reallyenglish.cyrus-sasl

ansible-role-cyrus-sasl

This role installs cyrus-sasl, saslauthd, and sets up users in the SASL database file. It only supports local SASL database and saslauthd. If you need other types of back-end systems, this role won't work for you.

`sasl_check_pw`

This role includes a Python script that checks a user's password. The script is placed in /usr/local/bin across all platforms. Since there's no way to verify if a password defined in a role variable matches the password in the database, the script reads the cyrus_sasl_sasldb_file to find the user and their password. It expects the cyrus_sasl_sasldb_file to be in dbm format.

sasl_check_pw path user domain

Here, path is the location of the cyrus_sasl_sasldb_file, user is the username in that file, and domain is the user's domain name. You should set the password to check in an environment variable called userPassword. If the password matches the one in the database, the script will print matched to the standard output. If it does not match, it will print does not match. The script needs to be run by a user who has read access to the cyrus_sasl_sasldb_file.

Requirements

No specific requirements.

Role Variables

Variable	Description	Default
`cyrus_sasl_package`	The package name of `cyrus-sasl`	`{{ __cyrus_sasl_package }}`
`cyrus_sasl_saslauthd_service`	The service name of `saslauthd`	`{{ __cyrus_sasl_saslauthd_service }}`
`cyrus_sasl_saslauthd_enable`	Set to yes to enable `saslauthd`	yes
`cyrus_sasl_saslauthd_flags`	Dictionary of service variables and their values	`{}`
`cyrus_sasl_saslauthd_flags_default`	Default values for service variables	`{{ __cyrus_sasl_saslauthd_flags_default }}`
`cyrus_sasl_plugin_dir`	Directory for plugin configurations	`{{ __cyrus_sasl_plugin_dir }}`
`cyrus_sasl_saslpassword_command`	Command to manage user passwords	`{{ __cyrus_sasl_saslpassword_command }}`
`cyrus_sasl_sasldblistusers_command`	Command to list users in the database	`{{ __cyrus_sasl_sasldblistusers_command }}`
`cyrus_sasl_sasldb_file`	Path to the SASL database file	`{{ __cyrus_sasl_sasldb_file }}`
`cyrus_sasl_sasldb_owner`	Owner of the SASL database file	`root`
`cyrus_sasl_sasldb_group`	Group for the SASL database file	`{{ __cyrus_sasl_sasldb_group }}`
`cyrus_sasl_sasldb_file_permission`	File permissions for the SASL database file	`{{ __cyrus_sasl_sasldb_file_permission }}`
`cyrus_sasl_config`	Dictionary of application configurations	`{}`
`cyrus_sasl_user`	Dictionary of users in the SASL database	`{}`

`cyrus_sasl_saslauthd_flags`

This variable is a dictionary of configuration variables for startup files like those found under /etc/default, /etc/sysconfig, and /etc/rc.conf.d. It assumes these files are read by the startup system using sh(1). Each key in the dictionary is a variable name in the file, and its value is the corresponding value. The variable combines with another variable with the same name but ending with _default (explained below) to create the startup configuration file.

For OpenBSD, only the key flags is valid, and its value goes to daemon_flags in rc.conf(5), where daemon is the name of a script that controls an rc.d(8) daemon.

`cyrus_sasl_saslauthd_flags_default`

This variable contains default key-value pairs from the upstream configuration and should remain constant unless absolutely necessary to change. By default, the role creates a startup configuration file for each platform based on this variable, identical to the default settings.

For OpenBSD, this variable only has a single key, flags, with an empty string as its value.

`cyrus_sasl_config`

The key represents the application name. The value is a dictionary where each key is a variable name and its value is the corresponding value. Example:

cyrus_sasl_config:
    myapp:
        pwcheck_method: saslauthd

`cyrus_sasl_user`

The key is the username, and its value is a dictionary.

Key	Value
`domain`	The user's domain
`password`	The user's password
`appname`	The application name for the user
`state`	Either `present` (to create the user) or `absent` (to delete the user)

Example:

cyrus_sasl_user:
  foo:
    domain: reallyenglish.com
    password: password
    appname: argus
    state: present

Debian-Specific Variables

Variable	Default
`__cyrus_sasl_package`	`libsasl2-2`
`__cyrus_sasl_saslauthd_service`	`saslauthd`
`__cyrus_sasl_saslauthd_flags_default`	`{"MECHANISMS"=>"pam", "MECH_OPTIONS"=>"", "THREADS"=>5, "OPTIONS"=>"-c -m /var/run/saslauthd"}`
`__cyrus_sasl_plugin_dir`	`/usr/lib/sasl2`
`__cyrus_sasl_saslpassword_command`	`saslpasswd2`
`__cyrus_sasl_sasldblistusers_command`	`sasldblistusers2`
`__cyrus_sasl_sasldb_file`	`/etc/sasldb2`
`__cyrus_sasl_sasldb_file_permission`	`0660`
`__cyrus_sasl_sasldb_group`	`root`

FreeBSD-Specific Variables

Variable	Default
`__cyrus_sasl_package`	`cyrus-sasl`
`__cyrus_sasl_saslauthd_service`	`saslauthd`
`__cyrus_sasl_saslauthd_flags_default`	`{}`
`__cyrus_sasl_plugin_dir`	`/usr/local/lib/sasl2`
`__cyrus_sasl_saslpassword_command`	`saslpasswd2`
`__cyrus_sasl_sasldblistusers_command`	`sasldblistusers2`
`__cyrus_sasl_sasldb_file`	`/usr/local/etc/sasldb2`
`__cyrus_sasl_sasldb_file_permission`	`600`
`__cyrus_sasl_sasldb_group`	`wheel`

OpenBSD-Specific Variables

Variable	Default
`__cyrus_sasl_package`	`cyrus-sasl--`
`__cyrus_sasl_saslauthd_service`	`saslauthd`
`__cyrus_sasl_saslauthd_flags_default`	`{"flags"=>"-a getpwent"}`
`__cyrus_sasl_plugin_dir`	`/usr/local/lib/sasl2`
`__cyrus_sasl_saslpassword_command`	`saslpasswd2`
`__cyrus_sasl_sasldblistusers_command`	`sasldblistusers2`
`__cyrus_sasl_sasldb_file`	`/etc/sasldb2`
`__cyrus_sasl_sasldb_file_permission`	`600`
`__cyrus_sasl_sasldb_group`	`wheel`

RedHat-Specific Variables

Variable	Default
`__cyrus_sasl_package`	`cyrus-sasl`
`__cyrus_sasl_saslauthd_service`	`saslauthd`
`__cyrus_sasl_saslauthd_flags_default`	`{"SOCKETDIR"=>"/run/saslauthd", "MECH"=>"pam", "FLAGS"=>""}`
`__cyrus_sasl_plugin_dir`	`/usr/lib64/sasl2`
`__cyrus_sasl_saslpassword_command`	`saslpasswd2`
`__cyrus_sasl_sasldblistusers_command`	`sasldblistusers2`
`__cyrus_sasl_sasldb_file`	`/etc/sasldb2`
`__cyrus_sasl_sasldb_file_permission`	`0640`
`__cyrus_sasl_sasldb_group`	`root`

Dependencies

No dependencies.

Example Playbook

- hosts: localhost
  roles:
    - ansible-role-cyrus-sasl
  vars:
    cyrus_sasl_user:
      foo:
        domain: reallyenglish.com
        password: password
        appname: argus
        state: present
    cyrus_sasl_config:
      myapp:
        pwcheck_method: saslauthd
      argus:
        pwcheck_method: auxprop
        auxprop_plugin: sasldb
        mech_list: DIGEST-MD5
    cyrus_sasl_sasldb_group: "{% if ansible_os_family == 'Debian' %}nogroup{% else %}nobody{% endif %}"
    cyrus_sasl_sasldb_file_permission: "0640"

    extra_variables_debian:
      THREADS: 6
    extra_variables_redhat:
      FLAGS: -n 6
    extra_variables_freebsd:
      saslauthd_flags: -a pam -n 6
    extra_variables_openbsd:
      flags: -a getpwent -n 6
    cyrus_sasl_saslauthd_flags: "{% if ansible_os_family == 'Debian' %}{{ extra_variables_debian }}{% elif ansible_os_family == 'RedHat' %}{{ extra_variables_redhat }}{% elif ansible_os_family == 'FreeBSD' %}{{ extra_variables_freebsd }}{% elif ansible_os_family == 'OpenBSD' %}{{ extra_variables_openbsd }}{% endif %}"

License

Copyright (c) 2017 Tomoyuki Sakurai <[email protected]>

You can use, copy, modify, and share this software for any purpose, for free, as long as you include this copyright and permission notice in any copies. 

THE SOFTWARE IS PROVIDED "AS IS", AND THE AUTHOR DISCLAIMS ALL WARRANTIES. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DAMAGES RESULTING FROM THE USE OF THIS SOFTWARE.

Author Information

Tomoyuki Sakurai tomoyukis@reallyenglish.com

This README was created by qansible

Informazioni sul progetto

Configures cyrus-sasl and users in SASL DB file

role system

Installa

ansible-galaxy install reallyenglish.cyrus-sasl

GitHub repository

1 stelle

1 fork

3 problemi aperti

Licenza

isc

Download

17.2k

Proprietario

EdulinX