openvpn: better management of the native ldap authentication plugin.

Andrea Dell'Amico 2019-08-07 18:43:35 +02:00
parent b2b1270b85
commit a089bc612a
5 changed files with 18 additions and 17 deletions


@ -73,7 +73,7 @@ openvpn_mute_after: 20
openvpn_ldap_uri: 'ldap:' openvpn_ldap_uri: 'ldap:'
openvpn_ldap_host: ldap.example.org openvpn_ldap_host: ldap.example.org
openvpn_ldap_url: '{{ openvpn_ldap_uri }}//{{ openvpn_ldap_host }}' openvpn_ldap_url: '{{ openvpn_ldap_uri }}//{{ openvpn_ldap_host }}'
openvpn_ldap_nonanon_bind: False openvpn_ldap_anon_bind: True
openvpn_ldap_binddn: uid=admin openvpn_ldap_binddn: uid=admin
openvpn_ldap_bindpwd: test openvpn_ldap_bindpwd: test
openvpn_ldap_ca: '{{ openvpn_ca }}' openvpn_ldap_ca: '{{ openvpn_ca }}'
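Review bot: Renaming `openvpn_ldap_nonanon_bind` to `openvpn_ldap_anon_bind` inverts the meaning and flips the default, so any inventory that still sets the old variable is silently ignored and the role falls back to an anonymous bind instead of failing. Consider a compatibility shim in the defaults such as `openvpn_ldap_anon_bind: "{{ (not openvpn_ldap_nonanon_bind) if openvpn_ldap_nonanon_bind is defined else True }}"`, or an `assert` task that rejects the old name for one release. The `openvpn_ldap_bindpwd: test` default on the next line is untouched by this commit, but since the new flag now decides whether it is used at all, a comment like `# only used when openvpn_ldap_anon_bind is False; override it from a vault` would help readers.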


@ -1,6 +1,7 @@
--- ---
# OpenVPN does not support a service reload
- name: Reload OpenVPN - name: Reload OpenVPN
service: name=openvpn state=reloaded service: name=openvpn state=restarted
when: openvpn_enabled when: openvpn_enabled
- name: Restart OpenVPN - name: Restart OpenVPN
@ -9,4 +10,4 @@
- name: Reload systemd - name: Reload systemd
systemd: daemon_reload=yes systemd: daemon_reload=yes
when: ansible_service_mgr == 'systemd' when: ansible_service_mgr == 'systemd'
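Review bot: With `state=restarted` the Reload OpenVPN handler in the first hunk now does exactly what the Restart OpenVPN handler below it does, and every task that notifies "Reload OpenVPN" will from now on drop all connected clients on a change. The new comment should state that consequence, not only the reason, e.g. `# OpenVPN does not support a service reload: this handler restarts the daemon and disconnects every client`. The duplicate could also be folded into Restart OpenVPN (or share it via `listen:`) so the behaviour is not defined twice. Style: `service: name=openvpn state=restarted` keeps the key=value form; block YAML (`service:` with `name:` and `state:` keys) is the Ansible convention and diffs more cleanly.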


@ -22,14 +22,6 @@
tags: [ 'openvpn', 'openvpn_radius' ] tags: [ 'openvpn', 'openvpn_radius' ]
- block: - block:
- name: apt key for the internal ppa repository. Needed by the openvpn ldap auth with posix groups
apt_key: url=http://ppa.research-infrastructures.eu/system/keys/system-archive.asc state=present
when: not openvpn_ldap_without_posix_groups
- name: Setup the internal apt repository
apt_repository: repo='deb http://ppa.research-infrastructures.eu/system trusty main' update_cache=yes
when: not openvpn_ldap_without_posix_groups
- name: Install the OpenVPN ldap auth plugin package - name: Install the OpenVPN ldap auth plugin package
apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800 apt: pkg={{ openvpn_ldap_pkg }} state={{ openvpn_pkg_state }} update_cache=yes cache_valid_time=1800
@ -121,10 +113,12 @@
#dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem' #dest: 'rsync://root@{{ ansible_fqdn }}/{{ openvpn_conf_dir }}/dh2048.pem'
dest: '/{{ openvpn_conf_dir }}/dh2048.pem' dest: '/{{ openvpn_conf_dir }}/dh2048.pem'
delegate_to: '{{ openvpn_master_host }}' delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
- name: Relax the ta.key file permissions so that it can be copied around - name: Relax the ta.key file permissions so that it can be copied around
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444 file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0444
delegate_to: '{{ openvpn_master_host }}' delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
- name: Get the ta key from the master host - name: Get the ta key from the master host
synchronize: synchronize:
@ -140,6 +134,7 @@
- name: Fix the ta.key file permissions on the master host - name: Fix the ta.key file permissions on the master host
file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400 file: dest={{ openvpn_conf_dir }}/ta.key owner=root group=root mode=0400
delegate_to: '{{ openvpn_master_host }}' delegate_to: '{{ openvpn_master_host }}'
ignore_errors: True
when: when:
- openvpn_ha - openvpn_ha
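Review bot: `ignore_errors: True` on the "Fix the ta.key file permissions on the master host" task (third hunk) means that if restoring `mode=0400` fails after the earlier task relaxed the key to `mode=0444`, the play continues and the TLS-auth key is left world-readable on the master with no failure reported. Swallowing errors is defensible on the relax and synchronize steps, but the re-tightening step should keep failing loudly, or the relax/sync/tighten sequence should become a `block:` with the `mode=0400` task in `always:` so it runs even when a copy fails. The task list starts before the first hunk and the second hunk ends inside the `synchronize:` task, so the conditions attached to those tasks are not visible here.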


@ -2,11 +2,11 @@
# LDAP server URL # LDAP server URL
URL {{ openvpn_ldap_url }} URL {{ openvpn_ldap_url }}
{% if openvpn_ldap_nonanon_bind %} {% if not openvpn_ldap_anon_bind %}
# Bind DN (If your LDAP server doesn't support anonymous binds) # Bind DN (If your LDAP server doesn't support anonymous binds)
BindDN {{ openvpn_ldap_binddn }} BindDN "{{ openvpn_ldap_binddn }}"
# Bind Password # Bind Password
Password {{ openvpn_ldap_bindpwd }} Password "{{ openvpn_ldap_bindpwd }}"
{% endif %} {% endif %}
# Network timeout (in seconds) # Network timeout (in seconds)
@ -15,10 +15,16 @@
{% if openvpn_ldap_starttls %} {% if openvpn_ldap_starttls %}
# Enable Start TLS # Enable Start TLS
TLSEnable yes TLSEnable yes
{% else %}
TLSEnable no
{% endif %} {% endif %}
{% if not openvpn_ldap_anon_bind %}
# Follow LDAP Referrals (anonymously) # Follow LDAP Referrals (anonymously)
FollowReferrals no
{% else %}
FollowReferrals yes FollowReferrals yes
{% endif %}
# TLS CA Certificate File # TLS CA Certificate File
TLSCACertFile {{ openvpn_ldap_ca }} TLSCACertFile {{ openvpn_ldap_ca }}
@ -37,7 +43,7 @@
# Cipher Suite # Cipher Suite
# The defaults are usually fine here # The defaults are usually fine here
TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }} #TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}
</LDAP> </LDAP>
<Authorization> <Authorization>
@ -45,7 +51,6 @@
BaseDN "{{ openvpn_ldap_base_dn }}" BaseDN "{{ openvpn_ldap_base_dn }}"
# User Search Filter # User Search Filter
# SearchFilter "(&(uid=%u)(accountStatus=active))"
SearchFilter "{{ openvpn_ldap_user_search }}" SearchFilter "{{ openvpn_ldap_user_search }}"
# Require Group Membership # Require Group Membership
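Review bot: Commenting out `TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}` in the third hunk leaves `openvpn_ldap_tls_ciphersuite` as a dead variable: it is still rendered, but only inside a comment, so an operator who sets it to restrict the LDAP TLS ciphers gets the plugin's built-in defaults with no warning. If the directive breaks the plugin on some hosts, gate it rather than disable it, `{% if openvpn_ldap_tls_ciphersuite is defined and openvpn_ldap_tls_ciphersuite %}` / `TLSCipherSuite {{ openvpn_ldap_tls_ciphersuite }}` / `{% endif %}`, and otherwise drop the variable from the defaults or document why it is ignored. The quoting added to `BindDN` and `Password` in the first hunk is right; note in a comment that a bind password containing a double quote is not escaped here.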


@ -103,7 +103,7 @@ plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
{% if openvpn_ldap_perl_auth %} {% if openvpn_ldap_perl_auth %}
auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env
script-security 3 execve #script-security 3 execve
{% endif %} {% endif %}
max-clients {{ openvpn_max_clients }} max-clients {{ openvpn_max_clients }}
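Review bot: With `script-security 3 execve` commented out, the `auth-user-pass-verify /etc/openvpn/auth/auth-ldap via-env` line that stays in the same `{% if openvpn_ldap_perl_auth %}` branch is left, as far as I can tell, without the script-security level it needs: OpenVPN only passes the password to a script through the environment at level 3, so the perl auth path would fail to run or reject every login. If the directive was moved elsewhere in server.conf, say so in the branch (`# script-security 3 is set globally above`); otherwise keep `script-security 3`, or switch to `via-file` with `script-security 2` so the password does not travel through the process environment. If only the `execve` argument was the problem, drop just that word, since I recall the method argument being deprecated in later OpenVPN releases.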