fripost-ansible/lib/modules/openldap, branch master Fripost ansible scripts LDAP: Load dynlist overlay. 2025-02-01T12:56:14+00:00 Guilhem Moulin guilhem@fripost.org 2025-01-29T23:58:13+00:00 f647dd2265bf4c5a2903325f628774eace2011ce Looks like nextcloud 26-29 broke something in the handling of dynamic groups via memberURL attribute (and keeps repopulating the group — possibly due to paging — thereby spamming members with “An administrator removed you from group medlemmar” mails), so we expand on the slapd via slapo-dynlist(5) instead. This commit also fixes an issue with the openldap module where the index of the leftmost attribute of the DN is not necessary {0}. 
Looks like nextcloud 26-29 broke something in the handling of dynamic
groups via memberURL attribute (and keeps repopulating the group —
possibly due to paging — thereby spamming members with “An administrator
removed you from group medlemmar” mails), so we expand on the slapd via
slapo-dynlist(5) instead.

This commit also fixes an issue with the openldap module where the index
of the leftmost attribute of the DN is not necessary {0}.
openldap module: Fix python3's bytes vs str mismatch. 2022-10-11T18:05:33+00:00 Guilhem Moulin guilhem@fripost.org 2022-10-11T17:59:17+00:00 ab1f9b0eb7b3cd3c14ba4722a3c85507efde1fcd 






dovecot-auth-proxy: replace directory traversal with LDAP lookups.
2020-05-21T00:26:16+00:00

Guilhem Moulin
guilhem@fripost.org

2020-05-20T23:35:28+00:00

5118f8d3394579a245b355c863c69410fe92e26e

This provides better isolation opportunity as the service doesn't need
to run as ‘vmail’ user.  We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.

The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).

OTOH we no longer lists users that have been removed from LDAP but still
have a mailstore lingering around.  This is fair.





This provides better isolation opportunity as the service doesn't need
to run as ‘vmail’ user.  We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.

The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).

OTOH we no longer lists users that have been removed from LDAP but still
have a mailstore lingering around.  This is fair.







Port custom modules to python3.
2019-02-05T22:51:13+00:00

Guilhem Moulin
guilhem@fripost.org

2019-02-05T22:51:13+00:00

c19f6525465065496c485a5084a86707e4923580












Make Ansible modules compatible with Ansible 2.2.0.0.
2016-12-08T18:39:01+00:00

Guilhem Moulin
guilhem@fripost.org

2016-12-08T18:39:01+00:00

ca71056ec50e7b51ca0eaebb7a716207ce1a00e6












slapd monitoring.
2015-06-10T16:52:21+00:00

Guilhem Moulin
guilhem@fripost.org

2015-06-10T16:16:13+00:00

f24f936c69ee97cca6095923549430cb6d510320

We don't use the provided 'slapd_' Munin plugin because it doesn't
support SASL binds.





We don't use the provided 'slapd_' Munin plugin because it doesn't
support SASL binds.







Upgrade the LDAP config to Jessie.
2015-06-07T00:53:26+00:00

Guilhem Moulin
guilhem@fripost.org

2015-05-14T19:53:14+00:00

334b7604727810c02ecb8942f3753dee15466691












Make the Ansible LDAP plugin able to delete entries and attributes.
2015-06-07T00:52:41+00:00

Guilhem Moulin
guilhem@fripost.org

2014-07-07T21:02:45+00:00

9198e7f8096e9f1b0d5f474cf2345913a357f864

Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on
the 'config' database.





Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on
the 'config' database.







Remove o=mailHosting from the LDAP directory suffix.
2015-06-07T00:52:39+00:00

Guilhem Moulin
guilhem@fripost.org

2014-07-07T16:37:30+00:00

2dfe29dfcd35fae7160178e329fb0647cc896e3b

So our suffix is now a mere 'dc=fripost,dc=org'.  We're also using the
default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it
before hand).





So our suffix is now a mere 'dc=fripost,dc=org'.  We're also using the
default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it
before hand).







Configure SyncRepl (OpenLDAP replication) and related ACLs.
2015-06-07T00:52:34+00:00

Guilhem Moulin
guilhem@fripost.org

2014-07-07T03:16:53+00:00

7c01a383fae4d84727d6a036d93117c761b98e10

The clients are identified using their certificate, and connect securely
to the SyncProv.

There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT
    operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see
    'olcSecurity'), meaning one must use either a local connection (eg,
    ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
    least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket.
    If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
    socket whenever possible (if the service itself supports SASL binds).
    If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
    socket, and their identity should be derived from the CN of the client
    certificate only (hence services may not simple bind).
  - Admins have restrictions similar to that of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.





The clients are identified using their certificate, and connect securely
to the SyncProv.

There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
  - Authentication (XXX: strong authentication) is required prior to any DIT
    operation (see 'olcRequires').
  - We force a Security Strength Factor of 128 or above for all operations (see
    'olcSecurity'), meaning one must use either a local connection (eg,
    ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
    least 128 bits of security.
  - XXX: Services may not simple bind other than locally on a ldapi:// socket.
    If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
    socket whenever possible (if the service itself supports SASL binds).
    If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
    socket, and their identity should be derived from the CN of the client
    certificate only (hence services may not simple bind).
  - Admins have restrictions similar to that of the services.
  - User access is only restricted by our global 'olcSecurity' attribute.