diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..8000dd9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.vagrant
diff --git a/README.md b/README.md
index 081cbe1..7d96b6f 100644
--- a/README.md
+++ b/README.md
@@ -16,14 +16,20 @@ Role Variables
 The variables that can be passed to this role and a brief description about them are as follows:
- openldap_serverdomain_name: example.com # The domain prefix for ldap
- openldap_serverrootpw: passme # This is the password for admin for openldap
- openldap_serverenable_ssl: true # To enable/disable ssl for the ldap
- openldap_servercountry: US # The self signed ssl certificate parameters
- openldap_serverstate: Oregon
- openldap_serverlocation: Portland
- openldap_serverorganization: IT
-
+ openldap_server_hostname: ldap.example.com # The hostname for ldap
+ openldap_server_domain_name: example.com # The domain prefix for ldap
+ openldap_server_rootpw: passme # This is the password for admin for openldap
+ openldap_server_enable_ssl: true # To enable/disable ssl for the ldap
+ openldap_server_country: US # The self signed ssl certificate parameters
+ openldap_server_ca_cert_url: # Download URL CA certificate bundle
+ openldap_server_state: Oregon
+ openldap_server_location: Portland
+ openldap_server_organization: IT
+ openldap_server_tlscacertificatefile: /etc/openldap/certs/cacert.pem
+ openldap_server_certificate_expiry_days: 365
+ openldap_server_ssl_keylength: 2048 # SSL Keylength
+ openldap_server_ssl_private_key: # Private Key
+ openldap_server_ssl_certificate: # SSL Certificate
 Examples
 --------
@@ -37,7 +43,7 @@ Examples
 openldap_server_domain_name: example.com
 openldap_server_rootpw: passme
 openldap_server_enable_ssl: false
-
+
 2) Configure an OpenLDAP server with SSL:
 - hosts: all
@@ -66,5 +72,3 @@ Author Information
 ------------------
 Benno Joy
-
-
diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..8133ba5
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,25 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+MEMORY_DEFAULT = 512
+
+Vagrant.configure(2) do |config|
+ config.vm.box = "ubuntu/trusty64"
+ config.vm.hostname = "openldap"
+
+ config.vm.provider :virtualbox do |v|
+ v.memory = MEMORY_DEFAULT
+ end
+
+ config.vm.provider :vmware_fusion do |v|
+ v.vmx["memsize"] = MEMORY_DEFAULT
+ end
+
+ config.vm.network :private_network, ip: "33.33.33.11"
+
+ config.vm.provision :shell, inline: "apt-get purge -qq -y --auto-remove chef puppet"
+ config.vm.provision :ansible do |ansible|
+ ansible.playbook = "site.yml"
+ ansible.verbose = "v"
+ end
+end
diff --git a/defaults/main.yml b/defaults/main.yml
index 51738ad..c611b8a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -11,6 +11,9 @@ openldap_server_country: US
 openldap_server_state: oregon
 openldap_server_location: portland
 openldap_server_organization: IT
+openldap_server_certificate_expiry_days: 3650
+openldap_server_hostname: "{{ ansible_hostname }}"
+openldap_server_ssl_keylength: 1024
 openldap_server_enable_ssl: true
diff --git a/files/ldap b/files/ldap
index c2894fe..20b2a9c 100644
--- a/files/ldap
+++ b/files/ldap
@@ -5,7 +5,7 @@
 #
 # Run slapd with -h "... ldap:/// ..."
 # yes/no, default: yes
-SLAPD_LDAP=no
+SLAPD_LDAP=yes
 # Run slapd with -h "... ldapi:/// ..."
 # yes/no, default: yes
diff --git a/files/slapd b/files/slapd
index 9337b16..acc293c 100644
--- a/files/slapd
+++ b/files/slapd
@@ -21,7 +21,7 @@ SLAPD_PIDFILE=
 # sockets.
 # Example usage:
 # SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
-SLAPD_SERVICES="ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"
 # If SLAPD_NO_START is set, the init script will not start or restart
 # slapd (but stop will still work). Uncomment this if you are
diff --git a/files/slapd_fedora b/files/slapd_fedora
index 311e354..966d27f 100644
--- a/files/slapd_fedora
+++ b/files/slapd_fedora
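Review bot: `config.vm.network :private_network, ip: "33.33.33.11"` places the host-only interface in 33.0.0.0/8, which is publicly allocated address space rather than an RFC 1918 block, so the route the guest adds on the workstation can shadow real Internet hosts; `ip: "192.168.33.11"` keeps it private. Separately, `ansible.verbose = "v"` prints each task's result, which for this role's `shell` tasks I believe includes the rendered command line and with it `openldap_server_rootpw` (passed via `-w` and `slappasswd -s` elsewhere in this diff); drop the verbosity for the default run or mark those tasks `no_log: true`.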
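Review bot: `openldap_server_ssl_keylength: 1024` makes a 1024-bit RSA key the role's default, which is below the 2048-bit floor current TLS stacks and CAs expect, and it contradicts the README in this same diff, which documents `2048`; the added `openldap_server_certificate_expiry_days: 3650` likewise disagrees with the README's `365`. Default to `openldap_server_ssl_keylength: 2048` and settle the expiry value in one place so the documentation matches what the role actually generates. Also `openldap_server_hostname: "{{ ansible_hostname }}"` feeds the certificate CN with the short hostname, so clients that connect by FQDN (the README example uses `ldap.example.com`) will fail hostname verification against the self-signed certificate; `"{{ ansible_fqdn }}"` is the safer default.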
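Review bot: `SLAPD_LDAP=yes` turns the cleartext ldap:// listener back on for a server that only receives this file when `openldap_server_enable_ssl` is true (the copy task in tasks/configure_ldap.yml in this diff is gated on it), so enabling SSL now also exposes unencrypted LDAP on port 389 on every interface, which it did not before (assuming `SLAPD_LDAPS` further down, not shown in the hunk, is already `yes`). If plain 389 is wanted for STARTTLS, pair it with `security simple_bind=128` in the slapd.conf templates so that simple binds cannot complete until TLS is negotiated, noting that the role's own `ldapadd -x` in configure_ldap.yml would then need `-ZZ` or an ldaps:// URI; otherwise leave this at `no`. The commit gives no rationale, so if the change is deliberate a one-line comment above it saying why would help the next reader.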
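Review bot: `SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"` adds an unencrypted listener on all interfaces to the SSL-enabled configuration (this file is only installed when `openldap_server_enable_ssl` is set, per tasks/configure_ldap.yml in this diff), while the example two lines up in the same file shows the loopback-bound form. If plain LDAP is needed only for local tools, use `SLAPD_SERVICES="ldap://127.0.0.1:389/ ldapi:/// ldaps:///"`; if remote clients need port 389 for STARTTLS, add `security simple_bind=128` to the slapd.conf templates so cleartext simple binds are refused. The same decision is repeated in files/ldap and files/slapd_fedora, so any tightening has to be applied in all three places.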
@@ -6,7 +6,7 @@
 # (use SASL with EXTERNAL mechanism for authentication)
 # - default: ldapi:/// ldap:///
 # - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:///
-SLAPD_URLS="ldapi:/// ldaps:///"
+SLAPD_URLS="ldap:/// ldapi:/// ldaps:///"
 # Any custom options
 #SLAPD_OPTIONS=""
diff --git a/site.yml b/site.yml
new file mode 100644
index 0000000..be96dca
--- /dev/null
+++ b/site.yml
@@ -0,0 +1,8 @@
+---
+- hosts: all
+ sudo: yes
+ vars:
+ openldap_server_ca_cert_url: https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt
+ openldap_server_tlscacertificatefile: /etc/ldap/certs/cacert.pem
+ roles:
+ - .
diff --git a/tasks/configure_ldap.yml b/tasks/configure_ldap.yml
index 12929d6..de7e53b 100644
--- a/tasks/configure_ldap.yml
+++ b/tasks/configure_ldap.yml
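Review bot: `SLAPD_URLS="ldap:/// ldapi:/// ldaps:///"` has the same effect on Fedora as the files/slapd change: with SSL enabled, slapd now also accepts cleartext simple binds on 389 from any address, and nothing in the slapd.conf templates in this diff (no `security` directive) forces those binds to upgrade to TLS. Either bind the cleartext URL to loopback as the example comment in this very file does (`ldap://127.0.0.1/`), or add `security simple_bind=128` to the templates; the README should then state which of the two the role guarantees.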
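Review bot: `openldap_server_ca_cert_url: https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt` makes the server's trust anchor (it becomes `TLSCACertificateFile` via the templates in this diff) whatever that repository's `master` branch holds at provisioning time, and the `get_url` task that fetches it carries no integrity check, so a changed or compromised upstream silently changes what slapd trusts. Pin the URL to a specific commit and give `get_url` a digest (`sha256sum=` on the Ansible release the `sudo: yes` syntax targets, `checksum=sha256:…` on 2.x), or ship the bundle with the role. The full Mozilla root set is also a very broad trust list for an LDAP server; if the file is ever used to verify client certificates a private CA would be the right anchor, though with `TLSVerifyClient` unset I cannot tell from here whether that is intended. `sudo: yes` is the pre-1.9 spelling; `become: yes` is its replacement if the role targets newer Ansible.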
@@ -7,41 +7,73 @@
 file: path={{ openldap_server_app_path }}/certs/ state=directory owner={{ openldap_server_user }} group={{ openldap_server_user }}
 - name: Generate the private key for certificate request
- shell: openssl genrsa -des3 -passout pass:password -out my1.key 1024 chdir={{ openldap_server_app_path }}/certs/
+ shell: openssl genrsa -des3 -passout pass:password -out my1.key {{ openldap_server_ssl_keylength }} chdir={{ openldap_server_app_path }}/certs/
 creates={{ openldap_server_app_path }}/certs/my1.key
+ when: openldap_server_ssl_private_key is undefined
-- name: Strip the passphrase from the key
- shell: openssl rsa -in my1.key -passin pass:password -out my.key chdir={{ openldap_server_app_path }}/certs/
+- name: Strip the passphrase from the key
+ shell: openssl rsa -in my1.key -passin pass:password -out my.key chdir={{ openldap_server_app_path }}/certs/
 creates={{ openldap_server_app_path }}/certs/my.key
+ when: openldap_server_ssl_private_key is undefined
-- name: Create and sign the the new certificate
- shell: openssl req -new -x509 -subj '/C={{ openldap_server_country }}/ST={{ openldap_server_state }}/L={{ openldap_server_location }}/O={{ openldap_server_organization }}/CN={{ ansible_hostname }}/' -days 3650 -key my.key -out cert.crt -extensions v3_ca chdir={{ openldap_server_app_path }}/certs/ creates={{ openldap_server_app_path }}/certs/cert.crt
+- name: Create the ssl private key
+ copy: content='{{ openldap_server_ssl_private_key }}'
+ dest={{ openldap_server_app_path }}/certs/my.key
+ owner={{ openldap_server_user }}
+ when: openldap_server_ssl_private_key is defined
+
+- name: Create and sign the the new certificate
+ shell: openssl req \
+ -new \
+ -x509 \
+ -subj '/C={{ openldap_server_country }}/ST={{ openldap_server_state }}/L={{ openldap_server_location }}/O={{ openldap_server_organization }}/CN={{ openldap_server_hostname }}/' \
+ -days {{ openldap_server_certificate_expiry_days }} \
+ -key my.key \
+ -out cert.crt \
+ -extensions 
v3_ca chdir={{ openldap_server_app_path }}/certs/
+ creates={{ openldap_server_app_path }}/certs/cert.crt
+ when: openldap_server_ssl_certificate is undefined
+
+- name: Create the ssl certificate
+ copy: content='{{ openldap_server_ssl_certificate }}'
+ dest={{ openldap_server_app_path }}/certs/cert.crt
+ owner={{ openldap_server_user }}
+ when: openldap_server_ssl_certificate is defined
+
+- name: Download certificate chain file
+ get_url: url={{ openldap_server_ca_cert_url }}
+ dest={{ openldap_server_app_path }}/certs/cacert.pem
+ mode=0444
+ when: openldap_server_ca_cert_url is defined
 - name: copy the supporting files
 copy: src=ldap dest=/etc/sysconfig/ldap mode=0755
 when: openldap_server_enable_ssl and ansible_os_family == 'RedHat'
- notify:
+ notify:
 - restart slapd
 - name: copy the supporting files
 copy: src=slapd_fedora dest=/etc/sysconfig/slapd mode=0755
 when: openldap_server_enable_ssl and ansible_distribution == "Fedora"
- notify:
+ notify:
 - restart slapd
 - name: copy the supporting files
 copy: src=slapd dest=/etc/default/slapd mode=0755
 when: openldap_server_enable_ssl and ansible_os_family == 'Debian'
- notify:
+ notify:
 - restart slapd
 - name: start the slapd service
- service: name=slapd state=started enabled=yes
-
+ service: name=slapd state=started enabled=yes
+
 - name: Copy the template for creating base dn
 template: src={{ openldap_server_ldif }} dest=/tmp/
 register: result
 - name: add the base domain
- shell: ldapadd -x -D "cn=Manager,dc={{ openldap_server_domain_name.split('.')[0] }},dc={{ openldap_server_domain_name.split('.')[1] }}" -w {{ openldap_server_rootpw }} -f {{ result.dest|default(result.path) }} && touch {{ openldap_server_app_path }}/rootdn_created creates={{ openldap_server_app_path }}/rootdn_created
+ shell: ldapadd -x -D "cn=Manager,dc={{ openldap_server_domain_name.split('.')[0] }},dc={{ openldap_server_domain_name.split('.')[1] }}" \
+ -w {{ openldap_server_rootpw }} \
+ -f {{ result.dest|default(result.path) }} && touch {{ 
openldap_server_app_path }}/rootdn_created
+ creates={{ openldap_server_app_path }}/rootdn_created
diff --git a/tasks/install_ldap.yml b/tasks/install_ldap.yml
index c2aba5e..5d24a7c 100644
--- a/tasks/install_ldap.yml
+++ b/tasks/install_ldap.yml
@@ -19,19 +19,19 @@
 file: path={{ openldap_server_app_path }}/slapd.d state=absent
 - name: Generate the root password for ldap
- shell: slappasswd -s {{ openldap_server_rootpw }}
+ shell: slappasswd -s {{ openldap_server_rootpw }}
 register: root_password
 - name: Copy the slapd.conf configuration file for Redhat
 template: src=slapd.conf.j2 dest={{ openldap_server_app_path }}/slapd.conf
 when: ansible_os_family == "RedHat"
- notify:
+ notify:
 - restart slapd
 - name: Copy the slapd.conf configuration file
 template: src=slapd.conf_ubuntu.j2 dest={{ openldap_server_app_path }}/slapd.conf
 when: ansible_os_family == "Debian"
- notify:
+ notify:
 - restart slapd
 - name: Copy the ldap.conf configuration file
diff --git a/templates/slapd.conf.j2 b/templates/slapd.conf.j2
index 3f699d5..396db11 100644
--- a/templates/slapd.conf.j2
+++ b/templates/slapd.conf.j2
@@ -31,6 +31,8 @@ index uidNumber,gidNumber,loginShell eq,pres
 index uid,memberUid eq,pres,sub
 index nisMapName,nisMapEntry eq,pres,sub
 TLSCipherSuite HIGH:MEDIUM:+SSLv2
-#TLSCACertificateFile /etc/openldap/certs/cacert.pem
+{% if openldap_server_tlscacertificatefile is defined %}
+TLSCACertificateFile {{ openldap_server_tlscacertificatefile }}
+{% endif %}
 TLSCertificateFile /etc/openldap/certs/cert.crt
 TLSCertificateKeyFile /etc/openldap/certs/my.key
diff --git a/templates/slapd.conf_ubuntu.j2 b/templates/slapd.conf_ubuntu.j2
index f256ed6..4ec770b 100644
--- a/templates/slapd.conf_ubuntu.j2
+++ b/templates/slapd.conf_ubuntu.j2
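Review bot: The new `Create the ssl private key` task writes `openldap_server_ssl_private_key` to `{{ openldap_server_app_path }}/certs/my.key` with `owner=` but no `mode=`, so as far as I can tell the file gets the copy module's default (umask-derived, normally 0644) and the server's private key ends up world-readable; add `mode=0600` to that task, and because the generated path (`openssl rsa ... -out my.key` writes through the ordinary umask too) has no explicit mode either, follow the generation with a `file:` task that forces `mode=0600` and `owner={{ openldap_server_user }}` on the same path. The reflowed `add the base domain` task still passes `-w {{ openldap_server_rootpw }}` as a process argument, visible in `ps` and in Ansible's task output; `ldapadd -y <0600 password file>` or at least `no_log: true` on the task keeps it out of both. The key is also still encrypted with the fixed `-passout pass:password` and the intermediate `my1.key` is left behind in the certs directory, so with that passphrase public it deserves the same permissions or a `state=absent` cleanup once `my.key` exists. The three `copy the supporting files` tasks below are changed only in whitespace.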
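Review bot: The new `TLSCACertificateFile` block sits directly under the unchanged `TLSCipherSuite HIGH:MEDIUM:+SSLv2`, which still admits MEDIUM-strength ciphers and explicitly re-enables SSLv2, with no `TLSProtocolMin` anywhere in view, so the hunk hardens trust while the protocol settings beside it stay weak. Since the template is being touched, replace that line with `TLSCipherSuite HIGH:!aNULL:!MD5` and add `TLSProtocolMin 3.3` (TLS 1.2), bearing in mind the cipher-string syntax differs if slapd on this platform is linked against NSS rather than OpenSSL — the diff does not say which. Consider also a comment next to the new directive stating what the CA file is for: with `TLSVerifyClient` absent slapd will not request client certificates, so the bundle serves only chain building, and a reader should not assume otherwise.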
@@ -36,6 +36,8 @@ index ou,cn,mail,surname,givenname eq,pres,sub
 index uidNumber,gidNumber,loginShell eq,pres
 index uid,memberUid eq,pres,sub
 index nisMapName,nisMapEntry eq,pres,sub
-#TLSCACertificateFile /etc/ldap/certs/cacert.pem
+{% if openldap_server_tlscacertificatefile is defined %}
+TLSCACertificateFile {{ openldap_server_tlscacertificatefile }}
+{% endif %}
 TLSCertificateFile /etc/ldap/certs/cert.crt
 TLSCertificateKeyFile /etc/ldap/certs/my.key
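Review bot: `TLSCACertificateFile {{ openldap_server_tlscacertificatefile }}` is the only path in this block taken from a variable, while the download task in tasks/configure_ldap.yml in this diff always writes the bundle to `{{ openldap_server_app_path }}/certs/cacert.pem` and the README documents the variable's default as `/etc/openldap/certs/cacert.pem`; a Debian host that keeps that default points slapd at a file the role never wrote, which is presumably why site.yml has to override it to `/etc/ldap/certs/cacert.pem`. Derive the path from the same base instead, e.g. `openldap_server_tlscacertificatefile: "{{ openldap_server_app_path }}/certs/cacert.pem"` in defaults/main.yml (I cannot see whether defaults sets it today; the defaults hunk here does not), and gate the directive on the file actually being provisioned (`openldap_server_ca_cert_url is defined`) rather than on the path variable being defined, so a host with no CA file gets no directive. Whether slapd refuses to start when the named file is missing I cannot verify from here, but a startup failure is the likely symptom.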