1 files changed, 11 insertions, 15 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index ff46178..b2981b3 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -1,95 +1,91 @@
 # Fripost's LDAP database definition
 # Copyright (c) 2013-2014 Guilhem Moulin <guilhem@fripost.org>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-# There are a couple of XXX in this file, due to Postfix not supporting
-# SASL binds in Wheezy.
-
 dn: cn=config
 objectClass: olcGlobal
 cn: config
 olcArgsFile: /var/run/slapd/slapd.args
 olcPidFile: /var/run/slapd/slapd.pid
 olcLogLevel: none
 olcToolThreads: 1
 {% if ansible_processor_vcpus > 4 %}
 olcThreads: {{ 2 * ansible_processor_vcpus }}
 {% else %}
 olcThreads: 8
 {% endif %}
 {% if 'LDAP-provider' in group_names %}
 olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem
 olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
 # If we are being offered a client cert, it has to be trusted (in which
 # case we map the X.509 subject to a DN in our namespace), or we
 # terminate the connection.  Not providing a certificate is fine for
 # TLS-protected simple binds, though.
 olcTLSVerifyClient: try
 olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
 olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
                 "$1,dc=fripost,dc=org"
 olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
-olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM
+olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1
 {% endif %}
 olcLocalSSF: 128
 # /!\ This is not portable! But we only use glibc's crypt(3), which
 # supports (salted, streched) SHA512
 olcPasswordHash: {CRYPT}
 olcPasswordCryptSaltFormat: $6$%s
 
 
 dn: olcDatabase=mdb,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcMdbConfig
 olcDbDirectory: /var/lib/ldap
 olcSuffix: dc=fripost,dc=org
 {% if 'LDAP-provider' not in group_names and 'MX' in group_names %}
 olcReadOnly: TRUE
 {% endif %}
 {% if 'LDAP-provider' in group_names %}
 olcLastMod: TRUE
 olcDbCheckpoint: 512 15
 {% else %}
 olcLastMod: FALSE
 {% endif %}
 # The root user has all rights on the whole database (when SASL-binding
 # on a UNIX socket).
 olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 # Ensure that all DIT access is made according to the LDAPv3 protocol,
 # and must use 1/ authentication, and 2/ SASL or TLS.  (Local clients
 # should use ldapi:// and SASL/EXERNAL, while remote clients should use
 # TLS.)
-# XXX: olcRequires: none LDAPv3 authc strong
-olcRequires: none LDAPv3 authc
+olcRequires: none LDAPv3 authc strong
 olcSecurity: simple_bind=128 ssf=128 update_ssf=128
 #
 #
 ########################################################################
 # Performance considerations
 #
 # To reindex an existing database, you have to
 #  * Stop slapd     sudo service slapd stop
 #  * Reindex        sudo -u openldap slapindex -b 'dc=fripost,dc=org'
 #  * Restart slapd  sudo service slapd start
 #
 olcDbIndex: objectClass eq
 # Let us make Postfix's life easier.
 {% if 'LDAP-provider' in group_names %}
 olcDbIndex: fvd,fvl eq,sub
 olcDbIndex: fripostIsStatusActive eq
 {% elif 'MX' in group_names or 'MDA' in group_names %}
 olcDbIndex: fripostIsStatusActive,fvd,fvl eq
 {% endif %}
 {% if 'LDAP-provider' in group_names %}
@@ -141,53 +137,53 @@ olcSyncrepl: rid=000
   attrs=objectClass,fvd,fvl,fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner,fripostUseContentFilter,fripostListManager
   scope=sub
   sizelimit=unlimited
   schemachecking=off
   bindmethod=sasl
   saslmech=external
   tls_cert=/etc/ldap/ssl/mx.pem
   tls_key=/etc/ldap/ssl/mx.key
   tls_cacert=/etc/ldap/ssl/ldap.fripost.org.pem
   tls_reqcert=hard
 {% endif %}
 #
 #
 ########################################################################
 # Access control
 # /!\ WARN: All modification to the ACL should be reflected to the test
 # /!\ suite as well!
 olcAddContentAcl: TRUE
 #
 # Overview:
-# - Authentication (XXX: strong authentication) is required prior to any DIT
-#   operation (see 'olcRequires').
+# - Strong authentication is required prior to any DIT operation (see
+#   'olcRequires').
 # - We force a Security Strength Factor of 128 or above for all operations (see
 #   'olcSecurity'), meaning one must use either a local connection (eg,
 #   ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
 #   least 128 bits of security.
-# - XXX: Services may not simple bind other than locally on a ldapi:// socket.
-#   If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
-#   socket whenever possible (if the service itself supports SASL binds).
-#   If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
-#   socket, and their identity should be derived from the Subject of the
-#   client certificate (the cert should be added to 'olcTLSCACertificateFile',
-#   and 'olcAuthzRegexp' should map the X.509 subject to the LDAP DN).
+# - Services should support SASL binds and use SASL/EXTERNAL on a
+#   ldapi:// socket.
+# - For (partial) remote replicates should use SASL/EXTERNAL on a
+#   ldaps:// socket, and their identity should be derived from the
+#   Subject of the client certificate (the cert should be added to
+#   'olcTLSCACertificateFile', and 'olcAuthzRegexp' should map the X.509
+#   subject to the LDAP DN).
 # - Admins have restrictions similar to that of the services.
 # - User access is only restricted by our global 'olcSecurity' attribute.
 #
 #
 # References:
 # - http://www.openldap.org/doc/admin24/access-control.html
 # - http://www.openldap.org/faq/data/cache/189.html
 # - http://www.openldap.org/faq/data/cache/1140.html
 # - http://www.openldap.org/faq/data/cache/1133.html
 # - man 5 slapd.access
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # User Passwords:
 #
 # * Anonymous users are allowed to simple bind through TLS-protected
 #   connections.
 # * Anonymous users are allowed to simple bind when connecting to a
 #   local ldapi:// socket (when using auth_binds, Dovecot delegates
 #   authentication to the LDAP server).
 # * Authenticated users are allowed to change (ie replace) their