ansible-base/roles/ldap_server/tasks/ldap_tls.yml


---
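# CA certificate file slapd uses to validate peer chains; here it is the
# full-chain PEM kept under the sasl2/ subdirectory of openldap_confdir.
# NOTE(review): this task itself connects with StartTLS, so slapd must already
# offer a usable TLS listener before this file runs — confirm how the initial
# TLS bootstrap is done elsewhere in the role.
# NOTE(review): ldap_attr is deprecated upstream in favour of ldap_attrs; keep
# the module name here until the installed collection version is confirmed.
- name: olcTLSCACertificateFile configured (cn=config)
  ldap_attr:
    dn: "cn=config"
    name: olcTLSCACertificateFile
    values: "{{ openldap_confdir }}/sasl2/fullchain.pem"
    state: exact
    start_tls: true  # canonical boolean; 'yes' is a YAML 1.1-only spelling
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    # NOTE(review): bind_pw is a secret; confirm the module masks it in task
    # output, otherwise add no_log: true on this task.
    bind_pw: "{{ ldap_config_admin_user_password }}"
  # TLS settings in cn=config only take effect on restart in this setup.
  notify: "restart slapd"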
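# Private key matching the server certificate. The task name previously said
# "olcTLSCACertificateFile", a copy-paste leftover; it now names the attribute
# that is actually set so play output is not misleading.
# The key is set before olcTLSCertificateFile (next task): slapd checks that
# certificate and key match when the certificate is configured.
- name: olcTLSCertificateKeyFile configured (cn=config)
  ldap_attr:
    dn: "cn=config"
    name: olcTLSCertificateKeyFile
    values: "{{ openldap_confdir }}/sasl2/privkey.pem"
    state: exact
    start_tls: true  # canonical boolean; 'yes' is a YAML 1.1-only spelling
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
  notify: "restart slapd"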
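# Server certificate presented to clients. Must be applied after the key
# (previous task) so slapd's cert/key consistency check passes.
- name: olcTLSCertificateFile configured (cn=config)
  ldap_attr:
    dn: "cn=config"
    name: olcTLSCertificateFile
    values: "{{ openldap_confdir }}/sasl2/cert.pem"
    state: exact
    start_tls: true  # canonical boolean; 'yes' is a YAML 1.1-only spelling
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
  notify: "restart slapd"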
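# Minimum negotiated protocol version. OpenLDAP uses SSL-style major.minor
# numbering, so "3.3" means TLS 1.2 — TLS 1.0/1.1 and SSLv3 are refused.
# Keep the value quoted: unquoted 3.3 is a float and would be re-serialised
# unpredictably.
- name: olcTLSProtocolMin configured (cn=config)
  ldap_attr:
    dn: "cn=config"
    name: olcTLSProtocolMin
    values: "3.3"
    state: exact
    start_tls: true  # canonical boolean; 'yes' is a YAML 1.1-only spelling
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
  notify: "restart slapd"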
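# Global security requirement: tls=1 demands a TLS session (strength factor
# of at least 1) for operations, so cleartext LDAP binds and searches are
# rejected. The tasks in this file keep working afterwards because they all
# connect with start_tls.
- name: olcSecurity configured (cn=config)
  ldap_attr:
    dn: "cn=config"
    name: olcSecurity
    values: "tls=1"
    state: exact
    start_tls: true  # canonical boolean; 'yes' is a YAML 1.1-only spelling
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
  notify: "restart slapd"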
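# Same tls=1 requirement on the frontend pseudo-database, so the rule also
# applies to operations not scoped to a specific backend.
- name: TLS required (olcDatabase={-1}frontend,cn=config)
  ldap_attr:
    dn: "olcDatabase={-1}frontend,cn=config"
    name: olcSecurity
    values: "tls=1"
    state: exact
    start_tls: true  # canonical boolean; 'yes' is a YAML 1.1-only spelling
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
  notify: "restart slapd"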
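# Require TLS for access to the cn=config database itself, so the config
# admin credentials used by this role never travel in cleartext.
- name: TLS required (olcDatabase={0}config,cn=config)
  ldap_attr:
    dn: "olcDatabase={0}config,cn=config"
    name: olcSecurity
    values: "tls=1"
    state: exact
    start_tls: true  # canonical boolean; 'yes' is a YAML 1.1-only spelling
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
  notify: "restart slapd"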
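# Require TLS for the mdb data database holding the directory content.
# NOTE(review): the database index {1} is hard-coded; confirm it matches the
# backend created elsewhere in the role if more databases are ever added.
- name: TLS required (olcDatabase={1}mdb,cn=config)
  ldap_attr:
    dn: "olcDatabase={1}mdb,cn=config"
    name: olcSecurity
    values: "tls=1"
    state: exact
    start_tls: true  # canonical boolean; 'yes' is a YAML 1.1-only spelling
    server_uri: "ldap://{{ ldap_host }}:{{ ldap_port }}/"
    bind_dn: "{{ ldap_config_admin_user_dn }}"
    bind_pw: "{{ ldap_config_admin_user_password }}"
  notify: "restart slapd"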
#- name: olcTLSCipherSuite configured (cn=config)
# ldap_attr:
# dn: "cn=config"
# name: olcTLSCipherSuite
# #values: "ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!EXP:!SSLV2:!eNULL"
# values: "ALL:!NULL"
# # values: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
# state: exact
# start_tls: yes
# bind_dn: "{{ ldap_config_admin_user_dn }}"
# bind_pw: "{{ ldap_config_admin_user_password }}"
# notify: "restart slapd"
#
#- name: olcTLSDHParamFile configured (cn=config)
# ldap_attr:
# dn: "cn=config"
# name: olcTLSDHParamFile
# values: "{{ openldap_confdir }}/sasl2/slapd.dh.params"
# state: exact
# start_tls: yes
# bind_dn: "{{ ldap_config_admin_user_dn }}"
# bind_pw: "{{ ldap_config_admin_user_password }}"
# notify: "restart slapd"
# Run the pending "restart slapd" handler now rather than at the end of the
# play, so later tasks talk to a slapd that already enforces the TLS settings
# applied above.
- name: 'Force all notified handlers to run at this point, not waiting for normal sync points'
  meta: flush_handlers