fripost-ansible/roles/common-LDAP/templates/etc/default, branch master Fripost ansible scripts typofix 2024-09-08T00:27:38+00:00 Guilhem Moulin guilhem@fripost.org 2024-09-08T00:27:38+00:00 b84b96b199f22c7b5332605072759c8f74f968bc 






Port baseline to Debian 11 (codename Bullseye).
2022-10-13T20:12:05+00:00

Guilhem Moulin
guilhem@fripost.org

2022-10-11T23:43:23+00:00

85347041a04d17f6803100dd2cec9b489c9db47d












s/LDAP-provider/LDAP_provider/
2020-05-19T04:07:43+00:00

Guilhem Moulin
guilhem@fripost.org

2020-05-19T04:04:47+00:00

c9ecd815b4b77a57589f3588eba6c7d8ddfac020

This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.





This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.







Don't let authenticated client use arbitrary sender addresses.
2017-05-31T23:09:00+00:00

Guilhem Moulin
guilhem@fripost.org

2017-05-31T19:42:32+00:00

6e39bad3fbe75b88fca4c2e2aad8eb51af14b1be

The following policy is now implemented:

    * users can use their SASL login name as sender address;
    * alias and/or list owners can use the address as envelope sender;
    * domain postmasters can use arbitrary sender addresses under their
      domains;
    * domain owners can use arbitrary sender addresses under their domains,
      unless it is also an existing account name;
    * for known domains without owner or postmasters, other sender addresses
      are not allowed; and
    * arbitrary sender addresses under unknown domains are allowed.





The following policy is now implemented:

    * users can use their SASL login name as sender address;
    * alias and/or list owners can use the address as envelope sender;
    * domain postmasters can use arbitrary sender addresses under their
      domains;
    * domain owners can use arbitrary sender addresses under their domains,
      unless it is also an existing account name;
    * for known domains without owner or postmasters, other sender addresses
      are not allowed; and
    * arbitrary sender addresses under unknown domains are allowed.







Ensure Postfix's LDAP searchBase exists when doing a lookup.
2015-06-07T00:52:48+00:00

Guilhem Moulin
guilhem@fripost.org

2014-07-08T23:08:02+00:00

368540caee8fff8aa90b1542897188e9f98ac585

Postfix interprets Error Code 32 (No Such Object) as lookup failures,
but that's ugly...

Also, make Postfix simple bind against
cn=postfix,ou=services,dc=fripost,dc=org.





Postfix interprets Error Code 32 (No Such Object) as lookup failures,
but that's ugly...

Also, make Postfix simple bind against
cn=postfix,ou=services,dc=fripost,dc=org.







Configure SyncRepl (OpenLDAP replication) and related ACLs.
2015-06-07T00:52:34+00:00

Guilhem Moulin
guilhem@fripost.org

2014-07-07T03:16:53+00:00

7c01a383fae4d84727d6a036d93117c761b98e10

The clients are identified using their certificate, and connect securely
to the SyncProv.

There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT
    operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see
    'olcSecurity'), meaning one must use either a local connection (eg,
    ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
    least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket.
    If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
    socket whenever possible (if the service itself supports SASL binds).
    If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
    socket, and their identity should be derived from the CN of the client
    certificate only (hence services may not simple bind).
  - Admins have restrictions similar to that of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.





The clients are identified using their certificate, and connect securely
to the SyncProv.

There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT
    operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see
    'olcSecurity'), meaning one must use either a local connection (eg,
    ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
    least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket.
    If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
    socket whenever possible (if the service itself supports SASL binds).
    If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
    socket, and their identity should be derived from the CN of the client
    certificate only (hence services may not simple bind).
  - Admins have restrictions similar to that of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.







LDAP Sync Replication.
2015-06-07T00:51:05+00:00

Guilhem Moulin
guilhem@fripost.org

2013-12-02T02:42:57+00:00

5a7bec1a590e20e263d41eaf414cfe9b5ba48a75












Provision /etc/default/slapd
2015-06-07T00:51:02+00:00

Guilhem Moulin
guilhem@fripost.org

2013-12-01T21:21:41+00:00

0c99d9d1600c0fe2c494f9c59ba8ea7966dcd65f

This is because the UNIX domain socket to connect to when performing
LDAP lookups needs to be in the chroot.

Also, don't open a INET socket unless we're a Sync Provider.





This is because the UNIX domain socket to connect to when performing
LDAP lookups needs to be in the chroot.

Also, don't open a INET socket unless we're a Sync Provider.