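---
# Install the lego-issued server certificate where slapd will read it.
# NOTE(review): inventory_hostname is a magic variable that is always defined,
# so the `default(cert_domain)` fallback never takes effect and the path is
# always built from the hostname; confirm whether
# `cert_domain | default(inventory_hostname)` was the intent before changing it.
# NOTE(review): the "Configure TLS cert" task refers to this file via
# ldap_cert_path; confirm that variable resolves to the dest below.
- name: Copy TLS cert into place
  copy:
    src: "/root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.crt"
    dest: /etc/openldap/certs/ldap.crt
    owner: ldap
    group: ldap
    # Quoted: an unquoted leading-zero literal is parsed as an integer by YAML
    # and only works by accident; Ansible documents quoting octal modes.
    mode: "0600"
    remote_src: true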
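# Install the certificate's private key; readable by the ldap user only.
# NOTE(review): as in the cert task, inventory_hostname is always defined, so
# `default(cert_domain)` never applies — confirm the intended precedence.
# NOTE(review): the "Configure TLS cert" task refers to this file via
# ldap_key_path; confirm that variable resolves to the dest below.
# NOTE(review): slapd reads key/cert at startup; check that a reload or
# restart follows a changed key (no handler is visible in this file).
- name: Copy cert private key into place
  copy:
    src: "/root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.key"
    dest: /etc/openldap/certs/ldap.key
    owner: ldap
    group: ldap
    # Quoted so YAML does not turn the leading-zero literal into an integer.
    mode: "0600"
    remote_src: true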
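# Point slapd at the installed certificate/key and pin the TLS policy.
# Binds over the local socket with SASL EXTERNAL, so no password is needed.
- name: Configure TLS cert
  community.general.ldap_attrs:
    dn: cn=config
    # `exact` rather than `present`: the olcTLS* attributes are single-valued,
    # so `present` errors when a different value is already set (e.g. when the
    # cipher string or file path changes) instead of replacing it.
    state: exact
    attributes:
      olcTLSCertificateFile: "{{ ldap_cert_path }}"
      olcTLSCertificateKeyFile: "{{ ldap_key_path }}"
      olcTLSProtocolMin: "3.3"  # TLS 1.2+
      # OpenSSL cipher-list syntax; a slapd built against GnuTLS expects a
      # GnuTLS priority string instead — TODO confirm the TLS library in use.
      olcTLSCipherSuite: "HIGH:!aNULL:!MD5"
    # Connection parameters live with the other module arguments instead of a
    # separate task-level `args:` mapping; Ansible merges them identically.
    server_uri: ldapi:///
    sasl_class: external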
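# Refuse connections to the directory database that are not protected by TLS.
- name: Require TLS
  community.general.ldap_attrs:
    # The {2} index is the database's position in cn=config on this host;
    # confirm it matches the target deployment before running elsewhere.
    dn: "olcDatabase={2}mdb,cn=config"
    # olcSecurity is single-valued; `exact` replaces any existing value rather
    # than failing on it the way `present` would.
    state: exact
    attributes:
      # NOTE(review): tls= checks the TLS SSF specifically, so ldapi:/// access
      # to this database would presumably be refused too; confirm intended.
      olcSecurity: tls=1
    server_uri: ldapi:///
    sasl_class: external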