From b2594765c8d729f678972e0a683ca2c8cbe8ab9d Mon Sep 17 00:00:00 2001
From: filip
Date: Thu, 16 Jan 2025 10:45:43 +0100
Subject: [PATCH 1/8] ldap ca certificate refactor
---
 roles/debian/pam_ldap/defaults/main.yml | 2 ++
 roles/debian/pam_ldap/templates/ldap.conf.j2 | 8 +++++---
 roles/debian/pam_ldap/templates/nslcd.conf.j2 | 8 ++++++--
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/roles/debian/pam_ldap/defaults/main.yml b/roles/debian/pam_ldap/defaults/main.yml
index 7e2f74e89..5c4d888f8 100644
--- a/roles/debian/pam_ldap/defaults/main.yml
+++ b/roles/debian/pam_ldap/defaults/main.yml
@@ -10,6 +10,7 @@ ldap_client:
 # Debian cannot support multiple LDAP SSL connections.
 # See https://serverfault.com/questions/520597/how-to-securely-connect-to-multiple-different-ldaps-servers-debian
 ssl_certificate_check: true # set to false if you need to connect to multiple LDAP servers with different CA certs from the same machine
+ ssl_use_system_ca: true # Set to false if you don't want to use system provided CA certificates
 # List of ldap servers to
 endpoints: []
@@ -24,6 +25,7 @@ ldap_client:
 pam_ldap:
 ssl_certificate: "{{ ldap_client.ssl_certificate }}"
 ssl_certificate_check: "{{ ldap_client.ssl_certificate_check }}"
+ ssl_use_system_ca: "{{ ldap_client.ssl_use_system_ca }}"
 endpoints: "{{ ldap_client.endpoints }}"
 lookup_base: "{{ ldap_client.lookup_base }}"
 binddn: "{{ ldap_client.binddn }}"
diff --git a/roles/debian/pam_ldap/templates/ldap.conf.j2 b/roles/debian/pam_ldap/templates/ldap.conf.j2
index a4f1ddca7..dee790487 100644
--- a/roles/debian/pam_ldap/templates/ldap.conf.j2
+++ b/roles/debian/pam_ldap/templates/ldap.conf.j2
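Review bot: The new default `ssl_use_system_ca: true` silently changes which CA existing hosts verify against: the ldap.conf.j2 and nslcd.conf.j2 hunks of this commit test `ssl_use_system_ca` first and only fall through to the deployed `ssl_certificate` when it is false, so an inventory that sets `ssl_certificate` to a private CA keeps the variable but stops using it, and verification fails if that CA is not in /etc/ssl/certs/ca-certificates.crt (whether the role also installs it into the bundle is not visible here). The comment on the new key does not say this; I would make the precedence explicit, e.g. `ssl_use_system_ca: true # Set to false to verify against ssl_certificate; when true the system CA bundle is used and ssl_certificate is ignored`. It may also be worth pointing the `ssl_certificate_check` comment above it at this option, since a system bundle that contains every server's CA should cover the multi-server case without turning verification off. Minor: the new comment starts with a capital while its neighbours use lower case.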
@@ -1,9 +1,11 @@
 BASE {{ pam_ldap.lookup_base }}
-URI {{ pam_ldap.endpoints | join(' ') }}
-{% if pam_ldap.ssl_certificate is defined and pam_ldap.ssl_certificate %}
+URI {{ pam_ldap.endpoints | join(' ') }}
+{% if pam_ldap.ssl_certificate is defined and pam_ldap.ssl_use_system_ca %}
 TLS_CACERT /etc/ssl/certs/ca-certificates.crt
+{% elif pam_ldap.ssl_certificate is defined and pam_ldap.ssl_certificate %}
+TLS_CACERT /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
 {% endif %}
-BIND_TIMELIMIT 5
+BIND_TIMELIMIT 5
 TIMEOUT 5
 TIMELIMIT 5
diff --git a/roles/debian/pam_ldap/templates/nslcd.conf.j2 b/roles/debian/pam_ldap/templates/nslcd.conf.j2
index 85215792d..b335a75cf 100644
--- a/roles/debian/pam_ldap/templates/nslcd.conf.j2
+++ b/roles/debian/pam_ldap/templates/nslcd.conf.j2
@@ -28,10 +28,14 @@ bindpw {{ pam_ldap.bindpw }}
 #rootpwmoddn cn=admin,dc=example,dc=com
 # SSL options
-{% if pam_ldap.ssl_certificate is defined and pam_ldap.ssl_certificate %}
+{% if pam_ldap.ssl_certificate is defined and pam_ldap.ssl_use_system_ca %}
+ssl on
+tls_reqcert demand
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+{% elif pam_ldap.ssl_certificate is defined and pam_ldap.ssl_certificate %}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
 {% endif %}
 # The search scope.
-#scope sub
+#scope sub
From 05c0b4d2032e23a4dba46c4ff046d6261a0ea7a1 Mon Sep 17 00:00:00 2001
From: filip
Date: Thu, 16 Jan 2025 10:47:26 +0100
Subject: [PATCH 2/8] small spacing fix
---
 roles/debian/pam_ldap/templates/ldap.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/debian/pam_ldap/templates/ldap.conf.j2 b/roles/debian/pam_ldap/templates/ldap.conf.j2
index dee790487..935514a43 100644
--- a/roles/debian/pam_ldap/templates/ldap.conf.j2
+++ b/roles/debian/pam_ldap/templates/ldap.conf.j2
@@ -5,7 +5,7 @@ TLS_CACERT /etc/ssl/certs/ca-certificates.crt
 {% elif pam_ldap.ssl_certificate is defined and pam_ldap.ssl_certificate %}
 TLS_CACERT /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
 {% endif %}
-BIND_TIMELIMIT 5
+BIND_TIMELIMIT 5
 TIMEOUT 5
 TIMELIMIT 5
From a99d55ed3b80b3f3338ede1a854c32a902444e8c Mon Sep 17 00:00:00 2001
From: filip
Date: Fri, 17 Jan 2025 13:13:39 +0100
Subject: [PATCH 3/8] fixing system ca path to not depend on defined ssl cert
---
 roles/debian/pam_ldap/templates/ldap.conf.j2 | 2 +-
 roles/debian/pam_ldap/templates/nslcd.conf.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/debian/pam_ldap/templates/ldap.conf.j2 b/roles/debian/pam_ldap/templates/ldap.conf.j2
index 935514a43..d2d64f02d 100644
--- a/roles/debian/pam_ldap/templates/ldap.conf.j2
+++ b/roles/debian/pam_ldap/templates/ldap.conf.j2
@@ -1,6 +1,6 @@
 BASE {{ pam_ldap.lookup_base }}
 URI {{ pam_ldap.endpoints | join(' ') }}
-{% if pam_ldap.ssl_certificate is defined and pam_ldap.ssl_use_system_ca %}
+{% if pam_ldap.ssl_use_system_ca %}
 TLS_CACERT /etc/ssl/certs/ca-certificates.crt
 {% elif pam_ldap.ssl_certificate is defined and pam_ldap.ssl_certificate %}
 TLS_CACERT /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
diff --git a/roles/debian/pam_ldap/templates/nslcd.conf.j2 b/roles/debian/pam_ldap/templates/nslcd.conf.j2
index b335a75cf..06e38a42a 100644
--- a/roles/debian/pam_ldap/templates/nslcd.conf.j2
+++ b/roles/debian/pam_ldap/templates/nslcd.conf.j2
@@ -28,7 +28,7 @@ bindpw {{ pam_ldap.bindpw }}
 #rootpwmoddn cn=admin,dc=example,dc=com
 # SSL options
-{% if pam_ldap.ssl_certificate is defined and pam_ldap.ssl_use_system_ca %}
+{% if pam_ldap.ssl_use_system_ca %}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ssl/certs/ca-certificates.crt
From 519f14431b65f005825728bd19435eff9300648c Mon Sep 17 00:00:00 2001
From: filip
Date: Fri, 17 Jan 2025 13:19:40 +0100
Subject: [PATCH 4/8] fixing ldap ssl cert path to not depend on defined ssl cert
---
 roles/debian/pam_ldap/templates/ldap.conf.j2 | 2 +-
 roles/debian/pam_ldap/templates/nslcd.conf.j2 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/debian/pam_ldap/templates/ldap.conf.j2 b/roles/debian/pam_ldap/templates/ldap.conf.j2
index d2d64f02d..c3e7d3b35 100644
--- a/roles/debian/pam_ldap/templates/ldap.conf.j2
+++ b/roles/debian/pam_ldap/templates/ldap.conf.j2
@@ -2,7 +2,7 @@ BASE {{ pam_ldap.lookup_base }}
 URI {{ pam_ldap.endpoints | join(' ') }}
 {% if pam_ldap.ssl_use_system_ca %}
 TLS_CACERT /etc/ssl/certs/ca-certificates.crt
-{% elif pam_ldap.ssl_certificate is defined and pam_ldap.ssl_certificate %}
+{% elif pam_ldap.ssl_certificate %}
 TLS_CACERT /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
 {% endif %}
 BIND_TIMELIMIT 5
diff --git a/roles/debian/pam_ldap/templates/nslcd.conf.j2 b/roles/debian/pam_ldap/templates/nslcd.conf.j2
index 06e38a42a..f3d97f284 100644
--- a/roles/debian/pam_ldap/templates/nslcd.conf.j2
+++ b/roles/debian/pam_ldap/templates/nslcd.conf.j2
@@ -32,7 +32,7 @@ bindpw {{ pam_ldap.bindpw }}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ssl/certs/ca-certificates.crt
-{% elif pam_ldap.ssl_certificate is defined and pam_ldap.ssl_certificate %}
+{% elif pam_ldap.ssl_certificate %}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
From 965a2fbb708e1bf498ed3e2645a1de62b7bb7622 Mon Sep 17 00:00:00 2001
From: filip
Date: Fri, 17 Jan 2025 13:35:58 +0100
Subject: [PATCH 5/8] adding lenght requirement so an emtpy string is not true
---
 roles/debian/pam_ldap/templates/ldap.conf.j2 | 4 ++--
 roles/debian/pam_ldap/templates/nslcd.conf.j2 | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/debian/pam_ldap/templates/ldap.conf.j2 b/roles/debian/pam_ldap/templates/ldap.conf.j2
index c3e7d3b35..d2b2bac7c 100644
--- a/roles/debian/pam_ldap/templates/ldap.conf.j2
+++ b/roles/debian/pam_ldap/templates/ldap.conf.j2
@@ -1,8 +1,8 @@
 BASE {{ pam_ldap.lookup_base }}
 URI {{ pam_ldap.endpoints | join(' ') }}
-{% if pam_ldap.ssl_use_system_ca %}
+{% if pam_ldap.ssl_use_system_ca % | length > 0 %}
 TLS_CACERT /etc/ssl/certs/ca-certificates.crt
-{% elif pam_ldap.ssl_certificate %}
+{% elif pam_ldap.ssl_certificate % | length > 0 %}
 TLS_CACERT /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
 {% endif %}
 BIND_TIMELIMIT 5
diff --git a/roles/debian/pam_ldap/templates/nslcd.conf.j2 b/roles/debian/pam_ldap/templates/nslcd.conf.j2
index f3d97f284..c8541c0d7 100644
--- a/roles/debian/pam_ldap/templates/nslcd.conf.j2
+++ b/roles/debian/pam_ldap/templates/nslcd.conf.j2
@@ -28,11 +28,11 @@ bindpw {{ pam_ldap.bindpw }}
 #rootpwmoddn cn=admin,dc=example,dc=com
 # SSL options
-{% if pam_ldap.ssl_use_system_ca %}
+{% if pam_ldap.ssl_use_system_ca % | length > 0 %}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ssl/certs/ca-certificates.crt
-{% elif pam_ldap.ssl_certificate %}
+{% elif pam_ldap.ssl_certificate % | length > 0 %}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
From a9570e97afeeabdaec8ee9e064e3f660a14d18b9 Mon Sep 17 00:00:00 2001
From: filip
Date: Fri, 17 Jan 2025 13:40:12 +0100
Subject: [PATCH 6/8] fix for jinja template
---
 roles/debian/pam_ldap/templates/ldap.conf.j2 | 4 ++--
 roles/debian/pam_ldap/templates/nslcd.conf.j2 | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/debian/pam_ldap/templates/ldap.conf.j2 b/roles/debian/pam_ldap/templates/ldap.conf.j2
index d2b2bac7c..9af5fb80f 100644
--- a/roles/debian/pam_ldap/templates/ldap.conf.j2
+++ b/roles/debian/pam_ldap/templates/ldap.conf.j2
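Review bot: This commit leaves both templates unrenderable: the stray `%` before the filter in `{% if pam_ldap.ssl_use_system_ca % | length > 0 %}`, in the `elif` below it, and in the two matching lines of the nslcd.conf.j2 hunk, is a Jinja syntax error, so the role fails on every host at this revision until the following commit corrects it. The same typo is reintroduced in nslcd.conf.j2 by PATCH 7 and corrected again by PATCH 8. Since the whole series reworks one condition in two templates, I would squash PATCH 1 and PATCHES 3 to 8 into a single commit so that no revision in history ships a template that cannot render and a bisect cannot land on one.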
@@ -1,8 +1,8 @@
 BASE {{ pam_ldap.lookup_base }}
 URI {{ pam_ldap.endpoints | join(' ') }}
-{% if pam_ldap.ssl_use_system_ca % | length > 0 %}
+{% if pam_ldap.ssl_use_system_ca | length > 0 %}
 TLS_CACERT /etc/ssl/certs/ca-certificates.crt
-{% elif pam_ldap.ssl_certificate % | length > 0 %}
+{% elif pam_ldap.ssl_certificate | length > 0 %}
 TLS_CACERT /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
 {% endif %}
 BIND_TIMELIMIT 5
diff --git a/roles/debian/pam_ldap/templates/nslcd.conf.j2 b/roles/debian/pam_ldap/templates/nslcd.conf.j2
index c8541c0d7..ca2053e30 100644
--- a/roles/debian/pam_ldap/templates/nslcd.conf.j2
+++ b/roles/debian/pam_ldap/templates/nslcd.conf.j2
@@ -28,11 +28,11 @@ bindpw {{ pam_ldap.bindpw }}
 #rootpwmoddn cn=admin,dc=example,dc=com
 # SSL options
-{% if pam_ldap.ssl_use_system_ca % | length > 0 %}
+{% if pam_ldap.ssl_use_system_ca | length > 0 %}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ssl/certs/ca-certificates.crt
-{% elif pam_ldap.ssl_certificate % | length > 0 %}
+{% elif pam_ldap.ssl_certificate | length > 0 %}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
From 82b876f8797256a3b834f5a40f9bc4602ebe421e Mon Sep 17 00:00:00 2001
From: filip
Date: Fri, 17 Jan 2025 13:45:27 +0100
Subject: [PATCH 7/8] adjusting use ldap system ca variable
---
 roles/debian/pam_ldap/templates/ldap.conf.j2 | 2 +-
 roles/debian/pam_ldap/templates/nslcd.conf.j2 | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/debian/pam_ldap/templates/ldap.conf.j2 b/roles/debian/pam_ldap/templates/ldap.conf.j2
index 9af5fb80f..a386e4868 100644
--- a/roles/debian/pam_ldap/templates/ldap.conf.j2
+++ b/roles/debian/pam_ldap/templates/ldap.conf.j2
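Review bot: `{% elif pam_ldap.ssl_certificate | length > 0 %}` now raises at render time instead of skipping the branch when the value is null or undefined, because PATCH 4 removed the `is defined` guard and `length` is not defined for `None`; whether `ldap_client.ssl_certificate` can be empty in that way is not visible here, since defaults/main.yml only forwards it into `pam_ldap`. A null-safe form is `{% elif pam_ldap.ssl_certificate | default('', true) | length > 0 %}`, where the second argument makes `default` also replace falsy values, so an empty or null certificate path skips the branch as the commit message intends. The same applies to the `elif` line in the nslcd.conf.j2 hunk of this commit.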
@@ -1,6 +1,6 @@
 BASE {{ pam_ldap.lookup_base }}
 URI {{ pam_ldap.endpoints | join(' ') }}
-{% if pam_ldap.ssl_use_system_ca | length > 0 %}
+{% if pam_ldap.ssl_use_system_ca %}
 TLS_CACERT /etc/ssl/certs/ca-certificates.crt
 {% elif pam_ldap.ssl_certificate | length > 0 %}
 TLS_CACERT /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
diff --git a/roles/debian/pam_ldap/templates/nslcd.conf.j2 b/roles/debian/pam_ldap/templates/nslcd.conf.j2
index ca2053e30..16fe483f0 100644
--- a/roles/debian/pam_ldap/templates/nslcd.conf.j2
+++ b/roles/debian/pam_ldap/templates/nslcd.conf.j2
@@ -28,11 +28,11 @@ bindpw {{ pam_ldap.bindpw }}
 #rootpwmoddn cn=admin,dc=example,dc=com
 # SSL options
-{% if pam_ldap.ssl_use_system_ca | length > 0 %}
+{% if pam_ldap.ssl_use_system_ca %}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ssl/certs/ca-certificates.crt
-{% elif pam_ldap.ssl_certificate | length > 0 %}
+{% elif pam_ldap.ssl_certificate % | length > 0 %}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
From 6cd52d34202822656a2d2010ed09c89deffafe49 Mon Sep 17 00:00:00 2001
From: filip
Date: Fri, 17 Jan 2025 13:46:48 +0100
Subject: [PATCH 8/8] fixing small syntax
---
 roles/debian/pam_ldap/templates/nslcd.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/debian/pam_ldap/templates/nslcd.conf.j2 b/roles/debian/pam_ldap/templates/nslcd.conf.j2
index 16fe483f0..d042421c9 100644
--- a/roles/debian/pam_ldap/templates/nslcd.conf.j2
+++ b/roles/debian/pam_ldap/templates/nslcd.conf.j2
@@ -32,7 +32,7 @@ bindpw {{ pam_ldap.bindpw }}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ssl/certs/ca-certificates.crt
-{% elif pam_ldap.ssl_certificate % | length > 0 %}
+{% elif pam_ldap.ssl_certificate | length > 0 %}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
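Review bot: With the syntax settled, the two branches of this block differ only in the `tls_cacertfile` line, yet `ssl on` and `tls_reqcert demand` are written twice, so a later edit to one branch (for example relaxing `tls_reqcert` while debugging) can silently leave the other branch stricter or weaker than intended. The enclosing `{% if pam_ldap.ssl_use_system_ca %}` and `{% endif %}` sit outside this hunk. I would hoist the shared lines under one outer condition and keep only the CA file selection in the inner `if`/`else`, as below; the `default('', true)` guard additionally stops `length` from raising when `ssl_certificate` is null.

```jinja
{% if pam_ldap.ssl_use_system_ca or pam_ldap.ssl_certificate | default('', true) | length > 0 %}
ssl on
tls_reqcert demand
{% if pam_ldap.ssl_use_system_ca %}
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
{% else %}
tls_cacertfile /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
{% endif %}
{% endif %}
```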