From 253ea568696dd1a35da13bceea2953bcb1e097fa Mon Sep 17 00:00:00 2001
From: Adar Nimrod
Date: Tue, 20 Oct 2015 13:01:19 +0300
Subject: [PATCH] Since OpenLDAP uses gnuTLS and Apache uses OpenSSL, it's silly to keep 2 cipher list variables so the current (gnuTLS) cipher list variable is removed. Apache now uses HTTPS with the same key as OpenLDAP. All open ports are now rate limited.

---
 README.rst | 3 +--
 defaults/main.yml | 1 -
 handlers/main.yml | 5 +++++
 tasks/main.yml | 35 ++++++++++++++++++++++++++++++-----
 templates/ldaps.ldif.j2 | 2 +-
 templates/phpmyadmin.conf.j2 | 12 ++++++++++++
 6 files changed, 49 insertions(+), 9 deletions(-)
 create mode 100644 templates/phpmyadmin.conf.j2

diff --git a/README.rst b/README.rst
index fe9c084..6f71c14 100644
--- a/README.rst
+++ b/README.rst
@@ -16,9 +16,8 @@ Role Variables
 domain: '{{ ansible_domain }}' #LDAP domain, converted to ldap formatted. Defaults to the domain name of the machine.
 basedn: #LDAP base distinguished name, defaults to machine's domain converted to LDAP format.
 password: #Password for admin account, if blank a random password will be generated and saved under files/ldap_password.
- tls_cert: #Certificate for LDAPS, if blank the self-signed snakeoil cert is used.
+ tls_cert: #Certificate for LDAPS, if blank the self-signed snakeoil cert is used. Intermediate certs need to be included in this file.
 tls_key: #Key for LDAPS, if blank the self-signed snakeoil key is used.
- cipherlist: #Cipher list for GnuTLS, used for LDAPS connection.
 
 Dependencies
 ------------
diff --git a/defaults/main.yml b/defaults/main.yml
index b4fa52d..1877485 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -5,4 +5,3 @@ organization: '{{ ansible_domain }}'
 domain: '{{ ansible_domain }}'
 basedn: 'dc={{ domain.split(".") | join(",dc=") }}'
 password: '{{ lookup("password", "ldap_password") }}'
-cipherlist: '+AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-RSA:+DHE-RSA:+AEAD:+SHA1:+SHA256:+SHA384'
diff --git a/handlers/main.yml b/handlers/main.yml index cfbcc15..0b8895f 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -9,3 +9,8 @@ - name: Reload UFW ufw: state: reloaded + +- name: Restart Apache + service: + name: apache2 + state: restarted diff --git a/tasks/main.yml b/tasks/main.yml index e1056e4..86b7312 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -64,6 +64,7 @@ - slapd - phpldapadmin - gnutls-bin + - ssl-cert - name: Allow OpenLDAP access to the TLS key user: @@ -75,12 +76,12 @@ - name: Configure UFW ufw: - rule: allow - port: '{{ item }}' + rule: '{{ item[1] }}' + port: '{{ item[0] }}' proto: tcp - with_items: - - 22 - - 636 + with_nested: + - [ 22, 443, 636 ] + - [ 'allow', 'limit' ] - name: Configure UFW default policy ufw: @@ -121,6 +122,30 @@ notify: - Restart OpenLDAP +- name: Enable mod-ssl on Apache + apache2_module: + name: ssl + state: present + notify: + - Restart Apache + +- name: Disable default Apache site + file: + path: /etc/apache2/sites-enabled/000-default.conf + state: absent + notify: + - Restart Apache + +- name: Add phpLDAPadmin Apache site + template: + src: phpmyadmin.conf.j2 + dest: /etc/apache2/sites-enabled/phpmyadmin.conf + owner: root + group: root + mode: '0644' + notify: + - Restart Apache + - name: Add backup cron job cron: name: OpenLDAP daily backup diff --git a/templates/ldaps.ldif.j2 b/templates/ldaps.ldif.j2 index cb06d84..62669fb 100644 --- a/templates/ldaps.ldif.j2 +++ b/templates/ldaps.ldif.j2 @@ -11,4 +11,4 @@ replace: olcTLSCertificateFile olcTLSCertificateFile: {{ internal_tls_cert }} - replace: olcTLSCipherSuite -olcTLSCipherSuite: {{ cipherlist }} +olcTLSCipherSuite: +AES-128-GCM:+AES-256-GCM:+AES-128-CBC:+AES-256-CBC:+ECDHE-RSA:+DHE-RSA:+AEAD:+SHA1:+SHA256:+SHA384 diff --git a/templates/phpmyadmin.conf.j2 b/templates/phpmyadmin.conf.j2 new file mode 100644 index 0000000..fa5adf5 --- /dev/null +++ b/templates/phpmyadmin.conf.j2 
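Review bot: The `with_nested` loop in the Configure UFW hunk adds, for each port, an `allow` rule and then a `limit` rule, and ufw evaluates user rules in the order they were added, so the earlier `allow` accepts the connection before the `limit` rule is consulted; unless ufw reorders them (worth confirming with `ufw status numbered` on a target), the commit's goal that all open ports are rate limited is not met. Since `limit` already permits traffic and only adds a per-source connection-rate cap, the `allow` entry is redundant; one rule per port is enough: `rule: limit`, `port: '{{ item }}'`, `with_items: [22, 443, 636]`. The cap then also applies to 443 and 636, where many clients behind one NAT address can trip it, so a short comment on the task stating that this trade-off is intentional for the LDAPS and HTTPS ports would help the next reader.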
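Review bot: In the Add phpLDAPadmin Apache site hunk the template is named `phpmyadmin.conf.j2` and lands as `/etc/apache2/sites-enabled/phpmyadmin.conf`, which names a different application and writes straight into `sites-enabled` instead of `sites-available` plus an enable step. I would rename both to `phpldapadmin.conf` / `phpldapadmin.conf.j2`, template to `/etc/apache2/sites-available/phpldapadmin.conf`, and add a `file` task with `state: link` for the `sites-enabled` entry, so `a2dissite` and package tooling behave as administrators expect. Removing `000-default.conf` also leaves nothing serving port 80, which is consistent with the UFW task not opening it, but a one-line comment on the Disable default Apache site task saying that plain HTTP is intentionally not served would save a later check.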
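Review bot: `olcTLSCipherSuite` is now a literal GnuTLS priority string in the template, so a role user who wants a different policy (for example dropping the `+AES-128-CBC`, `+AES-256-CBC` and `+SHA1` entries, which keep the CBC/SHA1 suites enabled) has to edit the template rather than set a variable, and nothing in the file explains the choice. Even with the variable gone, record the rationale above the line in a Jinja comment so it is not emitted into the LDIF: `{# GnuTLS priority string for slapd (not OpenSSL syntax); CBC/SHA1 entries retained for client compatibility — confirm before tightening #}`. The string is the same as the removed default, so behaviour should be unchanged, but since it starts with `+` and no base keyword, verifying what slapd actually negotiates with `gnutls-cli -l --priority` on the target would be prudent.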
@@ -0,0 +1,12 @@
+
+ DocumentRoot /usr/share/phpldapadmin
+ SSLEngine on
+ SSLCertificateFile {{ internal_tls_cert }}
+ SSLCertificateKeyFile {{ internal_tls_key }}
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLCipherSuite !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1;
+ SSLHonorCipherOrder on
+ SSLCompression off
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
-- GitLab
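Review bot: The `SSLCipherSuite` line ends in a `;`, which is not a separator in OpenSSL cipher-list syntax; it is most likely read as part of the final token, so the `+SHA1` ordering directive is lost and on some OpenSSL versions the whole directive is rejected at startup — drop it: `SSLCipherSuite !kRSA:!3DES:!RC4:!DES:!MD5:!aNULL:!NULL:AESGCM+ECDH:AES256+ECDH:AES128:+SHA1`. The first and last added lines are empty in this rendering, presumably the `<VirtualHost>` open and close tags, so I cannot confirm which address and port the site binds to or whether a `ServerName` is set. The README hunk says intermediate certificates go into `tls_cert`; Apache reads a chain from `SSLCertificateFile` only from 2.4.8 on, while older releases need `SSLCertificateChainFile`, so either the README should state the minimum Apache version or the template should add that directive. Since this vhost is the only way to reach the admin UI, a `Header always set Strict-Transport-Security "max-age=31536000"` line (with `mod_headers` enabled the same way `ssl` is enabled in tasks) would keep browsers from ever trying plain HTTP.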