
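# The openssl binary is used by every 'tls_int' task below (genpkey, verify,
# req), so the package task carries that tag too; otherwise a run limited
# to --tags tls_int can fail on a fresh host before the key is generated.
- name: 'install openssl'
  apt:
    name: 'openssl'
    state: 'present'
  tags:
    - 'packages'
    - 'tls_int'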
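# Generate the slapd private key once (skipped while the file exists).
# The shell runs under umask 077 so the key is created 0600 root:root and
# is never readable by other users in the window before the ownership
# task below hands it to the openldap user.
- name: 'create slapd private key'
  shell:
    cmd: >-
      umask 077 &&
      openssl genpkey
      -algorithm ED25519
      -out /etc/ldap/slapd.key
    creates: '/etc/ldap/slapd.key'
  tags:
    - 'tls_int'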
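# Tagged 'tls_int' like its neighbours: without the tag, a run limited to
# --tags tls_int would generate the key but leave it owned by root, so
# slapd (running as openldap) could not read it.
- name: 'set private key ownership'
  file:
    path: '/etc/ldap/slapd.key'
    owner: 'openldap'
    group: 'openldap'
    mode: '0600'  # owner read/write only; quoted so Ansible parses it as octal
  tags:
    - 'tls_int'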
# Install the trusted root CA (taken from the tls_root_ca variable) where
# the verify task and slapd's olcTLSCACertificateFile expect it.
- name: 'update tls ca'
  copy:
    dest: '/etc/ldap/root_ca.crt'
    content: '{{ tls_root_ca }}'
  tags:
    - 'tls_int'
# Probe the current certificate against the root CA. The task never fails
# and never reports a change; the exit code is kept in
# slapd_cert_is_valid.rc and drives the request/signing tasks below
# (non-zero also when /etc/ldap/slapd.crt does not exist yet).
# NOTE(review): openssl verify checks the chain and validity dates only;
# it does not confirm the cert still matches slapd.key or server_fqdn.
- name: 'check slapd cert status'
  command: >
    openssl verify
    -CAfile /etc/ldap/root_ca.crt
    -untrusted /etc/ldap/slapd.crt
    /etc/ldap/slapd.crt
  changed_when: false
  failed_when: false
  register: slapd_cert_is_valid
  tags:
    - 'tls_int'
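# Build a CSR from the existing key whenever the current cert failed
# verification. The subject is assembled in Jinja and passed through the
# quote filter so the contents of x509_subject_prefix / server_fqdn reach
# openssl verbatim and are never interpreted by the shell.
- name: 'create slapd cert request'
  shell:
    cmd: >-
      openssl req
      -new
      -subj {{ (x509_subject_prefix ~ '/OU=Server/CN=' ~ server_fqdn) | quote }}
      -key /etc/ldap/slapd.key
      -out /etc/ldap/slapd.csr
  when: slapd_cert_is_valid.rc != 0
  tags:
    - 'tls_int'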
# Hand the CSR to the shared CA signing flow; the signed certificate is
# written to output_path. With import_tasks the when/tags are applied to
# each imported task.
- import_tasks: 'ca-signing-request.yaml'
  when: slapd_cert_is_valid.rc != 0
  tags:
    - 'tls_int'
  vars:
    host: '{{ server_fqdn }}'
    request_path: '/etc/ldap/slapd.csr'
    output_path: '/etc/ldap/slapd.crt'
# !BUG! Fixed in Ansible dev using ldap_attrs instead of ldap_attr.
# Setting the parameters twice in a row works around the problem: this
# pass is best-effort (failed_when: false); the next task enforces the
# same values with state: exact.
# Ref: https://github.com/ansible/ansible/issues/25665
# TODO: find the right combination; it still fails on the first run but
# works on the second iteration.
- name: 'configuring TLS options (workaround)'
  ldap_attr:
    dn: 'cn=config'
    name: '{{ item.name }}'
    values: '{{ item.value }}'
  failed_when: false
  loop:
    - name: 'olcTLSCertificateFile'
      value: '/etc/ldap/slapd.crt'
    - name: 'olcTLSCertificateKeyFile'
      value: '/etc/ldap/slapd.key'
    - name: 'olcTLSCACertificateFile'
      value: '/etc/ldap/root_ca.crt'
  tags:
    - 'tls_int'
# Enforce the TLS settings in cn=config; state: exact replaces whatever
# value the attribute currently holds. The CA file is set first, then the
# server certificate and key, then the client-auth and protocol policy.
- name: 'configuring TLS options'
  ldap_attr:
    dn: 'cn=config'
    name: '{{ item.name }}'
    values: '{{ item.value }}'
    state: 'exact'
  loop:
    - name: 'olcTLSCACertificateFile'
      value: '/etc/ldap/root_ca.crt'
    - name: 'olcTLSCertificateFile'
      value: '/etc/ldap/slapd.crt'
    - name: 'olcTLSCertificateKeyFile'
      value: '/etc/ldap/slapd.key'
    # 'try' requests a client certificate but lets sessions without one
    # proceed; only an invalid certificate is rejected. Client certs are
    # therefore optional here ('demand' would make them mandatory).
    - name: 'olcTLSVerifyClient'
      value: 'try'
    # GnuTLS priority string: the SECURE profile with every protocol
    # version removed and TLS 1.3 re-enabled, i.e. TLSv1.3 only.
    - name: 'olcTLSCipherSuite'
      value: 'SECURE:-VERS-ALL:+VERS-TLS1.3'
  tags:
    - 'tls_int'
# Make slapd listen on ldap://, ldapi:// and ldaps:// (replacing an existing
# SLAPD_SERVICES line, appending one if absent) and schedule a restart.
# NOTE(review): plaintext ldap:/// stays enabled next to ldaps:///; confirm
# it is still required, or that StartTLS is enforced elsewhere.
- name: 'configuring slapd service'
  lineinfile:
    path: '/etc/default/slapd'
    regexp: '^SLAPD_SERVICES='
    line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
  notify: 'restart slapd'
  tags:
    - 'tls_int'