From dc35709d862bf63f67025958c1f12d4697d28861 Mon Sep 17 00:00:00 2001 From: Benjamin Graillot Date: Sat, 8 Aug 2020 14:57:43 +0200 Subject: [PATCH] [slapd] Deploy LDAP certificate --- plays/root.yml | 3 +++ roles/slapd/tasks/main.yml | 10 +++++++--- roles/slapd/templates/ldap/ldap.key.j2 | 1 + roles/slapd/templates/ldap/ldap.pem.j2 | 1 + roles/slapd/templates/ldap/slapd.conf.j2 | 5 ++--- 5 files changed, 14 insertions(+), 6 deletions(-) create mode 100644 roles/slapd/templates/ldap/ldap.key.j2 create mode 100644 roles/slapd/templates/ldap/ldap.pem.j2 diff --git a/plays/root.yml b/plays/root.yml index aa4b9b81..2e82cc8a 100755 --- a/plays/root.yml +++ b/plays/root.yml @@ -28,6 +28,9 @@ - hosts: slapd vars: slapd: '{{ glob_slapd | combine(loc_slapd | default({})) }}' + ldap: + private_key: "{{ vault_ldap_private_key }}" + certificate: "{{ vault_ldap_certificate }}" roles: - slapd diff --git a/roles/slapd/tasks/main.yml b/roles/slapd/tasks/main.yml index 84599aa2..f377a77e 100644 --- a/roles/slapd/tasks/main.yml +++ b/roles/slapd/tasks/main.yml @@ -15,11 +15,15 @@ - name: Deploy slapd configuration template: - src: ldap/slapd.conf.j2 - dest: /etc/ldap/slapd.conf - mode: 0600 + src: "ldap/{{ item.dest }}.j2" + dest: "/etc/ldap/{{ item.dest }}" + mode: "{{ item.mode }}" owner: openldap group: openldap + loop: + - { dest: slapd.conf, mode: "0600" } + - { dest: ldap.key, mode: "0600" } + - { dest: ldap.pem, mode: "0644" } notify: Restart slapd - name: Deploy ldap services diff --git a/roles/slapd/templates/ldap/ldap.key.j2 b/roles/slapd/templates/ldap/ldap.key.j2 new file mode 100644 index 00000000..926db60f --- /dev/null +++ b/roles/slapd/templates/ldap/ldap.key.j2 @@ -0,0 +1 @@ +{{ ldap.private_key }} diff --git a/roles/slapd/templates/ldap/ldap.pem.j2 b/roles/slapd/templates/ldap/ldap.pem.j2 new file mode 100644 index 00000000..ed4f7a5c --- /dev/null +++ b/roles/slapd/templates/ldap/ldap.pem.j2 @@ -0,0 +1 @@ +{{ ldap.certificate }} 
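Review bot: The looped `template` task now renders the LDAP private key into `/etc/ldap/ldap.key`, but the task carries no `no_log`, so a run with `--diff` (or verbose output on failure) prints the rendered key material and the loop item to the console and to any log collector; add `no_log: true` to the "Deploy slapd configuration" task. Because all three files share one task, that also silences the useful diff for `slapd.conf`, so a cleaner shape is to keep `slapd.conf` in this task and move `ldap.key`/`ldap.pem` to a second task with `no_log: true`. The `"0600"`/`"0644"` modes quoted as strings are the right form (the old unquoted `mode: 0600` is parsed as an integer by YAML), so no change is needed there. The task list continues past the hunk with "Deploy ldap services".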
diff --git a/roles/slapd/templates/ldap/slapd.conf.j2 b/roles/slapd/templates/ldap/slapd.conf.j2
index 762756b8..5c6cccab 100644
--- a/roles/slapd/templates/ldap/slapd.conf.j2
+++ b/roles/slapd/templates/ldap/slapd.conf.j2
@@ -35,9 +35,8 @@ moduleload syncprov
 # TODO FAIRE LES CERTIFICATS
 # TLS Certificates
 #TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3
-#TLSCACertificateFile /etc/ssl/certs/ServENS.crt
-#TLSCertificateFile /etc/ldap/ldap.pem
-#TLSCertificateKeyFile /etc/ldap/ldap.key
+TLSCertificateFile /etc/ldap/ldap.pem
+TLSCertificateKeyFile /etc/ldap/ldap.key
 # The maximum number of entries that is returned for a search operation
 sizelimit 500
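Review bot: The new `TLSCertificateFile`/`TLSCertificateKeyFile` pair is enabled while the `TLSCACertificateFile` line is dropped rather than enabled, so clients can only build a trust path if `ldap.pem` itself carries the issuing chain; if `vault_ldap_certificate` holds only the leaf certificate, either append the intermediate(s) to it or add `TLSCACertificateFile /etc/ldap/<chain>.pem` next to the two new directives (which file that is cannot be seen from this diff). The protocol and cipher policy is still left to library defaults since `#TLSCipherSuite` stays commented out; adding `TLSProtocolMin 3.3` (TLS 1.2 minimum) beside the new directives is the cheap hardening to do while touching this block. The `# TODO FAIRE LES CERTIFICATS` comment above the block is completed by this commit and should be removed, and `# TLS Certificates` is enough as the heading.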