From a016bec4d89fd2944db35cf4e3d0811ca56d5670 Mon Sep 17 00:00:00 2001 From: Martin Wilck Date: Wed, 28 Feb 2024 22:03:33 +0100 Subject: [PATCH 1/3] main.yml: use LDAPI to connect if possible LDAPI connections don't use TLS, even if TLS is required on regular sockets. (At least not if localssf is >= minssf). Therefore if LDAPI is enabled, it makes sense to use it to connect instead of using TLS over a regular socket, which is more error-prone (it fails if the certificate has expired, for example). Also, rather than running grep over dse.ldif, just read it in and examine it using native ansible code, which is considerably faster. --- tasks/main.yml | 69 ++++++++++++++++++++++++++------------------------ 1 file changed, 36 insertions(+), 33 deletions(-) diff --git a/tasks/main.yml b/tasks/main.yml index 92fe55d..11a35c4 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -14,41 +14,44 @@ when: dirsrv_tls_enforced | bool tags: [ dirsrv_tls ] -- name: Check if TLS is enforced (secure binds) - command: "grep \"nsslapd-require-secure-binds: on\" /etc/dirsrv/slapd-{{ dirsrv_serverid }}/dse.ldif" - register: dirsrv_tls_enforced_initially_binds - changed_when: false - failed_when: dirsrv_tls_enforced_initially_binds.rc != 0 and dirsrv_tls_enforced_initially_binds.rc != 1 +- block: + - name: read LDAP server configuration + slurp: + src: /etc/dirsrv/slapd-{{ dirsrv_serverid }}/dse.ldif + register: dirsrv_ldif_base64 + - name: check auth-related server configuration + set_fact: + dirsrv_ldapilisten_enabled: >- + {{ dirsrv_ldif_base64.content | b64decode | + regex_search('(?m)^nsslapd-ldapilisten:.*$') + == 'nsslapd-ldapilisten: on' }} + dirsrv_tls_ldapi_filepath: >- + {{ dirsrv_ldif_base64.content | b64decode | + regex_search('(?m)^nsslapd-ldapifilepath:.*$') | + regex_replace('^[^:]*: ', '') }} + dirsrv_tls_enforced_initially_binds: >- + {{ dirsrv_ldif_base64.content | b64decode | + regex_search('(?m)^nsslapd-require-secure-binds:.*$') + == 'nsslapd-require-secure-binds: on' }} + dirsrv_tls_enforced_initially_ssf: >- + {{ dirsrv_ldif_base64.content | b64decode | + regex_search('(?m)^nsslapd-minssf:.*$') | + regex_replace('^[^:]*: ', '') }} + dirsrv_ldapi_uri: >- + {{ "ldapi://" ~ + ( ( dirsrv_rundir | default("/var/run") ) ~ + "/slapd-" ~ dirsrv_serverid ~ ".socket" ) | quote_plus }} + - name: Prepare LDAP auth data + set_fact: + dirsrv_starttls_early: >- + {{ not dirsrv_ldapilisten_enabled and + ( dirsrv_tls_enforced_initially_binds or + dirsrv_tls_enforced_initially_ssf | int > 0 ) }} + dirsrv_server_uri: >- + {{ dirsrv_ldapi_uri if dirsrv_ldapilisten_enabled + else dirsrv_server_uri }} tags: [ dirsrv_tls, dirsrv_cert, dirsrv_schema ] # Needed for all these tags -# If nsslapd-minssf isn't set at all, it defaults to 0. -# So we have to check if it's defined... 
-- name: Check if TLS is enforced (minimum SSF is set) - command: "grep \"nsslapd-minssf:\" /etc/dirsrv/slapd-{{ dirsrv_serverid }}/dse.ldif" - register: dirsrv_tls_enforced_initially_ssf_set - changed_when: false - failed_when: dirsrv_tls_enforced_initially_ssf_set.rc != 0 and dirsrv_tls_enforced_initially_ssf_set.rc != 1 - tags: [ dirsrv_tls, dirsrv_cert, dirsrv_schema ] # Needed for all these tags - -# ...and if it's 0 or something else. -- name: Check if TLS is enforced (minimum SSF) - command: "grep \"nsslapd-minssf: 0\" /etc/dirsrv/slapd-{{ dirsrv_serverid }}/dse.ldif" - register: dirsrv_tls_enforced_initially_ssf - changed_when: false - failed_when: dirsrv_tls_enforced_initially_ssf.rc != 0 and dirsrv_tls_enforced_initially_ssf.rc != 1 - tags: [ dirsrv_tls, dirsrv_cert, dirsrv_schema ] # Needed for all these tags - -- name: Prepare LDAP auth data - tags: [ dirsrv_tls, dirsrv_cert, dirsrv_schema ] # Needed for all these tags - set_fact: - # LDAPI or binding port 389 without STARTTLS will fail, if TLS - # is enforced. But we can't bind on port 636 or use STARTTLS - # without checking: when the server has been just installed, no - # certificates and no TLS are available. - # The condition checks "secure-binds is on (found) OR minssf is not 0 (is set and is not 0)" - dirsrv_starttls_early: "{{ dirsrv_tls_enforced_initially_binds.rc == 0 \ - or (dirsrv_tls_enforced_initially_ssf_set.rc == 0 and dirsrv_tls_enforced_initially_ssf.rc == 1) }}" - - name: Configure listen address ldap_attrs: server_uri: "{{ dirsrv_server_uri }}" From 36c0920cc48e66d4830068d59ce3f196dd6c8bb2 Mon Sep 17 00:00:00 2001 
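Review bot: The "read LDAP server configuration" task registers the full base64 content of dse.ldif in `dirsrv_ldif_base64`, and dse.ldif typically also holds the `nsslapd-rootpw` hash, so the task result will land in verbose output and any callback or log sink; add `no_log: true` to that slurp task so only the derived facts are visible. The `dirsrv_tls_ldapi_filepath` fact read from `nsslapd-ldapifilepath` is never used: `dirsrv_ldapi_uri` is built from `dirsrv_rundir | default("/var/run")` instead, so if the server's configured socket path differs the LDAPI URI is wrong and every later bind fails; since keys of one set_fact cannot reference each other, build the URI in the following "Prepare LDAP auth data" set_fact from `dirsrv_tls_ldapi_filepath`, falling back to the constructed path when it is empty. When `nsslapd-minssf` is absent, `regex_search` returns no match and the value only becomes 0 through the `| int` filter's fallback on an unparseable string, which the removed comment used to state explicitly; make it explicit with `regex_search('(?m)^nsslapd-minssf:.*$') | default('nsslapd-minssf: 0', true)` before the `regex_replace`. The commit message also notes that LDAPI avoids TLS only when localssf is at least minssf, but nothing in the hunk reads `nsslapd-localssf`, so consider extracting it the same way and preferring LDAPI only when that holds.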
From: Martin Wilck Date: Wed, 28 Feb 2024 12:49:37 +0100 Subject: [PATCH 2/3] configure_authentication.yml: fix quoting in ldapi:// URI ldapi URLS must be quoted, otherwise connect will fail: $ ldapsearch -LLL -x -H ldapi://var/run/slapd-${INSTANCE}.socket ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) $ ldapsearch -LLL -x -H ldapi://%2Fvar%2Frun%2F${INSTANCE}.socket => works See e.g. https://www.openldap.org/doc/admin24/runningslapd.html Take advantage of the fact that we've set dirsrv_ldapi_uri correctly in main.yml already. --- tasks/configure_authentication.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/configure_authentication.yml b/tasks/configure_authentication.yml index 3f1a695..73fe7d1 100644 --- a/tasks/configure_authentication.yml +++ b/tasks/configure_authentication.yml @@ -31,7 +31,7 @@ rescue: - name: Configure LDAPI over LDAPI ldap_attrs: - server_uri: "ldapi:///{% if dirsrv_rundir is defined %}{{ dirsrv_rundir }}{% else %}/var/run{% endif %}/slapd-{{ dirsrv_serverid }}.socket" + server_uri: "{{ dirsrv_ldapi_uri }}" bind_dn: "{{ dirsrv_rootdn }}" bind_pw: "{{ dirsrv_rootdn_password }}" dn: "cn=config" From 2784fc22cae95382c467bb9293c4f2eaad4608d8 Mon Sep 17 00:00:00 2001 From: Martin Wilck Date: Thu, 29 Feb 2024 12:27:08 +0100 Subject: [PATCH 3/3] configure_tls_enforcing.yml: remove duplicate task The rescue task has identical parameter to the first one, remove it. --- tasks/configure_tls_enforcing.yml | 50 ++++++++++--------------------- 1 file changed, 16 insertions(+), 34 deletions(-) diff --git a/tasks/configure_tls_enforcing.yml b/tasks/configure_tls_enforcing.yml index bd16def..ae0e35f 100644 --- a/tasks/configure_tls_enforcing.yml +++ b/tasks/configure_tls_enforcing.yml 
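Review bot: `dirsrv_ldapi_uri` is a fact that main.yml sets only inside a block tagged `dirsrv_tls, dirsrv_cert, dirsrv_schema`, so if this file is included in a run where tag selection skips that block, the new `server_uri` is an undefined variable and this rescue task aborts with a template error instead of attempting the LDAPI bind. Either add an `assert` that `dirsrv_ldapi_uri is defined` ahead of the block, or keep a `| default(...)` fallback that builds the percent-encoded path the way main.yml does. The block/rescue structure this task belongs to starts outside the hunk, so I cannot see which tags apply to it.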
@@ -1,35 +1,17 @@ --- -- block: - - name: Configure enforcing of TLS - ldap_attrs: - server_uri: "{{ dirsrv_server_uri }}" - validate_certs: "{{ dirsrv_tls_certificate_trusted }}" - start_tls: "{{ dirsrv_tls_enforced }}" - bind_dn: "{{ dirsrv_rootdn }}" - bind_pw: "{{ dirsrv_rootdn_password }}" - dn: "cn=config" - attributes: - nsslapd-require-secure-binds: "{{ 'on' if dirsrv_tls_enabled and dirsrv_tls_enforced else 'off' }}" - nsslapd-minssf: "{{ dirsrv_tls_minssf if dirsrv_tls_enabled and dirsrv_tls_enforced else '0' }}" - nsslapd-localssf: "{{ dirsrv_tls_minssf if dirsrv_tls_enabled and dirsrv_tls_enforced else '0' }}" - state: exact - failed_when: false - tags: [ dirsrv_tls ] - register: dirsrv_restart_condition_tls_enforcing_1 - - rescue: - - name: Configure enforcing of TLS, over TLS - ldap_attrs: - server_uri: "{{ dirsrv_server_uri }}" - validate_certs: "{{ dirsrv_tls_certificate_trusted }}" - start_tls: "{{ dirsrv_tls_enforced }}" - bind_dn: "{{ dirsrv_rootdn }}" - bind_pw: "{{ dirsrv_rootdn_password }}" - dn: "cn=config" - attributes: - nsslapd-require-secure-binds: "{{ 'on' if dirsrv_tls_enabled and dirsrv_tls_enforced else 'off' }}" - nsslapd-minssf: "{{ dirsrv_tls_minssf if dirsrv_tls_enabled and dirsrv_tls_enforced else '0' }}" - nsslapd-localssf: "{{ dirsrv_tls_minssf if dirsrv_tls_enabled and dirsrv_tls_enforced else '0' }}" - state: exact - tags: [ dirsrv_tls ] - register: dirsrv_restart_condition_tls_enforcing_2 +- name: Configure enforcing of TLS + ldap_attrs: + server_uri: "{{ dirsrv_server_uri }}" + validate_certs: "{{ dirsrv_tls_certificate_trusted }}" + start_tls: "{{ dirsrv_tls_enforced }}" + bind_dn: "{{ dirsrv_rootdn }}" + bind_pw: "{{ dirsrv_rootdn_password }}" + dn: "cn=config" + attributes: + nsslapd-require-secure-binds: "{{ 'on' if dirsrv_tls_enforced else 'off' }}" + nsslapd-minssf: "{{ dirsrv_tls_minssf if dirsrv_tls_enforced else '0' }}" + nsslapd-localssf: "{{ dirsrv_tls_minssf if dirsrv_tls_enforced else '0' }}" + state: exact + 
failed_when: false + tags: [ dirsrv_tls ] + register: dirsrv_restart_condition_tls_enforcing_1
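Review bot: With the rescue removed, `failed_when: false` on the remaining task is the only error handling, so a refused bind, a certificate problem or a rejected modify leaves the server without `nsslapd-require-secure-binds`/`nsslapd-minssf` while the play reports success and `dirsrv_restart_condition_tls_enforcing_1` carries no failure; drop `failed_when: false` (the rescue it was paired with could never have triggered while it was set) or narrow it to a named condition on the registered result. The new attribute values also drop the `dirsrv_tls_enabled and` guard that both removed tasks had (`'on' if dirsrv_tls_enforced else 'off'`), which the commit message does not mention; unless the role asserts elsewhere that enforced implies enabled, a host with `dirsrv_tls_enforced` true and `dirsrv_tls_enabled` false would now require secure binds with no TLS listener, so either restore `'on' if dirsrv_tls_enabled and dirsrv_tls_enforced else 'off'` on the three attributes or state in the commit message why the guard is redundant.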