From e21753a7c86bcf0a1a63a517a6bb1843358b2986 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Tue, 30 Mar 2021 14:20:46 +0000
Subject: [PATCH] ldap/server: Tighten LDAP TLS settings
---
 roles/ldap/server/meta/main.yml | 1 +
 roles/ldap/server/templates/slapd.conf.j2 | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/roles/ldap/server/meta/main.yml b/roles/ldap/server/meta/main.yml
index 700faae..9575393 100644
--- a/roles/ldap/server/meta/main.yml
+++ b/roles/ldap/server/meta/main.yml
@@ -1,6 +1,7 @@
 ---
 dependencies:
+  - {role: dhparams}
   - {role: kerberos/client}
   - {role: ldap/client}
   - {role: saslauthd}
diff --git a/roles/ldap/server/templates/slapd.conf.j2 b/roles/ldap/server/templates/slapd.conf.j2
index 9ce4c21..e2466cc 100644
--- a/roles/ldap/server/templates/slapd.conf.j2
+++ b/roles/ldap/server/templates/slapd.conf.j2
@@ -45,9 +45,10 @@ moduleload constraint.la
 TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
 TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key
 TLSCACertificatePath /etc/openldap/certs
+TLSDHParamFile {{ tls_certs }}/ffdhe3072.pem
 TLSVerifyClient try
 TLSECName prime256v1
-TLSCipherSuite {{ tls_ciphers }}
+TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 TLSProtocolMin 3.3
 # force hostname to get kerberos working correctly behind proxies
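Review bot: The new TLSCipherSuite line in slapd.conf.j2 pins an OpenSSL-syntax cipher list directly in the template and drops the shared `tls_ciphers` variable, so this role can no longer be tuned together with the other services and the value only parses if slapd is linked against OpenSSL (GnuTLS and NSS builds of slapd expect a different syntax; which library this host's slapd uses is not visible here). Keeping the indirection with a role-scoped default, e.g. `TLSCipherSuite {{ ldap_tls_ciphers }}` with this list as the value in the role's defaults (variable name illustrative), preserves the tightening without hard-wiring it into the template. The added TLSDHParamFile line silently couples the template to a file the dhparams role newly listed in meta/main.yml is presumably expected to create; a comment such as `# ffdhe3072.pem is provisioned by the dhparams role (see meta/main.yml)` above that line would make the dependency explicit. As far as I know, under OpenSSL 1.1.1+ this directive governs only the TLS 1.2 cipher list, so TLS 1.3 suites stay at the library defaults alongside the TLSProtocolMin 3.3 floor shown in context, which is worth stating in the commit message if that is the intended scope.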