hmm01i
8/12/2017 - 1:13 AM

setup ldaps for 389 DS

setup ldaps for 389 DS

ldaps.yml
content_copyfile_download
---
# ansible code documenting steps to setup ssl certs for 389DS / RHDS
- set_fact:
    dirsrv_root: "/etc/dirsrv/slapd-{{ dirsrv_server_id }}"
  tags:
    - dirsrv
    - dirsrv-ssl

- name: certdb password file (temporary)
  copy:
    content: "{{dirsrv_certdb_pw}}"
    dest: "/root/dirsrv-setup/certdb_pw"
  no_log: true
  tags:
    - dirsrv
    - dirsrv-ssl

- name: create pin file
  copy:
    content: "Internal (Software) Token:{{dirsrv_certdb_pw}}"
    dest: "{{dirsrv_root }}/pin.txt"
  no_log: true
  tags:
    - dirsrv
    - dirsrv-ssl

- name: create certdb
  command: "certutil -N -d {{ dirsrv_root }} -f /root/dirsrv-setup/certdb_pw"
  args:
    creates: "{{dirsrv_root}}/cert8.db"
  tags:
    - dirsrv
    - dirsrv-ssl

- name: generate selfsigned certs
  command: "openssl req -new -x509 -nodes -newkey rsa:2048 -keyout {{ dirsrv_root }}/dirsrv.key -out {{ dirsrv_root }
}/dirsrv.crt -days 365 -sha256 -subj '/CN={{ansible_fqdn}}' -extensions v3_ca"
  args:
    creates: "{{ dirsrv_root }}/dirsrv.key"
  tags:
    - dirsrv
    - dirsrv-ssl

- name: export cert and key to pk21
  command: "openssl pkcs12 -export -in {{ dirsrv_root }}/dirsrv.crt -inkey {{ dirsrv_root }}/dirsrv.key -password 'fi
le:/root/dirsrv-setup/certdb_pw' -out {{ dirsrv_root }}/server-cert.p12 -name server-cert"
  args:
    creates: "{{ dirsrv_root }}/server-cert.p12"
  tags:
    - dirsrv
    - dirsrv-ssl

- name: import to nssdb
  command: "pk12util -d {{ dirsrv_root }} -i {{ dirsrv_root }}/server-cert.p12 -w /root/dirsrv-setup/certdb_pw -k /ro
ot/dirsrv-setup/certdb_pw"
  tags:
    - dirsrv
    - dirsrv-ssl

- name: trust selfsigned
  command: "certutil -M -d {{ dirsrv_root }} -n server-cert -t Cu,u,u"
  tags:
    - dirsrv
    - dirsrv-ssl

- name: ldif to enable ssl
  template:
    src: ssl.ldif.j2
    dest: "/root/dirsrv-setup/ssl.ldif"
  tags:
    - dirsrv
    - dirsrv-ssl

- name: (ldapmodify) enable ssl
  command: "{{ ldapmodify_cmd }} /root/dirsrv-setup/ssl.ldif"
  register: ldap_result
  failed_when: "(ldap_result.rc != 0) and (ldap_result.rc != 20) and (ldap_result.rc != 68)"
  no_log: true
  notify:
    - restart services
  tags:
    - dirsrv
    - dirsrv-ssl
###
# ssl.ldif
###
#dn: cn=encryption,cn=config
#changetype: modify
#replace: nsSSL3
#nsSSL3: off
#-
#replace: nsSSL2
#nsSSL2: off
#
#dn: cn=RSA,cn=encryption,cn=config
#changetype: add
#objectClass: top
#objectClass: nsEncryptionModule
#nsSSLPersonalitySSL: server-cert
#nsSSLActivation: on
#nsSSLToken: internal (software)
#cn: RSA