Start configuring StartTLS
parent
204ada2707
commit
17575509dd
@ -1,4 +1,5 @@
|
||||
---
|
||||
- hosts: ldap_server
|
||||
roles:
|
||||
- geerlingguy.certbot
|
||||
- ldap_server
|
||||
|
@ -0,0 +1,29 @@
|
||||
---
|
||||
|
||||
- name: check if key and cert already present in ldap configuration folder
|
||||
stat:
|
||||
path: "{{ openldap_confdir }}/sasl2/privkey.pem"
|
||||
register: privkey_exist
|
||||
|
||||
- name: if key and cert not already present, copy them
|
||||
shell: "cp -pf /etc/letsencrypt/live/l01.wirebrass.fr/*.pem {{ openldap_confdir }}/sasl2/"
|
||||
when: not privkey_exist.stat.exists
|
||||
|
||||
- name: if key and cert not already present, fix permissions
|
||||
shell: "chown openldap: {{ openldap_confdir }}/sasl2/*.pem"
|
||||
when: not privkey_exist.stat.exists
|
||||
|
||||
- name: link to ca-certificates created
|
||||
file:
|
||||
src: /etc/ssl/certs/ca-certificates.crt
|
||||
dest: "{{ openldap_confdir }}/sasl2/ca-certificates.crt"
|
||||
state: link
|
||||
|
||||
- name: OpenLDAP DH Parameters generated
|
||||
openssl_dhparam:
|
||||
path: "{{ openldap_confdir }}/sasl2/slapd.dh.params"
|
||||
size: 2048
|
||||
owner: openldap
|
||||
group: openldap
|
||||
mode: 0600
|
||||
|
@ -0,0 +1,124 @@
|
||||
---
|
||||
|
||||
- name: olcTLSCACertificateFile configured (cn=config)
|
||||
ldap_attr:
|
||||
dn: "cn=config"
|
||||
name: olcTLSCACertificateFile
|
||||
values: "{{ openldap_confdir }}/sasl2/fullchain.pem"
|
||||
state: exact
|
||||
start_tls: yes
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
notify: "restart slapd"
|
||||
|
||||
- name: olcTLSCACertificateFile configured (cn=config)
|
||||
ldap_attr:
|
||||
dn: "cn=config"
|
||||
name: olcTLSCertificateKeyFile
|
||||
values: "{{ openldap_confdir }}/sasl2/privkey.pem"
|
||||
state: exact
|
||||
start_tls: yes
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
notify: "restart slapd"
|
||||
|
||||
- name: olcTLSCertificateFile configured (cn=config)
|
||||
ldap_attr:
|
||||
dn: "cn=config"
|
||||
name: olcTLSCertificateFile
|
||||
values: "{{ openldap_confdir }}/sasl2/cert.pem"
|
||||
state: exact
|
||||
start_tls: yes
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
notify: "restart slapd"
|
||||
|
||||
- name: olcTLSProtocolMin configured (cn=config)
|
||||
ldap_attr:
|
||||
dn: "cn=config"
|
||||
name: olcTLSProtocolMin
|
||||
values: "3.3"
|
||||
state: exact
|
||||
start_tls: yes
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
notify: "restart slapd"
|
||||
|
||||
- name: olcSecurity configured (cn=config)
|
||||
ldap_attr:
|
||||
dn: "cn=config"
|
||||
name: olcSecurity
|
||||
values: "tls=1"
|
||||
state: exact
|
||||
start_tls: yes
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
notify: "restart slapd"
|
||||
|
||||
- name: TLS required (olcDatabase={-1}frontend,cn=config)
|
||||
ldap_attr:
|
||||
dn: "olcDatabase={-1}frontend,cn=config"
|
||||
name: olcSecurity
|
||||
values: "tls=1"
|
||||
state: exact
|
||||
start_tls: yes
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
notify: "restart slapd"
|
||||
|
||||
- name: TLS required (olcDatabase={0}config,cn=config)
|
||||
ldap_attr:
|
||||
dn: "olcDatabase={0}config,cn=config"
|
||||
name: olcSecurity
|
||||
values: "tls=1"
|
||||
state: exact
|
||||
start_tls: yes
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
notify: "restart slapd"
|
||||
|
||||
- name: TLS required (olcDatabase={1}mdb,cn=config)
|
||||
ldap_attr:
|
||||
dn: "olcDatabase={1}mdb,cn=config"
|
||||
name: olcSecurity
|
||||
values: "tls=1"
|
||||
state: exact
|
||||
start_tls: yes
|
||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
notify: "restart slapd"
|
||||
|
||||
#- name: olcTLSCipherSuite configured (cn=config)
|
||||
# ldap_attr:
|
||||
# dn: "cn=config"
|
||||
# name: olcTLSCipherSuite
|
||||
# #values: "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL"
|
||||
# values: "ALL:!NULL"
|
||||
# # values: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||
# state: exact
|
||||
# start_tls: yes
|
||||
# bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
# bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
# notify: "restart slapd"
|
||||
#
|
||||
#- name: olcTLSDHParamFile configured (cn=config)
|
||||
# ldap_attr:
|
||||
# dn: "cn=config"
|
||||
# name: olcTLSDHParamFile
|
||||
# values: "{{ openldap_confdir }}/sasl2/slapd.dh.params"
|
||||
# state: exact
|
||||
# start_tls: yes
|
||||
# bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||
# bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||
# notify: "restart slapd"
|
||||
|
||||
- name: Force all notified handlers to run at this point, not waiting for normal sync points
|
||||
meta: flush_handlers
|
Loading…
Reference in New Issue