1 files changed, 8 insertions, 11 deletions

diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index e19d182..48758be 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -24,70 +24,63 @@ olcArgsFile: /var/run/slapd/slapd.args
 olcPidFile: /var/run/slapd/slapd.pid
 olcLogLevel: none
 olcToolThreads: 1
 {% if ansible_processor_vcpus > 4 %}
 olcThreads: {{ 2 * ansible_processor_vcpus }}
 {% else %}
 olcThreads: 8
 {% endif %}
 {% if 'LDAP-provider' in group_names %}
 olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem
 olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
 # If we are being offered a client cert, it has to be trusted (in which
 # case we map the X.509 subject to a DN in our namespace), or we
 # terminate the connection.  Not providing a certificate is fine for
 # TLS-protected simple binds, though.
 olcTLSVerifyClient: try
 olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
 olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
                 "$1,dc=fripost,dc=org"
 olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
-# XXX We would like to say 'PFS' here, but Wheezy'z GnuTLS (libgnutls26
-# 2.12.20-8+deb7u2) is too old :-( (Also, DHE/ECDHE are not supported.)
-olcTLSCipherSuite: SECURE128:!CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:!MD5
+olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM
 {% endif %}
 olcLocalSSF: 128
 # /!\ This is not portable! But we only use glibc's crypt(3), which
 # supports (salted, streched) SHA512
 olcPasswordHash: {CRYPT}
 olcPasswordCryptSaltFormat: $6$%s
 
 
-dn: olcDatabase=hdb,cn=config
+dn: olcDatabase=mdb,cn=config
 objectClass: olcDatabaseConfig
-objectClass: olcHdbConfig
+objectClass: olcMdbConfig
 olcDbDirectory: /var/lib/ldap
 olcSuffix: dc=fripost,dc=org
 {% if 'LDAP-provider' not in group_names and ('MX' in group_names or 'lists' in group_names) %}
 olcReadOnly: TRUE
 {% endif %}
 {% if 'LDAP-provider' in group_names %}
 olcLastMod: TRUE
 olcDbCheckpoint: 512 15
 {% else %}
 olcLastMod: FALSE
 {% endif %}
-# See DB_CONFIG
-olcDbConfig: set_cachesize 0 5242880 0
-olcDbConfig: set_lk_max_objects 1500
-olcDbConfig: set_lk_max_locks   1500
-olcDbConfig: set_lk_max_lockers 1500
 # The root user has all rights on the whole database (when SASL-binding
 # on a UNIX socket).
 olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 # Ensure that all DIT access is made according to the LDAPv3 protocol,
 # and must use 1/ authentication, and 2/ SASL or TLS.  (Local clients
 # should use ldapi:// and SASL/EXERNAL, while remote clients should use
 # TLS.)
 # XXX: olcRequires: none LDAPv3 authc strong
 olcRequires: none LDAPv3 authc
 olcSecurity: simple_bind=128 ssf=128 update_ssf=128
 #
 #
 ########################################################################
 # Performance considerations
 #
 # To reindex an existing database, you have to
 #  * Stop slapd     sudo service slapd stop
 #  * Reindex        sudo -u openldap slapindex -b 'dc=fripost,dc=org'
 #  * Restart slapd  sudo service slapd start
 #
@@ -216,76 +209,80 @@ olcAddContentAcl: TRUE
 #   connections.
 # * Anonymous users are allowed to simple bind when connecting to a
 #   local ldapi:// socket (when using auth_binds, Dovecot delegates
 #   authentication to the LDAP server).
 # * Authenticated users are allowed to change (ie replace) their
 #   password through TLS-protected connections, but read access is not
 #   granted.
 # * Domain postmasters are allowed to change (ie replace) their users'
 #   password through TLS-protected connections, but read access is not
 #   granted.
 # * The same goes for general admins.
 # * The same goes for local admins.
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,dc=fripost,dc=org)$"
         filter=(objectClass=FripostVirtualUser)
         attrs=userPassword
     by realanonymous                                                tls_ssf=128               =xd
     by realanonymous                                                sockurl.regex="^ldapi://" =xd
     by realself                                                     tls_ssf=128               =w
     by group/FripostVirtualDomain/fripostPostmaster.expand="$1"     tls_ssf=128               =w
     by dn.onelevel="ou=admins,dc=fripost,dc=org"                    tls_ssf=128               =w
-    by dn.exact="username=guilhem,cn=peercred,cn=external,cn=auth"  sockurl.regex="^ldapi://" =w
+    by group.exact="cn=admin,ou=groups,dc=fripost,dc=org"                                     =w
 #
 # XXX
 # * Anonymous users are allowed to simple bind as Postfix, but only when
 #   using a local ldapi:// listener from one of the Postfix instance
 #   (which should be accessible by the 'postfix' UNIX user only).
 olcAccess: to dn.exact="cn=postfix,ou=services,dc=fripost,dc=org"
         attrs=userPassword
     by realanonymous sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =xd
 #
 # TODO: are there other services which need to be able to simple bind?
 #
 # * Catch-all: no one else may access the passwords (including for
 #   simple bind).
 olcAccess: to dn.subtree="dc=fripost,dc=org"
         attrs=userPassword
     by * =0
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Base
 #
 # * Only SyncRepl replicates may access operational attributes in the
 #   subtree, when using a TLS-protected connection.
 {% if 'LDAP-provider' in group_names -%}
 olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
         attrs=entryDN,entryCSN,entryUUID,structuralObjectClass,hasSubordinates,subschemaSubentry
     by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
     by *                                                       =0
 #
 # * They may also read entries (ie, the attributes they have access to
 #   as per the ACL below) in that subtree, when using a TLS-protected
 #   connection.  Listing entries (their DN) is required to replicate
 #   deletions properly.
 olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
         attrs=entry,objectClass
     by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
+    by group.exact="cn=admin,ou=groups,dc=fripost,dc=org"      =wrsd
+    by users                                                   =0   break
+olcAccess: to dn.children="ou=virtual,dc=fripost,dc=org"
+    by group.exact="cn=admin,ou=groups,dc=fripost,dc=org"      =wrsd
     by users                                                   =0   break
 {% endif -%}
 #
 # * Postfix may use the base as a searchBase on the MX:es, when
 #   connecting a local ldapi:// socket from the 'private' directory in
 #   one of the non-default instance's chroot.
 # * So may Dovecot on the MDA (needed for the iterate filter), when
 #   SASL-binding using the EXTERNAL mechanism and connecting to a local
 #   ldapi:// socket.
 olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org"
         attrs=entry,objectClass
         filter=(objectClass=FripostVirtual)
     {% if 'MDA' in group_names -%}
     by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://"                                                    =sd
     {% endif -%}
     {% if 'MX' in group_names -%}
     by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org"         sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =sd
     {% endif -%}
     by users                                                                                                                                    =0 break
 #