diff --git a/group_vars/all b/group_vars/all
index f02a1e7..3d64938 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -1,6 +1,6 @@
 ---
-ldap_ca: /etc/BKCA.crt
+ldap_ca: /etc/ldap/ssl/BKCA.crt
 ldap_uri: ldaps://ldap.binary.kitchen/
 ldap_host: ldap.binary.kitchen
 ldap_base: dc=binary-kitchen,dc=de
diff --git a/roles/common/tasks/Debian.yml b/roles/common/tasks/Debian.yml
index c160fe9..8d2ba3c 100644
--- a/roles/common/tasks/Debian.yml
+++ b/roles/common/tasks/Debian.yml
@@ -18,6 +18,7 @@
 with_items:
 - dnsutils
 - htop
+ - openssl
 - pydf
 - sudo
 - vim-nox
@@ -34,5 +35,8 @@
 - name: Set shell for root user
 user: name=root shell=/bin/zsh
+- name: Create LDAP certificate directory
+ file: path=/etc/ldap/ssl state=directory
+
 - name: Copy LDAP certificate
- copy: src=BKCA.crt dest=/etc/BKCA.crt
+ copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
diff --git a/roles/common/tasks/FreeBSD.yml b/roles/common/tasks/FreeBSD.yml
index 00e61f6..f21d60a 100644
--- a/roles/common/tasks/FreeBSD.yml
+++ b/roles/common/tasks/FreeBSD.yml
@@ -26,5 +26,8 @@
 - { src: '.zshrc.local', dest: '/root/.zshrc.local' }
 - { src: 'prompt_gentoo_setup', dest: '/usr/local/share/zsh/5.2/functions/Prompts/prompt_gentoo_setup' }
+- name: Create LDAP certificate directory
+ file: path=/etc/ldap/ssl state=directory
+
 - name: Copy LDAP certificate
- copy: src=BKCA.crt dest=/etc/BKCA.crt
+ copy: src=BKCA.crt dest=/etc/ldap/ssl/BKCA.crt mode=0444
diff --git a/roles/ldap-server/files/schema/kitchen.schema b/roles/ldap-server/files/schema/kitchen.schema
index f70dae1..02bd189 100644
--- a/roles/ldap-server/files/schema/kitchen.schema
+++ b/roles/ldap-server/files/schema/kitchen.schema
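Review bot: The new `file: path=/etc/ldap/ssl state=directory` task sets no `owner`, `group` or `mode`, so the directory gets whatever root's umask yields; since the ldap-server role in this same change writes the slapd private key `ldapm.key` into that directory, pin it explicitly, e.g. `file: path=/etc/ldap/ssl state=directory owner=root group=root mode=0755` (the directory holds public material, it is the key file itself that must be restricted). Moving the CA to the new path also leaves the old `/etc/BKCA.crt` behind on hosts that ran the previous version of the play; add `file: path=/etc/BKCA.crt state=absent` after the copy, or say in the task name that the stale copy is intentionally kept. `mode=0444` on the copied CA certificate is appropriate, since it is public.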
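Review bot: As on the Debian side, `file: path=/etc/ldap/ssl state=directory` creates the directory with umask-derived permissions and no explicit owner; set `owner=root group=wheel mode=0755` here so both platforms get the same predictable layout. The previous `/etc/BKCA.crt` is not removed either, so an additional `file: path=/etc/BKCA.crt state=absent` keeps hosts updated in place from diverging from freshly provisioned ones. `/etc/ldap` is not a stock FreeBSD location; a short comment above the task explaining that the Debian path is used on every platform so that `ldap_ca` in group_vars can be a single value would help the next reader.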
@@ -6,12 +6,17 @@
 # attribute type definitions
 attributetype ( 23.42.1.1 NAME 'mailAlternateAddress'
- DESC 'Secondary (alias) Aail Address'
- SUP mail )
+ SUBSTR caseIgnoreSubstringsMatch
+ DESC 'Secondary (alias) mailaddresses for the same user'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
 attributetype ( 23.42.1.2 NAME 'rewMailAddress'
+ SUBSTR caseIgnoreSubstringsMatch
 DESC 'Rewritten Mail Address'
- SUP mail )
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ SINGLE-VALUE )
 # object class definitions
@@ -19,5 +24,4 @@ objectclass ( 23.42.2.1 NAME 'kitchenUser'
 DESC 'Binary Kitchen User'
 SUP top AUXILIARY
 MUST ( mail $ uid )
- MAY ( mailAlternateAddress $ rewMailAddress )
-)
+ MAY ( mailAlternateAddress $ rewMailAddress ) )
diff --git a/roles/ldap-server/tasks/main.yml b/roles/ldap-server/tasks/main.yml
index f3b468b..0571726 100644
--- a/roles/ldap-server/tasks/main.yml
+++ b/roles/ldap-server/tasks/main.yml
@@ -26,6 +26,11 @@
 notify: Restart slapd
 tags: ldap
+- name: Ensure certificates are available
+ command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/ldap/ssl/ldapm.key -out /etc/ldap/ssl/ldapm.crt -days 730 -subj "/CN=ldapm.binary.kitchen" creates=/etc/ldap/ssl/ldapm.crt
+ notify: Restart slapd
+ tags: nginx
+
 - name: Start slapd
 service: name=slapd state=started enabled=yes
 tags: ldap
diff --git a/roles/ldap-server/templates/slapd.conf.j2 b/roles/ldap-server/templates/slapd.conf.j2
index cdeca8d..cc58bac 100644
--- a/roles/ldap-server/templates/slapd.conf.j2
+++ b/roles/ldap-server/templates/slapd.conf.j2
@@ -62,7 +62,7 @@ access to *
 TLSCertificateFile /etc/ldap/ssl/ldapm.crt
 TLSCertificateKeyFile /etc/ldap/ssl/ldapm.key
 TLSCACertificateFile {{ ldap_ca }}
-TLSCipherSuite TLSv1+RSA:!NULL
+TLSCipherSuite NORMAL
 TLSVerifyClient never
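Review bot: Both new attribute types pair `SYNTAX 1.3.6.1.4.1.1466.115.121.1.26` (IA5String) with `SUBSTR caseIgnoreSubstringsMatch`, which is the DirectoryString substring rule; the IA5 counterpart, and the one the stock `mail` attribute uses, is `caseIgnoreIA5SubstringsMatch`. OpenLDAP checks matching-rule/syntax compatibility when loading a schema, so I would expect slapd to refuse this file with a "matching rule not compatible with attribute syntax" error — change both lines to `SUBSTR caseIgnoreIA5SubstringsMatch` and confirm with `slaptest -f slapd.conf` before deploying. Dropping `SUP mail` also drops the `{256}` length limit that the cosine definition of `mail` carries; if that was not intended, `SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256}` restores it, otherwise a word in the DESC that values are unbounded would help.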
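Review bot: The new task is tagged `tags: nginx` while every neighbouring task in this role uses `tags: ldap`, so a run with `--tags ldap` would template slapd.conf (which references `ldapm.crt`/`ldapm.key`) but never generate them and slapd would fail to start; change it to `tags: ldap`. The key permissions are also left to OpenSSL: older releases write `-keyout` files per the umask (often 0644), and where slapd drops privileges (the `openldap` user on Debian) a root-only 0600 key is not readable either — follow the command with `file: path=/etc/ldap/ssl/ldapm.key owner=root group=openldap mode=0640`, adjusting the group to whatever slapd runs as on these hosts. Finally the certificate is self-signed with `CN=ldapm.binary.kitchen`, while group_vars point clients at `ldap_host: ldap.binary.kitchen` and have them verify against `ldap_ca`; unless this is only a bootstrap placeholder superseded by a BKCA-issued cert dropped in before the `creates=` check, clients will not trust it, so name the task accordingly, e.g. `Generate placeholder self-signed certificate (replace with BKCA-issued cert)`.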
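Review bot: `TLSCipherSuite NORMAL` is a GnuTLS priority string and, on the GnuTLS 3.x releases it would typically meet, still admits TLS 1.0/1.1 and static-RSA key exchange without forward secrecy; as the only clients are your own hosts, tighten it to something like `TLSCipherSuite NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA` (verify the exact string with `gnutls-cli --priority` on the target release). The value it replaces, `TLSv1+RSA:!NULL`, is OpenSSL cipher-list syntax, so this hunk implicitly commits to a GnuTLS-linked slapd; a template comment such as `# GnuTLS priority string (Debian slapd is built against GnuTLS); OpenSSL builds need cipher-list syntax` would stop the next edit from flipping it back. `TLSVerifyClient never` is reasonable for password binds, but a one-line comment stating that client certificates are intentionally not requested would make that explicit; the surrounding TLS directives are not changed here.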