From 7c01a383fae4d84727d6a036d93117c761b98e10 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 7 Jul 2014 05:16:53 +0200 Subject: Configure SyncRepl (OpenLDAP replication) and related ACLs. The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute. --- roles/common/templates/etc/iptables/services.j2 | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'roles/common/templates/etc/iptables/services.j2') diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index f382ea3..4e78d1e 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -13,6 +13,11 @@ out udp 123 123 # NTP {% endif %} in tcp {{ ansible_ssh_port|default('22') }} # SSH +{% if 'LDAP-provider' in group_names %} +in tcp 636 # LDAPS +{% elif 'MX' in group_names or 'lists' in group_name %} +out tcp 636 # LDAPS +{% endif %} {% if 'MX' in group_names %} in tcp 25 # SMTP {% endif %} -- cgit v1.2.3