author | Guilhem Moulin <guilhem@fripost.org> | 2024-09-08 20:30:20 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2024-09-08 20:54:00 +0200 |
commit | 6b7ad809bbefc32216bac22547241ed402a570c8 (patch) | |
tree | 21b18d5268ecf4c2d86864832d384cc79de78b4d /roles | |
parent | ab26418d9e59314d88ebf4f0885659114a919961 (diff) |
Also, switch from rsa4096 to ed25519 and use a separate key for each
syncrepl.
Diffstat (limited to 'roles')
-rw-r--r-- | roles/common-LDAP/tasks/main.yml | 34 | ||||
-rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 2 | ||||
-rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 10 |
3 files changed, 28 insertions, 18 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index 37edb0b..e17bc3a 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml @@ -30,19 +30,13 @@ tags: - genkey -# XXX: It's ugly to list all roles here, and to prunes them with a -# conditional... - name: Generate a private key and a X.509 certificate for slapd - # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't - # support ECDSA; and slapd doesn't seem to support DHE (!?) so - # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with - # SHA-512. command: genkeypair.sh x509 --pubkey=/etc/ldap/ssl/{{ item.name }}.pem --privkey=/etc/ldap/ssl/{{ item.name }}.key --ou=LDAP {{ item.ou }} --cn={{ item.name }} - --usage=digitalSignature,keyEncipherment,keyCertSign - -t rsa -b 4096 -h sha256 + --usage=digitalSignature,keyEncipherment + -t ed25519 --owner=root --group=openldap --mode=0640 register: r2 changed_when: r2.rc == 0 @@ -52,6 +46,18 @@ - { group: 'MX', name: mx, ou: --ou=SyncRepl } - { group: 'lists', name: lists, ou: --ou=SyncRepl } when: "item.group in group_names" + notify: + - Restart slapd + tags: + - genkey + +- name: Fetch the SyncProv's X.509 certificate + # Ensure we don't fetch private data + become: False + fetch_cmd: cmd="openssl x509" + stdin=/etc/ldap/ssl/ldap.fripost.org.pem + dest=certs/ldap/ldap.fripost.org.pem + when: "'LDAP_provider' in group_names" tags: - genkey @@ -60,9 +66,8 @@ become: False fetch_cmd: cmd="openssl x509" stdin=/etc/ldap/ssl/{{ item.name }}.pem - dest=certs/ldap/{{ item.name }}.pem + dest=certs/ldap/syncrepl/{{ item.name }}@{{ inventory_hostname_short }}.pem with_items: - - { group: 'LDAP_provider', name: ldap.fripost.org } - { group: 'MX', name: mx } - { group: 'lists', name: lists } when: "item.group in group_names" 
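Review bot: The switch from `-t rsa -b 4096` to `-t ed25519` in the "Generate a private key and a X.509 certificate for slapd" task looks like it only reaches hosts that have no key yet. The genkeypair.sh hunk in this same commit shows the script taking an `exit 1` path when `$privkey` is non-empty and `$force` is 0. Hosts that already hold an RSA key under /etc/ldap/ssl would then keep it, and the task would report no change. I would put the migration step in a comment above the command, e.g. `# Existing RSA keys are not replaced; remove the old .key/.pem pair (or force regeneration) to move a host to ed25519.` The removed XXX comment also recorded why RSA was chosen, so a one-line replacement naming the TLS library version now assumed for Ed25519 would keep that knowledge.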
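Review bot: With `dest=certs/ldap/syncrepl/{{ item.name }}@{{ inventory_hostname_short }}.pem` each consumer host gets its own certificate file, but the generating task still passes `--cn={{ item.name }}`. Two hosts in the same group would therefore present different keys under one subject DN. The provider's trust file would then hold several self-signed certificates with an identical subject, and it is worth confirming that the TLS library tries each of them during client verification rather than only the first match. The `olcAuthzRegexp` mapping also cannot tell such hosts apart in ACLs or logs. If the shared DN is intentional, a comment on the `with_items` list saying so would help; otherwise the CN would need the host name and the directory entries a matching update.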
@@ -79,17 +84,20 @@ - genkey - name: Copy the SyncRepls's client certificates - assemble: src=certs/ldap remote_src=no - dest=/etc/ldap/ssl/clients.pem + assemble: src=certs/ldap/syncrepl remote_src=no + dest=/etc/ldap/ssl/syncrepl.pem owner=root group=root mode=0644 when: "'LDAP_provider' in group_names" tags: - genkey + register: r3 + notify: + - Restart slapd - name: Start slapd service: name=slapd state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 2c0db0b..a0ac705 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -34,7 +34,7 @@ olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key # terminate the connection. Not providing a certificate is fine for # TLS-protected simple binds, though. olcTLSVerifyClient: try -olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem +olcTLSCACertificateFile: /etc/ldap/ssl/syncrepl.pem olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$" "dn.exact:$1,dc=fripost,dc=org" olcSaslSecProps: minssf=128,noanonymous,noplain,nodict diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index ad65aef..72102f4 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh 
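Review bot: The `assemble` task builds /etc/ldap/ssl/syncrepl.pem from every file under certs/ldap/syncrepl, and nothing in this hunk removes files for hosts that have left the MX or lists groups or have been re-keyed. That file is what `olcTLSCACertificateFile` trusts for client certificates, so an old consumer certificate stays accepted until its .pem is deleted by hand from the controller's directory. A comment on the task such as `# certs/ldap/syncrepl/ must hold only certificates of current consumers; delete a host's file to revoke it` would make the revocation step explicit. The previous /etc/ldap/ssl/clients.pem is also left on the provider; it is no longer referenced, but removing it would avoid confusion.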
@@ -119,14 +119,16 @@ done case "$type" in # XXX: genrsa and dsaparam have been deprecated in favor of genpkey. # genpkey can also create explicit EC parameters, but not named. - rsa) genkey=genrsa; genkeyargs="-f4 ${bits:-2048}";; - dsa) genkey=dsaparam; genkeyargs="-noout -genkey ${bits:-1024}";; + rsa) genkey=genrsa; genkeyargs="-rand /dev/urandom -f4 ${bits:-2048}";; + dsa) genkey=dsaparam; genkeyargs="-rand /dev/urandom -noout -genkey ${bits:-1024}";; # See 'openssl ecparam -list_curves' for the list of supported # curves. StrongSwan doesn't support explicit curve parameters # (however explicit parameters might be required to make exotic # curves work with some clients.) ecdsa) genkey=ecparam - genkeyargs="-noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";; + genkeyargs="-rand /dev/urandom -noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";; + x25519|x448|ed25519|ed448) genkey=genpkey + genkeyargs="-algorithm $type";; *) echo "Unrecognized key type: $type" >&2; exit 2 esac @@ -173,7 +175,7 @@ if [ -s "$privkey" -a $force -eq 0 ]; then exit 1 elif [ ! -s "$privkey" -o $force -ge 2 ]; then install --mode="${mode:-0600}" ${owner:+--owner="$owner"} ${group:+--group="$group"} /dev/null "$privkey" || exit 2 - openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2 + openssl $genkey $genkeyargs >"$privkey" || exit 2 [ "$cmd" = dkim ] && exit fi |
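Review bot: The new `x25519|x448|ed25519|ed448)` branch accepts X25519 and X448 for every sub-command, but those are key-agreement keys and cannot produce signatures. A self-signed certificate request with them would fail only after the private key file has been written. Unless a guard exists outside this hunk, I would split the branch and reject the two X types when a signature is needed, e.g. `x25519|x448) [ "$cmd" = x509 ] && { echo "$type keys cannot sign" >&2; exit 2; }; genkey=genpkey; genkeyargs="-algorithm $type";;`. Separately, the defaults kept on the touched lines (`${bits:-1024}` for DSA and `secp224r1` for ECDSA) are below what current guidance generally accepts; raising them or requiring an explicit size would be a reasonable follow-up.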