[PicaLDAP] Enforce TLS and remove default configuration

06a30935 · Quentin Duchemin · 808be55b · 06a30935
Verified Commit 06a30935 authored 4 years ago by Quentin Duchemin
--- a/pica-openldap/environment/pica.startup.yaml
+++ b/pica-openldap/environment/pica.startup.yaml
-# This is the default image startup configuration file
-# this file define environment variables used during the container **first start** in **startup files**.
-
-# This file is deleted right after startup files are processed for the first time,
-# after that all these values will not be available in the container environment.
-# This helps to keep your container configuration secret.
-# more information : https://github.com/osixia/docker-light-baseimage
+# See this page to know what variables can be used : https://github.com/osixia/docker-openldap#defaultstartupyaml
+# Here we only let the modified default variables

 # Required and used for new ldap server only
-LDAP_ORGANISATION: Picasoft 
+LDAP_ORGANISATION: Picasoft
 LDAP_DOMAIN: picasoft.net
 LDAP_BASE_DN: #if empty automatically set from LDAP_DOMAIN

 LDAP_ADMIN_PASSWORD: admin
-LDAP_CONFIG_PASSWORD: config

 LDAP_READONLY_USER: true
 LDAP_READONLY_USER_USERNAME: nss
-LDAP_READONLY_USER_PASSWORD: nss
-
-LDAP_RFC2307BIS_SCHEMA: false
-
-# Backend
-LDAP_BACKEND: mdb

-# Tls
+# TLS
 LDAP_TLS: true
 LDAP_TLS_CRT_FILENAME: cert.pem
 LDAP_TLS_KEY_FILENAME: privkey.pem
-LDAP_TLS_DH_PARAM_FILENAME: dhparam.pem
 LDAP_TLS_CA_CRT_FILENAME: chain.pem
-
-LDAP_TLS_ENFORCE: false
-LDAP_TLS_CIPHER_SUITE: SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC
+# Note 25/04 : This sets ssf to 128. Maybe it should set minssf to 128 instead to
+# reject any non-encryption connexion on port 389. Testing required.
+LDAP_TLS_ENFORCE: true
 LDAP_TLS_VERIFY_CLIENT: never

-# Replication
-LDAP_REPLICATION: false
-# variables $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD, $LDAP_CONFIG_PASSWORD
-# are automaticaly replaced at run time
-
-# if you want to add replication to an existing ldap
-# adapt LDAP_REPLICATION_CONFIG_SYNCPROV and LDAP_REPLICATION_DB_SYNCPROV to your configuration
-# avoid using $LDAP_BASE_DN, $LDAP_ADMIN_PASSWORD and $LDAP_CONFIG_PASSWORD variables
-LDAP_REPLICATION_CONFIG_SYNCPROV: binddn="cn=admin,cn=config" bindmethod=simple credentials="$LDAP_CONFIG_PASSWORD" searchbase="cn=config" type=refreshAndPersist retry="60 +" timeout=1 starttls=critical
-LDAP_REPLICATION_DB_SYNCPROV: binddn="cn=admin,$LDAP_BASE_DN" bindmethod=simple credentials="$LDAP_ADMIN_PASSWORD" searchbase="$LDAP_BASE_DN" type=refreshAndPersist interval=00:00:00:10 retry="60 +" timeout=1 starttls=critical
-LDAP_REPLICATION_HOSTS:
-  - ldap://ldap.example.org # The order must be the same on all ldap servers
-  - ldap://ldap2.example.org
-
-# Do not change the ldap config
-# - If set to true with an existing database, config will remain unchanged. Image tls and replication config will not be run.
-#   The container can be started with LDAP_ADMIN_PASSWORD and LDAP_CONFIG_PASSWORD empty or filled with fake data.
-# - If set to true when bootstrapping a new database, bootstap ldif and schema will not be added and tls and replication config will not be run.
-KEEP_EXISTING_CONFIG: false
-
-# Remove config after setup
-LDAP_REMOVE_CONFIG_AFTER_SETUP: true
-
-# ssl-helper environment variables prefix
-LDAP_SSL_HELPER_PREFIX: ldap # ssl-helper first search config from LDAP_SSL_HELPER_* variables, before SSL_HELPER_* variables.
-
-SSL_HELPER_AUTO_RENEW_SERVICES_IMPACTED: slapd
+HOSTNAME: ldaps.picasoft.net