From a69cc92f186b512c9be79ef468d853c42da510cb Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Wed, 4 Nov 2015 10:34:47 +0000 Subject: [PATCH 01/15] Support all types of LDAP connection Support LDAP with plain LDAP and LDAP with STARTTLS --- files/ldap | 2 +- files/slapd | 2 +- files/slapd_fedora | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/files/ldap b/files/ldap index c2894fe..20b2a9c 100644 --- a/files/ldap +++ b/files/ldap @@ -5,7 +5,7 @@ # # Run slapd with -h "... ldap:/// ..." # yes/no, default: yes -SLAPD_LDAP=no +SLAPD_LDAP=yes # Run slapd with -h "... ldapi:/// ..." # yes/no, default: yes diff --git a/files/slapd b/files/slapd index 9337b16..acc293c 100644 --- a/files/slapd +++ b/files/slapd @@ -21,7 +21,7 @@ SLAPD_PIDFILE= # sockets. # Example usage: # SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///" -SLAPD_SERVICES="ldaps:/// ldapi:///" +SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///" # If SLAPD_NO_START is set, the init script will not start or restart # slapd (but stop will still work). Uncomment this if you are diff --git a/files/slapd_fedora b/files/slapd_fedora index 311e354..966d27f 100644 --- a/files/slapd_fedora +++ b/files/slapd_fedora @@ -6,7 +6,7 @@ # (use SASL with EXTERNAL mechanism for authentication) # - default: ldapi:/// ldap:/// # - example: ldapi:/// ldap://127.0.0.1/ ldap://10.0.0.1:1389/ ldaps:/// -SLAPD_URLS="ldapi:/// ldaps:///" +SLAPD_URLS="ldap:/// ldapi:/// ldaps:///" # Any custom options #SLAPD_OPTIONS="" From cfe11cea4f6f4f380add6d75ecf8ab43eaaa92f8 Mon Sep 17 00:00:00 2001 
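Review bot: Enabling `ldap:///` in files/ldap, files/slapd and files/slapd_fedora opens a cleartext listener, and nothing else in this series adds a `security` directive to the slapd.conf templates, so simple binds — including the rootpw that the `ldapadd` task sends — are accepted before any STARTTLS negotiation. If plain LDAP is meant only as a STARTTLS entry point, pair this change with `security ssf=128` (or at minimum `security simple_bind=128`) in templates/slapd.conf.j2 and templates/slapd.conf_ubuntu.j2 so credentials cannot travel unencrypted. The commit message should also say explicitly that a cleartext port is now exposed by default.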
From: Martin Jackson Date: Tue, 3 Nov 2015 17:54:36 +0000 Subject: [PATCH 02/15] This line is fairly long and fairly opinionated The creation and signing shell command is quite long and difficult to read so I have split over a number of lines. It is also fairly opinionated i.e. in that the: * Common Name will always be the servers `ansible_hostname` so I have made it a overridable parameter. * The SSL certifate expiry date is forcible set to 10 years --- defaults/main.yml | 2 ++ tasks/configure_ldap.yml | 10 +++++++++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 51738ad..3348d6f 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -11,6 +11,8 @@ openldap_server_country: US openldap_server_state: oregon openldap_server_location: portland openldap_server_organization: IT +openldap_server_certificate_expiry_days: 3650 +openldap_server_hostname: "{{ ansible_hostname }}" openldap_server_enable_ssl: true diff --git a/tasks/configure_ldap.yml b/tasks/configure_ldap.yml index 12929d6..c639c9f 100644 --- a/tasks/configure_ldap.yml +++ b/tasks/configure_ldap.yml 
@@ -15,7 +15,15 @@ creates={{ openldap_server_app_path }}/certs/my.key - name: Create and sign the the new certificate - shell: openssl req -new -x509 -subj '/C={{ openldap_server_country }}/ST={{ openldap_server_state }}/L={{ openldap_server_location }}/O={{ openldap_server_organization }}/CN={{ ansible_hostname }}/' -days 3650 -key my.key -out cert.crt -extensions v3_ca chdir={{ openldap_server_app_path }}/certs/ creates={{ openldap_server_app_path }}/certs/cert.crt + shell: openssl req \ + -new \ + -x509 \ + -subj '/C={{ openldap_server_country }}/ST={{ openldap_server_state }}/L={{ openldap_server_location }}/O={{ openldap_server_organization }}/CN={{ openldap_server_hostname }}/' \ + -days {{ openldap_server_certificate_expiry_days }} \ + -key my.key \ + -out cert.crt \ + -extensions v3_ca chdir={{ openldap_server_app_path }}/certs/ + creates={{ openldap_server_app_path }}/certs/cert.crt - name: copy the supporting files copy: src=ldap dest=/etc/sysconfig/ldap mode=0755 From 76b8a263489badcbe13ae6f54d80496f246ea34f Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Tue, 3 Nov 2015 18:00:32 +0000 Subject: [PATCH 03/15] Parameterise the default SSL key size The default ssl keylength is quite low by todays standards. --- defaults/main.yml | 1 + tasks/configure_ldap.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3348d6f..c611b8a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -13,6 +13,7 @@ openldap_server_location: portland openldap_server_organization: IT openldap_server_certificate_expiry_days: 3650 openldap_server_hostname: "{{ ansible_hostname }}" +openldap_server_ssl_keylength: 1024 openldap_server_enable_ssl: true diff --git a/tasks/configure_ldap.yml b/tasks/configure_ldap.yml index c639c9f..95cdfc2 100644 --- a/tasks/configure_ldap.yml +++ b/tasks/configure_ldap.yml 
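Review bot: The rewritten `shell:` value in tasks/configure_ldap.yml is a multi-line plain YAML scalar, so YAML folds each line break into a single space and the shell receives `openssl req \ -new \ -x509 ...`, where every `\ ` is an escaped space rather than a line continuation; whether Ansible's argument splitter reassembles that into the intended command cannot be confirmed from the hunk, and the `chdir=` / `creates=` module options are mixed into the same string. A folded block scalar (`>-`) needs no backslashes at all, and `args:` keeps the module options out of the command text.
```yaml
- name: Create and sign the the new certificate
  shell: >-
    openssl req -new -x509
    -subj '/C={{ openldap_server_country }}/ST={{ openldap_server_state }}/L={{ openldap_server_location }}/O={{ openldap_server_organization }}/CN={{ openldap_server_hostname }}/'
    -days {{ openldap_server_certificate_expiry_days }}
    -key my.key -out cert.crt -extensions v3_ca
  args:
    chdir: "{{ openldap_server_app_path }}/certs/"
    creates: "{{ openldap_server_app_path }}/certs/cert.crt"
```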
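Review bot: The new default `openldap_server_ssl_keylength: 1024` in defaults/main.yml is the value the commit message itself calls too low; a 1024-bit RSA key is below what current TLS clients and CAs accept, and the README hunk later in this series (patch 08) documents `2048`, so the shipped default and the documentation disagree. Suggest `openldap_server_ssl_keylength: 2048` as the default so the parameter only has to be overridden downward for legacy cases. The same README/default mismatch exists for `openldap_server_certificate_expiry_days` (3650 in defaults, 365 in the README).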
@@ -7,7 +7,7 @@ file: path={{ openldap_server_app_path }}/certs/ state=directory owner={{ openldap_server_user }} group={{ openldap_server_user }} - name: Generate the private key for certificate request - shell: openssl genrsa -des3 -passout pass:password -out my1.key 1024 chdir={{ openldap_server_app_path }}/certs/ + shell: openssl genrsa -des3 -passout pass:password -out my1.key {{ openldap_server_ssl_keylength }} chdir={{ openldap_server_app_path }}/certs/ creates={{ openldap_server_app_path }}/certs/my1.key - name: Strip the passphrase from the key From 1e12a54d6ef26d9754514dd5aa04eef95a26b229 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Wed, 4 Nov 2015 08:38:52 +0000 Subject: [PATCH 04/15] We may want to provide our own private key We may want to provide our own private key rather than have one generated on the first run. --- tasks/configure_ldap.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tasks/configure_ldap.yml b/tasks/configure_ldap.yml index 95cdfc2..3953120 100644 --- a/tasks/configure_ldap.yml +++ b/tasks/configure_ldap.yml @@ -9,10 +9,18 @@ - name: Generate the private key for certificate request shell: openssl genrsa -des3 -passout pass:password -out my1.key {{ openldap_server_ssl_keylength }} chdir={{ openldap_server_app_path }}/certs/ creates={{ openldap_server_app_path }}/certs/my1.key + when: openldap_server_ssl_private_key is undefined - name: Strip the passphrase from the key shell: openssl rsa -in my1.key -passin pass:password -out my.key chdir={{ openldap_server_app_path }}/certs/ creates={{ openldap_server_app_path }}/certs/my.key + when: openldap_server_ssl_private_key is undefined + +- name: Create the ssl private key + copy: content='{{ openldap_server_ssl_private_key }}' + dest={{ openldap_server_app_path }}/certs/my.key + owner={{ openldap_server_user }} + when: openldap_server_ssl_private_key is defined - name: Create and sign the the new certificate shell: openssl req \ 
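Review bot: The rewritten `genrsa` line keeps `-des3 -passout pass:password`, a fixed placeholder passphrase that the very next task strips again, so encrypting the key buys nothing and leaves `my1.key` (protected only by the word `password`) on disk beside the plaintext `my.key`. Generating the key unencrypted in one step, `shell: openssl genrsa -out my.key {{ openldap_server_ssl_keylength }} chdir={{ openldap_server_app_path }}/certs/ creates={{ openldap_server_app_path }}/certs/my.key`, drops both the placeholder secret and the strip task. Neither key task sets a file mode, so `my.key` is created under the remote umask; prefixing the command with `umask 077 &&` (or a follow-up `file:` task with `mode=0600`) would keep the key readable by root only.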
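Review bot: The new `Create the ssl private key` task writes a private key with `copy: content=... dest=... owner=...` but no `mode`, so the file is created with the remote umask (typically world-readable), and the key material is echoed into the play output because the task has no `no_log: true` — the Vagrantfile added in patch 09 runs with `ansible.verbose = "v"`, which would print it. A PEM value with embedded newlines inside single quotes in the k=v form is also fragile to parse; the YAML-native argument form avoids that. Proposed task:
```yaml
- name: Create the ssl private key
  copy:
    content: "{{ openldap_server_ssl_private_key }}"
    dest: "{{ openldap_server_app_path }}/certs/my.key"
    owner: "{{ openldap_server_user }}"
    mode: "0600"
  no_log: true
  when: openldap_server_ssl_private_key is defined
```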
From d4f0436447329c81c172701e10d9a04c51b75af4 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Wed, 4 Nov 2015 08:40:59 +0000 Subject: [PATCH 05/15] We may want to provide our own SSL certificate We may want to use a SSL certificate that is not self-signed. --- tasks/configure_ldap.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tasks/configure_ldap.yml b/tasks/configure_ldap.yml index 3953120..873b4b9 100644 --- a/tasks/configure_ldap.yml +++ b/tasks/configure_ldap.yml @@ -32,6 +32,14 @@ -out cert.crt \ -extensions v3_ca chdir={{ openldap_server_app_path }}/certs/ creates={{ openldap_server_app_path }}/certs/cert.crt + when: openldap_server_ssl_certificate is undefined + +- name: Create the ssl certificate + copy: content='{{ openldap_server_ssl_certificate }}' + dest={{ openldap_server_app_path }}/certs/cert.crt + owner={{ openldap_server_user }} + when: openldap_server_ssl_certificate is defined + - name: copy the supporting files copy: src=ldap dest=/etc/sysconfig/ldap mode=0755 From e38741a85e9b68b691b724cf35da6f92f9cc4003 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Wed, 4 Nov 2015 08:45:23 +0000 Subject: [PATCH 06/15] Download an official CA certificate file Download an official Certificate Authority certificate chain file. --- tasks/configure_ldap.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tasks/configure_ldap.yml b/tasks/configure_ldap.yml index 873b4b9..dc4292c 100644 --- a/tasks/configure_ldap.yml +++ b/tasks/configure_ldap.yml @@ -40,6 +40,11 @@ owner={{ openldap_server_user }} when: openldap_server_ssl_certificate is defined +- name: Download certificate chain file + get_url: url=https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt + dest={{ openldap_server_app_path }}/certs/cacert.pem + mode=0444 + when: openldap_server_ssl_cacertificate is defined - name: copy the supporting files copy: src=ldap dest=/etc/sysconfig/ldap mode=0755 
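Review bot: The guards on the self-sign task and the new `Create the ssl certificate` task test only `openldap_server_ssl_certificate`, while the key tasks from the previous commit test only `openldap_server_ssl_private_key`, so a play that supplies a certificate without its key gets a freshly generated key that does not match the certificate and slapd's TLS listener cannot come up. An `assert` at the top of tasks/configure_ldap.yml that the two are set together, `that: "(openldap_server_ssl_private_key is defined) == (openldap_server_ssl_certificate is defined)"`, would surface that when variables are checked rather than at service start. The copy task also sets `owner` but no `mode`; `mode=0444`, as the download task in the next commit uses, would be consistent.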
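Review bot: The download task fetches the server's trust bundle from a mutable branch of a third-party repository (`https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt`) with no integrity check, so whatever that branch serves at run time becomes the CA list slapd trusts. `get_url` accepts `sha256sum=` (Ansible 1.x; `checksum=` from 2.0) to pin the expected content, or the bundle can be shipped with the role and installed with `copy`, which also removes the network dependency from the play. The same applies once patch 11 turns the URL into the `openldap_server_ca_cert_url` parameter.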
From 42a46fed50addfd31b2b51f9861f5bea1f81232c Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Wed, 4 Nov 2015 08:28:39 +0000 Subject: [PATCH 07/15] Use TLSCACertificateFile if defined --- templates/slapd.conf.j2 | 4 +++- templates/slapd.conf_ubuntu.j2 | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/templates/slapd.conf.j2 b/templates/slapd.conf.j2 index 3f699d5..396db11 100644 --- a/templates/slapd.conf.j2 +++ b/templates/slapd.conf.j2 @@ -31,6 +31,8 @@ index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub TLSCipherSuite HIGH:MEDIUM:+SSLv2 -#TLSCACertificateFile /etc/openldap/certs/cacert.pem +{% if openldap_server_tlscacertificatefile is defined %} +TLSCACertificateFile {{ openldap_server_tlscacertificatefile }} +{% endif %} TLSCertificateFile /etc/openldap/certs/cert.crt TLSCertificateKeyFile /etc/openldap/certs/my.key diff --git a/templates/slapd.conf_ubuntu.j2 b/templates/slapd.conf_ubuntu.j2 index f256ed6..4ec770b 100644 --- a/templates/slapd.conf_ubuntu.j2 +++ b/templates/slapd.conf_ubuntu.j2 @@ -36,6 +36,8 @@ index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub -#TLSCACertificateFile /etc/ldap/certs/cacert.pem +{% if openldap_server_tlscacertificatefile is defined %} +TLSCACertificateFile {{ openldap_server_tlscacertificatefile }} +{% endif %} TLSCertificateFile /etc/ldap/certs/cert.crt TLSCertificateKeyFile /etc/ldap/certs/my.key From b212a2a36b89717ea76251da50d3cc60ad960e7a Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Wed, 4 Nov 2015 08:47:14 +0000 Subject: [PATCH 08/15] Update the documentation with new variables --- README.md | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 081cbe1..f98ced8 100644 --- a/README.md +++ b/README.md 
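Review bot: The `{% if openldap_server_tlscacertificatefile is defined %}` blocks in templates/slapd.conf.j2 and templates/slapd.conf_ubuntu.j2 take the CA file path from a variable set independently of where the download task writes the bundle (`{{ openldap_server_app_path }}/certs/cacert.pem`), so the two must be kept in sync by hand — site.yml in patch 09 repeats the path literally. Gating the directive on the same condition that triggers the download and rendering `TLSCACertificateFile {{ openldap_server_app_path }}/certs/cacert.pem` would remove the duplicate setting; an `is defined` guard that does not imply the file exists is a foot-gun, since slapd's TLS initialisation presumably fails when the named file is missing. The adjacent context line `TLSCipherSuite HIGH:MEDIUM:+SSLv2` in slapd.conf.j2 is outside this change but permits MEDIUM-strength ciphers and is worth tightening in a follow-up.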
@@ -16,14 +16,20 @@ Role Variables The variables that can be passed to this role and a brief description about them are as follows: - openldap_serverdomain_name: example.com # The domain prefix for ldap - openldap_serverrootpw: passme # This is the password for admin for openldap - openldap_serverenable_ssl: true # To enable/disable ssl for the ldap - openldap_servercountry: US # The self signed ssl certificate parameters - openldap_serverstate: Oregon - openldap_serverlocation: Portland - openldap_serverorganization: IT - + openldap_server_hostname: ldap.example.com # The hostname for ldap + openldap_server_domain_name: example.com # The domain prefix for ldap + openldap_server_rootpw: passme # This is the password for admin for openldap + openldap_server_enable_ssl: true # To enable/disable ssl for the ldap + openldap_server_country: US # The self signed ssl certificate parameters + openldap_server_ssl_cacertificate: # Downlaod CA certificate bundle + openldap_server_state: Oregon + openldap_server_location: Portland + openldap_server_organization: IT + openldap_server_tlscacertificatefile: /etc/openldap/certs/cacert.pem + openldap_server_certificate_expiry_days: 365 + openldap_server_ssl_keylength: 2048 # SSL Keylength + openldap_server_ssl_private_key: # Private Key + openldap_server_ssl_certificate: # SSL Certificate Examples -------- From 310c90f55e16fd4abe1460366dec382d54acaa8d Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Wed, 4 Nov 2015 09:29:50 +0000 Subject: [PATCH 09/15] Add vagrant environment for easy testing --- .gitignore | 1 + Vagrantfile | 25 +++++++++++++++++++++++++ site.yml | 8 ++++++++ 3 files changed, 34 insertions(+) create mode 100644 .gitignore create mode 100644 Vagrantfile create mode 100644 site.yml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8000dd9 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.vagrant diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 0000000..8133ba5 --- /dev/null 
+++ b/Vagrantfile @@ -0,0 +1,25 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +MEMORY_DEFAULT = 512 + +Vagrant.configure(2) do |config| + config.vm.box = "ubuntu/trusty64" + config.vm.hostname = "openldap" + + config.vm.provider :virtualbox do |v| + v.memory = MEMORY_DEFAULT + end + + config.vm.provider :vmware_fusion do |v| + v.vmx["memsize"] = MEMORY_DEFAULT + end + + config.vm.network :private_network, ip: "33.33.33.11" + + config.vm.provision :shell, inline: "apt-get purge -qq -y --auto-remove chef puppet" + config.vm.provision :ansible do |ansible| + ansible.playbook = "site.yml" + ansible.verbose = "v" + end +end diff --git a/site.yml b/site.yml new file mode 100644 index 0000000..cc9ea73 --- /dev/null +++ b/site.yml @@ -0,0 +1,8 @@ +--- +- hosts: all + sudo: yes + vars: + openldap_server_ssl_cacertificate: true + openldap_server_tlscacertificatefile: /etc/ldap/certs/cacert.pem + roles: + - . From 11ce8d9be4fedff227b2829d16821f73c7b7301c Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Wed, 4 Nov 2015 09:31:07 +0000 Subject: [PATCH 10/15] Boy Scout Rule - cleaning up white space --- README.md | 2 +- tasks/configure_ldap.yml | 14 +++++++------- tasks/install_ldap.yml | 6 +++--- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index f98ced8..6f92531 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,7 @@ Examples openldap_server_domain_name: example.com openldap_server_rootpw: passme openldap_server_enable_ssl: false - + 2) Configure an OpenLDAP server with SSL: - hosts: all diff --git a/tasks/configure_ldap.yml b/tasks/configure_ldap.yml index dc4292c..b05490d 100644 --- a/tasks/configure_ldap.yml +++ b/tasks/configure_ldap.yml 
@@ -11,8 +11,8 @@ creates={{ openldap_server_app_path }}/certs/my1.key when: openldap_server_ssl_private_key is undefined -- name: Strip the passphrase from the key - shell: openssl rsa -in my1.key -passin pass:password -out my.key chdir={{ openldap_server_app_path }}/certs/ +- name: Strip the passphrase from the key + shell: openssl rsa -in my1.key -passin pass:password -out my.key chdir={{ openldap_server_app_path }}/certs/ creates={{ openldap_server_app_path }}/certs/my.key when: openldap_server_ssl_private_key is undefined @@ -49,25 +49,25 @@ - name: copy the supporting files copy: src=ldap dest=/etc/sysconfig/ldap mode=0755 when: openldap_server_enable_ssl and ansible_os_family == 'RedHat' - notify: + notify: - restart slapd - name: copy the supporting files copy: src=slapd_fedora dest=/etc/sysconfig/slapd mode=0755 when: openldap_server_enable_ssl and ansible_distribution == "Fedora" - notify: + notify: - restart slapd - name: copy the supporting files copy: src=slapd dest=/etc/default/slapd mode=0755 when: openldap_server_enable_ssl and ansible_os_family == 'Debian' - notify: + notify: - restart slapd - name: start the slapd service - service: name=slapd state=started enabled=yes - + service: name=slapd state=started enabled=yes + - name: Copy the template for creating base dn template: src={{ openldap_server_ldif }} dest=/tmp/ register: result diff --git a/tasks/install_ldap.yml b/tasks/install_ldap.yml index c2aba5e..5d24a7c 100644 --- a/tasks/install_ldap.yml +++ b/tasks/install_ldap.yml 
@@ -19,19 +19,19 @@ file: path={{ openldap_server_app_path }}/slapd.d state=absent - name: Generate the root password for ldap - shell: slappasswd -s {{ openldap_server_rootpw }} + shell: slappasswd -s {{ openldap_server_rootpw }} register: root_password - name: Copy the slapd.conf configuration file for Redhat template: src=slapd.conf.j2 dest={{ openldap_server_app_path }}/slapd.conf when: ansible_os_family == "RedHat" - notify: + notify: - restart slapd - name: Copy the slapd.conf configuration file template: src=slapd.conf_ubuntu.j2 dest={{ openldap_server_app_path }}/slapd.conf when: ansible_os_family == "Debian" - notify: + notify: - restart slapd - name: Copy the ldap.conf configuration file From 737bc9c256243a0c524feac392b82652d6467835 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Thu, 5 Nov 2015 10:38:10 +0000 Subject: [PATCH 11/15] Change hardcoded cacert bundle into parameter The current cacert bundle is hardcoded and we may want to download our own version of the cacert bundle. --- README.md | 2 +- site.yml | 2 +- tasks/configure_ldap.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 6f92531..e192b9c 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,7 @@ them are as follows: openldap_server_rootpw: passme # This is the password for admin for openldap openldap_server_enable_ssl: true # To enable/disable ssl for the ldap openldap_server_country: US # The self signed ssl certificate parameters - openldap_server_ssl_cacertificate: # Downlaod CA certificate bundle + openldap_server_ca_cert_url: # Download URL CA certificate bundle openldap_server_state: Oregon openldap_server_location: Portland openldap_server_organization: IT diff --git a/site.yml b/site.yml index cc9ea73..be96dca 100644 --- a/site.yml +++ b/site.yml 
@@ -2,7 +2,7 @@ - hosts: all sudo: yes vars: - openldap_server_ssl_cacertificate: true + openldap_server_ca_cert_url: https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt openldap_server_tlscacertificatefile: /etc/ldap/certs/cacert.pem roles: - . diff --git a/tasks/configure_ldap.yml b/tasks/configure_ldap.yml index b05490d..f23d8f2 100644 --- a/tasks/configure_ldap.yml +++ b/tasks/configure_ldap.yml @@ -41,10 +41,10 @@ when: openldap_server_ssl_certificate is defined - name: Download certificate chain file - get_url: url=https://raw.githubusercontent.com/bagder/ca-bundle/master/ca-bundle.crt + get_url: url={{ openldap_server_ca_cert_url }} dest={{ openldap_server_app_path }}/certs/cacert.pem mode=0444 - when: openldap_server_ssl_cacertificate is defined + when: openldap_server_ca_cert_url is defined - name: copy the supporting files copy: src=ldap dest=/etc/sysconfig/ldap mode=0755 From b50f2276a02cc5b4e295e3f04a4da498d43a0c39 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Thu, 5 Nov 2015 11:07:16 +0000 Subject: [PATCH 12/15] Add GlobalSign root and DomainSSL certificate Adding the following GlobalSign certificates: * [R1 GlobalSign Root Certificate](https://support.globalsign.com/customer/en/portal/articles/1426602-globalsign-root-certificates) * [DomainSSL SHA-256 R1 Intermediate Certificates](https://support.globalsign.com/customer/portal/articles/1464460-domainssl-intermediate-certificates) --- ...L-SHA-256-R1-Intermediate-Certificates.pem | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 files/GlobalsignDomainSSL-SHA-256-R1-Intermediate-Certificates.pem diff --git a/files/GlobalsignDomainSSL-SHA-256-R1-Intermediate-Certificates.pem b/files/GlobalsignDomainSSL-SHA-256-R1-Intermediate-Certificates.pem new file mode 100644 index 0000000..26a748e --- /dev/null +++ b/files/GlobalsignDomainSSL-SHA-256-R1-Intermediate-Certificates.pem 
@@ -0,0 +1,47 @@ +-----BEGIN CERTIFICATE----- +MIIEYzCCA0ugAwIBAgILBAAAAAABRE7wPiAwDQYJKoZIhvcNAQELBQAwVzELMAkG +A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv +b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw +MDBaFw0yNDAyMjAxMDAwMDBaMGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i +YWxTaWduIG52LXNhMTYwNAYDVQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0 +aW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQCp3cwOs+IyOd1JIqgTaZOHiOEM7nF9vZCHll1Z8syz0lhXV/lG72wm2DZC +jn4wsy+aPlN7H262okxFHzzTFZMcie089Ffeyr3sBppqKqAZUn9R0XQ5CJ+r69eG +ExWXrjbDVGYOWvKgc4Ux47JkFGr/paKOJLu9hVIVonnu8LXuPbj0fYC82ZA1ZbgX +qa2zmJ+gfn1u+z+tfMIbWTaW2jcyS0tdNQJjjtunz2LuzC7Ujcm9PGqRcqIip3It +INH6yjfaGJjmFiRxJUvE5XuJUgkC/VkrBG7KB4HUs9ra2+PMgKhWBwZ8lgg3nds4 +tmI0kWIHdAE42HIw4uuQcSZiwFfzAgMBAAGjggElMIIBITAOBgNVHQ8BAf8EBAMC +AQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU6k581IAt5RWBhiaMgm3A +mKTPlw8wRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8v +d3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCowKKAmoCSG +Imh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYBBQUHAQEE +MTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290 +cjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZIhvcNAQEL +BQADggEBANdFnqDc4ONhWgt9d4QXLWVagpqNoycqhffJ7+mG/dRHzQFSlsVDvTex +4bjyqdKKEYRxkRWJ3AKdC8tsM4U0KJ4gsrGX3G0LEME8zV/qXdeYMcU0mVwAYVXE +GwJbxeOJyLS4bx448lYm6UHvPc2smU9ZSlctS32ux4j71pg79eXw6ImJuYsDy1oj +H6T9uOr7Lp2uanMJvPzVoLVEgqtEkS5QLlfBQ9iRBIvpES5ftD953x77PzAAi1Pj +tywdO02L3ORkHQRYM68bVeerDL8wBHTk8w4vMDmNSwSMHnVmZkngvkA0x1xaUZK6 +EjxS1QSCVS1npd+3lXzuP8MIugS+wEY= +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG +A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv +b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw +MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i +YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT 
+aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ +jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp +xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp +1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG +snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ +U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8 +9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E +BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B +AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz +yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE +38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP +AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad +DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME +HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== +-----END CERTIFICATE----- From 2a16bd52216b7fe36f7203649eedb5bfd5aacf90 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Thu, 5 Nov 2015 11:13:02 +0000 Subject: [PATCH 13/15] The Boyscout Rule act 1 - Fix hard to read lines This command was quite hard to read/review. --- tasks/configure_ldap.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tasks/configure_ldap.yml b/tasks/configure_ldap.yml index f23d8f2..03ed4ad 100644 --- a/tasks/configure_ldap.yml +++ b/tasks/configure_ldap.yml 
@@ -73,4 +73,7 @@ register: result - name: add the base domain - shell: ldapadd -x -D "cn=Manager,dc={{ openldap_server_domain_name.split('.')[0] }},dc={{ openldap_server_domain_name.split('.')[1] }}" -w {{ openldap_server_rootpw }} -f {{ result.dest|default(result.path) }} && touch {{ openldap_server_app_path }}/rootdn_created creates={{ openldap_server_app_path }}/rootdn_created + shell: ldapadd -x -D "cn=Manager,dc={{ openldap_server_domain_name.split('.')[0] }},dc={{ openldap_server_domain_name.split('.')[1] }}" \ + -w {{ openldap_server_rootpw }} \ + -f {{ result.dest|default(result.path) }} && touch {{ openldap_server_app_path }}/rootdn_created + creates={{ openldap_server_app_path }}/rootdn_created From b6e32f3c049f9607dcbbbc743e92baf7e8a6a7d5 Mon Sep 17 00:00:00 2001 From: Martin Jackson Date: Thu, 5 Nov 2015 11:15:11 +0000 Subject: [PATCH 14/15] The Boyscout Rule act 2 - Removing white space --- README.md | 2 -- tasks/configure_ldap.yml | 2 +- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/README.md b/README.md index e192b9c..7d96b6f 100644 --- a/README.md +++ b/README.md @@ -72,5 +72,3 @@ Author Information ------------------ Benno Joy - - diff --git a/tasks/configure_ldap.yml b/tasks/configure_ldap.yml index 03ed4ad..de7e53b 100644 --- a/tasks/configure_ldap.yml +++ b/tasks/configure_ldap.yml @@ -22,7 +22,7 @@ owner={{ openldap_server_user }} when: openldap_server_ssl_private_key is defined -- name: Create and sign the the new certificate +- name: Create and sign the the new certificate shell: openssl req \ -new \ -x509 \ From 9cbbb9957e99f9930028962dff451115ed195612 Mon Sep 17 00:00:00 2001 
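Review bot: The rewritten `ldapadd` command still passes the directory manager password on the command line with `-w {{ openldap_server_rootpw }}`, where it is visible in the process list to every local user while the command runs and is recorded in the play output, since the task has no `no_log: true`. `ldapadd -y <file>` reads the password from a file, so writing `openldap_server_rootpw` to a root-only temporary file first (and removing it afterwards) keeps it out of `ps`; add `no_log: true` to the task either way. The base DN is also still built from only the first two labels, `dc={{ openldap_server_domain_name.split('.')[0] }},dc={{ openldap_server_domain_name.split('.')[1] }}`, so a three-label domain yields the wrong DN; `dc={{ openldap_server_domain_name.split('.') | join(',dc=') }}` handles any depth and is identical for two labels.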
From: Jim Conner Date: Thu, 5 Nov 2015 14:13:08 +0000 Subject: [PATCH 15/15] Remove GlobalSign CA Bundle This file belongs in the ldap-server-ansible repo, not here. --- ...L-SHA-256-R1-Intermediate-Certificates.pem | 47 ------------------- 1 file changed, 47 deletions(-) delete mode 100644 files/GlobalsignDomainSSL-SHA-256-R1-Intermediate-Certificates.pem diff --git a/files/GlobalsignDomainSSL-SHA-256-R1-Intermediate-Certificates.pem b/files/GlobalsignDomainSSL-SHA-256-R1-Intermediate-Certificates.pem deleted file mode 100644 index 26a748e..0000000 --- a/files/GlobalsignDomainSSL-SHA-256-R1-Intermediate-Certificates.pem +++ /dev/null 
@@ -1,47 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEYzCCA0ugAwIBAgILBAAAAAABRE7wPiAwDQYJKoZIhvcNAQELBQAwVzELMAkG -A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv -b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw -MDBaFw0yNDAyMjAxMDAwMDBaMGAxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i -YWxTaWduIG52LXNhMTYwNAYDVQQDEy1HbG9iYWxTaWduIERvbWFpbiBWYWxpZGF0 -aW9uIENBIC0gU0hBMjU2IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQCp3cwOs+IyOd1JIqgTaZOHiOEM7nF9vZCHll1Z8syz0lhXV/lG72wm2DZC -jn4wsy+aPlN7H262okxFHzzTFZMcie089Ffeyr3sBppqKqAZUn9R0XQ5CJ+r69eG -ExWXrjbDVGYOWvKgc4Ux47JkFGr/paKOJLu9hVIVonnu8LXuPbj0fYC82ZA1ZbgX -qa2zmJ+gfn1u+z+tfMIbWTaW2jcyS0tdNQJjjtunz2LuzC7Ujcm9PGqRcqIip3It -INH6yjfaGJjmFiRxJUvE5XuJUgkC/VkrBG7KB4HUs9ra2+PMgKhWBwZ8lgg3nds4 -tmI0kWIHdAE42HIw4uuQcSZiwFfzAgMBAAGjggElMIIBITAOBgNVHQ8BAf8EBAMC -AQYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQU6k581IAt5RWBhiaMgm3A -mKTPlw8wRwYDVR0gBEAwPjA8BgRVHSAAMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8v -d3d3Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMDMGA1UdHwQsMCowKKAmoCSG -Imh0dHA6Ly9jcmwuZ2xvYmFsc2lnbi5uZXQvcm9vdC5jcmwwPQYIKwYBBQUHAQEE -MTAvMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9iYWxzaWduLmNvbS9yb290 -cjEwHwYDVR0jBBgwFoAUYHtmGkUNl8qJUC99BM00qP/8/UswDQYJKoZIhvcNAQEL -BQADggEBANdFnqDc4ONhWgt9d4QXLWVagpqNoycqhffJ7+mG/dRHzQFSlsVDvTex -4bjyqdKKEYRxkRWJ3AKdC8tsM4U0KJ4gsrGX3G0LEME8zV/qXdeYMcU0mVwAYVXE -GwJbxeOJyLS4bx448lYm6UHvPc2smU9ZSlctS32ux4j71pg79eXw6ImJuYsDy1oj -H6T9uOr7Lp2uanMJvPzVoLVEgqtEkS5QLlfBQ9iRBIvpES5ftD953x77PzAAi1Pj -tywdO02L3ORkHQRYM68bVeerDL8wBHTk8w4vMDmNSwSMHnVmZkngvkA0x1xaUZK6 -EjxS1QSCVS1npd+3lXzuP8MIugS+wEY= ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG -A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv -b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw -MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i -YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT 
-aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ -jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp -xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz8kHp -1Wrjsok6Vjk4bwY8iGlbKk3Fp1S4bInMm/k8yuX9ifUSPJJ4ltbcdG6TRGHRjcdG -snUOhugZitVtbNV4FpWi6cgKOOvyJBNPc1STE4U6G7weNLWLBYy5d4ux2x8gkasJ -U26Qzns3dLlwR5EiUWMWea6xrkEmCMgZK9FGqkjWZCrXgzT/LCrBbBlDSgeF59N8 -9iFo7+ryUp9/k5DPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8E -BTADAQH/MB0GA1UdDgQWBBRge2YaRQ2XyolQL30EzTSo//z9SzANBgkqhkiG9w0B -AQUFAAOCAQEA1nPnfE920I2/7LqivjTFKDK1fPxsnCwrvQmeU79rXqoRSLblCKOz -yj1hTdNGCbM+w6DjY1Ub8rrvrTnhQ7k4o+YviiY776BQVvnGCv04zcQLcFGUl5gE -38NflNUVyRRBnMRddWQVDf9VMOyGj/8N7yy5Y0b2qvzfvGn9LhJIZJrglfCm7ymP -AbEVtQwdpf5pLGkkeB6zpxxxYu7KyJesF12KwvhHhm4qxFYxldBniYUr+WymXUad -DKqC5JlR3XC321Y9YeRq4VzW9v493kHMB65jUr9TU/Qr6cf9tveCX4XSQRjbgbME -HMUfpIBvFSDJ3gyICh3WZlXi/EjJKSZp4A== ------END CERTIFICATE-----