fripost-ansible/roles/LDAP-provider, branch master Fripost ansible scripts LDAP: Load dynlist overlay. 2025-02-01T12:56:14+00:00 Guilhem Moulin guilhem@fripost.org 2025-01-29T23:58:13+00:00 f647dd2265bf4c5a2903325f628774eace2011ce Looks like nextcloud 26-29 broke something in the handling of dynamic groups via memberURL attribute (and keeps repopulating the group — possibly due to paging — thereby spamming members with “An administrator removed you from group medlemmar” mails), so we expand on the slapd via slapo-dynlist(5) instead. This commit also fixes an issue with the openldap module where the index of the leftmost attribute of the DN is not necessary {0}. 
Looks like nextcloud 26-29 broke something in the handling of dynamic
groups via memberURL attribute (and keeps repopulating the group —
possibly due to paging — thereby spamming members with “An administrator
removed you from group medlemmar” mails), so we expand on the slapd via
slapo-dynlist(5) instead.

This commit also fixes an issue with the openldap module where the index
of the leftmost attribute of the DN is not necessary {0}.
LDAP: Update role to Debian Buster. 2020-05-19T04:36:36+00:00 Guilhem Moulin guilhem@fripost.org 2020-05-19T04:11:29+00:00 7249ebbf9237afe6cccb6069d8c910b4a5975cdf 






LDAP: Expose part of the database to Nextcloud.
2018-04-04T14:07:53+00:00

Guilhem Moulin
guilhem@fripost.org

2018-04-04T14:07:53+00:00

779fc904868bb2bc3f5f73cfd225ec7655ba14cf












Upgrade playbooks to Ansible 2.0.
2016-02-12T19:06:22+00:00

Guilhem Moulin
guilhem@fripost.org

2016-02-12T14:25:31+00:00

fa8d2b668550259e6f78d16fc209c4da1a20b842












Upgrade the LDAP config to Jessie.
2015-06-07T00:53:26+00:00

Guilhem Moulin
guilhem@fripost.org

2015-05-14T19:53:14+00:00

334b7604727810c02ecb8942f3753dee15466691












Make the Ansible LDAP plugin able to delete entries and attributes.
2015-06-07T00:52:41+00:00

Guilhem Moulin
guilhem@fripost.org

2014-07-07T21:02:45+00:00

9198e7f8096e9f1b0d5f474cf2345913a357f864

Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on
the 'config' database.





Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on
the 'config' database.







Fix race condition when generating cerificates for slapd.
2015-06-07T00:52:40+00:00

Guilhem Moulin
guilhem@fripost.org

2014-07-07T18:12:28+00:00

3e38718677b10faca8970d9b1cc8edc215cce798

The SyncProv won't start if the file olcTLSCACertificateFile points to
doesn't exist.





The SyncProv won't start if the file olcTLSCACertificateFile points to
doesn't exist.







Remove o=mailHosting from the LDAP directory suffix.
2015-06-07T00:52:39+00:00

Guilhem Moulin
guilhem@fripost.org

2014-07-07T16:37:30+00:00

2dfe29dfcd35fae7160178e329fb0647cc896e3b

So our suffix is now a mere 'dc=fripost,dc=org'.  We're also using the
default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it
before hand).





So our suffix is now a mere 'dc=fripost,dc=org'.  We're also using the
default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it
before hand).







Configure SyncRepl (OpenLDAP replication) and related ACLs.
2015-06-07T00:52:34+00:00

Guilhem Moulin
guilhem@fripost.org

2014-07-07T03:16:53+00:00

7c01a383fae4d84727d6a036d93117c761b98e10

The clients are identified using their certificate, and connect securely
to the SyncProv.

There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT
    operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see
    'olcSecurity'), meaning one must use either a local connection (eg,
    ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
    least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket.
    If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
    socket whenever possible (if the service itself supports SASL binds).
    If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
    socket, and their identity should be derived from the CN of the client
    certificate only (hence services may not simple bind).
  - Admins have restrictions similar to that of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.





The clients are identified using their certificate, and connect securely
to the SyncProv.

There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT
    operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see
    'olcSecurity'), meaning one must use either a local connection (eg,
    ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
    least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket.
    If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
    socket whenever possible (if the service itself supports SASL binds).
    If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
    socket, and their identity should be derived from the CN of the client
    certificate only (hence services may not simple bind).
  - Admins have restrictions similar to that of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.







Enable zero-copy updates to the LDAP directory.
2015-06-07T00:52:32+00:00

Guilhem Moulin
guilhem@fripost.org

2014-07-06T17:55:58+00:00

1e68d980a0587bb1afea3685d0a46fce86135cb9