Start configuring StartTLS
This commit is contained in:
parent
204ada2707
commit
17575509dd
@ -1,5 +1,19 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
# Role ansible-role-certbot : defina auto renew, schedule, ...
|
||||||
|
# WARNING: you need to open the port 80 (iptables)
|
||||||
|
certbot_auto_renew: true
|
||||||
|
certbot_auto_renew_user: "root"
|
||||||
|
certbot_auto_renew_hour: "5"
|
||||||
|
certbot_auto_renew_minute: "0"
|
||||||
|
certbot_auto_renew_options: "--quiet --no-self-upgrade --deploy-hook 'cp -pf /etc/letsencrypt/live/{{ inventory_hostname }}/*.pem /etc/ldap/sasl2/ && chown openldap: /etc/ldap/sasl2/*.pem && systemctl restart slapd'"
|
||||||
|
certbot_create_if_missing: true
|
||||||
|
certbot_create_method: standalone
|
||||||
|
certbot_create_standalone_stop_services: []
|
||||||
|
certbot_certs:
|
||||||
|
- domains:
|
||||||
|
- "{{ inventory_hostname }}"
|
||||||
|
|
||||||
openldap_schemas:
|
openldap_schemas:
|
||||||
- core
|
- core
|
||||||
- cosine
|
- cosine
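Review bot: The deploy hook inside `certbot_auto_renew_options` hard-codes `/etc/ldap/sasl2/`, while the new cert.yml in this commit copies the same PEMs into `{{ openldap_confdir }}/sasl2/`; if `openldap_confdir` is ever set to anything else, renewals land in a directory slapd does not read and TLS silently expires at the first renewal. Either derive the hook path from the same variable or add a comment above the line, e.g. `# must stay in sync with openldap_confdir used by roles/ldap_server/tasks/cert.yml`. The `&& systemctl restart slapd` tail also means a renewal restarts the directory outside Ansible's control, which is worth stating next to the existing `# WARNING` comment so operators expect the nightly restart window defined by `certbot_auto_renew_hour`.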
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
---
|
---
|
||||||
- hosts: ldap_server
|
- hosts: ldap_server
|
||||||
roles:
|
roles:
|
||||||
|
- geerlingguy.certbot
|
||||||
- ldap_server
|
- ldap_server
|
||||||
|
|
29
roles/ldap_server/tasks/cert.yml
Normal file
29
roles/ldap_server/tasks/cert.yml
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: check if key and cert already present in ldap configuration folder
|
||||||
|
stat:
|
||||||
|
path: "{{ openldap_confdir }}/sasl2/privkey.pem"
|
||||||
|
register: privkey_exist
|
||||||
|
|
||||||
|
- name: if key and cert not already present, copy them
|
||||||
|
shell: "cp -pf /etc/letsencrypt/live/l01.wirebrass.fr/*.pem {{ openldap_confdir }}/sasl2/"
|
||||||
|
when: not privkey_exist.stat.exists
|
||||||
|
|
||||||
|
- name: if key and cert not already present, fix permissions
|
||||||
|
shell: "chown openldap: {{ openldap_confdir }}/sasl2/*.pem"
|
||||||
|
when: not privkey_exist.stat.exists
|
||||||
|
|
||||||
|
- name: link to ca-certificates created
|
||||||
|
file:
|
||||||
|
src: /etc/ssl/certs/ca-certificates.crt
|
||||||
|
dest: "{{ openldap_confdir }}/sasl2/ca-certificates.crt"
|
||||||
|
state: link
|
||||||
|
|
||||||
|
- name: OpenLDAP DH Parameters generated
|
||||||
|
openssl_dhparam:
|
||||||
|
path: "{{ openldap_confdir }}/sasl2/slapd.dh.params"
|
||||||
|
size: 2048
|
||||||
|
owner: openldap
|
||||||
|
group: openldap
|
||||||
|
mode: 0600
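Review bot: The copy task at the `shell: "cp -pf /etc/letsencrypt/live/l01.wirebrass.fr/*.pem ..."` line hard-codes one host's certificate directory, while everything else in this commit keys on `{{ inventory_hostname }}`; on any other host the glob matches nothing and the later ldap_tls.yml tasks point slapd at files that do not exist, so it should read `shell: "cp -pf /etc/letsencrypt/live/{{ inventory_hostname }}/*.pem {{ openldap_confdir }}/sasl2/"` to match the deploy hook in the defaults. Both `shell` tasks are guarded only by `privkey_exist`, so after the first run Ansible never refreshes or re-permissions the PEMs and correctness rests entirely on the certbot hook; the `copy` module with `remote_src: true` over the three PEM names (and `file` for ownership) would be idempotent and would report drift. `mode: 0600` on the `openssl_dhparam` task is an unquoted octal that YAML 1.1 loads as the integer 384 — Ansible interprets that correctly, but `mode: "0600"` is the documented safe form. The generated `slapd.dh.params` is currently dead output, because the `olcTLSDHParamFile` task in ldap_tls.yml is commented out.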
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
name: cn
|
name: cn
|
||||||
values: "{{ item.cn }}"
|
values: "{{ item.cn }}"
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
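Review bot: The added `start_tls: yes` uses the YAML 1.1 boolean spelling; ansible-lint's truthy rule and YAML 1.2 both want `start_tls: true`, and the same applies to every other `start_tls: yes` line this commit adds in the attribute, config, entry and ldap_tls task files. That is style only — Ansible's loader accepts `yes`. A behavioural point to document alongside it: `ldap_attr` validates the server certificate by default, so `ldap_host` must be a name covered by the certbot certificate (the defaults request `{{ inventory_hostname }}`); if it resolves to `localhost` or an IP, StartTLS fails verification rather than falling back, which deserves a comment where `ldap_host` is defined, e.g. `# must match a SAN of the issued certificate; StartTLS verifies the hostname`. The enclosing tasks start and end outside these hunks.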
|
||||||
|
@ -18,6 +19,7 @@
|
||||||
name: loginShell
|
name: loginShell
|
||||||
values: "/bin/bash"
|
values: "/bin/bash"
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -30,6 +32,7 @@
|
||||||
name: homeDirectory
|
name: homeDirectory
|
||||||
values: "/home/{{ item.uid }}"
|
values: "/home/{{ item.uid }}"
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -42,6 +45,7 @@
|
||||||
name: uidNumber
|
name: uidNumber
|
||||||
values: "{{ item.uidNumber }}"
|
values: "{{ item.uidNumber }}"
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -54,6 +58,7 @@
|
||||||
name: gidNumber
|
name: gidNumber
|
||||||
values: "{{ item.gidNumber }}"
|
values: "{{ item.gidNumber }}"
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -66,6 +71,7 @@
|
||||||
name: gidNumber
|
name: gidNumber
|
||||||
values: "{{ item.gidNumber }}"
|
values: "{{ item.gidNumber }}"
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -78,6 +84,7 @@
|
||||||
name: description
|
name: description
|
||||||
values: "{{ item.description }}"
|
values: "{{ item.description }}"
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -90,6 +97,7 @@
|
||||||
name: memberUid
|
name: memberUid
|
||||||
values: "{{ item.memberUid }}"
|
values: "{{ item.memberUid }}"
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -102,6 +110,7 @@
|
||||||
name: description
|
name: description
|
||||||
values: "{{ item.description }}"
|
values: "{{ item.description }}"
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -112,6 +121,7 @@
|
||||||
ldap_passwd:
|
ldap_passwd:
|
||||||
dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
|
dn: "cn={{ item.cn }},ou=accounts,{{ ldap_root_dn }}"
|
||||||
passwd: "{{ item.userPassword }}"
|
passwd: "{{ item.userPassword }}"
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
|
|
@ -6,6 +6,7 @@
|
||||||
name: olcDisallows
|
name: olcDisallows
|
||||||
values: bind_anon
|
values: bind_anon
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
@ -16,6 +17,7 @@
|
||||||
name: olcRequires
|
name: olcRequires
|
||||||
values: authc
|
values: authc
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
@ -26,6 +28,7 @@
|
||||||
name: olcRequires
|
name: olcRequires
|
||||||
values: authc
|
values: authc
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
@ -36,6 +39,7 @@
|
||||||
name: olcRequires
|
name: olcRequires
|
||||||
values: authc
|
values: authc
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
@ -46,6 +50,7 @@
|
||||||
name: olcRequires
|
name: olcRequires
|
||||||
values: authc
|
values: authc
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
@ -58,6 +63,7 @@
|
||||||
- "{0}to attrs=userPassword by self write by anonymous auth by * none"
|
- "{0}to attrs=userPassword by self write by anonymous auth by * none"
|
||||||
- "{1}to attrs=shadowLastChange by self write by * read"
|
- "{1}to attrs=shadowLastChange by self write by * read"
|
||||||
state: exact
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_config_admin_user_password }}"
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
|
|
@ -8,6 +8,7 @@
|
||||||
- organization
|
- organization
|
||||||
attributes:
|
attributes:
|
||||||
o: "{{ ldap_domain }}"
|
o: "{{ ldap_domain }}"
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -17,6 +18,7 @@
|
||||||
dn: "ou=people,{{ ldap_root_dn }}"
|
dn: "ou=people,{{ ldap_root_dn }}"
|
||||||
objectClass:
|
objectClass:
|
||||||
- organizationalUnit
|
- organizationalUnit
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -26,6 +28,7 @@
|
||||||
dn: "ou=groups,{{ ldap_root_dn }}"
|
dn: "ou=groups,{{ ldap_root_dn }}"
|
||||||
objectClass:
|
objectClass:
|
||||||
- organizationalUnit
|
- organizationalUnit
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -35,6 +38,7 @@
|
||||||
dn: "ou=accounts,{{ ldap_root_dn }}"
|
dn: "ou=accounts,{{ ldap_root_dn }}"
|
||||||
objectClass:
|
objectClass:
|
||||||
- organizationalUnit
|
- organizationalUnit
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -44,6 +48,7 @@
|
||||||
dn: "ou=applications,{{ ldap_root_dn }}"
|
dn: "ou=applications,{{ ldap_root_dn }}"
|
||||||
objectClass:
|
objectClass:
|
||||||
- organizationalUnit
|
- organizationalUnit
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -62,6 +67,7 @@
|
||||||
homeDirectory: "/home/{{ item.uid }}"
|
homeDirectory: "/home/{{ item.uid }}"
|
||||||
uidNumber: "{{ item.uidNumber }}"
|
uidNumber: "{{ item.uidNumber }}"
|
||||||
gidNumber: "{{ item.gidNumber }}"
|
gidNumber: "{{ item.gidNumber }}"
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -77,6 +83,7 @@
|
||||||
cn: "{{ item.cn }}"
|
cn: "{{ item.cn }}"
|
||||||
description: "{{ item.description }}"
|
description: "{{ item.description }}"
|
||||||
gidNumber: "{{ item.gidNumber }}"
|
gidNumber: "{{ item.gidNumber }}"
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
@ -93,6 +100,7 @@
|
||||||
cn: "{{ item.cn }}"
|
cn: "{{ item.cn }}"
|
||||||
description: "{{ item.description }}"
|
description: "{{ item.description }}"
|
||||||
userPassword: "{{ item.userPassword }}"
|
userPassword: "{{ item.userPassword }}"
|
||||||
|
start_tls: yes
|
||||||
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
bind_dn: "{{ ldap_admin_user_dn }}"
|
bind_dn: "{{ ldap_admin_user_dn }}"
|
||||||
bind_pw: "{{ ldap_admin_user_password }}"
|
bind_pw: "{{ ldap_admin_user_password }}"
|
||||||
|
|
124
roles/ldap_server/tasks/ldap_tls.yml
Normal file
124
roles/ldap_server/tasks/ldap_tls.yml
Normal file
|
@ -0,0 +1,124 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: olcTLSCACertificateFile configured (cn=config)
|
||||||
|
ldap_attr:
|
||||||
|
dn: "cn=config"
|
||||||
|
name: olcTLSCACertificateFile
|
||||||
|
values: "{{ openldap_confdir }}/sasl2/fullchain.pem"
|
||||||
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
notify: "restart slapd"
|
||||||
|
|
||||||
|
- name: olcTLSCACertificateFile configured (cn=config)
|
||||||
|
ldap_attr:
|
||||||
|
dn: "cn=config"
|
||||||
|
name: olcTLSCertificateKeyFile
|
||||||
|
values: "{{ openldap_confdir }}/sasl2/privkey.pem"
|
||||||
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
notify: "restart slapd"
|
||||||
|
|
||||||
|
- name: olcTLSCertificateFile configured (cn=config)
|
||||||
|
ldap_attr:
|
||||||
|
dn: "cn=config"
|
||||||
|
name: olcTLSCertificateFile
|
||||||
|
values: "{{ openldap_confdir }}/sasl2/cert.pem"
|
||||||
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
notify: "restart slapd"
|
||||||
|
|
||||||
|
- name: olcTLSProtocolMin configured (cn=config)
|
||||||
|
ldap_attr:
|
||||||
|
dn: "cn=config"
|
||||||
|
name: olcTLSProtocolMin
|
||||||
|
values: "3.3"
|
||||||
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
notify: "restart slapd"
|
||||||
|
|
||||||
|
- name: olcSecurity configured (cn=config)
|
||||||
|
ldap_attr:
|
||||||
|
dn: "cn=config"
|
||||||
|
name: olcSecurity
|
||||||
|
values: "tls=1"
|
||||||
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
notify: "restart slapd"
|
||||||
|
|
||||||
|
- name: TLS required (olcDatabase={-1}frontend,cn=config)
|
||||||
|
ldap_attr:
|
||||||
|
dn: "olcDatabase={-1}frontend,cn=config"
|
||||||
|
name: olcSecurity
|
||||||
|
values: "tls=1"
|
||||||
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
notify: "restart slapd"
|
||||||
|
|
||||||
|
- name: TLS required (olcDatabase={0}config,cn=config)
|
||||||
|
ldap_attr:
|
||||||
|
dn: "olcDatabase={0}config,cn=config"
|
||||||
|
name: olcSecurity
|
||||||
|
values: "tls=1"
|
||||||
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
notify: "restart slapd"
|
||||||
|
|
||||||
|
- name: TLS required (olcDatabase={1}mdb,cn=config)
|
||||||
|
ldap_attr:
|
||||||
|
dn: "olcDatabase={1}mdb,cn=config"
|
||||||
|
name: olcSecurity
|
||||||
|
values: "tls=1"
|
||||||
|
state: exact
|
||||||
|
start_tls: yes
|
||||||
|
server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
|
||||||
|
bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
|
bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
notify: "restart slapd"
|
||||||
|
|
||||||
|
#- name: olcTLSCipherSuite configured (cn=config)
|
||||||
|
# ldap_attr:
|
||||||
|
# dn: "cn=config"
|
||||||
|
# name: olcTLSCipherSuite
|
||||||
|
# #values: "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL"
|
||||||
|
# values: "ALL:!NULL"
|
||||||
|
# # values: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
|
||||||
|
# state: exact
|
||||||
|
# start_tls: yes
|
||||||
|
# bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
|
# bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
# notify: "restart slapd"
|
||||||
|
#
|
||||||
|
#- name: olcTLSDHParamFile configured (cn=config)
|
||||||
|
# ldap_attr:
|
||||||
|
# dn: "cn=config"
|
||||||
|
# name: olcTLSDHParamFile
|
||||||
|
# values: "{{ openldap_confdir }}/sasl2/slapd.dh.params"
|
||||||
|
# state: exact
|
||||||
|
# start_tls: yes
|
||||||
|
# bind_dn: "{{ ldap_config_admin_user_dn }}"
|
||||||
|
# bind_pw: "{{ ldap_config_admin_user_password }}"
|
||||||
|
# notify: "restart slapd"
|
||||||
|
|
||||||
|
- name: Force all notified handlers to run at this point, not waiting for normal sync points
|
||||||
|
meta: flush_handlers
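Review bot: Every task in this new file connects with `start_tls: yes`, yet the file's own job is to give slapd its first TLS configuration — on a fresh host slapd has no `olcTLSCertificateFile` yet, so the StartTLS extended operation in the first task fails and the play stops before any attribute is written (only a host that already completed an earlier run, or was configured by hand, gets past this point). The bootstrap edits to `cn=config` need a path that does not depend on their own result, e.g. dropping `server_uri`/`bind_dn`/`bind_pw`/`start_tls` on these tasks so `ldap_attr` falls back to its default `ldapi:///` with SASL EXTERNAL, which presumably works here if the distribution's default cn=config ACL for root is in place — confirm before relying on it. The second task is named `olcTLSCACertificateFile configured (cn=config)` but sets `olcTLSCertificateKeyFile`; rename it `- name: olcTLSCertificateKeyFile configured (cn=config)` so play output is not misleading. Setting the CA file, key file and certificate file as three separate modifies is also fragile: slapd checks the certificate/key pair when these change, and on some builds a key without its matching certificate in the same operation is rejected, so a single `ldap_modify` (or one `ldapmodify` LDIF) that sets all three together is the more reliable form. Finally, the commented-out cipher value `"ALL:!NULL"` would, if revived, still admit legacy suites; keep the `olcTLSProtocolMin` floor of `"3.3"` (TLS 1.2) and prefer an explicit modern list when that task is re-enabled.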
|
|
@ -5,6 +5,8 @@
|
||||||
|
|
||||||
- include_tasks: package.yml
|
- include_tasks: package.yml
|
||||||
- include_tasks: service.yml
|
- include_tasks: service.yml
|
||||||
|
- include_tasks: cert.yml
|
||||||
|
- include_tasks: ldap_tls.yml
|
||||||
- include_tasks: ldap_entries.yml
|
- include_tasks: ldap_entries.yml
|
||||||
- include_tasks: ldap_attributes.yml
|
- include_tasks: ldap_attributes.yml
|
||||||
- include_tasks: ldap_config.yml
|
- include_tasks: ldap_config.yml
|
||||||