[re2o-ldap-replica] Support LDAPS

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

group_vars/re2o_ldap_replica.yml

@@ -6,3 +6,5 @@ glob_re2o_ldap_replica:
   suffix: dc=crans,dc=org
   url: "ldaps://{{ query('ldap', 'ip', 're2o-ldap', 'adm') | ipv4 | first }}:636"
   root_password_hash: "{{ vault.ldap_master_password_hash }}"
+  certificate: "{{ vault.ldap_re2o_certificate }}"
+  private_key: "{{ vault.ldap_re2o_private_key }}"

roles/re2o-ldap-replica/handlers/main.yml

+---
+- name: Restart slapd
+  service:
+    name: slapd.service
+    state: restarted

roles/re2o-ldap-replica/tasks/main.yml

@@ -42,10 +42,10 @@
     - /etc/ldap/slapd.d
     - /var/lib/ldap
 
-- name: Copy ldiff files
+- name: Copy ldif files
   template:
-    src: 'ldap/{{ item }}.ldiff.j2'
-    dest: '/tmp/{{ item }}.ldiff'
+    src: 'ldap/{{ item }}.ldif.j2'
+    dest: '/tmp/{{ item }}.ldif'
     owner: openldap
     group: openldap
     mode: 0600
@@ -53,15 +53,16 @@
     - db
     - schema
     - consumer_simple_sync
+    - certinfo
 
 - name: Initialize re2o-ldap schema
   when: not installation.stat.exists
-  shell: slapadd -n 0 -l /tmp/schema.ldiff -F /etc/ldap/slapd.d/
+  shell: slapadd -n 0 -l /tmp/schema.ldif -F /etc/ldap/slapd.d/
   become_user: openldap
 
 - name: Initialize re2o-ldap database
   when: not installation.stat.exists
-  shell: slapadd -n 1 -l /tmp/db.ldiff
+  shell: slapadd -n 1 -l /tmp/db.ldif
   become_user: openldap
 
 - name: Start slapd
@@ -72,7 +73,30 @@
 
 - name: Enable data replication
   when: not installation.stat.exists
-  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/consumer_simple_sync.ldiff
+  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/consumer_simple_sync.ldif
+
+- name: Copy TLS certificate
+  template:
+    src: "ldap/{{ item }}.j2"
+    dest: "/etc/ldap/{{ item }}"
+    owner: openldap
+    group: openldap
+    mode: 0600
+  loop:
+    - ldap.pem
+    - ldap.key
+
+- name: Load TLS certificates
+  when: not installation.stat.exists
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
+
+- name: Enable LDAPS
+  lineinfile:
+     path: /etc/default/slapd
+     regexp: '^SLAPD_SERVICES='
+     line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
+  notify: Restart slapd
+  check_mode: no
 
 - name: Touch installation marker
   when: not installation.stat.exists

roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2

+dn: cn=config
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/ldap.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/ldap.key

roles/re2o-ldap-replica/templates/ldap/ldap.key.j2

+{{ re2o_ldap_replica.private_key }}

roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2

+{{ re2o_ldap_replica.certificate }}