# Load this file with
#
# ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
#
# It will create the base directory and add services needed for our
# systems to work.
# If "o=mailHosting,dc=fripost,dc=dev" exists, you can delete it with
#
# ldapdelete -Y EXTERNAL -H ldapi:/// -r "o=mailHosting,dc=fripost,dc=dev"
#
# Entries are added in file order, so every parent (o=, ou=) is listed
# before its children; keep that order when editing.
#
# NOTE(review): this is a bootstrap for the dc=fripost,dc=dev directory.
# Every service userPassword below is a trivial placeholder (the lowercase
# cn, or "panel") and is kept in clear in this file; replace them, and
# restrict who can read this file, before loading it into anything but a
# throwaway development directory.

dn: o=mailHosting,dc=fripost,dc=dev
objectClass: organization
description: Mail hosting

# Container for the password policies referenced below via pwdPolicySubentry.
dn: ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalUnit
description: Password Policies

# The password policy for our users, hardened to counter brute-force
# attacks. (Accounts are locked for 15min after 3 consecutive password
# mismatches with less than 5min in between.)
# pwdMaxFailure=3, pwdFailureCountInterval=300s and pwdLockoutDuration=900s
# are the settings behind that sentence. The pwd* attributes are only
# enforced when the ppolicy overlay is configured on this database (not
# shown in this file) -- confirm.
dn: cn=users,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
description: The Password Policy for our virtual users
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 900
pwdFailureCountInterval: 300

# The password policy for our services, not hardened since not facing
# the internet.
# NOTE(review): pwdLockout FALSE means bind failures on the service accounts
# are never counted against them; that is acceptable only while their bind
# path really is unreachable from outside (see the SASL EXTERNAL TODO below).
dn: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
description: The Password Policy for our services
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdLockout: FALSE

# Root of the virtual mail tree (fvd=<domain>, fvl=<local part> entries).
# fripostCanAddDomain lists three DNs; its semantics come from the fripost
# schema, which is not part of this file.
dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalUnit
objectClass: fripostVirtual
fripostCanAddDomain: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostCanAddDomain: fvl=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostCanAddDomain: fvl=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
description: Virtual mail hosting

# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
# TODO: IMAP, SASLauth, Amavis
# TODO: if possible, make use of GSSAPI/EXTERNAL for the services and the replication.

# Bind identities used by the services. Each one delegates its password
# policy to cn=services above through pwdPolicySubentry.
dn: ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalUnit

dn: cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
description: Where Postfix binds to for its LDAP lookups.
objectClass: simpleSecurityObject
userPassword: postfix
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev

dn: cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
description: The entity that is authorized to add list commands
objectClass: simpleSecurityObject
userPassword: createlist
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev

dn: cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
description: Delete expired pending entries
objectClass: simpleSecurityObject
userPassword: deletependingentries
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev

# The web panel binds as this entry and then acts on behalf of individual
# virtual users (see authzTo below).
dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalRole
description: The adminstrator Web Panel
objectClass: simpleSecurityObject
userPassword: {CLEARTEXT}panel
# NOTE: ^ The password needs to be stored clear for DIGEST-MD5 SASL authentication
# NOTE(review): a {CLEARTEXT} value is handed back verbatim to anyone allowed
# to read userPassword on this entry, so the access rules (not in this file)
# must deny that read to everyone but the server itself -- confirm.
# authzTo lets this identity proxy-authorize as any entry whose DN matches the
# anchored regex: exactly one fvl= RDN under one fvd= RDN in ou=virtual and
# nothing else (no deeper or shallower DNs). It is honoured only if the
# server's authz policy permits "to" rules -- confirm in the server config.
authzTo: dn.regex:^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
#authzTo: ldap:///ou=virtual,o=mailHosting,dc=fripost,dc=dev??sub?(objectClass=FripostVirtualUser)
# NOTE: ^ This is an expensive operation, and requires search perms for the service.
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdPolicySubentry: cn=services,ou=ppolicies,o=mailHosting,dc=fripost,dc=dev