summaryrefslogtreecommitdiffstats
path: root/roles/LDAP-provider
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2014-07-07 05:16:53 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:34 +0200
commit7c01a383fae4d84727d6a036d93117c761b98e10 (patch)
tree453fb77e9758ea29729fa4e65633bb3261e71345 /roles/LDAP-provider
parentf9fa7026603a298c46aea77d753e0a8121e5d71b (diff)
Configure SyncRepl (OpenLDAP replication) and related ACLs.
The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
Diffstat (limited to 'roles/LDAP-provider')
-rw-r--r--roles/LDAP-provider/tasks/main.yml16
1 files changed, 16 insertions, 0 deletions
diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index fc9ed62..48cc8d2 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -4,4 +4,20 @@
target=etc/ldap/syncprov.ldif
local=file
+- name: Enable the EXTERNAL SASL mechanism
+ lineinfile: dest=/usr/lib/sasl2/slapd.conf
+ regexp='^mech_list'':'
+ line=mech_list':'' EXTERNAL'
+ owner=root group=root
+ mode=0644
+
+- name: Copy the SyncRepls's client certificates
+ assemble: src=certs/ldap
+ remote_src=no
+ dest=/etc/ldap/ssl/clients.pem
+ owner=root group=root
+ mode=0644
+ tags:
+ - genkey
+
# TODO: authz constraint