Moved certificate management behind nginx proxy

roles/docker-ldap/README.md

@@ -125,6 +125,9 @@ The following directories are mounted in the container:
 - [Bitnami OpenLDAP](https://hub.docker.com/r/bitnami/openldap)
 - [phpLDAPadmin Documentation](https://github.com/leenooks/phpLDAPadmin/wiki/Docker-Container)
 - [LDAP Account Manager](https://github.com/LDAPAccountManager/docker)
+- https://github.com/bitnami/containers/issues/53392
+- https://kb.i-doit.com/de/administration/troubleshooting/ldap-via-tls.html
+- https://forum.ubuntuusers.de/topic/tls-verbindung-mit-openldap/
 
 ---
 

roles/docker-ldap/tasks/main.yml

@@ -5,16 +5,18 @@
 - name: "include tasks nginx-docker-proxy-domain.yml"
   include_tasks: nginx-docker-proxy-domain.yml
 
+- name: create {{domain}}.conf
+  template: 
+    src:  "nginx.stream.conf.j2" 
+    dest: "{{nginx_streams_directory}}{{domain}}.conf"
+  notify: restart nginx
+
 - name: "create {{docker_compose_instance_directory}}"
   file:
     path: "{{docker_compose_instance_directory}}"
     state: directory
     mode: 0755
 
-- name: "include the nginx-docker-cert-deploy role"
-  include_role:
-    name: nginx-docker-cert-deploy
-
 - name: add docker-compose.yml
   template: 
     src:  "docker-compose.yml.j2" 

roles/docker-ldap/templates/docker-compose.yml.j2

@@ -16,28 +16,23 @@ services:
       driver: journald
     restart: {{docker_restart_policy}}
     ports:
-      - '127.0.0.1:389:389'   # Expose just on local host for security reasons, phpLDAPadmin requires this
-      - '636:636'             # Expose to internet
+      - 127.0.0.1:{{ldap_localhost_port}}:{{ldap_localhost_port}}               # Expose just on localhost so that nginx stream proxy can use it
+      - 127.0.0.1:{{ldap_secure_localhost_port}}:{{ldap_secure_localhost_port}} # Expose just on localhost
     environment:
       # @See https://hub.docker.com/r/bitnami/openldap
-
+      
       # GENERAL
-      LDAP_ADMIN_USERNAME:    {{ldap_administrator_username}} # LDAP database admin user.
-      LDAP_ADMIN_PASSWORD:    {{ldap_administrator_password}} # LDAP database admin password.
-      #LDAP_USERS:            user01,user02                   # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
-      #LDAP_PASSWORDS:        password1,password2             # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami 
-      LDAP_ROOT:              {{ldap_root}}                   # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
-      LDAP_ADMIN_DN:          {{ldap_admin_dn}}
-      LDAP_PORT_NUMBER:       389                             # Route to default port
+      LDAP_ADMIN_USERNAME:      {{ldap_administrator_username}} # LDAP database admin user.
+      LDAP_ADMIN_PASSWORD:      {{ldap_administrator_password}} # LDAP database admin password.
+      #LDAP_USERS:              user01,user02                   # Comma separated list of LDAP users to create in the default LDAP tree. Default: user01,user02
+      #LDAP_PASSWORDS:          password1,password2             # Comma separated list of passwords to use for LDAP users. Default: bitnami1,bitnami 
+      LDAP_ROOT:                {{ldap_root}}                   # LDAP baseDN (or suffix) of the LDAP tree. Default: dc=example,dc=org
+      LDAP_ADMIN_DN:            {{ldap_admin_dn}}
+      LDAP_PORT_NUMBER:         {{ldap_localhost_port}}         # Route to default port
 
       # TLS
-      LDAP_ENABLE_TLS:          yes                         # Whether to enable TLS for traffic or not. Defaults to no
-      LDAP_REQUIRE_TLS:         no                          # Deactivated so that it can be accessed on the server itself via phpldapadmin
-      LDAP_LDAPS_PORT_NUMBER:   636                         # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
-      LDAP_TLS_CERT_FILE:       /certs/cert.pem             # File containing the certificate file for the TLS traffic. No defaults.
-      LDAP_TLS_KEY_FILE:        /certs/key.pem              # File containing the key for certificate. No defaults.
-      LDAP_TLS_CA_FILE:         /certs/chain.pem            # File containing the CA of the certificate. No defaults.
-      #LDAP_TLS_DH_PARAMS_FILE:                             # File containing the DH parameters. No defaults.
+      LDAP_ENABLE_TLS:          no                              # Using nginx proxy
+      LDAP_LDAPS_PORT_NUMBER:   {{ldap_secure_localhost_port}}  # Port used for TLS secure traffic. Priviledged port is supported (e.g. 636). Default: 1636 (non privileged port).
     volumes:
       - {{cert_mount_directory}}:/certs:ro
       - 'data:/bitnami/openldap'

roles/docker-ldap/templates/nginx.stream.conf.j2

@@ -0,0 +1,10 @@
+server {
+    listen {{ldap_secure_internet_port}} ssl;
+    proxy_pass 127.0.0.1:{{ldap_localhost_port}};
+
+    # SSL Configuration for LDAPS
+    ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+}

roles/docker-ldap/vars/main.yml

@@ -1,4 +1,7 @@
 docker_compose_project_name:  "ldap"
 ldap_root:                    "dc={{primary_domain_sld}},dc={{primary_domain_tld}}"
 ldap_admin_dn:                "cn={{ldap_administrator_username}},{{ldap_root}}"
-cert_mount_directory:         "{{docker_compose_instance_directory}}/certs/"
+cert_mount_directory:         "{{docker_compose_instance_directory}}/certs/"
+ldap_secure_localhost_port:   1636
+ldap_secure_internet_port:    636
+ldap_localhost_port:          389