- - apt:
- pkg: 'openssl'
- state: 'present'
- tags:
- - 'packages'
-
- - name: 'create slapd private key'
- shell:
- cmd: >
- openssl genpkey
- -algorithm ED25519
- -out /etc/ldap/slapd.key
- creates: '/etc/ldap/slapd.key'
- tags:
- - 'tls_int'
-
- - name: 'set private key ownership'
- file:
- path: '/etc/ldap/slapd.key'
- owner: 'openldap'
- group: 'openldap'
- mode: '600'
-
- - name: 'update tls ca'
- copy:
- content: '{{ tls_root_ca }}'
- dest: '/etc/ldap/root_ca.crt'
- tags:
- - 'tls_int'
-
- - name: 'check slapd cert status'
- command: >
- openssl verify
- -CAfile /etc/ldap/root_ca.crt
- -untrusted /etc/ldap/slapd.crt
- /etc/ldap/slapd.crt
- register: slapd_cert_is_valid
- changed_when: false
- failed_when: false
- tags:
- - 'tls_int'
-
- - name: 'create slapd cert request'
- shell:
- cmd: >
- openssl req
- -new
- -subj "{{ x509_subject_prefix }}/OU=Server/CN={{ server_fqdn }}"
- -key /etc/ldap/slapd.key
- -out /etc/ldap/slapd.csr
- when: slapd_cert_is_valid.rc != 0
- tags:
- - 'tls_int'
-
- - import_tasks: 'ca-signing-request.yaml'
- vars:
- host: '{{ server_fqdn }}'
- request_path: '/etc/ldap/slapd.csr'
- output_path: '/etc/ldap/slapd.crt'
- when: slapd_cert_is_valid.rc != 0
- tags:
- - 'tls_int'
-
- # !BUG! Fixed in Ansible dev using ldap_attrs instead of ldap_attr
- # Setting the parameters twice in a row fix the problem.
- # Ref: https://github.com/ansible/ansible/issues/25665
- # **ToDO: Find the right combination, is still failing at the first run
- # but works on the second iteration
- - name: 'configuring TLS options (workaround)'
- ldap_attr:
- dn: 'cn=config'
- name: '{{ item.name }}'
- values: '{{ item.value }}'
- loop:
- - { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
- - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
- - { name: 'olcTLSCACertificateFile', value: '/etc/ldap/root_ca.crt' }
- failed_when: false
- tags:
- - 'tls_int'
-
- - name: 'configuring TLS options'
- ldap_attr:
- dn: 'cn=config'
- name: '{{ item.name }}'
- values: '{{ item.value }}'
- state: 'exact'
- loop:
- - { name: 'olcTLSCACertificateFile', value: '/etc/ldap/root_ca.crt' }
- - { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
- - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
- - { name: 'olcTLSVerifyClient', value: 'try' } # TLS Client Auth
- - { name: 'olcTLSCipherSuite', value: 'SECURE:-VERS-ALL:+VERS-TLS1.3' } # TLSv1.3 Only
- tags:
- - 'tls_int'
-
- - name: 'configuring slapd service'
- lineinfile:
- line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
- regexp: '^SLAPD_SERVICES='
- path: '/etc/default/slapd'
- notify: 'restart slapd'
- tags:
- - 'tls_int'
|
