Fix client verification policy.

author: Guilhem Moulin <guilhem@fripost.org> 2014-07-08 07:02:56 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2015-06-07 02:52:45 +0200
commit: 84b0e246987f1d72d0b7bcc3f6f9665c97e8e009 (patch)
tree: 67b19face73739d9c986144bc84f9f9f1ca52d9e /roles/common-LDAP
parent: b25fb1e7ea764de149f5c6604455436b7a819f06 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index f633692..9df56f7 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -32,8 +32,12 @@ olcThreads: 8
 {% if 'LDAP-provider' in group_names %}
 olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem
 olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
+# If we are being offered a client cert, it has to be trusted (in which
+# case we map the X.509 subject to a DN in our namespace), or we
+# terminate the connection.  Not providing a certificate is fine for
+# TLS-protected simple binds, though.
+olcTLSVerifyClient: try
 olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
-olcTLSVerifyClient: allow
 olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
                 "$1,dc=fripost,dc=org"
 olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
author	Guilhem Moulin <guilhem@fripost.org>	2014-07-08 07:02:56 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2015-06-07 02:52:45 +0200
commit	84b0e246987f1d72d0b7bcc3f6f9665c97e8e009 (patch)
tree	67b19face73739d9c986144bc84f9f9f1ca52d9e /roles/common-LDAP
parent	b25fb1e7ea764de149f5c6604455436b7a819f06 (diff)