Changeset - 3907a5157ef8
[Not reviewed]
Branko Majic (branko) - 8 years ago 2016-01-24 15:43:33
branko@majic.rs
MAR-49: Implemented TLS hardening for the LDAP server role.
2 files changed with 4 insertions and 1 deletion:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -449,6 +449,8 @@ destination machine.
 
The role implements the following:
 

	
 
* Deploys LDAP TLS private key and certificate.
 
* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers. **Note:**
 
  older clients may have problems connecting.
 
* Installs OpenLDAP server (package ``slapd``).
 
* Configures OpenLDAP server (base DN - domain, organisation, TLS, SSF, log levels).
 
* Sets-up separate log file for OpenLDAP server at ``/var/log/slapd.log`` (with
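Review bot: the new bullet understates what the hardening in roles/ldap_server/tasks/main.yml actually restricts, and the "older clients" note gives operators nothing to act on. Besides TLSv1.2 and forward-secret key exchange, the priority string in the task also limits certificate types and signatures to RSA (`+CTYPE-X509`, `+SIGN-RSA-SHA256/384/512`, `+DHE-RSA:+ECDHE-RSA`), so an ECDSA server certificate deployed via ``ldap_server_tls_certificate`` will not negotiate at all; that constraint belongs in the role reference next to the TLS key/certificate bullet. The note would be more useful if it said which clients are affected (anything without TLSv1.2 support) and whether the cipher list can be overridden; as the task hunk stands the string is hardcoded, so the documentation should say so, or the task should gain a variable and the bullet should name it.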
roles/ldap_server/tasks/main.yml
 
@@ -60,8 +60,9 @@
 
  notify:
 
    - Restart slapd
 

	
 
- name: Configure TLS for slapd
 
- name: Configure TLS for slapd (includes hardening)
 
  ldap_entry: dn=cn=config state=replace olcTLSCertificateFile="/etc/ssl/certs/{{ ldap_server_tls_certificate | basename }}" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ldap_server_tls_key | basename }}"
 
              olcTLSCipherSuite="NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
 
  notify:
 
    - Restart slapd
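Review bot: the GnuTLS priority string is hardcoded into the task, which contradicts the "older clients may have problems connecting" caveat added in docs/rolereference.rst, since an operator who hits that problem has no supported way to relax it without editing the role. Suggest moving the value into a role variable (for example a hypothetical `ldap_server_tls_cipher_suite`, named here only as a suggestion) with this string as the default, and referencing it as `olcTLSCipherSuite="{{ ldap_server_tls_cipher_suite }}"`. Two smaller points on the string itself: `+AES-128-CBC:+AES-256-CBC` keeps non-AEAD suites alongside the GCM ones, so either drop them or add a comment saying they are retained for compatibility, otherwise the "hardening" claim in the task name is only partly true; and the single-line `ldap_entry:` invocation is now long enough that the YAML mapping form (one key per line) would make future changes to the priority string reviewable in a diff.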
 