authorBuchan Milne <buchan@mageia.org>2010-11-05 12:19:23 +0000
committerBuchan Milne <buchan@mageia.org>2010-11-05 12:19:23 +0000
commit23fdeab2512c5f7816ddf9315165ba154de1d1e2 (patch)
tree81436e64378b031375d391dc71d210dee5b6927e
parent49a9c571bea47c308ebb90140dd3802f0b0b7424 (diff)
Finalise registration ACLs
Restrict anonymous access (to none). Add some additional ACLs to put back some access that previously relied on anonymous. Listen on all IP addresses, and on ldapi. Assign a localSSF matching the ssf requirement, so that ldapi, ldaps and ldap+start_tls are all allowed.
-rw-r--r--modules/openldap/templates/ldap.sysconfig2
-rw-r--r--modules/openldap/templates/mandriva-dit-access.conf25
-rw-r--r--modules/openldap/templates/slapd.conf8
3 files changed, 23 insertions, 12 deletions
diff --git a/modules/openldap/templates/ldap.sysconfig b/modules/openldap/templates/ldap.sysconfig
index a5830732..31e39dda 100644
--- a/modules/openldap/templates/ldap.sysconfig
+++ b/modules/openldap/templates/ldap.sysconfig
@@ -3,7 +3,7 @@ SLAPDSYSLOGLEVEL="0"
SLAPDSYSLOGLOCALUSER="local4"
# SLAPD URL list
-SLAPDURLLIST="ldap://127.0.0.1/ ldaps://127.0.0.1/"
+SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///"
# Config file to use for slapd
#SLAPDCONF=/etc/openldap/slapd.conf
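Review bot: `SLAPDURLLIST="ldap:/// ldaps:/// ldapi:///"` drops the 127.0.0.1 restriction, so the cleartext `ldap://` listener is now reachable from every interface, and the only thing keeping binds off the wire in the clear is the `security ssf=56` floor that this same commit adds to slapd.conf. If the sysconfig template is rolled out, or slapd restarted, before the slapd.conf change lands, the listener is briefly unprotected, so the two templates should be applied together (a single notify/ordering relationship in the Puppet module). A comment next to the URL list would make the dependency explicit for the next reader: `# ldap:// on all interfaces relies on "security ssf=56" in slapd.conf rejecting cleartext binds`. `ldapi:///` is left with slapd's default socket path and mode, which is fine as long as that default is not world-writable on this platform — worth a quick check, since ldapi sessions are granted localSSF unconditionally.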
diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf
index 95541890..e97be748 100644
--- a/modules/openldap/templates/mandriva-dit-access.conf
+++ b/modules/openldap/templates/mandriva-dit-access.conf
@@ -85,11 +85,24 @@ access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
by dnattr=owner write
by * break
+# registration - allow registrar group to create basic unprivileged accounts
+access to dn.subtree="ou=People,dc=mageia,dc=org"
+ attrs="objectClass"
+ val="inetOrgperson"
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =a
+ by * +0 break
+
+access to dn.subtree="ou=People,dc=mageia,dc=org"
+ filter="(!(objectclass=posixAccount))"
+ attrs=cn,sn,gn,mail,entry,children
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =a
+ by * +0 break
+
# let the user change some of his/her attributes
access to dn.subtree="ou=People,dc=mageia,dc=org"
attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
by self write
- by * break
+ by * +0 break
# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
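Review bot: The two registrar clauses (`by group/groupOfNames/member.exact="cn=registrars,..." =a`) use `=a` with no `break`, so for a member of `cn=registrars` evaluation stops there with add-only access to `objectClass` and to `cn,sn,gn,mail,entry,children` of every non-posixAccount entry under `ou=People`; unlike the `+a break` form this commit removes further down, any read or search access that later rules grant registrars on those entries is lost. If that is not intended, `by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a break` keeps the fall-through while still adding the privilege. Separately, `dn.subtree` lets a registrar add entries at any depth below `ou=People`, including beneath a non-posixAccount entry they just created; the `dn.regex="^([^,]+,)?ou=People,dc=mageia,dc=org$"` form already used by the "create new accounts" rule on the last line of this hunk would confine them to one level. `val="inetOrgperson"` appears to match because objectClass is compared case-insensitively, but spelling it `inetOrgPerson` as in the schema would avoid a double-take.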
@@ -146,16 +159,6 @@ access to dn.sub="ou=dns,dc=mageia,dc=org"
by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
by * none
-# registration - allow registrar group to create basic unprivileged accounts
-access to dn.subtree="ou=People,dc=mageia,dc=org"
- attrs="objectClass"
- val="inetOrgperson"
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" write by * +0 break
-
-access to dn.subtree="ou=People,dc=mageia,dc=org"
- attrs="cn,sn,gn,mail,entry,children"
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a break
- by * +0 break
# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf
index 62f0b67f..ab97aacd 100644
--- a/modules/openldap/templates/slapd.conf
+++ b/modules/openldap/templates/slapd.conf
@@ -40,6 +40,14 @@ TLSCertificateFile /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
TLSCACertificateFile /etc/ssl/openldap/ldap.pem
+# Give ldapi connection some security
+localSSF 56
+# Require at least this security, so we allow:
+# ldapi
+# ldap+start_tls
+# ldaps
+security ssf=56
+
loglevel 256
database bdb
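Review bot: `security ssf=56` sets the floor at the strength of single DES, so a TLS session negotiated with a 56-bit cipher would satisfy it; unless a `TLSCipherSuite` directive elsewhere in slapd.conf (not in this hunk) already rules such ciphers out, `security ssf=128` with a matching `localSSF 128` is the conventional minimum and still admits ldapi, ldaps and StartTLS. The `ssf=` floor is global, so it also applies to anonymous operations and to the initial bind, which is the intended effect here (a cleartext simple bind on `ldap://` is refused until StartTLS succeeds) but is worth stating in the comment, e.g. `# global floor: cleartext ldap:// operations are rejected until StartTLS; localSSF must be >= this value or ldapi is refused too`. Since the two numbers must stay equal, emitting both from one variable in the Puppet template would stop them drifting apart in a later edit.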