convert existing UNIX users to LDAP

suhancz · Mar 9, 2024 · 90ea922 · 90ea922
1 parent ebcf4ef
commit 90ea922
Show file tree

Hide file tree

Showing 5 changed files with 167 additions and 15 deletions.
diff --git a/files/ldap/extract_user_data_to_migrate.sh b/files/ldap/extract_user_data_to_migrate.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# idea taken from https://www.cyberciti.biz/faq/howto-move-migrate-user-accounts-old-to-new-server/
+export UGIDLIMIT=1000
+awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/passwd > /var/tmp/passwd.mig
+awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/group > /var/tmp/group.mig
+awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534) {print $1}' /etc/passwd | tee - |egrep -f - /etc/shadow > /var/tmp/shadow.mig
+cp /etc/gshadow /var/tmp/gshadow.mig
diff --git a/tasks/convert_user_to_ldif.yml b/tasks/convert_user_to_ldif.yml
@@ -0,0 +1,81 @@
+---
+- name: Select passwd line
+  ansible.builtin.command: 'grep "^{{ user_data_item.name }}:" /var/tmp/passwd.mig'
+  register: passwd_mig_content
+  changed_when: passwd_mig_content.rc == 0
+  failed_when: (passwd_mig_content.rc != 0) and (passwd_mig_content.stderr | length > 0)
+- name: "Migrate already existing user {{ user_data_item.name }}"
+  when: passwd_mig_content.changed
+  block:
+    - name: Set passwd line
+      ansible.builtin.copy:
+        content: "{{ passwd_mig_content.stdout }}"
+        dest: "/var/tmp/{{ user_data_item.name }}.mig"
+        mode: u=rw,og=r
+        backup: yes
+        owner: root
+        group: root
+    - name: "Convert to LDIF: {{ user_data_item.name }}"
+      ansible.builtin.command: "/usr/share/migrationtools/migrate_passwd.pl /var/tmp/{{ user_data_item.name }}.mig /var/tmp/{{ user_data_item.name }}.ldif"
+      environment:
+        DEFAULT_MAIL_DOMAIN: "{{ mailserver_domain }}"
+        DEFAULT_MAIL_HOST: "{{ mailserver_domain }}"
+        LDAP_BASEDN: "dc={{ mailserver_domain | split('.') | join(',dc=') }}"
+        LDAPHOST: "{{ mailserver_domain }}"
+        LDAP_BINDDN: "cn=Directory Manager"
+        LDAP_BINDCRED: "{{ ldap_admin_password }}"
+        LDAP_PROFILE: "yes"
+    - name: Define unique values in LDIF
+      ansible.builtin.lineinfile:
+        path: "/var/tmp/{{ user_data_item.name }}.ldif"
+        line: "{{ ldif_unique_value }}"
+        regex: "^{{ ldif_unique_value | split(':') | first }}: .*"
+        state: present
+        backup: yes
+      loop:
+        - "dn: uid={{ user_data_item.name }},ou=aliases,dc={{ mailserver_domain | split('.') | join(',dc=') }}"
+        - 'sn: {{ user_data_item.surname | default(default_surname) }}'
+        - 'mailAlternateAddress: {{ user_data_item.old_imap_mail.user }}'
+        - 'loginShell: /bin/bash'
+        - 'preferredLanguage: en_US'
+        - 'cn: {{ user_data_item.firstname | default(user_data_item.name) }} {{ user_data_item.surname | default(default_surname) }}'
+        - 'displayName: {{ user_data_item.name }}'
+        - 'mail: {{ user_data_item.name }}@{{ mailserver_domain }}'
+        - 'uid: {{ user_data_item.name }}'
+      loop_control:
+        loop_var: ldif_unique_value
+    - name: "Add extra fields to {{ user_data_item.name }}.ldif"
+      ansible.builtin.lineinfile:
+        path: "/var/tmp/{{ user_data_item.name }}.ldif"
+        line: "{{ ldif_item }}"
+        state: present
+        backup: yes
+      loop:
+        - 'objectClass: top'
+        - 'objectClass: kolabinetorgperson'
+        - 'objectClass: inetorgperson'
+        - 'objectClass: kolabinetorgperson'
+        - 'objectClass: mailrecipient'
+        - 'objectClass: organizationalperson'
+        - 'objectClass: person'
+      loop_control:
+        loop_var: ldif_item
+    - name: "Add aliases to {{ user_data_item.name }}.ldif"
+      ansible.builtin.lineinfile:
+        path: "/var/tmp/{{ user_data_item.name }}.ldif"
+        line: "alias: {{ alias_item }}"
+        state: present
+        backup: yes
+      loop: "{{ user_data_item.aliases }}"
+      loop_control:
+        loop_var: alias_item
+    - name: "Clear empty lines from {{ user_data_item.name }}.ldif"
+      ansible.builtin.lineinfile:
+        path: "/var/tmp/{{ user_data_item.name }}.ldif"
+        regex: '^$'
+        state: absent
+        backup: yes
+    - name: "Update LDAP entries: {{ user_data_item.name }}"
+      ansible.builtin.command: '{{ ldapadd_command }} /var/tmp/{{ user_data_item.name }}.ldif'
+      register: add_user_to_ldap
+      changed_when: add_user_to_ldap.rc != 0 and 'Already exists' in add_user_to_ldap.stderr
diff --git a/tasks/kolab.yml b/tasks/kolab.yml
@@ -10,8 +10,6 @@
   failed_when: kolab_setup.rc != 0 and "existing" not in kolab_setup.stderr
   changed_when: kolab_setup.rc == 0
   no_log: true
-  tags:
-    - configuration
 
 # Disable version info
 - name: Add config httpd.conf
@@ -56,8 +54,6 @@
     - /etc/opt/remi/php74/php.ini
   notify: 
     - Restart httpd
-  tags:
-    - configuration
 
 - name: Configure kolab.conf
   community.general.ini_file:
@@ -84,7 +80,6 @@
   notify: 
     - Restart kolab
   tags:
-    - configuration
     - users
 
 # Kolab Patch for Multidomains

diff --git a/tasks/ldap.yml b/tasks/ldap.yml
@@ -70,11 +70,18 @@
   notify:
     - Restart nscd
     - Restart sssd
+- name: Add sudoers to nsswitch.conf if not there yet
+  ansible.builtin.lineinfile:
+    path: /etc/nsswitch.conf
+    line: 'sudoers: files sss'
+    regex: "^sudoers: .*"
+    state: present
+    backup: yes
 - name: Configure nsswitch.conf
   ansible.builtin.lineinfile:
     path: /etc/nsswitch.conf
     line: '\1 sss'
-    regex: "^({{ nsswitch_item }}: .*$)"
+    regex: "^({{ nsswitch_item }}: .*(?<! sss)$)"
     backrefs: yes
     state: present
     backup: yes
@@ -132,10 +139,47 @@
     state: present
     backup: yes
   notify: Restart sssd
+
 - name: Migrate OS data to LDAP
-  ansible.builtin.command: /usr/share/migrationtools/migrate_all_online.sh
-  environment:
-    LDAP_BASEDN: "dc={{ mailserver_domain | split('.') | join(',dc=') }}"
-    LDAPHOST: "{{ mailserver_domain }}"
-    LDAP_BINDDN: "cn=Directory Manager"
-    LDAP_BINDCRED: "{{ ldap_admin_password }}"
+  block:
+#   ansible.builtin.command: /usr/share/migrationtools/migrate_all_online.sh
+#   environment:
+#     DEFAULT_MAIL_DOMAIN: "{{ mailserver_domain }}"
+#     DEFAULT_MAIL_HOST: "{{ mailserver_domain }}"
+#     LDAP_BASEDN: "dc={{ mailserver_domain | split('.') | join(',dc=') }}"
+#     LDAPHOST: "{{ mailserver_domain }}"
+#     LDAP_BINDDN: "cn=Directory Manager"
+#     LDAP_BINDCRED: "{{ ldap_admin_password }}"
+#     LDAP_PROFILE: "yes"
+    - name: Clean up former migration attempts
+      file:
+        path: "/var/tmp/{{ migration_file }}"
+        state: absent
+      loop:
+        - passwd.mig
+        - group.mig
+        - shadow.mig
+        - gshadow.mig
+        - group.ldif
+        - passwd.ldif
+      loop_control:
+        loop_var: migration_file
+    - name: Set variable for ldapadd command parameters
+      set_fact:
+        ldapadd_command: 'ldapadd -c -x -h {{ mailserver_domain }} -D "cn=Directory Manager" -w "{{ ldap_admin_password }}" -f '
+    - name: Deploy user data extraction script
+      ansible.builtin.copy:
+        src: files/ldap/extract_user_data_to_migrate.sh
+        dest: /var/tmp/
+        mode: u=rwx,og=rx
+        backup: yes
+        force: yes
+        owner: root
+        group: root
+    - name: Extract user data from the OS
+      ansible.builtin.command: /var/tmp/extract_user_data_to_migrate.sh
+    - name: "Update LDAP entries: {{ user_data_item }}"
+      ansible.builtin.include_tasks: convert_user_to_ldif.yml
+      loop: "{{ users }}"
+      loop_control:
+        loop_var: user_data_item
diff --git a/tasks/packages.yml b/tasks/packages.yml
@@ -226,9 +226,30 @@
   loop:
     - "@389ds/389-directory-server"
     - "eclipseo/golang-ng custom-1-x86_64"
-    - "suhanc/MigrationTools"
+    # - "suhanc/MigrationTools"
   register: enable_copr_repo
   changed_when: enable_copr_repo.rc == 0
+- name: Set CentOS 7 repo for MigrationTools
+  tags:
+    - ldap
+  ansible.builtin.blockinfile:
+    path: /etc/yum.repos.d/CentOS-Base.repo
+    marker: "# {mark} ANSIBLE MANAGED BLOCK CentOS 7 repository"
+    block: |
+      [CentOS-Base]
+      name=CentOS-Base
+      mirrorlist=http://mirrorlist.centos.org/?release=7&arch=$basearch&repo=os&infra=$infra
+      #baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
+      gpgcheck=1
+      gpgkey=http://mirror.centos.org/centos/7/os/x86_64/RPM-GPG-KEY-CentOS-7
+      exclude=cloud-utils-growpart
+      enabled=0
+    mode: u=rw,og=r
+    owner: root
+    group: root
+    state: present
+    backup: yes
+    create: yes
 - name: Enable the php:remi-7.4 DNF module
   tags:
     # - horde
@@ -389,8 +410,8 @@
       # - libsss_sudo
       # - symas-openldap-clients
       # - symas-openldap-servers
+      - openldap-servers
       - nss-pam-ldapd
-      - migrationtools
       # - php56-php-bcmath
       # - php56-php-channel-horde
       # - php56-php-horde-horde-lz4
@@ -575,12 +596,16 @@
 #     enabled: yes
 #     state: restarted
 - name: Install EL7 packages
+  tags: ldap
   ansible.builtin.dnf:
     name:
       - wiredtiger
       - wiredtiger-devel
       - getmail
-    enablerepo: epel-el7
+      - migrationtools
+    enablerepo:
+      - CentOS-Base
+      - epel-el7
     state: latest # noqa package-latest I do prefer fresh stuff ;)
 - name: Enable WireGuard kernel module
   tags: wireguard