Enable TLS for OpenLDAP
Also fix typo in cert name for DriveTrain services.
Change-Id: I604cd663c31018814f7380af56dee5ac9374aaa0
Related-Prod: PROD-23454
(cherry picked from commit 020ce66d304c7de7f120245dda124f97c3a8eb65)
diff --git a/docker/swarm/stack/ldap.yml b/docker/swarm/stack/ldap.yml
index b785711..5130caf 100644
--- a/docker/swarm/stack/ldap.yml
+++ b/docker/swarm/stack/ldap.yml
@@ -21,13 +21,24 @@
volumes:
- /srv/volumes/openldap/database:/var/lib/ldap
- /srv/volumes/openldap/config:/etc/ldap/slapd.d
+ - ${_param:openldap_tls:keyfile}:/container/service/slapd/assets/certs/drivetrain_ldap.key:ro
+ - ${_param:openldap_tls:certfile}:/container/service/slapd/assets/certs/drivetrain_ldap.crt:ro
+ - /etc/ssl/certs/ca-${_param:salt_minion_ca_authority}.pem:/container/service/slapd/assets/certs/ca.crt:ro
+ # copy to /container/run/service to avoid issues with owning certs as openldap user
+ # https://github.com/osixia/docker-openldap/issues/59
+ command: --copy-service
environment:
HOSTNAME: ldap01.${_param:openldap_domain}
LDAP_ORGANISATION: "${_param:openldap_organisation}"
LDAP_DOMAIN: "${_param:openldap_domain}"
LDAP_ADMIN_PASSWORD: ${_param:openldap_admin_password}
LDAP_CONFIG_PASSWORD: ${_param:openldap_config_password}
- LDAP_TLS: "false"
+ LDAP_TLS: "true"
+ LDAP_TLS_VERIFY_CLIENT: try
+ LDAP_TLS_CIPHER_SUITE: NORMAL:-VERS-SSL3.0:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0
+ LDAP_TLS_CRT_FILENAME: drivetrain_ldap.crt
+ LDAP_TLS_KEY_FILENAME: drivetrain_ldap.key
+ LDAP_TLS_CA_CRT_FILENAME: ca.crt
admin:
networks:
- ldap
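Review bot: The new LDAP_TLS_CIPHER_SUITE value explicitly re-enables TLS 1.0 and TLS 1.1 (`+VERS-TLS1.1:+VERS-TLS1.0`), so the hunk turns TLS on while still allowing protocol versions that are deprecated; dropping them leaves TLS 1.2 as the floor, e.g. `LDAP_TLS_CIPHER_SUITE: "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:+VERS-TLS1.2"`. Quoting the priority string also protects it from any reclass/Salt rendering or YAML re-typing of the colon-separated value, matching the quoting already used for LDAP_ORGANISATION and LDAP_DOMAIN. Two points that are not visible in the hunk and may be deliberate: `LDAP_TLS_VERIFY_CLIENT: try` makes client certificates optional rather than required, and enabling LDAP_TLS presumably does not by itself refuse plaintext binds on port 389 — if the intent is TLS-only, that probably needs a separate enforce setting in this image, so a one-line comment stating whether cleartext LDAP is still accepted would help the next reader. The `admin` service that starts at the end of the hunk continues outside it, so whether phpLDAPadmin is pointed at ldaps/StartTLS is not reviewable here.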