-rw-r--r--ldap/Makefile10
-rw-r--r--ldap/base.ldif11
-rw-r--r--ldap/constraint.ldif4
-rw-r--r--ldap/database.ldif7
-rw-r--r--ldap/modules.ldif3
-rw-r--r--ldap/ppolicy.ldif26
6 files changed, 56 insertions, 5 deletions
diff --git a/ldap/Makefile b/ldap/Makefile
index 5efa7e7..d023d1c 100644
--- a/ldap/Makefile
+++ b/ldap/Makefile
@@ -32,9 +32,14 @@ install-mx:
install:
# WARN!
+# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
+# ldapadd -Y EXTERNAL -H ldapi:/// -f modules.ldif
+# ldapadd -Y EXTERNAL -H ldapi:/// -f database.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f fripost.ldif
+ ldapadd -Y EXTERNAL -H ldapi:/// -f authz.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f index.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f constraint.ldif
+ ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f acl.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f populate.ldif
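Review bot: The three commented-out `ldapadd` lines added under `# WARN!` are the steps the rest of this recipe depends on (the ppolicy schema, the `ppolicy.la` module from `modules.ldif`, and the database definition), yet the comment says neither why they are disabled nor that they must already be present; on a host where they are missing, `ppolicy.ldif` and the `pwdPolicy` entry in `base.ldif` fail with no pointer back to this spot. Presumably they are disabled because re-adding them to an already configured server errors out; if so, say that instead of the bare `# WARN!`, e.g. `# WARN: the three steps below are one-time setup and must already be loaded; re-running them on a configured server fails.` Keeping them as live recipe lines behind their own target would be preferable to commented-out recipe text, which tends to go stale. The `install` recipe may continue past the end of this hunk.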
@@ -49,7 +54,6 @@ install-schema:
install-acl:
@sed "s/^dn: olcDatabase={.*}hdb,cn=config$$/dn: $(NUM)/" acl.ldif | ldapmodify -Q -Y EXTERNAL -H ldapi:///
-
uninstall:
@echo "The database - suffix \"$(SUFFIX)\" - will be saved into \`$(BACKUPDB)' (if non-empty), and then *cleared* (but not deleted)."
@echo "Also, its ACLs, indexes and constraints will be cleared as well, if there are any."
@@ -87,6 +91,10 @@ uninstall:
echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete \
;fi
#
+ @if test -d "$(TMPSLAPD)/$(NUM2)"; then \
+ echo "Deleting ppolicy" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}ppolicy.ldif" -delete \
+ ;fi
+#
@/etc/init.d/slapd stop
#
@echo "Replacing the old \`slapd.d'"
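Review bot: The new `find … -delete` block in `uninstall` (a copy of the constraint block just above it) has no guard against `$(TMPSLAPD)` and `$(NUM2)` being empty or unset: both are defined outside this hunk, and if both expand to nothing the path becomes `//`, `test -d` passes and `find` walks the whole filesystem deleting every `olcOverlay={*}ppolicy.ldif` it meets. Guard the variables where they are defined, e.g. `$(if $(strip $(TMPSLAPD)),,$(error TMPSLAPD is empty))` and likewise for `NUM2`, so a misconfigured invocation aborts before any recipe runs. Since the ppolicy block differs from the constraint block by one word only, a single `for o in constraint ppolicy; do … -name "olcOverlay={*}$$o.ldif" -delete; done` would keep the two in step as more overlays are added. The `uninstall` recipe starts and ends outside this hunk.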
diff --git a/ldap/base.ldif b/ldap/base.ldif
index c102beb..81e8874 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -13,6 +13,14 @@ dn: o=mailHosting,dc=fripost,dc=dev
objectClass: organization
description: Mail hosting
+dn: cn=ppolicy,o=mailHosting,dc=fripost,dc=dev
+objectClass: organizationalRole
+objectClass: pwdPolicy
+pwdAttribute: userPassword
+pwdLockout: TRUE
+pwdLockoutDuration: 900
+pwdFailureCountInterval: 300
+pwdMaxFailure: 3
dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalUnit
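Review bot: The new `cn=ppolicy` entry turns on account lockout (`pwdMaxFailure: 3` within `pwdFailureCountInterval: 300`, locked for `pwdLockoutDuration: 900`) with no comment recording the trade-off: three failed binds against a known DN lock that account for 15 minutes, and because `ppolicy.ldif` names this entry as `olcPPolicyDefault` the rule also covers service accounts such as `cn=AdminWebPanel` further down this file. It also sets no quality or expiry attributes (`pwdMinLength`, `pwdCheckQuality`, `pwdMaxAge`), which may be deliberate but should be stated. Add a short comment above the entry along the lines of `# Default password policy for the whole database (olcPPolicyDefault in ppolicy.ldif): 3 failed binds within 5 min lock the account for 15 min; this applies to service accounts too. No quality/expiry rules on purpose.`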
@@ -51,7 +59,8 @@ dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: The adminstrator Web Panel
-userPassword: panel
+userPassword: {CLEARTEXT}panel
+# NOTE: ^ The password needs to be stored clear for DIGEST-MD5 SASL authentication
authzTo: dn.regex:^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
#authzTo: ldap:///ou=virtual,o=mailHosting,dc=fripost,dc=dev??sub?(objectClass=FripostVirtualUser)
# NOTE: ^ This is an expensive operation, and requires search perms for the service.
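Review bot: The new `# NOTE` explains why the password is kept clear but not what the `{CLEARTEXT}` prefix itself does: `ppolicy.ldif` sets `olcPPolicyHashCleartext: TRUE`, which rewrites scheme-less `userPassword` values into a hash on add/modify, so the explicit scheme is presumably what keeps this value usable for DIGEST-MD5; without that explanation a later reader may "fix" the prefix away and break the panel's bind. Extend the note, e.g. `# NOTE: ^ Stored clear with an explicit {CLEARTEXT} scheme (so ppolicy's HashCleartext leaves it alone) because DIGEST-MD5 SASL needs the plaintext; 'panel' is a dev placeholder.` Since the value is a reversible secret, anyone who can read this attribute on the running server holds the panel's credential, so it is worth checking that `acl.ldif` keeps `userPassword` on this entry unreadable to other binds.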
diff --git a/ldap/constraint.ldif b/ldap/constraint.ldif
index f909c6b..9466e86 100644
--- a/ldap/constraint.ldif
+++ b/ldap/constraint.ldif
@@ -7,6 +7,10 @@
#
# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn
#
+# Note: There is no clean way to remove/replace overlays, other than
+# stopping slapd and digging into the slapd.d directory:
+# http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-overlays
+#
#
# References:
# - http://www.openldap.org/doc/admin24/overlays.html#Constraints
diff --git a/ldap/database.ldif b/ldap/database.ldif
index eb94b87..e2c7071 100644
--- a/ldap/database.ldif
+++ b/ldap/database.ldif
@@ -46,14 +46,15 @@ olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
# 2. It may be a good idea to modify DB_CONFIG, depending on the output
# of
#
-# db4.8_stat -m -h /var/lib/ldap/ | head -16
+# db_stat -mh /var/lib/ldap/ | head -16
#
# (For optimal performance, the Requested pages found in the cache
-# should be above 95%, and the pages forced from the cache should be 0.)
+# should be above 95%, and the dirty/clean pages forced from the cache
+# should be 0.)
#
# and
#
-# db4.8_stat -m -h /var/lib/ldap/ | head -16
+# db_stat -ch /var/lib/ldap/ | head -16
#
# (For optimal performance, usage should be within 85% of the configured
# values.)
diff --git a/ldap/modules.ldif b/ldap/modules.ldif
index 46b9ca2..b6c17e8 100644
--- a/ldap/modules.ldif
+++ b/ldap/modules.ldif
@@ -16,4 +16,7 @@ add: olcModuleLoad
olcModuleLoad: syncprov.la
-
add: olcModuleLoad
+olcModuleLoad: ppolicy.la
+-
+add: olcModuleLoad
olcModuleLoad: constraint.la
diff --git a/ldap/ppolicy.ldif b/ldap/ppolicy.ldif
new file mode 100644
index 0000000..60b52aa
--- /dev/null
+++ b/ldap/ppolicy.ldif
@@ -0,0 +1,26 @@
+# Load this file with
+#
+# ldapadd -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif
+#
+# It will load the "ppolicy" overlay configuration for the database #1.
+# Ensure that it's indeed the database #1 that you want to configure:
+#
+# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn
+#
+# Note: There is no clean way to remove/replace overlays, other than
+# stopping slapd and digging into the slapd.d directory:
+# http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-overlays
+#
+#
+# References:
+# - http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
+# - http://www.zytrax.com/books/ldap/ch6/ppolicy.html
+# - man 5 slapo-ppolicy
+
+
+dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcPPolicyConfig
+olcPPolicyDefault: cn=ppolicy,o=mailHosting,dc=fripost,dc=dev
+olcPPolicyHashCleartext: TRUE
+olcPPolicyUseLockout: FALSE
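Review bot: `olcPPolicyUseLockout: FALSE` reads as if lockout were disabled, while `base.ldif` enables it with `pwdLockout: TRUE`; in slapo-ppolicy this option only decides whether a bind against a locked account returns the specific AccountLocked error instead of the generic invalidCredentials, so FALSE is the right, non-disclosing choice but deserves a comment saying so, e.g. `# Keep FALSE: a locked account still receives plain invalidCredentials on bind, so lockout state is not disclosed to clients; lockout itself is pwdLockout in the policy entry (base.ldif).` Likewise `olcPPolicyHashCleartext: TRUE` interacts with the `{CLEARTEXT}` password of `cn=AdminWebPanel` in `base.ldif` (values carrying an explicit scheme are not rehashed), which merits a one-line note here so the two files are read together. The header's "database #1" advice matches the hard-coded `olcDatabase={1}hdb` DN, but the `install` recipe adds this file verbatim and does not substitute the database DN the way `install-acl` does with `$(NUM)` for `acl.ldif`.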