authorGuilhem Moulin <guilhem@fripost.org>2014-07-08 07:02:56 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:45 +0200
commit84b0e246987f1d72d0b7bcc3f6f9665c97e8e009 (patch)
tree67b19face73739d9c986144bc84f9f9f1ca52d9e /roles/common-LDAP
parentb25fb1e7ea764de149f5c6604455436b7a819f06 (diff)
Fix client verification policy.
Diffstat (limited to 'roles/common-LDAP')
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j26
1 files changed, 5 insertions, 1 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index f633692..9df56f7 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -15,42 +15,46 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# There are a couple of XXX in this file, due to Postfix not supporting
# SASL binds in Wheezy.
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcLogLevel: none
olcToolThreads: 1
{% if ansible_processor_vcpus > 4 %}
olcThreads: {{ 2 * ansible_processor_vcpus }}
{% else %}
olcThreads: 8
{% endif %}
{% if 'LDAP-provider' in group_names %}
olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
+# If we are being offered a client cert, it has to be trusted (in which
+# case we map the X.509 subject to a DN in our namespace), or we
+# terminate the connection. Not providing a certificate is fine for
+# TLS-protected simple binds, though.
+olcTLSVerifyClient: try
olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
-olcTLSVerifyClient: allow
olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
"$1,dc=fripost,dc=org"
olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
# XXX We would like to say 'PFS' here, but Wheezy'z GnuTLS (libgnutls26
# 2.12.20-8+deb7u2) is too old :-( (Also, DHE/ECDHE are not supported.)
olcTLSCipherSuite: SECURE128:!CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:!MD5
{% endif %}
olcLocalSSF: 128
# /!\ This is not portable! But we only use glibc's crypt(3), which
# supports (salted, streched) SHA512
olcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: $6$%s
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=fripost,dc=org
{% if 'LDAP-provider' not in group_names and ('MX' in group_names or 'lists' in group_names) %}
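Review bot: The added comment (lines 39–42) says a trusted client certificate is mapped to a DN in our namespace, but the only mapping is the `olcAuthzRegexp` immediately below it, which matches subjects of the form `cn=*,ou=syncRepl,ou=LDAP,ou=SSLcerts,o=Fripost`; as far as I can tell a certificate that chains to `clients.pem` with any other subject is still accepted under `try` and, on a SASL EXTERNAL bind, is identified by its raw X.509 subject DN rather than being rejected or mapped. Either the comment should say so, or the ACLs must be checked to grant nothing to such unmapped DNs. I would amend the comment to `# If we are being offered a client cert, it has to be trusted (in which case olcAuthzRegexp below maps the X.509 subject to a DN in our namespace; subjects matching no rule keep their raw X.509 DN and must get nothing from the ACLs), or we terminate the connection.`. The sentence "Not providing a certificate is fine for TLS-protected simple binds" also relies on a minimum-SSF requirement (e.g. `olcSecurity`) that is not in this hunk, since `try` by itself does not force TLS for simple binds — worth confirming it is set elsewhere. The hunk's trailing context may continue past the lines shown.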