Deploying LDAP environments can vary in complexity. It can be as easy as installing OpenLDAP through yum or apt and loading the database or as difficult as bringing up multiple replicated instances of OpenLDAP with integrations for SASL alongside other modules. In such cases deploying new LDAP instances can prove very time consuming. This is where ansible comes in.

Ansible is an open source software provisioning, configuration, and deployment tool. Over at Rex Consulting we have recently started leveraging ansible’s awesome automation capabilities to deploy custom LDAP environments. In this series of articles we will walk you through some the playbooks we came up with.

Custom OpenLDAP Compilation

Variables

All our variables are defined within vars/main.yml. Any environment specific arguments should be placed here. A lot of the variables here may be unnecessary if your use case does not involve compiling OpenLDAP with specific flags. The only variables you most likely will need to change is src_dir which by default is set to /appl/src/

Tasks

We can divide our deployment into 3 sections:

1. Checking dependencies
2. Copying external dependencies (UnixODB, SASL, etc…)
3. Installing OpenLDAP

Further we can partition each section into a different ansible task, all called by the following main.yml:

- import_tasks: check_dependencies.yml
  tags:
    - check:dependencies

- import_tasks: copy_dependencies.yml
  tags:
    - copy:dependencies

- import_tasks: install_openldap.yml
  tags:
    - install:all

Tagging each subsection is useful in case there is a need to rerun a certain subtask. You can specify the subtask by using the -t flag of the ansible-playbook command. We make use of the colon scheme for our tag naming convention but each tag is essentially a single string so the colon does not have a special meaning.

Checking Dependencies

Dependencies may vary based on your environment but typically you will need to have the libtool-ltdl-devel package installed. You can add any additional dependencies to the dependencies list in the vars/main.yml file.

We can install any dependencies using the yum module:

- name: Check and install dependencies
  yum:
    name: "{{ dependencies }}"
    state: present
  become: yes
  become_method: su
  become_exe: "{{ sudo_cmd }}"
  become_flags: ""

If you want an up to date list of installed packages you can run the package_facts module:

- name: Gather the rpm package facts
  package_facts:
    manager: auto

Copying Dependencies

This step is straightforward. We stick any dependencies inside of the files/ directory. Typically they are compressed tar files (tgz) where we can use the unarchive module to extract the file from the source server into a directory in all the target servers:

- name: Decompress openldap
  unarchive:
    src: openldap-{{ openldap_version }}.tgz
    dest: "{{ src_dir }}"

Installing OpenLDAP and Dependencies

If custom flags are needed for compilation you can modify the corresponding args variable. For example, for our default configuration we have the followings openldap args set as follows:

openldap_config_args: --prefix={{ openldap_install_dir }} --disable-bdb --disable-hdb --enable-ldap --enable-meta --enable-sql --enable-overlays --enable-spasswd --enable-modules --with-cyrus-sasl --with-tls=openssl

This allows us to remove certain modules we have no use for. We can then use the openldap_config_args variable for the configure script flag:

- name: Compile OpenLDAP
  environment: "{{ working_env }}"
  shell: |
    make distclean
    ./configure {{ openldap_config_args }}
    make depend
    make
    make install
  args:
    chdir: "{{ src_dir }}openldap-{{ openldap_version }}"
  register: result
  tags:
    - install:openldap

Notice that the actual compilation happens within the shell module but now we can call on the flags we specified in the openldap_config_args variable.

You can find the complete code over at our github page.

Ansible LDAP OpenLDAP