lilik_playbook/roles/ldap/tasks/4_setup_tls.yaml

---
- name: 'install openssl'
  apt:
    pkg: 'openssl'
    state: 'present'
    update_cache: true
    cache_valid_time: 3600
  tags:
    - 'install'
    - 'role:ldap::install'

- name: 'update tls server ca'
  copy:
    content: '{{ ldap_tls_server_ca }}{{ tls_root_ca }}'
    dest: '/etc/ldap/server_ca.crt'

- name: 'update tls user ca'
  copy:
    content: '{{ ldap_tls_user_ca }}{{ tls_root_ca }}'
    dest: '/etc/ldap/user_ca.crt'

- name: 'generete and sign slapd tls certificate'
  import_role: name='ca_cert'
  vars:
    ca_cert_common_name: '{{ host_fqdn }}'
    ca_cert_proto: 'tls'
    ca_cert_tls_ca_path: '/etc/ldap/server_ca.crt'
    ca_cert_tls_key_path: '/etc/ldap/slapd.key'
    ca_cert_tls_cert_path: '/etc/ldap/slapd.crt'
    ca_cert_tls_csr_path: '/etc/ldap/slapd.csr'

- name: 'set private key ownership'
  file:
    path: '/etc/ldap/slapd.key'
    owner: 'openldap'
    group: 'openldap'
    mode: '600'

## BROKEN! WAITING FOR ANSIBLE 2.10 ldap_attrs
## Currently you have to run 2-3 times to get proper configuration.
- name: 'configuring TLS options'
## Remove after update to Ansible 2.10 --->
  ldap_attr:
    dn: 'cn=config'
    name: '{{ item.name }}'
    values: '{{ item.value }}'
    state: 'exact'
  loop:
    - { name: 'olcTLSCACertificateFile', value: '/etc/ldap/user_ca.crt' }
    - { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
    - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
    - { name: 'olcTLSVerifyClient', value: 'try' }  # TLS Client Auth
    - { name: 'olcTLSCipherSuite', value: 'SECURE:-VERS-ALL:+VERS-TLS1.3' } # TLSv1.3 Only
## <---
## Uncomment after update to Ansible 2.10 --->
#  ldap_attrs:
#    dn: 'cn=config'
#    attributes:
#      olcTLSCACertificateFile: '/etc/ldap/user_ca.crt'
#      olcTLSCertificateFile: '/etc/ldap/slapd.crt'
#      olcTLSCertificateKeyFile: '/etc/ldap/slapd.key'
#      olcTLSVerifyClient: 'try'
#      olcTLSCipherSuite: 'SECURE:-VERS-ALL:+VERS-TLS1.3'
## <---

- name: 'configuring slapd service'
  lineinfile:
    line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
    regexp: '^SLAPD_SERVICES='
    path: '/etc/default/slapd'
  notify: 'restart slapd'
...