LDAP: Expose part of the database to Nextcloud.

2 files changed, 36 insertions, 2 deletions

diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index ad6e7bb..af46c51 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -1,15 +1,18 @@
 - name: Load and configure the syncprov overlay
   openldap: module=syncprov
             suffix=dc=fripost,dc=org
             target=etc/ldap/syncprov.ldif
             local=file
 
 - name: Enable the EXTERNAL SASL mechanism
   lineinfile: dest=/usr/lib/sasl2/slapd.conf
               regexp='^mech_list{{':'}}'
               line='mech_list{{':'}} EXTERNAL'
               create=yes
               owner=root group=root
               mode=0644
 
+#- name: Load dyngroup schema
+#  openldap: target=/etc/ldap/schema/dyngroup.ldif
+
 # TODO: authz constraint
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 494888e..7372304 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -87,40 +87,41 @@ olcSecurity: simple_bind=128 ssf=128 update_ssf=128
 # To reindex an existing database, you have to
 #  * Stop slapd     sudo service slapd stop
 #  * Reindex        sudo -u openldap slapindex -b 'dc=fripost,dc=org'
 #  * Restart slapd  sudo service slapd start
 #
 olcDbIndex: objectClass eq
 # Let us make Postfix's life easier.
 {% if 'LDAP-provider' in group_names %}
 olcDbIndex: fvd,fvl eq,sub
 olcDbIndex: fripostIsStatusActive eq
 {% elif 'MX' in group_names or 'MDA' in group_names %}
 olcDbIndex: fripostIsStatusActive,fvd,fvl eq
 {% endif %}
 {% if 'LDAP-provider' in group_names %}
 olcDbIndex: fripostOptionalMaildrop,fripostMaildrop eq,sub
 olcDbIndex: fripostCanAddDomain,fripostCanAddAlias,fripostCanAddList,fripostOwner,fripostPostmaster,fripostListManager eq
 {% elif 'MX' in group_names %}
 olcDbIndex: fripostOptionalMaildrop pres
 {% endif %}
 {% if 'LDAP-provider' in group_names %}
+olcDbIndex: member,cn eq
 {% endif %}
 {% if ('LDAP-provider' not in group_names and 'MX' in group_names) or
       ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
 # SyncProv/SyncRepl specific indexing.
 olcDbIndex: entryCSN,entryUUID eq
 {% endif%}
 #
 #
 # References
 # - https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_5.0
 # - http://www.openldap.org/doc/admin24/tuning.html
 # - http://www.openldap.org/faq/data/cache/42.html
 # - http://www.openldap.org/faq/data/cache/136.html
 # - http://www.zytrax.com/books/ldap/apa/indeces.html
 #
 #
 ########################################################################
 # Sync Replication
 #
 # References:
@@ -196,88 +197,98 @@ olcAddContentAcl: TRUE
 #   local ldapi:// socket (when using auth_binds, Dovecot delegates
 #   authentication to the LDAP server).
 # * Authenticated users are allowed to change (ie replace) their
 #   password through TLS-protected connections, but read access is not
 #   granted.
 # * Domain postmasters are allowed to change (ie replace) their users'
 #   password through TLS-protected connections, but read access is not
 #   granted.
 # * The same goes for general admins.
 # * The same goes for local admins.
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,dc=fripost,dc=org)$"
         filter=(objectClass=FripostVirtualUser)
         attrs=userPassword
     by realanonymous                                                tls_ssf=128               =xd
     by realanonymous                                                sockurl.regex="^ldapi://" =xd
     by realself                                                     tls_ssf=128               =w
     by group/FripostVirtualDomain/fripostPostmaster.expand="$1"     tls_ssf=128               =w
     by dn.onelevel="ou=admins,dc=fripost,dc=org"                    tls_ssf=128               =w
     by group.exact="cn=admin,ou=groups,dc=fripost,dc=org"                                     =w
 #
-# TODO: are there other services which need to be able to simple bind?
+# * Services can authenticate
+{% if 'LDAP-provider' in group_names -%}
+olcAccess: to dn.onelevel="ou=services,dc=fripost,dc=org"
+        filter=(objectClass=simpleSecurityObject)
+        attrs=userPassword
+    by realanonymous                                                tls_ssf=128               =xd
+{% endif -%}
 #
 # * Catch-all: no one else may access the passwords (including for
 #   simple bind).
 olcAccess: to dn.subtree="dc=fripost,dc=org"
         attrs=userPassword
     by * =0
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Base
 #
 # * Only SyncRepl replicates may access operational attributes in the
 #   subtree, when using a TLS-protected connection.
 {% if 'LDAP-provider' in group_names -%}
 olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
-        attrs=entryDN,entryCSN,entryUUID,structuralObjectClass,hasSubordinates,subschemaSubentry
+        attrs=entryCSN,structuralObjectClass,hasSubordinates,subschemaSubentry
     by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
     by *                                                       =0
 #
 # * They may also read entries (ie, the attributes they have access to
 #   as per the ACL below) in that subtree, when using a TLS-protected
 #   connection.  Listing entries (their DN) is required to replicate
 #   deletions properly.
 olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
         attrs=entry,objectClass
     by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
     by group.exact="cn=admin,ou=groups,dc=fripost,dc=org"      =wrsd
     by users                                                   =0   break
 olcAccess: to dn.children="ou=virtual,dc=fripost,dc=org"
     by group.exact="cn=admin,ou=groups,dc=fripost,dc=org"      =wrsd
     by users                                                   =0   break
 {% endif -%}
 #
 # * Postfix may use the base as a searchBase on the MX:es, when
 #   connecting a local ldapi:// socket from the 'private' directory in
 #   one of the non-default instance's chroot.
 # * So may Dovecot on the MDA (needed for the iterate filter), when
 #   SASL-binding using the EXTERNAL mechanism and connecting to a local
 #   ldapi:// socket.
+# * So may Nextcloud on the LDAP provider
 olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org"
         attrs=entry,objectClass
         filter=(objectClass=FripostVirtual)
     {% if 'MDA' in group_names -%}
     by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://"                                                    =sd
     {% endif -%}
     {% if 'MX' in group_names or 'MSA' in group_names -%}
     by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =sd
     {% endif -%}
+    {% if 'LDAP-provider' in group_names -%}
+    by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org"       tls_ssf=128                                                                  =sd
+    {% endif -%}
     by users                                                                                                                                    =0 break
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Domain entries
 #
 # * The SyncRepl replicates have read access to the entry itself, when
 #   using a TLS-protected connection.
 # * So has Postfix, when connecting a local ldapi:// socket from the
 #   'private' directory in one of the non-default instance's chroot.
 # * So has Dovecot on the MDA (for the iterate filter), when
 #   SASL-binding using the EXTERNAL mechanism and connecting to a local
 #   ldapi:// socket.
 # * Amavis may use the entry as searchBase (required to look for the
 #   per-user preferences) but doesn't have read access to the entry.
 # * The 'nobody' UNIX user has read access on the MX:es, when using
 #   SASL-binding using the EXTERNAL mechanism and connecting to a local
 #   ldapi:// socket.  This is required for the 'reserved-alias.pl'
 #   script.
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
         attrs=entry,objectClass,fvd
@@ -477,34 +488,54 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
     by users                                                                                                                                    =0 break
 {% endif %}
 #
 # * The MSA's postfix user can read entry ownership to dermine the SASL
 #   login name(s) owning a given sender address
 {% if 'MSA' in group_names %}
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
         attrs=fripostOwner,fripostPostmaster
         filter=(|(objectClass=FripostVirtualAliasDomain)(objectClass=FripostVirtualDomain))
     by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
     by users                                                                                                                                    =0 break
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
         attrs=entry,objectClass,fvl,fripostOwner
         filter=(|(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualUser))
     by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
     by users                                                                                                                                    =0 break
 {% endif %}
 {% if 'LDAP-provider' in group_names %}
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
+#
+# Export Fripost members to Nextcloud
+olcAccess: to dn.exact="fvd=fripost.org,ou=virtual,dc=fripost,dc=org"
+        attrs=entry,objectClass,fvd
+        filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
+    by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd
+    by users                                                             =0 break
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=fripost.org,ou=virtual,dc=fripost,dc=org$"
+        attrs=entry,entryDN,entryUUID,objectClass,fvl,fripostIsStatusActive
+        filter=(&(objectClass=FripostVirtualUser)(!(objectClass=FripostPendingEntry))(fripostIsStatusActive=TRUE))
+    by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd
+    by users                                                             =0 break
+olcAccess: to dn.exact="ou=groups,dc=fripost,dc=org"
+        attrs=entry,objectClass
+    by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd
+    by users                                                             =0 break
+olcAccess: to dn.exact="cn=medlemmar,ou=groups,dc=fripost,dc=org"
+    by dn.exact="cn=nextcloud,ou=services,dc=fripost,dc=org" tls_ssf=128 =rsd
+    by users                                                             =0 break
+#
 # TODO: allow users to edit their entry, etc
 #
 {% endif %}
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Catch-all
 #
 # * Catch all the breaks above.
 # * Deny any access to everyone else.
 olcAccess: to dn.subtree="dc=fripost,dc=org"
     by dn.children="ou=virtual,dc=fripost,dc=org" +0
     by *                                          =0
 
 # vim: set filetype=ldif :