Changeset - 430eb250e244
[Not reviewed]
0 4 0
Branko Majic (branko) - 7 years ago 2017-02-11 19:21:10
branko@majic.rs
MAR-90: Added option to ldap_server role for specifying TLS version/ciphers. Updated role reference documentation. Update usage instructions to mention the TLS ciphers/versions are configurable.
4 files changed with 12 insertions and 3 deletions:
0 comments (0 inline, 0 general)
docs/rolereference.rst
 
@@ -484,7 +484,7 @@ destination machine.
 
The role implements the following:
 

	
 
* Deploys LDAP TLS private key and certificate.
 
* Hardens TLS configuration by allowing only TLSv1.2 and PFS ciphers.
 
* Configures TLS versions and ciphers suppported by the server.
 
* Installs OpenLDAP server (package ``slapd``).
 
* Configures OpenLDAP server (base DN - domain, organisation, TLS, SSF, log levels).
 
* Sets-up separate log file for OpenLDAP server at ``/var/log/slapd.log`` (with
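Review bot: the added bullet has a typo ("suppported"), and by replacing the "Hardens TLS configuration" bullet it drops the one statement that told readers the shipped default is restrictive. Suggest ``* Configures TLS versions and ciphers supported by the server (by default only TLSv1.2 with PFS ciphers).`` so the hardening remains visible in the role summary while the new configurability is stated.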
 
@@ -643,6 +643,12 @@ Parameters
 
  Minimum *Security Strength Factor* to require from all incoming
 
  connections. This applies for both remote and local connections.
 

	
 
**ldap_tls_ciphers** (string, optional ``NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL``)
 
  TLS ciphers to enable on the LDAP server. This should be a GnuTLS-compatible
 
  cipher specification that should also include what TLS protocol versions
 
  should be used. Value should be compatible with OpenLDAP server option
 
  ``olcTLSCipherSuite``. Default value only TLSv1.2 and strong PFS ciphers.
 

	
 

	
 
Examples
 
~~~~~~~~
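Review bot: the last sentence of the parameter description is missing its verb ("Default value only TLSv1.2 and strong PFS ciphers"); suggest "The default value allows only TLSv1.2 and PFS cipher suites." Two things an operator overriding the parameter needs are not stated: the value replaces the whole ``olcTLSCipherSuite`` string rather than being merged, so an override must carry its own ``+VERS-TLS1.2`` term or the protocol-version restriction is silently lost; and the default enables the CBC suites (``+AES-128-CBC``, ``+AES-256-CBC``) alongside the AEAD ones, so either say so or describe the default more precisely than "strong". Since the parameter governs protocol versions as well as ciphers, the first sentence should say it is a GnuTLS priority string, not only "GnuTLS-compatible".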
docs/usage.rst
 
@@ -817,7 +817,8 @@ role.
 
  Of course, free feel to also test out the mail server using any mail client of
 
  your choice. When doing so, use port 587 for SMTP. Port 25 is reserved for
 
  unauthenticated server-to-server mail deliveries. TLS has also been hardened
 
  on port 587 to allow only TLSv1.2 and PFS ciphers.
 
  on port 587 to allow only TLSv1.2 and PFS ciphers (you can override TLS
 
  versions/ciphers via role configuration).
 

	
 

	
 
Setting-up mail relaying from web and backup servers
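Review bot: this paragraph describes the mail server on port 587, but the only option introduced by this changeset is ``ldap_tls_ciphers`` in the ldap_server role; none of the four changed files touch the mail server. Either point the parenthetical at whatever parameter actually controls the SMTP TLS settings (if the mail server role already exposes one, name it here) or drop it from this paragraph and add the equivalent sentence to the LDAP part of the usage instructions, naming ``ldap_tls_ciphers`` so the reader can find it in the role reference.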
roles/ldap_server/defaults/main.yml
 
@@ -32,3 +32,5 @@ ldap_permissions:
 
    by dn="cn=admin,{{ ldap_server_int_basedn }}" write
 
    by users read
 
    by * none
 

	
 
ldap_tls_ciphers: "NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
 
\ No newline at end of file
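Review bot: the added default leaves the file without a trailing newline ("\ No newline at end of file"); please terminate the line. A one-line comment above ``ldap_tls_ciphers`` stating that this is a GnuTLS priority string passed unchanged to ``olcTLSCipherSuite``, and that it restricts the protocol versions as well as the ciphers, would help operators who otherwise might paste an OpenSSL-style cipher list here.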
roles/ldap_server/tasks/main.yml
 
@@ -68,7 +68,7 @@
 

	
 
- name: Configure TLS for slapd (includes hardening)
 
  ldap_entry: dn=cn=config state=replace olcTLSCertificateFile="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ansible_fqdn }}_ldap.key"
 
              olcTLSCipherSuite="NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL"
 
              olcTLSCipherSuite="{{ ldap_tls_ciphers }}"
 
  notify:
 
    - Restart slapd
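Review bot: ``olcTLSCipherSuite="{{ ldap_tls_ciphers }}"`` is interpolated into the inline ``key=value`` argument string of ``ldap_entry``; the default contains no whitespace or quotes so it parses, but an override containing either would break argument parsing for the whole task. Suggest moving the task to YAML dictionary form (``olcTLSCipherSuite: "{{ ldap_tls_ciphers }}"``), which is also more readable than the three-line inline form. The supplied string is not validated anywhere: an invalid priority string is written into ``cn=config`` and the ``Restart slapd`` handler then fails, leaving the directory down, so a preceding check task (for example listing the suites with ``gnutls-cli -l --priority "{{ ldap_tls_ciphers }}"`` and failing on a non-zero exit) or at least a warning in the parameter docs would be worthwhile. The task name "(includes hardening)" is now only accurate for the default value.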
 

	