Merge pull request CactuseSecurity#4098 from tpurschke/fix/v8/ldap-conf

v8 fix revert changes to ldap.conf

Author: tpurschke

inventory/group_vars/all.yml

@@ -94,6 +94,7 @@ ldap_manager_pwd_file: "{{ fworch_secrets_dir }}/ldap_manager_pwd"
 middleware_hostname: "127.0.0.1"
 ldif_changetype: add
 middleware_service_name: "{{ product_name }}-middleware"
+openldap_server_enable_ssl: true
 
 # middleware web server
 middleware_web_listener_port: 8888

roles/middleware/tasks/main.yml

@@ -106,6 +106,8 @@
     server_uri: "{{ openldap_url }}"
     bind_dn: "{{ openldap_superuser_dn }}"
     bind_pw: "{{ ldap_manager_pwd }}"
+    validate_certs: "{{ openldap_server_enable_ssl | ternary(false, omit) }}"
+    ca_path: "{{ openldap_server_enable_ssl | ternary(openldap_server_cert, omit) }}"
   when: installation_mode == 'new'
 
 - name: set importer user password randomly
@@ -139,6 +141,8 @@
     server_uri: "{{ openldap_url }}"
     bind_dn: "{{ openldap_superuser_dn }}"
     bind_pw: "{{ ldap_manager_pwd }}"
+    validate_certs: "{{ openldap_server_enable_ssl | ternary(false, omit) }}"
+    ca_path: "{{ openldap_server_enable_ssl | ternary(openldap_server_cert, omit) }}"
   when: installation_mode == 'new'
 
 - name: Set {{ openldap_readonly_user_name }} password in ldap
@@ -148,6 +152,8 @@
     server_uri: "{{ openldap_url }}"
     bind_dn: "{{ openldap_superuser_dn }}"
     bind_pw: "{{ ldap_manager_pwd }}"
+    validate_certs: "{{ openldap_server_enable_ssl | ternary(false, omit) }}"
+    ca_path: "{{ openldap_server_enable_ssl | ternary(openldap_server_cert, omit) }}"
   when: installation_mode == "new"
 
 - name: Set "{{ openldap_writer_name }}" password in ldap
@@ -157,6 +163,8 @@
     server_uri: "{{ openldap_url }}"
     bind_dn: "{{ openldap_superuser_dn }}"
     bind_pw: "{{ ldap_manager_pwd }}"
+    validate_certs: "{{ openldap_server_enable_ssl | ternary(false, omit) }}"
+    ca_path: "{{ openldap_server_enable_ssl | ternary(openldap_server_cert, omit) }}"
   when: installation_mode == "new"
 
 - name: Set {{ audit_user }} password in ldap
@@ -166,6 +174,8 @@
     server_uri: "{{ openldap_url }}"
     bind_dn: "{{ openldap_superuser_dn }}"
     bind_pw: "{{ ldap_manager_pwd }}"
+    validate_certs: "{{ openldap_server_enable_ssl | ternary(false, omit) }}"
+    ca_path: "{{ openldap_server_enable_ssl | ternary(openldap_server_cert, omit) }}"
   when: audit_user is defined and auditor_initial_pwd is defined and installation_mode=='new'
 
 - name: insert admin tenant0 to database

roles/middleware/tasks/set_initial_ldap_tree.yml

@@ -2,6 +2,19 @@
   set_fact:
     ldif_changetype: add
 
+- name: build ldap tls options
+  set_fact:
+    ldap_tls_opts: >-
+      {% if openldap_server_enable_ssl | default(false) -%}
+      -o TLS_REQCERT=never{% if openldap_server_cert is defined %} -o TLS_CACERT={{ openldap_server_cert }}{% endif %}
+      {%- endif %}
+    ldap_cmd_url: >-
+      {% if openldap_server_enable_ssl | default(false) -%}
+      ldaps://{{ openldap_server }}:{{ openldap_port | default(636) }}
+      {%- else -%}
+      ldap://{{ openldap_server }}:{{ (openldap_port | default(389) | int == 636) | ternary(389, openldap_port | default(389)) }}
+      {%- endif %}
+
 - name: copy the ldif templates to system
   template:
     src: "{{ item }}"
@@ -14,7 +27,7 @@
   become: true
 
 - name: add tree
-  command: "ldapmodify -H {{ openldap_url }} -D {{ openldap_superuser_dn }} -w {{ ldap_manager_pwd }} -x -f {{  middleware_ldif_dir }}/tree_{{ item }}.ldif"
+  command: "ldapmodify {{ ldap_tls_opts }} -H {{ ldap_cmd_url }} -D {{ openldap_superuser_dn }} -w {{ ldap_manager_pwd }} -x -f {{  middleware_ldif_dir }}/tree_{{ item }}.ldif"
   loop:
     - level_0
     - level_1

roles/middleware/tasks/upgrade/5.4.1.yml

@@ -21,3 +21,5 @@
     server_uri: "{{ openldap_url }}"
     bind_dn: "{{ openldap_superuser_dn }}"
     bind_pw: "{{ ldap_manager_pwd }}"
+    validate_certs: "{{ openldap_server_enable_ssl | ternary(false, omit) }}"
+    ca_path: "{{ openldap_server_enable_ssl | ternary(openldap_server_cert, omit) }}"

roles/middleware/tasks/upgrade_modify_routine.yml

@@ -7,32 +7,45 @@
     group: "{{ fworch_group }}"
   become: true
 
+- name: build ldap tls options
+  set_fact:
+    ldap_tls_opts: >-
+      {% if openldap_server_enable_ssl | default(false) -%}
+      -o TLS_REQCERT=never{% if openldap_server_cert is defined %} -o TLS_CACERT={{ openldap_server_cert }}{% endif %}
+      {%- endif %}
+    ldap_cmd_url: >-
+      {% if openldap_server_enable_ssl | default(false) -%}
+      ldaps://{{ openldap_server }}:{{ openldap_port | default(636) }}
+      {%- else -%}
+      ldap://{{ openldap_server }}:{{ (openldap_port | default(389) | int == 636) | ternary(389, openldap_port | default(389)) }}
+      {%- endif %}
+
 - name: determine distinguished name and changetype
   set_fact:
     distinguished_name: "{{ item.splitlines()[0] }}"
     changetype: "{{ item.split('changetype: ')[1].splitlines()[0] }}"
 
 - name: test if distinguished name exists
   # error code 32, when searchbase not existing
-  command: "ldapsearch -H {{ openldap_url }} -D {{ openldap_superuser_dn }} -w {{ ldap_manager_pwd }} -b {{ distinguished_name }}"
+  command: "ldapsearch {{ ldap_tls_opts }} -H {{ ldap_cmd_url }} -D {{ openldap_superuser_dn }} -w {{ ldap_manager_pwd }} -b {{ distinguished_name }}"
   #become: true
   register: search_existence
   failed_when: (search_existence.rc != 0) and (search_existence.rc != 32)
 
 - name: add ldap entry if not existing
-  command: "ldapmodify -H {{ openldap_url }} -D {{ openldap_superuser_dn }} -w {{ ldap_manager_pwd }} -x -f {{ middleware_ldif_dir }}/{{ outer_item }}_{{ item.split(',')[0] }}.ldif"
+  command: "ldapmodify {{ ldap_tls_opts }} -H {{ ldap_cmd_url }} -D {{ openldap_superuser_dn }} -w {{ ldap_manager_pwd }} -x -f {{ middleware_ldif_dir }}/{{ outer_item }}_{{ item.split(',')[0] }}.ldif"
   when: (changetype == 'add') and (search_existence.stdout.split('result:')[1].splitlines()[0] is match('.*No such object'))
   #become: true
 
 - name: delete ldap entry if existing
   # dont delete in case numEntries > 1, otherwise ldap nodes are disconected
-  command: "ldapmodify -H {{ openldap_url }} -D {{ openldap_superuser_dn }} -w {{ ldap_manager_pwd }} -x -f {{ middleware_ldif_dir }}/{{ outer_item }}_{{ item.split(',')[0] }}.ldif"
+  command: "ldapmodify {{ ldap_tls_opts }} -H {{ ldap_cmd_url }} -D {{ openldap_superuser_dn }} -w {{ ldap_manager_pwd }} -x -f {{ middleware_ldif_dir }}/{{ outer_item }}_{{ item.split(',')[0] }}.ldif"
   when: (changetype == 'delete') and (search_existence.stdout.split('# numEntries:')[1].splitlines()[0] is match('\s1'))
   #become: true
 
 - name: modify ldap entry if existing
   # error code 20, when attribute already exists
-  command: "ldapmodify -H {{ openldap_url }} -D {{ openldap_superuser_dn }} -w {{ ldap_manager_pwd }} -x -f {{ middleware_ldif_dir }}/{{ outer_item }}_{{ item.split(',')[0] }}.ldif"
+  command: "ldapmodify {{ ldap_tls_opts }} -H {{ ldap_cmd_url }} -D {{ openldap_superuser_dn }} -w {{ ldap_manager_pwd }} -x -f {{ middleware_ldif_dir }}/{{ outer_item }}_{{ item.split(',')[0] }}.ldif"
   register: modify_out
   when: (changetype == 'modify') and (search_existence.stdout.split('# numEntries:')[1].splitlines()[0] is match('\s1'))
   #become: true