Merge pull request #47 from mwilck/ldapi
Use LDAPI to connect if possible

Completes #19, closes #42
lvps authored Feb 29, 2024
2 parents 6ad541a + 59a643b commit 69d102a
Showing 3 changed files with 53 additions and 68 deletions.
2 changes: 1 addition & 1 deletion tasks/configure_authentication.yml
Expand Up @@ -31,7 +31,7 @@
rescue:
- name: Configure LDAPI over LDAPI
ldap_attrs:
server_uri: "ldapi:///{% if dirsrv_rundir is defined %}{{ dirsrv_rundir }}{% else %}/var/run{% endif %}/slapd-{{ dirsrv_serverid }}.socket"
server_uri: "{{ dirsrv_ldapi_uri }}"
bind_dn: "{{ dirsrv_rootdn }}"
bind_pw: "{{ dirsrv_rootdn_password }}"
dn: "cn=config"
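Review bot: The rescue step now binds to `server_uri: "{{ dirsrv_ldapi_uri }}"`, a fact that this commit defines in a set_fact block in tasks/main.yml tagged `[ dirsrv_tls, dirsrv_cert, dirsrv_schema ]`; if the tasks in this file can run under a tag outside that list, the variable is undefined and the rescue itself errors instead of recovering from the failed block. Consider guarding it, e.g. `server_uri: "{{ dirsrv_ldapi_uri | mandatory('dirsrv_ldapi_uri is set by tasks/main.yml') }}"`, or asserting the fact exists before the block. The enclosing block/rescue starts and ends outside the hunk, so I cannot see which tags actually apply to it.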
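--- a/tasks/configure_tls_enforcing.yml
+++ b/tasks/configure_tls_enforcing.yml
@@ -1,35 +1,17 @@
 ---
-- block:
-- name: Configure enforcing of TLS
-ldap_attrs:
-server_uri: "{{ dirsrv_server_uri }}"
-validate_certs: "{{ dirsrv_tls_certificate_trusted }}"
-start_tls: "{{ dirsrv_tls_enforced }}"
-bind_dn: "{{ dirsrv_rootdn }}"
-bind_pw: "{{ dirsrv_rootdn_password }}"
-dn: "cn=config"
-attributes:
-nsslapd-require-secure-binds: "{{ 'on' if dirsrv_tls_enforced else 'off' }}"
-nsslapd-minssf: "{{ dirsrv_tls_minssf if dirsrv_tls_enforced else '0' }}"
-nsslapd-localssf: "{{ dirsrv_tls_minssf if dirsrv_tls_enforced else '0' }}"
-state: exact
-failed_when: false
-tags: [ dirsrv_tls ]
-register: dirsrv_restart_condition_tls_enforcing_1
-
-rescue:
-- name: Configure enforcing of TLS, over TLS
-ldap_attrs:
-server_uri: "{{ dirsrv_server_uri }}"
-validate_certs: "{{ dirsrv_tls_certificate_trusted }}"
-start_tls: "{{ dirsrv_tls_enforced }}"
-bind_dn: "{{ dirsrv_rootdn }}"
-bind_pw: "{{ dirsrv_rootdn_password }}"
-dn: "cn=config"
-attributes:
-nsslapd-require-secure-binds: "{{ 'on' if dirsrv_tls_enforced else 'off' }}"
-nsslapd-minssf: "{{ dirsrv_tls_minssf if dirsrv_tls_enforced else '0' }}"
-nsslapd-localssf: "{{ dirsrv_tls_minssf if dirsrv_tls_enforced else '0' }}"
-state: exact
-tags: [ dirsrv_tls ]
-register: dirsrv_restart_condition_tls_enforcing_2
+- name: Configure enforcing of TLS
+ldap_attrs:
+server_uri: "{{ dirsrv_server_uri }}"
+validate_certs: "{{ dirsrv_tls_certificate_trusted }}"
+start_tls: "{{ dirsrv_tls_enforced }}"
+bind_dn: "{{ dirsrv_rootdn }}"
+bind_pw: "{{ dirsrv_rootdn_password }}"
+dn: "cn=config"
+attributes:
+nsslapd-require-secure-binds: "{{ 'on' if dirsrv_tls_enforced else 'off' }}"
+nsslapd-minssf: "{{ dirsrv_tls_minssf if dirsrv_tls_enforced else '0' }}"
+nsslapd-localssf: "{{ dirsrv_tls_minssf if dirsrv_tls_enforced else '0' }}"
+state: exact
+failed_when: false
+tags: [ dirsrv_tls ]
+register: dirsrv_restart_condition_tls_enforcing_1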
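Review bot: Dropping the rescue branch leaves `failed_when: false` as the only error handling on the cn=config write, so a bind or modify that fails (bad credentials, server not reachable on the chosen URI) is now silently ignored and `dirsrv_restart_condition_tls_enforcing_1` reports nothing, leaving `nsslapd-require-secure-binds`/`nsslapd-minssf` unapplied with no visible error; before this change the rescue attempt would at least have surfaced the failure. Remove the `failed_when: false` line, or narrow it to the one error condition that is genuinely expected to be tolerated. Note also that `server_uri` may now resolve to an `ldapi://` URI (set by the new set_fact in tasks/main.yml) while `start_tls` is still `"{{ dirsrv_tls_enforced }}"`; if the module tries STARTTLS on a unix-socket connection that attempt would fail and be hidden by the same `failed_when: false`, so consider `start_tls: "{{ dirsrv_tls_enforced and not dirsrv_ldapilisten_enabled }}"`.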
69 changes: 36 additions & 33 deletions tasks/main.yml
Expand Up @@ -14,41 +14,44 @@
when: dirsrv_tls_enforced | bool
tags: [ dirsrv_tls ]

- name: Check if TLS is enforced (secure binds)
command: "grep \"nsslapd-require-secure-binds: on\" /etc/dirsrv/slapd-{{ dirsrv_serverid }}/dse.ldif"
register: dirsrv_tls_enforced_initially_binds
changed_when: false
failed_when: dirsrv_tls_enforced_initially_binds.rc != 0 and dirsrv_tls_enforced_initially_binds.rc != 1
- block:
- name: read LDAP server configuration
slurp:
src: /etc/dirsrv/slapd-{{ dirsrv_serverid }}/dse.ldif
register: dirsrv_ldif_base64
- name: check auth-related server configuration
set_fact:
dirsrv_ldapilisten_enabled: >-
{{ dirsrv_ldif_base64.content | b64decode |
regex_search('(?m)^nsslapd-ldapilisten:.*$')
== 'nsslapd-ldapilisten: on' }}
dirsrv_tls_ldapi_filepath: >-
{{ dirsrv_ldif_base64.content | b64decode |
regex_search('(?m)^nsslapd-ldapifilepath:.*$') |
regex_replace('^[^:]*: ', '') }}
dirsrv_tls_enforced_initially_binds: >-
{{ dirsrv_ldif_base64.content | b64decode |
regex_search('(?m)^nsslapd-require-secure-binds:.*$')
== 'nsslapd-require-secure-binds: on' }}
dirsrv_tls_enforced_initially_ssf: >-
{{ dirsrv_ldif_base64.content | b64decode |
regex_search('(?m)^nsslapd-minssf:.*$') |
regex_replace('^[^:]*: ', '') }}
dirsrv_ldapi_uri: >-
{{ "ldapi://" ~
( ( dirsrv_rundir | default("/var/run") ) ~
"/slapd-" ~ dirsrv_serverid ~ ".socket" ) | quote_plus }}
- name: Prepare LDAP auth data
set_fact:
dirsrv_starttls_early: >-
{{ not dirsrv_ldapilisten_enabled and
( dirsrv_tls_enforced_initially_binds or
dirsrv_tls_enforced_initially_ssf | int > 0 ) }}
dirsrv_server_uri: >-
{{ dirsrv_ldapi_uri if dirsrv_ldapilisten_enabled
else dirsrv_server_uri }}
tags: [ dirsrv_tls, dirsrv_cert, dirsrv_schema ] # Needed for all these tags

# If nsslapd-minssf isn't set at all, it defaults to 0.
# So we have to check if it's defined...
- name: Check if TLS is enforced (minimum SSF is set)
command: "grep \"nsslapd-minssf:\" /etc/dirsrv/slapd-{{ dirsrv_serverid }}/dse.ldif"
register: dirsrv_tls_enforced_initially_ssf_set
changed_when: false
failed_when: dirsrv_tls_enforced_initially_ssf_set.rc != 0 and dirsrv_tls_enforced_initially_ssf_set.rc != 1
tags: [ dirsrv_tls, dirsrv_cert, dirsrv_schema ] # Needed for all these tags

# ...and if it's 0 or something else.
- name: Check if TLS is enforced (minimum SSF)
command: "grep \"nsslapd-minssf: 0\" /etc/dirsrv/slapd-{{ dirsrv_serverid }}/dse.ldif"
register: dirsrv_tls_enforced_initially_ssf
changed_when: false
failed_when: dirsrv_tls_enforced_initially_ssf.rc != 0 and dirsrv_tls_enforced_initially_ssf.rc != 1
tags: [ dirsrv_tls, dirsrv_cert, dirsrv_schema ] # Needed for all these tags

- name: Prepare LDAP auth data
tags: [ dirsrv_tls, dirsrv_cert, dirsrv_schema ] # Needed for all these tags
set_fact:
# LDAPI or binding port 389 without STARTTLS will fail, if TLS
# is enforced. But we can't bind on port 636 or use STARTTLS
# without checking: when the server has been just installed, no
# certificates and no TLS are available.
# The condition checks "secure-binds is on (found) OR minssf is not 0 (is set and is not 0)"
dirsrv_starttls_early: "{{ dirsrv_tls_enforced_initially_binds.rc == 0 \
or (dirsrv_tls_enforced_initially_ssf_set.rc == 0 and dirsrv_tls_enforced_initially_ssf.rc == 1) }}"

- name: Configure listen address
ldap_attrs:
server_uri: "{{ dirsrv_server_uri }}"
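Review bot: The `read LDAP server configuration` task slurps the whole dse.ldif into the registered variable `dirsrv_ldif_base64`, which Ansible prints in verbose runs and keeps as a host fact for the rest of the play; dse.ldif is the server's complete configuration and typically includes the root DN password hash, so add `no_log: true` to that slurp task. In the `check auth-related server configuration` step, when `nsslapd-minssf` is absent `regex_search` yields no match and the value then relies on the `int` filter in `dirsrv_tls_enforced_initially_ssf | int > 0` coercing a non-numeric string to 0; make that explicit with `regex_search('(?m)^nsslapd-minssf:.*$') | default('nsslapd-minssf: 0', true) |` before the `regex_replace`. The removed comment explaining why an early STARTTLS bind cannot be attempted unconditionally (no certificates on a freshly installed server) is worth keeping above `dirsrv_starttls_early`, since the new expression is harder to read than the old one. The hunk ends inside the `Configure listen address` task, so its remaining lines are not reviewed here.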
