diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 4d8244da636486a66aff05a80343cbe8906aa330..0aca5e5ad2c2f72dc163a3817fbca5edc6f93721 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml @@ -13,9 +13,15 @@ user: name=openldap append=yes groups=ssl-cert register: openldap_in_ssl_cert -- name: Restart slapd if group membership has changed +- name: Restart slapd if group membership has changed (apply immediatelly) service: name=slapd state=restarted when: openldap_in_ssl_cert.changed + tags: + # [ANSIBLE0016] Tasks that run when changed should likely be handlers + # In order to be able to change LDAP server TLS configuration, it must be + # able to read both the private key and certificate. Therefore we need to + # immediatelly restart (since configuration is done live on the server. + - skip_ansible_lint - name: Install Python LDAP bindings apt: name=python-ldap state=installed 
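Review bot: The new comment block under `tags:` justifies the immediate restart with "it must be able to read both the private key and certificate", but the ssl-cert group does not grant read access to the key in this role — later the key is deployed as `group=openldap` mode 0640, so ssl-cert membership appears to matter only for traversing `/etc/ssl/private` (root:ssl-cert, 0710 on Debian-derived systems by default; confirm on the target). Stating that precisely would stop a future maintainer from "fixing" the key to `group=ssl-cert`. Also `immediatelly` is misspelled in both the task name and the comment. Suggested wording: `# openldap needs ssl-cert only to enter /etc/ssl/private; the key itself is root:openldap 0640. Supplementary groups apply to new processes only, and the TLS olc* attributes below are written live, so restart here instead of via a handler.`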
@@ -46,29 +52,29 @@ ldap_entry: dn=cn=config state=replace olcLogLevel="{{ ldap_server_log_level }}" - name: Test if LDAP misc schema has been applied - command: ldapsearch -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn + command: ldapsearch -H ldapi:/// -Q -LLL -A -Y EXTERNAL -b cn=schema,cn=config -s one '(cn={*}misc)' cn register: ldap_misc_schema_present changed_when: false - name: Deploy LDAP misc schema - command: ldapadd -Y EXTERNAL -f /etc/ldap/schema/misc.ldif + command: ldapadd -H ldapi:/// -Q -Y EXTERNAL -f /etc/ldap/schema/misc.ldif when: ldap_misc_schema_present.stdout == "" - name: Deploy LDAP TLS private key copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_ldap.key" content="{{ ldap_server_tls_key }}" - mode=640 owner=root group=openldap + mode=0640 owner=root group=openldap notify: - Restart slapd - name: Deploy LDAP TLS certificate copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" content="{{ ldap_server_tls_certificate }}" - mode=644 owner=root group=root + mode=0644 owner=root group=root notify: - Restart slapd - name: Deploy configuration file for checking certificate validity via cron copy: content="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" dest="/etc/check_certificate/{{ ansible_fqdn }}_ldap.conf" - owner=root group=root mode=644 + owner=root group=root mode=0644 - name: Configure TLS for slapd (includes hardening) ldap_entry: dn=cn=config state=replace olcTLSCertificateFile="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ansible_fqdn }}_ldap.key" 
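Review bot: The task `Deploy LDAP TLS private key` pushes `{{ ldap_server_tls_key }}` via `copy: content=` without `no_log: true`, so any run with `-v`, `--diff`, or a diff-emitting callback prints the PEM private key to the controller's output and whatever collects it; the mode change to `0640` does not affect this. Add `no_log: true` to that task (the certificate and the check_certificate config are public and can keep normal logging). With `no_log` set, the `register`/debug output of a failed copy is also suppressed, so keep the task's `name` descriptive enough to troubleshoot from.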
@@ -154,22 +160,22 @@ ldap_entry: "" args: dn: "{{ item.dn }}" - state: "{{ item.state | default(omit)}}" + state: "{{ item.state | default('present')}}" attributes: "{{ item.attributes }}" with_items: "{{ ldap_entries }}" - name: Deploy firewall configuration for LDAP - copy: src="ferm_ldap.conf" dest="/etc/ferm/conf.d/10-ldap.conf" owner=root group=root mode=640 + copy: src="ferm_ldap.conf" dest="/etc/ferm/conf.d/10-ldap.conf" owner=root group=root mode=0640 notify: - Restart ferm - name: Deploy temporary file with LDAP admin password template: src="ldap_admin_password.j2" dest="/root/.ldap_admin_password" - owner=root group=root mode=400 + owner=root group=root mode=0400 changed_when: False - name: Test if LDAP admin password needs to be changed - command: ldapwhoami -D "cn=admin,{{ ldap_server_int_basedn }}" -x -y /root/.ldap_admin_password + command: ldapwhoami -H ldapi:/// -D "cn=admin,{{ ldap_server_int_basedn }}" -x -y /root/.ldap_admin_password register: ldap_admin_password_check changed_when: ldap_admin_password_check.rc != 0 failed_when: False @@ -190,4 +196,4 @@ include: ../handlers/main.yml when: "handlers | default(False) | bool() == True" tags: - - handlers \ No newline at end of file + - handlers
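Review bot: In `Test if LDAP admin password needs to be changed`, `changed_when: ldap_admin_password_check.rc != 0` together with `failed_when: False` treats every failure as "password must be changed" — a stopped slapd, a missing `ldapi:///` socket, or a typo in `ldap_server_int_basedn` all return non-zero and would presumably drive the password-change step that follows this hunk (not visible here) with a fresh credential. OpenLDAP client tools exit with the LDAP result code, so invalid credentials is specifically 49; I would change the two lines to `changed_when: ldap_admin_password_check.rc == 49` and `failed_when: ldap_admin_password_check.rc not in [0, 49]` so connectivity and base-DN errors fail loudly instead. The preceding `template` task writing `/root/.ldap_admin_password` should also carry `no_log: true`, since `--diff` output of a template task includes the rendered secret; `mode=0400` protects it on disk but not in the run log.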