From 045fa507650563cc52afc85e5b23c5af47b3db6e Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Thu, 11 Dec 2014 21:27:25 +0200
Subject: [PATCH] ldap: Disable SSLv3 and add list of ciphers to ldap::server.

---
 ldap/manifests/init.pp | 1 +
 ldap/templates/slapd.conf.erb | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/ldap/manifests/init.pp b/ldap/manifests/init.pp
index fdbba6e..4d9d2e2 100644
--- a/ldap/manifests/init.pp
+++ b/ldap/manifests/init.pp
@@ -354,6 +354,7 @@ class ldap::client::ruby {
 class ldap::server {
 require ssl
+ include ssl::ciphersuites
 if !$ldap_server_key {
 $ldap_server_key = "${puppet_ssldir}/private_keys/${homename}.pem"
diff --git a/ldap/templates/slapd.conf.erb b/ldap/templates/slapd.conf.erb
index 7c1d95e..e553500 100644
--- a/ldap/templates/slapd.conf.erb
+++ b/ldap/templates/slapd.conf.erb
@@ -43,6 +43,8 @@ TLSCertificateFile <%= scope.lookupvar('ssl::certs') %>/slapd.crt
 TLSCertificateKeyFile <%= scope.lookupvar('ssl::private') %>/slapd.key
 TLSCACertificatePath <%= scope.lookupvar('ldap::server::config') %>/cacerts
 TLSVerifyClient try
+TLSCipherSuite <%= scope.lookupvar('ssl::ciphersuites::default_ciphersuites') %>
+TLSProtocolMin 3.1
 # include database configs
 include <%= scope.lookupvar('ldap::server::config') %>/slapd.conf.d/database.conf
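Review bot: The new `include ssl::ciphersuites` only does its job if it is evaluated before the `file` resource that renders slapd.conf.erb, because the template reads `ssl::ciphersuites::default_ciphersuites` through `scope.lookupvar` and an unevaluated class yields an empty value, producing a bare `TLSCipherSuite` line; that file resource is outside the hunk, so I cannot confirm the order from here. Since the neighbouring line uses `require ssl`, a reader may also wonder why this one is `include`; a why-comment would settle both: `# evaluated here so the slapd.conf template can look up ssl::ciphersuites::default_ciphersuites`. The body of ldap::server continues past the end of the hunk.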
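Review bot: `TLSCipherSuite` expects the syntax of the TLS library slapd is linked against — an OpenSSL cipher list for OpenSSL builds, a GnuTLS priority string for GnuTLS builds (e.g. Debian's slapd) — so a `default_ciphersuites` value shared with other services may be rejected at slapd startup if it was written for the other library; the value is not visible here, so this is worth confirming and noting next to the directive. `TLSProtocolMin 3.1` does exclude SSLv3 as the subject states, but it still admits TLS 1.0 and 1.1; if the client population allows it, `TLSProtocolMin 3.3` (TLS 1.2) is the stronger floor. The `3.1` encoding is opaque to most readers, so I would add `# TLSProtocolMin 3.1 = TLS 1.0 (SSLv3 and older rejected); use 3.3 for a TLS 1.2-only floor` above it.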