Browse Source

Start configuring StartTLS

master
Nemo 3 years ago
parent
commit
17575509dd
  1. 14
      inventory_template/group_vars/ldap_server.yml
  2. 1
      playbook_ldap_deploy.yml
  3. 29
      roles/ldap_server/tasks/cert.yml
  4. 10
      roles/ldap_server/tasks/ldap_attributes.yml
  5. 6
      roles/ldap_server/tasks/ldap_config.yml
  6. 8
      roles/ldap_server/tasks/ldap_entries.yml
  7. 124
      roles/ldap_server/tasks/ldap_tls.yml
  8. 2
      roles/ldap_server/tasks/main.yml

14
inventory_template/group_vars/ldap_server.yml

@ -1,5 +1,19 @@
---
# Role ansible-role-certbot : defina auto renew, schedule, ...
# WARNING: you need to open the port 80 (iptables)
certbot_auto_renew: true
certbot_auto_renew_user: "root"
certbot_auto_renew_hour: "5"
certbot_auto_renew_minute: "0"
certbot_auto_renew_options: "--quiet --no-self-upgrade --deploy-hook 'cp -pf /etc/letsencrypt/live/{{ inventory_hostname }}/*.pem /etc/ldap/sasl2/ && chown openldap: /etc/ldap/sasl2/*.pem && systemctl restart slapd'"
certbot_create_if_missing: true
certbot_create_method: standalone
certbot_create_standalone_stop_services: []
certbot_certs:
- domains:
- "{{ inventory_hostname }}"
openldap_schemas:
- core
- cosine

1
playbook_ldap_deploy.yml

@ -1,4 +1,5 @@
---
- hosts: ldap_server
roles:
- geerlingguy.certbot
- ldap_server

29
roles/ldap_server/tasks/cert.yml

@ -0,0 +1,29 @@
---
- name: check if key and cert already present in ldap configuration folder
stat:
path: "{{ openldap_confdir }}/sasl2/privkey.pem"
register: privkey_exist
- name: if key and cert not already present, copy them
shell: "cp -pf /etc/letsencrypt/live/l01.wirebrass.fr/*.pem {{ openldap_confdir }}/sasl2/"
when: not privkey_exist.stat.exists
- name: if key and cert not already present, fix permissions
shell: "chown openldap: {{ openldap_confdir }}/sasl2/*.pem"
when: not privkey_exist.stat.exists
- name: link to ca-certificates created
file:
src: /etc/ssl/certs/ca-certificates.crt
dest: "{{ openldap_confdir }}/sasl2/ca-certificates.crt"
state: link
- name: OpenLDAP DH Parameters generated
openssl_dhparam:
path: "{{ openldap_confdir }}/sasl2/slapd.dh.params"
size: 2048
owner: openldap
group: openldap
mode: 0600

10
roles/ldap_server/tasks/ldap_attributes.yml

@ -6,6 +6,7 @@
name: cn
values: "{{ item.cn }}"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -18,6 +19,7 @@
name: loginShell
values: "/bin/bash"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -30,6 +32,7 @@
name: homeDirectory
values: "/home/{{ item.uid }}"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -42,6 +45,7 @@
name: uidNumber
values: "{{ item.uidNumber }}"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -54,6 +58,7 @@
name: gidNumber
values: "{{ item.gidNumber }}"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -66,6 +71,7 @@
name: gidNumber
values: "{{ item.gidNumber }}"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -78,6 +84,7 @@
name: description
values: "{{ item.description }}"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -90,6 +97,7 @@
name: memberUid
values: "{{ item.memberUid }}"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -102,6 +110,7 @@
name: description
values: "{{ item.description }}"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -112,6 +121,7 @@
ldap_passwd:
dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
passwd: "{{ item.userPassword }}"
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"

6
roles/ldap_server/tasks/ldap_config.yml

@ -6,6 +6,7 @@
name: olcDisallows
values: bind_anon
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
@ -16,6 +17,7 @@
name: olcRequires
values: authc
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
@ -26,6 +28,7 @@
name: olcRequires
values: authc
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
@ -36,6 +39,7 @@
name: olcRequires
values: authc
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
@ -46,6 +50,7 @@
name: olcRequires
values: authc
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
@ -58,6 +63,7 @@
- "{0}to attrs=userPassword by self write by anonymous auth by * none"
- "{1}to attrs=shadowLastChange by self write by * read"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"

8
roles/ldap_server/tasks/ldap_entries.yml

@ -8,6 +8,7 @@
- organization
attributes:
o: "{{ ldap_domain }}"
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -17,6 +18,7 @@
dn: "ou=people,{{ ldap_root_dn }}"
objectClass:
- organizationalUnit
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -26,6 +28,7 @@
dn: "ou=groups,{{ ldap_root_dn }}"
objectClass:
- organizationalUnit
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -35,6 +38,7 @@
dn: "ou=accounts,{{ ldap_root_dn }}"
objectClass:
- organizationalUnit
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -44,6 +48,7 @@
dn: "ou=applications,{{ ldap_root_dn }}"
objectClass:
- organizationalUnit
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -62,6 +67,7 @@
homeDirectory: "/home/{{ item.uid }}"
uidNumber: "{{ item.uidNumber }}"
gidNumber: "{{ item.gidNumber }}"
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -77,6 +83,7 @@
cn: "{{ item.cn }}"
description: "{{ item.description }}"
gidNumber: "{{ item.gidNumber }}"
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"
@ -93,6 +100,7 @@
cn: "{{ item.cn }}"
description: "{{ item.description }}"
userPassword: "{{ item.userPassword }}"
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_admin_user_dn }}"
bind_pw: "{{ ldap_admin_user_password }}"

124
roles/ldap_server/tasks/ldap_tls.yml

@ -0,0 +1,124 @@
---
- name: olcTLSCACertificateFile configured (cn=config)
ldap_attr:
dn: "cn=config"
name: olcTLSCACertificateFile
values: "{{ openldap_confdir }}/sasl2/fullchain.pem"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
notify: "restart slapd"
- name: olcTLSCACertificateFile configured (cn=config)
ldap_attr:
dn: "cn=config"
name: olcTLSCertificateKeyFile
values: "{{ openldap_confdir }}/sasl2/privkey.pem"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
notify: "restart slapd"
- name: olcTLSCertificateFile configured (cn=config)
ldap_attr:
dn: "cn=config"
name: olcTLSCertificateFile
values: "{{ openldap_confdir }}/sasl2/cert.pem"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
notify: "restart slapd"
- name: olcTLSProtocolMin configured (cn=config)
ldap_attr:
dn: "cn=config"
name: olcTLSProtocolMin
values: "3.3"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
notify: "restart slapd"
- name: olcSecurity configured (cn=config)
ldap_attr:
dn: "cn=config"
name: olcSecurity
values: "tls=1"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
notify: "restart slapd"
- name: TLS required (olcDatabase={-1}frontend,cn=config)
ldap_attr:
dn: "olcDatabase={-1}frontend,cn=config"
name: olcSecurity
values: "tls=1"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
notify: "restart slapd"
- name: TLS required (olcDatabase={0}config,cn=config)
ldap_attr:
dn: "olcDatabase={0}config,cn=config"
name: olcSecurity
values: "tls=1"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
notify: "restart slapd"
- name: TLS required (olcDatabase={1}mdb,cn=config)
ldap_attr:
dn: "olcDatabase={1}mdb,cn=config"
name: olcSecurity
values: "tls=1"
state: exact
start_tls: yes
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
bind_dn: "{{ ldap_config_admin_user_dn }}"
bind_pw: "{{ ldap_config_admin_user_password }}"
notify: "restart slapd"
#- name: olcTLSCipherSuite configured (cn=config)
# ldap_attr:
# dn: "cn=config"
# name: olcTLSCipherSuite
# #values: "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL"
# values: "ALL:!NULL"
# # values: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# state: exact
# start_tls: yes
# bind_dn: "{{ ldap_config_admin_user_dn }}"
# bind_pw: "{{ ldap_config_admin_user_password }}"
# notify: "restart slapd"
#
#- name: olcTLSDHParamFile configured (cn=config)
# ldap_attr:
# dn: "cn=config"
# name: olcTLSDHParamFile
# values: "{{ openldap_confdir }}/sasl2/slapd.dh.params"
# state: exact
# start_tls: yes
# bind_dn: "{{ ldap_config_admin_user_dn }}"
# bind_pw: "{{ ldap_config_admin_user_password }}"
# notify: "restart slapd"
- name: Force all notified handlers to run at this point, not waiting for normal sync points
meta: flush_handlers

2
roles/ldap_server/tasks/main.yml

@ -5,6 +5,8 @@
- include_tasks: package.yml
- include_tasks: service.yml
- include_tasks: cert.yml
- include_tasks: ldap_tls.yml
- include_tasks: ldap_entries.yml
- include_tasks: ldap_attributes.yml
- include_tasks: ldap_config.yml

Loading…
Cancel
Save