authorGuilhem Moulin <guilhem@fripost.org>2013-12-11 01:03:42 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:21 +0200
commitbd92a9f645f53da01c13d1411cef7fe20fdd4503 (patch)
tree1ed620eecf14fcf3c6b6995e91418a4531bd1a80
parent025db13070cabde62aed0b9c694baaaa4538b205 (diff)
wibble
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext4
-rw-r--r--roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext12
-rw-r--r--roles/IMAP/tasks/mda.yml2
-rw-r--r--roles/MX/tasks/main.yml2
-rw-r--r--roles/common-LDAP/tasks/main.yml4
-rw-r--r--roles/common/tasks/firewall.yml2
6 files changed, 14 insertions, 12 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
index 15eb306..0b38f00 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/conf.d/auth-ldap.conf.ext
@@ -3,35 +3,37 @@
# <doc/wiki/AuthDatabase.LDAP.txt>
passdb {
driver = ldap
# Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
args = /etc/dovecot/dovecot-ldap.conf.ext
}
# "prefetch" user database means that the passdb already provided the
# needed information and there's no need to do a separate userdb lookup.
# <doc/wiki/UserDatabase.Prefetch.txt>
#userdb {
# driver = prefetch
#}
#userdb {
# driver = ldap
# # This should be a different file from the passdb's, in order to perform
# # asynchronous requests.
+#
# args = /etc/dovecot/dovecot-ldap-userdb.conf.ext
-#
+#
# # Default fields can be used to specify defaults that LDAP may override
# default_fields = home=/home/mail/%d/%n
#}
# If you don't have any user-specific settings, you can avoid the userdb LDAP
# lookup by using userdb static instead of userdb ldap, for example:
# <doc/wiki/UserDatabase.Static.txt>
userdb {
driver = static
+
# The MTA has already verified the existence of users when doing alias resolution,
# so we can skip the passdb lookup here.
args = home=/home/mail/%d/%n allow_all_users=yes
}
diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
index 1c504d3..77edba8 100644
--- a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
@@ -1,48 +1,48 @@
# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/LDAP
#
# NOTE: If you're not using authentication binds, you'll need to give
# dovecot-auth read access to userPassword field in the LDAP server.
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
# already be something like this:
# access to attribute=userPassword
# by dn="<dovecot's dn>" read # add this
# by anonymous auth
# by self write
# by * none
# Space separated list of LDAP hosts to use. host:port is allowed too.
-hosts = localhost
+#hosts =
# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
uris = ldapi://
# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
-#dn =
+#dn =
# Password for LDAP server, if dn is specified.
-#dnpass =
+#dnpass =
# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower. Also note that SASL binds
# and auth_bind=yes don't work together.
#sasl_bind = no
# SASL mechanism name to use.
#sasl_mech =
# SASL realm to use.
#sasl_realm =
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
#sasl_authz_id =
# Use TLS to connect to the LDAP server.
#tls = no
# TLS options, currently supported only with OpenLDAP:
#tls_ca_cert_file =
#tls_ca_cert_dir =
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
@@ -102,39 +102,39 @@ scope = base
# home - Home directory
# mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
user_attrs =
# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if user there's no domain
user_filter =
# Password checking attributes:
# user: Virtual user name (user@domain), if you wish to change the
# user-given username to something else
# password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
-pass_attrs = fvl=user
+pass_attrs =
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,\
# homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
-# Filter for password lookups
-pass_filter = (&(objectClass=FripostVirtualUser)(fvl=%n)(isActive=TRUE))
+# Filter for password lookups (ignored for auth binds)
+pass_filter = (&(objectClass=FripostVirtualUser)(fvl=%n)(fripostIsStatusActive=TRUE))
# Attributes and filter to get a list of all users
#iterate_attrs = uid=user
#iterate_filter = (objectClass=posixAccount)
# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
#default_pass_scheme = CRYPT
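Review bot: The new comment on `pass_filter` ("ignored for auth binds") is only accurate when `auth_bind_userdn` is also set; with `auth_bind = yes` alone Dovecot still runs this filter to locate the DN before binding, so the filter does apply. If `auth_bind_userdn` is set elsewhere in this file (not visible in the hunk), then the `fripostIsStatusActive=TRUE` condition is never evaluated and a deactivated account can still authenticate as long as its bind succeeds, meaning the status check has to be enforced by the directory itself rather than here. I would make the comment say which case applies, e.g. `# Filter for password lookups (not used when auth_bind_userdn is set; the status check must then be enforced server-side)`, and confirm the two settings are consistent. Emptying `pass_attrs` is consistent with auth binds, but please double-check the userdb configured in auth-ldap.conf.ext does not rely on any field this lookup used to return.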
diff --git a/roles/IMAP/tasks/mda.yml b/roles/IMAP/tasks/mda.yml
index 39938fd..0d41669 100644
--- a/roles/IMAP/tasks/mda.yml
+++ b/roles/IMAP/tasks/mda.yml
@@ -1,36 +1,36 @@
- name: Install Postfix
apt: pkg={{ item }}
with_items:
- postfix
- postfix-ldap
- name: Configure Postfix
template: src=etc/postfix/main.cf.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
owner=root group=root
mode=0644
register: r
notify:
- Restart Postfix
- name: Create directory /etc/postfix-.../virtual
file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
- owner=root group=root
state=directory
+ owner=root group=root
mode=0755
- name: Copy lookups tables
copy: src=etc/postfix/virtual/{{ item }}
dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
owner=root group=root
mode=0644
with_items:
- mailbox_domains.cf
- mailbox_maps.cf
- transport_content_filter_maps.cf
- name: Start Postfix
service: name=postfix state=started
when: not r.changed
- meta: flush_handlers
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index e2da61e..1f5136a 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -19,42 +19,42 @@
notify:
- Restart Postgrey
- name: Start Postgrey
service: name=postgrey state=started
when: not r.changed
- meta: flush_handlers
- name: Configure Postfix
template: src=etc/postfix/main.cf.j2
dest=/etc/postfix-{{ postfix_instance[inst].name }}/main.cf
owner=root group=root
mode=0644
register: r
notify:
- Restart Postfix
- name: Create directory /etc/postfix-.../virtual
file: path=/etc/postfix-{{ postfix_instance[inst].name }}/virtual
- owner=root group=root
state=directory
+ owner=root group=root
mode=0755
- name: Copy lookups tables
copy: src=etc/postfix/virtual/{{ item }}
dest=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/{{ item }}
owner=root group=root
mode=0644
with_items:
- mailbox_domains.cf
- reserved_maps.pcre
- alias_maps.cf
- lists_maps.cf
- alias_catchall_maps.cf
- mailbox_maps.cf
- reserved_transport_maps
- transport_lists_maps.cf
- name: Compile the Reserved Transport Maps
postmap: cmd=postalias instance={{ postfix_instance[inst].name }}
src=/etc/postfix-{{ postfix_instance[inst].name }}/virtual/reserved_transport_maps db=cdb
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 5c993fc..711954c 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -10,58 +10,58 @@
- name: Configure slapd
template: src=etc/default/slapd.j2
dest=/etc/default/slapd
owner=root group=root
mode=0644
register: r1
notify:
- Restart slapd
# Upon install slapd create and populate a database under /var/lib/ldap.
# We clear it up and create a children directory to get finer-grain
# control.
- name: Clear empty /var/lib/ldap
# Don't remove the database (and fail) if it contains something else
# than its suffix or cn=admin,...
openldap: dbdirectory=/var/lib/ldap ignoredn=cn=admin
state=absent
- name: Create directory /var/lib/ldap/fripost
file: path=/var/lib/ldap/fripost
- owner=openldap group=openldap
state=directory
+ owner=openldap group=openldap
mode=0700
- name: Copy /var/lib/ldap/fripost/DB_CONFIG
copy: src=var/lib/ldap/fripost/DB_CONFIG
dest=/var/lib/ldap/fripost/DB_CONFIG
owner=openldap group=openldap
mode=0600
register: r2
notify:
# Not sure if required
- Restart slapd
- name: Create directory /etc/ldap/fripost
file: path=/etc/ldap/fripost
- owner=root group=root
state=directory
+ owner=root group=root
mode=0755
- name: Copy fripost database definition
template: src=etc/ldap/database.ldif.j2
dest=/etc/ldap/fripost/database.ldif
owner=root group=root
mode=0600
- name: Copy fripost & amavis' schema
copy: src=etc/ldap/schema/{{ item }}
dest=/etc/ldap/schema/{{ item }}
owner=root group=root
mode=0644
# It'd certainly be nicer if we didn't have to deploy amavis' schema
# everywhere, but we need the 'objectClass' in our replicates, hence
# they need to be aware of the 'amavisAccount' class.
with_items:
- fripost.ldif
- amavis.schema
tags:
diff --git a/roles/common/tasks/firewall.yml b/roles/common/tasks/firewall.yml
index 9ed2f72..29c0e2b 100644
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@@ -1,31 +1,31 @@
- name: Install some packages required for the firewall
apt: pkg={{ item }}
with_items:
- iptables
- netmask
- bsdutils
- name: Create directory /etc/iptables
file: path=/etc/iptables
- owner=root group=root
state=directory
+ owner=root group=root
mode=0755
- name: Generate /etc/iptables/services
template: src=etc/iptables/services.j2
dest=/etc/iptables/services
owner=root group=root
mode=0600
- name: Copy /usr/local/sbin/update-firewall.sh
copy: src=usr/local/sbin/update-firewall.sh
dest=/usr/local/sbin/update-firewall.sh
owner=root group=root
mode=0755
- name: Make the rulesets persistent
copy: src=etc/network/{{ item }}
dest=/etc/network/{{ item }}
owner=root group=root
mode=0755
with_items: