From 6b7ad809bbefc32216bac22547241ed402a570c8 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 8 Sep 2024 20:30:20 +0200
Subject: LDAP: Rotate soon-to-be expired key material.

Also, switch from rsa4096 to ed25519 and use a separate key for each syncrepl.
---
 roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'roles/common-LDAP/templates/etc/ldap/database.ldif.j2')

diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 2c0db0b..a0ac705 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -34,7 +34,7 @@ olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
 # terminate the connection. Not providing a certificate is fine for
 # TLS-protected simple binds, though.
 olcTLSVerifyClient: try
-olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
+olcTLSCACertificateFile: /etc/ldap/ssl/syncrepl.pem
 olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$" "dn.exact:$1,dc=fripost,dc=org"
 olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
--
cgit v1.2.3
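Review bot: The new olcTLSCACertificateFile value narrows the set of trusted client certificates to whatever is in syncrepl.pem, but nothing in the template records that; a comment above the changed line such as `# Trust anchors for the per-replica syncrepl client certificates only (mapped to DNs by olcAuthzRegexp below); rotate together with the syncrepl key material.` would make the intent and the rotation coupling explicit. Because olcTLSVerifyClient is `try`, a client that still presents a certificate chaining to the old clients.pem bundle will be disconnected rather than falling back to a simple bind, so any non-syncrepl client that relied on the previous bundle and the olcAuthzRegexp mapping would break — worth confirming none exist before rolling this out. The olcAuthzRegexp itself is unchanged and accepts any `cn` under ou=syncRepl, so the effective authorization boundary is now entirely the contents of syncrepl.pem; presumably the task that installs that file runs before slapd picks up this template, but that ordering is not visible in this hunk.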