LDAP: Rotate soon-to-be expired key material.HEAD master

Also, switch from rsa4096 to ed25519 and use a separate key for each syncrepl.
author: Guilhem Moulin <guilhem@fripost.org> 2024-09-08 20:30:20 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2024-09-08 20:54:00 +0200
commit: 6b7ad809bbefc32216bac22547241ed402a570c8 (patch)
tree: 21b18d5268ecf4c2d86864832d384cc79de78b4d /roles/common-LDAP/templates
parent: ab26418d9e59314d88ebf4f0885659114a919961 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 2c0db0b..a0ac705 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -34,7 +34,7 @@ olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
 # terminate the connection.  Not providing a certificate is fine for
 # TLS-protected simple binds, though.
 olcTLSVerifyClient: try
-olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
+olcTLSCACertificateFile: /etc/ldap/ssl/syncrepl.pem
 olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
                 "dn.exact:$1,dc=fripost,dc=org"
 olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
author	Guilhem Moulin <guilhem@fripost.org>	2024-09-08 20:30:20 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2024-09-08 20:54:00 +0200
commit	6b7ad809bbefc32216bac22547241ed402a570c8 (patch)
tree	21b18d5268ecf4c2d86864832d384cc79de78b4d /roles/common-LDAP/templates
parent	ab26418d9e59314d88ebf4f0885659114a919961 (diff)