Basic system installation
SSH
Edit the file /etc/ssh/sshd_config:
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
Ciphers chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
MACs umac-128-etm@openssh.com
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no # pam does that
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
AllowUsers breizh darks lephe
The parameters that were changed are described below; everything else is the default configuration.
Cryptography:
HostKey /etc/ssh/ssh_host_ed25519_key: the server only presents an Ed25519 host key (the RSA, DSA and ECDSA HostKey lines stay commented out). It is the strongest of the host-key types OpenSSH offers, but a client without Ed25519 support can no longer connect.
Ciphers chacha20-poly1305@openssh.com: restricts the session cipher to ChaCha20-Poly1305 instead of OpenSSH's default list (which also includes AES-GCM and AES-CTR).
KexAlgorithms curve25519-sha256@libssh.org: key exchange algorithm (Curve25519; curve25519-sha256 is the standardised name of the same algorithm in newer OpenSSH releases).
MACs umac-128-etm@openssh.com: integrity algorithm for the transport (encrypt-then-MAC). It is not actually used with chacha20-poly1305, an AEAD cipher that carries its own authentication tag; it only matters if another cipher is re-enabled.
Authentication:
PermitRootLogin prohibit-password: root may log in directly, but only with an SSH key (password login as root is refused).
AuthorizedKeysFile .ssh/authorized_keys: the file listing the keys allowed to log in, relative to the user's home directory.
PasswordAuthentication no: disables password login for every account. ChallengeResponseAuthentication no closes the keyboard-interactive path that PAM could otherwise use to ask for a password (UsePAM stays on for account and session handling only). OpenSSH 8.7 renamed this option KbdInteractiveAuthentication; the old name is still accepted as an alias.
AllowUsers breizh darks lephe: the only accounts allowed to log in. root is not in the list, so it cannot log in over SSH at all, whatever PermitRootLogin says.
Before reloading, check the syntax with sshd -t, make sure a key-based login already works, and keep the current session open until a second one succeeds: with PasswordAuthentication off, a typo in authorized_keys locks you out.
systemctl reload sshd
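An added check that is not part of the original guide: the script below audits the effective sshd configuration as reported by sshd -T (defaults included, so a directive accidentally left commented out shows up), covering the settings the section above relies on and the ChallengeResponseAuthentication/KbdInteractiveAuthentication rename. The two samples are constructed to look like sshd -T output, one for the configuration above and one with regressions; audit_live() runs the check against the real daemon and needs root to read the host keys.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the settings that
# matter in the sshd_config above against "sshd -T" output.
# sshd -T prints "keyword value" lines, keywords in lowercase.

# Required "keyword value" pairs (sshd -T spelling).
REQUIRED='
passwordauthentication no
permitrootlogin prohibit-password
permitemptypasswords no
pubkeyauthentication yes
kbdinteractiveauthentication no
'

# check_sshd_settings: reads sshd -T output on stdin, prints one line per
# violation and returns the number of violations (0 = all good).
check_sshd_settings() {
    awk -v req="$REQUIRED" '
    BEGIN {
        n = split(req, lines, "\n")
        for (i = 1; i <= n; i++)
            if (split(lines[i], kv, " ") == 2) want[kv[1]] = kv[2]
        # OpenSSH 8.7 renamed ChallengeResponseAuthentication; an older
        # sshd -T still reports it under the old name.
        alias["kbdinteractiveauthentication"] = "challengeresponseauthentication"
    }
    {
        k = tolower($1); got[k] = tolower($2)
        if (k == "allowusers") users++     # sshd -T prints one line per allowed user
    }
    END {
        bad = 0
        for (k in want) {
            key = k
            if (!(key in got) && (k in alias) && (alias[k] in got)) key = alias[k]
            if (!(key in got))            { printf "%s: not reported by sshd -T\n", k; bad++ }
            else if (got[key] != want[k]) { printf "%s: is %s, want %s\n", k, got[key], want[k]; bad++ }
        }
        # AllowUsers is the allow-list; sshd -T prints nothing for it when unset.
        if (users == 0) { print "allowusers: no allow-list configured"; bad++ }
        exit bad
    }'
}

# Run against the live daemon (root needed: sshd -T reads the host keys).
# sshd -t first: it rejects a syntactically broken file before any reload.
audit_live() {
    sshd -t && sshd -T | check_sshd_settings
}

# Constructed samples (not captured from a real server), reduced to the
# lines the checks look at.  SAMPLE_OK mirrors the configuration above.
SAMPLE_OK='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
ciphers chacha20-poly1305@openssh.com
allowusers breizh
allowusers darks
allowusers lephe'

# Three regressions: root with password, passwords on, no AllowUsers.
# (The pre-8.7 challengeresponseauthentication keyword is still recognised.)
SAMPLE_BAD='port 22
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
challengeresponseauthentication no
permitemptypasswords no'

# Usage: printf '%s\n' "$SAMPLE_BAD" | check_sshd_settings; echo "violations: $?"
```

Because the check reads sshd -T rather than the file, it also catches a setting that is overridden by an Include or a Match block later in the configuration.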
Fstab
Add the following lines to /etc/fstab. nodev and nosuid keep device nodes and setuid binaries out of these writable scratch areas; noexec is applied everywhere except /tmp, since programs that unpack and run something from /tmp would otherwise break. noatime already implies nodiratime, so that option is redundant. On a systemd system /var/run and /var/lock are symlinks to /run and /run/lock, which systemd mounts as tmpfs on its own (as it does /dev/shm), so check what is actually in effect after a reboot with findmnt -o TARGET,OPTIONS.
tmpfs /var/lock tmpfs defaults,nodev,nosuid,noexec,noatime,nodiratime 0 0
tmpfs /var/run tmpfs defaults,nodev,nosuid,noexec,noatime,nodiratime 0 0
tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec,noatime,nodiratime 0 0
tmpfs /var/tmp tmpfs defaults,nodev,nosuid,noexec,noatime,nodiratime 0 0
tmpfs /tmp tmpfs defaults,nodev,nosuid,noatime,nodiratime 0 0
Locale
Generate the French and English locales and use French by default.
cat > /etc/locale.gen <<EOF
en_US.UTF-8 UTF-8
fr_FR.UTF-8 UTF-8
EOF
locale-gen
echo "LANG=fr_FR.UTF-8" > /etc/locale.conf
Time
Enable NTP time synchronisation (systemd-timesyncd) and set the local time zone.
timedatectl set-ntp true
ln -sf /usr/share/zoneinfo/Europe/Paris /etc/localtime
Pacman
Install yay to manage the AUR (https://github.com/Jguer/yay). yay refuses to run as root: use it from an unprivileged account and let it call sudo for the pacman steps.
Install and run reflector to get a sane mirror list (add --protocol https to keep only HTTPS mirrors):
yay -S reflector
reflector -c FR --sort rate --save /etc/pacman.d/mirrorlist
In /etc/pacman.conf, uncomment Color, CheckSpace and VerbosePkgLists: CheckSpace verifies the free disk space before a transaction to avoid nasty surprises, the other two improve the output. UseDelta = 0.7 (download only package deltas) and TotalDownload only exist in old pacman releases: delta support was removed in pacman 5.2 and TotalDownload in pacman 6.0, which always shows the total, so leave those two out on a current install.
Update the repositories and packages:
yay -Syyu
IPTables
iptables configures the Linux kernel's netfilter firewall. The rulesets below are in iptables-save format and are loaded by iptables.service from /etc/iptables/iptables.rules (ip6tables.service and ip6tables.rules for IPv6). Two things to check before relying on them: the INPUT policy stays ACCEPT and the catch-all DROP only matches -i eth0, so on an interface with another name nothing is filtered at all; Arch uses systemd's predictable names (ens3, enp1s0…) unless net.ifnames=0 is on the kernel command line, so confirm the name with ip link. The -m state match is the older spelling of -m conntrack --ctstate and still works.
/etc/iptables/iptables.rules:
# Anti-DDoS: drop malformed and bogus TCP packets before they reach the filter table
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -f -j DROP
-A PREROUTING -m conntrack --ctstate INVALID -j DROP
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow replies to connections established from here
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow loopback traffic
-A INPUT -i lo -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Allow SSH
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Allow HTTP(S)
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Anti-DDoS (bis): rate-limit RST packets. These rules must precede the
# catch-all DROP below; placed after it they would never be reached for eth0.
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
# Drop everything else arriving on eth0 (other interfaces fall through to the ACCEPT policy)
-A INPUT -i eth0 -j DROP
COMMIT
Same thing for IPv6, with a few differences: there is no mangle table, and ICMPv6 must stay fully open because neighbour discovery and router advertisements depend on it (blocking it breaks IPv6 connectivity altogether).
/etc/iptables/ip6tables.rules:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Replies
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback
-A INPUT -i lo -j ACCEPT
# ICMPv6 (ping, neighbour discovery, PMTU)
-A INPUT -p ipv6-icmp -j ACCEPT
# SSH
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# HTTP(S)
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Anti-DDoS: RST rate limit, before the catch-all DROP so that it is reachable
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
# Everything else on eth0
-A INPUT -i eth0 -j DROP
COMMIT
systemctl enable --now iptables
systemctl enable --now ip6tables
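An added check that is not part of the original guide: lint_ruleset reads a ruleset in iptables-save format (a file such as /etc/iptables/iptables.rules, or the output of iptables-save / ip6tables-save) and flags three problems that are silent at load time and easy to introduce in a hand-written ruleset like the two above: a built-in INPUT or FORWARD chain left with policy ACCEPT, rules placed after an interface-only catch-all DROP (unreachable for that interface), and duplicate rules. The two embedded rulesets are constructed for the example; the first reproduces those mistakes, the second is a version that passes.

```shell
#!/bin/sh
# Added example (not from the original guide): lint an iptables-save style
# ruleset for mistakes that iptables-restore accepts without complaint.

# lint_ruleset: ruleset on stdin; prints one finding per line and returns
# the number of findings (0 = clean).
lint_ruleset() {
    awk '
    /^\*/ { table = substr($0, 2); split("", catchall); next }   # "*filter": new table
    /^COMMIT/ { next }
    /^:/ {
        # ":INPUT ACCEPT [0:0]" -> built-in chain and its policy
        chain = substr($1, 2)
        if (table == "filter" && (chain == "INPUT" || chain == "FORWARD") && $2 == "ACCEPT") {
            printf "%s %s: policy is ACCEPT, unmatched traffic is allowed\n", table, chain
            bad++
        }
        next
    }
    /^-A / {
        chain = $2
        if (($0, table) in seen) {
            printf "%s %s: duplicate rule: %s\n", table, chain, $0; bad++
        }
        seen[$0, table] = 1
        if (chain in catchall) {
            printf "%s %s: unreachable for traffic on %s (after catch-all DROP): %s\n", table, chain, catchall[chain], $0
            bad++
        }
        # "-A CHAIN -i IFACE -j DROP" with no other match: a per-interface catch-all
        if (NF == 6 && $3 == "-i" && $5 == "-j" && $6 == "DROP") catchall[chain] = $4
        next
    }
    END { exit bad }'
}

# Lint the files the iptables/ip6tables services load, or the live rules.
lint_saved() { lint_ruleset < /etc/iptables/iptables.rules && lint_ruleset < /etc/iptables/ip6tables.rules; }
lint_live()  { iptables-save | lint_ruleset && ip6tables-save | lint_ruleset; }

# Constructed ruleset with the three problems (ACCEPT policies, a duplicate
# loopback rule, RST rules after the eth0 catch-all).
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
COMMIT'

# Same intent, written so that it passes: DROP policy, so no per-interface
# catch-all is needed, and the RST limit sits before the service rules.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
COMMIT'

# Usage: printf '%s\n' "$BAD_RULES" | lint_ruleset; echo "findings: $?"
```

A DROP policy, as in GOOD_RULES, removes the dependency on the interface name entirely; the interface-only DROP rule then becomes unnecessary.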
Network
systemd-networkd is used. The configuration is fairly self-explanatory; below is the one for the VPS (static IPv4 and IPv6). Existing .network files are set aside first so that only this one matches eth0 (rename here is util-linux rename(1), Arch's default). The DNS= entries are only used by systemd-resolved, and systemd-networkd itself has to be enabled for the file to take effect; do this with the provider's console or rescue mode within reach, since a mistake here cuts off SSH.
rename '.network' '.network.bak' /etc/systemd/network/*.network
cat > /etc/systemd/network/eth0.network <<EOF
[Match]
Name=eth0
[Address]
Address=2001:41d0:305:2100::8930/128
[Address]
Address=51.83.79.246/32
[Route]
Gateway=2001:41d0:305:2100::1
GatewayOnlink=true
[Route]
Gateway=51.83.72.1
GatewayOnlink=true
[Network]
DNS=2001:41d0:3:163::1
DNS=2001:910:800::12
DNS=2001:910:800::40
DNS=213.186.33.99
DNS=80.67.169.12
DNS=80.67.169.40
EOF
Adapt to your setup (addresses, interface name…). The DNS servers are OVH's, followed by FDN's.
Postfix
Postfix only accepts mail submitted locally: smtpd listens on 127.0.0.1 alone (inet_interfaces), so it is not reachable from outside. A few points to adapt: the snakeoil certificate paths below are Debian's and do not exist on Arch, so point smtpd_tls_cert_file and smtpd_tls_key_file at the Let's Encrypt certificate once dehydrated has issued it (outbound TLS with smtp_tls_security_level = may needs no server certificate). The master.cf is Debian's as well: the maildrop, uucp, ifmail, bsmtp, scalemail-backend and mailman services refer to users and programs that are not installed here and are never selected by the transport map, so they can be deleted. The slow transport throttles deliveries to the French ISPs listed in /etc/postfix/transport; its rate settings (slow_destination_concurrency_limit and friends) are read by the queue manager and therefore belong in main.cf, as the first one already is, rather than as -o options on the slow service line. /etc/mailname is a Debian convention, but myorigin = /etc/mailname works anywhere since Postfix reads the file.
yay -S postfix
cp -a /etc/postfix/main.cf /etc/postfix/.main.cf.orig
cp -a /etc/postfix/master.cf /etc/postfix/.master.cf.orig
echo "planet-casio.com" > /etc/mailname
cat > /etc/postfix/main.cf <<'EOF'
smtpd_banner = $myhostname ESMTP
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = may
smtp_tls_loglevel = 1
myhostname = planet-casio.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = 127.0.0.1
inet_protocols = ipv4
slow_destination_recipient_limit = 20
slow_destination_concurrency_limit = 2
transport_maps = hash:/etc/postfix/transport
EOF
cat > /etc/postfix/master.cf <<\EOF
smtp inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
-o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
slow unix - - n - 5 smtp
-o syslog_name=postfix-slow
-o smtp_destination_concurrency_limit=3
-o slow_destination_rate_delay=1
EOF
cat > /etc/postfix/transport <<\EOF
laposte.net slow:
orange.fr slow:
wanadoo.fr slow:
free.fr slow:
EOF
postmap /etc/postfix/transport
systemctl restart postfix
systemctl enable postfix
OpenDKIM
pacman -Syu opendkim
cp /usr/share/doc/opendkim/opendkim.conf.sample /etc/opendkim/opendkim.conf
Edit /etc/opendkim/opendkim.conf. The key pair is generated with opendkim-genkey (-d planet-casio.com -s dkim-selector -D /etc/opendkim), which writes dkim-selector.private, to be owned by and readable only to the opendkim user, and dkim-selector.txt with the matching DNS record:
Domain planet-casio.com
KeyFile /etc/opendkim/dkim-selector.private
Selector dkim-selector
Socket inet:8891@localhost
Syslog Yes
UserID opendkim
Edit /etc/postfix/main.cf. milter_default_action = accept means mail still leaves, unsigned, if opendkim is down; fail-open is the usual choice for an outbound-only signer:
# OpenDKIM
smtpd_milters = inet:localhost:8891
non_smtpd_milters = $smtpd_milters
milter_default_action = accept
systemctl enable --now opendkim.service
systemctl reload postfix
Publish the DNS TXT record for dkim-selector._domainkey.planet-casio.com; its content is in /etc/opendkim/dkim-selector.txt.
Fail2ban (WIP)
fail2ban is installed to slow down brute-force attempts. The shipped jail.conf enables no jail, so at least the sshd jail has to be turned on in a jail.local, with backend = systemd since sshd logs to the journal on Arch; the default thresholds can do for a start, to be tightened later if the logs call for it. fail2ban adds its own blocking rules in front of the ruleset above, so it works regardless of that ruleset's ACCEPT policy.
yay -S fail2ban
systemctl enable --now fail2ban
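What the sshd jail counts, as an added example that is not part of the original guide or of fail2ban: the function below applies one of the patterns from fail2ban's sshd filter ("Failed password for … from <ip>") to journal lines and reports the addresses that reach maxretry. The log excerpt is constructed with documentation addresses, not taken from the server; recent_offenders() runs the same count over today's sshd journal on the live system.

```shell
#!/bin/sh
# Added example (not from the original guide): count failed SSH logins per
# source address, the way fail2ban's sshd jail does before banning.

# failed_logins_by_ip MAXRETRY: reads sshd log lines (syslog / journalctl -o short
# format) on stdin and prints "ip count" for every address with at least
# MAXRETRY failures (default 3 here; fail2ban's own default for maxretry is 5).
failed_logins_by_ip() {
    awk -v max="${1:-3}" '
    # One of the sshd filter patterns: "Failed password for [invalid user] X from IP port N ssh2".
    # The address is the token after "from", for IPv4 and IPv6 alike.
    /sshd\[[0-9]+\]: Failed password for / {
        for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }'
}

# Same count over the sshd journal of the live system (today only).
recent_offenders() {
    journalctl -u sshd --since today -o short | failed_logins_by_ip "$@"
}

# Constructed journal excerpt (documentation addresses, not real traffic):
# 203.0.113.7 fails three times, two other addresses once, one key login succeeds.
SAMPLE_LOG='Mar 14 07:19:07 vps sshd[1201]: Invalid user admin from 203.0.113.7 port 51022
Mar 14 07:19:09 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 07:19:12 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 14 07:19:15 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 14 07:20:01 vps sshd[1210]: Accepted publickey for breizh from 198.51.100.9 port 40022 ssh2
Mar 14 07:21:30 vps sshd[1215]: Failed password for invalid user test from 198.51.100.22 port 3333 ssh2
Mar 14 07:22:44 vps sshd[1220]: Failed password for invalid user oracle from 2001:db8::bad port 48000 ssh2'

# Usage: printf '%s\n' "$SAMPLE_LOG" | failed_logins_by_ip 3    -> "203.0.113.7 3"
```

With PasswordAuthentication off (see the SSH section), every "Failed password" line is an attacker probing; the count is therefore a direct measure of what the jail will ban, and a low maxretry costs nothing.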
Nginx
Install Nginx, and dehydrated for the Let's Encrypt certificates.
yay -S dehydrated nginx
Initial Nginx configuration. The ssl.conf and common.conf written below are meant to be included from each server block; the site definitions themselves are not shown here.
cp -a /etc/nginx/nginx.conf /etc/nginx/.nginx.conf.orig
cat > /etc/nginx/nginx.conf <<\EOF
pid /var/run/nginx.pid;
# Arch's nginx package runs as user "http"; www-data is Debian's user and must
# exist, otherwise nginx refuses to start.
user www-data;
worker_processes auto;
error_log /var/log/nginx/error.log;
# modules-enabled/ and sites-enabled/ are Debian's layout; on a stock Arch
# install these wildcard includes match nothing until the directories are created.
include /etc/nginx/modules-enabled/*.conf;
events {
multi_accept on;
use epoll;
worker_connections 256;
}
http {
index index.html index.htm index.php;
server_tokens off;
include /etc/nginx/mime.types;
charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
types_hash_bucket_size 128;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
EOF
cat > /etc/nginx/conf.d/buffer.conf <<\EOF
# Buffer Overflow Protection
client_body_buffer_size 100K;
client_header_buffer_size 1k;
client_max_body_size 100k;
large_client_header_buffers 2 1k;
EOF
cat > /etc/nginx/conf.d/ddos.conf <<\EOF
# Slow DDOS Protection
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 5 5;
send_timeout 10;
# DDOS Protection
# Maximum request per IP // 100 per seconde
limit_req_zone $binary_remote_addr zone=flood:10m rate=100r/s;
limit_req zone=flood burst=100 nodelay;
# Maximum Connection per IP // 100 per seconde
limit_conn_zone $binary_remote_addr zone=ddos:10m;
limit_conn ddos 100;
EOF
cat > /etc/nginx/conf.d/header.conf <<\EOF
# Security headers.  nginx inherits add_header from an outer level only if the
# server/location block defines no add_header of its own; a block that adds
# a single header must repeat all of these.
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
# Legacy browser XSS filter header, ignored by current browsers; harmless to keep.
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
# Only meaningful on HTTPS responses: browsers ignore HSTS received over plain HTTP.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
EOF
cat > /etc/nginx/conf.d/blockuseragents.conf <<\EOF
# User-agent blocklist, applied by the "if ($blockedagent)" test in common.conf.
# "spider" and "crawler" also match legitimate search bots (Baiduspider, for one),
# so those will not index the site.
map $http_user_agent $blockedagent {
default 0;
~*malicious 1;
~*backdoor 1;
~*crawler 1;
~*spider 1;
}
EOF
cat > /etc/logrotate.d/nginx <<\EOF
/var/log/nginx/*.log {
daily
missingok
rotate 14
compress
delaycompress
notifempty
create 0644 root root
sharedscripts
prerotate
if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
run-parts /etc/logrotate.d/httpd-prerotate; \
fi \
endscript
postrotate
# Ask the master process to reopen its log files (invoke-rc.d is Debian-only)
[ -f /var/run/nginx.pid ] && kill -USR1 "$(cat /var/run/nginx.pid)"
endscript
}
EOF
cat > /etc/nginx/ssl.conf <<EOF
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
# OpenSSL cipher string for TLS 1.2 (TLS 1.3 suites are not affected by it).
# Only ECDHE suites are listed, so the ssl_dhparam below is never used; it is
# kept in case a DHE suite is added, and the file must exist (openssl dhparam)
# or nginx fails to start.
ssl_ciphers 'EECDH+CHACHA20:EECDH+AES';
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_dhparam /etc/ssl/ssl.dh/dhparam.pem;
# OCSP stapling also needs a "resolver" directive to reach the OCSP responder,
# and ssl_stapling_verify needs ssl_trusted_certificate pointing at the issuer
# chain (dehydrated's chain.pem); without them nginx logs a warning and staples nothing.
ssl_stapling on;
ssl_stapling_verify on;
EOF
cat > /etc/nginx/common.conf <<'EOF'
# ACME http-01 challenges, served from dehydrated's well-known directory
location ^~ /.well-known/acme-challenge {
alias /var/www/dehydrated;
}
# $blockedagent is computed by conf.d/blockuseragents.conf
if ($blockedagent) {
return 403;
}
# 444 closes the connection without a response. HEAD and OPTIONS are refused
# too; monitoring tools and CORS preflight requests rely on them.
if ($request_method !~ ^(GET|PUT|POST)$ ) {
return 444;
}
EOF
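A verification step added here, not part of the original guide: once a site is up, check the response headers a client actually receives rather than trusting the configuration, because the add_header directives of header.conf silently disappear in any server or location block that sets its own add_header, and server_tokens only hides the version where it is really in effect. check_security_headers reads raw response headers and reports what is missing; the two samples are constructed responses, one as header.conf intends and one from a location that lost the inherited headers. check_live() fetches the real site over HTTPS (HSTS is only sent there) with a GET, since common.conf refuses HEAD.

```shell
#!/bin/sh
# Added example (not from the original guide): verify the security headers
# that conf.d/header.conf is supposed to add, on a real HTTP response.

# Headers that every HTTPS response must carry (lowercase).
REQUIRED_HEADERS='x-frame-options x-content-type-options referrer-policy strict-transport-security'

# check_security_headers: raw response headers on stdin (CRLF line endings
# as sent by curl are fine); prints one finding per line and returns the
# number of findings (0 = all good).
check_security_headers() {
    awk -v req="$REQUIRED_HEADERS" '
    BEGIN { n = split(req, want, " ") }
    /^[A-Za-z0-9-]+:/ {
        sub(/\r$/, "")
        name  = tolower(substr($0, 1, index($0, ":") - 1))
        value = substr($0, index($0, ":") + 1); sub(/^ +/, "", value)
        got[name] = value
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++)
            if (!(want[i] in got)) { printf "missing header: %s\n", want[i]; bad++ }
        if ("strict-transport-security" in got) {
            v = got["strict-transport-security"]
            age = match(v, /max-age=[0-9]+/) ? substr(v, RSTART + 8, RLENGTH - 8) + 0 : 0
            # header.conf sets one year; anything shorter means another block overrode it
            if (age < 31536000) { printf "hsts max-age too short: %s\n", v; bad++ }
        }
        # server_tokens off yields "Server: nginx"; a "/" means the version leaked
        if (("server" in got) && got["server"] ~ /\//) { printf "server header leaks version: %s\n", got["server"]; bad++ }
        exit bad
    }'
}

# Check the live site.  GET rather than HEAD: common.conf answers HEAD with 444.
check_live() {
    curl -s -o /dev/null -D - "https://${1:-planet-casio.com}/" | check_security_headers
}

# Constructed responses (not captured from the server).
# As header.conf intends:
SAMPLE_OK='HTTP/1.1 200 OK
Server: nginx
Date: Thu, 14 Mar 2019 07:19:07 GMT
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=31536000; includeSubDomains'

# From a location block with its own add_header (inherited headers gone)
# and server_tokens left on:
SAMPLE_BAD='HTTP/1.1 200 OK
Server: nginx/1.16.0
Date: Thu, 14 Mar 2019 07:19:07 GMT
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache'

# Usage: printf '%s\n' "$SAMPLE_BAD" | check_security_headers; echo "findings: $?"
```

Run check_live against every location that sets its own add_header or Cache-Control, not just the front page; that is exactly where the inherited headers go missing.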
Monitoring
Install the tools.
yay -S grafana telegraf influxdb goaccess
InfluxDB
systemctl enable --now influxdb
influx
CREATE DATABASE telegraf
CREATE USER telegraf WITH PASSWORD 'un_joli_password'
GRANT ALL ON telegraf TO telegraf
CREATE RETENTION POLICY thirty_days ON telegraf DURATION 30d REPLICATION 1 DEFAULT
This keeps 30 days of monitoring data. Note that InfluxDB 1.x does not enforce authentication until auth-enabled = true is set in the [http] section of /etc/influxdb/influxdb.conf (an admin user must exist before it is turned on), so until then the telegraf password is decorative. The firewall above does not open port 8086, but binding the HTTP listener to 127.0.0.1 is still advisable.
Telegraf
Configuration for writing the data to InfluxDB (the password is the one created above).
cat > /etc/telegraf/telegraf.d/outputs.conf <<EOF
[[outputs.influxdb]]
database = "telegraf"
precision = "s"
urls = [ "http://127.0.0.1:8086" ]
username = "telegraf"
password = "un_joli_password"
EOF
Base configuration (a measurement every 15 seconds).
cat > /etc/telegraf/telegraf.conf <<EOF
[tags]
# Configuration for telegraf agent
[agent]
debug = false
flush_buffer_when_full = true
flush_interval = "15s"
flush_jitter = "0s"
hostname = "planet-casio.com"
interval = "15s"
round_interval = true
EOF
Various useful system metrics (CPU, RAM, disk, I/O…). The device and interface names (vda1, eth0) are the VPS's; adapt them.
cat > /etc/telegraf/telegraf.d/inputs_cpu.conf <<EOF
# Read metrics about CPU usage
[[inputs.cpu]]
percpu = false
totalcpu = true
fieldpass = [ "usage*" ]
EOF
cat > /etc/telegraf/telegraf.d/inputs_disk.conf <<EOF
# Read metrics about disk usagee
[[inputs.disk]]
mount_points=["/"]
EOF
cat > /etc/telegraf/telegraf.d/inputs_diskio.conf <<EOF
# Read metrics about diskio usage
[[inputs.diskio]]
devices = ["vda1"]
skip_serial_number = true
EOF
cat > /etc/telegraf/telegraf.d/inputs_net.conf <<EOF
# Read metrics about network usage
[[inputs.net]]
interfaces = [ "eth0" ]
fielddrop = [ "icmp*", "ip*", "tcp*", "udp*" ]
EOF
cat > /etc/telegraf/telegraf.d/inputs_memory.conf <<EOF
# Read metrics about memory usage
[[inputs.mem]]
# no configuration
EOF
cat > /etc/telegraf/telegraf.d/inputs_swap.conf <<EOF
# Read metrics about swap memory usage
[[inputs.swap]]
# no configuration
EOF
cat > /etc/telegraf/telegraf.d/inputs_system.conf <<EOF
# Read metrics about system load & uptime
[[inputs.system]]
# no configuration
EOF
cat > /etc/telegraf/telegraf.d/inputs_nginx.conf <<EOF
# Needs a server block listening on 127.0.0.1:8080 with "stub_status;" in
# location /nginx-status (not part of the Nginx configuration above).
[[inputs.nginx]]
urls = ["http://127.0.0.1:8080/nginx-status"]
EOF
systemctl enable --now telegraf
Grafana
yay -S grafana
systemctl enable --now grafana
The configuration lives in /etc/grafana.ini, notably to change the listening port. Grafana starts with the admin/admin default account: change that password at first login, and keep the listener on localhost behind nginx rather than exposing port 3000 (the firewall above does not open it anyway).
Gitea
yay -S gitea
The base configuration (port, URL, SSH domain) is in /etc/gitea/app.ini. Once the service is running, the rest is done through the web installer.
To allow additional file types as attachments, the setting is ALLOWED_TYPES in the [attachment] section (singular); values are matched against the MIME type detected from the upload's content, and newer Gitea releases also accept extensions such as .g1a and .g3a:
[attachment]
ALLOWED_TYPES = image/jpeg|image/png|application/zip|application/gzip|.g1a|.g3a
At the end of the installation, check that the secrets in app.ini (SECRET_KEY, INTERNAL_TOKEN, the JWT secrets) are random values; gitea generate secret produces new ones.
LDAP
Check the content of /etc/openldap/slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /run/openldap/slapd.pid
argsfile /run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib/openldap
# moduleload back_mdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# MDB database definitions
#######################################################################
database mdb
maxsize 1073741824
suffix "o=planet-casio"
rootdn "cn=ldap-root,o=planet-casio"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw unjolimotdepasse
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/openldap/openldap-data
# Indices to maintain
index objectClass eq
index uid pres,eq
index mail pres,sub,eq
index cn pres,sub,eq
index sn pres,sub,eq
index dc eq
The include, suffix, rootdn and rootpw directives are in principle the only ones to change. Two of the sample's own warnings deserve action, though: rootpw should be the hash printed by slappasswd (for example slappasswd -h {SSHA}) rather than a cleartext password, and with no access directives the default policy lets anyone, anonymous binds included, read the whole tree, userPassword attributes and all. Uncommenting the sample access rules above (dn.base="" and cn=Subschema readable by all, then "by self write / by users read / by anonymous auth") gives each user write access to their own entry, read access to authenticated users, and anonymous access only for binding.