Enforce "strong" authentication and FPS in LDAP.

Which is now possible since all LDAP clients and servers have been upgraded to Jessie, and Postfix is now able to perform SASL binds.
author: Guilhem Moulin <guilhem@fripost.org> 2015-05-31 04:03:02 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2015-06-07 02:53:56 +0200
commit: 0b0f73b7e303a9169224fb42a2210d312c5363ff (patch)
tree: baa8d89179f057398f82b506d6cd48425f4959e1 /roles/common-LDAP
parent: b29601e313e8d35ec7edee343c82ca71ed6a3a12 (diff)
1 files changed, 11 insertions, 15 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index ff46178..b2981b3 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -1,95 +1,91 @@
 # Fripost's LDAP database definition
 # Copyright (c) 2013-2014 Guilhem Moulin <guilhem@fripost.org>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# There are a couple of XXX in this file, due to Postfix not supporting
-# SASL binds in Wheezy.
-
 dn: cn=config
 objectClass: olcGlobal
 cn: config
 olcArgsFile: /var/run/slapd/slapd.args
 olcPidFile: /var/run/slapd/slapd.pid
 olcLogLevel: none
 olcToolThreads: 1
 {% if ansible_processor_vcpus > 4 %}
 olcThreads: {{ 2 * ansible_processor_vcpus }}
 {% else %}
 olcThreads: 8
 {% endif %}
 {% if 'LDAP-provider' in group_names %}
 olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem
 olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
 # If we are being offered a client cert, it has to be trusted (in which
 # case we map the X.509 subject to a DN in our namespace), or we
 # terminate the connection.  Not providing a certificate is fine for
 # TLS-protected simple binds, though.
 olcTLSVerifyClient: try
 olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
 olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
                 "$1,dc=fripost,dc=org"
 olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
-olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM
+olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1
 {% endif %}
 olcLocalSSF: 128
 # /!\ This is not portable! But we only use glibc's crypt(3), which
 # supports (salted, streched) SHA512
 olcPasswordHash: {CRYPT}
 olcPasswordCryptSaltFormat: $6$%s
 
 
 dn: olcDatabase=mdb,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcMdbConfig
 olcDbDirectory: /var/lib/ldap
 olcSuffix: dc=fripost,dc=org
 {% if 'LDAP-provider' not in group_names and 'MX' in group_names %}
 olcReadOnly: TRUE
 {% endif %}
 {% if 'LDAP-provider' in group_names %}
 olcLastMod: TRUE
 olcDbCheckpoint: 512 15
 {% else %}
 olcLastMod: FALSE
 {% endif %}
 # The root user has all rights on the whole database (when SASL-binding
 # on a UNIX socket).
 olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 # Ensure that all DIT access is made according to the LDAPv3 protocol,
 # and must use 1/ authentication, and 2/ SASL or TLS.  (Local clients
 # should use ldapi:// and SASL/EXERNAL, while remote clients should use
 # TLS.)
-# XXX: olcRequires: none LDAPv3 authc strong
-olcRequires: none LDAPv3 authc
+olcRequires: none LDAPv3 authc strong
 olcSecurity: simple_bind=128 ssf=128 update_ssf=128
 #
 #
 ########################################################################
 # Performance considerations
 #
 # To reindex an existing database, you have to
 #  * Stop slapd     sudo service slapd stop
 #  * Reindex        sudo -u openldap slapindex -b 'dc=fripost,dc=org'
 #  * Restart slapd  sudo service slapd start
 #
 olcDbIndex: objectClass eq
 # Let us make Postfix's life easier.
 {% if 'LDAP-provider' in group_names %}
 olcDbIndex: fvd,fvl eq,sub
 olcDbIndex: fripostIsStatusActive eq
 {% elif 'MX' in group_names or 'MDA' in group_names %}
 olcDbIndex: fripostIsStatusActive,fvd,fvl eq
 {% endif %}
 {% if 'LDAP-provider' in group_names %}
@@ -141,53 +137,53 @@ olcSyncrepl: rid=000
   attrs=objectClass,fvd,fvl,fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner,fripostUseContentFilter,fripostListManager
   scope=sub
   sizelimit=unlimited
   schemachecking=off
   bindmethod=sasl
   saslmech=external
   tls_cert=/etc/ldap/ssl/mx.pem
   tls_key=/etc/ldap/ssl/mx.key
   tls_cacert=/etc/ldap/ssl/ldap.fripost.org.pem
   tls_reqcert=hard
 {% endif %}
 #
 #
 ########################################################################
 # Access control
 # /!\ WARN: All modification to the ACL should be reflected to the test
 # /!\ suite as well!
 olcAddContentAcl: TRUE
 #
 # Overview:
-# - Authentication (XXX: strong authentication) is required prior to any DIT
-#   operation (see 'olcRequires').
+# - Strong authentication is required prior to any DIT operation (see
+#   'olcRequires').
 # - We force a Security Strength Factor of 128 or above for all operations (see
 #   'olcSecurity'), meaning one must use either a local connection (eg,
 #   ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
 #   least 128 bits of security.
-# - XXX: Services may not simple bind other than locally on a ldapi:// socket.
-#   If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
-#   socket whenever possible (if the service itself supports SASL binds).
-#   If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
-#   socket, and their identity should be derived from the Subject of the
-#   client certificate (the cert should be added to 'olcTLSCACertificateFile',
-#   and 'olcAuthzRegexp' should map the X.509 subject to the LDAP DN).
+# - Services should support SASL binds and use SASL/EXTERNAL on a
+#   ldapi:// socket.
+# - For (partial) remote replicates should use SASL/EXTERNAL on a
+#   ldaps:// socket, and their identity should be derived from the
+#   Subject of the client certificate (the cert should be added to
+#   'olcTLSCACertificateFile', and 'olcAuthzRegexp' should map the X.509
+#   subject to the LDAP DN).
 # - Admins have restrictions similar to that of the services.
 # - User access is only restricted by our global 'olcSecurity' attribute.
 #
 #
 # References:
 # - http://www.openldap.org/doc/admin24/access-control.html
 # - http://www.openldap.org/faq/data/cache/189.html
 # - http://www.openldap.org/faq/data/cache/1140.html
 # - http://www.openldap.org/faq/data/cache/1133.html
 # - man 5 slapd.access
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # User Passwords:
 #
 # * Anonymous users are allowed to simple bind through TLS-protected
 #   connections.
 # * Anonymous users are allowed to simple bind when connecting to a
 #   local ldapi:// socket (when using auth_binds, Dovecot delegates
 #   authentication to the LDAP server).
 # * Authenticated users are allowed to change (ie replace) their
author	Guilhem Moulin <guilhem@fripost.org>	2015-05-31 04:03:02 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2015-06-07 02:53:56 +0200
commit	0b0f73b7e303a9169224fb42a2210d312c5363ff (patch)
tree	baa8d89179f057398f82b506d6cd48425f4959e1 /roles/common-LDAP
parent	b29601e313e8d35ec7edee343c82ca71ed6a3a12 (diff)