diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-07 05:16:53 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:52:34 +0200 |
commit | 7c01a383fae4d84727d6a036d93117c761b98e10 (patch) | |
tree | 453fb77e9758ea29729fa4e65633bb3261e71345 /roles/common-web/files/etc/nginx/ssl | |
parent | f9fa7026603a298c46aea77d753e0a8121e5d71b (diff) |
Configure SyncRepl (OpenLDAP replication) and related ACLs.
The clients are identified using their certificate, and connect securely
to the SyncProv.
There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
- Authentication (XXX: strong authentication) is required prior to any DIT
operation (see 'olcRequires').
- We force a Security Strength Factor of 128 or above for all operations (see
'olcSecurity'), meaning one must use either a local connection (eg,
ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
least 128 bits of security.
- XXX: Services may not simple bind other than locally on a ldapi:// socket.
If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
socket whenever possible (if the service itself supports SASL binds).
If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
socket, and their identity should be derived from the CN of the client
certificate only (hence services may not simple bind).
- Admins have restrictions similar to that of the services.
- User access is only restricted by our global 'olcSecurity' attribute.
Diffstat (limited to 'roles/common-web/files/etc/nginx/ssl')
0 files changed, 0 insertions, 0 deletions