BKCA as system CA to allow smooth migration to let's encrypt #17
|
@ -13,7 +13,6 @@ hackmd_dbuser: hackmd
|
|||
hackmd_dbpass: "{{ vault_hackmd_dbpass }}"
|
||||
hackmd_secret: "{{ vault_hackmd_secret }}"
|
||||
|
||||
ldap_ca: /etc/ldap/ssl/BKCA.crt
|
||||
ldap_uri: ldaps://ldap.binary.kitchen/
|
||||
ldap_host: ldap.binary.kitchen
|
||||
ldap_base: dc=binary-kitchen,dc=de
|
||||
|
|
|
@ -8,3 +8,6 @@
|
|||
|
||||
- name: update-initramfs
|
||||
command: update-initramfs -u -k all
|
||||
|
||||
- name: update-ca-certificates
|
||||
command: update-ca-certificates
|
||||
|
|
|
@ -57,7 +57,8 @@
|
|||
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=0644
|
||||
|
||||
- name: Copy LDAP certificate
|
||||
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
|
||||
copy: src=BKCA.crt dest=/usr/local/share/ca-certificates/BKCA.crt mode=0444
|
||||
notify: update-ca-certificates
|
||||
|
||||
- name: Disable hibernation/resume
|
||||
copy: src=resume dest=/etc/initramfs-tools/conf.d/resume
|
||||
|
|
|
@ -28,7 +28,18 @@
|
|||
- { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.6/functions/Prompts/prompt_gentoo_setup' }
|
||||
|
||||
- name: Create LDAP certificate directory
|
||||
file: path=/etc/ldap/ssl state=directory
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: "directory"
|
||||
loop:
|
||||
- "/etc/ssl/certs"
|
||||
- "/usr/local/etc/ssl/certs"
|
||||
|
||||
- name: Copy LDAP certificate
|
||||
copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
|
||||
copy:
|
||||
src: "BKCA.crt"
|
||||
dest: "{{ item }}/BKCA.crt"
|
||||
mode: "0444"
|
||||
loop:
|
||||
- "/etc/ssl/certs"
|
||||
- "/usr/local/etc/ssl/certs"
|
||||
|
|
|
@ -11,7 +11,3 @@ URI {{ ldap_uri }}
|
|||
#SIZELIMIT 12
|
||||
#TIMELIMIT 15
|
||||
#DEREF never
|
||||
|
||||
# TLS certificates (needed for GnuTLS)
|
||||
TLS_CACERT /etc/ldap/ssl/BKCA.crt
|
||||
|
||||
|
|
|
@ -37,7 +37,6 @@
|
|||
"searchAttributes": ["cn", "uid"],
|
||||
"usernameField": "cn",
|
||||
"useridField": "uid",
|
||||
"tlsca": "/etc/ldap/ssl/BKCA.crt"
|
||||
},
|
||||
"email": false
|
||||
}
|
||||
|
|
|
@ -32,4 +32,3 @@ base shadow {{ nslcd_base_shadow }}
|
|||
|
||||
# SSL options
|
||||
tls_reqcert demand
|
||||
tls_cacertfile {{ ldap_ca }}
|
||||
|
|
|
@ -105,9 +105,6 @@
|
|||
- name: Ensure postfix chroot has an LDAP CA directory
|
||||
file: path=/var/spool/postfix/etc/ldap/ssl/ state=directory
|
||||
|
||||
- name: Ensure postfix chroot has the LDAP CA file
|
||||
copy: remote_src=yes src=/etc/ldap/ssl/BKCA.crt dest=/var/spool/postfix/etc/ldap/ssl/BKCA.crt
|
||||
|
||||
- name: Ensure postfix certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/postfix/ssl/{{ mail_server }}.key -out /etc/postfix/ssl/{{ mail_server }}.crt -days 730 -subj "/CN={{ mail_server }}" creates=/etc/postfix/ssl/{{ mail_server }}.crt
|
||||
notify: Restart postfix
|
||||
|
|
|
@ -43,9 +43,9 @@ dnpass = {{ ldap_bindpw }}
|
|||
#sasl_authz_id =
|
||||
|
||||
# Use TLS to connect to the LDAP server.
|
||||
tls = no
|
||||
tls = yes
|
||||
# TLS options, currently supported only with OpenLDAP:
|
||||
tls_ca_cert_file = {{ ldap_ca }}
|
||||
#tls_ca_cert_file =
|
||||
#tls_ca_cert_dir =
|
||||
#tls_cipher_suite =
|
||||
# TLS cert/key is used only if LDAP server requires a client certificate.
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
server_host = {{ ldap_uri }}
|
||||
tls_ca_cert_file = {{ ldap_ca }}
|
||||
tls_require_cert = yes
|
||||
bind = yes
|
||||
bind_dn = {{ ldap_binddn }}
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
server_host = {{ ldap_uri }}
|
||||
tls_ca_cert_file = {{ ldap_ca }}
|
||||
tls_require_cert = yes
|
||||
bind = yes
|
||||
bind_dn = {{ ldap_binddn }}
|
||||
|
|
|
@ -67,7 +67,6 @@ access to *
|
|||
|
||||
TLSCertificateFile /etc/ldap/ssl/srv.crt
|
||||
TLSCertificateKeyFile /etc/ldap/ssl/srv.key
|
||||
TLSCACertificateFile {{ ldap_ca }}
|
||||
TLSCipherSuite NORMAL
|
||||
TLSVerifyClient never
|
||||
|
||||
|
|
Loading…
Reference in New Issue