From e1f36d36827b607b66d667cb0b5f7fa5a04eb11a 2015-09-16 23:35:30
From: Branko Majic
Date: 2015-09-16 23:35:30
Subject: [PATCH] MAR-19: Fixed missing parameter for using TLS for LDAP connections in Prosody configuraiton template.

Fixed LDAP client configurations, moving most of them out of the individual yml files into all.yml (so only the ldap server gets different config).
---
diff --git a/roles/xmpp_server/templates/prosody.cfg.lua.j2 b/roles/xmpp_server/templates/prosody.cfg.lua.j2
index e6a403d68fb1770ce129fb441a36bccc3671d941..259fd6e824df0d871f87770c9c16a0700cb6d6dc 100644
--- a/roles/xmpp_server/templates/prosody.cfg.lua.j2
+++ b/roles/xmpp_server/templates/prosody.cfg.lua.j2
@@ -65,6 +65,7 @@ ldap_rootdn = "{{ xmpp_ldap_bind_dn }}"
 ldap_password = "{{ xmpp_ldap_password }}"
 ldap_filter = "{{ xmpp_ldap_filter }}"
 ldap_scope = "{{ xmpp_ldap_scope }}"
+ldap_tls = true
 ldap_base = "{{ xmpp_ldap_base }}"
 -- Storage backend.
diff --git a/testsite/group_vars/all.yml b/testsite/group_vars/all.yml
index 2cdfa0a62e94bbf9ddf7df81b146c1695c04893c..e37d3b30b06db03dcb81d0759d97e6afb677e348 100644
--- a/testsite/group_vars/all.yml
+++ b/testsite/group_vars/all.yml
@@ -45,4 +45,19 @@ ca_certificates:
 incoming_connection_limit: 2/second
-incoming_connection_limit_burst: 6
\ No newline at end of file
+incoming_connection_limit_burst: 6
+
+# Default LDAP client configuration.
+ldap_client_config:
+  - comment: Set the base DN
+    option: BASE
+    value: "{{ testsite_ldap_base }}"
+  - comment: Set the default URI
+    option: URI
+    value: ldap://ldap.{{ testsite_domain }}/
+  - comment: Set the LDAP TLS truststore
+    option: TLS_CACERT
+    value: /etc/ssl/certs/ca.pem
+  - comment: Enforce TLS
+    option: TLS_REQCERT
+    value: demand
diff --git a/testsite/group_vars/ldap.yml b/testsite/group_vars/ldap.yml
index e8d9aebdd8bb97d10d8b7fe6804897d662e5321e..350d5a2ddc79bdb6139d68ca9d43e879b5f0f886 100644
--- a/testsite/group_vars/ldap.yml
+++ b/testsite/group_vars/ldap.yml
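Review bot: `ldap_tls = true` is the one setting in this block that is a literal while every neighbouring `ldap_*` value is templated from an `xmpp_ldap_*` variable, and the line says nothing about what the flag buys. As far as I can tell the option only makes the module request StartTLS on the `ldap://` connection it opens; whether the LDAP server's certificate is then verified is not decided here but by the XMPP host's libldap client settings (the `TLS_CACERT`/`TLS_REQCERT` pair that this same commit moves into `ldap_client_config`), so the XMPP host must actually receive that group variable or the StartTLS session is unverified — worth confirming in the role. A comment on the new line would save the next reader that trip: `-- Request StartTLS on the LDAP connection; certificate verification follows the host's ldap.conf (TLS_CACERT/TLS_REQCERT).` If per-environment control is wanted, template it like its neighbours from a documented variable that defaults to `true` rather than adding a second hard-coded value later.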
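Review bot: The comment `Enforce TLS` on the new TLS_REQCERT entry overstates what the option does: `TLS_REQCERT` set to `demand` makes libldap require a valid, CA-verified server certificate once a TLS session has been negotiated, but with the default URI `ldap://ldap.{{ testsite_domain }}/` a client that never asks for StartTLS still talks plaintext and this setting is never consulted. Rename the comment to `Require a valid server certificate when TLS is used`; if the intent really is to make TLS mandatory, each consumer has to request StartTLS (as the Prosody `ldap_tls = true` change in this commit does) or the URI has to be `ldaps://`. The same entry and comment are added to `testsite/group_vars/ldap.yml`, whose `ldap_client_config` list starts outside that hunk. As a style point, quote the templated URI (`value: "ldap://ldap.{{ testsite_domain }}/"`) for consistency with the quoted BASE value above it.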
@@ -19,6 +19,9 @@ ldap_client_config:
   - comment: Set the LDAP TLS truststore
     option: TLS_CACERT
     value: /etc/ssl/certs/ca.pem
+  - comment: Enforce TLS
+    option: TLS_REQCERT
+    value: demand
 ldap_server_domain: "{{ testsite_domain }}"
 ldap_server_organization: "Example Inc."
diff --git a/testsite/group_vars/mail.yml b/testsite/group_vars/mail.yml
index 60c448619920c8720ce0472b7d00362f353d9d40..a930c71a29f3a2bbf2dc878d70aad3cf223c9c29 100644
--- a/testsite/group_vars/mail.yml
+++ b/testsite/group_vars/mail.yml
@@ -1,16 +1,5 @@
 ---
-ldap_client_config:
-  - comment: Set the base DN
-    option: BASE
-    value: "{{ testsite_ldap_base }}"
-  - comment: Set the default URI
-    option: URI
-    value: ldap://ldap.{{ testsite_domain }}/
-  - comment: Set the LDAP TLS truststore
-    option: TLS_CACERT
-    value: /etc/ssl/certs/ca.pem
-
 mail_ldap_url: ldap://ldap.{{ testsite_domain }}/
 mail_ldap_tls_truststore: /etc/ssl/certs/ca.pem
 mail_service_ldap_base_dn: "{{ testsite_ldap_base }}"
diff --git a/testsite/group_vars/web.yml b/testsite/group_vars/web.yml
index 0095ed20df91bb04dac68ef7738dd525dff0c696..05c38234cf7e21b6e1861152fa9405b3511cfe20 100644
--- a/testsite/group_vars/web.yml
+++ b/testsite/group_vars/web.yml
@@ -1,16 +1,5 @@
 ---
-ldap_client_config:
-  - comment: Set the base DN
-    option: BASE
-    value: "{{ testsite_ldap_base }}"
-  - comment: Set the default URI
-    option: URI
-    value: ldap://ldap.{{ testsite_domain }}/
-  - comment: Set the LDAP TLS truststore
-    option: TLS_CACERT
-    value: /etc/ssl/certs/ca.pem
-
 local_mail_aliases:
   root: "root john.doe@{{ testsite_domain }}"
diff --git a/testsite/group_vars/xmpp.yml b/testsite/group_vars/xmpp.yml
index f26c906a09b95700bd1244ce5deb30286bec94ad..e003fac54f42ec660698b849411b31b3affc31cd 100644
--- a/testsite/group_vars/xmpp.yml
+++ b/testsite/group_vars/xmpp.yml
@@ -1,19 +1,5 @@
 ---
-ldap_client_config:
-  - comment: Set the base DN
-    option: BASE
-    value: "{{ testsite_ldap_base }}"
-  - comment: Set the default URI
-    option: URI
-    value: ldapi:///
-  - comment: Set the default bind DN
-    option: BINDDN
-    value: cn=admin,{{ testsite_ldap_base }}
-  - comment: Set the LDAP TLS truststore
-    option: TLS_CACERT
-    value: /etc/ssl/certs/ca.pem
-
 local_mail_aliases:
   root: "root john.doe@{{ testsite_domain }}"