authorGuilhem Moulin <guilhem@fripost.org>2014-07-07 05:16:53 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:34 +0200
commit7c01a383fae4d84727d6a036d93117c761b98e10 (patch)
tree453fb77e9758ea29729fa4e65633bb3261e71345 /roles/common-LDAP/tasks
parentf9fa7026603a298c46aea77d753e0a8121e5d71b (diff)
Configure SyncRepl (OpenLDAP replication) and related ACLs.
The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to those of the services. - User access is only restricted by our global 'olcSecurity' attribute.
Diffstat (limited to 'roles/common-LDAP/tasks')
-rw-r--r--roles/common-LDAP/tasks/main.yml57
1 files changed, 56 insertions, 1 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 5aa8a2e..43c6bfb 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -43,6 +43,61 @@
# Not sure if required
- Restart slapd
+- name: Create directory /etc/ldap/ssl
+ file: path=/etc/ldap/ssl
+ state=directory
+ owner=root group=root
+ mode=0755
+ tags:
+ - genkey
+
+- name: Generate a private key and a X.509 certificate for slapd
+ # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't
+ # support ECDSA; and slapd doesn't seem to support DHE (!?) so
+ # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with
+ # SHA-512.
+ command: genkeypair.sh x509
+ --pubkey=/etc/ldap/ssl/{{ item.name }}.pem
+ --privkey=/etc/ldap/ssl/{{ item.name }}.key
+ --ou=LDAP {{ item.ou }} --cn={{ item.name }}
+ --usage=digitalSignature,keyEncipherment
+ -t rsa -b 4096 -h sha256
+ --chown="root:openldap" --chmod=0640
+ register: r3
+ changed_when: r3.rc == 0
+ failed_when: r3.rc > 1
+ with_items:
+ - { group: 'LDAP-provider', name: ldap.fripost.org, ou: }
+ - { group: 'MX', name: mx, ou: --ou=SyncRepl }
+ - { group: 'lists', name: lists, ou: --ou=SyncRepl }
+ when: "item.group in group_names"
+ tags:
+ - genkey
+
+- name: Fetch slapd's X.509 certificate
+ # Ensure we don't fetch private data
+ sudo: False
+ fetch: src=/etc/ldap/ssl/{{ item.name }}.pem
+ dest=certs/ldap/
+ fail_on_missing=yes
+ flat=yes
+ with_items:
+ - { group: 'LDAP-provider', name: ldap.fripost.org }
+ - { group: 'MX', name: mx }
+ - { group: 'lists', name: lists }
+ when: "item.group in group_names"
+ tags:
+ - genkey
+
+- name: Copy the SyncProv's server certificate
+ copy: src=certs/ldap/ldap.fripost.org.pem
+ dest=/etc/ldap/ssl/ldap.fripost.org.pem
+ owner=root group=root
+ mode=0644
+ tags:
+ - genkey
+ when: "'LDAP-provider' not in group_names"
+
- name: Copy fripost & amavis' schema
copy: src=etc/ldap/schema/{{ item }}
dest=/etc/ldap/schema/{{ item }}
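Review bot: The provider entry `- { group: 'LDAP-provider', name: ldap.fripost.org, ou: }` gives `ou` a YAML null, and whether `{{ item.ou }}` in the genkeypair.sh command line then renders as nothing or as a literal `None` argument depends on the Ansible version's null handling; `ou: ''` makes the rendered command unambiguous. The fetch task names the retrieved certificate after the group role (`mx.pem`, `lists.pem`) with `flat=yes`, so should either group ever hold more than one host, their certificates would overwrite each other in `certs/ldap/`. `sudo: False` on that task is the only thing keeping the private key out of `certs/ldap/`: it relies on the `.key` actually getting the `root:openldap` / `0640` the `--chown`/`--chmod` flags request, and on the connecting user being neither root nor a member of openldap, which the comment should say, e.g. `# Run unprivileged so the 0640 root:openldap .key cannot be read; only the public .pem is fetched`. The `failed_when: r3.rc > 1` / `changed_when: r3.rc == 0` pair presumably treats exit status 1 as "key already exists"; that deserves a one-line comment too, since `r3.changed` also gates the Start slapd task in the second hunk.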
@@ -74,6 +129,6 @@
- name: Start slapd
service: name=slapd state=started
- when: not (r1.changed or r2.changed)
+ when: not (r1.changed or r2.changed or r3.changed)
- meta: flush_handlers