authorGuilhem Moulin <guilhem@fripost.org>2013-11-29 22:41:56 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:50:58 +0200
commit89958abf4bc85a4e376cc68d98a721604af1ea77 (patch)
tree19b8930f0291518a0038e37fd605ed156a0bd21f /roles/common-LDAP/templates/etc/ldap
parent3d8b0ac104dee68b47d9a4d2ef622e7f1acdd7a4 (diff)
Allow flexible ACLs for SASL's EXTERNAL mechanism.
"username=postfix,cn=peercred,cn=external,cn=auth" is replaced by "gidNumber=106+uidNumber=102,cn=peercred,cn=external,cn=auth" where 102 is postfix's UID and 106 its primary GID (looked up from /etc/passwd).
Diffstat (limited to 'roles/common-LDAP/templates/etc/ldap')
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j24
1 files changed, 2 insertions, 2 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 19fcdd0..1970a99 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -111,14 +111,14 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry
by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =s
- by dn.exact="gidNumber=8+uidNumber=8,cn=peercred,cn=external,cn=auth" =s
+ by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =s
by users =0 break
#
# Search domain owners / postmasters
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
- by dn.exact="gidNumber=8+uidNumber=8,cn=peercred,cn=external,cn=auth" =rsd
+ by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
by users =0 break
#
# Anonymous can authenticate into the services. (But not read or write the password.)
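Review bot: The `username=postfix,cn=peercred,cn=external,cn=auth` value on both changed `by dn.exact=` lines is a placeholder, not an identity slapd assigns to an ldapi peer, and nothing in the template says so; per the commit message it is rewritten to the `gidNumber=…+uidNumber=…` form. I would add a comment next to the first rule, for example `# "username=X,cn=peercred,..." is rewritten at deploy time to gidNumber=G+uidNumber=U using X's passwd entry.`, so a reader does not take the literal string for a working ACL subject. The rewrite step is outside this hunk, so this is a point to confirm: it should resolve the account on the host that runs slapd and abort when the lookup returns nothing, because an unrewritten placeholder never matches and Postfix would then lose its `=s` and `=rsd` access with no error from the template. Since `dn.exact` pins both UID and primary GID, a later change to the postfix account's primary group would also need a re-render of this file.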