From 84b0e246987f1d72d0b7bcc3f6f9665c97e8e009 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 8 Jul 2014 07:02:56 +0200
Subject: Fix client verification policy.

---
 roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'roles/common-LDAP')

diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index f633692..9df56f7 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -32,8 +32,12 @@ olcThreads: 8
 {% if 'LDAP-provider' in group_names %}
 olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem
 olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
+# If we are being offered a client cert, it has to be trusted (in which
+# case we map the X.509 subject to a DN in our namespace), or we
+# terminate the connection. Not providing a certificate is fine for
+# TLS-protected simple binds, though.
+olcTLSVerifyClient: try
 olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
-olcTLSVerifyClient: allow
 olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$" "$1,dc=fripost,dc=org"
 olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
-- 
cgit v1.2.3
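Review bot: The new comment above `olcTLSVerifyClient: try` overstates what happens to a trusted certificate: only subjects matching the `olcAuthzRegexp` two lines below (`cn=…,ou=syncRepl,ou=LDAP,ou=SSLcerts,o=Fripost`) are rewritten into `dc=fripost,dc=org`, while, as far as OpenLDAP's SASL EXTERNAL handling goes, any other certificate chaining to a CA in `clients.pem` still authenticates with its raw subject as the authcDN, so the second comment line should read `# case a syncRepl subject is mapped to a DN in our namespace by the olcAuthzRegexp below), or we`. Because `cn=[^,]+` accepts any cn, the trust boundary is whichever CAs `clients.pem` contains; a one-line comment next to `olcTLSCACertificateFile` stating that it must hold only the private CA issuing syncRepl certificates, never a public CA, would make that explicit. `try` also keeps accepting a trusted-but-revoked replica certificate unless revocation checking is configured; if it is not set elsewhere in the template, consider adding `olcTLSCRLFile` (GnuTLS backend) or `olcTLSCRLCheck: peer` (OpenSSL backend) beside the CA file. The `{% if 'LDAP-provider' in group_names %}` block opened at the top of the hunk closes outside it.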