ldap/server: Tighten LDAP TLS settings

2021-03-30 14:20:46 +00:00 · 2021-03-30 14:20:46 +00:00 · e21753a7c8
commit e21753a7c8
parent 6a5d6b4459
2 changed files with 3 additions and 1 deletions
--- a/roles/ldap/server/meta/main.yml
+++ b/roles/ldap/server/meta/main.yml
@ -1,6 +1,7 @@
 ---

 dependencies:
+  - {role: dhparams}
  - {role: kerberos/client}
  - {role: ldap/client}
  - {role: saslauthd}
--- a/roles/ldap/server/templates/slapd.conf.j2
+++ b/roles/ldap/server/templates/slapd.conf.j2
@ -45,9 +45,10 @@ moduleload constraint.la
 TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
 TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key
 TLSCACertificatePath /etc/openldap/certs
+TLSDHParamFile {{ tls_certs }}/ffdhe3072.pem
 TLSVerifyClient try
 TLSECName prime256v1
-TLSCipherSuite {{ tls_ciphers }}
+TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 TLSProtocolMin 3.3

 # force hostname to get kerberos working correctly behind proxies