| Commit message (Collapse) | Author | Age | Files |
| |
|
| |
|
|
|
|
| |
Using multigraphs instead.
|
|
|
|
|
| |
We don't use the provided 'slapd_' Munin plugin because it doesn't
support SASL binds.
|
|
|
|
|
| |
Using client-side data signing/encryption and wrapping inter-host
communication into stunnel.
|
| |
|
| |
|
| |
|
|
|
|
|
| |
Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on
the 'config' database.
|
|
|
|
|
| |
The SyncProv won't start if the file olcTLSCACertificateFile points to
doesn't exist.
|
|
|
|
|
|
| |
So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the
default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it
before hand).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The clients are identified using their certificate, and connect securely
to the SyncProv.
There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
- Authentication (XXX: strong authentication) is required prior to any DIT
operation (see 'olcRequires').
- We force a Security Strength Factor of 128 or above for all operations (see
'olcSecurity'), meaning one must use either a local connection (eg,
ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
least 128 bits of security.
- XXX: Services may not simple bind other than locally on a ldapi:// socket.
If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
socket whenever possible (if the service itself supports SASL binds).
If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
socket, and their identity should be derived from the CN of the client
certificate only (hence services may not simple bind).
- Admins have restrictions similar to that of the services.
- User access is only restricted by our global 'olcSecurity' attribute.
|
| |
|
|
|
|
| |
(To be removed when the fix enters stable.)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Antispam & antivirus, using ClamAV and SpamAssassin through Amavisd-new.
Each user has his/her amavis preferences, and own Bayes filter (to
maximize privacy).
One question remains, though: how to set spamassassin's trusted_networks
/ internal_networks / msa_networks? It seems not obivious to get it
write with IPSec and dynamic IPs.
(Cf. https://wiki.apache.org/spamassassin/AwlWrongWay)
|
|
|
|
| |
(Hence the SyncProv overlay.)
|
| |
|
|
|
|
|
|
|
| |
This is because the UNIX domain socket to connect to when performing
LDAP lookups needs to be in the chroot.
Also, don't open a INET socket unless we're a Sync Provider.
|
|
|