Start configuring StartTLS

3 years ago · 17575509dd
8 changed files with 194 additions and 0 deletions
--- a/inventory_template/group_vars/ldap_server.yml
+++ b/inventory_template/group_vars/ldap_server.yml
@ -1,5 +1,19 @@
 ---

+# Role ansible-role-certbot : defina auto renew, schedule, ...
+# WARNING: you need to open the port 80 (iptables)
+certbot_auto_renew: true
+certbot_auto_renew_user: "root"
+certbot_auto_renew_hour: "5"
+certbot_auto_renew_minute: "0"
+certbot_auto_renew_options: "--quiet --no-self-upgrade --deploy-hook 'cp -pf /etc/letsencrypt/live/{{ inventory_hostname }}/*.pem /etc/ldap/sasl2/ && chown openldap: /etc/ldap/sasl2/*.pem && systemctl restart slapd'"
+certbot_create_if_missing: true
+certbot_create_method: standalone
+certbot_create_standalone_stop_services: []
+certbot_certs:
+  - domains:
+    - "{{ inventory_hostname }}"
+
 openldap_schemas:
  - core
  - cosine
--- a/playbook_ldap_deploy.yml
+++ b/playbook_ldap_deploy.yml
@ -1,4 +1,5 @@
 ---
 - hosts: ldap_server
  roles:
+    - geerlingguy.certbot
    - ldap_server
--- a/roles/ldap_server/tasks/cert.yml
+++ b/roles/ldap_server/tasks/cert.yml
@ -0,0 +1,29 @@
+---
+
+- name: check if key and cert already present in ldap configuration folder
+  stat:
+    path: "{{ openldap_confdir }}/sasl2/privkey.pem"
+  register: privkey_exist
+
+- name: if key and cert not already present, copy them
+  shell: "cp -pf /etc/letsencrypt/live/l01.wirebrass.fr/*.pem {{ openldap_confdir }}/sasl2/"
+  when: not privkey_exist.stat.exists
+
+- name: if key and cert not already present, fix permissions
+  shell: "chown openldap: {{ openldap_confdir }}/sasl2/*.pem"
+  when: not privkey_exist.stat.exists
+
+- name: link to ca-certificates created
+  file:
+    src: /etc/ssl/certs/ca-certificates.crt
+    dest: "{{ openldap_confdir }}/sasl2/ca-certificates.crt"
+    state: link
+
+- name: OpenLDAP DH Parameters generated
+  openssl_dhparam:
+    path: "{{ openldap_confdir }}/sasl2/slapd.dh.params"
+    size: 2048
+    owner: openldap
+    group: openldap
+    mode: 0600
+
--- a/roles/ldap_server/tasks/ldap_attributes.yml
+++ b/roles/ldap_server/tasks/ldap_attributes.yml
@ -6,6 +6,7 @@
    name: cn
    values: "{{ item.cn }}"
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -18,6 +19,7 @@
    name: loginShell
    values: "/bin/bash"
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -30,6 +32,7 @@
    name: homeDirectory
    values: "/home/{{ item.uid }}"
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -42,6 +45,7 @@
    name: uidNumber
    values: "{{ item.uidNumber }}"
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -54,6 +58,7 @@
    name: gidNumber
    values: "{{ item.gidNumber }}"
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -66,6 +71,7 @@
    name: gidNumber
    values: "{{ item.gidNumber }}"
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -78,6 +84,7 @@
    name: description
    values: "{{ item.description }}"
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -90,6 +97,7 @@
    name: memberUid
    values: "{{ item.memberUid }}"
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -102,6 +110,7 @@
    name: description
    values: "{{ item.description }}"
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -112,6 +121,7 @@
  ldap_passwd:
    dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
    passwd: "{{ item.userPassword }}"
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
--- a/roles/ldap_server/tasks/ldap_config.yml
+++ b/roles/ldap_server/tasks/ldap_config.yml
@ -6,6 +6,7 @@
    name: olcDisallows
    values: bind_anon
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
@ -16,6 +17,7 @@
    name: olcRequires
    values: authc
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
@ -26,6 +28,7 @@
    name: olcRequires
    values: authc
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
@ -36,6 +39,7 @@
    name: olcRequires
    values: authc
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
@ -46,6 +50,7 @@
    name: olcRequires
    values: authc
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
@ -58,6 +63,7 @@
      - "{0}to attrs=userPassword by self write by anonymous auth by * none"
      - "{1}to attrs=shadowLastChange by self write by * read"
    state: exact
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
--- a/roles/ldap_server/tasks/ldap_entries.yml
+++ b/roles/ldap_server/tasks/ldap_entries.yml
@ -8,6 +8,7 @@
      - organization
    attributes:
      o: "{{ ldap_domain }}"
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -17,6 +18,7 @@
    dn: "ou=people,{{ ldap_root_dn }}"
    objectClass:
      - organizationalUnit
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -26,6 +28,7 @@
    dn: "ou=groups,{{ ldap_root_dn }}"
    objectClass:
      - organizationalUnit
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -35,6 +38,7 @@
    dn: "ou=accounts,{{ ldap_root_dn }}"
    objectClass:
      - organizationalUnit
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -44,6 +48,7 @@
    dn: "ou=applications,{{ ldap_root_dn }}"
    objectClass:
      - organizationalUnit
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -62,6 +67,7 @@
      homeDirectory: "/home/{{ item.uid }}"
      uidNumber: "{{ item.uidNumber }}"
      gidNumber: "{{ item.gidNumber }}"
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -77,6 +83,7 @@
      cn: "{{ item.cn }}"
      description: "{{ item.description }}"
      gidNumber: "{{ item.gidNumber }}"
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
@ -93,6 +100,7 @@
      cn: "{{ item.cn }}"
      description: "{{ item.description }}"
      userPassword: "{{ item.userPassword }}"
+    start_tls: yes
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_admin_user_dn }}"
    bind_pw: "{{ ldap_admin_user_password }}"
--- a/roles/ldap_server/tasks/ldap_tls.yml
+++ b/roles/ldap_server/tasks/ldap_tls.yml
@ -0,0 +1,124 @@
+---
+
+- name: olcTLSCACertificateFile configured (cn=config)
+  ldap_attr:
+    dn: "cn=config"
+    name: olcTLSCACertificateFile
+    values: "{{ openldap_confdir }}/sasl2/fullchain.pem"
+    state: exact
+    start_tls: yes
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+  notify: "restart slapd"
+
+- name: olcTLSCACertificateFile configured (cn=config)
+  ldap_attr:
+    dn: "cn=config"
+    name: olcTLSCertificateKeyFile
+    values: "{{ openldap_confdir }}/sasl2/privkey.pem"
+    state: exact
+    start_tls: yes
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+  notify: "restart slapd"
+
+- name: olcTLSCertificateFile configured (cn=config)
+  ldap_attr:
+    dn: "cn=config"
+    name: olcTLSCertificateFile
+    values: "{{ openldap_confdir }}/sasl2/cert.pem"
+    state: exact
+    start_tls: yes
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+  notify: "restart slapd"
+
+- name: olcTLSProtocolMin configured (cn=config)
+  ldap_attr:
+    dn: "cn=config"
+    name: olcTLSProtocolMin
+    values: "3.3"
+    state: exact
+    start_tls: yes
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+  notify: "restart slapd"
+
+- name: olcSecurity configured (cn=config)
+  ldap_attr:
+    dn: "cn=config"
+    name: olcSecurity
+    values: "tls=1"
+    state: exact
+    start_tls: yes
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+  notify: "restart slapd"
+
+- name: TLS required (olcDatabase={-1}frontend,cn=config)
+  ldap_attr:
+    dn: "olcDatabase={-1}frontend,cn=config"
+    name: olcSecurity
+    values: "tls=1"
+    state: exact
+    start_tls: yes
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+  notify: "restart slapd"
+
+- name: TLS required (olcDatabase={0}config,cn=config)
+  ldap_attr:
+    dn: "olcDatabase={0}config,cn=config"
+    name: olcSecurity
+    values: "tls=1"
+    state: exact
+    start_tls: yes
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+  notify: "restart slapd"
+
+- name: TLS required (olcDatabase={1}mdb,cn=config)
+  ldap_attr:
+    dn: "olcDatabase={1}mdb,cn=config"
+    name: olcSecurity
+    values: "tls=1"
+    state: exact
+    start_tls: yes
+    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
+    bind_dn: "{{ ldap_config_admin_user_dn }}"
+    bind_pw: "{{ ldap_config_admin_user_password }}"
+  notify: "restart slapd"
+
+#- name: olcTLSCipherSuite configured (cn=config)
+#  ldap_attr:
+#    dn: "cn=config"
+#    name: olcTLSCipherSuite
+#    #values: "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL"
+#    values: "ALL:!NULL"
+#  #  values: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
+#    state: exact
+#    start_tls: yes
+#    bind_dn: "{{ ldap_config_admin_user_dn }}"
+#    bind_pw: "{{ ldap_config_admin_user_password }}"
+#  notify: "restart slapd"
+#
+#- name: olcTLSDHParamFile configured (cn=config)
+#  ldap_attr:
+#    dn: "cn=config"
+#    name: olcTLSDHParamFile
+#    values: "{{ openldap_confdir }}/sasl2/slapd.dh.params"
+#    state: exact
+#    start_tls: yes
+#    bind_dn: "{{ ldap_config_admin_user_dn }}"
+#    bind_pw: "{{ ldap_config_admin_user_password }}"
+#  notify: "restart slapd"
+
+- name: Force all notified handlers to run at this point, not waiting for normal sync points
+  meta: flush_handlers
--- a/roles/ldap_server/tasks/main.yml
+++ b/roles/ldap_server/tasks/main.yml
@ -5,6 +5,8 @@

 - include_tasks: package.yml
 - include_tasks: service.yml
+- include_tasks: cert.yml
+- include_tasks: ldap_tls.yml
 - include_tasks: ldap_entries.yml
 - include_tasks: ldap_attributes.yml
 - include_tasks: ldap_config.yml