diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2024-09-08 20:30:20 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2024-09-08 20:54:00 +0200 |
commit | 6b7ad809bbefc32216bac22547241ed402a570c8 (patch) | |
tree | 21b18d5268ecf4c2d86864832d384cc79de78b4d /roles/common-LDAP | |
parent | ab26418d9e59314d88ebf4f0885659114a919961 (diff) |
Also, switch from rsa4096 to ed25519 and use a separate key for each
syncrepl.
Diffstat (limited to 'roles/common-LDAP')
-rw-r--r-- | roles/common-LDAP/tasks/main.yml | 34 | ||||
-rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 2 |
2 files changed, 22 insertions, 14 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index 37edb0b..e17bc3a 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml @@ -30,19 +30,13 @@ tags: - genkey -# XXX: It's ugly to list all roles here, and to prunes them with a -# conditional... - name: Generate a private key and a X.509 certificate for slapd - # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't - # support ECDSA; and slapd doesn't seem to support DHE (!?) so - # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with - # SHA-512. command: genkeypair.sh x509 --pubkey=/etc/ldap/ssl/{{ item.name }}.pem --privkey=/etc/ldap/ssl/{{ item.name }}.key --ou=LDAP {{ item.ou }} --cn={{ item.name }} - --usage=digitalSignature,keyEncipherment,keyCertSign - -t rsa -b 4096 -h sha256 + --usage=digitalSignature,keyEncipherment + -t ed25519 --owner=root --group=openldap --mode=0640 register: r2 changed_when: r2.rc == 0 @@ -52,6 +46,18 @@ - { group: 'MX', name: mx, ou: --ou=SyncRepl } - { group: 'lists', name: lists, ou: --ou=SyncRepl } when: "item.group in group_names" + notify: + - Restart slapd + tags: + - genkey + +- name: Fetch the SyncProv's X.509 certificate + # Ensure we don't fetch private data + become: False + fetch_cmd: cmd="openssl x509" + stdin=/etc/ldap/ssl/ldap.fripost.org.pem + dest=certs/ldap/ldap.fripost.org.pem + when: "'LDAP_provider' in group_names" tags: - genkey @@ -60,9 +66,8 @@ become: False fetch_cmd: cmd="openssl x509" stdin=/etc/ldap/ssl/{{ item.name }}.pem - dest=certs/ldap/{{ item.name }}.pem + dest=certs/ldap/syncrepl/{{ item.name }}@{{ inventory_hostname_short }}.pem with_items: - - { group: 'LDAP_provider', name: ldap.fripost.org } - { group: 'MX', name: mx } - { group: 'lists', name: lists } when: "item.group in group_names" @@ -79,17 +84,20 @@ - genkey - name: Copy the SyncRepls's client certificates - assemble: src=certs/ldap remote_src=no - dest=/etc/ldap/ssl/clients.pem + assemble: src=certs/ldap/syncrepl remote_src=no + dest=/etc/ldap/ssl/syncrepl.pem owner=root group=root mode=0644 when: "'LDAP_provider' in group_names" tags: - genkey + register: r3 + notify: + - Restart slapd - name: Start slapd service: name=slapd state=started - when: not (r1.changed or r2.changed) + when: not (r1.changed or r2.changed or r3.changed) - meta: flush_handlers diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 2c0db0b..a0ac705 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -34,7 +34,7 @@ olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key # terminate the connection. Not providing a certificate is fine for # TLS-protected simple binds, though. olcTLSVerifyClient: try -olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem +olcTLSCACertificateFile: /etc/ldap/ssl/syncrepl.pem olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$" "dn.exact:$1,dc=fripost,dc=org" olcSaslSecProps: minssf=128,noanonymous,noplain,nodict |