"
        line: "suffix = dc={{ domain_name.split('.')[0] }},dc={{ domain_name.split('.')[1] }}"

    - name: Configure ldap1.inf with directory manager password
      lineinfile:
        path: "{{ ldap1_config_path }}"
        regexp: "^root_password = password"
        line: "root_password = {{ directory_manager_password }}"  

    - name: Check ldap instance is running or not
      command: dsctl {{ ldap_instance }} status
      changed_when: false
      failed_when: false
      register: ldap1_status

    - name: Creating 389 directory server instance
      shell: dscreate -v from-file {{ ldap1_config_path }} | tee {{ ldap1_output_path }}
      changed_when: true
      when: ldap1_search_key in ldap1_status.stdout
      
    - name: Remove the ldap1.inf
      file:
        path: "{{ ldap1_config_path }}"
        state: absent

    - name: Start dirsrv service
      systemd:
        name: "dirsrv@{{ ldap_instance }}.service"
        state: started
        enabled: yes

    - name: Create the dsrc file
      copy:
        src: "{{ role_path }}/files/temp_dsrc"
        dest: "{{ dsrc_path }}"
        mode: "{{ file_mode }}"

    - name: Configure dsrc file with domain name
      lineinfile:
        path: "{{ dsrc_path }}"
        regexp: "^basedn = dc=omnia,dc=test"
        line: "basedn = dc={{ domain_name.split('.')[0] }},dc={{ domain_name.split('.')[1] }}"

    - name: Start and enable firewalld
      service:
        name: firewalld
        state: started
        enabled: yes

    - name: Permit traffic in default zone for ldap and ldaps service
      firewalld:
        service: "{{ item }}"
        permanent: yes
        state: enabled
      with_items: "{{ ldap_services }}"

    - name: Reload firewalld
      command: firewall-cmd --reload
      changed_when: true

    - name: Stop and disable firewalld
      service:
        name: firewalld
        state: stopped
        enabled: no

    - name: Install kerberos packages
      zypper:
        name: "{{ kerberos_packages }}"
        state: present 

    - name: Check kerberos principal is created or not
      stat:
        path: "{{ kerberos_principal_path }}"
      register: principal_status

    - name: Create the kerberos conf file
      copy:
        src: "{{ role_path }}/files/temp_krb5.conf"
        dest: "{{ kerberos_conf_path }}"
        mode: "{{ file_mode }}"

    - name: Configure kerberos conf file with domain name
      replace:
        path: "{{ kerberos_conf_path }}"
        regexp: "omnia.test"
        replace: "{{ domain_name }}"

    - name: Configure kerberos conf file with realm name
      replace:
        path: "{{ kerberos_conf_path }}"
        regexp: "OMNIA.TEST"
        replace: "{{ realm_name }}"

    - name: Configure kerberos conf file with hostname
      replace:
        path: "{{ kerberos_conf_path }}"
        regexp: "hostname"
        replace: "{{ server_hostname_short }}"

    - block:
        - name: Setting up the kerberos database
          command: "kdb5_util -r {{ realm_name }} -P {{ directory_manager_password }} create -s"
          no_log: true
          changed_when: true
          register: setting_database
          environment:
            PATH: "{{ ansible_env.PATH }}:{{ kerberos_env_path }}"
          when: not principal_status.stat.exists
      rescue:
        - name: Setting up the kerberos database failed
          fail:
            msg: "Error: {{ setting_database.stderr }}"

    - name: Start krb5kdc and kadmind services
      systemd:
        name: "{{ item }}"
        state: started
        enabled: yes
      with_items:
        - krb5kdc
        - kadmind

    - block:
        - name: Create admin principal
          command: kadmin.local -q "ank -pw {{ kerberos_admin_password }} {{ ipa_admin_username }}"
          no_log: true
          changed_when: true
          register: create_admin_principal
          environment:
            PATH: "{{ ansible_env.PATH }}:{{ kerberos_env_path }}"
      rescue:
        - name: Create admin principal failed
          fail:
            msg: "Error: {{ create_admin_principal.stderr }}"

    - name: Authenticate as admin
      shell: set -o pipefail && echo {{ kerberos_admin_password }} | kinit {{ ipa_admin_username }}
      no_log: true
      changed_when: false
  when: not ds389_status

- name: Configure password policy in 389-ds
  command: dsconf -w {{ directory_manager_password }} -D "cn=Directory Manager" ldap://{{ server_hostname_fqdn }} pwpolicy set --pwdlockoutduration {{ hostvars['127.0.0.1']['lockout_duration'] }} --pwdmaxfailures {{ hostvars['127.0.0.1']['max_failures'] }} --pwdresetfailcount {{ hostvars['127.0.0.1']['failure_reset_interval'] }}
  changed_when: true
  when: hostvars['127.0.0.1']['enable_secure_login_node']