ldap/server: Tighten LDAP TLS settings
This commit is contained in:
parent
6a5d6b4459
commit
e21753a7c8
2 changed files with 3 additions and 1 deletions
|
|
@ -1,6 +1,7 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
|
- {role: dhparams}
|
||||||
- {role: kerberos/client}
|
- {role: kerberos/client}
|
||||||
- {role: ldap/client}
|
- {role: ldap/client}
|
||||||
- {role: saslauthd}
|
- {role: saslauthd}
|
||||||
|
|
|
||||||
|
|
@ -45,9 +45,10 @@ moduleload constraint.la
|
||||||
TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
|
TLSCertificateFile {{ tls_certs }}/{{ ldap_server_cert }}.crt
|
||||||
TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key
|
TLSCertificateKeyFile {{ tls_private }}/{{ ldap_server_cert }}.key
|
||||||
TLSCACertificatePath /etc/openldap/certs
|
TLSCACertificatePath /etc/openldap/certs
|
||||||
|
TLSDHParamFile {{ tls_certs }}/ffdhe3072.pem
|
||||||
TLSVerifyClient try
|
TLSVerifyClient try
|
||||||
TLSECName prime256v1
|
TLSECName prime256v1
|
||||||
TLSCipherSuite {{ tls_ciphers }}
|
TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
TLSProtocolMin 3.3
|
TLSProtocolMin 3.3
|
||||||
|
|
||||||
# force hostname to get kerberos working correctly behind proxies
|
# force hostname to get kerberos working correctly behind proxies
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue