| author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-07 05:16:53 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:52:34 +0200 |
| commit | 7c01a383fae4d84727d6a036d93117c761b98e10 (patch) | |
| tree | 453fb77e9758ea29729fa4e65633bb3261e71345 /roles/common-LDAP/tasks | |
| parent | f9fa7026603a298c46aea77d753e0a8121e5d71b (diff) | |
Configure SyncRepl (OpenLDAP replication) and related ACLs.
The clients are identified using their certificate, and connect securely
to the SyncProv.
There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
- Authentication (XXX: strong authentication) is required prior to any DIT
operation (see 'olcRequires').
- We force a Security Strength Factor of 128 or above for all operations (see
'olcSecurity'), meaning one must use either a local connection (eg,
ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
least 128 bits of security.
- XXX: Services may not simple bind other than locally on a ldapi:// socket.
If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
socket whenever possible (if the service itself supports SASL binds).
If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
socket, and their identity should be derived from the CN of the client
certificate only (hence services may not simple bind).
- Admins have restrictions similar to that of the services.
- User access is only restricted by our global 'olcSecurity' attribute.
Diffstat (limited to 'roles/common-LDAP/tasks')
| -rw-r--r-- | roles/common-LDAP/tasks/main.yml | 57 |
|---|---|---|

1 files changed, 56 insertions, 1 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index 5aa8a2e..43c6bfb 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml @@ -43,6 +43,61 @@ # Not sure if required - Restart slapd +- name: Create directory /etc/ldap/ssl + file: path=/etc/ldap/ssl + state=directory + owner=root group=root + mode=0755 + tags: + - genkey + +- name: Generate a private key and a X.509 certificate for slapd + # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't + # support ECDSA; and slapd doesn't seem to support DHE (!?) so + # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with + # SHA-512. + command: genkeypair.sh x509 + --pubkey=/etc/ldap/ssl/{{ item.name }}.pem + --privkey=/etc/ldap/ssl/{{ item.name }}.key + --ou=LDAP {{ item.ou }} --cn={{ item.name }} + --usage=digitalSignature,keyEncipherment + -t rsa -b 4096 -h sha256 + --chown="root:openldap" --chmod=0640 + register: r3 + changed_when: r3.rc == 0 + failed_when: r3.rc > 1 + with_items: + - { group: 'LDAP-provider', name: ldap.fripost.org, ou: } + - { group: 'MX', name: mx, ou: --ou=SyncRepl } + - { group: 'lists', name: lists, ou: --ou=SyncRepl } + when: "item.group in group_names" + tags: + - genkey + +- name: Fetch slapd's X.509 certificate + # Ensure we don't fetch private data + sudo: False + fetch: src=/etc/ldap/ssl/{{ item.name }}.pem + dest=certs/ldap/ + fail_on_missing=yes + flat=yes + with_items: + - { group: 'LDAP-provider', name: ldap.fripost.org } + - { group: 'MX', name: mx } + - { group: 'lists', name: lists } + when: "item.group in group_names" + tags: + - genkey + +- name: Copy the SyncProv's server certificate + copy: src=certs/ldap/ldap.fripost.org.pem + dest=/etc/ldap/ssl/ldap.fripost.org.pem + owner=root group=root + mode=0644 + tags: + - genkey + when: "'LDAP-provider' not in group_names" + - name: Copy fripost & amavis' schema copy: src=etc/ldap/schema/{{ item }} dest=/etc/ldap/schema/{{ item }} 
@@ -74,6 +129,6 @@ - name: Start slapd service: name=slapd state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers |
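Review bot: The `changed_when: r3.rc == 0` / `failed_when: r3.rc > 1` pair on the "Generate a private key and a X.509 certificate for slapd" task encodes an exit-code convention of `genkeypair.sh` that nothing in the task states (apparently 0 = key pair created, 1 = already present, anything higher = error); a one-line comment next to `register: r3` spelling that out would save the next reader a trip into the script. In the same task the `LDAP-provider` item has an empty `ou:`, which YAML parses as null; writing `ou: ''` explicitly makes the intent clear and removes any chance of the null being rendered as a literal token in the `command:` line. The `fetch` task's `sudo: False` with the comment "Ensure we don't fetch private data" is a good guard, since the `.key` file is `root:openldap` `0640` and an unprivileged fetch of a wrong path would fail rather than leak it.

Review bot: `when: not (r1.changed or r2.changed or r3.changed)` now skips "Start slapd" whenever the key-generation task reported a change, but that task carries no `notify: - Restart slapd` in the first hunk, so on a host where only `r3` changed slapd is neither started here nor restarted by the following `meta: flush_handlers`, and the fresh key and certificate are not loaded. Either add the notify to the key task or leave `r3.changed` out of this condition. Note also that `r3` is registered from a `with_items` loop, so `r3.changed` is the aggregate over all items, which is what this condition needs.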