ldap ca certificate refactor

roles/debian/pam_ldap/defaults/main.yml

@@ -10,6 +10,7 @@ ldap_client:
   # Debian cannot support multiple LDAP SSL connections.
   # See https://serverfault.com/questions/520597/how-to-securely-connect-to-multiple-different-ldaps-servers-debian
   ssl_certificate_check: true # set to false if you need to connect to multiple LDAP servers with different CA certs from the same machine
+  ssl_use_system_ca: true # Set to false if you don't want to use system provided CA certificates
   # List of ldap servers to
   endpoints:
     []
@@ -24,6 +25,7 @@ ldap_client:
 pam_ldap:
   ssl_certificate: "{{ ldap_client.ssl_certificate }}"
   ssl_certificate_check: "{{ ldap_client.ssl_certificate_check }}"
+  ssl_use_system_ca: "{{ ldap_client.ssl_use_system_ca }}"
   endpoints: "{{ ldap_client.endpoints }}"
   lookup_base: "{{ ldap_client.lookup_base }}"
   binddn: "{{ ldap_client.binddn }}"

roles/debian/pam_ldap/templates/ldap.conf.j2

@@ -1,9 +1,11 @@
 BASE {{ pam_ldap.lookup_base }}
-URI	{{ pam_ldap.endpoints | join(' ') }}
-{% if pam_ldap.ssl_certificate is defined and pam_ldap.ssl_certificate %}
+URI {{ pam_ldap.endpoints | join(' ') }}
+{% if pam_ldap.ssl_use_system_ca %}
 TLS_CACERT /etc/ssl/certs/ca-certificates.crt
+{% elif pam_ldap.ssl_certificate | length > 0 %}
+TLS_CACERT /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
 {% endif %}
-BIND_TIMELIMIT	5
+BIND_TIMELIMIT 5
 TIMEOUT 5
 TIMELIMIT 5
 

roles/debian/pam_ldap/templates/nslcd.conf.j2

@@ -28,10 +28,14 @@ bindpw {{ pam_ldap.bindpw }}
 #rootpwmoddn cn=admin,dc=example,dc=com
 
 # SSL options
-{% if pam_ldap.ssl_certificate is defined and pam_ldap.ssl_certificate %}
+{% if pam_ldap.ssl_use_system_ca %}
+ssl on
+tls_reqcert demand
+tls_cacertfile /etc/ssl/certs/ca-certificates.crt
+{% elif pam_ldap.ssl_certificate | length > 0 %}
 ssl on
 tls_reqcert demand
 tls_cacertfile /etc/ldap/ssl/{{ pam_ldap.ssl_certificate | basename }}
 {% endif %}
 # The search scope.
-#scope sub 
+#scope sub