Fix ldap-server (confirmed working on debian).

2016-03-24 11:43:40 +01:00 · 2016-03-24 11:43:40 +01:00 · 5d3282d567
commit 5d3282d567
parent 283a1154a9
6 changed files with 25 additions and 9 deletions
--- a/group_vars/all
+++ b/group_vars/all
@ -1,6 +1,6 @@
 ---

-ldap_ca: /etc/BKCA.crt
+ldap_ca: /etc/ldap/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
 ldap_host: ldap.binary.kitchen
 ldap_base: dc=binary-kitchen,dc=de
--- a/roles/common/tasks/Debian.yml
+++ b/roles/common/tasks/Debian.yml
@ -18,6 +18,7 @@
  with_items:
  - dnsutils
  - htop
+  - openssl
  - pydf
  - sudo
  - vim-nox
@ -34,5 +35,8 @@
 - name: Set shell for root user
  user: name=root shell=/bin/zsh

+- name: Create LDAP certificate directory
+  file: path=/etc/ldap/ssl state=directory
+
 - name: Copy LDAP certificate
-  copy: src=BKCA.crt dest=/etc/BKCA.crt
+  copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
--- a/roles/common/tasks/FreeBSD.yml
+++ b/roles/common/tasks/FreeBSD.yml
@ -26,5 +26,8 @@
  - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
  - { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.2/functions/Prompts/prompt_gentoo_setup' }

+- name: Create LDAP certificate directory
+  file: path=/etc/ldap/ssl state=directory
+
 - name: Copy LDAP certificate
-  copy: src=BKCA.crt dest=/etc/BKCA.crt
+  copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
--- a/roles/ldap-server/files/schema/kitchen.schema
+++ b/roles/ldap-server/files/schema/kitchen.schema
@ -6,12 +6,17 @@
 # attribute type definitions

 attributetype ( 23.42.1.1 NAME 'mailAlternateAddress'
-	DESC 'Secondary (alias) Aail Address'
-	SUP mail )
+	SUBSTR caseIgnoreSubstringsMatch
+	DESC 'Secondary (alias) mailaddresses for the same user'
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

 attributetype ( 23.42.1.2 NAME 'rewMailAddress'
+	SUBSTR caseIgnoreSubstringsMatch
 	DESC 'Rewritten Mail Address'
-	SUP mail )
+	EQUALITY caseIgnoreIA5Match
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+	SINGLE-VALUE )

 # object class definitions

@ -19,5 +24,4 @@ objectclass ( 23.42.2.1 NAME 'kitchenUser'
 	DESC 'Binary Kitchen User'
 	SUP top AUXILIARY
 	MUST ( mail $ uid )
-	MAY ( mailAlternateAddress $ rewMailAddress )
-)
+	MAY ( mailAlternateAddress $ rewMailAddress ) )
--- a/roles/ldap-server/tasks/main.yml
+++ b/roles/ldap-server/tasks/main.yml
@ -26,6 +26,11 @@
  notify: Restart slapd
  tags: ldap

+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ldap/ssl/ldapm.key -out /etc/ldap/ssl/ldapm.crt -days 730 -subj "/CN=ldapm.binary.kitchen" creates=/etc/ldap/ssl/ldapm.crt
+  notify: Restart slapd
+  tags: nginx
+
 - name: Start slapd
  service: name=slapd state=started enabled=yes
  tags: ldap
--- a/roles/ldap-server/templates/slapd.conf.j2
+++ b/roles/ldap-server/templates/slapd.conf.j2
@ -62,7 +62,7 @@ access to *
 TLSCertificateFile	/etc/ldap/ssl/ldapm.crt
 TLSCertificateKeyFile	/etc/ldap/ssl/ldapm.key
 TLSCACertificateFile	{{ ldap_ca }}
-TLSCipherSuite		TLSv1+RSA:!NULL
+TLSCipherSuite		NORMAL
 TLSVerifyClient		never