summaryrefslogtreecommitdiffstats
path: root/roles/common-LDAP/templates
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2014-07-08 01:34:37 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:45 +0200
commit4a322932eb63901fa53a46c10f268eb870de70a3 (patch)
tree80532850c83b3b063cb24d1c6e2da830bf268b66 /roles/common-LDAP/templates
parent84b0e246987f1d72d0b7bcc3f6f9665c97e8e009 (diff)
Add an LDAP attribute to check if the user wants to use the content filter.
This decision is left to the MX (as for 'fripostIsStatusActive'), which will set the envelope recipient accordingly.
Diffstat (limited to 'roles/common-LDAP/templates')
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j219
1 files changed, 4 insertions, 15 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 9df56f7..6680462 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -125,21 +125,12 @@ olcDbIndex: entryCSN,entryUUID eq
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
#
{% if 'LDAP-provider' in group_names %}
-{% if groups.MX | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"
+olcLimits: dn.onelevel="ou=syncRepl,dc=fripost,dc=org"
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
{% endif %}
-{% if groups.lists | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org"
- time.soft=unlimited
- time.hard=unlimited
- size.soft=unlimited
- size.hard=unlimited
-{% endif %}
-{% endif %}
{% if 'MX' in group_names and 'LDAP-provider' not in group_names %}
# Test it:
# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapwhoami -H ldaps://ldap.fripost.org/
@@ -149,7 +140,7 @@ olcSyncrepl: rid=000
type=refreshAndPersist
retry="10 30 300 +"
searchbase="ou=virtual,dc=fripost,dc=org"
- attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner
+ attrs=objectClass,fvd,fvl,fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner,fripostUseContentFilter
scope=sub
sizelimit=unlimited
schemachecking=off
@@ -412,7 +403,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
- attrs=fripostIsStatusActive
+ attrs=fripostIsStatusActive,fripostUseContentFilter
filter=(objectClass=FripostVirtualUser)
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
@@ -427,13 +418,11 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
# * Amavis can look for per-user configuration options, when
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket.
-# TODO: we need a fripostUseContentFilter here
-# filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE))
# TODO: only allow it to read the configuration options users are allowed
# to set and modify.
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=@AmavisAccount
- filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
+ filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE))
by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
by users =0 break
#