openvpn: better management of the native ldap authentication plugin.

library/roles/openvpn/defaults/main.yml

@@ -73,7 +73,7 @@ openvpn_mute_after: 20
 openvpn_ldap_uri: 'ldap:'
 openvpn_ldap_host: ldap.example.org
 openvpn_ldap_url: '{{ openvpn_ldap_uri }}//{{ openvpn_ldap_host }}'
-openvpn_ldap_nonanon_bind: False
+openvpn_ldap_anon_bind: True
 openvpn_ldap_binddn: uid=admin
 openvpn_ldap_bindpwd: test
 openvpn_ldap_ca: '{{ openvpn_ca }}'

library/roles/openvpn/handlers/main.yml

@@ -1,6 +1,7 @@
 ---
+# OpenVPN does not support a service reload
 - name: Reload OpenVPN
-  service: name=openvpn state=reloaded
+  service: name=openvpn state=restarted
   when: openvpn_enabled
 
 - name: Restart OpenVPN
@@ -9,4 +10,4 @@
 
 - name: Reload systemd
   systemd: daemon_reload=yes
-  when: ansible_service_mgr == 'systemd'
+  when: ansible_service_mgr == 'systemd'

library/roles/openvpn/tasks/openvpn.yml

@@ -22,14 +22,6 @@
   tags: [ 'openvpn', 'openvpn_radius' ]
 
 - block:
-    - name: apt key for the internal ppa repository. Needed by the openvpn ldap auth with posix groups
-      apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
-      when: not openvpn_ldap_without_posix_groups
-  
-    - name: Setup the internal apt repository
-      apt_repository: repo='deb http://ppa.research-infrastructures.eu/system trusty main' update_cache=yes
-      when: not openvpn_ldap_without_posix_groups
-
     - name: Install the OpenVPN ldap auth plugin package
       apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
 
@@ -121,10 +113,12 @@
         #dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
         dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
       delegate_to: '{{ openvpn_master_host }}'
+      ignore_errors: True
       
     - name: Relax the ta.key file permissions so that it can be copied around
       file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
       delegate_to: '{{ openvpn_master_host }}'
+      ignore_errors: True
 
     - name: Get the ta key from the master host
       synchronize:
@@ -140,6 +134,7 @@
     - name: Fix the ta.key file permissions on the master host
       file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400 
       delegate_to: '{{ openvpn_master_host }}'
+      ignore_errors: True
 
   when:
     - openvpn_ha

library/roles/openvpn/templates/auth-ldap.conf.j2

@@ -2,11 +2,11 @@
         # LDAP server URL
         URL                     {{ openvpn_ldap_url }}
 
-{% if openvpn_ldap_nonanon_bind %}
+{% if not openvpn_ldap_anon_bind %}
         # Bind DN (If your LDAP server doesn't support anonymous binds)
-        BindDN                  {{ openvpn_ldap_binddn }}
+        BindDN                  "{{ openvpn_ldap_binddn }}"
         # Bind Password
-        Password                {{ openvpn_ldap_bindpwd }}
+        Password                "{{ openvpn_ldap_bindpwd }}"
 {% endif %}
 
         # Network timeout (in seconds)
@@ -15,10 +15,16 @@
 {% if openvpn_ldap_starttls %}
         # Enable Start TLS
         TLSEnable      yes
+{% else %}
+        TLSEnable      no
 {% endif %}
 
+{% if not openvpn_ldap_anon_bind %}
         # Follow LDAP Referrals (anonymously)
+        FollowReferrals no
+{% else %}
         FollowReferrals yes
+{% endif %}
 
         # TLS CA Certificate File
         TLSCACertFile           {{ openvpn_ldap_ca }}
@@ -37,7 +43,7 @@
 
         # Cipher Suite
         # The defaults are usually fine here
-        TLSCipherSuite   {{ openvpn_ldap_tls_ciphersuite }}
+        #TLSCipherSuite   {{ openvpn_ldap_tls_ciphersuite }}
 </LDAP>
 
 <Authorization>
@@ -45,7 +51,6 @@
         BaseDN          "{{ openvpn_ldap_base_dn }}"
 
         # User Search Filter
-        # SearchFilter  "(&(uid=%u)(accountStatus=active))"
         SearchFilter    "{{ openvpn_ldap_user_search }}"
 
         # Require Group Membership

library/roles/openvpn/templates/openvpn.conf.j2

@@ -103,7 +103,7 @@ plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
 
 {% if openvpn_ldap_perl_auth %}
 auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
-script-security 3 execve
+#script-security 3 execve
 {% endif %}
 
 max-clients {{ openvpn_max_clients }}