diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 57a6d03..0470215 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -13,7 +13,6 @@ hackmd_dbuser: hackmd
 hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
 hackmd_secret: "{{ vault_hackmd_secret }}"
-ldap_ca: /etc/ldap/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
 ldap_host: ldap.binary.kitchen
 ldap_base: dc=binary-kitchen,dc=de
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 041e8eb..94fe6ec 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -8,3 +8,6 @@
 - name: update-initramfs
   command: update-initramfs -u -k all
+
+- name: update-ca-certificates
+  command: update-ca-certificates
diff --git a/roles/common/tasks/Debian.yml b/roles/common/tasks/Debian.yml
index 24a952f..86abc2b 100644
--- a/roles/common/tasks/Debian.yml
+++ b/roles/common/tasks/Debian.yml
@@ -57,7 +57,8 @@
   template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
 - name: Copy LDAP certificate
-  copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
+  copy: src=BKCA.crt dest=/usr/local/share/ca-certificates/BKCA.crt mode=0444
+  notify: update-ca-certificates
 - name: Disable hibernation/resume
   copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
diff --git a/roles/common/tasks/FreeBSD.yml b/roles/common/tasks/FreeBSD.yml
index 367f49c..a633955 100644
--- a/roles/common/tasks/FreeBSD.yml
+++ b/roles/common/tasks/FreeBSD.yml
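Review bot: The copy now lands in `/usr/local/share/ca-certificates/BKCA.crt`, but on already-provisioned hosts the old copy at `/etc/ldap/ssl/BKCA.crt` stays behind and nothing in this commit removes it, so two trust anchors with different lifecycles remain on disk; only the file should go, because the slapd hunk further down still keeps `srv.crt`/`srv.key` under `/etc/ldap/ssl`. The task also keeps the `key=value` shorthand while the FreeBSD.yml hunk in the same commit was converted to block YAML with the mode quoted as a string. Suggested block-YAML form of the task plus a cleanup task for the superseded file:
```yaml
- name: Copy LDAP certificate
  copy:
    src: "BKCA.crt"
    dest: "/usr/local/share/ca-certificates/BKCA.crt"
    mode: "0444"
  notify: update-ca-certificates

- name: Remove superseded LDAP CA copy
  file:
    path: "/etc/ldap/ssl/BKCA.crt"
    state: absent
```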
@@ -28,7 +28,18 @@
     - { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' }
 - name: Create LDAP certificate directory
-  file: path=/etc/ldap/ssl state=directory
+  file:
+    path: "{{ item }}"
+    state: "directory"
+  loop:
+    - "/etc/ssl/certs"
+    - "/usr/local/etc/ssl/certs"
 - name: Copy LDAP certificate
-  copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
+  copy:
+    src: "BKCA.crt"
+    dest: "{{ item }}/BKCA.crt"
+    mode: "0444"
+  loop:
+    - "/etc/ssl/certs"
+    - "/usr/local/etc/ssl/certs"
diff --git a/roles/common/templates/ldap.conf.j2 b/roles/common/templates/ldap.conf.j2
index 4622f5a..68c992d 100644
--- a/roles/common/templates/ldap.conf.j2
+++ b/roles/common/templates/ldap.conf.j2
@@ -11,7 +11,3 @@ URI {{ ldap_uri }}
 #SIZELIMIT 12
 #TIMELIMIT 15
 #DEREF never
-
-# TLS certificates (needed for GnuTLS)
-TLS_CACERT /etc/ldap/ssl/BKCA.crt
-
diff --git a/roles/hackmd/templates/config.json.j2 b/roles/hackmd/templates/config.json.j2
index aa1570a..b02eb65 100644
--- a/roles/hackmd/templates/config.json.j2
+++ b/roles/hackmd/templates/config.json.j2
@@ -37,7 +37,6 @@
         "searchAttributes": ["cn", "uid"],
         "usernameField": "cn",
         "useridField": "uid",
-        "tlsca": "/etc/ldap/ssl/BKCA.crt"
     },
     "email": false
 }
diff --git a/roles/ldap-pam/templates/nslcd.conf.j2 b/roles/ldap-pam/templates/nslcd.conf.j2
index 01a0948..ecca929 100644
--- a/roles/ldap-pam/templates/nslcd.conf.j2
+++ b/roles/ldap-pam/templates/nslcd.conf.j2
@@ -32,4 +32,3 @@ base shadow {{ nslcd_base_shadow }}
 # SSL options
 tls_reqcert demand
-tls_cacertfile {{ ldap_ca }}
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
index 3bb3929..7a6725b 100644
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
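Review bot: Copying `BKCA.crt` into `/etc/ssl/certs` and `/usr/local/etc/ssl/certs` does not by itself make OpenSSL-based clients trust it: OpenSSL's directory (CApath) lookup finds certificates only through hash-named entries (`<hash>.0`), and on FreeBSD `/etc/ssl/certs` is the directory certctl(8) regenerates from its trust sources, so a plain `BKCA.crt` placed there is not found by that lookup. Unlike the Debian side of this commit, this task notifies no handler. Suggest writing only to `/usr/local/etc/ssl/certs` (certctl's local-trust directory) and adding `notify: rehash-ca-certificates` with a common handler running `command: certctl rehash` (or `openssl rehash` on a release without certctl); the task name `Create LDAP certificate directory` should also be updated since it now manages the system trust directories. The `with_items` list ending in `- { src: 'prompt_gentoo_setup', … }` belongs to a task that starts outside the hunk.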
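Review bot: Removing the last member of the `ldap` object leaves `"useridField": "uid",` with a trailing comma right before `},`, which a strict JSON parser rejects, so the rendered config.json will fail to load; the line above the deletion needs to become `"useridField": "uid"`. Separately, HackMD's LDAP client runs in Node.js, which verifies TLS against Node's bundled CA list rather than the OS trust store unless told otherwise (for example via `NODE_EXTRA_CA_CERTS`), so installing `BKCA.crt` through `update-ca-certificates` probably does not replace the removed `tlsca` setting for this service; confirm with a real bind before relying on it.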
@@ -105,9 +105,6 @@
 - name: Ensure postfix chroot has an LDAP CA directory
   file: path=/var/spool/postfix/etc/ldap/ssl/ state=directory
-- name: Ensure postfix chroot has the LDAP CA file
-  copy: remote_src=yes src=/etc/ldap/ssl/BKCA.crt dest=/var/spool/postfix/etc/ldap/ssl/BKCA.crt
-
 - name: Ensure postfix certificates are available
   command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
   notify: Restart postfix
diff --git a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2 b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
index 7e5a844..11b94b2 100644
--- a/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
+++ b/roles/mail/templates/dovecot/dovecot-ldap.conf.ext.j2
@@ -43,9 +43,9 @@ dnpass = {{ ldap_bindpw }}
 #sasl_authz_id =
 # Use TLS to connect to the LDAP server.
-tls = no
+tls = yes
 # TLS options, currently supported only with OpenLDAP:
-tls_ca_cert_file = {{ ldap_ca }}
+#tls_ca_cert_file =
 #tls_ca_cert_dir =
 #tls_cipher_suite =
 # TLS cert/key is used only if LDAP server requires a client certificate.
diff --git a/roles/mail/templates/postfix/ldap-aliases.cf.j2 b/roles/mail/templates/postfix/ldap-aliases.cf.j2
index 25fa1ed..d70125d 100644
--- a/roles/mail/templates/postfix/ldap-aliases.cf.j2
+++ b/roles/mail/templates/postfix/ldap-aliases.cf.j2
@@ -1,5 +1,4 @@
 server_host = {{ ldap_uri }}
-tls_ca_cert_file = {{ ldap_ca }}
 tls_require_cert = yes
 bind = yes
 bind_dn = {{ ldap_binddn }}
diff --git a/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2 b/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2
index 68812b5..c227d54 100644
--- a/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2
+++ b/roles/mail/templates/postfix/ldap-virtual-maps.cf.j2
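Review bot: The `Ensure postfix chroot has an LDAP CA directory` task still creates `/var/spool/postfix/etc/ldap/ssl/`, but the only task that populated it is the one removed here, so it now produces an empty, unreferenced directory inside the chroot and should be dropped or turned into `file: path=/var/spool/postfix/etc/ldap/ssl state=absent`. The Postfix LDAP maps (the `ldap-aliases.cf.j2` hunk below and the `ldap-virtual-maps.cf.j2` hunk on the next line) keep `tls_require_cert = yes` while losing `tls_ca_cert_file`, so verification now depends on libldap's default CA bundle being reachable from inside the chroot under `/var/spool/postfix/etc/ssl/certs/`; Debian's postfix start-up is believed to copy `/etc/ssl/certs/ca-certificates.crt` there, but that copy happens only at (re)start, so the CA install in the common role needs a postfix restart to take effect and should be verified on a host. If the bundle is absent from the chroot the lookups fail closed rather than silently trusting the server, which is the right failure mode but will break delivery.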
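Review bot: `tls = yes` turns on STARTTLS for the LDAP connection; if the `uris` setting in this template (outside the hunk) carries the `ldaps://` value of `ldap_uri` from group_vars, Dovecot would attempt STARTTLS on a port that already speaks TLS and the bind fails, so pick one combination: `ldaps://` with `tls = no`, or `ldap://` with `tls = yes`. With `tls_ca_cert_file` commented out, certificate verification presumably falls back to libldap's defaults (`/etc/ldap/ldap.conf`, whose `TLS_CACERT` this commit also removes), so it now rests on the distribution's compiled-in CA bundle path and on `tls_require_cert` not being relaxed elsewhere in this file; that setting is not visible in the hunk and should be checked. A comment above the changed line, e.g. `# STARTTLS; do not combine with an ldaps:// URI`, would record the intent.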
@@ -1,5 +1,4 @@
 server_host = {{ ldap_uri }}
-tls_ca_cert_file = {{ ldap_ca }}
 tls_require_cert = yes
 bind = yes
 bind_dn = {{ ldap_binddn }}
diff --git a/roles/slapd/templates/slapd.conf.j2 b/roles/slapd/templates/slapd.conf.j2
index fd6931e..4948079 100644
--- a/roles/slapd/templates/slapd.conf.j2
+++ b/roles/slapd/templates/slapd.conf.j2
@@ -67,7 +67,6 @@ access to *
 TLSCertificateFile /etc/ldap/ssl/srv.crt
 TLSCertificateKeyFile /etc/ldap/ssl/srv.key
-TLSCACertificateFile {{ ldap_ca }}
 TLSCipherSuite NORMAL
 TLSVerifyClient never