From 334b7604727810c02ecb8942f3753dee15466691 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 14 May 2015 21:53:14 +0200
Subject: Upgrade the LDAP config to Jessie.
---
 lib/modules/openldap | 2 +-
 roles/LDAP-provider/files/etc/ldap/syncprov.ldif | 2 +-
 roles/LDAP-provider/tasks/main.yml | 1 +
 roles/common-LDAP/files/var/lib/ldap/DB_CONFIG | 20 --------------------
 roles/common-LDAP/tasks/main.yml | 6 ------
 .../common-LDAP/templates/etc/ldap/database.ldif.j2 | 19 ++++++++-----------
 6 files changed, 11 insertions(+), 39 deletions(-)
 delete mode 100644 roles/common-LDAP/files/var/lib/ldap/DB_CONFIG
diff --git a/lib/modules/openldap b/lib/modules/openldap
index 69ee4df..91e6a3c 100644
--- a/lib/modules/openldap
+++ b/lib/modules/openldap
@@ -50,7 +50,7 @@ indexedAttributes = frozenset([
 # entry.)
 indexedDN = {
 'olcSchemaConfig': [('cn', '{*}%s')],
- 'olcHdbConfig': [('olcDbDirectory', '%s' )],
+ 'olcMdbConfig': [('olcDbDirectory', '%s' )],
 'olcOverlayConfig': [('olcOverlay', '%s' )],
 }
 
diff --git a/roles/LDAP-provider/files/etc/ldap/syncprov.ldif b/roles/LDAP-provider/files/etc/ldap/syncprov.ldif
index 42f06a0..edb19c1 100644
--- a/roles/LDAP-provider/files/etc/ldap/syncprov.ldif
+++ b/roles/LDAP-provider/files/etc/ldap/syncprov.ldif
@@ -3,7 +3,7 @@
 # - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
 # - man 5 slapo-syncprov
 
-dn: olcOverlay=syncprov,olcDatabase={*}hdb,cn=config
+dn: olcOverlay=syncprov,olcDatabase={*}mdb,cn=config
 objectClass: olcOverlayConfig
 objectClass: olcSyncProvConfig
 olcOverlay: syncprov
diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index fa212a0..3f7f29f 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -8,6 +8,7 @@
 lineinfile: dest=/usr/lib/sasl2/slapd.conf regexp='^mech_list'':' line=mech_list':'' EXTERNAL' + create=yes owner=root group=root mode=0644
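Review bot: Replacing the `'olcHdbConfig'` key with `'olcMdbConfig'` in `indexedDN` drops the lookup for the hdb database entry, so on a host whose cn=config still carries an `olcDatabase={n}hdb` entry (a Wheezy provider or consumer not yet converted) the module presumably can no longer resolve that DN; how much that matters depends on how `indexedDN` is consumed, which is outside the hunk. If the playbook is expected to run against mixed Wheezy/Jessie hosts during the migration, keep both keys by leaving `'olcHdbConfig': [('olcDbDirectory', '%s' )],` next to the new `'olcMdbConfig'` line, and drop the hdb key once every host is converted. The dict is complete within the hunk.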
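Review bot: The new `create=yes` makes the task write `/usr/lib/sasl2/slapd.conf` from scratch when the file is absent, but nothing records why the file is now expected to be missing on Jessie, and a play that creates it at a path the Jessie slapd may no longer consult would keep reporting success while the `mech_list: EXTERNAL` restriction silently stops applying. Add a comment above the task stating why the file has to be created on Jessie, and confirm against the Jessie slapd that this path is still the one its SASL library reads. The enclosing task starts before the hunk.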
diff --git a/roles/common-LDAP/files/var/lib/ldap/DB_CONFIG b/roles/common-LDAP/files/var/lib/ldap/DB_CONFIG
deleted file mode 100644
index 07738c2..0000000
--- a/roles/common-LDAP/files/var/lib/ldap/DB_CONFIG
+++ /dev/null
@@ -1,20 +0,0 @@
-# It may be a good idea to modify this file, depending on the output of
-#
-# db_stat -mh /var/lib/ldap | head -16
-#
-# (For optimal performance, the Requested pages found in the cache
-# should be above 95%, and the dirty/clean pages forced from the cache
-# should be 0.)
-#
-# and
-#
-# db_stat -ch /var/lib/ldap | head -16
-#
-# (For optimal performance, usage should be within 85% of the configured
-# values.)
-#
-# 5MB cachesize
-set_cachesize 0 5242880 0
-set_lk_max_objects 1500
-set_lk_max_locks 1500
-set_lk_max_lockers 1500
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 60ccc76..5c15cc8 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -18,12 +18,6 @@
 notify:
 - Restart slapd
 
-- name: Copy DB_CONFIG
- copy: src=var/lib/ldap/DB_CONFIG
- dest=/var/lib/ldap/DB_CONFIG
- owner=openldap group=openldap
- mode=0644
-
 - name: Create directory /etc/ldap/ssl
 file: path=/etc/ldap/ssl
 state=directory
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index e19d182..48758be 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -41,9 +41,7 @@ olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
 olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$" "$1,dc=fripost,dc=org"
 olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
-# XXX We would like to say 'PFS' here, but Wheezy'z GnuTLS (libgnutls26
-# 2.12.20-8+deb7u2) is too old :-( (Also, DHE/ECDHE are not supported.)
-olcTLSCipherSuite: SECURE128:!CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:!MD5
+olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM
 {% endif %}
 olcLocalSSF: 128
 # /!\ This is not portable! But we only use glibc's crypt(3), which
@@ -52,9 +50,9 @@ olcPasswordHash: {CRYPT}
 olcPasswordCryptSaltFormat: $6$%s
 
-dn: olcDatabase=hdb,cn=config
+dn: olcDatabase=mdb,cn=config
 objectClass: olcDatabaseConfig
-objectClass: olcHdbConfig
+objectClass: olcMdbConfig
 olcDbDirectory: /var/lib/ldap
 olcSuffix: dc=fripost,dc=org
 {% if 'LDAP-provider' not in group_names and ('MX' in group_names or 'lists' in group_names) %}
@@ -66,11 +64,6 @@ olcDbCheckpoint: 512 15
 {% else %}
 olcLastMod: FALSE
 {% endif %}
-# See DB_CONFIG
-olcDbConfig: set_cachesize 0 5242880 0
-olcDbConfig: set_lk_max_objects 1500
-olcDbConfig: set_lk_max_locks 1500
-olcDbConfig: set_lk_max_lockers 1500
 # The root user has all rights on the whole database (when SASL-binding
 # on a UNIX socket).
 olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
@@ -233,7 +226,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,dc=fripost,dc=org)$"
 by realself tls_ssf=128 =w
 by group/FripostVirtualDomain/fripostPostmaster.expand="$1" tls_ssf=128 =w
 by dn.onelevel="ou=admins,dc=fripost,dc=org" tls_ssf=128 =w
- by dn.exact="username=guilhem,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =w
+ by group.exact="cn=admin,ou=groups,dc=fripost,dc=org" =w
 #
 # XXX
 # * Anonymous users are allowed to simple bind as Postfix, but only when
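Review bot: The removed lines explained why the old cipher list was chosen, but the new `olcTLSCipherSuite` value carries no comment, and its `!VERS-TLS1.0:!VERS-TLS1.1` and `!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM` terms restrict every TLS peer, syncrepl consumers included, to TLS 1.2 with AES-GCM and a PFS key exchange. A consumer still running the GnuTLS the old comment mentions would presumably fail the handshake and stop replicating rather than report a configuration problem, so the constraint deserves to be stated where it is set. Add a comment above the line, e.g. `# TLS 1.2 only, (EC)DHE key exchange, AES-GCM only: every client and syncrepl consumer must support these.`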
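Review bot: The new mdb database entry sets `olcDbDirectory` and `olcSuffix` but no `olcDbMaxSize`, unless that is set outside this hunk; slapd-mdb's default map size is small (the documented default is 10485760 bytes), and once the map is full the database rejects further writes instead of growing. Add an explicit size next to the directory, e.g. `olcDbMaxSize: <size-in-bytes>` (placeholder) sized for the expected directory, since it can be raised later but not set below the current data size. The backend also changes while `olcDbDirectory: /var/lib/ldap` stays the same, and the existing hdb files there are not readable by mdb, so a slapcat/slapadd or clean-directory step should exist elsewhere in the role; that is outside the diff. The entry continues past the hunk.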
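Review bot: The new `by group.exact="cn=admin,ou=groups,dc=fripost,dc=org" =w` clause carries no strength qualifier, while every other `by` clause in this rule requires `tls_ssf=128` and the clause it replaces was confined to the local `ldapi://` socket; as written, an admin-group member bound over an unprotected ldap:// connection would get write access to these entries, unless an `olcSecurity` setting outside the hunk already forbids that. The two `by group.exact` clauses added in the `@@ -269,6 +262,10 @@` hunk have the same gap. Prefer `by group.exact="cn=admin,ou=groups,dc=fripost,dc=org" ssf=128 =w`: the overall ssf is satisfied by TLS-protected connections and, via the `olcLocalSSF: 128` set earlier in this template, should also be satisfied by ldapi binds, so the previous local-socket admin path keeps working. The olcAccess rule starts before the hunk.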
@@ -269,6 +262,10 @@ olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
 olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org" attrs=entry,objectClass
 by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by group.exact="cn=admin,ou=groups,dc=fripost,dc=org" =wrsd
+ by users =0 break
+olcAccess: to dn.children="ou=virtual,dc=fripost,dc=org"
+ by group.exact="cn=admin,ou=groups,dc=fripost,dc=org" =wrsd
 by users =0 break
 {% endif -%}
 #
-- cgit v1.2.3