From a293945d04d533965b5273ddd4ed651851f5dd8a Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 11 Mar 2021 17:01:24 +0000
Subject: [PATCH] saslauthd: Fix LDAP mech

* Fix server address
* Force server certificate check
* Use client certificates for authenticating to LDAP
---
 roles/saslauthd/tasks/main.yml | 2 +-
 roles/saslauthd/templates/saslauthd.conf.j2 | 11 ++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/roles/saslauthd/tasks/main.yml b/roles/saslauthd/tasks/main.yml
index e769f58..a0bab05 100644
--- a/roles/saslauthd/tasks/main.yml
+++ b/roles/saslauthd/tasks/main.yml
@@ -19,7 +19,7 @@
 template:
 dest: /etc/saslauthd.conf
 src: saslauthd.conf.j2
- mode: 0644
+ mode: 0640
 owner: root
 group: "{{ ansible_wheel }}"
 notify: restart saslauthd
diff --git a/roles/saslauthd/templates/saslauthd.conf.j2 b/roles/saslauthd/templates/saslauthd.conf.j2
index 740e768..e6df18c 100644
--- a/roles/saslauthd/templates/saslauthd.conf.j2
+++ b/roles/saslauthd/templates/saslauthd.conf.j2
@@ -1,2 +1,11 @@
-ldap_servers: {{ ldap_server }}
+ldap_servers: {% for server in ldap_server %}ldaps://{{ server }} {% endfor %}
+
 ldap_search_base: {{ ldap_basedn }}
+
+ldap_tls_check_peer: yes
+ldap_tls_cacert_file: {{ tls_bundle }}
+
+ldap_use_sasl: yes
+ldap_mech: EXTERNAL
+ldap_tls_cert: {{ tls_certs }}/{{ inventory_hostname }}.crt
+ldap_tls_key: {{ tls_private }}/{{ inventory_hostname }}.key
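Review bot: `mode: 0640` is an unquoted leading-zero literal; Ansible's loader reads it as octal, but ansible-lint's risky-octal rule and YAML 1.2 (where `0640` is decimal 640) both argue for the quoted form `mode: "0640"` so the intent survives any loader or reformatter. The tighter mode makes sense now that the rendered file names this host's client certificate and key paths, though nothing in the hunk shows which user saslauthd reads the file as — if it does not run as root, root:wheel 0640 would lock it out, so that is worth confirming on the target. The enclosing task starts outside the hunk.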
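Review bot: The new `ldap_use_sasl: yes` / `ldap_mech: EXTERNAL` pair is a global setting for saslauthd's LDAP binds and the template sets no `ldap_auth_method`, so the default `bind` method is in effect; if the installed saslauthd honours `ldap_use_sasl` for the per-user rebind as well as the initial search bind (worth confirming against the LDAP_SASLAUTHD notes shipped with the package), an EXTERNAL bind is satisfied by this host's client certificate rather than by the password being checked. Before relying on this, verify with `testsaslauthd` that a known-bad password for a real account is rejected; if it is not, the client certificate cannot be used as the user-bind mechanism and the search bind needs a different credential. Separately, `{% for server in ldap_server %}` now assumes `ldap_server` is a list — an inventory that still sets it as a single string is iterated character by character; `{% for server in ([ldap_server] if ldap_server is string else ldap_server) %}` keeps both shapes working. The rendered `ldap_servers` value also ends in a trailing space from the loop, which the whitespace-separated parser tolerates but `{% if not loop.last %} {% endif %}` would avoid.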