Commit af06ad3e authored by Birin Sanchez's avatar Birin Sanchez

ldh_ldap role: Add TLS support.

Signed-off-by: Birin Sanchez's avatarBirin Sanchez <birin.sanchez@puri.sm>
parent 623c7443
......@@ -11,3 +11,13 @@
# If dont declare this variable ansible_domain will be used if
# available. If not example.com will be used instead.
ldh_ldap_domain: freedom.test
# TLS support variables
ldh_ldap_enable_tls: true
ldh_ldap_tls_src_cert_key_file: cert_keys/ldap.freedom.test.key
ldh_ldap_tls_cert_key_file: /etc/ldap/ssl/ldap.freedom.test.key
ldh_ldap_tls_src_cert_file: certs/ldap.freedom.test.crt
ldh_ldap_tls_cert_file: /etc/ldap/ssl/ldap.freedom.test.crt
ldh_ldap_tls_src_ca_cert_file: certs/ca.crt
ldh_ldap_tls_ca_cert_file: /etc/ldap/ssl/ca.crt
......@@ -6,7 +6,11 @@ This role configures OpenLDAP server with basic functionality neede for Keel/LDH
Requirements
------------
This role has only been tested with Ansible 2.7.1
This role has only been tested with Ansible 2.7.1.
If you enable TLS you need to provide certificate and private key
files storing them in directories `certs` and `cert_keys`
respectively. See `ldh_ldap_tls_*` variables description below.
Role Variables
--------------
......@@ -15,13 +19,55 @@ Role Variables
The password that will be used by Debian package manager for the
LDAP adminstrator Default value: `verylongpassword`
* `ldh_ldap_domain`
A line that appears below the title line on the main page.
Default value: The value of `ansible_domain` or `example.com` if
`ansible_domain` is empty.
* `ldh_ldap_enable_tls`
Setting this variable to `True` will configure Slapd to offer
ldaps://. Default value: `False`.
* `ldh_ldap_tls_src_cert_key_file`
Location of the certificate private key that Ansible will copy to
the host. Default value: `cert_keys/ldap.exmaple.com.key`. This is
`cert_keys` directory relative to playbooks directory.
* `ldh_ldap_tls_cert_key_file`
Location on the target host used by Ansible to copy the
certificate private key. Default value:
`/etc/ldap/ssl/ldap.exmaple.com.key`.
* `ldh_ldap_tls_src_cert_file`
Location of the certificate that Ansible will copy to the
host. Default value: `certs/ldap.exmaple.com.crt`. This is `certs`
directory relative to playbooks directory.
* `ldh_ldap_tls_cert_file`
Location on the target host used by Ansible to copy the
certificate. Default value: `/etc/ldap/ssl/ldap.exmaple.com.crt`.
* `ldh_ldap_tls_src_ca_cert_file`
Location of the CA certificate that Ansible will copy to the
host. This variable is **not** defined by default. If your host
certificates were issued by a known CA (already included in
`/etc/ca-certificates.conf`) you don't need this variable nor
`ldh_ldap_tls_ca_cert_file`.
* `ldh_ldap_tls_ca_cert_file`
Location on the target host used by Ansible to copy the CA
certificate. This variable is **not** defined by default. See
`ldh_ldap_tls_src_ca_cert_file` variable description.
Dependencies
------------
......@@ -8,3 +8,11 @@ ldh_ldap_admin_password: verylongpassword
ldh_ldap_domain: "{{ ansible_domain | default('example.com', true) }}"
# base_dn is created spliting domain name by the dot and appending ',dc='
ldh_ldap_base_dn: "dc={{ ldh_ldap_domain.split('.') | join(',dc=') }}"
# TLS support variables
ldh_ldap_enable_tls: False
ldh_ldap_tls_src_cert_key_file: cert_keys/ldap.exmaple.com.key
ldh_ldap_tls_cert_key_file: /etc/ldap/ssl/ldap.exmaple.com.key
ldh_ldap_tls_src_cert_file: certs/ldap.exmaple.com.crt
ldh_ldap_tls_cert_file: /etc/ldap/ssl/ldap.exmaple.com.crt
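Review bot: The four default paths at the end of this hunk spell the domain `exmaple.com`, and the README hunk in this same commit documents the identical misspelling, so the documented defaults do not match a certificate issued for `example.com`; presumably `ldh_ldap_tls_src_cert_key_file: cert_keys/ldap.example.com.key` and the three sibling values are intended. `ldh_ldap_enable_tls: False` should be the lowercase `false` (as `true` is used in the test variables hunk), since the capitalised form is only a YAML 1.1 boolean and yamllint's truthy rule rejects it. The source key path is relative to the playbook directory, which places the private key inside the playbook tree; the README ought to say that this file must stay out of version control or be stored ansible-vault encrypted, which `copy` with `src` handles transparently. The defaults file appears to end with this hunk, so the two lines of the header's 8-line addition that are not visible here may be blank or elsewhere.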
---
# handlers file for ldh_ldap
\ No newline at end of file
# handlers file for ldh_ldap
- name: restart slapd
service:
name: slapd
state: restarted
galaxy_info:
author: your name
description: your description
company: your company (optional)
author: Purism SPC
description: Basic LDAP role for LDH development.
company: Purism SPC
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
license: AGPL-3.0-or-later
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: license (GPLv2, CC-BY, etc)
min_ansible_version: 2.7.1
min_ansible_version: 2.4
platforms:
- name: Debian
versions:
- 9
# If this a Container Enabled role, provide the minimum Ansible Container version.
# min_ansible_container_version:
# Optionally specify the branch Galaxy will use when accessing the GitHub
# repo for this role. During role install, if no tags are available,
# Galaxy will use this branch. During import Galaxy will access files on
# this branch. If Travis integration is configured, only notifications for this
# branch will be accepted. Otherwise, in all cases, the repo's default branch
# (usually master) will be used.
#github_branch:
#
# Provide a list of supported platforms, and for each platform a list of versions.
# If you don't wish to enumerate all versions for a particular platform, use 'all'.
# To view available platforms and versions (or releases), visit:
# https://galaxy.ansible.com/api/v1/platforms/
#
# platforms:
# - name: Fedora
# versions:
# - all
# - 25
# - name: SomePlatform
# versions:
# - all
# - 1.0
# - 7
# - 99.99
galaxy_tags: []
# List tags for your role here, one per line. A tag is a keyword that describes
# and categorizes the role. Users find roles by searching for tags. Be sure to
# remove the '[]' above, if you add tags to this list.
#
# NOTE: A tag is limited to a single word comprised of alphanumeric characters.
# Maximum 20 tags per role.
galaxy_tags:
- ldap
- openldap
- slapd
dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
\ No newline at end of file
# if you add dependencies to this list.
---
# Enable TLS for slapd
- name: Create dir for certificates.
file:
path: /etc/ldap/ssl
state: directory
owner: openldap
group: openldap
mode: 0700
- name: Copy cert and key.
copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: openldap
group: openldap
mode: 0600
loop:
- { src: "{{ ldh_ldap_tls_src_cert_key_file }}",
dest: "{{ ldh_ldap_tls_cert_key_file }}" }
- { src: "{{ ldh_ldap_tls_src_cert_file }}",
dest: "{{ ldh_ldap_tls_cert_file }}" }
- name: Copy CA cert.
copy:
src: "{{ ldh_ldap_tls_src_ca_cert_file }}"
dest: "{{ ldh_ldap_tls_ca_cert_file }}"
owner: openldap
group: openldap
mode: 0600
when: ldh_ldap_tls_src_ca_cert_file is defined
# Slapd expect to receive both attributes (key and cert) in one LDAP
# operation but Ansible sends only attribute per connection... so the
# first one fails and we ignore it. The second one succeeds. See:
# https://github.com/ansible/ansible/issues/25665
- name: Config TLS parameters. First try expected to fail!
ldap_attr:
dn: cn=config
name: "{{ item.key }}"
values: "{{ item.value }}"
state: exact
with_dict:
olcTLSCertificateFile: "{{ ldh_ldap_tls_cert_file }}"
olcTLSCertificateKeyFile: "{{ ldh_ldap_tls_cert_key_file }}"
ignore_errors: True
- name: Config TLS parameters. Second time should be successful!
ldap_attr:
dn: cn=config
name: "{{ item.key }}"
values: "{{ item.value }}"
state: exact
with_dict:
olcTLSCertificateFile: "{{ ldh_ldap_tls_cert_file }}"
olcTLSCertificateKeyFile: "{{ ldh_ldap_tls_cert_key_file }}"
- name: Config TLS CA parameter.
ldap_attr:
dn: cn=config
name: olcTLSCACertificateFile
values: "{{ ldh_ldap_tls_ca_cert_file }}"
state: exact
when: ldh_ldap_tls_ca_cert_file is defined
- name: Configure slapd to listen on port 636
lineinfile:
path: /etc/default/slapd
regexp: '^SLAPD_SERVICES='
line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
notify: restart slapd
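Review bot: Certificate rotation is not picked up: the two `copy` tasks (`Copy cert and key.` and `Copy CA cert.`) carry no `notify`, and on a re-run with new files the `ldap_attr` tasks see unchanged attribute values, so slapd keeps serving the old certificate until something else restarts it; add `notify: restart slapd` to both copy tasks so the existing handler fires when the files change. The file modes `mode: 0700` and `mode: 0600` are unquoted octals that PyYAML turns into integers 448 and 384 — Ansible happens to interpret those correctly, but Ansible's own guidance (and ansible-lint's risky-octal rule) is to write them as strings, `mode: "0700"` and `mode: "0600"`, and `ignore_errors: True` should likewise be `true`. The `SLAPD_SERVICES` line keeps `ldap:///` on port 389 alongside `ldaps:///`, so TLS is offered but not required; that matches the README's wording, but it is worth a comment on that task stating that plaintext LDAP remains reachable so operators do not assume enabling TLS closes it. The ignored first `ldap_attr` attempt also hides genuine failures such as a key file unreadable by slapd; since the second attempt then fails with a less specific message, consider registering the first result and printing it when the second fails.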
......@@ -31,3 +31,7 @@
loop:
- groups
- people
- name: Enable TLS
include: ldap_tls.yml
when: ldh_ldap_enable_tls
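Review bot: `include:` for task files has been deprecated since Ansible 2.4, and this commit raises `min_ansible_version` to 2.7.1, so the new task should use `import_tasks: ldap_tls.yml` (the `when` is then applied to each imported task) or `include_tasks: ldap_tls.yml`. The condition should be written `when: ldh_ldap_enable_tls | bool`, because a value supplied via `-e ldh_ldap_enable_tls=false` arrives as a non-empty string and would otherwise evaluate as truthy and enable TLS. The `loop:` task above the added lines starts outside the hunk.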