3 files changed, 45 insertions, 26 deletions
diff --git a/roles/common-LDAP/files/usr/local/sbin/slapcat-all.sh b/roles/common-LDAP/files/usr/local/sbin/slapcat-all.sh
index cd5abd9..db128c9 100755
--- a/roles/common-LDAP/files/usr/local/sbin/slapcat-all.sh
+++ b/roles/common-LDAP/files/usr/local/sbin/slapcat-all.sh
@@ -1,20 +1,31 @@
 #!/bin/sh
 
 # Usage: slapcat-all.sh DIR
-# Save all LDAP databases in DIR: DIR/0.ldif, DIR/1.ldif, ...
+# Save all LDAP databases in DIR: DIR/SUFFIX0.ldif, DIR/SUFFIX1.ldif, ...
 
 set -ue
-PATH=/usr/sbin:/sbin:/usr/bin:/bin
+PATH="/usr/bin:/bin"
+export PATH
 
-target="$1"
+TARGET="$1"
 umask 0077
 
-prefix=slapcat-
-slapcat -n0 -l"$target/${prefix}0.ldif"
-n=$(grep -Ec '^dn:\s+olcDatabase={[1-9][0-9]*}' "$target/${prefix}0.ldif")
+ldapsearch() {
+    command ldapsearch -H "ldapi://" -QY EXTERNAL "$@"
+}
 
-while [ $n -gt 0 ]; do
-    # the Monitor backend can't be slapcat(8)'ed
-    grep -qE "^dn:\s+olcDatabase=\{$n\}monitor,cn=config$" "$target/${prefix}0.ldif" || slapcat -n$n -l"$target/${prefix}$n.ldif"
-    n=$(( $n - 1 ))
-done
+backup_database() {
+    local base="$1"
+    ldapsearch -b "$base" \+ \* >"$TARGET/$base.ldif"
+}
+
+backup_database "cn=config"
+
+SUFFIXES="$TARGET/slapd-suffixes"
+ldapsearch -LLL -oldif-wrap="no" -b "cn=config" "(&(objectClass=olcDatabaseConfig)(objectClass=olcMdbConfig))" "olcSuffix" >"$SUFFIXES"
+sed -n -i "s/^olcSuffix:\\s*//p" "$SUFFIXES"
+
+while IFS= read -r b; do
+    [ "${b%,dc=fripost-test,dc=org}" = "$b" ] || continue
+    backup_database "$b"
+done <"$SUFFIXES"
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 89dd1d8..e17bc3a 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -8,7 +8,7 @@
     - ldap-utils
     - ldapvi
     - db-util
-    - python-ldap
+    - python3-ldap
     # for the 'slapd2' munin plugin
     - libnet-ldap-perl
     - libauthen-sasl-perl
@@ -30,19 +30,13 @@
   tags:
     - genkey
 
-# XXX: It's ugly to list all roles here, and to prunes them with a
-# conditional...
 - name: Generate a private key and a X.509 certificate for slapd
-  # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't
-  # support ECDSA; and slapd doesn't seem to support DHE (!?) so
-  # we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with
-  # SHA-512.
   command: genkeypair.sh x509
                          --pubkey=/etc/ldap/ssl/{{ item.name }}.pem
                          --privkey=/etc/ldap/ssl/{{ item.name }}.key
                          --ou=LDAP {{ item.ou }} --cn={{ item.name }}
-                         --usage=digitalSignature,keyEncipherment,keyCertSign
-                         -t rsa -b 4096 -h sha256
+                         --usage=digitalSignature,keyEncipherment
+                         -t ed25519
                          --owner=root --group=openldap --mode=0640
   register: r2
   changed_when: r2.rc == 0
@@ -52,6 +46,18 @@
     - { group: 'MX',            name: mx,               ou: --ou=SyncRepl }
     - { group: 'lists',         name: lists,            ou: --ou=SyncRepl }
   when: "item.group in group_names"
+  notify:
+    - Restart slapd
+  tags:
+    - genkey
+
+- name: Fetch the SyncProv's X.509 certificate
+  # Ensure we don't fetch private data
+  become: False
+  fetch_cmd: cmd="openssl x509"
+             stdin=/etc/ldap/ssl/ldap.fripost.org.pem
+             dest=certs/ldap/ldap.fripost.org.pem
+  when: "'LDAP_provider' in group_names"
   tags:
     - genkey
 
@@ -60,9 +66,8 @@
   become: False
   fetch_cmd: cmd="openssl x509"
              stdin=/etc/ldap/ssl/{{ item.name }}.pem
-             dest=certs/ldap/{{ item.name }}.pem
+             dest=certs/ldap/syncrepl/{{ item.name }}@{{ inventory_hostname_short }}.pem
   with_items:
-    - { group: 'LDAP_provider', name: ldap.fripost.org }
     - { group: 'MX',            name: mx               }
     - { group: 'lists',         name: lists            }
   when: "item.group in group_names"
@@ -79,17 +84,20 @@
     - genkey
 
 - name: Copy the SyncRepls's client certificates
-  assemble: src=certs/ldap remote_src=no
-            dest=/etc/ldap/ssl/clients.pem
+  assemble: src=certs/ldap/syncrepl remote_src=no
+            dest=/etc/ldap/ssl/syncrepl.pem
             owner=root group=root
             mode=0644
   when: "'LDAP_provider' in group_names"
   tags:
     - genkey
+  register: r3
+  notify:
+    - Restart slapd
 
 - name: Start slapd
   service: name=slapd state=started
-  when: not (r1.changed or r2.changed)
+  when: not (r1.changed or r2.changed or r3.changed)
 
 - meta: flush_handlers
 
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 2c0db0b..a0ac705 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -34,7 +34,7 @@ olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
 # terminate the connection.  Not providing a certificate is fine for
 # TLS-protected simple binds, though.
 olcTLSVerifyClient: try
-olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
+olcTLSCACertificateFile: /etc/ldap/ssl/syncrepl.pem
 olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
                 "dn.exact:$1,dc=fripost,dc=org"
 olcSaslSecProps: minssf=128,noanonymous,noplain,nodict