Add support for LDAP with STARTTLS #11

Open
wants to merge 17 commits into
base: master

Conversation

actionjack

What

The version of the bennojoy/openldap_server role that we use does not support the following:

  • LDAP with STARTTLS
  • Using your own Certificate Authority signed SSL certificates
  • Using a custom version of a CA Certificate file bundle

This PR intends to fix that

How this PR should be reviewed

This PR has been crafted with the aid of dainty white mice wearing pink slippers to be reviewed with the following narrative:

  • I want to:
    • Support all types of LDAP connection rather than just LDAPI and LDAPS (which has been deprecated)
    • Remove long and difficult to read lines of code and also make certain options like the hostname & expiry date overrideable
    • Parameterise the default SSL key size since the default is quite low by today's standards
    • Optionally use my own SSL private key
    • Optionally use my own SSL certificate
    • Optionally download a valid CA certificate bundle
    • Optionally use a TLSCACertificateFile on my LDAP server, so I can supply a valid CA certificate chain file if I ever want to use a valid SSL certificate
    • Update the documentation with new variables and fix any mistakes in the previous ones
    • Add a vagrant environment so I can test my changes in a disposable environment rather than on the live server
    • Invoke The Boy Scout Rule and remove all the white space littered around the campground

How to test this PR

A vagrant box has been provided for local testing, simply just:

vagrant up

You modify the site.yml to test the variables and run:

vagrant provision

actionjack and others added 17 commits November 4, 2015 10:41
Support LDAP with plain LDAP and LDAP with STARTTLS
The creation and signing shell command is quite long and difficult to
read so I have split over a number of lines.
It is also fairly opinionated i.e. in that the:

* Common Name will always be the server's `ansible_hostname` so
  I have made it an overridable parameter.
* The SSL certificate expiry date is forcibly set to 10 years
The default ssl keylength is quite low by today's standards.
We may want to provide our own private key rather than have one
generated on the first run.
We may want to use an SSL certificate that is not self-signed.
Download an official Certificate Authority certificate chain file.
The current cacert bundle is hardcoded and we may want to download our
own version of the cacert bundle.
This command was quite hard to read/review.
…icates_for_the_apcera_test

[#107033028] Add support for LDAP with STARTTLS
This file belongs in the ldap-server-ansible repo, not here.
…wnload_url

[#107033028] Parameterising CA Cert download URL
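As an added illustration of the certificate step these commits describe (not code from this PR or the openldap_server role), a POSIX shell stand-in that takes the three values the PR makes overridable (CN, expiry in days, RSA key size) as arguments, plus checks a reviewer can run against the produced certificate. It assumes the openssl CLI is installed; the function and file names are assumptions, not the role's own variables.

```shell
#!/bin/sh
# Added example, not code from this PR or the openldap_server role.
# Stand-in for the role's certificate creation step with the three
# values the PR makes overridable (CN, expiry in days, RSA key size)
# passed as arguments; names are assumptions, not the role's variables.

# gen_selfsigned <out_dir> <common_name> <days> <key_bits>
# Writes ldap.key and ldap.crt into out_dir. The subshell umask keeps
# the private key 0600 without changing the caller's umask.
gen_selfsigned() {
  ( umask 077
    openssl req -x509 -nodes -newkey "rsa:$4" -days "$3" -subj "/CN=$2" \
      -keyout "$1/ldap.key" -out "$1/ldap.crt" 2>/dev/null )
}

# cert_cn <crt>: print the CN from the certificate subject
# (handles both the "CN = x" and the "/CN=x" subject formats)
cert_cn() {
  openssl x509 -in "$1" -noout -subject \
    | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# cert_bits <crt>: print the RSA modulus size, so a too-small default
# key (the concern raised in the commits) is visible at review time
cert_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's|.*Public-Key: (\([0-9]*\) bit).*|\1|p'
}

# cert_valid_for_days <crt> <days>: exit 0 if the certificate is still
# valid that many days from now, non-zero otherwise. Lets a deployer
# confirm the expiry matches what they configured rather than the
# hard-coded 10 years the original command used.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```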
3 participants