authorGuilhem Moulin <guilhem@fripost.org>2014-07-08 06:55:58 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:46 +0200
commit15197cf98d0ba1029ad770a192a3b405ebc32204 (patch)
tree04b4bfc618a0b0ea05155a392e700076c1426c85
parent4a322932eb63901fa53a46c10f268eb870de70a3 (diff)
Fix issue with delete entries in the replication.
It looks as if the SyncRepl needs read access on the 'entry' and 'objectClass' attributes of the entry being deleted, and since the entry being deleted no longer matches the ACL filters, we have to grant that access globally. (We still have fine-grained control over the other attributes, which are not disclosed, though.)
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j252
1 files changed, 23 insertions, 29 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 6680462..d3915df 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -229,74 +229,68 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,dc=fripost,dc=org)$"
#
# XXX
# * Anonymous users are allowed to simple bind as Postfix, but only when
# using a local ldapi:// listener from one of the Postfix instance
# (which should be accessible by the 'postfix' UNIX user only).
olcAccess: to dn.exact="cn=postfix,ou=services,dc=fripost,dc=org"
attrs=userPassword
by realanonymous sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =xd
#
# TODO: are there other services which need to be able to simple bind?
#
# * Catch-all: no one else may access the passwords (including for
# simple bind).
olcAccess: to dn.subtree="dc=fripost,dc=org"
attrs=userPassword
by * =0
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Base
#
-# * The SyncRepl replicates may use the base as a searchBase, when using
-# a TLS-protected connection.
-# * So can Dovecot on the MDA (for the iterate filter), when
-# SASL-binding using the EXTERNAL mechanism and connecting to a local
-# ldapi:// socket.
+# * Only SyncRepl replicates may access operational attributes in the
+# subtree, when using a TLS-protected connection.
+{% if 'LDAP-provider' in group_names -%}
+olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
+ attrs=entryDN,entryCSN,entryUUID,structuralObjectClass,hasSubordinates,subschemaSubentry
+ by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by * =0
+#
+# * They may also read entries (ie, the attributes they have access to
+# as per the ACL below) in that subtree, when using a TLS-protected
+# connection. Listing entries (their DN) is required to replicate
+# deletions properly.
+olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
+ attrs=entry,objectClass
+ by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by users =0 break
+{% endif -%}
+#
+# * Dovecot may use the base as a searchBase on the MDA (for the iterate
+# filter), when SASL-binding using the EXTERNAL mechanism and
+# connecting to a local ldapi:// socket.
+{% if 'MDA' in group_names -%}
olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org"
attrs=entry,objectClass
filter=(objectClass=FripostVirtual)
- {% if 'LDAP-provider' in group_names -%}
- {% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% endif -%}
- {% if 'MDA' in group_names -%}
by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
- {% endif -%}
by users =0 break
-#
-# * Only SyncRepl replicates may access operational attributes in the
-# subtree, when using a TLS-protected connection.
-olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
- attrs=structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
- {% if 'LDAP-provider' in group_names -%}
- {% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% endif -%}
- by * =0
+{% endif -%}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Domain entries
#
# * The SyncRepl replicates have read access to the entry itself, when
# using a TLS-protected connection.
# * So has Postfix, when connecting a local ldapi:// socket from the
# 'private' directory in one of the non-default instance's chroot.
# * So has Dovecot on the MDA (for the iterate filter), when
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket.
# * Amavis may use the entry as searchBase (required to look for the
# per-user preferences) but doesn't have read access to the entry.
# * The 'nobody' UNIX user has read access on the MX:es, when using
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket. This is required for the 'reserved-alias.pl'
# script.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvd
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
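Review bot: The new subtree rule on `entry,objectClass` (the `olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"` block ending in `by users =0 break`) is evaluated before every per-entry rule that follows it, including the domain rule at the end of this hunk, so for those two attributes it shadows them and the `break` on the `users` clause is the only thing that keeps them reachable; that ordering dependency deserves a comment next to the rule, e.g. `# NB: matched before the per-entry ACLs below for entry/objectClass; the 'break' is what lets non-SyncRepl users fall through to them.` Because no `filter=` applies here (deliberately, per the commit message), the DN and objectClass values of every entry in the subtree are disclosed to any DN one level under `ou=syncRepl` — presumably including pending entries, which the domain rule below excludes via `(!(objectClass=FripostPendingEntry))` — and the comment above the rule should say so explicitly so the disclosure is a documented decision rather than a surprise. The per-host conditionals (`groups.MX | difference([inventory_hostname])` and the `lists` equivalent) that the removed rules carried are gone as well; if widening the grant to every consumer under `ou=syncRepl` is intentional, a one-line note stating that would save a future reader from re-deriving it.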