Skip to content
/ ansible-ldap-client Public

Ansible role to set up a generic proxy for LDAP clients to handle client certificates

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

s-hamann/ansible-ldap-client

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits

defaults

defaults

 
 

handlers

handlers

 
 

meta

meta

 
 

tasks

tasks

 
 

templates

templates

 
 

vars

vars

 
 

README.md

README.md

 
 

Repository files navigation

LDAP Client

This role prepares the system to connect to an LDAP directory which requires a client certificate. For this purpose, stunnel is set up as a local proxy which accepts unencrypted LDAP traffic and forwards it to the directory server via an encrypted connection. This proxy handles the client certificate, but not binding to the directory itself.

Requirements

The client certificate and matching private key need to be present on the target system. This roles does not handle generating or deploying them.

Role Variables

  • ldap_client_extra_groups
    A list of groups that the stunnel system user is added to. This allows granting access to additional resources, such as the private key file. All groups need to exist on the target system; this role does not create them. Empty by default.
  • ldap_client_inaccessible_paths
    If the target system uses systemd, this option takes a list of paths, that should not be accessible at all for stunnel. Regardless of this option, home directories are made inaccessible and the rest of the file system is mostly read-only. Optional.
  • ldap_client_server
    The LDAP server host name or IP address to proxy to. The system needs to support the LDAPS protocol; STARTTLS is not sufficient. Mandatory.
  • ldap_client_trusted_ca
    Path to a file containing the PEM-encoded X.509 certificate of the LDAP server's issuing CA. If not set, the system's certificate store is used.
  • ldap_client_tls_cert
    Path to a PEM-encoded X.509 client certificate for stunnel to use. The file needs to exist and be readable by the stunnel user. Mandatory.
  • ldap_client_tls_cert_key
    Path to the PEM-encoded private key file for the certificate. The file needs to exist and be readable by the stunnel user. Mandatory.
  • ldap_client_tls13_only
    If set to true this role attempt enforcing TLSv1.3 only. If the target system's OpenSSL version does not support TLSv1.3 or if ldap_client_tls13_only is false, TLSv1.2 is enforced as the minimal supported protocol version. Defaults to false.

Example Playbook

- hosts: servers
  roles:
    - role: ldap-client
      become: true
      ldap_client_servers:
        - ldap.example.org
      ldap_client_tls_cert: /etc/ssl/private/client.pem
      ldap_client_tls_cert_key: /etc/ssl/private/client.key

License

MIT

About

Ansible role to set up a generic proxy for LDAP clients to handle client certificates

Topics

tls stunnel ansible-role ldap-client client-certificate

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages