Postfix is compiled without SASL support.

As of 2.9.6 (2.10), at least. See bug #730848.
author: Guilhem Moulin <guilhem@fripost.org> 2013-12-01 23:54:28 +0100
committer: Guilhem Moulin <guilhem@fripost.org> 2015-06-07 02:51:04 +0200
commit: 7275b307b8e26e60392e600a3de0671d0aa49043 (patch)
tree: 8442ab8d0a2fa78381b5ba6e6f865b75f345290a /roles/common-LDAP/templates/etc/ldap/database.ldif.j2
parent: d363522c15b1d1ce61b2780a539dd09e2e679d34 (diff)
1 files changed, 11 insertions, 11 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 8333032..03691f9 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -6,44 +6,43 @@
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 dn: olcDatabase=hdb,cn=config
 objectClass: olcDatabaseConfig
 objectClass: olcHdbConfig
 olcDbDirectory: /var/lib/ldap/fripost
 olcSuffix: o=mailHosting,dc=fripost,dc=org
 olcLastMod: TRUE
 olcDbCheckpoint: 512 15
 # Require LDAPv3 protocol and authentication prior to directory
 # operations.
-olcRequires: LDAPv3 authc
-# We don't want to give "canAdd{Alias,List}" write access to alias/list
-# attributes.
-olcAddContentAcl: FALSE
+olcRequires: LDAPv3
+# TODO: how 'olcAddContentAcl' affects the test suite?
+olcAddContentAcl: TRUE
 # The root user has all rights on the whole database (when SASL-binding
 # on a UNIX socket).
 olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
 #
 #
 ########################################################################
 ########################################################################
 # Performance considerations
 #
 # To reindex an existing database, you have to
 #  * Stop slapd     sudo service slapd stop
 #  * Reindex        su openldap -c "slapindex -b 'o=mailHosting,dc=fripost,dc=org'"
 #  * Restart slapd  sudo service slapd start
 #
 # References
 # - https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_5.0
 # - http://www.openldap.org/doc/admin24/tuning.html
 # - http://www.openldap.org/faq/data/cache/42.html
 # - http://www.openldap.org/faq/data/cache/136.html
 # - http://www.zytrax.com/books/ldap/apa/indeces.html
@@ -81,71 +80,72 @@ olcDbIndex: entryCSN,entryUUID eq
 #
 # (For optimal performance, usage should be within 85% of the configured
 # values.)
 #
 #
 ########################################################################
 ########################################################################
 # Access control
 # /!\ WARN: All modification to the ACL should be reflected to the test
 # /!\ suite as well!
 #
 # References:
 # - http://www.openldap.org/doc/admin24/access-control.html
 # - http://www.openldap.org/faq/data/cache/189.html
 # - http://www.openldap.org/faq/data/cache/1140.html
 # - http://www.openldap.org/faq/data/cache/1133.html
 # - man 5 slapd.access
 #
 #
 ########################################################################
-# Most common services: Postfix, Amavis, SASLauth, Dovecot
+# Most common services: Postfix, Amavis, Dovecot
 # (Most used ACLs are cheaper when written first.)
 #
-# Postfix have read access to the attribute they need.
+# Postfix have read access to the attribute it needs when eg, doing
+# alias resolution.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
         filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
     by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
-    by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
+    by realanonymous =rsd
     by users =0 break
 #
-# Search lists and domain owners
+# Postfix needs to look up lists' local aliases.
 olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry
-    by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =s
+    by realanonymous =s
     by users =0 break
 #
-# Search domain owners / postmasters
+# Search domain owners / postmasters (used by reserved-alias.pl).
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner
         filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
     by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
     by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
     by users =0 break
 #
 # Anonymous can authenticate into the services. (But not read or write the password.)
 olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org"
         attrs=userPassword
     by realanonymous =xd
 #
-# That's necessary for SASL proxy Authorize the web application.
+# The following is required for SASL proxy Authorize the web application.
 olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=org"
         attrs=entry,objectClass,authzTo
     by realanonymous =x
 #
 # 1. The WebPanel itself cannot bind, read or write passwords. This
 # guarantees that, if an attacker gains its priviledge, it will *not* be
 # able to change user passwords (which would allow him/her to read every
 # emails). This is a trick to tackle the absence of 'realgroup'.
 # 2. Anonymous users can bind.
 # 3. Users can change their password (but not read it).
 # 4. The postmaster of a domain can change (replace) his/her users' password (but not read it).
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
         filter=(objectClass=FripostVirtualUser)
         attrs=userPassword
     by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0
     by realanonymous =xd
     by realself =w
     by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w
     by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" =w
 #
author	Guilhem Moulin <guilhem@fripost.org>	2013-12-01 23:54:28 +0100
committer	Guilhem Moulin <guilhem@fripost.org>	2015-06-07 02:51:04 +0200
commit	7275b307b8e26e60392e600a3de0671d0aa49043 (patch)
tree	8442ab8d0a2fa78381b5ba6e6f865b75f345290a /roles/common-LDAP/templates/etc/ldap/database.ldif.j2
parent	d363522c15b1d1ce61b2780a539dd09e2e679d34 (diff)