From 7249ebbf9237afe6cccb6069d8c910b4a5975cdf Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 19 May 2020 06:11:29 +0200
Subject: LDAP: Update role to Debian Buster.

---
 roles/LDAP-provider/tasks/main.yml | 3 +++
 roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index af46c51..9bc227e 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -4,6 +4,9 @@
 target=etc/ldap/syncprov.ldif
 local=file
 
+## XXX should be /etc/sasl2/slapd.conf ideally, but it doesn't work with
+## Stretch, cf #211156 and #798462:
+## ldapsearch -LLLx -H ldapi:// -b "" -s base supportedSASLMechanisms
 - name: Enable the EXTERNAL SASL mechanism
 lineinfile: dest=/usr/lib/sasl2/slapd.conf
 regexp='^mech_list{{':'}}'
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index a154e29..1be00cb 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -17,8 +17,8 @@ dn: cn=config
 objectClass: olcGlobal
 cn: config
-olcArgsFile: /var/run/slapd/slapd.args
-olcPidFile: /var/run/slapd/slapd.pid
+olcArgsFile: /run/slapd/slapd.args
+olcPidFile: /run/slapd/slapd.pid
 olcLogLevel: none
 olcToolThreads: 1
 {% if ansible_processor_vcpus > 4 %}
@@ -39,6 +39,7 @@ olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$" "dn.exact:$1,dc=fripost,dc=org"
 olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
 olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1
+olcTLSDHParamFile: /etc/ssl/dhparams.pem
 {% endif %}
 olcLocalSSF: 128
 # /!\ This is not portable! But we only use glibc's crypt(3), which
-- 
cgit v1.2.3
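Review bot: The added comment justifies keeping `/usr/lib/sasl2/slapd.conf` by a Stretch-era bug, but the commit's subject is the move to Buster, and nothing in the hunk records whether `/etc/sasl2/slapd.conf` was retried there — a later maintainer cannot tell whether this workaround is still required or is now dead weight. I would extend the first comment line to record the Buster result explicitly, e.g. `## XXX should be /etc/sasl2/slapd.conf ideally, but it doesn't work with Stretch (status on Buster: <re-check>), cf #211156 and #798462:`. Because the file lives under /usr/lib, which is package-managed rather than an admin configuration location, a short note that a libsasl2 upgrade may replace or drop it, and that the `ldapsearch … supportedSASLMechanisms` command given should be rerun after upgrades, would also help. The `lineinfile` task continues past the hunk (its `line=` argument is outside the visible lines), so the resulting mech_list value cannot be checked here.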
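Review bot: `olcTLSDHParamFile: /etc/ssl/dhparams.pem` is added without anything in this commit showing where that file comes from or how large the group in it is; if the path is absent on a host when slapd starts, TLS initialisation will most likely fail, and a group smaller than 2048 bits would undercut the PFS-only cipher string on the preceding `olcTLSCipherSuite` line. I would add a comment directly above the new line naming the task that provisions the file and the minimum size, e.g. `# DHE group for the PFS suites above; must be >= 2048 bits and deployed before slapd starts (generated by <role/task>)`. The new line also sits inside a `{% if %}` block whose opening is outside the hunk, so whether the DH file is deployed under the same condition as this template branch cannot be verified from these lines.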