Add an LDAP attribute to check if the user wants to use the content filter.

This decision is left to the MX (as for 'fripostIsStatusActive'), which
will set the envelope recipient accordingly.

1 files changed, 4 insertions, 15 deletions

diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 9df56f7..6680462 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -108,65 +108,56 @@ olcDbIndex: fripostOptionalMaildrop pres
 olcDbIndex: entryCSN,entryUUID eq
 {% endif%}
 #
 #
 # References
 # - https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_5.0
 # - http://www.openldap.org/doc/admin24/tuning.html
 # - http://www.openldap.org/faq/data/cache/42.html
 # - http://www.openldap.org/faq/data/cache/136.html
 # - http://www.zytrax.com/books/ldap/apa/indeces.html
 #
 #
 ########################################################################
 # Sync Replication
 #
 # References:
 # - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
 # - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
 #
 {% if 'LDAP-provider' in group_names %}
-{% if groups.MX | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"
+olcLimits: dn.onelevel="ou=syncRepl,dc=fripost,dc=org"
   time.soft=unlimited
   time.hard=unlimited
   size.soft=unlimited
   size.hard=unlimited
 {% endif %}
-{% if groups.lists | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org"
-  time.soft=unlimited
-  time.hard=unlimited
-  size.soft=unlimited
-  size.hard=unlimited
-{% endif %}
-{% endif %}
 {% if 'MX' in group_names and 'LDAP-provider' not in group_names %}
 # Test it:
 #   LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapwhoami -H ldaps://ldap.fripost.org/
 #   LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapsearch -H ldaps://ldap.fripost.org/ -b ou=virtual,dc=fripost,dc=org
 olcSyncrepl: rid=000
   provider=ldaps://ldap.fripost.org
   type=refreshAndPersist
   retry="10 30 300 +"
   searchbase="ou=virtual,dc=fripost,dc=org"
-  attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner
+  attrs=objectClass,fvd,fvl,fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner,fripostUseContentFilter
   scope=sub
   sizelimit=unlimited
   schemachecking=off
   bindmethod=sasl
   saslmech=external
   tls_cert=/etc/ldap/ssl/mx.pem
   tls_key=/etc/ldap/ssl/mx.key
   tls_cacert=/etc/ldap/ssl/ldap.fripost.org.pem
   tls_reqcert=hard
 {% endif %}
 {% if 'lists' in group_names and 'LDAP-provider' not in group_names %}
 olcSyncrepl: rid=001
   provider=ldaps://ldap.fripost.org
   type=refreshAndPersist
   retry="10 30 300 +"
   searchbase="ou=virtual,dc=fripost,dc=org"
   attrs=objectClass,fvd,fvl,fripostListManager,fripostOwner
   scope=sub
   sizelimit=unlimited
   schemachecking=off
@@ -395,62 +386,60 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
         attrs=entry,objectClass,fvl
         filter=(objectClass=FripostVirtualUser)
     {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
     by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"              tls_ssf=128                                                                  =rsd
     {% endif -%}
     by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org"         sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
     {% if 'MDA' in group_names -%}
     by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://"                                                    =rsd
     by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth"  sockurl.regex="^ldapi://"                                                    =rsd
     {% endif -%}
     by users                                                                                                                                    =0 break
 #
 # * The SyncRepl MX replicates can check whether a virtual user is
 #   active, when using a TLS-protected connection.
 # * So can Postfix on the MX:es, when connecting a local ldapi:// socket
 #   from the 'private' directory in one of the non-default instance's
 #   chroot.
 {% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
-        attrs=fripostIsStatusActive
+        attrs=fripostIsStatusActive,fripostUseContentFilter
         filter=(objectClass=FripostVirtualUser)
     {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
     by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"      tls_ssf=128                                                                  =rsd
     {% endif -%}
     {% if 'MX' in group_names -%}
     by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
     {% endif -%}
     by users                                                                                                                            =0 break
 {% endif %}
 {% if 'MDA' in group_names %}
 #
 # * Amavis can look for per-user configuration options, when
 #   SASL-binding using the EXTERNAL mechanism and connecting to a local
 #   ldapi:// socket.
-# TODO: we need a fripostUseContentFilter here
-#       filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE))
 # TODO: only allow it to read the configuration options users are allowed
 #       to set and modify.
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
         attrs=@AmavisAccount
-        filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
+        filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE))
     by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
     by users                                                                                =0 break
 #
 # * Dovecot can look for user quotas, when SASL-binding using the
 #   EXTERNAL mechanism and connecting to a local ldapi:// socket.
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
         attrs=fripostUserQuota
         filter=(objectClass=FripostVirtualUser)
     by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
     by users                                                                                 =0 break
 {% endif %}
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Alias entries
 #
 # * The SyncRepl MX replicates can read the entry itelf, whether it
 #   is active, and the address(es) it aliases to, when using a
 #   TLS-protected connection.
 # * So can Postfix on the MX:es, when connecting a local ldapi:// socket
 #   from the 'private' directory in one of the non-default instance's