library/roles/ldap-client-config: Install a better configuration for the ldap clients.

library/roles/ubuntu-deb-general: Install the additional CA certs correctly.
This commit is contained in:
Andrea Dell'Amico 2015-08-06 13:56:20 +02:00
parent 5b3a972453
commit 954ee7c25a
7 changed files with 43 additions and 28 deletions


@ -1,4 +1,4 @@
--- ---
nemis_ldap_uri: "ldap://ldap.sub.research-infrastructures.eu" ldap_uri: "ldap://ldap.sub.research-infrastructures.eu"
nemis_ldap_base_dn: "dc=research-infrastructures,dc=eu" ldap_base_dn: "dc=research-infrastructures,dc=eu"
ldap_tls_cacert: /etc/ssl/certs/ca-certificates.crt
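Review bot: `ldap_tls_cacert` is introduced on the last line, but `ldap_uri` two lines up still uses a plain `ldap://` scheme, so the CA bundle is only consulted if some consumer separately negotiates STARTTLS; nothing in this vars file requires an encrypted session, and a pam/nss client binding over cleartext would send user credentials in the clear. If the server supports it, prefer `ldap_uri: "ldaps://ldap.sub.research-infrastructures.eu"`, or add a comment next to `ldap_uri` stating that STARTTLS must be requested by the consuming client configuration. A short comment above `ldap_tls_cacert` such as `# CA bundle used to verify the LDAP server certificate (STARTTLS/ldaps only)` would also make the dependency explicit.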


@ -4,36 +4,30 @@
with_items: with_items:
- ldapscripts - ldapscripts
- libpam-ldap - libpam-ldap
tags: tags: ldap-client
- ldap-client
- name: Write the ldap client configuration file - name: Write the ldap client configuration file
template: src=ldap.conf.j2 dest=/etc/ldap.conf mode=444 owner=root group=root template: src=ldap.conf-old.j2 dest=/etc/ldap.conf mode=444 owner=root group=root
when: is_ubuntu_less_than_trusty when: is_ubuntu_less_than_trusty
tags: tags: ldap-client
- ldap-client
- name: Write the ldap client configuration file - name: Write the ldap client configuration file
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=444 owner=root group=root template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=444 owner=root group=root
when: is_trusty when: is_trusty
tags: tags: ldap-client
- ldap-client
- name: set the ldapscripts.conf uri - name: set the ldapscripts.conf uri
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ nemis_ldap_uri }}' syntax=shell action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ ldap_uri }}' syntax=shell
when: is_trusty when: is_trusty
tags: tags: ldap-client
- ldap-client
- name: set the ldapscripts.conf bind dn - name: set the ldapscripts.conf bind dn
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ nemis_ldap_base_dn }}' syntax=shell action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ ldap_base_dn }}' syntax=shell
when: is_trusty when: is_trusty
tags: tags: ldap-client
- ldap-client
- name: set the ldapscripts.conf dn suffix - name: set the ldapscripts.conf dn suffix
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ nemis_ldap_base_dn }}' syntax=shell action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ ldap_base_dn }}' syntax=shell
when: is_trusty when: is_trusty
tags: tags: ldap-client
- ldap-client
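Review bot: The two "Write the ldap client configuration file" tasks are gated on `is_ubuntu_less_than_trusty` and `is_trusty` respectively, so a host matching neither (presumably a release newer than trusty, if those facts mean what their names suggest) ends up with no ldap.conf written and the three ldapscripts tasks skipped as well; gating the second task on `when: not is_ubuntu_less_than_trusty` would cover newer releases too. Separately, the `key=value` argument strings with `mode=444` are fragile; Ansible convention is block-style module args with the mode quoted as an octal string, e.g. `mode: "0444"`. The task list continues above the hunk (the package-install task's name is outside this view).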


@ -0,0 +1,11 @@
# The distinguished name of the search base.
BASE {{ ldap_base_dn }}
# Another way to specify your LDAP server is to provide an
URI {{ ldap_uri }}
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
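Review bot: This new template (presumably `ldap.conf-old.j2`, which the task file in this commit now renders to `/etc/ldap.conf` on pre-trusty hosts) carries no TLS directives at all, while its trusty counterpart gains `TLS_CACERT` in the same commit; with a plain `ldap://` URI, a pam/nss client reading this file would bind in cleartext. If the consumer is libnss-ldap/libpam-ldap, the equivalent settings are `ssl start_tls`, `tls_cacertfile {{ ldap_tls_cacert }}` and `tls_checkpeer yes`; confirm the directive names against the library actually installed before adding them. A one-line header comment naming which component reads this file would also help, since the two templates use different syntaxes for the same purpose.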


@ -1,11 +1,14 @@
# The distinguished name of the search base. # The distinguished name of the search base.
BASE {{ nemis_ldap_base_dn }} BASE {{ ldap_base_dn }}
# Another way to specify your LDAP server is to provide an # Another way to specify your LDAP server is to provide an
URI {{ nemis_ldap_uri }} URI {{ ldap_uri }}
# The LDAP version to use (defaults to 3 # The LDAP version to use (defaults to 3
# if supported by client library) # if supported by client library)
ldap_version 3 ldap_version 3
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
# TLS certificates (needed for GnuTLS)
TLS_CACERT {{ ldap_tls_cacert }}
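Review bot: `TLS_CACERT` on the last line only takes effect when a session actually negotiates TLS, and the `URI` directive above is plain `ldap://`; libldap's ldap.conf cannot force STARTTLS, so either the URI should become `ldaps://` or the consuming clients (nslcd, pam_ldap, ldapscripts) must be configured to request STARTTLS, and the comment should say which. The libldap default for peer verification is `demand`, but spelling it out with `TLS_REQCERT demand` directly under `TLS_CACERT` documents the intent and guards against a laxer value being introduced elsewhere. The existing comment `# TLS certificates (needed for GnuTLS)` is also slightly misleading: the CA bundle is needed for certificate verification with either TLS backend, not only GnuTLS.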


@ -88,10 +88,12 @@ configure_munin: False
# Manage the root ssh keys # Manage the root ssh keys
manage_root_ssh_keys: False manage_root_ssh_keys: False
install_external_ca_files: True install_additional_ca_certs: False
external_ca_dest_dir: /etc/ssl/certs additional_ca_dest_dir: /usr/local/share/ca-certificates
external_ca_list: # IMPORTANT: the destination file extension must be .crt
- { url: "https://security.fi.infn.it/CA/mgt/INFNCA.pem", dest_file: '{{ external_ca_dest_dir }}/infn-ca.pem' } #x509_additional_ca_certs:
# - { url: "https://security.fi.infn.it/CA/mgt/INFNCA.pem", dest_file: '{{ additional_ca_dest_dir }}/infn-ca.crt' }
# #
# debian/ubuntu distributions controllers # debian/ubuntu distributions controllers
# #
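Review bot: `x509_additional_ca_certs` now exists only as a commented-out example, so it is undefined unless the inventory sets it; the consuming task in this commit iterates it with `with_items`, and in Ansible releases of this period the loop is expanded before `when` is evaluated, so the play errors on the undefined variable even with `install_additional_ca_certs: False`. Define an empty default `x509_additional_ca_certs: []` and keep the INFN entry as a commented example beneath it. Since these entries install system trust anchors, each item should also carry a pinned digest (e.g. a `sha256sum` field) that the download task can verify, and `False` is better written as `false` for consistency with YAML tooling.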


@ -18,3 +18,7 @@
- name: Restart rsyslog - name: Restart rsyslog
service: name=rsyslog state=restarted service: name=rsyslog state=restarted
- name: Update the CA bundle list
shell: update-ca-certificates
tags: ca
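Review bot: The new handler runs `shell: update-ca-certificates` for a bare command with no pipes, redirections or variables; `command: update-ca-certificates` is the idiomatic choice and avoids an unnecessary shell interpretation layer. The handler name "Update the CA bundle list" is what the task's `notify` must match exactly, so a short comment noting that would save the next person a silent no-op.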


@ -1,7 +1,8 @@
--- ---
- name: Install the INFN CA certificate - name: Install the additional CA certificates
get_url: url={{ item.url }} dest={{ item.dest_file }} get_url: url={{ item.url }} dest={{ item.dest_file }}
with_items: external_ca_list with_items: x509_additional_ca_certs
when: install_external_ca_files when: install_additional_ca_certs
notify: Update the CA bundle list
tags: ca tags: ca
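Review bot: The `get_url` on the second line downloads files that become system trust anchors with no integrity check, so a substituted or tampered download ends up trusted by every TLS client on the host; pin a digest per item, e.g. `get_url: url={{ item.url }} dest={{ item.dest_file }} sha256sum={{ item.sha256sum }}` (newer Ansible spells this `checksum=sha256:...`), or ship the PEM in the role's `files/` directory and use `copy` instead of fetching it at run time. HTTPS transport only helps as far as the hosting site's CA is already trusted, which is circular when the point of the task is to bootstrap a CA. The vars file notes that the destination must end in `.crt` for `update-ca-certificates` to pick it up; a comment on the task, `# dest_file must end in .crt or update-ca-certificates ignores it`, would keep that constraint next to the code that depends on it.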