From 51f01858c1abf8520d66377b0353acaad08c9826 Mon Sep 17 00:00:00 2001 From: "Andreas B. Mundt" Date: Sat, 3 Apr 2021 23:10:24 +0200 Subject: [PATCH] Implement self signed certificate for slapd. --- roles/ldap/defaults/main.yml | 2 ++ roles/ldap/tasks/main.yml | 37 +++++++++++++++++++++++++---- roles/ldap/templates/slapd-TLS.ldif | 9 +++++++ 3 files changed, 44 insertions(+), 4 deletions(-) create mode 100644 roles/ldap/templates/slapd-TLS.ldif
diff --git a/roles/ldap/defaults/main.yml b/roles/ldap/defaults/main.yml
index d383ca2..e126f1e 100644
--- a/roles/ldap/defaults/main.yml
+++ b/roles/ldap/defaults/main.yml
@@ -1,6 +1,8 @@
 ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd chars=ascii_letters,digits length=32') }}"
 ldap_admin_pwd_file: "/root/ldap-admin.pwd"
 basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
+TLSCertificateFile: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+TLSCertificateKeyFile: "/etc/ssl/private/ssl-cert-snakeoil.key"
 lan_homes: /home/lan
 min_id: 10000
 max_id: 20000
diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml
index 589b07c..6e88311 100644
--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
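Review bot: The two new defaults point slapd at the Debian snakeoil pair, a self-signed certificate that, as far as I recall, is generated from the host's own name when ssl-cert is installed; the role elsewhere publishes an `ldap` alias hostname, so clients connecting as `ldap` will likely fail hostname verification against it unless they pin the file the way this patch does in ldap.conf. That assumption deserves a comment next to the variables, e.g. `# Self-signed default generated by ssl-cert; replace with a CA-issued pair (and point clients at the CA) when hosts outside this role must verify the server`. The names also break the role's `lower_snake_case` convention seen in `ldap_admin_pwd` and `lan_homes` and carry no role prefix, so they can collide with variables of other roles; `ldap_tls_certificate_file` / `ldap_tls_certificate_key_file` would be consistent and safer.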
@@ -39,27 +39,49 @@ no_log: true when: not slapd.stat.exists -- name: install slapd, ldap-utils, ldapvi and python3-ldap +- name: install packages for LDAP apt: name: - slapd - ldap-utils - ldapvi - python3-ldap + - ssl-cert state: latest +- name: add openldap to the ssl-cert group + user: + name: openldap + groups: ssl-cert + append: yes + register: ssl_cert_group + +- name: restart slapd + systemd: name=slapd state=restarted + when: ssl_cert_group.changed + - name: make initial slapd configuration available copy: src: slapd-config.ldif - dest: /etc/ldap/slapd.d/slapd-config.ldif + dest: /etc/ldap/slapd.d/ + when: not slapd.stat.exists + +- name: make slapd TLS configuration available + template: + src: slapd-TLS.ldif + dest: /etc/ldap/slapd.d/ when: not slapd.stat.exists - name: activate ppolicy schema - command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif + command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif when: not slapd.stat.exists - name: initialize slapd if it has just been installed - command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif + command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif + when: not slapd.stat.exists + +- name: configure LDAP TLS + command: ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-TLS.ldif when: not slapd.stat.exists - name: "make 'ldap' an alias hostname resolvable from the LAN" @@ -81,6 +103,13 @@ line: "BASE {{ basedn }}" insertafter: "#BASE.*" +- name: check against self signed certificate + replace: + path: /etc/ldap/ldap.conf + regexp: "^(TLS_CACERT\\s+/etc/ssl/certs/ca-certificates.crt)$" + replace: '#\1\nTLS_CACERT\t{{ TLSCertificateFile }}' + when: not slapd.stat.exists + ####################################################################################### ## Use the admin password saved to file from now on (available also after installation): - name: slurp admin password 
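Review bot: Loading slapd-TLS.ldif makes TLS available but nothing in the hunk requires it: the plain `ldap://` listener still accepts cleartext simple binds, so directory passwords from LAN clients that do not issue STARTTLS remain unprotected. If the intent is to protect credentials, an `olcSecurity` setting (with `olcLocalSSF` left high enough that the `ldapi:/// -Y EXTERNAL` tasks keep working) belongs in the same LDIF, or the limitation should be stated in the task name or a comment such as `# TLS is offered, not enforced`. Both the template task and the `ldapmodify` task are gated on `not slapd.stat.exists`, so a later change to `TLSCertificateFile`/`TLSCertificateKeyFile` never reaches `cn=config`; an idempotent `replace:` based LDIF could run on every play instead. Minor style: `systemd: name=slapd state=restarted` should be block YAML (`systemd:` / `name: slapd` / `state: restarted`), and `append: yes` should read `append: true`.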
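Review bot: The ldap.conf change pins `TLS_CACERT` to `TLSCertificateFile`, i.e. to the server's own leaf certificate; that verifies only while the certificate is self-signed, and as soon as the variable is overridden with a CA-issued certificate every client on this host fails verification because a leaf is not a trust anchor. A separate variable for the CA file, defaulting to the same snakeoil path, would keep both cases working and make the pinning explicit, e.g. `replace: '#\1\nTLS_CACERT\t{{ <ca_file_variable> }}'` with the placeholder replaced by the new variable. Commenting out the `ca-certificates.crt` line also drops the system trust store for this host's LDAP clients, which is reversible but worth a comment on the task since `TLS_REQCERT` keeps its strict default.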
diff --git a/roles/ldap/templates/slapd-TLS.ldif b/roles/ldap/templates/slapd-TLS.ldif
new file mode 100644
index 0000000..e94216f
--- /dev/null
+++ b/roles/ldap/templates/slapd-TLS.ldif
@@ -0,0 +1,9 @@
+#### ENABLE LDAP TLS ####
+dn: cn=config
+changetype: modify
+add: olcTLSCertificateFile
+olcTLSCertificateFile: {{ TLSCertificateFile }}
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: {{ TLSCertificateKeyFile }}
+-
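Review bot: Both modifications use `add:`, so running `ldapmodify` a second time against a config that already carries the attributes fails with an attribute-exists error; that is why the calling task is gated on first install, but `replace: olcTLSCertificateFile` / `replace: olcTLSCertificateKeyFile` would make the LDIF idempotent and let the play pick up changed paths. The file sets only the leaf certificate and key: with a CA-issued certificate slapd would also need `olcTLSCACertificateFile` to serve the chain, so either add it now (templated from a variable) or state in the header comment that the file assumes a self-signed pair. Nothing here constrains protocol versions or cipher suites (`olcTLSProtocolMin`, `olcTLSCipherSuite`); if the defaults of the installed OpenLDAP build are not acceptable for the deployment, this is the place to set them.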