forked from ISTI-ansible-roles/ansible-roles
openvpn: better management of the native ldap authentication plugin.
This commit is contained in:
parent
b2b1270b85
commit
a089bc612a
|
@ -73,7 +73,7 @@ openvpn_mute_after: 20
|
||||||
openvpn_ldap_uri: 'ldap:'
|
openvpn_ldap_uri: 'ldap:'
|
||||||
openvpn_ldap_host: ldap.example.org
|
openvpn_ldap_host: ldap.example.org
|
||||||
openvpn_ldap_url: '{{ openvpn_ldap_uri }}//{{ openvpn_ldap_host }}'
|
openvpn_ldap_url: '{{ openvpn_ldap_uri }}//{{ openvpn_ldap_host }}'
|
||||||
openvpn_ldap_nonanon_bind: False
|
openvpn_ldap_anon_bind: True
|
||||||
openvpn_ldap_binddn: uid=admin
|
openvpn_ldap_binddn: uid=admin
|
||||||
openvpn_ldap_bindpwd: test
|
openvpn_ldap_bindpwd: test
|
||||||
openvpn_ldap_ca: '{{ openvpn_ca }}'
|
openvpn_ldap_ca: '{{ openvpn_ca }}'
|
||||||
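Review bot: Renaming `openvpn_ldap_nonanon_bind` to `openvpn_ldap_anon_bind` with inverted polarity leaves any inventory that still sets the old variable silently ignored, and because the new default is `True` the rendered auth-ldap.conf falls back to an anonymous bind on those hosts with no warning. A transitional default keeps the old setting honoured, e.g. `openvpn_ldap_anon_bind: '{{ not (openvpn_ldap_nonanon_bind | default(false)) }}'`, or the role could assert that the old name is undefined. Separately, write the boolean as lowercase `true` to match yamllint's truthy rule; the capitalised form reads as a Python literal rather than YAML.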
|
|
|
@ -1,6 +1,7 @@
|
||||||
---
|
---
|
||||||
|
# OpenVPN does not support a service reload
|
||||||
- name: Reload OpenVPN
|
- name: Reload OpenVPN
|
||||||
service: name=openvpn state=reloaded
|
service: name=openvpn state=restarted
|
||||||
when: openvpn_enabled
|
when: openvpn_enabled
|
||||||
|
|
||||||
- name: Restart OpenVPN
|
- name: Restart OpenVPN
|
||||||
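Review bot: The `Reload OpenVPN` handler now performs a full restart, so every task that notifies it drops all active VPN sessions, which a caller expecting a reload would not anticipate; the `Restart OpenVPN` handler that follows appears to do the same thing (its body is outside the hunk). Consider folding the two into one handler, or at least make the comment state the consequence: `# OpenVPN does not support a service reload: a reload notification restarts the daemon and drops all client sessions`. While touching the line, block-YAML module arguments are the Ansible convention over key=value strings: `service:` / `name: openvpn` / `state: restarted`.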
|
|
|
@ -22,14 +22,6 @@
|
||||||
tags: [ 'openvpn', 'openvpn_radius' ]
|
tags: [ 'openvpn', 'openvpn_radius' ]
|
||||||
|
|
||||||
- block:
|
- block:
|
||||||
- name: apt key for the internal ppa repository. Needed by the openvpn ldap auth with posix groups
|
|
||||||
apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
|
|
||||||
when: not openvpn_ldap_without_posix_groups
|
|
||||||
|
|
||||||
- name: Setup the internal apt repository
|
|
||||||
apt_repository: repo='deb http://ppa.research-infrastructures.eu/system trusty main' update_cache=yes
|
|
||||||
when: not openvpn_ldap_without_posix_groups
|
|
||||||
|
|
||||||
- name: Install the OpenVPN ldap auth plugin package
|
- name: Install the OpenVPN ldap auth plugin package
|
||||||
apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
|
apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
|
||||||
|
|
||||||
|
@ -121,10 +113,12 @@
|
||||||
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
|
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
|
||||||
dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
|
dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
|
||||||
delegate_to: '{{ openvpn_master_host }}'
|
delegate_to: '{{ openvpn_master_host }}'
|
||||||
|
ignore_errors: True
|
||||||
|
|
||||||
- name: Relax the ta.key file permissions so that it can be copied around
|
- name: Relax the ta.key file permissions so that it can be copied around
|
||||||
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
|
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
|
||||||
delegate_to: '{{ openvpn_master_host }}'
|
delegate_to: '{{ openvpn_master_host }}'
|
||||||
|
ignore_errors: True
|
||||||
|
|
||||||
- name: Get the ta key from the master host
|
- name: Get the ta key from the master host
|
||||||
synchronize:
|
synchronize:
|
||||||
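Review bot: `ignore_errors: True` on the task that relaxes ta.key to mode 0444 (this hunk) and on the task that restores it to 0400 (the `@ -140,6 +134,7 @@` hunk below) means a failure of the restore step is swallowed, so the tls-auth key can be left world-readable on the master host while the play still reports success. Ignoring errors on the widening step is defensible, but the restore must fail loudly: drop `ignore_errors` from the mode=0400 task, or add a `stat` of `{{ openvpn_conf_dir }}/ta.key` with a `failed_when` on the mode afterwards. The same flag is added to the dh2048.pem synchronize task, whose header starts outside the hunk; if it is meant as best-effort on non-HA hosts, a comment saying so would help. Prefer lowercase `true` for the boolean per yamllint's truthy rule.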
|
@ -140,6 +134,7 @@
|
||||||
- name: Fix the ta.key file permissions on the master host
|
- name: Fix the ta.key file permissions on the master host
|
||||||
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
|
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
|
||||||
delegate_to: '{{ openvpn_master_host }}'
|
delegate_to: '{{ openvpn_master_host }}'
|
||||||
|
ignore_errors: True
|
||||||
|
|
||||||
when:
|
when:
|
||||||
- openvpn_ha
|
- openvpn_ha
|
||||||
|
|
|
@ -2,11 +2,11 @@
|
||||||
# LDAP server URL
|
# LDAP server URL
|
||||||
URL {{ openvpn_ldap_url }}
|
URL {{ openvpn_ldap_url }}
|
||||||
|
|
||||||
{% if openvpn_ldap_nonanon_bind %}
|
{% if not openvpn_ldap_anon_bind %}
|
||||||
# Bind DN (If your LDAP server doesn't support anonymous binds)
|
# Bind DN (If your LDAP server doesn't support anonymous binds)
|
||||||
BindDN {{ openvpn_ldap_binddn }}
|
BindDN "{{ openvpn_ldap_binddn }}"
|
||||||
# Bind Password
|
# Bind Password
|
||||||
Password {{ openvpn_ldap_bindpwd }}
|
Password "{{ openvpn_ldap_bindpwd }}"
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
# Network timeout (in seconds)
|
# Network timeout (in seconds)
|
||||||
|
@ -15,10 +15,16 @@
|
||||||
{% if openvpn_ldap_starttls %}
|
{% if openvpn_ldap_starttls %}
|
||||||
# Enable Start TLS
|
# Enable Start TLS
|
||||||
TLSEnable yes
|
TLSEnable yes
|
||||||
|
{% else %}
|
||||||
|
TLSEnable no
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
{% if not openvpn_ldap_anon_bind %}
|
||||||
# Follow LDAP Referrals (anonymously)
|
# Follow LDAP Referrals (anonymously)
|
||||||
|
FollowReferrals no
|
||||||
|
{% else %}
|
||||||
FollowReferrals yes
|
FollowReferrals yes
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
# TLS CA Certificate File
|
# TLS CA Certificate File
|
||||||
TLSCACertFile {{ openvpn_ldap_ca }}
|
TLSCACertFile {{ openvpn_ldap_ca }}
|
||||||
|
@ -37,7 +43,7 @@
|
||||||
|
|
||||||
# Cipher Suite
|
# Cipher Suite
|
||||||
# The defaults are usually fine here
|
# The defaults are usually fine here
|
||||||
TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}
|
#TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}
|
||||||
</LDAP>
|
</LDAP>
|
||||||
|
|
||||||
<Authorization>
|
<Authorization>
|
||||||
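Review bot: Commenting out `TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}` makes the role variable `openvpn_ldap_tls_ciphersuite` dead: a deployment that pinned a restricted cipher list now silently runs on the library defaults, and the kept comment `# The defaults are usually fine here` does not say the knob is no longer wired up. If the intent is to make it optional, gate it instead of disabling it: `{% if openvpn_ldap_tls_ciphersuite is defined %}` / `TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}` / `{% endif %}`, and remove the variable from defaults if it should truly never apply.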
|
@ -45,7 +51,6 @@
|
||||||
BaseDN "{{ openvpn_ldap_base_dn }}"
|
BaseDN "{{ openvpn_ldap_base_dn }}"
|
||||||
|
|
||||||
# User Search Filter
|
# User Search Filter
|
||||||
# SearchFilter "(&(uid=%u)(accountStatus=active))"
|
|
||||||
SearchFilter "{{ openvpn_ldap_user_search }}"
|
SearchFilter "{{ openvpn_ldap_user_search }}"
|
||||||
|
|
||||||
# Require Group Membership
|
# Require Group Membership
|
||||||
|
|
|
@ -103,7 +103,7 @@ plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
|
||||||
|
|
||||||
{% if openvpn_ldap_perl_auth %}
|
{% if openvpn_ldap_perl_auth %}
|
||||||
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
|
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
|
||||||
script-security 3 execve
|
#script-security 3 execve
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
max-clients {{ openvpn_max_clients }}
|
max-clients {{ openvpn_max_clients }}
|
||||||
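Review bot: Commenting out `script-security 3 execve` while keeping `auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env` leaves the perl-auth branch dependent on a `script-security` directive set elsewhere in the template, which is not visible in this hunk; OpenVPN does not pass the password to a script through the environment below level 3, so the branch fails at authentication time if nothing else sets it. If the directive was moved, a comment pointing to it would help, e.g. `# script-security 3 is set in the global section; via-env requires level 3`. If it was dropped because level 3 is considered too permissive, `via-file` with `script-security 2` is the usual alternative and should replace `via-env` here.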
|
|