[PR #6668/f3ecf4c7 backport][stable-7] ldap: Add client certificate support (#6696)

ldap: Add client certificate support (#6668) * Set up secure ldap server * ldap: Added client cert options Shamelessly copied from https://github.com/andrewshulgin/ldap_search * Added tests for ldap client authentication * Add changelog fragment * Make sure the openssl commands work on older versions of openssl * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Remove aliases for new arguments * Add required_together to ldap module declerations --------- Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit f3ecf4c7f8) Co-authored-by: Gnonthgol <gnonthgol+github@gmail.com>
2025-07-30 08:31:28 -07:00 · 2023-06-15 08:42:42 +02:00 · 2023-06-15 08:42:42 +02:00 · 94f23ee647
commit 94f23ee647
parent 7dcbb1ade4
12 changed files with 121 additions and 5 deletions
--- a/tests/integration/targets/setup_openldap/tasks/main.yml
+++ b/tests/integration/targets/setup_openldap/tasks/main.yml
@ -44,6 +44,22 @@
        cmd: "export DEBIAN_FRONTEND=noninteractive; cat /root/debconf-slapd.conf | debconf-set-selections; dpkg-reconfigure -f noninteractive slapd"
        creates: "/root/slapd_configured"

+    - name: Enable secure ldap
+      lineinfile:
+        path: /etc/default/slapd
+        regexp: "^SLAPD_SERVICES"
+        line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
+
+    - name: Create certificates
+      shell: |
+        openssl req -x509 -batch -sha256 -days 1825 -newkey rsa:2048 -nodes -keyout /root/ca.key -out /usr/local/share/ca-certificates/ca.crt
+        openssl req -batch -sha256 -days 365 -newkey rsa:2048 -subj "/CN=$(hostname)" -addext "subjectAltName = DNS:localhost" -nodes -keyout /etc/ldap/localhost.key -out /etc/ldap/localhost.csr
+        openssl x509 -req  -CA /usr/local/share/ca-certificates/ca.crt -CAkey /root/ca.key -CAcreateserial -in /etc/ldap/localhost.csr -out /etc/ldap/localhost.crt
+        chgrp openldap /etc/ldap/localhost.key
+        chmod 0640 /etc/ldap/localhost.key
+        openssl req -batch -sha256 -days 365 -newkey rsa:2048 -subj "/UID=ldaptest" -nodes -keyout /root/user.key -out /root/user.csr
+        openssl x509 -req  -CA /usr/local/share/ca-certificates/ca.crt -CAkey /root/ca.key -CAcreateserial -in /root/user.csr -out /root/user.crt
+
    - name: Start OpenLDAP service
      become: true
      service:
@ -61,10 +77,14 @@
        mode: '0644'
      loop:
        - rootpw_cnconfig.ldif
+        - cert_cnconfig.ldif
        - initial_config.ldif

    - name: Configure admin password for cn=config
-      shell: "ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/rootpw_cnconfig.ldif"
+      shell: "ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/{{ item }}"
+      loop:
+        - rootpw_cnconfig.ldif
+        - cert_cnconfig.ldif

    - name: Add initial config
      become: true