diff --git a/README.rst b/README.rst index fe9c08436e5afde443c71554c2e1f026c347697b..6f71c14202fea545ff834dc61690e311fd173e9d 100644 --- a/README.rst +++ b/README.rst @@ -16,9 +16,8 @@ Role Variables domain: '{{ ansible_domain }}' #LDAP domain, converted to ldap formatted. Defaults to the domain name of the machine. basedn: #LDAP base distinguished name, defaults to machine's domain converted to LDAP format. password: #Password for admin account, if blank a random password will be generated and saved under files/ldap_password. - tls_cert: #Certificate for LDAPS, if blank the self-signed snakeoil cert is used. + tls_cert: #Certificate for LDAPS, if blank the self-signed snakeoil cert is used. Intermediate certs need to be included in this file. tls_key: #Key for LDAPS, if blank the self-signed snakeoil key is used. - cipherlist: #Cipher list for GnuTLS, used for LDAPS connection. Dependencies ------------ diff --git a/defaults/main.yml b/defaults/main.yml index b4fa52db557812f15e0231519d6d3310d9b01580..1877485e2b74544bee4dacdc04ea331265d28f1c 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,4 +5,3 @@ organization: '{{ ansible_domain }}' domain: '{{ ansible_domain }}' basedn: 'dc={{ domain.split(".") | join(",dc=") }}' password: '{{ lookup("password", "ldap_password") }}' -cipherlist: '+AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-RSA:+DHE-RSA:+AEAD:+SHA1:+SHA256:+SHA384' diff --git a/handlers/main.yml b/handlers/main.yml index cfbcc159870dbb781343c46ec25b94edef8ef439..0b8895f0942dd5872121ba3949cd664d8e0b8948 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -9,3 +9,8 @@ - name: Reload UFW ufw: state: reloaded + +- name: Restart Apache + service: + name: apache2 + state: restarted diff --git a/tasks/main.yml b/tasks/main.yml index e1056e417e04507d68f65360315da4ad000b69ee..86b73128f207c55c374538d73554023a6abe3bbf 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -64,6 +64,7 @@ - slapd - phpldapadmin - gnutls-bin + - ssl-cert - name: Allow OpenLDAP access to the TLS key user: @@ -75,12 +76,12 @@ - name: Configure UFW ufw: - rule: allow - port: '{{ item }}' + rule: '{{ item[1] }}' + port: '{{ item[0] }}' proto: tcp - with_items: - - 22 - - 636 + with_nested: + - [ 22, 443, 636 ] + - [ 'allow', 'limit' ] - name: Configure UFW default policy ufw: @@ -121,6 +122,30 @@ notify: - Restart OpenLDAP +- name: Enable mod-ssl on Apache + apache2_module: + name: ssl + state: present + notify: + - Restart Apache + +- name: Disable default Apache site + file: + path: /etc/apache2/sites-enabled/000-default.conf + state: absent + notify: + - Restart Apache + +- name: Add phpLDAPadmin Apache site + template: + src: phpmyadmin.conf.j2 + dest: /etc/apache2/sites-enabled/phpmyadmin.conf + owner: root + group: root + mode: '0644' + notify: + - Restart Apache + - name: Add backup cron job cron: name: OpenLDAP daily backup diff --git a/templates/ldaps.ldif.j2 b/templates/ldaps.ldif.j2 index cb06d847cceda08a22151d43192bf84044baf41b..62669fb698b7533cd2b2258a695b6a987969425e 100644 --- a/templates/ldaps.ldif.j2 +++ b/templates/ldaps.ldif.j2 @@ -11,4 +11,4 @@ replace: olcTLSCertificateFile olcTLSCertificateFile: {{ internal_tls_cert }} - replace: olcTLSCipherSuite -olcTLSCipherSuite: {{ cipherlist }} +olcTLSCipherSuite: +AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-RSA:+DHE-RSA:+AEAD:+SHA1:+SHA256:+SHA384 diff --git a/templates/phpmyadmin.conf.j2 b/templates/phpmyadmin.conf.j2 new file mode 100644 index 0000000000000000000000000000000000000000..fa5adf5df9af459e11c582c08ac4c9e6f44c9d1a --- /dev/null +++ b/templates/phpmyadmin.conf.j2 
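Review bot: The `with_nested` in the Configure UFW task adds both an `allow` and a `limit` rule for each of 22, 443 and 636, and those two actions contradict each other: ufw normally treats a rule with the same match but a different action as an update of the existing rule ("Rule updated"), so whichever action runs second wins and each later play run flips it again — the effective policy becomes order-dependent and the task is never idempotent (verify on a target, but either way the pairing is not what a reviewer would expect). If the intent is rate-limiting for SSH and plain allow for the TLS ports, state one action per port, e.g. `with_items: [{port: 22, rule: limit}, {port: 443, rule: allow}, {port: 636, rule: allow}]` with `rule: '{{ item.rule }}'` and `port: '{{ item.port }}'`. Also consider whether 443, which now exposes the phpLDAPadmin admin UI, should be reachable from any source rather than restricted with `src:` to administrative networks.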
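Review bot: The new phpLDAPadmin vhost is written directly to `/etc/apache2/sites-enabled/phpmyadmin.conf` from `phpmyadmin.conf.j2` — the file is named after a different product than the one it configures, which will mislead anyone auditing the host, and bypassing `sites-available` means there is no `a2dissite` path to turn it off. Rename both to `phpldapadmin.conf`, deploy into `sites-available`, and enable with a `file: state: link` into `sites-enabled`. Separately, removing `000-default.conf` only drops the :80 vhost definition; nothing in this change touches `Listen 80` in ports.conf, and the Debian phpldapadmin package ships a global `Alias /phpldapadmin` under conf-enabled, so the login form is presumably still served over plain HTTP to anything ufw does not block — confirm, and either remove the `Listen 80` or add a :80 vhost that redirects to https.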
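Review bot: Hard-coding the GnuTLS priority string into `olcTLSCipherSuite` removes the only override an operator had (the `cipherlist` variable is dropped from defaults and the README at the same time), while the baked-in value still enables `+SHA1` MACs and the CBC suites and says nothing about protocol versions, so TLS 1.0/1.1 stay negotiable if the GnuTLS defaults on the target allow them. It is also unclear that a string beginning with `+AES-128-GCM` instead of an initial keyword (`NORMAL`, `SECURE128`, `NONE`) is interpreted as the author expects, since GnuTLS priority strings are keyword-first — check the result with `gnutls-cli --priority` against the running slapd. I would keep the variable and give it a hardened default instead, e.g. `cipherlist: 'SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-SHA1'`, so sites can still relax it where legacy clients require.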
@@ -0,0 +1,12 @@ + + DocumentRoot /usr/share/phpldapadmin + SSLEngine on + SSLCertificateFile {{ internal_tls_cert }} + SSLCertificateKeyFile {{ internal_tls_key }} + SSLProtocol all -SSLv2 -SSLv3 + SSLCipherSuite !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1; + SSLHonorCipherOrder on + SSLCompression off + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined +
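Review bot: `SSLCipherSuite` ends with `+SHA1;` — the semicolon is not an OpenSSL cipher-list separator, so that final token is either rejected at startup or silently ignored, in which case the SHA1 suites are not demoted as intended; drop the `;`. `SSLProtocol all -SSLv2 -SSLv3` still offers TLS 1.0 and 1.1 on an interface that accepts the directory admin password; prefer `SSLProtocol -all +TLSv1.2` unless a specific legacy client is known. The vhost also lacks a `ServerName` and an HSTS header (`Header always set Strict-Transport-Security "max-age=31536000"`, which needs mod_headers enabled alongside mod_ssl). The opening and closing `<VirtualHost>` lines appear to have been stripped from this rendering, so I cannot confirm the block binds to `*:443` only.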