Configure SyncRepl (OpenLDAP replication) and related ACLs.

The clients are identified using their certificate, and connect securely
to the SyncProv.

There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT
    operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see
    'olcSecurity'), meaning one must use either a local connection (eg,
    ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
    least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket.
    If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
    socket whenever possible (if the service itself supports SASL binds).
    If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
    socket, and their identity should be derived from the CN of the client
    certificate only (hence services may not simple bind).
  - Admins have restrictions similar to that of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.

1 files changed, 16 insertions, 0 deletions

diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index fc9ed62..48cc8d2 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -4,4 +4,20 @@
             target=etc/ldap/syncprov.ldif
             local=file
 
+- name: Enable the EXTERNAL SASL mechanism
+  lineinfile: dest=/usr/lib/sasl2/slapd.conf
+              regexp='^mech_list'':'
+              line=mech_list':'' EXTERNAL'
+              owner=root group=root
+              mode=0644
+
+- name: Copy the SyncRepls's client certificates
+  assemble: src=certs/ldap
+            remote_src=no
+            dest=/etc/ldap/ssl/clients.pem
+            owner=root group=root
+            mode=0644
+  tags:
+    - genkey
+
 # TODO: authz constraint