8 changed files with 194 additions and 0 deletions
@ -1,4 +1,5 @@
|
||||
--- |
||||
- hosts: ldap_server |
||||
roles: |
||||
- geerlingguy.certbot |
||||
- ldap_server |
||||
|
@ -0,0 +1,29 @@
|
||||
--- |
||||
|
||||
- name: check if key and cert already present in ldap configuration folder |
||||
stat: |
||||
path: "{{ openldap_confdir }}/sasl2/privkey.pem" |
||||
register: privkey_exist |
||||
|
||||
- name: if key and cert not already present, copy them |
||||
shell: "cp -pf /etc/letsencrypt/live/l01.wirebrass.fr/*.pem {{ openldap_confdir }}/sasl2/" |
||||
when: not privkey_exist.stat.exists |
||||
|
||||
- name: if key and cert not already present, fix permissions |
||||
shell: "chown openldap: {{ openldap_confdir }}/sasl2/*.pem" |
||||
when: not privkey_exist.stat.exists |
||||
|
||||
- name: link to ca-certificates created |
||||
file: |
||||
src: /etc/ssl/certs/ca-certificates.crt |
||||
dest: "{{ openldap_confdir }}/sasl2/ca-certificates.crt" |
||||
state: link |
||||
|
||||
- name: OpenLDAP DH Parameters generated |
||||
openssl_dhparam: |
||||
path: "{{ openldap_confdir }}/sasl2/slapd.dh.params" |
||||
size: 2048 |
||||
owner: openldap |
||||
group: openldap |
||||
mode: 0600 |
||||
|
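Review bot: The copy of the Let's Encrypt material is guarded by `when: not privkey_exist.stat.exists`, so after certbot renews the certificate the `*.pem` files under `{{ openldap_confdir }}/sasl2/` are never refreshed and slapd keeps serving the old, eventually expired, certificate; the two `shell` tasks are also non-idempotent and hard-code the host `l01.wirebrass.fr`. Replacing them with a single `copy` task using `remote_src: true` makes the run idempotent, updates the files whenever the source changes, sets ownership and mode in one place, and can notify the `restart slapd` handler the other tasks already use; the certificate name should come from a variable rather than the literal hostname (shown below as `ldap_tls_cert_name`, a constructed name to be defined in the role defaults). The `mode: 0600` on the `openssl_dhparam` task should be quoted, `mode: "0600"`, to avoid YAML octal ambiguity, and note that the generated `slapd.dh.params` file is not referenced anywhere because the `olcTLSDHParamFile` task in the TLS tasks file is commented out.
```yaml
- name: copy Let's Encrypt key and certificates into the slapd sasl2 directory
  copy:
    src: "/etc/letsencrypt/live/{{ ldap_tls_cert_name }}/{{ item }}"
    dest: "{{ openldap_confdir }}/sasl2/{{ item }}"
    remote_src: true
    owner: openldap
    group: openldap
    mode: "0600"
  loop:
    - privkey.pem
    - cert.pem
    - fullchain.pem
  notify: "restart slapd"

# … unchanged: ca-certificates link and openssl_dhparam tasks …
```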
@ -0,0 +1,124 @@
|
||||
--- |
||||
|
||||
- name: olcTLSCACertificateFile configured (cn=config) |
||||
ldap_attr: |
||||
dn: "cn=config" |
||||
name: olcTLSCACertificateFile |
||||
values: "{{ openldap_confdir }}/sasl2/fullchain.pem" |
||||
state: exact |
||||
start_tls: yes |
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" |
||||
bind_dn: "{{ ldap_config_admin_user_dn }}" |
||||
bind_pw: "{{ ldap_config_admin_user_password }}" |
||||
notify: "restart slapd" |
||||
|
||||
- name: olcTLSCACertificateFile configured (cn=config) |
||||
ldap_attr: |
||||
dn: "cn=config" |
||||
name: olcTLSCertificateKeyFile |
||||
values: "{{ openldap_confdir }}/sasl2/privkey.pem" |
||||
state: exact |
||||
start_tls: yes |
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" |
||||
bind_dn: "{{ ldap_config_admin_user_dn }}" |
||||
bind_pw: "{{ ldap_config_admin_user_password }}" |
||||
notify: "restart slapd" |
||||
|
||||
- name: olcTLSCertificateFile configured (cn=config) |
||||
ldap_attr: |
||||
dn: "cn=config" |
||||
name: olcTLSCertificateFile |
||||
values: "{{ openldap_confdir }}/sasl2/cert.pem" |
||||
state: exact |
||||
start_tls: yes |
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" |
||||
bind_dn: "{{ ldap_config_admin_user_dn }}" |
||||
bind_pw: "{{ ldap_config_admin_user_password }}" |
||||
notify: "restart slapd" |
||||
|
||||
- name: olcTLSProtocolMin configured (cn=config) |
||||
ldap_attr: |
||||
dn: "cn=config" |
||||
name: olcTLSProtocolMin |
||||
values: "3.3" |
||||
state: exact |
||||
start_tls: yes |
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" |
||||
bind_dn: "{{ ldap_config_admin_user_dn }}" |
||||
bind_pw: "{{ ldap_config_admin_user_password }}" |
||||
notify: "restart slapd" |
||||
|
||||
- name: olcSecurity configured (cn=config) |
||||
ldap_attr: |
||||
dn: "cn=config" |
||||
name: olcSecurity |
||||
values: "tls=1" |
||||
state: exact |
||||
start_tls: yes |
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" |
||||
bind_dn: "{{ ldap_config_admin_user_dn }}" |
||||
bind_pw: "{{ ldap_config_admin_user_password }}" |
||||
notify: "restart slapd" |
||||
|
||||
- name: TLS required (olcDatabase={-1}frontend,cn=config) |
||||
ldap_attr: |
||||
dn: "olcDatabase={-1}frontend,cn=config" |
||||
name: olcSecurity |
||||
values: "tls=1" |
||||
state: exact |
||||
start_tls: yes |
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" |
||||
bind_dn: "{{ ldap_config_admin_user_dn }}" |
||||
bind_pw: "{{ ldap_config_admin_user_password }}" |
||||
notify: "restart slapd" |
||||
|
||||
- name: TLS required (olcDatabase={0}config,cn=config) |
||||
ldap_attr: |
||||
dn: "olcDatabase={0}config,cn=config" |
||||
name: olcSecurity |
||||
values: "tls=1" |
||||
state: exact |
||||
start_tls: yes |
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" |
||||
bind_dn: "{{ ldap_config_admin_user_dn }}" |
||||
bind_pw: "{{ ldap_config_admin_user_password }}" |
||||
notify: "restart slapd" |
||||
|
||||
- name: TLS required (olcDatabase={1}mdb,cn=config) |
||||
ldap_attr: |
||||
dn: "olcDatabase={1}mdb,cn=config" |
||||
name: olcSecurity |
||||
values: "tls=1" |
||||
state: exact |
||||
start_tls: yes |
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" |
||||
bind_dn: "{{ ldap_config_admin_user_dn }}" |
||||
bind_pw: "{{ ldap_config_admin_user_password }}" |
||||
notify: "restart slapd" |
||||
|
||||
#- name: olcTLSCipherSuite configured (cn=config) |
||||
# ldap_attr: |
||||
# dn: "cn=config" |
||||
# name: olcTLSCipherSuite |
||||
# #values: "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL" |
||||
# values: "ALL:!NULL" |
||||
# # values: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 |
||||
# state: exact |
||||
# start_tls: yes |
||||
# bind_dn: "{{ ldap_config_admin_user_dn }}" |
||||
# bind_pw: "{{ ldap_config_admin_user_password }}" |
||||
# notify: "restart slapd" |
||||
# |
||||
#- name: olcTLSDHParamFile configured (cn=config) |
||||
# ldap_attr: |
||||
# dn: "cn=config" |
||||
# name: olcTLSDHParamFile |
||||
# values: "{{ openldap_confdir }}/sasl2/slapd.dh.params" |
||||
# state: exact |
||||
# start_tls: yes |
||||
# bind_dn: "{{ ldap_config_admin_user_dn }}" |
||||
# bind_pw: "{{ ldap_config_admin_user_password }}" |
||||
# notify: "restart slapd" |
||||
|
||||
- name: Force all notified handlers to run at this point, not waiting for normal sync points |
||||
meta: flush_handlers |
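Review bot: Every `ldap_attr` task passes the config admin password via `bind_pw: "{{ ldap_config_admin_user_password }}"` but none sets `no_log: true`, so a verbose or failed run prints the module arguments, including the password, to stdout and to any log collector; add `no_log: true` to each of these tasks (all eight, from the first `olcTLSCACertificateFile` task onward). The second task is misnamed: its `name` repeats `olcTLSCACertificateFile configured (cn=config)` while it actually sets `olcTLSCertificateKeyFile`, which will confuse run output and change tracking. `start_tls: yes` should be written `start_tls: true` for the same reason as the other booleans, and depending on the Ansible/collection version in use `ldap_attr` may be deprecated in favour of `ldap_attrs`, which is worth confirming before relying on this file. The commented-out `olcTLSCipherSuite` and `olcTLSDHParamFile` blocks leave the cipher suite at the server default and the DH parameters generated in the other tasks file unused; either wire them in or drop the dead code with a comment explaining the decision.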