summaryrefslogtreecommitdiffstats
path: root/roles/common-LDAP/tasks/main.yml
Commit message (Collapse)AuthorAgeFiles
* Upgrade the LDAP config to Jessie.Guilhem Moulin2015-06-071
|
* Key usage 'keyCertSign' is required for self-signed certificates.Guilhem Moulin2015-06-071
|
* Make the Ansible LDAP plugin able to delete entries and attributes.Guilhem Moulin2015-06-071
| | | | | Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on the 'config' database.
* Fix race condition when generating cerificates for slapd.Guilhem Moulin2015-06-071
| | | | | The SyncProv won't start if the file olcTLSCACertificateFile points to doesn't exist.
* Remove o=mailHosting from the LDAP directory suffix.Guilhem Moulin2015-06-071
| | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand).
* Configure SyncRepl (OpenLDAP replication) and related ACLs.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | | | | The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
* Enable zero-copy updates to the LDAP directory.Guilhem Moulin2015-06-071
|
* Add XXX comments for ad hoc fixes for some known bugs.Guilhem Moulin2015-06-071
| | | | (To be removed when the fix enters stable.)
* wibbleGuilhem Moulin2015-06-071
|
* Configure the content filter.Guilhem Moulin2015-06-071
| | | | | | | | | | | Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new. Each user has his/her amavis preferences, and own Bayes filter (to maximize privacy). One question remains, though: how to set spamassassin's trusted_networks / internal_networks / msa_networks? It seems not obivious to get it write with IPSec and dynamic IPs. (Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
* Configure the LDAP provider.Guilhem Moulin2015-06-071
| | | | (Hence the SyncProv overlay.)
* LDAP Sync Replication.Guilhem Moulin2015-06-071
|
* Provision /etc/default/slapdGuilhem Moulin2015-06-071
| | | | | | | This is because the UNIX domain socket to connect to when performing LDAP lookups needs to be in the chroot. Also, don't open a INET socket unless we're a Sync Provider.
* Reorganization.Guilhem Moulin2015-06-071