saslauthd: Fix LDAP mech

* Fix server address * Force server certificate check * Use client certificates for authenticating to LDAP
2021-03-11 17:01:24 +00:00 · 2021-03-11 17:01:24 +00:00 · a293945d04
commit a293945d04
parent 61633eb07b
2 changed files with 11 additions and 2 deletions
--- a/roles/saslauthd/tasks/main.yml
+++ b/roles/saslauthd/tasks/main.yml
@ -19,7 +19,7 @@
      template:
        dest: /etc/saslauthd.conf
        src: saslauthd.conf.j2
-        mode: 0644
+        mode: 0640
        owner: root
        group: "{{ ansible_wheel }}"
      notify: restart saslauthd
--- a/roles/saslauthd/templates/saslauthd.conf.j2
+++ b/roles/saslauthd/templates/saslauthd.conf.j2
@ -1,2 +1,11 @@
-ldap_servers: {{ ldap_server }}
+ldap_servers: {% for server in ldap_server %}ldaps://{{ server }} {% endfor %}
+
 ldap_search_base: {{ ldap_basedn }}
+
+ldap_tls_check_peer: yes
+ldap_tls_cacert_file: {{ tls_bundle }}
+
+ldap_use_sasl: yes
+ldap_mech: EXTERNAL
+ldap_tls_cert: {{ tls_certs }}/{{ inventory_hostname }}.crt
+ldap_tls_key: {{ tls_private }}/{{ inventory_hostname }}.key