authorGuilhem Moulin <guilhem@fripost.org>2015-05-14 21:53:14 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:53:26 +0200
commit334b7604727810c02ecb8942f3753dee15466691 (patch)
tree5a3abd1691c8d15a85ca3b41b4bb400e66b4691f
parent83ce4d28347d6bf7f8cd42e23465227548e3f878 (diff)
Upgrade the LDAP config to Jessie.
-rw-r--r--lib/modules/openldap2
-rw-r--r--roles/LDAP-provider/files/etc/ldap/syncprov.ldif2
-rw-r--r--roles/LDAP-provider/tasks/main.yml1
-rw-r--r--roles/common-LDAP/files/var/lib/ldap/DB_CONFIG20
-rw-r--r--roles/common-LDAP/tasks/main.yml6
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j219
6 files changed, 11 insertions, 39 deletions
diff --git a/lib/modules/openldap b/lib/modules/openldap
index 69ee4df..91e6a3c 100644
--- a/lib/modules/openldap
+++ b/lib/modules/openldap
@@ -50,7 +50,7 @@ indexedAttributes = frozenset([
# entry.)
indexedDN = {
'olcSchemaConfig': [('cn', '{*}%s')],
- 'olcHdbConfig': [('olcDbDirectory', '%s' )],
+ 'olcMdbConfig': [('olcDbDirectory', '%s' )],
'olcOverlayConfig': [('olcOverlay', '%s' )],
}
diff --git a/roles/LDAP-provider/files/etc/ldap/syncprov.ldif b/roles/LDAP-provider/files/etc/ldap/syncprov.ldif
index 42f06a0..edb19c1 100644
--- a/roles/LDAP-provider/files/etc/ldap/syncprov.ldif
+++ b/roles/LDAP-provider/files/etc/ldap/syncprov.ldif
@@ -3,7 +3,7 @@
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
# - man 5 slapo-syncprov
-dn: olcOverlay=syncprov,olcDatabase={*}hdb,cn=config
+dn: olcOverlay=syncprov,olcDatabase={*}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index fa212a0..3f7f29f 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -8,6 +8,7 @@
lineinfile: dest=/usr/lib/sasl2/slapd.conf
regexp='^mech_list'':'
line=mech_list':'' EXTERNAL'
+ create=yes
owner=root group=root
mode=0644
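Review bot: With `create=yes` this task now writes /usr/lib/sasl2/slapd.conf from scratch on hosts where it is absent, and the file then consists of the single mech_list line, so its purpose — restricting slapd's SASL offer to EXTERNAL (peer credentials on ldapi:// and client certificates, which is what the olcRootDN and olcAuthzRegexp in this role rely on) — deserves a comment above the task, e.g. `# Offer only SASL/EXTERNAL; slapd must not advertise other mechanisms. The file is absent on a fresh Jessie install, hence create=yes.` Please confirm that the Jessie libsasl2 actually consults /usr/lib/sasl2/slapd.conf (Debian also searches /etc/sasl2); if it does not, the created file is inert and slapd keeps advertising every installed mechanism. Note that lineinfile does not create a missing parent directory, so the task fails if /usr/lib/sasl2 itself does not exist. The task's name line is outside the hunk.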
diff --git a/roles/common-LDAP/files/var/lib/ldap/DB_CONFIG b/roles/common-LDAP/files/var/lib/ldap/DB_CONFIG
deleted file mode 100644
index 07738c2..0000000
--- a/roles/common-LDAP/files/var/lib/ldap/DB_CONFIG
+++ /dev/null
@@ -1,20 +0,0 @@
-# It may be a good idea to modify this file, depending on the output of
-#
-# db_stat -mh /var/lib/ldap | head -16
-#
-# (For optimal performance, the Requested pages found in the cache
-# should be above 95%, and the dirty/clean pages forced from the cache
-# should be 0.)
-#
-# and
-#
-# db_stat -ch /var/lib/ldap | head -16
-#
-# (For optimal performance, usage should be within 85% of the configured
-# values.)
-#
-# 5MB cachesize
-set_cachesize 0 5242880 0
-set_lk_max_objects 1500
-set_lk_max_locks 1500
-set_lk_max_lockers 1500
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 60ccc76..5c15cc8 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -18,12 +18,6 @@
notify:
- Restart slapd
-- name: Copy DB_CONFIG
- copy: src=var/lib/ldap/DB_CONFIG
- dest=/var/lib/ldap/DB_CONFIG
- owner=openldap group=openldap
- mode=0644
-
- name: Create directory /etc/ldap/ssl
file: path=/etc/ldap/ssl
state=directory
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index e19d182..48758be 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -41,9 +41,7 @@ olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
"$1,dc=fripost,dc=org"
olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
-# XXX We would like to say 'PFS' here, but Wheezy'z GnuTLS (libgnutls26
-# 2.12.20-8+deb7u2) is too old :-( (Also, DHE/ECDHE are not supported.)
-olcTLSCipherSuite: SECURE128:!CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:!MD5
+olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM
{% endif %}
olcLocalSSF: 128
# /!\ This is not portable! But we only use glibc's crypt(3), which
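Review bot: The new olcTLSCipherSuite leaves only TLS 1.2 with (EC)DHE key exchange and AES-GCM, and the comment it replaces records that some peers still ran Wheezy's libgnutls26, which lacks DHE/ECDHE; such a client or syncrepl consumer can no longer complete a handshake, so consumers must be upgraded before this setting reaches the provider. The removed explanation should be replaced rather than dropped: `# TLS 1.2 only, PFS key exchange and AES-GCM only; every client and syncrepl consumer needs a GnuTLS with (EC)DHE support (Wheezy's libgnutls26 has none).` Both GCM suites yield an SSF of at least 128, so the olcLocalSSF and tls_ssf=128 requirements elsewhere in this file are still satisfiable.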
@@ -52,9 +50,9 @@ olcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: $6$%s
-dn: olcDatabase=hdb,cn=config
+dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
-objectClass: olcHdbConfig
+objectClass: olcMdbConfig
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=fripost,dc=org
{% if 'LDAP-provider' not in group_names and ('MX' in group_names or 'lists' in group_names) %}
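Review bot: Switching the database entry from olcHdbConfig to olcMdbConfig does not convert the data under /var/lib/ldap: back-mdb does not read the BDB files hdb left there, so on a host upgraded in place the tree has to be exported with slapcat before this configuration is applied and reloaded with slapadd afterwards, unless the playbook does that somewhere not shown here. A comment above the dn line would make that explicit, e.g. `# back-mdb since Jessie; data from an hdb install must be slapcat/slapadd-migrated.` The database entry continues past this hunk.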
@@ -66,11 +64,6 @@ olcDbCheckpoint: 512 15
{% else %}
olcLastMod: FALSE
{% endif %}
-# See DB_CONFIG
-olcDbConfig: set_cachesize 0 5242880 0
-olcDbConfig: set_lk_max_objects 1500
-olcDbConfig: set_lk_max_locks 1500
-olcDbConfig: set_lk_max_lockers 1500
# The root user has all rights on the whole database (when SASL-binding
# on a UNIX socket).
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
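Review bot: With the olcDbConfig tuning removed, nothing in the mdb entry sets olcDbMaxSize, so the database runs with back-mdb's default map size (10485760 bytes per slapd-mdb(5)); once the directory grows past that, writes fail with MDB_MAP_FULL until the value is raised and slapd restarted. Add an explicit bound sized from the expected growth of the virtual-domain tree, e.g. `olcDbMaxSize: 1073741824`, with a comment noting it is an upper limit on the memory map, not a preallocation. If the openldap module merges rather than replaces the live entry an existing value might survive on some hosts, but the template should still carry one. The database entry begins before this hunk.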
@@ -233,7 +226,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,dc=fripost,dc=org)$"
by realself tls_ssf=128 =w
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" tls_ssf=128 =w
by dn.onelevel="ou=admins,dc=fripost,dc=org" tls_ssf=128 =w
- by dn.exact="username=guilhem,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =w
+ by group.exact="cn=admin,ou=groups,dc=fripost,dc=org" =w
#
# XXX
# * Anonymous users are allowed to simple bind as Postfix, but only when
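Review bot: The replacement `by group.exact=... =w` clause carries no strength qualifier, whereas the clause it replaces was tied to the local socket (peercred over ldapi://) and every sibling clause in this ACL requires tls_ssf=128; as written, a member of cn=admin doing a simple bind over ldap:// without STARTTLS gets write access to these entries unless a global olcSecurity directive outside this hunk enforces a minimum SSF (olcSaslSecProps minssf=128 only governs SASL binds). I would write `by group.exact="cn=admin,ou=groups,dc=fripost,dc=org" ssf=128 =w`: ssf, unlike tls_ssf, is also satisfied by the olcLocalSSF: 128 that ldapi:// connections receive, so admins keep their socket access while cleartext TCP binds are refused. The ACL starts before the hunk.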
@@ -269,6 +262,10 @@ olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
attrs=entry,objectClass
by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by group.exact="cn=admin,ou=groups,dc=fripost,dc=org" =wrsd
+ by users =0 break
+olcAccess: to dn.children="ou=virtual,dc=fripost,dc=org"
+ by group.exact="cn=admin,ou=groups,dc=fripost,dc=org" =wrsd
by users =0 break
{% endif -%}
#
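Review bot: Both new `by group.exact=...` clauses (on the entry/objectClass rule and on the new dn.children rule) lack an ssf qualifier while the syncRepl clause next to them requires tls_ssf=128; add `ssf=128` to each so that admin access is only granted over TLS or the ldapi:// socket (whose olcLocalSSF is 128), and not over a cleartext simple bind. The new dn.children rule also has no attrs= restriction, so `=wrsd` gives the group read and write on every attribute of every entry below ou=virtual; that is fine only if earlier rules in this file, outside the hunk, already match sensitive attributes such as userPassword first, which is worth verifying.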