forked from ISTI-ansible-roles/ansible-roles
openvpn: better management of the native ldap authentication plugin.
This commit is contained in:
parent
b2b1270b85
commit
a089bc612a
|
@ -73,7 +73,7 @@ openvpn_mute_after: 20
|
|||
openvpn_ldap_uri: 'ldap:'
|
||||
openvpn_ldap_host: ldap.example.org
|
||||
openvpn_ldap_url: '{{ openvpn_ldap_uri }}//{{ openvpn_ldap_host }}'
|
||||
openvpn_ldap_nonanon_bind: False
|
||||
openvpn_ldap_anon_bind: True
|
||||
openvpn_ldap_binddn: uid=admin
|
||||
openvpn_ldap_bindpwd: test
|
||||
openvpn_ldap_ca: '{{ openvpn_ca }}'
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
---
|
||||
# OpenVPN does not support a service reload
|
||||
- name: Reload OpenVPN
|
||||
service: name=openvpn state=reloaded
|
||||
service: name=openvpn state=restarted
|
||||
when: openvpn_enabled
|
||||
|
||||
- name: Restart OpenVPN
|
||||
|
@ -9,4 +10,4 @@
|
|||
|
||||
- name: Reload systemd
|
||||
systemd: daemon_reload=yes
|
||||
when: ansible_service_mgr == 'systemd'
|
||||
when: ansible_service_mgr == 'systemd'
|
||||
|
|
|
@ -22,14 +22,6 @@
|
|||
tags: [ 'openvpn', 'openvpn_radius' ]
|
||||
|
||||
- block:
|
||||
- name: apt key for the internal ppa repository. Needed by the openvpn ldap auth with posix groups
|
||||
apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
|
||||
when: not openvpn_ldap_without_posix_groups
|
||||
|
||||
- name: Setup the internal apt repository
|
||||
apt_repository: repo='deb http://ppa.research-infrastructures.eu/system trusty main' update_cache=yes
|
||||
when: not openvpn_ldap_without_posix_groups
|
||||
|
||||
- name: Install the OpenVPN ldap auth plugin package
|
||||
apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
|
||||
|
||||
|
@ -121,10 +113,12 @@
|
|||
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
|
||||
dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
|
||||
delegate_to: '{{ openvpn_master_host }}'
|
||||
ignore_errors: True
|
||||
|
||||
- name: Relax the ta.key file permissions so that it can be copied around
|
||||
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
|
||||
delegate_to: '{{ openvpn_master_host }}'
|
||||
ignore_errors: True
|
||||
|
||||
- name: Get the ta key from the master host
|
||||
synchronize:
|
||||
|
@ -140,6 +134,7 @@
|
|||
- name: Fix the ta.key file permissions on the master host
|
||||
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
|
||||
delegate_to: '{{ openvpn_master_host }}'
|
||||
ignore_errors: True
|
||||
|
||||
when:
|
||||
- openvpn_ha
|
||||
|
|
|
@ -2,11 +2,11 @@
|
|||
# LDAP server URL
|
||||
URL {{ openvpn_ldap_url }}
|
||||
|
||||
{% if openvpn_ldap_nonanon_bind %}
|
||||
{% if not openvpn_ldap_anon_bind %}
|
||||
# Bind DN (If your LDAP server doesn't support anonymous binds)
|
||||
BindDN {{ openvpn_ldap_binddn }}
|
||||
BindDN "{{ openvpn_ldap_binddn }}"
|
||||
# Bind Password
|
||||
Password {{ openvpn_ldap_bindpwd }}
|
||||
Password "{{ openvpn_ldap_bindpwd }}"
|
||||
{% endif %}
|
||||
|
||||
# Network timeout (in seconds)
|
||||
|
@ -15,10 +15,16 @@
|
|||
{% if openvpn_ldap_starttls %}
|
||||
# Enable Start TLS
|
||||
TLSEnable yes
|
||||
{% else %}
|
||||
TLSEnable no
|
||||
{% endif %}
|
||||
|
||||
{% if not openvpn_ldap_anon_bind %}
|
||||
# Follow LDAP Referrals (anonymously)
|
||||
FollowReferrals no
|
||||
{% else %}
|
||||
FollowReferrals yes
|
||||
{% endif %}
|
||||
|
||||
# TLS CA Certificate File
|
||||
TLSCACertFile {{ openvpn_ldap_ca }}
|
||||
|
@ -37,7 +43,7 @@
|
|||
|
||||
# Cipher Suite
|
||||
# The defaults are usually fine here
|
||||
TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}
|
||||
#TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}
|
||||
</LDAP>
|
||||
|
||||
<Authorization>
|
||||
|
@ -45,7 +51,6 @@
|
|||
BaseDN "{{ openvpn_ldap_base_dn }}"
|
||||
|
||||
# User Search Filter
|
||||
# SearchFilter "(&(uid=%u)(accountStatus=active))"
|
||||
SearchFilter "{{ openvpn_ldap_user_search }}"
|
||||
|
||||
# Require Group Membership
|
||||
|
|
|
@ -103,7 +103,7 @@ plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
|
|||
|
||||
{% if openvpn_ldap_perl_auth %}
|
||||
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
|
||||
script-security 3 execve
|
||||
#script-security 3 execve
|
||||
{% endif %}
|
||||
|
||||
max-clients {{ openvpn_max_clients }}
|
||||
|
|
Loading…
Reference in New Issue