diff --git a/ldap-client-config/defaults/main.yml b/ldap-client-config/defaults/main.yml
index 048eaa20..8ed59077 100644
--- a/ldap-client-config/defaults/main.yml
+++ b/ldap-client-config/defaults/main.yml
@@ -1,4 +1,4 @@
 ---
-nemis_ldap_uri: "ldap://ldap.sub.research-infrastructures.eu"
-nemis_ldap_base_dn: "dc=research-infrastructures,dc=eu"
-
+ldap_uri: "ldap://ldap.sub.research-infrastructures.eu"
+ldap_base_dn: "dc=research-infrastructures,dc=eu"
+ldap_tls_cacert: /etc/ssl/certs/ca-certificates.crt
diff --git a/ldap-client-config/tasks/main.yml b/ldap-client-config/tasks/main.yml
index 7f5d78bf..c4b4e76e 100644
--- a/ldap-client-config/tasks/main.yml
+++ b/ldap-client-config/tasks/main.yml
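Review bot: Renaming `nemis_ldap_uri`/`nemis_ldap_base_dn` to `ldap_uri`/`ldap_base_dn` while giving the new names working defaults means any inventory or group_vars that still sets the old `nemis_` names is silently ignored, and those hosts are rendered against the role's own `ldap://ldap.sub.research-infrastructures.eu` and base DN instead of failing fast. It is worth grepping the inventory for the old names before merging, or adding a transitional guard at the top of tasks/main.yml such as `- fail: msg="nemis_ldap_uri was renamed to ldap_uri"` with `when: nemis_ldap_uri is defined`. The new `ldap_tls_cacert` default points at the system bundle that `update-ca-certificates` regenerates, which is consistent with the ubuntu-deb-general changes elsewhere in this commit.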
@@ -4,36 +4,30 @@
   with_items:
     - ldapscripts
     - libpam-ldap
-  tags:
-    - ldap-client
+  tags: ldap-client
 - name: Write the ldap client configuration file
-  template: src=ldap.conf.j2 dest=/etc/ldap.conf mode=444 owner=root group=root
+  template: src=ldap.conf-old.j2 dest=/etc/ldap.conf mode=444 owner=root group=root
   when: is_ubuntu_less_than_trusty
-  tags:
-    - ldap-client
+  tags: ldap-client
 - name: Write the ldap client configuration file
   template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=444 owner=root group=root
   when: is_trusty
-  tags:
-    - ldap-client
+  tags: ldap-client
 - name: set the ldapscripts.conf uri
-  action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ nemis_ldap_uri }}' syntax=shell
+  action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ ldap_uri }}' syntax=shell
   when: is_trusty
-  tags:
-    - ldap-client
+  tags: ldap-client
 - name: set the ldapscripts.conf bind dn
-  action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ nemis_ldap_base_dn }}' syntax=shell
+  action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ ldap_base_dn }}' syntax=shell
   when: is_trusty
-  tags:
-    - ldap-client
+  tags: ldap-client
 - name: set the ldapscripts.conf dn suffix
-  action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ nemis_ldap_base_dn }}' syntax=shell
+  action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ ldap_base_dn }}' syntax=shell
   when: is_trusty
-  tags:
-    - ldap-client
+  tags: ldap-client
diff --git a/ldap-client-config/templates/ldap.conf-old.j2 b/ldap-client-config/templates/ldap.conf-old.j2
new file mode 100644
index 00000000..38754476
--- /dev/null
+++ b/ldap-client-config/templates/ldap.conf-old.j2
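Review bot: The `template:` tasks still pass their arguments as a `key=value` string, where `mode=444` only means 0444 because the module receives it as a string and interprets it as octal; the same task written in block form would have to say `mode: "0444"` to keep that meaning, and block form is the direction the rest of this hunk takes with `tags: ldap-client`. Converting the two template tasks to block arguments (src, dest, mode, owner, group on their own lines, with the mode quoted) would make the permission explicit and is an easy follow-up. Note also that the pre-trusty path now gets `ldap.conf-old.j2`, which carries no `TLS_CACERT` line; if that is deliberate because /etc/ldap.conf is a different config format, a one-line comment on that task would save the next reader a trip to the templates. The first task in the hunk (the package install with `with_items`) starts outside the hunk.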
@@ -0,0 +1,11 @@
+# The distinguished name of the search base.
+BASE {{ ldap_base_dn }}
+
+# Another way to specify your LDAP server is to provide an
+URI {{ ldap_uri }}
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+ldap_version 3
+
+nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
diff --git a/ldap-client-config/templates/ldap.conf.j2 b/ldap-client-config/templates/ldap.conf.j2
index 7a81eae4..ae1526d6 100644
--- a/ldap-client-config/templates/ldap.conf.j2
+++ b/ldap-client-config/templates/ldap.conf.j2
@@ -1,11 +1,14 @@
 # The distinguished name of the search base.
-BASE {{ nemis_ldap_base_dn }}
+BASE {{ ldap_base_dn }}
 
 # Another way to specify your LDAP server is to provide an
-URI {{ nemis_ldap_uri }}
+URI {{ ldap_uri }}
 
 # The LDAP version to use (defaults to 3
 # if supported by client library)
 ldap_version 3
 
 nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
+
+# TLS certificates (needed for GnuTLS)
+TLS_CACERT {{ ldap_tls_cacert }}
diff --git a/ubuntu-deb-general/defaults/main.yml b/ubuntu-deb-general/defaults/main.yml
index 5ebb13bc..140e53c0 100644
--- a/ubuntu-deb-general/defaults/main.yml
+++ b/ubuntu-deb-general/defaults/main.yml
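Review bot: `TLS_CACERT {{ ldap_tls_cacert }}` is added to ldap.conf.j2 while the role's default `ldap_uri` remains `ldap://…` and nothing in this template or in tasks/main.yml asks the client to use STARTTLS, so the CA bundle is only consulted if a consumer negotiates TLS on its own. If encrypted binds are the intent, the default URI should be `ldaps://…` (or the STARTTLS requirement documented next to it), and adding `TLS_REQCERT demand` beside the new line makes verification against this bundle an explicit policy rather than a library default. The bundle path also assumes the `ca-certificates` package is present; the package list in tasks/main.yml begins outside that hunk, so I cannot tell from the diff whether this role installs it.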
@@ -88,10 +88,12 @@ configure_munin: False
 # Manage the root ssh keys
 manage_root_ssh_keys: False
-install_external_ca_files: True
-external_ca_dest_dir: /etc/ssl/certs
-external_ca_list:
-  - { url: "https://security.fi.infn.it/CA/mgt/INFNCA.pem", dest_file: '{{ external_ca_dest_dir }}/infn-ca.pem' }
+install_additional_ca_certs: False
+additional_ca_dest_dir: /usr/local/share/ca-certificates
+# IMPORTANT: the destination file extension must be .crt
+#x509_additional_ca_certs:
+# - { url: "https://security.fi.infn.it/CA/mgt/INFNCA.pem", dest_file: '{{ additional_ca_dest_dir }}/infn-ca.crt' }
+
 #
 # debian/ubuntu distributions controllers
 #
diff --git a/ubuntu-deb-general/handlers/main.yml b/ubuntu-deb-general/handlers/main.yml
index cbb26546..fb906757 100644
--- a/ubuntu-deb-general/handlers/main.yml
+++ b/ubuntu-deb-general/handlers/main.yml
@@ -18,3 +18,7 @@
 - name: Restart rsyslog
   service: name=rsyslog state=restarted
+- name: Update the CA bundle list
+  shell: update-ca-certificates
+  tags: ca
+
diff --git a/ubuntu-deb-general/tasks/install_external_ca_cert.yml b/ubuntu-deb-general/tasks/install_external_ca_cert.yml
index c90d7752..0be2a9e4 100644
--- a/ubuntu-deb-general/tasks/install_external_ca_cert.yml
+++ b/ubuntu-deb-general/tasks/install_external_ca_cert.yml
@@ -1,7 +1,8 @@
 ---
-- name: Install the INFN CA certificate
+- name: Install the additional CA certificates
   get_url: url={{ item.url }} dest={{ item.dest_file }}
-  with_items: external_ca_list
-  when: install_external_ca_files
+  with_items: x509_additional_ca_certs
+  when: install_additional_ca_certs
+  notify: Update the CA bundle list
   tags: ca
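Review bot: `x509_additional_ca_certs` now exists only inside a comment, while the task in install_external_ca_cert.yml (last hunk of this commit) loops over it with `with_items: x509_additional_ca_certs`; as far as I know Ansible expands the loop before evaluating `when`, so the role would fail with an undefined variable on any host without an inventory override, even with `install_additional_ca_certs: False`. Giving the variable a real empty default, `x509_additional_ca_certs: []`, and keeping the INFN entry as the commented example avoids that. The `.crt` extension comment is useful and should stay, since `update-ca-certificates` only picks up files with that suffix.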
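Review bot: `shell: update-ca-certificates` runs a single command with no shell syntax, so `command: update-ca-certificates` does the same job without spawning a shell for it. The handler name matches the `notify:` added in install_external_ca_cert.yml, so the wiring itself looks right.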
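Review bot: `get_url: url={{ item.url }} dest={{ item.dest_file }}` fetches a file that the notified handler then adds to the system trust store, but nothing checks what was downloaded beyond the TLS connection to the download host. For trust-anchor material it is worth pinning the expected digest per entry, for example a `sha256` field on each item of `x509_additional_ca_certs` passed through get_url's checksum argument (`checksum=sha256:{{ item.sha256 }}` on Ansible 2.x, `sha256sum=` on older releases), so a substituted file fails the task instead of becoming trusted system-wide. The task's `---` and `tags: ca` lines show the file is complete, so the whole task is visible here.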