From 741a13b4024f00626205a77277a149f5c1b208b1 Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO <ynerant@crans.org>
Date: Thu, 13 May 2021 01:28:50 +0200
Subject: [PATCH] [re2o-ldap-replica] Support LDAPS

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
---
 group_vars/re2o_ldap_replica.yml              |  2 ++
 roles/re2o-ldap-replica/handlers/main.yml     |  5 +++
 roles/re2o-ldap-replica/tasks/main.yml        | 36 +++++++++++++++----
 .../templates/ldap/certinfo.ldif.j2           |  6 ++++
 ....ldiff.j2 => consumer_simple_sync.ldif.j2} |  0
 .../ldap/{db.ldiff.j2 => db.ldif.j2}          |  0
 .../templates/ldap/ldap.key.j2                |  1 +
 .../templates/ldap/ldap.pem.j2                |  1 +
 .../ldap/{schema.ldiff.j2 => schema.ldif.j2}  |  0
 9 files changed, 45 insertions(+), 6 deletions(-)
 create mode 100644 roles/re2o-ldap-replica/handlers/main.yml
 create mode 100644 roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2
 rename roles/re2o-ldap-replica/templates/ldap/{consumer_simple_sync.ldiff.j2 => consumer_simple_sync.ldif.j2} (100%)
 rename roles/re2o-ldap-replica/templates/ldap/{db.ldiff.j2 => db.ldif.j2} (100%)
 create mode 100644 roles/re2o-ldap-replica/templates/ldap/ldap.key.j2
 create mode 100644 roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2
 rename roles/re2o-ldap-replica/templates/ldap/{schema.ldiff.j2 => schema.ldif.j2} (100%)

diff --git a/group_vars/re2o_ldap_replica.yml b/group_vars/re2o_ldap_replica.yml
index f2919b5e..474f735a 100644
--- a/group_vars/re2o_ldap_replica.yml
+++ b/group_vars/re2o_ldap_replica.yml
@@ -6,3 +6,5 @@ glob_re2o_ldap_replica:
   suffix: dc=crans,dc=org
   url: "ldaps://{{ query('ldap', 'ip', 're2o-ldap', 'adm') | ipv4 | first }}:636"
   root_password_hash: "{{ vault.ldap_master_password_hash }}"
+  certificate: "{{ vault.ldap_re2o_certificate }}"
+  private_key: "{{ vault.ldap_re2o_private_key }}"
diff --git a/roles/re2o-ldap-replica/handlers/main.yml b/roles/re2o-ldap-replica/handlers/main.yml
new file mode 100644
index 00000000..ce4f0cdd
--- /dev/null
+++ b/roles/re2o-ldap-replica/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart slapd
+  service:
+    name: slapd.service
+    state: restarted
diff --git a/roles/re2o-ldap-replica/tasks/main.yml b/roles/re2o-ldap-replica/tasks/main.yml
index e16c438f..bbd6033a 100644
--- a/roles/re2o-ldap-replica/tasks/main.yml
+++ b/roles/re2o-ldap-replica/tasks/main.yml
@@ -42,10 +42,10 @@
     - /etc/ldap/slapd.d
     - /var/lib/ldap
 
-- name: Copy ldiff files
+- name: Copy ldif files
   template:
-    src: 'ldap/{{ item }}.ldiff.j2'
-    dest: '/tmp/{{ item }}.ldiff'
+    src: 'ldap/{{ item }}.ldif.j2'
+    dest: '/tmp/{{ item }}.ldif'
     owner: openldap
     group: openldap
     mode: 0600
@@ -53,15 +53,16 @@
     - db
     - schema
     - consumer_simple_sync
+    - certinfo
 
 - name: Initialize re2o-ldap schema
   when: not installation.stat.exists
-  shell: slapadd -n 0 -l /tmp/schema.ldiff -F /etc/ldap/slapd.d/
+  shell: slapadd -n 0 -l /tmp/schema.ldif -F /etc/ldap/slapd.d/
   become_user: openldap
 
 - name: Initialize re2o-ldap database
   when: not installation.stat.exists
-  shell: slapadd -n 1 -l /tmp/db.ldiff
+  shell: slapadd -n 1 -l /tmp/db.ldif
   become_user: openldap
 
 - name: Start slapd
@@ -72,7 +73,30 @@
 
 - name: Enable data replication
   when: not installation.stat.exists
-  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/consumer_simple_sync.ldiff
+  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/consumer_simple_sync.ldif
+
+- name: Copy TLS certificate
+  template:
+    src: "ldap/{{ item }}.j2"
+    dest: "/etc/ldap/{{ item }}"
+    owner: openldap
+    group: openldap
+    mode: 0600
+  loop:
+    - ldap.pem
+    - ldap.key
+
+- name: Load TLS certificates
+  when: not installation.stat.exists
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
+
+- name: Enable LDAPS
+  lineinfile:
+     path: /etc/default/slapd
+     regexp: '^SLAPD_SERVICES='
+     line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
+  notify: Restart slapd
+  check_mode: no
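Review bot: The `Enable LDAPS` task is unconditional while `Load TLS certificates` is guarded by `when: not installation.stat.exists`, so a replica provisioned before this patch gets `ldaps:///` added to SLAPD_SERVICES and a restart with no `olcTLSCertificateFile` in cn=config, and slapd will most likely refuse to bring up that listener. Dropping the guard from the ldapmodify task (paired with an idempotent `replace:` in certinfo.ldif) closes that gap. `Copy TLS certificate` also needs `notify: Restart slapd`, since a renewed certificate or key pushed from the vault is otherwise not picked up until something else restarts the service. Separately, `check_mode: no` makes the `lineinfile` task edit `/etc/default/slapd` even during `--check` and should be dropped, the indentation under it is three spaces instead of two, and `mode: 0600` should be written `mode: "0600"` so the octal is never retyped by YAML.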
 
 - name: Touch installation marker
   when: not installation.stat.exists
diff --git a/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2 b/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2
new file mode 100644
index 00000000..9e1d6b51
--- /dev/null
+++ b/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2
@@ -0,0 +1,6 @@
+dn: cn=config
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/ldap.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/ldap.key
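Review bot: Both `add:` operations fail with attributeOrValueExists once the attributes are present, which ties this LDIF to the first-install guard and makes any later path change impossible through it. `replace: olcTLSCertificateFile` and `replace: olcTLSCertificateKeyFile` have the same effect on a fresh cn=config and are idempotent on re-runs. No `olcTLSCACertificateFile` is set; unless `ldap.pem` is a self-signed leaf that clients pin directly, the issuing chain must be in that file or configured here for clients to validate the replica, so a comment at the top stating which is expected (e.g. `# ldap.pem must contain the leaf followed by its chain`) would save the next maintainer a guess.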
diff --git a/roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldiff.j2 b/roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2
similarity index 100%
rename from roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldiff.j2
rename to roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2
diff --git a/roles/re2o-ldap-replica/templates/ldap/db.ldiff.j2 b/roles/re2o-ldap-replica/templates/ldap/db.ldif.j2
similarity index 100%
rename from roles/re2o-ldap-replica/templates/ldap/db.ldiff.j2
rename to roles/re2o-ldap-replica/templates/ldap/db.ldif.j2
diff --git a/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2 b/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2
new file mode 100644
index 00000000..1dc6da0c
--- /dev/null
+++ b/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2
@@ -0,0 +1 @@
+{{ re2o_ldap_replica.private_key }}
diff --git a/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2 b/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2
new file mode 100644
index 00000000..71d67e1a
--- /dev/null
+++ b/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2
@@ -0,0 +1 @@
+{{ re2o_ldap_replica.certificate }}
diff --git a/roles/re2o-ldap-replica/templates/ldap/schema.ldiff.j2 b/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
similarity index 100%
rename from roles/re2o-ldap-replica/templates/ldap/schema.ldiff.j2
rename to roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
-- 
GitLab