Make LDAP CA cert file a variable.

group_vars/all

@@ -1,5 +1,6 @@
 ---
 
+ldap_ca: /etc/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
 ldap_host: ldap.binary.kitchen
 ldap_base: dc=binary-kitchen,dc=de

roles/ldap-client/templates/nslcd.conf.j2

@@ -32,4 +32,4 @@ base shadow {{ nslcd_base_shadow }}
 
 # SSL options
 tls_reqcert demand
-tls_cacertfile /etc/ssl/BKCA.crt
+tls_cacertfile {{ ldap_ca }}

roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2

@@ -45,14 +45,14 @@ dnpass = {{ ldap_bindpw }}
 # Use TLS to connect to the LDAP server.
 tls = yes
 # TLS options, currently supported only with OpenLDAP:
-#tls_ca_cert_file = TODO
+tls_ca_cert_file = {{ ldap_ca }}
 #tls_ca_cert_dir =
 #tls_cipher_suite =
 # TLS cert/key is used only if LDAP server requires a client certificate.
 #tls_cert_file =
 #tls_key_file =
 # Valid values: never, hard, demand, allow, try
-#tls_require_cert = TODO
+tls_require_cert = demand
 
 # Use the given ldaprc path.
 #ldaprc_path =