tls: add script to restart slapd when renweing Le certificate

README.md

@@ -46,7 +46,7 @@ defined in vars/main.yml and vars/CentOS.yml
   * ldap_schemas     - list of additionnal schema names to load - default cosine
   * ldap_replication_consumer - bool -true to setup a replication consumer
   * ldap_replication_provider - bool -true to setup a replication provider
-  * ldap_replication_account - account used for replication
+  * ldap_replication_account_dn- account used for replication
   * ldap_replication_password - account password  used for replication
   - ldap_replication_provider_uri - ldap uri of provider server
   * ldap_have_ssl    - boolean - wether we use ssl or not

files/le_restart_slapd.sh

@@ -0,0 +1,3 @@
+#! /bin/bash
+
+/bin/systemctl restart slapd

meta/main.yml

@@ -46,6 +46,7 @@ galaxy_info:
     # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
     #       Maximum 20 tags per role.
 
-  dependencies: []
+  dependencies: 
+  - { role: tco.changelog, myrole_name: ansible_slapd }
   # List your role dependencies here, one per line. Be sure to remove the '[]' above,
   # if you add dependencies to this list.

tasks/import_ldap_schema.yml

@@ -1,9 +1,9 @@
 - name: check if schema is loaded
-  command: "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn"
+  ansible.builtin.command: "ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config dn"
   register: ldap_schema_list
   changed_when: false
 
 - name: import additional schemas
-  command: "ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldap_config_dir }}/schema/{{ schema }}.ldif"
+  ansible.builtin.command: "ldapadd -Y EXTERNAL -H ldapi:/// -f {{ ldap_config_dir }}/schema/{{ schema }}.ldif"
   when: schema not in ldap_schema_list.stdout
 

tasks/main.yml

@@ -2,40 +2,41 @@
 # tasks file for /etc/ansible/roles/slapd
 
 - name: get admin password from keepass
-  set_fact:
+  ansible.builtin.set_fact:
     ldap_admin_dn: "{{ lookup( 'viczem.keepass.keepass', '{{ group_names[0]}}/{{ inventory_hostname }}_ldap_admin', 'username' ) }}"
     ldap_admin_password: "{{ lookup( 'viczem.keepass.keepass', '{{ group_names[0]}}/{{ inventory_hostname }}_ldap_admin', 'password' ) }}"
   tags: always
+  when: ldap_admin_dn is not defined or ldap_admin_password is not defined
 
 - name: OS specific vars
-  include_vars: "{{ ansible_distribution }}.yml"
+  ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
   tags: always
 
 - name: CentOS8 stuff
   block:
   - name: CentOS 8 specific vars
-    include_vars: CentOS8.yml
+    ansible.builtin.include_vars: CentOS8.yml
 
   - name: configure Symas repo for CentOS8
-    get_url:
+    ansible.builtin.get_url:
       url:  https://repo.symas.com/configs/SOFL/rhel8/sofl.repo
       dest: /etc/yum.repos.d/sofl.repo
   when: ansible_distribution_major_version == 8 and ansible_distribution =='CentOS'
   tags: always
 
 - name: install
-  package:
+  ansible.builtin.package:
     name: "{{ ldap_packages }}"
     state: present
 
 - name: configure client
-  template:
+  ansible.builtin.template:
     src: ldap.conf
     dest: "{{ ldap_config_dir }}/"
     mode: 0644
 
 - name: activate service
-  service:
+  ansible.builtin.service:
     name: "{{ ldap_service }}"
     state: started
     enabled: yes
@@ -74,7 +75,7 @@
     ordered: true
 
 - name: reconfigure slapd - access to cn=config
-  ldap_attrs:
+  community.general.ldap_attrs:
     dn: olcDatabase={0}config,cn=config
     attributes:
       olcAccess:
@@ -85,7 +86,7 @@
     state: exact
 
 - name: reconfigure slapd - access to cn=monitor
-  ldap_attrs:
+  community.general.ldap_attrs:
     dn: olcDatabase={1}monitor,cn=config
     attributes:
       olcAccess:
@@ -97,13 +98,13 @@
   when: ansible_os_family == 'RedHat'
 
 - name: load additionnal schema
-  include_tasks: import_ldap_schema.yml
+  ansible.builtin.include_tasks: import_ldap_schema.yml
   loop: "{{ ldap_schemas }}"
   loop_control:
     loop_var: schema
 
 - name: create suffix
-  ldap_entry:
+  community.general.ldap_entry:
     server_uri: ldap://localhost
     bind_dn: "{{ ldap_admin_dn }}"
     bind_pw: "{{ ldap_admin_password }}"
@@ -113,7 +114,7 @@
       dc: "{{ ldap_domain }}"
 
 - name: create passwd file
-  copy:
+  ansible.builtin.copy:
     dest: "{{ ldap_secret_file }}"
     mode: 0600
     content: "{{ ldap_admin_password }}"
@@ -121,38 +122,38 @@
 - name: import data
   block:
   - name:  create initial directory
-    file:
+    ansible.builtin.file:
       path: /root/Ldif
       state: directory
       mode: 0700
 
   - name: send ldif files
-    template:
+    ansible.builtin.template:
       src: "{{ item }}"
       dest: /root/Ldif/
       mode: 0600
     loop: "{{ ldap_ldif_files }}"
 
   - name: get list of ldif files
-    find:
+    ansible.builtin.find:
       paths: /root/Ldif
       patterns: "*.ldif"
       file_type: file
     register: ldif_list
 
   - name: import ldif files
-    command: "ldapadd -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }} -f {{ item .path }}"
+    ansible.builtin.command: "ldapadd -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }} -f {{ item .path }}"
     with_items: "{{ ldif_list.files }}"
     ignore_errors: true
 
   when: ldap_ldif_files is defined
 
 - name: configure replication provider
-  include_tasks: replication_provider.yml
+  ansible.builtin.include_tasks: replication_provider.yml
   when: ldap_replication_provider
 
 - name: configure replication consumer
-  include_tasks: replication_consumer.yml
+  ansible.builtin.include_tasks: replication_consumer.yml
   when: ldap_replication_consumer
 
 # cannot use ldap_entry module because attr olcTLS* don't have equality matching
@@ -164,15 +165,25 @@
   block:
 
   - name: send ldif file
-    template:
+    ansible.builtin.template:
       src: ssl.ldif
       dest: /root/
 
   - name: import ldif
-    command: ldapmodify  -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }}  -f /root/ssl.ldif
+    ansible.builtin.command: ldapmodify  -c -y {{ ldap_secret_file }} -xD {{ ldap_admin_dn }}  -f /root/ssl.ldif
 
-  - name: configure url
+  - name: configure url - Debian
-    lineinfile:
+    when: ansible_os_family == 'Debian'
+    ansible.builtin.lineinfile:
+      path: /etc/default/slapd
+      regexp: '^SLAPD_SERVICES="ldap:/// ldapi:///"'
+      line: 'SLAPD_SERVICES="ldapi:/// ldap:/// ldaps:///"'
+      state: present
+    notify: restart_slapd
+
+  - name: configure url - RH
+    when: ansible_os_family == 'RedHat'
+    ansible.builtin.lineinfile:
       path: /etc/sysconfig/slapd
       regexp: '^SLAPD_URLS="ldapi:/// ldap:///"'
       line: 'SLAPD_URLS="ldapi:/// ldap:/// ldaps:///"'
@@ -180,9 +191,16 @@
     notify: restart_slapd
 
   - name: remove ldif
-    file:
+    ansible.builtin.file:
       path: /root/ssl.ldif
       state: absent
+
+  - name: restart slapd upon certificate renewal
+    ansible.builtin.copy:
+     src: le_restart_slapd.sh
+     dest: /etc/letsencrypt/renewal-hooks/post/service_slapd.sh
+     mode: 0700
+
   when: ldap_have_ssl
 
 - name: configure ldap aliases - 0/1
@@ -199,7 +217,7 @@
     line: source /root/.ldap_aliases.sh
 
 - name: add some entries
-  ldap_entry:
+  community.general.ldap_entry:
     dn: "{{ item.dn }}"
     objectClass: "{{ item.objectClass }}"
     attributes: "{{ item.attributes }}"
@@ -208,6 +226,20 @@
   when: ldap_entries is defined
   ignore_errors: true
 
+- name: touch /var/log/ldapaudit.log
+  ansible.builtin.file:
+   path: /var/log/ldapaudit.log
+   owner: "{{ ldap_user }}"
+   group: "{{ ldap_user }}"
+   state: touch
+  tags: auditlog
+
+- name: rotate /var/log/ldapaudit.log
+  tags: auditlog
+  ansible.builtin.template:
+   src: logrotate_auditlog
+   dest: /etc/logrotate.d/
+
 - name: setup backup
-  import_tasks: backup.yml
+  ansible.builtin.import_tasks: backup.yml
   tags: backup_ldap

tasks/replication_consumer.yml

@@ -1,19 +1,15 @@
 ---
 - name: add synrepl entry
-  ldap_attr:
+  community.general.ldap_attrs:
     dn: "{{ ldap_database }}"
-    name: "{{ item.name }}"
+    attributes:
-    values: "{{ item.value }}"
+     olcSyncRepl: |
-  loop:
-   - name: olcSyncRepl
-     value: |
       rid=001
        provider="{{ ldap_replication_provider_uri }}"
-       binddn="cn={{ ldap_replication_account }},{{ ldap_suffix }}"
+       binddn="{{ ldap_replication_account_dn }}"
        bindmethod="simple"
        credentials="{{ ldap_replication_password }}"
        searchbase="{{ ldap_suffix }}"
        type=refreshAndPersist
        retry="10 +"
-   - name: olcUpdateRef
+     olcUpdateRef: "{{ ldap_provider_uri }}"
-     value: "{{ ldap_provider_uri }}"

tasks/replication_provider.yml

@@ -1,19 +1,19 @@
 ---
 - name: create replication account
-  ldap_entry:
+  community.general.ldap_entry:
-    dn: "cn={{ ldap_replication_account }},{{ ldap_suffix }}"
+    dn: "{{ ldap_replication_account_dn }}"
     objectClass: person
     attributes:
-     sn: "{{ ldap_replication_account }}"
+     sn: "Replication"
      userPassword: "{{ ldap_replication_password }}"
-    params: "{{ ldap_auth }}"
+  args: "{{ ldap_auth }}"
 
 - name: check wether module is already loaded
   command: ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config   objectClass=olcModuleList olcmoduleload
   register: ldap_result
 
 - name: add syncprov overlay module
-  ldap_entry:
+  community.general.ldap_entry:
     dn: cn=module,cn=config
     objectClass: olcModuleList
     attributes:
@@ -22,7 +22,7 @@
   when: '"syncprov.la" not in  ldap_result.stdout'
 
 - name: add syncprov overlay config
-  ldap_entry:
+  community.general.ldap_entry:
     dn: olcOverlay=syncprov,{{ ldap_database }}
     objectClass: olcSyncProvConfig
     attributes:
@@ -31,15 +31,15 @@
       olcSpSessionLog: 200
 
 - name: configure serverid
-  ldap_attr:
+  community.general.ldap_attrs:
     dn: cn=config
-    name: olcServerId
+    attributes:
-    values: "{{ ldap_replication_server_id|default(42) }}"
+      olcServerId: "{{ ldap_replication_server_id|default(42) }}"
 
 - name: add indexes for replication
-  ldap_attr:
+  community.general.ldap_attrs:
-    dn: olcdatabase={2}hdb,cn=config
+    dn: "{{ ldap_database }}"
-    name: olcDbIndex
+    attributes:
-    values:
+      olcDbIndex:
-    - entryUUID eq
+      - entryUUID eq
-    - entryCSN eq
+      - entryCSN eq

template logrotate_auditlog

@@ -0,0 +1,7 @@
+/var/log/ldapaudit.log {
+  daily
+  create 640 {{ ldap_user }} {{ ldap_user }}
+  rotate 30
+  missingok
+  notifempty
+}

templates/logrotate_auditlog

@@ -0,0 +1,7 @@
+/var/log/ldapaudit.log {
+  daily
+  create 640 {{ ldap_user }} {{ ldap_user }}
+  rotate 30
+  missingok
+  notifempty
+}

templates/ssl.ldif

@@ -3,15 +3,18 @@ changetype: modify
 replace: olcTLSCertificateFile
 olcTLSCertificateFile: {{ ldap_ssl_cert_path }}
 -
+replace: olcTLSCACertificatePath
+olcTLSCACertificatePath: /etc/ssl/certs
+-
 replace: olcTLSCertificateKeyfile
 olcTLSCertificateKeyfile: {{ ldap_ssl_key_path }}
 -
-replace: olcTLSCipherSuite
+replace: olcTLSProtocolMin
-olcTLSCipherSuite: TLSv1+RSA:!NULL
+olcTLSProtocolMin: 3.3
 -
 replace: olctlsverifyclient
 olctlsverifyclient: never
 -
 replace: olctlscacertificatefile
-olctlscacertificatefile: {{ ldap_ssl_cacert_path }}
+olctlscacertificatefile: {{ ldap_ssl_cert_path }}
 

vars/CentOS8.yml

@@ -6,3 +6,5 @@ ldap_service: slapd
 ldap_user: ldap
 ldap_database: olcDatabase={2}hdb,cn=config
 ldap_module_dir: /usr/lib64/openldap/
+ldap_daemon_config: /etc/sysconfig/slapd
+ldap_daemon_url: SLAPD_URLS

vars/Debian.yml

@@ -7,3 +7,5 @@ ldap_packages:
   - python3-ldap
 ldap_service: slapd
 ldap_user: openldap
+ldap_daemon_config: /etc/default/slapd
+ldap_daemon_url: SLAPD_SERVICES=