From 695a689ff91a83b47fbc6f575be37e1f811bd719 Mon Sep 17 00:00:00 2001 From: David Coutadeur Date: Wed, 18 Oct 2023 10:06:00 +0000 Subject: [PATCH] fix certificate install on rhel-like (#11) --- README.md | 11 ++++------- defaults/main.yml | 8 ++++---- tests/multimaster1.yml | 6 +++--- tests/multimaster2.yml | 6 +++--- tests/standalone.yml | 6 +++--- 5 files changed, 17 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 90008e9..8c20af1 100644 --- a/README.md +++ b/README.md @@ -63,22 +63,19 @@ Run the corresponding task with: ansible-playbook tests/monitoring.yml -i tests/inventory ``` -Test for RHEL -------------- -here sample of what certificates configuration can be : +If you want to install openldap on RHEL-like OS with certificates, you can define them in `tests/standalone.yml`: ``` -ldaptoolbox_openldap_sslgroup=root ldaptoolbox_openldap_olcTLSCACertificateFile=/etc/pki/ca-trust/source/anchors/ca-cert.pem ldaptoolbox_openldap_olcTLSCertificateFile=/etc/pki/tls/certs/ldaps-cert.pem -ldaptoolbox_openldap_olcTLSCertificateKeyFile=/etc/pki/tls/private/ldaps.key" +ldaptoolbox_openldap_olcTLSCertificateKeyFile=/etc/pki/tls/private/ldaps.key ``` -can be run with extra-vars : +You can also overload these variables in the command line: ``` -ansible-playbook tests/standalone.yml -i tests/inventory --ask-vault-pass --extra-vars "ldaptoolbox_openldap_sslgroup=root ldaptoolbox_openldap_olcTLSCACertificateFile=/etc/pki/ca-trust/source/anchors/ca-cert.pem ldaptoolbox_openldap_olcTLSCertificateFile=/etc/pki/tls/certs/ldaps-cert.pem ldaptoolbox_openldap_olcTLSCertificateKeyFile=/etc/pki/tls/private/ldaps.key" +ansible-playbook tests/standalone.yml -i tests/inventory --ask-vault-pass --extra-vars "ldaptoolbox_openldap_olcTLSCACertificateFile=/etc/pki/ca-trust/source/anchors/ca-cert.pem ldaptoolbox_openldap_olcTLSCertificateFile=/etc/pki/tls/certs/ldaps-cert.pem ldaptoolbox_openldap_olcTLSCertificateKeyFile=/etc/pki/tls/private/ldaps.key" ``` License 
diff --git a/defaults/main.yml b/defaults/main.yml
index f40303a..b8bb49f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -25,7 +25,7 @@ ldaptoolbox_openldap_configuration_prefix: "config"
 ldaptoolbox_openldap_configuration_owner: ldap
 ldaptoolbox_openldap_configuration_group: ldap
 ldaptoolbox_openldap_configuration_mode: 0600
-ldaptoolbox_openldap_sslgroup: ssl-cert
+ldaptoolbox_openldap_sslgroup: "{{ 'root' if ansible_os_family == 'RedHat' else 'ssl-cert' }}"
 
 # OpenLDAP LTB CLI command path
 ldaptoolbox_openldap_slapd_cli_cmd: /usr/local/openldap/sbin/slapd-cli
@@ -44,9 +44,9 @@ ldaptoolbox_openldap_custom_schema_list: []
 ldaptoolbox_openldap_schema_dir: /usr/local/openldap/etc/openldap/schema
 
 # Certificates
-ldaptoolbox_openldap_olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
-ldaptoolbox_openldap_olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem
-ldaptoolbox_openldap_olcTLSCertificateKeyFile: /etc/ssl/private/ssl-cert-snakeoil.key
+ldaptoolbox_openldap_olcTLSCACertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ca-certificates.crt' }}"
+ldaptoolbox_openldap_olcTLSCertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ssl-cert-snakeoil.pem' }}"
+ldaptoolbox_openldap_olcTLSCertificateKeyFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/private/ssl-cert-snakeoil.key' }}"
 ldaptoolbox_openldap_olcTLSProtocolMin: 3.3
 
 # Log level
diff --git a/tests/multimaster1.yml b/tests/multimaster1.yml
index 4a5efbb..9376540 100644
--- a/tests/multimaster1.yml
+++ b/tests/multimaster1.yml
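Review bot: On RHEL-like hosts the three `olcTLS*File` defaults now render to the empty string and nothing in defaults/main.yml says so; unless the tasks that consume them (outside this hunk) skip empty values, slapd ends up either with no TLS configuration at all or with `olcTLSCertificateFile` pointing at an empty path that its TLS init is unlikely to accept, and an operator who overrides only one or two of the paths gets a half-configured listener rather than an error. A comment above the block would make the contract explicit, e.g. `# RHEL-like: no usable default certificate exists, so these stay empty (TLS not configured) until all three paths are set together`, and a pre-task `assert` that the three values are either all empty or all non-empty would turn a partial override into a hard failure. Every default in this hunk and in the `ldaptoolbox_openldap_sslgroup` hunk above now also depends on `ansible_os_family`, which is only defined when facts are gathered, so a play with `gather_facts: false` will fail to render them with an undefined-variable error — worth stating next to the variables. Finally, `sslgroup: root` makes the key group `root` on RHEL while the configuration owner declared earlier in this file is `ldap`; if the key is installed group-readable only, slapd cannot open it — please confirm how `sslgroup` and the key mode are used in the tasks.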
@@ -13,9 +13,9 @@
 - ldaptoolbox_openldap_custom_schema_srcdir: "{{ playbook_dir }}/files/ldaptoolbox.oldap/usr/local/openldap/etc/openldap/schema"
 - ldaptoolbox_openldap_custom_schema_list: [ custom.ldif ]
 # define certificates (must be deployed before)
- - ldaptoolbox_openldap_olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
- - ldaptoolbox_openldap_olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem
- - ldaptoolbox_openldap_olcTLSCertificateKeyFile: /etc/ssl/private/ssl-cert-snakeoil.key
+ - ldaptoolbox_openldap_olcTLSCACertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ca-certificates.crt' }}"
+ - ldaptoolbox_openldap_olcTLSCertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ssl-cert-snakeoil.pem' }}"
+ - ldaptoolbox_openldap_olcTLSCertificateKeyFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/private/ssl-cert-snakeoil.key' }}"
 # Accounts and passwords
 - ldaptoolbox_openldap_config_olcRootDN: cn=admin,cn=config
 - ldaptoolbox_openldap_config_olcRootPW_hash: "{{ ldaptoolbox_openldap_config_olcRootPW_hash_vault }}"
diff --git a/tests/multimaster2.yml b/tests/multimaster2.yml
index 003e8c2..b66b475 100644
--- a/tests/multimaster2.yml
+++ b/tests/multimaster2.yml
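Review bot: The three play-level overrides now repeat the role defaults from defaults/main.yml character for character, so they no longer exercise anything and leave three copies (here, multimaster2.yml and standalone.yml) to keep in sync with the role. Either drop them and let the role default apply, or make them do what the `# define certificates (must be deployed before)` comment promises by pointing at concrete per-family test certificates, e.g. `- ldaptoolbox_openldap_olcTLSCACertificateFile: "{{ '/etc/pki/ca-trust/source/anchors/ca-cert.pem' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ca-certificates.crt' }}"`, reusing the RHEL paths the README hunk in this patch documents. If the empty-string form is kept, the comment should say that on RHEL-like hosts it means TLS is not configured at all. The enclosing play (host list and vars key) starts and ends outside the hunk.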
@@ -13,9 +13,9 @@
 - ldaptoolbox_openldap_custom_schema_srcdir: "{{ playbook_dir }}/files/ldaptoolbox.oldap/usr/local/openldap/etc/openldap/schema"
 - ldaptoolbox_openldap_custom_schema_list: [ custom.ldif ]
 # define certificates (must be deployed before)
- - ldaptoolbox_openldap_olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
- - ldaptoolbox_openldap_olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem
- - ldaptoolbox_openldap_olcTLSCertificateKeyFile: /etc/ssl/private/ssl-cert-snakeoil.key
+ - ldaptoolbox_openldap_olcTLSCACertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ca-certificates.crt' }}"
+ - ldaptoolbox_openldap_olcTLSCertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ssl-cert-snakeoil.pem' }}"
+ - ldaptoolbox_openldap_olcTLSCertificateKeyFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/private/ssl-cert-snakeoil.key' }}"
 # Accounts and passwords
 - ldaptoolbox_openldap_config_olcRootDN: cn=admin,cn=config
 - ldaptoolbox_openldap_config_olcRootPW_hash: "{{ ldaptoolbox_openldap_config_olcRootPW_hash_vault }}"
diff --git a/tests/standalone.yml b/tests/standalone.yml
index 0a705c9..2fdf085 100644
--- a/tests/standalone.yml
+++ b/tests/standalone.yml
@@ -13,9 +13,9 @@
 - ldaptoolbox_openldap_custom_schema_srcdir: "{{ playbook_dir }}/files/ldaptoolbox.oldap/usr/local/openldap/etc/openldap/schema"
 - ldaptoolbox_openldap_custom_schema_list: [ custom.ldif ]
 # define certificates (must be deployed before)
- - ldaptoolbox_openldap_olcTLSCACertificateFile: /etc/ssl/certs/ca-certificates.crt
- - ldaptoolbox_openldap_olcTLSCertificateFile: /etc/ssl/certs/ssl-cert-snakeoil.pem
- - ldaptoolbox_openldap_olcTLSCertificateKeyFile: /etc/ssl/private/ssl-cert-snakeoil.key
+ - ldaptoolbox_openldap_olcTLSCACertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ca-certificates.crt' }}"
+ - ldaptoolbox_openldap_olcTLSCertificateFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/certs/ssl-cert-snakeoil.pem' }}"
+ - ldaptoolbox_openldap_olcTLSCertificateKeyFile: "{{ '' if ansible_os_family == 'RedHat' else '/etc/ssl/private/ssl-cert-snakeoil.key' }}"
 # Accounts and passwords
 - ldaptoolbox_openldap_config_olcRootDN: cn=admin,cn=config
 - ldaptoolbox_openldap_config_olcRootPW_hash: "{{ ldaptoolbox_openldap_config_olcRootPW_hash_vault }}"
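Review bot: The README change in this patch tells RHEL users to define their certificates in `tests/standalone.yml`, but after this hunk the file's certificate block evaluates to empty strings on RedHat and the `# define certificates (must be deployed before)` comment above it no longer describes what the lines do. Replace the comment with one that states the contract, e.g. `# define certificates (must be deployed before); on RHEL-like hosts the role has no default, replace the empty values with real paths or pass them with --extra-vars`, or put the RHEL paths from the README directly into the conditional so this test play is a working example rather than a no-op copy of the role default. The enclosing play starts and ends outside the hunk.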