diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2015-06-10 18:16:13 +0200 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-10 18:52:21 +0200 |
| commit | f24f936c69ee97cca6095923549430cb6d510320 (patch) | |
| tree | c541c7976bfdf43486b3052ed893c84b1ae029b1 /roles/common-LDAP/templates/etc/ldap | |
| parent | b408390ae9311b7d703ce57c25a78dce23c31b16 (diff) | |
slapd monitoring.
We don't use the provided 'slapd_' Munin plugin because it doesn't
support SASL binds.
Diffstat (limited to 'roles/common-LDAP/templates/etc/ldap')
| -rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index b2981b3..5f9d8b1 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -30,40 +30,48 @@ olcThreads: 8 olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key # If we are being offered a client cert, it has to be trusted (in which # case we map the X.509 subject to a DN in our namespace), or we # terminate the connection. Not providing a certificate is fine for # TLS-protected simple binds, though. olcTLSVerifyClient: try olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$" "$1,dc=fripost,dc=org" olcSaslSecProps: minssf=128,noanonymous,noplain,nodict olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1 {% endif %} olcLocalSSF: 128 # /!\ This is not portable! But we only use glibc's crypt(3), which # supports (salted, streched) SHA512 olcPasswordHash: {CRYPT} olcPasswordCryptSaltFormat: $6$%s +dn: olcDatabase=monitor,cn=config +objectClass: olcDatabaseConfig +objectClass: olcMonitorConfig +olcAccess: to dn.subtree="cn=monitor" + by dn.exact="username=munin,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" read + by * =0 + + dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDbDirectory: /var/lib/ldap olcSuffix: dc=fripost,dc=org {% if 'LDAP-provider' not in group_names and 'MX' in group_names %} olcReadOnly: TRUE {% endif %} {% if 'LDAP-provider' in group_names %} olcLastMod: TRUE olcDbCheckpoint: 512 15 {% else %} olcLastMod: FALSE {% endif %} # The root user has all rights on the whole database (when SASL-binding # on a UNIX socket). olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth # Ensure that all DIT access is made according to the LDAPv3 protocol, # and must use 1/ authentication, and 2/ SASL or TLS. (Local clients # should use ldapi:// and SASL/EXERNAL, while remote clients should use |