authorGuilhem Moulin <guilhem@fripost.org>2013-12-02 03:42:57 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:05 +0200
commit5a7bec1a590e20e263d41eaf414cfe9b5ba48a75 (patch)
tree9c3ffabaed59ab3a0a5d324b5f2d74a200f4f4a2
parent7275b307b8e26e60392e600a3de0671d0aa49043 (diff)
LDAP Sync Replication.
-rw-r--r--common.yml2
-rw-r--r--group_vars/all.yml2
-rw-r--r--lib/openldap1
-rw-r--r--roles/common-LDAP/tasks/main.yml2
-rw-r--r--roles/common-LDAP/templates/etc/default/slapd.j22
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j234
6 files changed, 39 insertions, 4 deletions
diff --git a/common.yml b/common.yml
index cea8611..ab8ab1d 100644
--- a/common.yml
+++ b/common.yml
@@ -20,7 +20,7 @@
- common-SQL
- name: Common LDAP tasks
- hosts: MDA:MSA:lists:LDAP-producer:MX
+ hosts: MDA:MSA:lists:LDAP-provider:MX
gather_facts: False
tags: slapd,ldap
roles:
diff --git a/group_vars/all.yml b/group_vars/all.yml
index fb7feb8..b9e025f 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -10,3 +10,5 @@ postfix_instance:
MTA_out: { IPv4: outgoing.fripost.org, port: 2525 }
LDA: { IPv4: lda.fripost.org, port: 2526 }
+
+LDAP_provider: host1.libvirt.guilhem.org
diff --git a/lib/openldap b/lib/openldap
index 020017c..a90a386 100644
--- a/lib/openldap
+++ b/lib/openldap
@@ -33,6 +33,7 @@ indexedAttributes = frozenset([
'olcAttributeTypes',
'olcObjectClasses',
'olcAccess',
+ 'olcSyncrepl',
])
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 270924c..27a0298 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -80,4 +80,4 @@
- meta: flush_handlers
-# TODO: authz constraint syncprov syncrepl
+# TODO: authz constraint syncprov
diff --git a/roles/common-LDAP/templates/etc/default/slapd.j2 b/roles/common-LDAP/templates/etc/default/slapd.j2
index 7eea421..92b3b22 100644
--- a/roles/common-LDAP/templates/etc/default/slapd.j2
+++ b/roles/common-LDAP/templates/etc/default/slapd.j2
@@ -23,7 +23,7 @@ SLAPD_SERVICES="ldapi:///"
{% for i in postfix_instance.keys() | intersect(group_names) | list %}
SLAPD_SERVICES="$SLAPD_SERVICES ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[i].name }}%2Fprivate%2Fldapi/"
{% endfor %}
-{% if 'LDAP-producer' in group_names %}
+{% if 'LDAP-provider' in group_names %}
SLAPD_SERVICES="$SLAPD_SERVICES ldap://172.16.0.1:389/"
{% endif %}
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 03691f9..5a8674a 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -51,7 +51,7 @@ olcDbIndex: objectClass eq
# Let us make Postfix's life easier. TODO: only if MX, lists.f.o, MDA, etc.
olcDbIndex: fripostIsStatusActive,fvd,fvl,fripostLocalAlias eq
olcDbIndex: fripostOptionalMaildrop pres
-# SyncProv/SyncRepl specific indexing. TODO: only if SyncProv/SyncRepl
+# SyncProv/SyncRepl specific indexing.
olcDbIndex: entryCSN,entryUUID eq
#
#
@@ -84,6 +84,30 @@ olcDbIndex: entryCSN,entryUUID eq
#
########################################################################
########################################################################
+# Sync Replication
+# TODO: replace the simple bind by Kerberos/GSSAPI
+#
+# References:
+# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
+# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
+#
+{% if 'LDAP_provider' not in group_names %}
+olcSyncrepl: rid=000
+ provider=ldap://{{ LDAP_provider }}
+ type=refreshAndPersist
+ retry="5 5 300 +"
+ searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias,fripostPostmaster,fripostOwner
+ scope=sub
+ schemachecking=off
+ bindmethod=simple
+ binddn="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org"
+ credentials=postfix
+{% endif %}
+#
+#
+########################################################################
+########################################################################
# Access control
# /!\ WARN: All modification to the ACL should be reflected to the test
# /!\ suite as well!
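Review bot: The consumer stanza is guarded by `{% if 'LDAP_provider' not in group_names %}`, but the inventory group is spelled `LDAP-provider` with a hyphen everywhere else in this commit (common.yml, slapd.j2, and the ACL guard further down), so the condition is always true and the provider itself would also be configured as a syncrepl consumer of its own address; it should read `{% if 'LDAP-provider' not in group_names %}`. The consumer also binds with `bindmethod=simple` to a plain `ldap://` URI, so the Postfix password crosses the wire in cleartext on every reconnect; pending the GSSAPI TODO, adding `starttls=critical` and `tls_reqcert=demand` (or an `ldaps://` provider URI) would close that. Finally, `credentials=postfix` hard-codes the bind password in a template committed to the repository and reuses Postfix's service identity for replication; a dedicated replicator DN with its secret supplied from a vaulted Ansible variable would keep the consumer's privileges separate from Postfix's and the secret out of git history.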
@@ -133,6 +157,14 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
attrs=entry,objectClass,authzTo
by realanonymous =x
#
+# The following is required for Sync Replication.
+{% if 'LDAP-provider' in group_names %}
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ attrs=entry,objectClass,structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
+ by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by users =0 break
+{% endif %}
+#
# 1. The WebPanel itself cannot bind, read or write passwords. This
# guarantees that, if an attacker gains its priviledge, it will *not* be
# able to change user passwords (which would allow him/her to read every
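Review bot: This hunk adds a new `olcAccess` rule, but the file's own warning a few lines above says every ACL change must be reflected in the test suite, and the diffstat for this commit touches no test files; the new rule granting `cn=Postfix` `=rsd` on `entry` and the operational attributes of the whole `ou=virtual` subtree should get a matching test case. The attribute list covers `entryUUID` but not `entryCSN`; if the consumer's search also requests `entryCSN` (I believe syncrepl asks for it alongside `entryUUID`, but this should be confirmed against a real sync), it would need adding here, otherwise the consumer may not detect updates correctly. Since this rule widens what the Postfix identity can read across the subtree, a comment stating that it exists solely for the syncrepl consumer identity, e.g. `# Operational attributes the syncrepl consumer (bound as cn=Postfix) needs to read; see olcSyncrepl above.`, would make the intent clear to the next person editing the ACLs.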