Deploy CA in all components for the TLS LDAP connection (#65)

5b12af70 · David Coutadeur · d023f38d · 5b12af70 · 5b12af70 · 5b12af70
Commit 5b12af70 authored 7 months ago by David Coutadeur
--- a/.env
+++ b/.env
+#LDAP_CA_CERTIFICATE_FILE=./run/volumes/ldap-tls/ca.crt
+LDAP_CA_CERTIFICATE_FILE=
+#LDAP_CERTIFICATE_FILE=./run/volumes/ldap-tls/openldap.crt
+LDAP_CERTIFICATE_FILE=
+#LDAP_CERTIFICATE_KEY=./run/volumes/ldap-tls/openldap.key
+LDAP_CERTIFICATE_KEY=
--- a/Makefile
+++ b/Makefile
@@ -33,6 +33,11 @@ IDBASE="fusioniam-database"
 IDFDB="fusioniam-fusiondirectory-php-fpm"
 IDFDF="fusioniam-fusiondirectory-nginx"
+# LDAP certificates path
+include .env
+LDAP_CA_CERTIFICATE_FILE ?= /dev/null
+LDAP_CERTIFICATE_FILE ?= /dev/null
+LDAP_CERTIFICATE_KEY ?= /dev/null
 ################################################################################
 # Run commands
@@ -55,7 +60,9 @@ runldap: startnet
 		--env-file=./run/ENVVAR.example \
 		-v $(PWD)/run/volumes/ldap-data:/usr/local/openldap/var/openldap-data \
 		-v $(PWD)/run/volumes/ldap-config:/usr/local/openldap/etc/openldap/slapd.d \
-		-v $(PWD)/run/volumes/ldap-tls:/usr/local/openldap/etc/openldap/tls \
+                -v $(PWD)/$(LDAP_CA_CERTIFICATE_FILE):/usr/local/openldap/etc/openldap/tls/ca.crt:ro \
+                -v $(PWD)/$(LDAP_CERTIFICATE_FILE):/usr/local/openldap/etc/openldap/tls/openldap.crt:ro \
+                -v $(PWD)/$(LDAP_CERTIFICATE_KEY):/usr/local/openldap/etc/openldap/tls/openldap.key:ro \
 		--rm=true \
 		--network=fusioniam-net \
 		--network-alias=fusioniam-directory-server \
@@ -71,6 +78,7 @@ runwp: startnet
 	$(CTN) run \
 		--env-file=./run/ENVVAR.example \
 		-v $(PWD)/run/volumes/wp-run:/run/php-fpm/ \
+                -v $(PWD)/$(LDAP_CA_CERTIFICATE_FILE):/etc/openldap/ca.crt:ro \
 		--rm=true \
 		--network=fusioniam-net \
 		--name=fusioniam-white-pages-php-fpm \
@@ -100,6 +108,7 @@ runsd: startnet
 	$(CTN) run \
 		--env-file=./run/ENVVAR.example \
 		-v $(PWD)/run/volumes/sd-run:/run/php-fpm/ \
+                -v $(PWD)/$(LDAP_CA_CERTIFICATE_FILE):/etc/openldap/ca.crt:ro \
 		--rm=true \
 		--network=fusioniam-net \
 		--name=fusioniam-service-desk-php-fpm \
@@ -129,6 +138,7 @@ runfd: startnet
 	$(CTN) run \
 		--env-file=./run/ENVVAR.example \
 		-v $(PWD)/run/volumes/fd-run:/run/php-fpm/ \
+                -v $(PWD)/$(LDAP_CA_CERTIFICATE_FILE):/etc/openldap/ca.crt:ro \
 		--rm=true \
 		--network=fusioniam-net \
 		--name=fusioniam-fusiondirectory-php-fpm \
@@ -173,6 +183,7 @@ runlemon: startnet
 		-v $(PWD)/run/volumes/llng-run:/run/llng-fastcgi-server \
 		-v $(PWD)/run/volumes/llng-cache:/var/cache/lemonldap-ng \
 		-v $(PWD)/run/volumes/llng-keys:/etc/lemonldap-ng-keys \
+                -v $(PWD)/$(LDAP_CA_CERTIFICATE_FILE):/etc/lemonldap-ng/ca.crt:ro \
 		--rm=true \
 		--network=fusioniam-net \
 		--name=fusioniam-access-manager-fastcgi-server \
@@ -266,3 +277,4 @@ enterlemon:
 enterfd:
 		$(CTN) exec --user 0 -it $(IDFDB) /bin/bash
--- a/README.md
+++ b/README.md
@@ -77,8 +77,11 @@ Configuration parameters are set as environment variables.
 | FUSIONDIRECTORY_WS_PASSWORD             | Password of webservice account                |
 | FUSIONDIRECTORY_WS_USERNAME             | Identifier of webservice account              |
 | LDAP_HOST                               | Hostname of LDAP server                       |
-| LDAP_PORT                               | Port of LDAP server                           |
+| LDAP_PORT                               | Port for services to join the LDAP server     |
 | LDAP_PROTO                              | LDAP protocol (ldap or ldaps)                 |
+| LDAP_TLS                                | Deploy TLS parameters at first run            |
+| LDAP_TLS_PROTOCOL_MIN                   | Minimal TLS protocol for LDAP server          |
+| LDAP_TLS_CIPHER_SUITE                   | Cipher suite for LDAP server                  |
 | LEMONLDAP2_LDAP_PASSWORD                | Password of LL::NG service account            |
 | LEMONLDAP2_LDAP_USERNAME                | Identifier of LL::NG service account          |
 | LEMONLDAP2_LOGFILE                      | If defined, also push logs to this path       |
@@ -130,11 +133,6 @@ Configuration parameters are set as environment variables.
 | WHITEPAGES_NAME                         | Virtual host name for WP                      |
 | WHITEPAGES_PORT                         | Internal port for WP                          |
 | LEMONLDAP2_LOCAL_PORT                   | port local de LemonLDAP                       |
-| LDAP_TLS                                | Deploy TLS parameters at first run            |
-| LDAP_CERTIFICATE_FILE                   | Path to certificate file for LDAP server      |
-| LDAP_CERTIFICATE_KEY                    | Path to certificate key file for LDAP server  |
-| LDAP_TLS_PROTOCOL_MIN                   | Minimal TLS protocol for LDAP server          |
-| LDAP_TLS_CIPHER_SUITE                   | Cipher suite for LDAP server                  |
 An example in this file is available in `run/ENVVAR.example`.
@@ -203,11 +201,28 @@ openssl genrsa -out run/volumes/llng-keys/oidc.key 4096
 openssl rsa -pubout -in run/volumes/llng-keys/oidc.key -out run/volumes/llng-keys/oidc_pub.key
 ```
-If you wish to enable TLS parameters with `LDAP_TLS=true`, you will also need a certificate. You can generate a self-signed one with:
+If you wish to enable TLS parameters with `LDAP_TLS=true`, you will also need a certificate. You can generate a CA and a certificate with the following commands:
 ```
-openssl req -new -newkey rsa:4096 -keyout run/volumes/ldap-tls/key.pem -nodes -out run/volumes/ldap-tls/cert.pem -x509 -days 3650
+openssl req -new -newkey rsa:4096 -keyout run/volumes/ldap-tls/ldap_tls_ca_certificate_file.key -nodes -out run/volumes/ldap-tls/ldap_tls_ca_certificate_file.crt -x509 -days 3650
+openssl genrsa -out run/volumes/ldap-tls/key.pem 4096
+# Take care to define the CN to LDAP_HOST content (fusioniam-directory-server)
+openssl req -new -key run/volumes/ldap-tls/key.pem > run/volumes/ldap-tls/cert.csr
+openssl x509 -req -in run/volumes/ldap-tls/cert.csr -out run/volumes/ldap-tls/cert.pem -CA run/volumes/ldap-tls/ldap_tls_ca_certificate_file.crt -days 3650 -CAkey run/volumes/ldap-tls/ldap_tls_ca_certificate_file.key
 ```
+In `.env` file (used for evaluating variables when running containers):
+* `LDAP_CA_CERTIFICATE_FILE`: path to the ca certificate for ldap server on the host system. It will be mounted in OpenLDAP container in /usr/local/openldap/etc/openldap/tls/ca.crt, in the white-pages, service-desk, and fusion-directory php-fpm containers in /etc/openldap/ca.crt, and in lemonldap-ng fastcgi container in /etc/lemonldap-ng/ca.crt
+* `LDAP_CERTIFICATE_FILE`: path to the certificate for ldap server on the host system. It will be mounted in OpenLDAP container in /usr/local/openldap/etc/openldap/tls/openldap.crt
+* `LDAP_CERTIFICATE_KEY`: path to the certificate key for ldap server on the host system. It will be mounted in OpenLDAP container in /usr/local/openldap/etc/openldap/tls/openldap.key
+Also take care to align the following variables from `run/ENVVAR.example` when setting TLS:
+* `LDAP_PROTO`: ldap / ldaps
+* `LDAP_PORT`: port for different services to join the ldap directory (33389 or 33636)
+* `LDAP_TLS`: "true" or not defined. If enabled, the first import of LDAP configuration will set TLS parameters
+* `LDAP_TLS_PROTOCOL_MIN` and `LDAP_TLS_CIPHER_SUITE`
 #### Run with docker-compose
 You need docker and docker-compose.

--- a/build/rockylinux9/fusiondirectory/ansible/install.yaml
+++ b/build/rockylinux9/fusiondirectory/ansible/install.yaml
@@ -312,6 +312,13 @@
    with_items:
      - /etc/php.ini
+  - name: Configure the TLS ca by default
+    ansible.builtin.lineinfile:
+      path: /etc/openldap/ldap.conf
+      regexp: '^TLS_CACERT'
+      insertafter: '^#TLS_CACERT'
+      line: TLS_CACERT /etc/openldap/ca.crt
  - name: Check directories
    command: php -d include_path=/usr/local/share/fusiondirectory/tools /usr/local/share/fusiondirectory/tools/fusiondirectory-configuration-manager --yes --check-directories

--- a/build/rockylinux9/lemonldap-ng/ansible/llng_config_auth.yaml
+++ b/build/rockylinux9/lemonldap-ng/ansible/llng_config_auth.yaml
@@ -4,6 +4,7 @@ passwordDB: 'LDAP'
 registerDB: 'Null'
 ldapPort: '{{ lemonldap2_ldapport }}'
 ldapServer: '{{ lemonldap2_ldapproto}}://{{ lemonldap2_ldaphost}}:{{ lemonldap2_ldapport }}/'
+ldapCAFile: '/etc/lemonldap-ng/ca.crt'
 managerDn: 'cn={{ lemonldap2_ldapusername }},ou=dsa,o=admin,{{ lemonldap2_ldapbase }}'
 managerPassword: '{{ lemonldap2_ldappassword }}'
 ldapBase: '{{ lemonldap2_ldapbase }}'

--- a/build/rockylinux9/openldap-ltb/ansible/deploy.yaml
+++ b/build/rockylinux9/openldap-ltb/ansible/deploy.yaml
@@ -17,6 +17,7 @@
    WHITEPAGES_LDAP_PASSWORD:           "{{ lookup('env','WHITEPAGES_LDAP_PASSWORD') }}"
    WHITEPAGES_LDAP_USERNAME:           "{{ lookup('env','WHITEPAGES_LDAP_USERNAME') }}"
    LDAP_TLS:                           "{{ lookup('env','LDAP_TLS') }}"
+    LDAP_CA_CERTIFICATE_FILE:           "{{ lookup('env','LDAP_CA_CERTIFICATE_FILE') }}"
    LDAP_CERTIFICATE_FILE:              "{{ lookup('env','LDAP_CERTIFICATE_FILE') }}"
    LDAP_CERTIFICATE_KEY:               "{{ lookup('env','LDAP_CERTIFICATE_KEY') }}"
    LDAP_TLS_PROTOCOL_MIN:              "{{ lookup('env','LDAP_TLS_PROTOCOL_MIN') }}"

--- a/build/rockylinux9/openldap-ltb/ansible/install.yaml
+++ b/build/rockylinux9/openldap-ltb/ansible/install.yaml
@@ -41,6 +41,12 @@
      state: directory
      mode: "0750"
+  - name: Create tls directory
+    file:
+      path: /usr/local/openldap/etc/openldap/tls
+      state: directory
+      mode: "0750"
  - name: remove slapd_conf parameter
    replace:
      path: /usr/local/openldap/etc/openldap/slapd-cli.conf

--- a/build/rockylinux9/openldap-ltb/ansible/templates/config.ldif.j2
+++ b/build/rockylinux9/openldap-ltb/ansible/templates/config.ldif.j2
@@ -6,8 +6,9 @@ olcPidFile: /usr/local/openldap/var/run/slapd.pid
 olcArgsFile: /usr/local/openldap/var/run/slapd.args
 olcServerID: 1
 {% if LDAP_TLS %}
-olcTLSCertificateFile: {{ LDAP_CERTIFICATE_FILE }}
+olcTLSCACertificateFile: /usr/local/openldap/etc/openldap/tls/ca.crt
-olcTLSCertificateKeyFile: {{ LDAP_CERTIFICATE_KEY }}
+olcTLSCertificateFile: /usr/local/openldap/etc/openldap/tls/openldap.crt
+olcTLSCertificateKeyFile: /usr/local/openldap/etc/openldap/tls/openldap.key
 olcTLSProtocolMin: {{ LDAP_TLS_PROTOCOL_MIN }}
 olcTLSCipherSuite: {{ LDAP_TLS_CIPHER_SUITE }}
 {% endif %}

--- a/build/rockylinux9/service-desk/ansible/install.yaml
+++ b/build/rockylinux9/service-desk/ansible/install.yaml
@@ -108,3 +108,11 @@
      path: /usr/share/service-desk/templates/footer.tpl
      regexp: '{\$listing_sortby\|default:0 \+ 1}'
      replace: '{if is_int($listing_sortby)}{$listing_sortby}{else}1{/if}'
+  # Define the default TLS CA certificate file
+  - name: Configure the TLS ca by default
+    ansible.builtin.lineinfile:
+      path: /etc/openldap/ldap.conf
+      regexp: '^TLS_CACERT'
+      insertafter: '^#TLS_CACERT'
+      line: TLS_CACERT /etc/openldap/ca.crt
--- a/build/rockylinux9/white-pages/ansible/install.yaml
+++ b/build/rockylinux9/white-pages/ansible/install.yaml
@@ -113,3 +113,11 @@
  - name: install composer dependencies
    ansible.builtin.shell: |
      /composer.phar require smarty/smarty:4.3.4
+  # Define the default TLS CA certificate file
+  - name: Configure the TLS ca by default
+    ansible.builtin.lineinfile:
+      path: /etc/openldap/ldap.conf
+      regexp: '^TLS_CACERT'
+      insertafter: '^#TLS_CACERT'
+      line: TLS_CACERT /etc/openldap/ca.crt
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,7 +11,9 @@ services:
    volumes:
    - ./run/volumes/ldap-data:/usr/local/openldap/var/openldap-data
    - ./run/volumes/ldap-config:/usr/local/openldap/etc/openldap/slapd.d
-    - ./run/volumes/ldap-tls:/usr/local/openldap/etc/openldap/tls
+    - ${LDAP_CA_CERTIFICATE_FILE:-/dev/null}:/usr/local/openldap/etc/openldap/tls/ca.crt:ro
+    - ${LDAP_CERTIFICATE_FILE:-/dev/null}:/usr/local/openldap/etc/openldap/tls/openldap.crt:ro
+    - ${LDAP_CERTIFICATE_KEY:-/dev/null}:/usr/local/openldap/etc/openldap/tls/openldap.key:ro
    ports:
    - 127.0.0.1:33389:33389
@@ -24,6 +26,7 @@ services:
     - ./run/ENVVAR.example
    volumes:
    - ./run/volumes/wp-run:/run/php-fpm
+    - ${LDAP_CA_CERTIFICATE_FILE:-/dev/null}:/etc/openldap/ca.crt:ro
    depends_on:
      - fusioniam-directory-server
    entrypoint: ["/usr/bin/tini"]
@@ -55,6 +58,7 @@ services:
     - ./run/ENVVAR.example
    volumes:
    - ./run/volumes/sd-run:/run/php-fpm
+    - ${LDAP_CA_CERTIFICATE_FILE:-/dev/null}:/etc/openldap/ca.crt:ro
    depends_on:
      - fusioniam-directory-server
    entrypoint: ["/usr/bin/tini"]
@@ -99,6 +103,7 @@ services:
    volumes:
    - ./run/volumes/llng-run:/run/llng-fastcgi-server
    - ./run/volumes/llng-keys:/etc/lemonldap-ng-keys
+    - ${LDAP_CA_CERTIFICATE_FILE:-/dev/null}:/etc/lemonldap-ng/ca.crt:ro
    extra_hosts:
    - "reload.demo.fusioniam.org:10.0.2.2"
    entrypoint: ["/usr/bin/tini"]
@@ -142,6 +147,7 @@ services:
    volumes:
    - ./run/volumes/fd-run:/run/php-fpm
    - ./run/volumes/rsyslog:/dev/rsyslog
+    - ${LDAP_CA_CERTIFICATE_FILE:-/dev/null}:/etc/openldap/ca.crt:ro
    entrypoint: ["/usr/bin/tini"]
    command: [ "/bin/bash","/run-ct.sh","php-fpm" ]

--- a/run/ENVVAR.example
+++ b/run/ENVVAR.example
@@ -15,6 +15,9 @@ LDAP_PROTO=ldap
 LDAP_HOST=fusioniam-directory-server
 LDAP_PORT=33389
 LDAP_SUFFIX=dc=fusioniam,dc=org
+LDAP_TLS=
+LDAP_TLS_PROTOCOL_MIN=3.4
+LDAP_TLS_CIPHER_SUITE=HIGH
 LEMONLDAP2_LDAP_PASSWORD=secret
 LEMONLDAP2_LDAP_USERNAME=lemonldapng
 LEMONLDAP2_OIDCPRIV=/etc/lemonldap-ng-keys/oidc.key
@@ -61,8 +64,3 @@ WHITEPAGES_LDAP_USERNAME=wp
 WHITEPAGES_NAME=wp
 WHITEPAGES_PORT=8080
 LEMONLDAP2_LOCAL_PORT=8080
-LDAP_TLS=
-LDAP_CERTIFICATE_FILE=/usr/local/openldap/etc/openldap/tls/cert.pem
-LDAP_CERTIFICATE_KEY=/usr/local/openldap/etc/openldap/tls/key.pem
-LDAP_TLS_PROTOCOL_MIN=3.4
-LDAP_TLS_CIPHER_SUITE=HIGH