[re2o-ldap-replica] Support LDAPS
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
							parent
							
								
									05c641fa7e
								
							
						
					
					
						commit
						741a13b402
					
				| 
						 | 
					@ -6,3 +6,5 @@ glob_re2o_ldap_replica:
 | 
				
			||||||
  suffix: dc=crans,dc=org
 | 
					  suffix: dc=crans,dc=org
 | 
				
			||||||
  url: "ldaps://{{ query('ldap', 'ip', 're2o-ldap', 'adm') | ipv4 | first }}:636"
 | 
					  url: "ldaps://{{ query('ldap', 'ip', 're2o-ldap', 'adm') | ipv4 | first }}:636"
 | 
				
			||||||
  root_password_hash: "{{ vault.ldap_master_password_hash }}"
 | 
					  root_password_hash: "{{ vault.ldap_master_password_hash }}"
 | 
				
			||||||
 | 
					  certificate: "{{ vault.ldap_re2o_certificate }}"
 | 
				
			||||||
 | 
					  private_key: "{{ vault.ldap_re2o_private_key }}"
 | 
				
			||||||
					@ -0,0 +1,5 @@
 | 
				
			||||||
 | 
					---
 | 
				
			||||||
 | 
					- name: Restart slapd
 | 
				
			||||||
 | 
					  service:
 | 
				
			||||||
 | 
					    name: slapd.service
 | 
				
			||||||
 | 
					    state: restarted
 | 
				
			||||||
					@ -42,10 +42,10 @@
 | 
				
			||||||
    - /etc/ldap/slapd.d
 | 
					    - /etc/ldap/slapd.d
 | 
				
			||||||
    - /var/lib/ldap
 | 
					    - /var/lib/ldap
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Copy ldiff files
 | 
					- name: Copy ldif files
 | 
				
			||||||
  template:
 | 
					  template:
 | 
				
			||||||
    src: 'ldap/{{ item }}.ldiff.j2'
 | 
					    src: 'ldap/{{ item }}.ldif.j2'
 | 
				
			||||||
    dest: '/tmp/{{ item }}.ldiff'
 | 
					    dest: '/tmp/{{ item }}.ldif'
 | 
				
			||||||
    owner: openldap
 | 
					    owner: openldap
 | 
				
			||||||
    group: openldap
 | 
					    group: openldap
 | 
				
			||||||
    mode: 0600
 | 
					    mode: 0600
 | 
				
			||||||
					@ -53,15 +53,16 @@
 | 
				
			||||||
    - db
 | 
					    - db
 | 
				
			||||||
    - schema
 | 
					    - schema
 | 
				
			||||||
    - consumer_simple_sync
 | 
					    - consumer_simple_sync
 | 
				
			||||||
 | 
					    - certinfo
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Initialize re2o-ldap schema
 | 
					- name: Initialize re2o-ldap schema
 | 
				
			||||||
  when: not installation.stat.exists
 | 
					  when: not installation.stat.exists
 | 
				
			||||||
  shell: slapadd -n 0 -l /tmp/schema.ldiff -F /etc/ldap/slapd.d/
 | 
					  shell: slapadd -n 0 -l /tmp/schema.ldif -F /etc/ldap/slapd.d/
 | 
				
			||||||
  become_user: openldap
 | 
					  become_user: openldap
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Initialize re2o-ldap database
 | 
					- name: Initialize re2o-ldap database
 | 
				
			||||||
  when: not installation.stat.exists
 | 
					  when: not installation.stat.exists
 | 
				
			||||||
  shell: slapadd -n 1 -l /tmp/db.ldiff
 | 
					  shell: slapadd -n 1 -l /tmp/db.ldif
 | 
				
			||||||
  become_user: openldap
 | 
					  become_user: openldap
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Start slapd
 | 
					- name: Start slapd
 | 
				
			||||||
					@ -72,7 +73,30 @@
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Enable data replication
 | 
					- name: Enable data replication
 | 
				
			||||||
  when: not installation.stat.exists
 | 
					  when: not installation.stat.exists
 | 
				
			||||||
  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/consumer_simple_sync.ldiff
 | 
					  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/consumer_simple_sync.ldif
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					- name: Copy TLS certificate
 | 
				
			||||||
 | 
					  template:
 | 
				
			||||||
 | 
					    src: "ldap/{{ item }}.j2"
 | 
				
			||||||
 | 
					    dest: "/etc/ldap/{{ item }}"
 | 
				
			||||||
 | 
					    owner: openldap
 | 
				
			||||||
 | 
					    group: openldap
 | 
				
			||||||
 | 
					    mode: 0600
 | 
				
			||||||
 | 
					  loop:
 | 
				
			||||||
 | 
					    - ldap.pem
 | 
				
			||||||
 | 
					    - ldap.key
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					- name: Load TLS certificates
 | 
				
			||||||
 | 
					  when: not installation.stat.exists
 | 
				
			||||||
 | 
					  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					- name: Enable LDAPS
 | 
				
			||||||
 | 
					  lineinfile:
 | 
				
			||||||
 | 
					     path: /etc/default/slapd
 | 
				
			||||||
 | 
					     regexp: '^SLAPD_SERVICES='
 | 
				
			||||||
 | 
					     line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
 | 
				
			||||||
 | 
					  notify: Restart slapd
 | 
				
			||||||
 | 
					  check_mode: no
 | 
				
			||||||
 | 
					
 | 
				
			||||||
- name: Touch installation marker
 | 
					- name: Touch installation marker
 | 
				
			||||||
  when: not installation.stat.exists
 | 
					  when: not installation.stat.exists
 | 
				
			||||||
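Review bot: The new `Copy TLS certificate` task carries no `notify: Restart slapd`, so a renewed `ldap.pem`/`ldap.key` written on a later run is never reloaded by slapd — only the one-shot `Enable LDAPS` task notifies the handler, and `Load TLS certificates` is gated on `not installation.stat.exists`; add `notify: Restart slapd` under the `loop:` of `Copy TLS certificate`. The `check_mode: no` on `Enable LDAPS` makes the lineinfile write `/etc/default/slapd` even during `--check` runs, which looks unintended; drop it unless a dry-run write is really wanted. Since that template renders a private key, consider `diff: false` on `Copy TLS certificate` so `--diff` output does not print the key material. `SLAPD_SERVICES` still keeps `ldap:///` on all interfaces next to `ldaps:///`; if the aim is to move clients to TLS, restricting it to `ldap://127.0.0.1/` would be the defensive default, though that depends on which consumers still need plaintext. The keys under `lineinfile:` are indented five spaces where the rest of the file uses four.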
					@ -0,0 +1,6 @@
 | 
				
			||||||
 | 
					dn: cn=config
 | 
				
			||||||
 | 
					add: olcTLSCertificateFile
 | 
				
			||||||
 | 
					olcTLSCertificateFile: /etc/ldap/ldap.pem
 | 
				
			||||||
 | 
					-
 | 
				
			||||||
 | 
					add: olcTLSCertificateKeyFile
 | 
				
			||||||
 | 
					olcTLSCertificateKeyFile: /etc/ldap/ldap.key
 | 
				
			||||||
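Review bot: `add: olcTLSCertificateFile` (and the matching `add:` for the key file) fails if cn=config already carries those attributes, so a rerun after a partial first run — the installation marker is only touched after this LDIF is loaded — aborts with an attribute-exists error, whereas `replace:` sets the value either way. I would also state the operation explicitly rather than relying on ldapmodify's default when no changetype is given: `dn: cn=config` / `changetype: modify` / `replace: olcTLSCertificateFile`, with the second block changed to `replace: olcTLSCertificateKeyFile`. Keeping both attributes in one modify operation, as here, is presumably what lets slapd take the certificate and key as a pair, so keep the `-` separator between the two changes.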
					@ -0,0 +1 @@
 | 
				
			||||||
 | 
					{{ re2o_ldap_replica.private_key }}
 | 
				
			||||||
					@ -0,0 +1 @@
 | 
				
			||||||
 | 
					{{ re2o_ldap_replica.certificate }}
 | 
				
			||||||