From c906a6a3b095f87b5fdcec6f8a884c7dc4876ac5 Mon Sep 17 00:00:00 2001
From: philha
Date: Fri, 13 Oct 2023 17:29:14 +0200
Subject: [PATCH] Allow to start without certificates ( without ldaps or starttls ) (#11)

- update backup template with removal of optional cert related values if not provided
- fix useful for rhel quick validation tests
- without this test would require many more change in default that are for debian.
---
 tasks/ldaptoolbox-certificates.yml | 31 ++++++++++++++++++++++
 tasks/main.yml | 29 ++------------------
 templates/var/backups/openldap/config.ldif | 8 ++++--
 3 files changed, 39 insertions(+), 29 deletions(-)
 create mode 100644 tasks/ldaptoolbox-certificates.yml

diff --git a/tasks/ldaptoolbox-certificates.yml b/tasks/ldaptoolbox-certificates.yml
new file mode 100644
index 0000000..4c3b1e6
--- /dev/null
+++ b/tasks/ldaptoolbox-certificates.yml
@@ -0,0 +1,31 @@
+
+- name: allow ldap to read TLS certificates
+ ansible.builtin.user:
+ name: "{{ ldaptoolbox_openldap_configuration_owner }}"
+ groups: "{{ ldaptoolbox_openldap_sslgroup }}"
+ state: present
+ when: ( ldaptoolbox_openldap_olcTLSCertificateFile )
+
+- name: Ensure correct file ownership, group and permissions for CA
+ ansible.builtin.file:
+ path: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
+ owner: "root"
+ group: "root"
+ mode: "644"
+ when: ( ldaptoolbox_openldap_olcTLSCACertificateFile )
+
+- name: Ensure correct file ownership, group and permissions for certificate
+ ansible.builtin.file:
+ path: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
+ owner: "root"
+ group: "root"
+ mode: "644"
+ when: ( ldaptoolbox_openldap_olcTLSCertificateFile )
+
+- name: Ensure correct file ownership, group and permissions for key
+ ansible.builtin.file:
+ path: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
+ owner: "root"
+ group: "{{ ldaptoolbox_openldap_sslgroup }}"
+ mode: "640"
+ when: ( ldaptoolbox_openldap_olcTLSCertificateKeyFile )
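Review bot: The `ansible.builtin.user` task at the top of the new file sets `groups:` without `append: true`, so each run rewrites the ldap user's supplementary groups to exactly `{{ ldaptoolbox_openldap_sslgroup }}`, removing it from any other group it belonged to; add `append: true` under `state: present`. The new `when: ( ldaptoolbox_openldap_olcTLSCertificateFile )` guards (and the matching `{% if %}` guards in the config.ldif hunk) treat an empty value as "no certificate", but a variable that is not defined at all makes the truthiness test fail as undefined rather than skip the task, so unless the role defaults guarantee every one of these variables, `when: ldaptoolbox_openldap_olcTLSCertificateFile | default('') | length > 0` is the safer form; the surrounding parentheses are redundant either way. The group membership is gated on the certificate variable while the key task is gated on the key variable; since the group is what grants read access to the 0640 key, gating both on `ldaptoolbox_openldap_olcTLSCertificateKeyFile` keeps the two consistent.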
diff --git a/tasks/main.yml b/tasks/main.yml
index c102fd2..74c5170 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -19,33 +19,8 @@
 name: "{{ ldaptoolbox_openldap_packages_base }}"
 state: "{{ ldaptoolbox_openldap_packages_state }}"
 
-- name: allow ldap to read TLS certificates
- ansible.builtin.user:
- name: "{{ ldaptoolbox_openldap_configuration_owner }}"
- groups: "{{ ldaptoolbox_openldap_sslgroup }}"
- state: present
- when: ldaptoolbox_openldap_olcTLSCertificateFile is defined
-
-- name: Ensure correct file ownership, group and permissions for CA
- ansible.builtin.file:
- path: "{{ ldaptoolbox_openldap_olcTLSCACertificateFile }}"
- owner: "root"
- group: "root"
- mode: "644"
-
-- name: Ensure correct file ownership, group and permissions for certificate
- ansible.builtin.file:
- path: "{{ ldaptoolbox_openldap_olcTLSCertificateFile }}"
- owner: "root"
- group: "root"
- mode: "644"
-
-- name: Ensure correct file ownership, group and permissions for key
- ansible.builtin.file:
- path: "{{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}"
- owner: "root"
- group: "{{ ldaptoolbox_openldap_sslgroup }}"
- mode: "640"
 
+- name: setup certificates
+ include_tasks: ldaptoolbox-certificates.yml
 
 # Configuration
 # -------------
diff --git a/templates/var/backups/openldap/config.ldif b/templates/var/backups/openldap/config.ldif
index 79db3c9..3a1c2ea 100644
--- a/templates/var/backups/openldap/config.ldif
+++ b/templates/var/backups/openldap/config.ldif
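Review bot: `include_tasks: ldaptoolbox-certificates.yml` is the only unqualified module name in a file that otherwise uses fully qualified names (`ansible.builtin.user`, `ansible.builtin.file`); write it as `ansible.builtin.include_tasks: ldaptoolbox-certificates.yml` and capitalise the task name like its neighbours, `- name: Setup certificates`. Because `include_tasks` is dynamic, tags placed on this task are not inherited by the four tasks it pulls in and they no longer appear in `--list-tasks`, which is a behavioural difference from the inline tasks being removed; if the role relies on tagging, `ansible.builtin.import_tasks` preserves the old behaviour. The `name:`/`state:` context at the top of the hunk belongs to a package task whose start is outside the hunk.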
@@ -26,12 +26,16 @@ olcServerID: {{ ldaptoolbox_openldap_olcServerID }}
 olcSockbufMaxIncoming: 262143
 olcSockbufMaxIncomingAuth: 16777215
 olcThreads: 16
+{% if ldaptoolbox_openldap_olcTLSCACertificateFile %}
 olcTLSCACertificateFile: {{ ldaptoolbox_openldap_olcTLSCACertificateFile }}
-olcTLSCertificateFile: {{ ldaptoolbox_openldap_olcTLSCertificateFile }}
-olcTLSCertificateKeyFile: {{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}
 olcTLSCRLCheck: none
 olcTLSVerifyClient: allow
+{% endif %}
+{% if ldaptoolbox_openldap_olcTLSCertificateFile %}
 olcTLSProtocolMin: {{ ldaptoolbox_openldap_olcTLSProtocolMin }}
+olcTLSCertificateFile: {{ ldaptoolbox_openldap_olcTLSCertificateFile }}
+olcTLSCertificateKeyFile: {{ ldaptoolbox_openldap_olcTLSCertificateKeyFile }}
+{% endif %}
 olcToolThreads: 1
 olcWriteTimeout: 0
 olcLogLevel: {{ ldaptoolbox_openldap_olcLogLevel }}
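Review bot: The second block emits `olcTLSCertificateKeyFile` whenever `ldaptoolbox_openldap_olcTLSCertificateFile` is truthy, but the key variable itself is never tested, so a certificate supplied without a key renders `olcTLSCertificateKeyFile:` with an empty value and slapd will most likely reject the config on startup instead of coming up without TLS as the commit intends; guard on both, `{% if ldaptoolbox_openldap_olcTLSCertificateFile and ldaptoolbox_openldap_olcTLSCertificateKeyFile %}`, which also mirrors the per-variable `when:` guards in tasks/ldaptoolbox-certificates.yml. The CA block can likewise render on its own, leaving `olcTLSVerifyClient: allow` and `olcTLSCRLCheck: none` configured on a server that has no certificate to present; if that combination is not meant to be supported, a comment above the first `{% if %}` stating that the CA settings are only effective together with a server certificate would save the next reader a round trip to slapd-config(5).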