Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for LDAP with STARTTLS #11

Open
wants to merge 17 commits into
base: master
Choose a base branch
from
Open

Add support for LDAP with STARTTLS #11

wants to merge 17 commits into from

Conversation

actionjack
Copy link

What

The version of the bennojoy/openldap_server role that we use does not support the following:

  • LDAP with STARTTLS
  • Using your own Certificate Authority signed SSL certificates
  • Using a custom version of a CA Certificate file bundle

This PR intends to fix that

How this PR should be reviewed

This PR has been crafted with the aid of dainty white mice wearing pink slippers to be reviewed with the following narrative:

  • I want to:
    • Support all types of LDAP connection rather than just LDAPI and LDAPS (which has been deprecated)
    • Remove long and difficult to read lines of code and also make certain options like the hostname & expiry date overrideable
    • Parameterise the default SSL key size since the default is quite low by today's standards
    • Optionally use my own SSL private key
    • Optionally use my own SSL certificate
    • Optionally download a valid CA certificate bundle
    • Optionally use a TLSCACertificateFile on my LDAP server, so I can supply a valid CA certificate chain file if I ever want to use a valid SSL certificate
    • Update the documentation with new variables and fix any mistakes in the previous ones
    • Add a vagrant environment so I can test my changes in a disposal environment rather than on the live server
    • Invoke The Boy Scout Rule and remove all the white space littered around the campground

How to test this PR

A vagrant box has been provided for local testing, simply just:

vagrant up

You modify the site.yml to test the variables and run:

vagrant provision

actionjack and others added 17 commits November 4, 2015 10:41
@actionjack
Support all types of LDAP connection
a69cc92 
Support LDAP with plain LDAP and LDAP with STARTTLS
@actionjack
This line is fairly long and fairly opinionated
cfe11ce 
The creation and signing shell command is quite long and difficult to
read so I have split over a number of lines.
It is also fairly opinionated i.e. in that the:

* Common Name will always be the servers `ansible_hostname` so
  I have made it a overridable parameter.
* The SSL certifate expiry date is forcible set to 10 years
@actionjack
Parameterise the default SSL key size
76b8a26 
The default ssl keylength is quite low by todays standards.
@actionjack
We may want to provide our own private key
1e12a54 
We may want to provide our own private key rather than have one
generated on the first run.
@actionjack
We may want to provide our own SSL certificate
d4f0436 
We may want to use a SSL certificate that is not self-signed.
@actionjack
Download an official CA certificate file
e38741a 
Download an official Certificate Authority certificate chain file.
@actionjack
Use TLSCACertificateFile if defined
42a46fe
@actionjack
Update the documentation with new variables
b212a2a
@actionjack
Add vagrant environment for easy testing
310c90f
@actionjack
Boy Scout Rule - cleaning up white space
11ce8d9
@actionjack
Change hardcoded cacert bundle into parameter
737bc9c 
The current cacert bundle is hardcoded and we may want to download our
own version of the cacert bundle.
@actionjack
Add GlobalSign root and DomainSSL certificate
b50f227 
Adding the following GlobalSign certificates:

* [R1 GlobalSign Root Certificate](https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates)
* [DomainSSL SHA-256 R1 Intermediate Certificates](https://support.globalsign.com/customer/portal/articles/1464460-domainssl-intermediate-certificates)
@actionjack
The Boyscout Rule act 1 - Fix hard to read lines
2a16bd5 
This command was quite hard to read/review.
@actionjack
The Boyscout Rule act 2 - Removing white space
b6e32f3
@keymon
Merge pull request #1 from alphagov/107033028_fix_openldap_tls_certif…
a0405a7 
…icates_for_the_apcera_test

[#107033028] Add support for LDAP with STARTTLS
Remove GlobalSign CA Bundle
9cbbb99 
This file belongs in the ldap-server-ansible repo, not here.
@saliceti
Merge pull request #2 from alphagov/107033028_parameterise_ca_cert_do…
3e8ff61 
…wnload_url

[#107033028] Parameterising CA Cert download URL
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@actionjack @keymon @saliceti