library/roles/ldap-client-config: Install a better configuration for the ldap clients.
library/roles/ubuntu-deb-general: Install the additional CA certs correctly.
parent
5b3a972453
commit
954ee7c25a
|
@ -1,4 +1,4 @@
|
|||
---
|
||||
nemis_ldap_uri: "ldap://ldap.sub.research-infrastructures.eu"
|
||||
nemis_ldap_base_dn: "dc=research-infrastructures,dc=eu"
|
||||
|
||||
ldap_uri: "ldap://ldap.sub.research-infrastructures.eu"
|
||||
ldap_base_dn: "dc=research-infrastructures,dc=eu"
|
||||
ldap_tls_cacert: /etc/ssl/certs/ca-certificates.crt
|
||||
|
|
|
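Review bot: The new `ldap_uri:` default keeps the plain `ldap://` scheme while `ldap_tls_cacert` is introduced right beside it, and the template in the `@ -1,11 +1,14 @@` hunk renders that value as `URI {{ ldap_uri }}` next to a `TLS_CACERT` line but with no `TLS_REQCERT` or STARTTLS directive. As far as this diff shows, the CA file is therefore only consulted if a consumer negotiates TLS on its own; binds to the default URI would travel in cleartext unless a per-site value overrides it. If `ldap://` is a deliberate placeholder, a comment above the default would make that explicit, e.g. `# override per site; use ldaps:// so that ldap_tls_cacert is actually applied`; otherwise an `ldaps://` default is the safer choice.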
@ -4,36 +4,30 @@
|
|||
with_items:
|
||||
- ldapscripts
|
||||
- libpam-ldap
|
||||
tags:
|
||||
- ldap-client
|
||||
tags: ldap-client
|
||||
|
||||
- name: Write the ldap client configuration file
|
||||
template: src=ldap.conf.j2 dest=/etc/ldap.conf mode=444 owner=root group=root
|
||||
template: src=ldap.conf-old.j2 dest=/etc/ldap.conf mode=444 owner=root group=root
|
||||
when: is_ubuntu_less_than_trusty
|
||||
tags:
|
||||
- ldap-client
|
||||
tags: ldap-client
|
||||
|
||||
- name: Write the ldap client configuration file
|
||||
template: src=ldap.conf.j2 dest=/etc/ldap/ldap.conf mode=444 owner=root group=root
|
||||
when: is_trusty
|
||||
tags:
|
||||
- ldap-client
|
||||
tags: ldap-client
|
||||
|
||||
- name: set the ldapscripts.conf uri
|
||||
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ nemis_ldap_uri }}' syntax=shell
|
||||
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SERVER value='{{ ldap_uri }}' syntax=shell
|
||||
when: is_trusty
|
||||
tags:
|
||||
- ldap-client
|
||||
tags: ldap-client
|
||||
|
||||
- name: set the ldapscripts.conf bind dn
|
||||
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ nemis_ldap_base_dn }}' syntax=shell
|
||||
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=BINDDN value='cn=admin,{{ ldap_base_dn }}' syntax=shell
|
||||
when: is_trusty
|
||||
tags:
|
||||
- ldap-client
|
||||
tags: ldap-client
|
||||
|
||||
- name: set the ldapscripts.conf dn suffix
|
||||
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ nemis_ldap_base_dn }}' syntax=shell
|
||||
action: configfile path=/etc/ldapscripts/ldapscripts.conf key=SUFFIX value='{{ ldap_base_dn }}' syntax=shell
|
||||
when: is_trusty
|
||||
tags:
|
||||
- ldap-client
|
||||
tags: ldap-client
|
||||
|
||||
|
|
|
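Review bot: The guards on the `/etc/ldap/ldap.conf` template task (`when: is_trusty`) and the `/etc/ldap.conf` task (`when: is_ubuntu_less_than_trusty`) leave hosts newer than trusty without either configuration file, and the three `configfile` tasks below are gated on `is_trusty` only. If that is intentional, a comment such as `# only trusty and older releases are handled by this role` would save the next reader from assuming a bug; otherwise the guard probably needs a "trusty or newer" condition (the task list begins before this hunk, so a covering task there cannot be ruled out from here). As a point of style, the `template:` and `action: configfile` arguments are written as `key=value` strings; native YAML arguments with the mode quoted (`mode: "0444"`) diff more cleanly and avoid the numeric-mode ambiguity.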
@ -0,0 +1,11 @@
|
|||
# The distinguished name of the search base.
|
||||
BASE {{ ldap_base_dn }}
|
||||
|
||||
# Another way to specify your LDAP server is to provide an
|
||||
URI {{ ldap_uri }}
|
||||
|
||||
# The LDAP version to use (defaults to 3
|
||||
# if supported by client library)
|
||||
ldap_version 3
|
||||
|
||||
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
|
|
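Review bot: The new template renders `URI {{ ldap_uri }}` but never references `ldap_tls_cacert`, the variable the same commit adds to the defaults, so hosts that receive this file get whatever trust settings the library defaults provide rather than the role's. The `@ -1,11 +1,14 @@` hunk adds `TLS_CACERT {{ ldap_tls_cacert }}` to the other template; adding the same two lines here (`# TLS certificates (needed for GnuTLS)` / `TLS_CACERT {{ ldap_tls_cacert }}`) keeps both variants in step. The comment `# Another way to specify your LDAP server is to provide an` is cut off mid-sentence (the stock file continues with "URI"); `# Specify the LDAP server as a URI` reads better. Note also that `ldap_version` and `nss_initgroups_ignoreusers` are lowercase nss_ldap/pam_ldap-style directives sitting next to the uppercase libldap `BASE`/`URI` keywords — worth confirming which consumer is meant to read this file.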
@ -1,11 +1,14 @@
|
|||
# The distinguished name of the search base.
|
||||
BASE {{ nemis_ldap_base_dn }}
|
||||
BASE {{ ldap_base_dn }}
|
||||
|
||||
# Another way to specify your LDAP server is to provide an
|
||||
URI {{ nemis_ldap_uri }}
|
||||
URI {{ ldap_uri }}
|
||||
|
||||
# The LDAP version to use (defaults to 3
|
||||
# if supported by client library)
|
||||
ldap_version 3
|
||||
|
||||
nss_initgroups_ignoreusers avahi,backup,bin,daemon,games,gnats,irc,libuuid,list,lp,mail,man,messagebus,munin,news,nslcd,proxy,root,rstudio-server,sshd,sync,sys,syslog,uucp,www-data
|
||||
|
||||
# TLS certificates (needed for GnuTLS)
|
||||
TLS_CACERT {{ ldap_tls_cacert }}
|
||||
|
|
|
@ -88,10 +88,12 @@ configure_munin: False
|
|||
# Manage the root ssh keys
|
||||
manage_root_ssh_keys: False
|
||||
|
||||
install_external_ca_files: True
|
||||
external_ca_dest_dir: /etc/ssl/certs
|
||||
external_ca_list:
|
||||
- { url: "https://security.fi.infn.it/CA/mgt/INFNCA.pem", dest_file: '{{ external_ca_dest_dir }}/infn-ca.pem' }
|
||||
install_additional_ca_certs: False
|
||||
additional_ca_dest_dir: /usr/local/share/ca-certificates
|
||||
# IMPORTANT: the destination file extension must be .crt
|
||||
#x509_additional_ca_certs:
|
||||
# - { url: "https://security.fi.infn.it/CA/mgt/INFNCA.pem", dest_file: '{{ additional_ca_dest_dir }}/infn-ca.crt' }
|
||||
|
||||
#
|
||||
# debian/ubuntu distributions controllers
|
||||
#
|
||||
|
|
|
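Review bot: `x509_additional_ca_certs` exists here only as a commented-out example, while the task in the `@ -1,7 +1,8 @@` hunk iterates it with `with_items: x509_additional_ca_certs`; depending on the Ansible version, a loop over an undefined variable can fail before the `when: install_additional_ca_certs` guard is evaluated, so an explicit empty default `x509_additional_ca_certs: []` with the example kept in the comment is safer. The `.crt` requirement stated in the IMPORTANT comment is not enforced anywhere in the diff, and `update-ca-certificates` only picks up `.crt` files, so stating the consequence (`# files without a .crt extension are silently skipped by update-ca-certificates`) helps whoever fills the list in. `install_additional_ca_certs: False` follows the file's existing `False` spelling; yamllint's truthy rule would prefer `false`, but consistency with the surrounding lines wins here.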
@ -18,3 +18,7 @@
|
|||
- name: Restart rsyslog
|
||||
service: name=rsyslog state=restarted
|
||||
|
||||
- name: Update the CA bundle list
|
||||
shell: update-ca-certificates
|
||||
tags: ca
|
||||
|
||||
|
|
|
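Review bot: The handler `shell: update-ca-certificates` needs no shell features (no pipes, redirects or expansions), so `command: update-ca-certificates` is the safer module: it removes the shell interpretation step and keeps ansible-lint quiet. A short comment on the handler would also document why the CA task notifies it, e.g. `# rebuild the system bundle (the file ldap_tls_cacert points at) so new certs in additional_ca_dest_dir are trusted`.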
@ -1,7 +1,8 @@
|
|||
---
|
||||
- name: Install the INFN CA certificate
|
||||
- name: Install the additional CA certificates
|
||||
get_url: url={{ item.url }} dest={{ item.dest_file }}
|
||||
with_items: external_ca_list
|
||||
when: install_external_ca_files
|
||||
with_items: x509_additional_ca_certs
|
||||
when: install_additional_ca_certs
|
||||
notify: Update the CA bundle list
|
||||
tags: ca
|
||||
|
||||
|
|
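Review bot: `get_url: url={{ item.url }} dest={{ item.dest_file }}` fetches a trust anchor and drops it straight into the CA directory with no integrity check, so whatever answers at `item.url` becomes trusted system-wide once the handler runs; TLS on the download authenticates the server, not the file. Pinning a digest per entry, e.g. `get_url: url={{ item.url }} dest={{ item.dest_file }} sha256sum={{ item.sha256sum }}` with the hash recorded next to the URL in `x509_additional_ca_certs`, makes a swapped certificate fail the task instead of being installed (`sha256sum` is the get_url parameter of this Ansible era; later releases call it `checksum`). The task also sets no `mode`/`owner`, so permissions depend on get_url's defaults; an explicit `mode=0644 owner=root group=root` is appropriate for a public certificate and makes the result reproducible.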