From 17575509dd3cb6f05acc0c04460c672d0e7db2df Mon Sep 17 00:00:00 2001 From: Nemo Date: Sun, 9 Aug 2020 11:37:21 +0200 Subject: [PATCH] Start configuring StartTLS --- inventory_template/group_vars/ldap_server.yml | 14 ++ playbook_ldap_deploy.yml | 1 + roles/ldap_server/tasks/cert.yml | 29 ++++ roles/ldap_server/tasks/ldap_attributes.yml | 10 ++ roles/ldap_server/tasks/ldap_config.yml | 6 + roles/ldap_server/tasks/ldap_entries.yml | 8 ++ roles/ldap_server/tasks/ldap_tls.yml | 124 ++++++++++++++++++ roles/ldap_server/tasks/main.yml | 2 + 8 files changed, 194 insertions(+) create mode 100644 roles/ldap_server/tasks/cert.yml create mode 100644 roles/ldap_server/tasks/ldap_tls.yml diff --git a/inventory_template/group_vars/ldap_server.yml b/inventory_template/group_vars/ldap_server.yml index 6e62d47..7eec19f 100644 --- a/inventory_template/group_vars/ldap_server.yml +++ b/inventory_template/group_vars/ldap_server.yml @@ -1,5 +1,19 @@ --- +# Role ansible-role-certbot : defina auto renew, schedule, ... +# WARNING: you need to open the port 80 (iptables) +certbot_auto_renew: true +certbot_auto_renew_user: "root" +certbot_auto_renew_hour: "5" +certbot_auto_renew_minute: "0" +certbot_auto_renew_options: "--quiet --no-self-upgrade --deploy-hook 'cp -pf /etc/letsencrypt/live/{{ inventory_hostname }}/*.pem /etc/ldap/sasl2/ && chown openldap: /etc/ldap/sasl2/*.pem && systemctl restart slapd'" +certbot_create_if_missing: true +certbot_create_method: standalone +certbot_create_standalone_stop_services: [] +certbot_certs: + - domains: + - "{{ inventory_hostname }}" + openldap_schemas: - core - cosine diff --git a/playbook_ldap_deploy.yml b/playbook_ldap_deploy.yml index 509f632..e55f565 100644 --- a/playbook_ldap_deploy.yml +++ b/playbook_ldap_deploy.yml @@ -1,4 +1,5 @@ --- - hosts: ldap_server roles: + - geerlingguy.certbot - ldap_server diff --git a/roles/ldap_server/tasks/cert.yml b/roles/ldap_server/tasks/cert.yml new file mode 100644 index 0000000..6247666 --- /dev/null 
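Review bot: The certbot deploy hook in `certbot_auto_renew_options` hard-codes `/etc/ldap/sasl2/`, while the role's cert.yml and ldap_tls.yml address the same directory as `{{ openldap_confdir }}/sasl2/`; if `openldap_confdir` is ever changed, renewed files would be copied somewhere slapd no longer reads and the restart in the hook would reload the old certificate. I would express the hook in terms of the same variable, or move the copy/chown/restart into a small script the role installs, so the key's location is defined once. The comment `# Role ansible-role-certbot : defina auto renew` has a typo, `define`. The hook's `cp -pf` of `privkey.pem` followed by `chown openldap:` relies on the source file's mode already being restrictive; an explicit `chmod 600` on the copied key in the hook would make that guarantee visible.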
+++ b/roles/ldap_server/tasks/cert.yml
@@ -0,0 +1,29 @@
+---
+
+- name: check if key and cert already present in ldap configuration folder
+ stat:
+ path: "{{ openldap_confdir }}/sasl2/privkey.pem"
+ register: privkey_exist
+
+- name: if key and cert not already present, copy them
+ shell: "cp -pf /etc/letsencrypt/live/l01.wirebrass.fr/*.pem {{ openldap_confdir }}/sasl2/"
+ when: not privkey_exist.stat.exists
+
+- name: if key and cert not already present, fix permissions
+ shell: "chown openldap: {{ openldap_confdir }}/sasl2/*.pem"
+ when: not privkey_exist.stat.exists
+
+- name: link to ca-certificates created
+ file:
+ src: /etc/ssl/certs/ca-certificates.crt
+ dest: "{{ openldap_confdir }}/sasl2/ca-certificates.crt"
+ state: link
+
+- name: OpenLDAP DH Parameters generated
+ openssl_dhparam:
+ path: "{{ openldap_confdir }}/sasl2/slapd.dh.params"
+ size: 2048
+ owner: openldap
+ group: openldap
+ mode: 0600
+
diff --git a/roles/ldap_server/tasks/ldap_attributes.yml b/roles/ldap_server/tasks/ldap_attributes.yml
index 68c6af5..8476a64 100644
--- a/roles/ldap_server/tasks/ldap_attributes.yml
+++ b/roles/ldap_server/tasks/ldap_attributes.yml
@@ -6,6 +6,7 @@
 name: cn
 values: "{{ item.cn }}"
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -18,6 +19,7 @@
 name: loginShell
 values: "/bin/bash"
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -30,6 +32,7 @@
 name: homeDirectory
 values: "/home/{{ item.uid }}"
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
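Review bot: The copy task `shell: "cp -pf /etc/letsencrypt/live/l01.wirebrass.fr/*.pem ..."` hard-codes one hostname, whereas `certbot_certs` in group_vars requests the certificate for `{{ inventory_hostname }}`, so on any other host the glob matches nothing and the task fails; it should read `/etc/letsencrypt/live/{{ inventory_hostname }}/*.pem`, matching the deploy hook. The `stat` guard only checks `privkey.pem`, but the copy and chown act on every `*.pem` in the directory, so `cert.pem`/`fullchain.pem` are never refreshed by this role if only the key survives. `mode: 0600` on the DH-parameter task is an unquoted octal literal; `mode: "0600"` is the form Ansible documents to avoid YAML integer parsing. The DH parameters and the `ca-certificates.crt` link created here are not referenced by any cn=config attribute in this commit (the `olcTLSDHParamFile` task in ldap_tls.yml is commented out), so they are currently unused artifacts.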
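Review bot: `start_tls: yes` is a YAML 1.1 truthy word; `start_tls: true` is the canonical form and keeps yamllint's `truthy` rule quiet, and the same applies to every hunk of this file and of ldap_config.yml and ldap_entries.yml. Because `ldap_attr`/`ldap_entry`/`ldap_passwd` verify the server certificate by default (`validate_certs`), these tasks will only succeed if the name in the Let's Encrypt certificate matches `ldap_host`; if `ldap_host` is something other than `{{ inventory_hostname }}` the StartTLS handshake will fail verification, which is worth a comment where `ldap_host` is defined rather than a `validate_certs: false` opt-out. Since the five connection keys are now repeated in every task, a play-level `module_defaults` block for these modules would make the TLS setting impossible to forget in a new task. The tasks these hunks belong to start outside the hunks.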
@@ -42,6 +45,7 @@
 name: uidNumber
 values: "{{ item.uidNumber }}"
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -54,6 +58,7 @@
 name: gidNumber
 values: "{{ item.gidNumber }}"
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -66,6 +71,7 @@
 name: gidNumber
 values: "{{ item.gidNumber }}"
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -78,6 +84,7 @@
 name: description
 values: "{{ item.description }}"
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -90,6 +97,7 @@
 name: memberUid
 values: "{{ item.memberUid }}"
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -102,6 +110,7 @@
 name: description
 values: "{{ item.description }}"
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -112,6 +121,7 @@
 ldap_passwd:
 dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
 passwd: "{{ item.userPassword }}"
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
diff --git a/roles/ldap_server/tasks/ldap_config.yml b/roles/ldap_server/tasks/ldap_config.yml
index f603f83..b1ac1c0 100644
--- a/roles/ldap_server/tasks/ldap_config.yml
+++ b/roles/ldap_server/tasks/ldap_config.yml
@@ -6,6 +6,7 @@
 name: olcDisallows
 values: bind_anon
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_config_admin_user_dn }}"
 bind_pw: "{{ ldap_config_admin_user_password }}"
@@ -16,6 +17,7 @@
 name: olcRequires
 values: authc
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_config_admin_user_dn }}"
 bind_pw: "{{ ldap_config_admin_user_password }}"
@@ -26,6 +28,7 @@
 name: olcRequires
 values: authc
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_config_admin_user_dn }}"
 bind_pw: "{{ ldap_config_admin_user_password }}"
@@ -36,6 +39,7 @@
 name: olcRequires
 values: authc
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_config_admin_user_dn }}"
 bind_pw: "{{ ldap_config_admin_user_password }}"
@@ -46,6 +50,7 @@
 name: olcRequires
 values: authc
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_config_admin_user_dn }}"
 bind_pw: "{{ ldap_config_admin_user_password }}"
@@ -58,6 +63,7 @@
 - "{0}to attrs=userPassword by self write by anonymous auth by * none"
 - "{1}to attrs=shadowLastChange by self write by * read"
 state: exact
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_config_admin_user_dn }}"
 bind_pw: "{{ ldap_config_admin_user_password }}"
diff --git a/roles/ldap_server/tasks/ldap_entries.yml b/roles/ldap_server/tasks/ldap_entries.yml
index fe5ee3f..1108c76 100644
--- a/roles/ldap_server/tasks/ldap_entries.yml
+++ b/roles/ldap_server/tasks/ldap_entries.yml
@@ -8,6 +8,7 @@
 - organization
 attributes:
 o: "{{ ldap_domain }}"
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -17,6 +18,7 @@
 dn: "ou=people,{{ ldap_root_dn }}"
 objectClass:
 - organizationalUnit
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -26,6 +28,7 @@
 dn: "ou=groups,{{ ldap_root_dn }}"
 objectClass:
 - organizationalUnit
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -35,6 +38,7 @@
 dn: "ou=accounts,{{ ldap_root_dn }}"
 objectClass:
 - organizationalUnit
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -44,6 +48,7 @@
 dn: "ou=applications,{{ ldap_root_dn }}"
 objectClass:
 - organizationalUnit
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -62,6 +67,7 @@
 homeDirectory: "/home/{{ item.uid }}"
 uidNumber: "{{ item.uidNumber }}"
 gidNumber: "{{ item.gidNumber }}"
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -77,6 +83,7 @@
 cn: "{{ item.cn }}"
 description: "{{ item.description }}"
 gidNumber: "{{ item.gidNumber }}"
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
@@ -93,6 +100,7 @@
 cn: "{{ item.cn }}"
 description: "{{ item.description }}"
 userPassword: "{{ item.userPassword }}"
+ start_tls: yes
 server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
 bind_dn: "{{ ldap_admin_user_dn }}"
 bind_pw: "{{ ldap_admin_user_password }}"
diff --git a/roles/ldap_server/tasks/ldap_tls.yml b/roles/ldap_server/tasks/ldap_tls.yml
new file mode 100644
index 0000000..0fec2d1
--- /dev/null
+++ b/roles/ldap_server/tasks/ldap_tls.yml
@@ -0,0 +1,124 @@ +--- + +- name: olcTLSCACertificateFile configured (cn=config) + ldap_attr: + dn: "cn=config" + name: olcTLSCACertificateFile + values: "{{ openldap_confdir }}/sasl2/fullchain.pem" + state: exact + start_tls: yes + server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" + bind_dn: "{{ ldap_config_admin_user_dn }}" + bind_pw: "{{ ldap_config_admin_user_password }}" + notify: "restart slapd" + +- name: olcTLSCACertificateFile configured (cn=config) + ldap_attr: + dn: "cn=config" + name: olcTLSCertificateKeyFile + values: "{{ openldap_confdir }}/sasl2/privkey.pem" + state: exact + start_tls: yes + server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" + bind_dn: "{{ ldap_config_admin_user_dn }}" + bind_pw: "{{ ldap_config_admin_user_password }}" + notify: "restart slapd" + +- name: olcTLSCertificateFile configured (cn=config) + ldap_attr: + dn: "cn=config" + name: olcTLSCertificateFile + values: "{{ openldap_confdir }}/sasl2/cert.pem" + state: exact + start_tls: yes + server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" + bind_dn: "{{ ldap_config_admin_user_dn }}" + bind_pw: "{{ ldap_config_admin_user_password }}" + notify: "restart slapd" + +- name: olcTLSProtocolMin configured (cn=config) + ldap_attr: + dn: "cn=config" + name: olcTLSProtocolMin + values: "3.3" + state: exact + start_tls: yes + server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" + bind_dn: "{{ ldap_config_admin_user_dn }}" + bind_pw: "{{ ldap_config_admin_user_password }}" + notify: "restart slapd" + +- name: olcSecurity configured (cn=config) + ldap_attr: + dn: "cn=config" + name: olcSecurity + values: "tls=1" + state: exact + start_tls: yes + server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" + bind_dn: "{{ ldap_config_admin_user_dn }}" + bind_pw: "{{ ldap_config_admin_user_password }}" + notify: "restart slapd" + +- name: TLS required (olcDatabase={-1}frontend,cn=config) + ldap_attr: + dn: "olcDatabase={-1}frontend,cn=config" + name: olcSecurity + values: "tls=1" + state: 
exact + start_tls: yes + server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" + bind_dn: "{{ ldap_config_admin_user_dn }}" + bind_pw: "{{ ldap_config_admin_user_password }}" + notify: "restart slapd" + +- name: TLS required (olcDatabase={0}config,cn=config) + ldap_attr: + dn: "olcDatabase={0}config,cn=config" + name: olcSecurity + values: "tls=1" + state: exact + start_tls: yes + server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" + bind_dn: "{{ ldap_config_admin_user_dn }}" + bind_pw: "{{ ldap_config_admin_user_password }}" + notify: "restart slapd" + +- name: TLS required (olcDatabase={1}mdb,cn=config) + ldap_attr: + dn: "olcDatabase={1}mdb,cn=config" + name: olcSecurity + values: "tls=1" + state: exact + start_tls: yes + server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/" + bind_dn: "{{ ldap_config_admin_user_dn }}" + bind_pw: "{{ ldap_config_admin_user_password }}" + notify: "restart slapd" + +#- name: olcTLSCipherSuite configured (cn=config) +# ldap_attr: +# dn: "cn=config" +# name: olcTLSCipherSuite +# #values: "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL" +# values: "ALL:!NULL" +# # values: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 +# state: exact +# start_tls: yes +# bind_dn: "{{ ldap_config_admin_user_dn }}" +# bind_pw: "{{ ldap_config_admin_user_password }}" +# notify: "restart slapd" +# +#- name: olcTLSDHParamFile configured (cn=config) +# ldap_attr: +# dn: "cn=config" +# name: olcTLSDHParamFile +# values: "{{ openldap_confdir }}/sasl2/slapd.dh.params" +# state: exact +# start_tls: yes +# bind_dn: "{{ ldap_config_admin_user_dn }}" +# bind_pw: "{{ ldap_config_admin_user_password }}" +# notify: "restart slapd" + +- name: Force all notified handlers to run at this point, not waiting 
for normal sync points + meta: flush_handlers diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index d733864..001b8d6 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -5,6 +5,8 @@ - include_tasks: package.yml - include_tasks: service.yml +- include_tasks: cert.yml +- include_tasks: ldap_tls.yml - include_tasks: ldap_entries.yml - include_tasks: ldap_attributes.yml - include_tasks: ldap_config.yml
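Review bot: The first three tasks, which install `olcTLSCACertificateFile`, `olcTLSCertificateKeyFile` and `olcTLSCertificateFile`, themselves connect with `start_tls: yes`; on a host that has not yet been given a certificate slapd cannot complete the StartTLS extended operation, so the play would fail before it can configure one. Those bootstrap tasks need to run without StartTLS — over `ldapi:///` with the module's default SASL EXTERNAL bind (requires `become`), or plain `ldap://` only if `ldap_host` is local, since the config-admin password would otherwise cross the network in clear — followed by a `meta: flush_handlers` so the notified restart loads the certificate before `olcSecurity: tls=1` is enforced; the single `flush_handlers` at the end of the file is too late for that. Some OpenLDAP releases validate the key/certificate pair on each cn=config modification, so setting the key and certificate in separate tasks may also be rejected — confirm on the target version. The second task's name repeats `olcTLSCACertificateFile configured (cn=config)` although it sets `olcTLSCertificateKeyFile`. Keep the commented-out `olcTLSCipherSuite` task out until it carries a restrictive suite; `ALL:!NULL` permits every non-null cipher the library supports, including non-PFS and legacy ones that `olcTLSProtocolMin: "3.3"` does not exclude on its own.
```yaml
# Bootstrap over the local socket: slapd has no certificate yet, so StartTLS
# cannot be used until the three olcTLS* attributes are in place.
- name: olcTLSCACertificateFile configured (cn=config)
  ldap_attr:
    dn: "cn=config"
    name: olcTLSCACertificateFile
    values: "{{ openldap_confdir }}/sasl2/fullchain.pem"
    state: exact
    server_uri: "ldapi:///"
  notify: "restart slapd"

# … unchanged: olcTLSCertificateKeyFile and olcTLSCertificateFile tasks, with the same server_uri …

- name: Restart slapd so the new certificate is served before TLS is required
  meta: flush_handlers

# … unchanged: olcTLSProtocolMin, olcSecurity and the per-database tls=1 tasks (start_tls: true) …
```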