diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-08 01:34:37 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:52:45 +0200 |
commit | 4a322932eb63901fa53a46c10f268eb870de70a3 (patch) | |
tree | 80532850c83b3b063cb24d1c6e2da830bf268b66 /roles/common-LDAP/templates/etc/ldap | |
parent | 84b0e246987f1d72d0b7bcc3f6f9665c97e8e009 (diff) |
Add an LDAP attribute to check if the user wants to use the content filter.
This decision is left to the MX (as for 'fripostIsStatusActive'), which
will set the envelope recipient accordingly.
Diffstat (limited to 'roles/common-LDAP/templates/etc/ldap')
-rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 19 |
1 files changed, 4 insertions, 15 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 9df56f7..6680462 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -125,21 +125,12 @@ olcDbIndex: entryCSN,entryUUID eq # - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap # {% if 'LDAP-provider' in group_names %} -{% if groups.MX | difference([inventory_hostname]) %} -olcLimits: dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" +olcLimits: dn.onelevel="ou=syncRepl,dc=fripost,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited {% endif %} -{% if groups.lists | difference([inventory_hostname]) %} -olcLimits: dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" - time.soft=unlimited - time.hard=unlimited - size.soft=unlimited - size.hard=unlimited -{% endif %} -{% endif %} {% if 'MX' in group_names and 'LDAP-provider' not in group_names %} # Test it: # LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapwhoami -H ldaps://ldap.fripost.org/ @@ -149,7 +140,7 @@ olcSyncrepl: rid=000 type=refreshAndPersist retry="10 30 300 +" searchbase="ou=virtual,dc=fripost,dc=org" - attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner + attrs=objectClass,fvd,fvl,fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner,fripostUseContentFilter scope=sub sizelimit=unlimited schemachecking=off @@ -412,7 +403,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" # chroot. {% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %} olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" - attrs=fripostIsStatusActive + attrs=fripostIsStatusActive,fripostUseContentFilter filter=(objectClass=FripostVirtualUser) {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%} by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd @@ -427,13 +418,11 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" # * Amavis can look for per-user configuration options, when # SASL-binding using the EXTERNAL mechanism and connecting to a local # ldapi:// socket. -# TODO: we need a fripostUseContentFilter here -# filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE)) # TODO: only allow it to read the configuration options users are allowed # to set and modify. olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" attrs=@AmavisAccount - filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)) + filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE)) by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd by users =0 break # |