From 3e38718677b10faca8970d9b1cc8edc215cce798 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 7 Jul 2014 20:12:28 +0200
Subject: Fix race condition when generating cerificates for slapd.

The SyncProv won't start if the file olcTLSCACertificateFile points to doesn't exist.
---
 roles/common-LDAP/tasks/main.yml | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
(limited to 'roles/common-LDAP')
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 3b8b36c..85ad831 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -32,6 +32,8 @@
 tags:
 - genkey
+# XXX: It's ugly to list all roles here, and to prunes them with a
+# conditional...
 - name: Generate a private key and a X.509 certificate for slapd
 # XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't
 # support ECDSA; and slapd doesn't seem to support DHE (!?) so
@@ -75,9 +77,25 @@
 dest=/etc/ldap/ssl/ldap.fripost.org.pem
 owner=root group=root
 mode=0644
+ when: "'LDAP-provider' not in group_names"
+ tags:
+ - genkey
+
+- name: Copy the SyncRepls's client certificates
+ assemble: src=certs/ldap
+ remote_src=no
+ dest=/etc/ldap/ssl/clients.pem
+ owner=root group=root
+ mode=0644
+ when: "'LDAP-provider' in group_names"
 tags:
 - genkey
- when: "'LDAP-provider' not in group_names"
+
+- name: Start slapd
+ service: name=slapd state=started
+ when: not (r1.changed or r2.changed)
+
+- meta: flush_handlers
 - name: Copy fripost & amavis' schema
 copy: src=etc/ldap/schema/{{ item }}
@@ -108,9 +126,3 @@
 - name: Configure the LDAP database
 openldap: target=etc/ldap/database.ldif.j2 local=template state=present
-
-- name: Start slapd service: name=slapd state=started
- when: not (r1.changed or r2.changed)
-
-- meta: flush_handlers
--
cgit v1.2.3
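Review bot: The new `Copy the SyncRepls's client certificates` task assembles every file under `certs/ldap` into `/etc/ldap/ssl/clients.pem` with no `regexp=` filter, so a stray file in that directory (an editor backup, a certificate that was meant to be retired) silently ends up in the bundle that, per the commit message, slapd uses as its olcTLSCACertificateFile; adding `regexp='\.pem$'` (or whatever suffix the fragments actually use) to the `assemble:` arguments keeps the trust bundle to the intended fragments. The `Start slapd` condition `not (r1.changed or r2.changed)` relies on registers set outside this hunk, so it cannot be checked here that both are defined on every host this task now runs on. As a point of style, the `key=value` argument form leaves `mode=0644` as a string today, but if these arguments are ever converted to block YAML the mode should be written `mode: "0644"`, since a bare `0644` would be read as octal 420.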