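- name: 'install openssl'
  # Provides the openssl CLI used below to generate the slapd key and CSR
  # and to verify the existing certificate against the root CA.
  # 'name' is the canonical apt parameter ('pkg' is only an alias), and the
  # task is named so lint and play output identify it.
  apt:
    name: 'openssl'
    state: 'present'
  tags:
    - 'packages'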
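- name: 'create slapd private key'
  # Ed25519 server key for slapd; skipped once the file exists (creates:).
  # command instead of shell: the arguments are fixed paths and need no
  # shell parsing, so no shell is involved at all.
  # NOTE(review): the file mode right after creation is whatever openssl
  # applies (0600 on recent releases, umask-dependent on older ones); the
  # 'set private key ownership' task that follows enforces the final
  # owner/mode -- confirm on the target OpenSSL release if the gap matters.
  command: >-
    openssl genpkey
    -algorithm ED25519
    -out /etc/ldap/slapd.key
  args:
    creates: '/etc/ldap/slapd.key'
  tags:
    - 'tls_int'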
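- name: 'set private key ownership'
  # Restrict the TLS private key to the slapd service account.
  # Tagged tls_int so a `--tags tls_int` run that (re)generates the key in
  # the previous task also locks it down; without the tag such a run would
  # leave the key with whatever mode openssl produced.
  file:
    path: '/etc/ldap/slapd.key'
    owner: 'openldap'
    group: 'openldap'
    mode: '0600'
  tags:
    - 'tls_int'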
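- name: 'update tls ca'
  # Root CA used both to verify the existing slapd cert (next task) and as
  # olcTLSCACertificateFile below. Public material, so world-readable is
  # fine; slapd runs as 'openldap' and must be able to read it.
  copy:
    content: '{{ tls_root_ca }}'
    dest: '/etc/ldap/root_ca.crt'
    mode: '0644'
  # A rewritten CA file changes nothing in cn=config, so slapd presumably
  # keeps its already-loaded trust anchors until restarted; notify the
  # existing handler so a new CA actually takes effect.
  notify: 'restart slapd'
  tags:
    - 'tls_int'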
- name: 'check slapd cert status'
  # rc == 0: slapd.crt chains to root_ca.crt and is inside its validity
  # period. Any other rc (including a missing slapd.crt) selects the renewal
  # path in the tasks below, which is why failures are not fatal here.
  # Read-only probe, so it is never reported as 'changed'.
  # Passing the same file via -untrusted presumably lets intermediates
  # bundled into slapd.crt take part in chain building -- confirm against
  # what the CA signing flow writes.
  # NOTE(review): this neither checks that the cert matches slapd.key nor
  # that its subject still equals server_fqdn; both only get a new cert
  # once this check fails for another reason (e.g. expiry).
  command: >-
    openssl verify
    -CAfile /etc/ldap/root_ca.crt
    -untrusted /etc/ldap/slapd.crt
    /etc/ldap/slapd.crt
  register: slapd_cert_is_valid
  failed_when: false
  changed_when: false
  tags:
    - 'tls_int'
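- name: 'create slapd cert request'
  # Only on the renewal path (missing, expired or untrusted cert above).
  # command, not shell: the subject is assembled from the variables
  # x509_subject_prefix and server_fqdn; with command the string is split by
  # shlex into argv and never interpreted by a shell, so metacharacters in
  # those values cannot become commands. The double quotes keep a prefix
  # containing spaces as one -subj argument.
  command: >-
    openssl req
    -new
    -subj "{{ x509_subject_prefix }}/OU=Server/CN={{ server_fqdn }}"
    -key /etc/ldap/slapd.key
    -out /etc/ldap/slapd.csr
  when: slapd_cert_is_valid.rc != 0
  tags:
    - 'tls_int'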
# Hand the CSR to the CA flow and have the certificate written where slapd
# expects it. This is a static import, so the when: below is inherited by
# every task in the imported file and the whole signing flow only runs on
# the renewal path.
- import_tasks: 'ca-signing-request.yaml'
  when: slapd_cert_is_valid.rc != 0
  vars:
    host: '{{ server_fqdn }}'
    request_path: '/etc/ldap/slapd.csr'
    output_path: '/etc/ldap/slapd.crt'
  tags:
    - 'tls_int'
# !BUG! Fixed in Ansible dev by using ldap_attrs instead of ldap_attr.
# Setting the parameters twice in a row works around the problem.
# Ref: https://github.com/ansible/ansible/issues/25665
# TODO: find the right combination; this still fails on the first run
# but works on the second iteration.
- name: 'configuring TLS options (workaround)'
  # First, best-effort pass with the module's default state (present).
  # Errors are deliberately swallowed: the strict 'exact' pass that follows
  # is the one that has to succeed.
  # NOTE(review): slapd is believed to re-initialise its TLS context on each
  # cn=config modify and to reject a cert/key pair that is not yet
  # consistent, which would explain the first-run failure when the three
  # attributes are written one modify at a time; setting them in a single
  # modify (ldap_attrs) avoids that -- confirm before removing this pass.
  ldap_attr:
    dn: 'cn=config'
    name: '{{ item.name }}'
    values: '{{ item.value }}'
  loop:
    - name: 'olcTLSCertificateFile'
      value: '/etc/ldap/slapd.crt'
    - name: 'olcTLSCertificateKeyFile'
      value: '/etc/ldap/slapd.key'
    - name: 'olcTLSCACertificateFile'
      value: '/etc/ldap/root_ca.crt'
  failed_when: false
  tags:
    - 'tls_int'
- name: 'configuring TLS options'
  # Authoritative pass: each attribute is forced to exactly this value.
  # NOTE(review): a renewal rewrites slapd.crt in place, so these values do
  # not change and this task reports nothing; unless the signing flow in
  # ca-signing-request.yaml notifies 'restart slapd', the old certificate
  # stays in use until the next restart -- confirm.
  ldap_attr:
    dn: 'cn=config'
    name: '{{ item.name }}'
    values: '{{ item.value }}'
    state: 'exact'
  loop:
    - name: 'olcTLSCACertificateFile'
      value: '/etc/ldap/root_ca.crt'
    - name: 'olcTLSCertificateFile'
      value: '/etc/ldap/slapd.crt'
    - name: 'olcTLSCertificateKeyFile'
      value: '/etc/ldap/slapd.key'
    # TLS client auth: request a client certificate but still admit
    # sessions that present none; see olcTLSVerifyClient in slapd-config(5)
    # for how 'try' treats a certificate that fails validation.
    - name: 'olcTLSVerifyClient'
      value: 'try'
    # TLSv1.3 only. This is GnuTLS priority-string syntax (the Debian slapd
    # build links GnuTLS); a slapd built against OpenSSL expects OpenSSL
    # cipher syntax and would reject this value -- confirm the build.
    - name: 'olcTLSCipherSuite'
      value: 'SECURE:-VERS-ALL:+VERS-TLS1.3'
  tags:
    - 'tls_int'
- name: 'configuring slapd service'
  # Listeners: plain LDAP, the local ldapi socket and LDAPS (ldaps:///
  # relies on the TLS attributes set above). Any existing SLAPD_SERVICES=
  # line is replaced in place and slapd is restarted to pick it up.
  # NOTE(review): ldap:/// keeps a cleartext listener and nothing in this
  # file requires TLS for binds (no olcSecurity / ssf setting) -- confirm
  # that StartTLS is enforced elsewhere or that cleartext is intended.
  lineinfile:
    path: '/etc/default/slapd'
    regexp: '^SLAPD_SERVICES='
    line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
  notify: 'restart slapd'
  tags:
    - 'tls_int'