LDAP: Rotate soon-to-be expired key material.

Also, switch from rsa4096 to ed25519 and use a separate key for each syncrepl.
author: Guilhem Moulin <guilhem@fripost.org> 2024-09-08 20:30:20 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2024-09-08 20:54:00 +0200
commit: 6b7ad809bbefc32216bac22547241ed402a570c8 (patch)
tree: 21b18d5268ecf4c2d86864832d384cc79de78b4d /roles/common-LDAP
parent: ab26418d9e59314d88ebf4f0885659114a919961 (diff)
2 files changed, 22 insertions, 14 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 37edb0b..e17bc3a 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -13,100 +13,108 @@
     - libnet-ldap-perl
     - libauthen-sasl-perl
 
 - name: Configure slapd
   template: src=etc/default/slapd.j2
             dest=/etc/default/slapd
             owner=root group=root
             mode=0644
   register: r1
   notify:
     - Restart slapd
 
 - name: Create directory /etc/ldap/ssl
   file: path=/etc/ldap/ssl
         state=directory
         owner=root group=root
         mode=0755
   tags:
     - genkey
 
-# XXX: It's ugly to list all roles here, and to prunes them with a
-# conditional...
 - name: Generate a private key and a X.509 certificate for slapd
-  # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't
-  # support ECDSA; and slapd doesn't seem to support DHE (!?) so
-  # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with
-  # SHA-512.
   command: genkeypair.sh x509
                          --pubkey=/etc/ldap/ssl/{{ item.name }}.pem
                          --privkey=/etc/ldap/ssl/{{ item.name }}.key
                          --ou=LDAP {{ item.ou }} --cn={{ item.name }}
-                         --usage=digitalSignature,keyEncipherment,keyCertSign
-                         -t rsa -b 4096 -h sha256
+                         --usage=digitalSignature,keyEncipherment
+                         -t ed25519
                          --owner=root --group=openldap --mode=0640
   register: r2
   changed_when: r2.rc == 0
   failed_when: r2.rc > 1
   with_items:
     - { group: 'LDAP_provider', name: ldap.fripost.org, ou:               }
     - { group: 'MX',            name: mx,               ou: --ou=SyncRepl }
     - { group: 'lists',         name: lists,            ou: --ou=SyncRepl }
   when: "item.group in group_names"
+  notify:
+    - Restart slapd
+  tags:
+    - genkey
+
+- name: Fetch the SyncProv's X.509 certificate
+  # Ensure we don't fetch private data
+  become: False
+  fetch_cmd: cmd="openssl x509"
+             stdin=/etc/ldap/ssl/ldap.fripost.org.pem
+             dest=certs/ldap/ldap.fripost.org.pem
+  when: "'LDAP_provider' in group_names"
   tags:
     - genkey
 
 - name: Fetch slapd's X.509 certificate
   # Ensure we don't fetch private data
   become: False
   fetch_cmd: cmd="openssl x509"
              stdin=/etc/ldap/ssl/{{ item.name }}.pem
-             dest=certs/ldap/{{ item.name }}.pem
+             dest=certs/ldap/syncrepl/{{ item.name }}@{{ inventory_hostname_short }}.pem
   with_items:
-    - { group: 'LDAP_provider', name: ldap.fripost.org }
     - { group: 'MX',            name: mx               }
     - { group: 'lists',         name: lists            }
   when: "item.group in group_names"
   tags:
     - genkey
 
 - name: Copy the SyncProv's server certificate
   copy: src=certs/ldap/ldap.fripost.org.pem
         dest=/etc/ldap/ssl/ldap.fripost.org.pem
         owner=root group=root
         mode=0644
   when: "'LDAP_provider' not in group_names"
   tags:
     - genkey
 
 - name: Copy the SyncRepls's client certificates
-  assemble: src=certs/ldap remote_src=no
-            dest=/etc/ldap/ssl/clients.pem
+  assemble: src=certs/ldap/syncrepl remote_src=no
+            dest=/etc/ldap/ssl/syncrepl.pem
             owner=root group=root
             mode=0644
   when: "'LDAP_provider' in group_names"
   tags:
     - genkey
+  register: r3
+  notify:
+    - Restart slapd
 
 - name: Start slapd
   service: name=slapd state=started
-  when: not (r1.changed or r2.changed)
+  when: not (r1.changed or r2.changed or r3.changed)
 
 - meta: flush_handlers
 
 - name: Copy fripost & amavis' schema
   copy: src=etc/ldap/schema/{{ item }}
         dest=/etc/ldap/schema/{{ item }}
         owner=root group=root
         mode=0644
   # It'd certainly be nicer if we didn't have to deploy amavis' schema
   # everywhere, but we need the 'objectClass' in our replicates, hence
   # they need to be aware of the 'amavisAccount' class.
   with_items:
     - fripost.ldif
     - amavis.schema
   tags:
     - amavis
 
 - name: Load amavis' schema
   openldap: target=/etc/ldap/schema/amavis.schema
             format=slapd.conf name=amavis
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 2c0db0b..a0ac705 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -17,41 +17,41 @@
 dn: cn=config
 objectClass: olcGlobal
 cn: config
 olcArgsFile: /run/slapd/slapd.args
 olcPidFile: /run/slapd/slapd.pid
 olcLogLevel: none
 olcToolThreads: 1
 {% if ansible_processor_vcpus > 4 %}
 olcThreads: {{ 2 * ansible_processor_vcpus }}
 {% else %}
 olcThreads: 8
 {% endif %}
 {% if 'LDAP_provider' in group_names %}
 olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem
 olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
 # If we are being offered a client cert, it has to be trusted (in which
 # case we map the X.509 subject to a DN in our namespace), or we
 # terminate the connection.  Not providing a certificate is fine for
 # TLS-protected simple binds, though.
 olcTLSVerifyClient: try
-olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
+olcTLSCACertificateFile: /etc/ldap/ssl/syncrepl.pem
 olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
                 "dn.exact:$1,dc=fripost,dc=org"
 olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
 olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1
 olcTLSDHParamFile: /etc/ssl/dhparams.pem
 {% endif %}
 olcLocalSSF: 128
 # /!\ This is not portable! But we only use glibc's crypt(3), which
 # supports (salted, streched) SHA512
 olcPasswordHash: {CRYPT}
 olcPasswordCryptSaltFormat: $6$%s
 
 
 dn: olcDatabase=monitor,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcMonitorConfig
 olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 olcAccess: to dn.subtree="cn=monitor"
     by dn.exact="username=munin,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" read
     by * =0
author	Guilhem Moulin <guilhem@fripost.org>	2024-09-08 20:30:20 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2024-09-08 20:54:00 +0200
commit	6b7ad809bbefc32216bac22547241ed402a570c8 (patch)
tree	21b18d5268ecf4c2d86864832d384cc79de78b4d /roles/common-LDAP
parent	ab26418d9e59314d88ebf4f0885659114a919961 (diff)