Changeset - e1f36d36827b
Branko Majic (branko) - 10 years ago 2015-09-16 23:35:30
branko@majic.rs
MAR-19: Fixed missing parameter for using TLS for LDAP connections in Prosody configuration template. Fixed LDAP client configurations, moving most of them out of the individual yml files into all.yml (so only the ldap server gets different config).
6 files changed with 20 insertions and 37 deletions:
roles/xmpp_server/templates/prosody.cfg.lua.j2
 
@@ -56,24 +56,25 @@ c2s_require_encryption = true
 
s2s_secure_auth = false
 

	
 
-- Path to Prosody's PID file.
 
pidfile = "/var/run/prosody/prosody.pid"
 

	
 
-- Authentication backend.
 
authentication = "ldap"
 
ldap_server = "{{ xmpp_ldap_server }}"
 
ldap_rootdn = "{{ xmpp_ldap_bind_dn }}"
 
ldap_password = "{{ xmpp_ldap_password }}"
 
ldap_filter = "{{ xmpp_ldap_filter }}"
 
ldap_scope = "{{ xmpp_ldap_scope }}"
 
ldap_tls = true
 
ldap_base = "{{ xmpp_ldap_base }}"
 

	
 
-- Storage backend.
 
storage = "internal"
 

	
 
-- Logging configuration.
 
log = {
 
  info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
 
  error = "/var/log/prosody/prosody.err";
 
  "*syslog";
 
}
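Review bot: `ldap_tls = true` is the only `ldap_*` setting in this block that is not driven by a template variable, and nothing records what it relies on: certificate verification for this connection presumably comes from the system LDAP client configuration (the `TLS_CACERT`/`TLS_REQCERT` options this same commit moves into all.yml) rather than from Prosody itself — confirm against the auth module actually in use. Suggest a comment above the line such as `-- Always use TLS towards the LDAP server; CA and certificate-verification policy come from the system LDAP client configuration (ldap.conf), not from Prosody.` Since `ldap_server` is a bare hostname template, the same comment should state, once confirmed, whether this negotiates StartTLS on the plain port or expects an ldaps endpoint, so that operators know which port must be reachable.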
 

	
testsite/group_vars/all.yml
 
@@ -36,13 +36,28 @@ os_groups:
 
common_packages:
 
  - emacs24-nox
 
  - screen
 
  - debconf-utils
 
  - colordiff
 
  - unzip
 

	
 
ca_certificates:
 
  - "{{ inventory_dir }}/tls/ca.pem"
 

	
 
incoming_connection_limit: 2/second
 

	
 
incoming_connection_limit_burst: 6
 
\ No newline at end of file
 
incoming_connection_limit_burst: 6
 

	
 
# Default LDAP client configuration.
 
ldap_client_config:
 
  - comment: Set the base DN
 
    option: BASE
 
    value: "{{ testsite_ldap_base }}"
 
  - comment: Set the default URI
 
    option: URI
 
    value: ldap://ldap.{{ testsite_domain }}/
 
  - comment: Set the LDAP TLS truststore
 
    option: TLS_CACERT
 
    value: /etc/ssl/certs/ca.pem
 
  - comment: Enforce TLS
 
    option: TLS_REQCERT
 
    value: demand
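Review bot: The `Enforce TLS` comment on the new `TLS_REQCERT` entry overstates what the option does: in OpenLDAP's ldap.conf, `TLS_REQCERT demand` controls how the server certificate is checked once a TLS session has been negotiated; it does not by itself make a client that connects to the plain `ldap://ldap.{{ testsite_domain }}/` URI two entries above start TLS. Whether each session is actually encrypted still depends on the individual consumer (for example Prosody's `ldap_tls`, and whatever the mail and web roles do with their own LDAP settings). Suggest `comment: Require a valid server certificate whenever TLS is negotiated`; the identical entry added in the ldap.yml section should get the same wording. If the intent is to refuse unencrypted connections altogether, that has to be enforced by the clients or on the server side — `ldap_server_ssf: 128` in the ldap.yml section looks like the server-side counterpart, though that is inferred from the name only.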
testsite/group_vars/ldap.yml
 
@@ -10,24 +10,27 @@ ldap_client_config:
 
  - comment: Set the base DN
 
    option: BASE
 
    value: "{{ testsite_ldap_base }}"
 
  - comment: Set the default URI
 
    option: URI
 
    value: ldapi:///
 
  - comment: Set the default bind DN
 
    option: BINDDN
 
    value: cn=admin,{{ testsite_ldap_base }}
 
  - comment: Set the LDAP TLS truststore
 
    option: TLS_CACERT
 
    value: /etc/ssl/certs/ca.pem
 
  - comment: Enforce TLS
 
    option: TLS_REQCERT
 
    value: demand
 

	
 
ldap_server_domain: "{{ testsite_domain }}"
 
ldap_server_organization: "Example Inc."
 
ldap_server_log_level: 256
 
ldap_server_tls_certificate: "{{ inventory_dir }}/tls/ldap.{{ testsite_domain }}_ldap.pem"
 
ldap_server_tls_key: "{{ inventory_dir }}/tls/ldap.{{ testsite_domain }}_ldap.key"
 
ldap_server_ssf: 128
 

	
 
ldap_permissions:
 
  - >
 
    to *
 
    by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
testsite/group_vars/mail.yml
 
---
 

	
 
ldap_client_config:
 
  - comment: Set the base DN
 
    option: BASE
 
    value: "{{ testsite_ldap_base }}"
 
  - comment: Set the default URI
 
    option: URI
 
    value: ldap://ldap.{{ testsite_domain }}/
 
  - comment: Set the LDAP TLS truststore
 
    option: TLS_CACERT
 
    value: /etc/ssl/certs/ca.pem
 

	
 
mail_ldap_url: ldap://ldap.{{ testsite_domain }}/
 
mail_ldap_tls_truststore: /etc/ssl/certs/ca.pem
 
mail_service_ldap_base_dn: "{{ testsite_ldap_base }}"
 
mail_ldap_postfix_password: postfix
 
mail_ldap_dovecot_password: dovecot
 

	
 
mail_user: vmail
 
mail_user_uid: 5000
 
mail_user_gid: 5000
 

	
 
imap_tls_certificate: "{{ inventory_dir }}/tls/mail.{{ testsite_domain }}_imap.pem"
 
imap_tls_key: "{{ inventory_dir }}/tls/mail.{{ testsite_domain }}_imap.key"
testsite/group_vars/web.yml
 
---
 

	
 
ldap_client_config:
 
  - comment: Set the base DN
 
    option: BASE
 
    value: "{{ testsite_ldap_base }}"
 
  - comment: Set the default URI
 
    option: URI
 
    value: ldap://ldap.{{ testsite_domain }}/
 
  - comment: Set the LDAP TLS truststore
 
    option: TLS_CACERT
 
    value: /etc/ssl/certs/ca.pem
 

	
 
local_mail_aliases:
 
  root: "root john.doe@{{ testsite_domain }}"
 

	
 
smtp_relay_host: mail.{{ testsite_domain }}
 

	
 
smtp_relay_truststore: /etc/ssl/certs/ca.pem
 

	
 
https_tls_key: "{{ inventory_dir }}/tls/web.{{ testsite_domain }}_https.key"
 
https_tls_certificate: "{{ inventory_dir }}/tls/web.{{ testsite_domain }}_https.pem"
 

	
 
web_default_title: "Welcome to Example Inc."
 
web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL."
testsite/group_vars/xmpp.yml
 
---
 

	
 
ldap_client_config:
 
  - comment: Set the base DN
 
    option: BASE
 
    value: "{{ testsite_ldap_base }}"
 
  - comment: Set the default URI
 
    option: URI
 
    value: ldapi:///
 
  - comment: Set the default bind DN
 
    option: BINDDN
 
    value: cn=admin,{{ testsite_ldap_base }}
 
  - comment: Set the LDAP TLS truststore
 
    option: TLS_CACERT
 
    value: /etc/ssl/certs/ca.pem
 

	
 
local_mail_aliases:
 
  root: "root john.doe@{{ testsite_domain }}"
 

	
 
smtp_relay_host: mail.{{ testsite_domain }}
 

	
 
smtp_relay_truststore: /etc/ssl/certs/ca.pem
 

	
 
xmpp_administrators:
 
  - john.doe@{{ testsite_domain }}
 

	
 
xmpp_tls_key: "{{ inventory_dir }}/tls/xmpp.{{ testsite_domain }}_xmpp.key"
 

	