Diffstat (limited to 'roles/common-LDAP')
-rw-r--r-- | roles/common-LDAP/tasks/main.yml | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index aff0e58..5b7143f 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -25,41 +25,41 @@
   file: path=/etc/ldap/ssl state=directory owner=root group=root mode=0755
   tags:
     - genkey
 # XXX: It's ugly to list all roles here, and to prunes them with a
 # conditional...
 - name: Generate a private key and a X.509 certificate for slapd
   # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't
   # support ECDSA; and slapd doesn't seem to support DHE (!?) so
   # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with
   # SHA-512.
   command: genkeypair.sh x509 --pubkey=/etc/ldap/ssl/{{ item.name }}.pem --privkey=/etc/ldap/ssl/{{ item.name }}.key --ou=LDAP {{ item.ou }} --cn={{ item.name }} --usage=digitalSignature,keyEncipherment,keyCertSign -t rsa -b 4096 -h sha256
-                --chown="root:openldap" --chmod=0640
+                --owner=root --group=openldap --mode=0640
   register: r2
   changed_when: r2.rc == 0
   failed_when: r2.rc > 1
   with_items:
     - { group: 'LDAP-provider', name: ldap.fripost.org, ou: }
     - { group: 'MX', name: mx, ou: --ou=SyncRepl }
     - { group: 'lists', name: lists, ou: --ou=SyncRepl }
   when: "item.group in group_names"
   tags:
     - genkey
 - name: Fetch slapd's X.509 certificate
   # Ensure we don't fetch private data
   sudo: False
   fetch: src=/etc/ldap/ssl/{{ item.name }}.pem dest=certs/ldap/ fail_on_missing=yes flat=yes
   with_items:
     - { group: 'LDAP-provider', name: ldap.fripost.org } |
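Review bot: The new `--owner=root --group=openldap --mode=0640` line is handed to a single genkeypair.sh invocation that writes both the --pubkey .pem and the --privkey .key, and the following task fetches that .pem with `sudo: False`, i.e. as the unprivileged connection user; if the script applies the 0640 mode and openldap group to the public certificate as well as the private key, that unprivileged fetch fails, whereas 0640 root:openldap is exactly right for the key. Presumably the script scopes owner/group/mode to the private key only, but nothing in this file says so, and the ownership/mode of the .pem is what the fetch task silently depends on. A comment above the command would pin that assumption for the next person who touches the flags: `# --owner/--group/--mode apply to the private key; the .pem must stay world-readable for the unprivileged fetch below (confirm in genkeypair.sh)`. The exit-code convention behind `changed_when: r2.rc == 0` / `failed_when: r2.rc > 1` is likewise undocumented, so tolerating rc 1 reads as accidental; a line such as `# genkeypair.sh: rc 0 = keypair written, 1 = already present (no-op), >1 = error — verify against the script` would make it deliberate.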