summaryrefslogtreecommitdiffstats
path: root/roles/common-LDAP/templates/etc/ldap
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2015-05-31 04:03:02 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:53:56 +0200
commit0b0f73b7e303a9169224fb42a2210d312c5363ff (patch)
treebaa8d89179f057398f82b506d6cd48425f4959e1 /roles/common-LDAP/templates/etc/ldap
parentb29601e313e8d35ec7edee343c82ca71ed6a3a12 (diff)
Enforce "strong" authentication and FPS in LDAP.
Which is now possible since all LDAP clients and servers have been upgraded to Jessie, and Postfix is now able to perform SASL binds.
Diffstat (limited to 'roles/common-LDAP/templates/etc/ldap')
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j226
1 files changed, 11 insertions, 15 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index ff46178..b2981b3 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -14,9 +14,6 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-# There are a couple of XXX in this file, due to Postfix not supporting
-# SASL binds in Wheezy.
-
dn: cn=config
objectClass: olcGlobal
cn: config
@@ -41,7 +38,7 @@ olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
"$1,dc=fripost,dc=org"
olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
-olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM
+olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1
{% endif %}
olcLocalSSF: 128
# /!\ This is not portable! But we only use glibc's crypt(3), which
@@ -71,8 +68,7 @@ olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
# and must use 1/ authentication, and 2/ SASL or TLS. (Local clients
# should use ldapi:// and SASL/EXERNAL, while remote clients should use
# TLS.)
-# XXX: olcRequires: none LDAPv3 authc strong
-olcRequires: none LDAPv3 authc
+olcRequires: none LDAPv3 authc strong
olcSecurity: simple_bind=128 ssf=128 update_ssf=128
#
#
@@ -158,19 +154,19 @@ olcSyncrepl: rid=000
olcAddContentAcl: TRUE
#
# Overview:
-# - Authentication (XXX: strong authentication) is required prior to any DIT
-# operation (see 'olcRequires').
+# - Strong authentication is required prior to any DIT operation (see
+# 'olcRequires').
# - We force a Security Strength Factor of 128 or above for all operations (see
# 'olcSecurity'), meaning one must use either a local connection (eg,
# ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
# least 128 bits of security.
-# - XXX: Services may not simple bind other than locally on a ldapi:// socket.
-# If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
-# socket whenever possible (if the service itself supports SASL binds).
-# If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
-# socket, and their identity should be derived from the Subject of the
-# client certificate (the cert should be added to 'olcTLSCACertificateFile',
-# and 'olcAuthzRegexp' should map the X.509 subject to the LDAP DN).
+# - Services should support SASL binds and use SASL/EXTERNAL on a
+# ldapi:// socket.
+# - For (partial) remote replicates should use SASL/EXTERNAL on a
+# ldaps:// socket, and their identity should be derived from the
+# Subject of the client certificate (the cert should be added to
+# 'olcTLSCACertificateFile', and 'olcAuthzRegexp' should map the X.509
+# subject to the LDAP DN).
# - Admins have restrictions similar to that of the services.
# - User access is only restricted by our global 'olcSecurity' attribute.
#