it-team/lmn-client
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Implement self signed certificate for slapd.

Browse source
This commit is contained in:
Andreas B. Mundt 2021-04-03 23:10:24 +02:00 committed by Andreas B. Mundt
parent cef622fa33
commit 51f01858c1
3 changed files with 44 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
roles/ldap/defaults/main.yml
View file

@ -1,6 +1,8 @@
ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd chars=ascii_letters,digits length=32') }}" ldap_admin_pwd: "{{ lookup('password', '/tmp/ldap_admin.pwd chars=ascii_letters,digits length=32') }}"
ldap_admin_pwd_file: "/root/ldap-admin.pwd" ldap_admin_pwd_file: "/root/ldap-admin.pwd"
basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}" basedn: "{{ 'dc=' + ( ansible_domain | replace('^.','') | replace('.$','') | replace('.',',dc=')) }}"
TLSCertificateFile: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
TLSCertificateKeyFile: "/etc/ssl/private/ssl-cert-snakeoil.key"
lan_homes: /home/lan lan_homes: /home/lan
min_id: 10000 min_id: 10000
max_id: 20000 max_id: 20000

33
roles/ldap/tasks/main.yml
View file

@ -39,19 +39,37 @@
no_log: true no_log: true
when: not slapd.stat.exists when: not slapd.stat.exists
- name: install slapd, ldap-utils, ldapvi and python3-ldap - name: install packages for LDAP
apt: apt:
name: name:
- slapd - slapd
- ldap-utils - ldap-utils
- ldapvi - ldapvi
- python3-ldap - python3-ldap
- ssl-cert
state: latest state: latest
- name: add openldap to the ssl-cert group
user:
name: openldap
groups: ssl-cert
append: yes
register: ssl_cert_group
- name: restart slapd
systemd: name=slapd state=restarted
when: ssl_cert_group.changed
- name: make initial slapd configuration available - name: make initial slapd configuration available
copy: copy:
src: slapd-config.ldif src: slapd-config.ldif
dest: /etc/ldap/slapd.d/slapd-config.ldif dest: /etc/ldap/slapd.d/
when: not slapd.stat.exists
- name: make slapd TLS configuration available
template:
src: slapd-TLS.ldif
dest: /etc/ldap/slapd.d/
when: not slapd.stat.exists when: not slapd.stat.exists
- name: activate ppolicy schema - name: activate ppolicy schema
@ -62,6 +80,10 @@
command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif command: ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-config.ldif
when: not slapd.stat.exists when: not slapd.stat.exists
- name: configure LDAP TLS
command: ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/slapd.d/slapd-TLS.ldif
when: not slapd.stat.exists
- name: "make 'ldap' an alias hostname resolvable from the LAN" - name: "make 'ldap' an alias hostname resolvable from the LAN"
replace: replace:
path: /etc/hosts path: /etc/hosts
@ -81,6 +103,13 @@
line: "BASE {{ basedn }}" line: "BASE {{ basedn }}"
insertafter: "#BASE.*" insertafter: "#BASE.*"
- name: check against self signed certificate
replace:
path: /etc/ldap/ldap.conf
regexp: "^(TLS_CACERT\\s+/etc/ssl/certs/ca-certificates.crt)$"
replace: '#\1\nTLS_CACERT\t{{ TLSCertificateFile }}'
when: not slapd.stat.exists
####################################################################################### #######################################################################################
## Use the admin password saved to file from now on (available also after installation): ## Use the admin password saved to file from now on (available also after installation):
- name: slurp admin password - name: slurp admin password

9
roles/ldap/templates/slapd-TLS.ldif Normal file
View file

@ -0,0 +1,9 @@
#### ENABLE LDAP TLS ####
dn: cn=config
changetype: modify
add: olcTLSCertificateFile
olcTLSCertificateFile: {{ TLSCertificateFile }}
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: {{ TLSCertificateKeyFile }}
-