diff --git a/Makefile.in b/Makefile.in
index c97be4c..c5b9719 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,72 +1,76 @@ SHELL = /bin/bash prefix ?= @prefix@ listen_on_ip ?= @listen_on_ip@ hostname ?= @hostname@ -port ?= 1389 +ldaps_port ?= 1390 +ldap_port ?= 1389 debug ?= loglevel ?= stats conns dbname = @dbname@ dbinit = @dbinit@ slapd = @slapd@ slapadd = @slapadd@ slapcat = @slapcat@ srcdir = $(PWD) .PHONY: stop start pristine clean status dump clean: stop + @echo "Tearing down installation in $(prefix)." @-rm -rf $(prefix) pristine: clean @-rm Makefile *.ldif configure config.* slapd.conf @-rm -rf autom4te.cache - @echo "installation in $(prefix) cleaned." + @echo "Back at pristine state. Run 'autoconf && ./configure' to build the Makefile." start: init @[[ ! -f $(prefix)/run/slapd.pid ]] \ && ( \ if [[ -n "$(debug)" ]]; then \ for opt in $(loglevel); do \ debug_opts="$${debug_opts} -d $${opt}"; \ done; \ else \ debug_opts=""; \ fi \ && cd $(prefix) \ - && $(slapd) $${debug_opts} -h 'ldap://$(listen_on_ip):$(port)' -f ./slapd.conf \ - && echo "slapd installation in $(prefix) started on port $(port)." \ + && $(slapd) $${debug_opts} -h 'ldaps://$(listen_on_ip):$(ldaps_port) ldap://$(listen_on_ip):$(ldap_port)' -f ./slapd.conf \ + && echo "slapd installation in $(prefix) started ldap listener on port $(ldap_port) and ldaps listener on $(ldaps_port)." \ || echo "slapd can't start." ) dump: @@[[ -d $(prefix)/db/$(dbname) ]] && cd $(prefix) && $(slapcat) -o ldif-wrap=no -f ./slapd.conf stop: @[[ -f $(prefix)/run/slapd.pid ]] && kill -TERM $$(< $(prefix)/run/slapd.pid) \ - && echo "slapd installation in $(prefix) stopped." \ - || echo "no slapd process found." + && echo "Slapd installation in $(prefix) stopped." \ + || echo "No slapd process found." status: @[[ -f $(prefix)/run/slapd.pid ]] \ - && echo "slapd installation in $(prefix) running, pid $$(< $(prefix)/run/slapd.pid)." \ - || echo "no slapd process detected." + && echo "Slapd installation in $(prefix) running, pidfile found, pid $$(< $(prefix)/run/slapd.pid)." \ + || echo "No slapd process detected." 
$(prefix): @mkdir -p $(prefix) $(prefix)/server.pem: | $(prefix) + @echo "Generating certificate for $(hostname) and $(listen_on_ip)" @ALTNAME="DNS:$(hostname),IP:$(listen_on_ip)" openssl req -new -x509 -sha1 -nodes \ -subj "/CN=IE/ST=Leinster/L=Dublin/O=Playground/OU=Operations/CN=$(listen_on_ip)/emailAddress=$(hostname)" \ -config ./openssl.cnf -extensions v3_req -days 90 \ - -keyout $(prefix)/server.pem -out $(prefix)/server.pem + -keyout $(prefix)/server.pem -out $(prefix)/server.pem 2>/dev/null && echo "Done." || echo "Failed." cert: $(prefix)/server.pem init: cert | $(prefix) - @echo "setting up $(slapd) in $(prefix) on port $(port)." + @echo "setting up $(slapd) in $(prefix) to run on ldap://$(listen_on_ip):$(ldap_port) and ldaps://$(listen_on_ip):$(ldaps_port)." @-mkdir -p $(prefix)/db @-mkdir -p $(prefix)/run + @cp $(srcdir)/dh8192param $(prefix) @cp -a $(srcdir)/schema $(prefix) @[[ -f $(prefix)/slapd.conf ]] || cp slapd.conf $(prefix)/slapd.conf @[[ -d $(prefix)/db/$(dbname) ]] || mkdir -p $(prefix)/db/$(dbname) - @[[ -f $(prefix)/db/$(dbname)/lock.mdb ]] || (cd $(prefix) && $(slapadd) -n 2 -f ./slapd.conf < $(srcdir)/$(dbinit)) + @[[ -f $(prefix)/db/$(dbname)/lock.mdb ]] || (cd $(prefix) && $(slapadd) -n 2 -f ./slapd.conf < $(srcdir)/$(dbinit) 2>/dev/null)
diff --git a/dh8192param b/dh8192param
new file mode 100644
index 0000000..c57e61f
--- /dev/null
+++ b/dh8192param
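Review bot: The rewritten `-keyout`/`-out` line of the `$(prefix)/server.pem` recipe ends in `|| echo "Failed."`, so a failing `openssl req` still exits 0, `init` and `start` carry on without a usable key and certificate, and `2>/dev/null` has already discarded the only diagnostic; the `slapadd` line added at the end of `init` hides stderr the same way, though there the exit status still propagates. Make the certificate step fatal, e.g. `-keyout $(prefix)/server.pem -out $(prefix)/server.pem 2>/dev/null && echo "Done." || { echo "Failed." >&2; exit 1; }`, and add `.DELETE_ON_ERROR:` near the top of the file so a partially written server.pem is not left looking up to date. That one file holds the private key and is also what slapd.conf.in names as `TLSCACertificateFile`; whether `openssl req -keyout` restricts its mode is not visible here, so a `chmod 600 $(prefix)/server.pem` after generation would make the intent explicit. The pre-existing `|| echo "slapd can't start."` in `start` has the same shape and would benefit from the same treatment.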
@@ -0,0 +1,24 @@ +-----BEGIN DH PARAMETERS----- +MIIECAKCBAEAyEkKu0SKzJ0tsPTryyUVbNItkVWB61RjZvG5WU5lMv5x/bbSKw8c +yFiH5FfV9iVxtDwXlpiKSK5nkB1/loo4BCRjBFDZgpsHEAcmzgknyGZ9NpQV3CUU +U02q9qKXqjt/blm0b2hh5QXRoMBCPxHOH/awY1/K/nIegQAUabWwbOyGv7/zb3I5 +8Z5GplJUQ01/7x6bRbqSjWni388467RYPLkoXFMSMHob48rBvVA06oxdbbamN+gK +9bwGqy+zCYV56FBO63mUERtEblpoOg01T35r7ubsbbgRSeDDvXVMRRYYJIr5DRho +OHaxL8R+VCXWFFCYpA5p3XZkZMka7hEJoOuSolJtOQFoDVMhpFx0MRQ+92e8bWFQ +9JXMBidWxMpyO8dSQR8IvdbtNbDpVHcOXC0a8E5xIJz043GeuKwoOCfJsMdWju4u +KGcs6LKmw92IGNCPioiYaMpULmodcUAOtw2u4bDSaaGM3ufwu/WifD+who+GzH2o +BizVyxedrktEnJowYv1O2hl3iQgxiw/YmsoF8K2ctzIE4fQGT0OC1+/MojDphDIe +uf/okAVT7+cswOEn3U40rrvsXKBr/rLY4oFG8nLPBu7iTUU7neaEy6ypnca5VUNT +3x1bCyKeLBxQYrx0MHBs8h7WTAPotUBg1XexJ66mvj1uEA45FbhXEh9W8+aUE3ca +7rI3So99wRQdKezLPp7VlGIkmi/Tu43lrLXWm/wTIuOR6qlFtakDVabb0x77uEav +p1KXuAh1H47G2R7m/xLQMWGS2dN/rlWoUS9crTOSSQlfVlR91UTY8O65XXKL57tP +JqXga13GKH/ntkwn9yUyy5nSjcbfyGUMs3VwVpTtYaNpBtGOCbWTX4TJZXdELiL4 +GrEPNncEGZVtXoKbKKgBjkunpiD8Wb8IXf6d5/iSI+mfC2DhHQEbrb8jLJdMlebo +XSfpnomzHh1marSNkvUwGKwSSDO5oKbrMa0BSMOXlT4jxaY7zi/vVOmLGqiD0wXV +mncHzSZXVZf/ep7Mi9bbzsmS8GrbBM42UNZhVNf70UsrrZkk3EGevdBxBzEzMklW +rRlmJOCubGxqq0+WrOt2PIeEVc5N2B39JjQsj8ugIZgjGHcMZ97NOaX4KG1TnE2r +zp5q/mMOEQ9eQ42uu6Y/X9DO0k0hLuNMBJV/r4fd9VBTgVRwaHAOrjo62qtbXRT4 +BlahrH+7HOo6cVHiXJs1t0dCCQgpVAyuAZ8OxcM4g0xavvI75fOPM6340kdqZQeQ +WR02QYLhUPJ2xlZdzsDnPqsVSIF3ziMSs1t2G2QNwNyk+vBvX39vUJn/2GcdxV12 +IZt8Up58IKoyRJ8f5CkUG7/bSFyg+YoXIwIBAg== +-----END DH PARAMETERS-----
diff --git a/slapd.conf.in b/slapd.conf.in
index 4068c64..897d6bf 100644
--- a/slapd.conf.in
+++ b/slapd.conf.in
@@ -1,120 +1,123 @@ # Schema and objectClass definitions include ./schema/core.schema include ./schema/cosine.schema include ./schema/inetorgperson.schema include ./schema/rfc2307bis.schema include ./schema/freeradius.schema include ./schema/uidnext.schema # local extensions include ./schema/openssh-lpk.schema include ./schema/sudo.schema # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile ./run/slapd.pid # List of arguments that were passed to the server argsfile ./slapd.args # Read slapd.conf(5) for possible values loglevel stats config acl # Where the dynamically loaded modules are stored # modulepath /usr/lib/ldap/ @hdb_module_prefix@moduleload back_hdb moduleload back_mdb moduleload back_monitor moduleload syncprov # The maximum number of entries that is returned for a search operation sizelimit 50000 # TLS -# TLSCipherSuite TLSv1:SSLv3:SSLv2:-MEDIUM:-LOW +# TLSCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256 +TLSCipherSuite 
DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:AES256-GCM-SHA384:AES256-SHA256:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256 + TLSCACertificateFile ./server.pem TLSCertificateFile ./server.pem TLSCertificateKeyFile ./server.pem +TLSDHParamFile ./dh8192param TLSVerifyClient allow security @security_factors@ # for indexing. tool-threads 1 # close idle connections after 30s, wait for writes indefinitely idletimeout 120 writetimeout 0 gentlehup on # limit the connection queue for anon and authenticated connections conn_max_pending 200 conn_max_pending_auth 1000 # Generic ACLs access to * by * write access to dn.base="" by * read # Monitoring DB database monitor rootdn "cn=monitoring,cn=Monitor" rootpw "jablonka" access to dn.subtree="cn=Monitor" by dn.exact="cn=ldap-monitor,ou=services,ou=accounts,dc=@dbname@,dc=tree" write by * none # Configuration for database @dbname@ database mdb suffix "dc=@dbname@,dc=tree" directory "./db/@dbname@" rootdn "cn=root,dc=@dbname@,dc=tree" rootpw "jablonka" index objectClass eq index cn pres,sub,eq index sn pres,sub,eq index ou pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index default sub index uidNumber eq index gidNumber eq index memberUid eq index uniqueMember eq index dc eq index sudoUser,sudoHost eq index mail,givenName,gecos eq,sub index entryCSN,entryUUID eq index contextCSN eq limits dn="cn=root,dc=@dbname@,dc=tree" size=unlimited time=unlimited limits dn="cn=admin,dc=@dbname@,dc=tree" size=unlimited time=unlimited lastmod on checkpoint 512 30 access to attrs=userPassword by dn="cn=ACL Quality Checker,dc=@dbname@,dc=tree" write by dn="cn=admin,dc=@dbname@,dc=tree" write by anonymous auth by self 
write by * none access to attrs=loginShell,shadowLastChange,userCertificate,sshPublicKey,mail,photo,jpegPhoto by dn="cn=ACL Quality Checker,dc=@dbname@,dc=tree" write by dn="cn=admin,dc=@dbname@,dc=tree" write by self write by * read access to dn.subtree="dc=@dbname@,dc=tree" by dn="cn=ACL Quality Checker,dc=@dbname@,dc=tree" write by dn="cn=admin,dc=@dbname@,dc=tree" write by * read
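Review bot: The new `TLSCipherSuite` value keeps the static-RSA suites (`AES256-GCM-SHA384`, `AES256-SHA256`, `AES128-GCM-SHA256`, `AES128-SHA256`) and the static-DH `DH-RSA-*`/`DH-DSS-*` suites while dropping every `ECDHE-` suite the commented-out line above it still lists, so a client that does not pick a `DHE-` suite gets no forward secrecy, one that does pays for a DH exchange of the size implied by the new `dh8192param` file on every handshake, and the static-DH entries cannot be served by the RSA certificate `openssl req` produces by default. Consider limiting the list to `DHE-` suites, restoring `ECDHE-` ones where the build supports them, and adding a comment stating why non-PFS suites are or are not offered. These are OpenSSL-style names; if the configured `@slapd@` is linked against GnuTLS this directive takes a GnuTLS priority string instead, which deserves a note beside the line. On this page the directive also appears split, with `TLSCipherSuite` on one line and the list on the next; if that is the committed form rather than an artifact of this view, the directive has no argument and the list becomes an unknown keyword, so check the file itself.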