LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Playbooks to a new Lilik
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
463 Commits
12 Branches
967 KiB
 
 
 
 
Tree: a76d3c0d44
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'a76d3c0d44'
${ noResults }
lilik_playbook/roles/ldap/tasks/4_setup_tls.yaml

72 lines
2.1 KiB
Raw Blame History

---
- name: 'install openssl'
apt:
pkg: 'openssl'
state: 'present'
update_cache: true
cache_valid_time: 3600
tags:
- 'install'
- 'role:ldap::install'
- name: 'update tls server ca'
copy:
content: '{{ ldap_tls_server_ca }}{{ tls_root_ca }}'
dest: '/etc/ldap/server_ca.crt'
- name: 'update tls user ca'
copy:
content: '{{ ldap_tls_user_ca }}{{ tls_root_ca }}'
dest: '/etc/ldap/user_ca.crt'
- name: 'generete and sign slapd tls certificate'
import_role: name='ca_cert'
vars:
ca_cert_common_name: '{{ host_fqdn }}'
ca_cert_proto: 'tls'
ca_cert_tls_ca_path: '/etc/ldap/server_ca.crt'
ca_cert_tls_key_path: '/etc/ldap/slapd.key'
ca_cert_tls_cert_path: '/etc/ldap/slapd.crt'
ca_cert_tls_csr_path: '/etc/ldap/slapd.csr'
- name: 'set private key ownership'
file:
path: '/etc/ldap/slapd.key'
owner: 'openldap'
group: 'openldap'
mode: '600'
## BROKEN! WAITING FOR ANSIBLE 2.10 ldap_attrs
## Currently you have to run 2-3 times to get proper configuration.
- name: 'configuring TLS options'
## Remove after update to Ansible 2.10 --->
ldap_attr:
dn: 'cn=config'
name: '{{ item.name }}'
values: '{{ item.value }}'
state: 'exact'
loop:
- { name: 'olcTLSCACertificateFile', value: '/etc/ldap/user_ca.crt' }
- { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
- { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
- { name: 'olcTLSVerifyClient', value: 'try' } # TLS Client Auth
- { name: 'olcTLSCipherSuite', value: 'SECURE:-VERS-ALL:+VERS-TLS1.3' } # TLSv1.3 Only
## <---
## Uncomment after update to Ansible 2.10 --->
# ldap_attrs:
# dn: 'cn=config'
# attributes:
# olcTLSCACertificateFile: '/etc/ldap/user_ca.crt'
# olcTLSCertificateFile: '/etc/ldap/slapd.crt'
# olcTLSCertificateKeyFile: '/etc/ldap/slapd.key'
# olcTLSVerifyClient: 'try'
# olcTLSCipherSuite: 'SECURE:-VERS-ALL:+VERS-TLS1.3'
## <---
- name: 'configuring slapd service'
lineinfile:
line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
regexp: '^SLAPD_SERVICES='
path: '/etc/default/slapd'
notify: 'restart slapd'
...