Diffstat (limited to 'ldap')
-rw-r--r--ldap/acl.ldif57
-rw-r--r--ldap/authz.ldif13
-rw-r--r--ldap/base.ldif9
-rw-r--r--ldap/populate.ldif14
4 files changed, 64 insertions, 29 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index eb28872..212d4d9 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -23,15 +23,39 @@
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
-## Managers have read/write access to the "virtual" subtree.
-#olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
-# by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
-# by * break
-#-
-## 1. Users/Services/Managers can change their password (but not read it).
-## 2. Anonymous users/services/managers can bind.
-## 3. Else, we inspect the 2 following ACLs.
-olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+#
+# Services have read access to the attribute they need. We put this ACL
+# first as it's likely to be the most used.
+# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
+# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
+# TODO: IMAP & SASLauth
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostOptionalMaildrop,fvu,fripostOptionalMaildrop,fva,fripostMaildrop,fvl,fripostListCommand
+ filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
+ by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
+ by users none break
+#
+# Anonymous can authenticate into the services. (But not read or write the password.)
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+ attrs=userPassword
+ by anonymous auth
+#
+# That's necessary for SASL proxy Authorize the web application.
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry,objectClass,authzTo
+ by * =x
+#
+# 1. Services have no access other than the one above.
+# 2. Managers have read/write access to the "virtual" subtree.
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none
+ by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
+ by * none break
+#
+# 1. Users can change their password (but not read it).
+# 2. Anonymous users/services/managers can bind.
+# 3. Else, we inspect the 2 following ACLs.
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
by self =w
by anonymous auth
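Review bot: The manager clause on the new `ou=virtual` subtree ACL still names `ou=managers,o=mailHosting,dc=fripost,dc=org`, while every other DN in this file, including the `to` target on the same ACL, is under `dc=fripost,dc=dev`; the removed commented-out version carried the same suffix, so this looks inherited rather than deliberate. If the managers OU lives in the `dc=dev` tree that clause can never match, and evaluation falls through to `by * none break`, which fails closed but silently leaves managers without the write access the comment promises; the fix would be `by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" write`. Separately, the `attrs=` list on the services ACL names `fripostOptionalMaildrop` twice, which is harmless but worth trimming. The `olcAccess` value list continues past this hunk.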
@@ -49,17 +73,6 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
by * none
#
-# That's necessary for SASL proxy Authorize the web application.
-olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,objectClass,authzTo
- by * =x
-##
-## Services can read the whole subtree (minus the userPassword attributes).
-#olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
-# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualList
-# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" read
-# by users none break
-#
# Users can search (e.g., to list the entries they have created).
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=objectClass
@@ -270,6 +283,10 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a
by users +0
+#TODO
+#olcAccess: to dn.regex="^fvl=([^,]+)-request,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+# filter=(objectClass=FripostVirtualListCommand)
+# by users read
#
# Catch the "break" control above.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
diff --git a/ldap/authz.ldif b/ldap/authz.ldif
index 8f88d80..657d718 100644
--- a/ldap/authz.ldif
+++ b/ldap/authz.ldif
@@ -1,14 +1,18 @@
# Load this file with
#
-# ldapadd -Y EXTERNAL -H ldapi:/// -f authz.ldif
+# ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif
#
# That will allow the SASL-authenticated user (service) to be
# reformatted into a proper DN under our services directory.
#
# SASL authentication can be checked with:
#
-# ldapwhoami -W -Y PLAIN -U FPanel -H ldapi://
-# ldapwhoami -W -Y PLAIN -U FPanel -H ldapi:// -X "dn:fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+# ldapwhoami -W -Y PLAIN -U AdminWebPanel@fripost.org -H ldapi://
+# ldapwhoami -W -Y PLAIN -U AdminWebPanel@fripost.org -H ldapi:// -X "dn:fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+#
+# WARNING: Beware that will also delete existing AuthzRegexp and
+# AuthzPolicy.
+# Note: you may have to restart slapd to flush the cache.
#
# References:
# - http://www.openldap.org/doc/admin24/sasl.html#Direct%20Mapping
@@ -18,7 +22,8 @@
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
-olcAuthzRegexp: uid=([^,]+),cn=[^,]+,cn=auth cn=$1,ou=services,o=mailHosting,dc=fripost,dc=dev
+# TODO: force the mechanism here (GSSAPI)
+olcAuthzRegexp: uid=(AdminWebPanel)@fripost\.org,cn=[^,]+,cn=auth cn=$1,ou=services,o=mailHosting,dc=fripost,dc=dev
-
replace: olcAuthzPolicy
olcAuthzPolicy: to
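Review bot: The new `olcAuthzRegexp` still accepts any SASL mechanism through the `cn=[^,]+` segment, as the TODO above it admits, so a PLAIN bind and the intended GSSAPI bind both map to the same `cn=AdminWebPanel` service DN. Pinning the mechanism, e.g. `olcAuthzRegexp: uid=(AdminWebPanel)@fripost\.org,cn=GSSAPI,cn=auth cn=$1,ou=services,o=mailHosting,dc=fripost,dc=dev`, would close that, but the `ldapwhoami` examples in the first hunk bind with `-Y PLAIN` and would then stop mapping, so the two should change together. As I read the OpenLDAP SASL docs, a bind that carries a realm yields an extra `cn=<realm>` component before the mechanism, which this single-segment pattern would not match; that is fine if no realm is used, but deserves a comment next to the TODO.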
diff --git a/ldap/base.ldif b/ldap/base.ldif
index f91946b..8acbe10 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -22,9 +22,16 @@ description: Virtual mail hosting
dn: ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalUnit
-dn: cn=FPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
+dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: simpleSecurityObject
objectClass: organizationalRole
description: The adminstrator Web Panel
userPassword: panel
authzTo: dn.regex:^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
+
+dn: cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+userPassword: smtp
+description: The entry the replicates bind to when fetching the LDAP
+ directory. Right now it is also used by Postfix for LDAP lookups.
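Review bot: The new `cn=SMTP` entry, like the `cn=AdminWebPanel` entry above it, stores its credential as cleartext `userPassword: smtp`, and this file is loaded directly into the directory, so the bind secret used by Postfix and the replicas sits in the repository in clear. Even for a `dc=dev` tree it is worth committing a hashed value produced by `slappasswd` (e.g. `userPassword: {SSHA}<hash-placeholder>`) and keeping the real secret out of the commit, or at least marking the value as a development placeholder in a comment above the entry. The folded description also has a typo; the first line should read `description: The entry the replicas bind to when fetching the LDAP`.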
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index 87c0a4b..70dcc3e 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -123,6 +123,9 @@ fripostIsStatusActive: TRUE
fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# Buggy owner
fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOptionalMaildrop: catch-all@example.org
+fripostOptionalMaildrop: @example2.org
+fripostOptionalMaildrop: @xn--v4h.net
dn: fva=alias,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualAlias
@@ -170,6 +173,9 @@ fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,
# Buggy owner
fripostPostmaster: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostCanCreateAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOptionalMaildrop: catch-all@example.org
+fripostOptionalMaildrop: @example2.org
+fripostOptionalMaildrop: @xn--v4h.net
dn: fva=alias,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualAlias
@@ -195,11 +201,11 @@ fripostListManager: mailman
fripostIsStatusActive: TRUE
fripostListCommand: list-request
fripostListCommand: list-bounces
-FripostLocalAlias: postmastered.org#list-request
+#FripostLocalAlias: postmastered.org#list-request
-dn: fvlc=list-request,fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualListCommand
-FripostLocalAlias: postmastered.org#list-request
+#dn: fvlc=list-request,fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+#objectClass: FripostVirtualListCommand
+#FripostLocalAlias: postmastered.org#list-request
dn: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualMailbox