|author||Guilhem Moulin <firstname.lastname@example.org>||2014-07-07 05:16:53 +0200|
|committer||Guilhem Moulin <email@example.com>||2015-06-07 02:52:34 +0200|
Configure SyncRepl (OpenLDAP replication) and related ACLs.
The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
Diffstat (limited to 'lib')
1 files changed, 1 insertions, 0 deletions
diff --git a/lib/modules/openldap b/lib/modules/openldap
index 3f6ea39..0f0bc9a 100644
@@ -37,6 +37,7 @@ indexedAttributes = frozenset([