From 7c01a383fae4d84727d6a036d93117c761b98e10 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Mon, 7 Jul 2014 05:16:53 +0200
Subject: Configure SyncRepl (OpenLDAP replication) and related ACLs.

The clients are identified using their certificate, and connect securely
to the SyncProv.

There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT
    operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see
    'olcSecurity'), meaning one must use either a local connection (eg,
    ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
    least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket.
    If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
    socket whenever possible (if the service itself supports SASL binds).
    If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
    socket, and their identity should be derived from the CN of the client
    certificate only (hence services may not simple bind).
  - Admins have restrictions similar to that of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.
---
 lib/modules/openldap | 1 +
 1 file changed, 1 insertion(+)

(limited to 'lib/modules')

diff --git a/lib/modules/openldap b/lib/modules/openldap
index 3f6ea39..0f0bc9a 100644
--- a/lib/modules/openldap
+++ b/lib/modules/openldap
@@ -37,6 +37,7 @@ indexedAttributes = frozenset([
     'olcSyncrepl',
     'olcOverlay',
     'olcLimits',
+    'olcAuthzRegexp',
 ])
 
 
-- 
cgit v1.2.3