wibble

2 files changed, 6 insertions, 6 deletions

diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index 851988e..2e5bb1f 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -39,41 +39,41 @@
 #
 # References:
 # - http://courier.svn.sourceforge.net/svnroot/courier/trunk/courier-authlib/authldap.schema
 # - http://www.qmail-ldap.org/wiki/index.php/Qmail.schema
 # - http://www.wanderingbarque.com/howtos/mailserver/mailserver.html
 
 
 # 1.3.6.1.4.1.40011        Fripost's OID
 # 1.3.6.1.4.1.40011.1
 # 1.3.6.1.4.1.40011.1.2    fripost LDAP Elements
 # 1.3.6.1.4.1.40011.1.2.1  AttributeTypes
 # 1.3.6.1.4.1.40011.1.2.2  ObjectClasses
 # 1.3.6.1.4.1.40011.1.2.3  Syntax Definitions
 
 # This schema depends on:
 # - core.schema
 # - cosine.schema
 # - nis.schema
 
 
-dn: cn=fripost-master,cn=schema,cn=config
+dn: cn=fripost,cn=schema,cn=config
 objectClass: olcSchemaConfig
 #
 # Attributes: 1.3.6.1.4.1.40011.1.1
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.1 NAME 'fvd'
     DESC 'A virtual mail domain'
     EQUALITY caseIgnoreIA5Match
     SUBSTR caseIgnoreIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvl'
     DESC 'The local part of a virtual user, alias, list or list command'
     EQUALITY caseIgnoreIA5Match
     SUBSTR caseIgnoreIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
 #
 # This is redundant since we always use DNs of the form
 #     fvl=localpart,fvd=domainpart.tld,...
 # (But Postfix doesn't allow the use of '%u' and '%d' from the query in
 # its 'result_format'.)
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index f76eb78..c7a4379 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -72,115 +72,115 @@ olcDbIndex: entryCSN,entryUUID eq
 # References:
 # - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
 # - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
 #
 {% if 'LDAP-provider' in group_names %}
 olcLimits: dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
   time.soft=unlimited
   time.hard=unlimited
   size.soft=unlimited
   size.hard=unlimited
 {% elif 'MX' in group_names %}
 olcSyncrepl: rid=000
   provider=ldap://{{ LDAP_provider }}
   type=refreshAndPersist
   retry="5 5 300 +"
   searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
   attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias,fripostPostmaster,fripostOwner
   scope=sub
   schemachecking=off
   bindmethod=simple
-  binddn="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org"
-  credentials=postfix
+  binddn="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
+  credentials=mx
 {% endif %}
 #
 #
 ########################################################################
 ########################################################################
 # Access control
 # /!\ WARN: All modification to the ACL should be reflected to the test
 # /!\ suite as well!
 #
 # References:
 # - http://www.openldap.org/doc/admin24/access-control.html
 # - http://www.openldap.org/faq/data/cache/189.html
 # - http://www.openldap.org/faq/data/cache/1140.html
 # - http://www.openldap.org/faq/data/cache/1133.html
 # - man 5 slapd.access
 #
 #
 ########################################################################
 # Most common services: Postfix, Amavis, Dovecot
 # (Most used ACLs are cheaper when written first.)
 #
 # Postfix have read access to the attribute it needs when eg, doing
 # alias resolution.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
         filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
-    by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+    by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
     by realanonymous =rsd
     by users =0 break
 #
 # Postfix needs to look up lists' local aliases.
 olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry
     by realanonymous =s
     by users =0 break
 #
 # Search domain owners / postmasters (used by reserved-alias.pl).
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner
         filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
-    by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+    by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
     by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
     by users =0 break
 #
 # The following is required for the content filter
 {% if 'MDA' in group_names %}
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
         attrs=entry
         filter=(&(objectClass=FripostVirtualDomain)(fripostIsStatusActive=TRUE))
     by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =s
     by users =0 break
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
         attrs=entry,objectClass,fvl,@AmavisAccount
         filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
     by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =rsd
     by users =0 break
 {% endif %}
 #
 # Anonymous can authenticate into the services. (But not read or write the password.)
 olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org"
         attrs=userPassword
     by realanonymous =xd
 #
 # The following is required for SASL proxy Authorize the web application.
 olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=org"
         attrs=entry,objectClass,authzTo
     by realanonymous =x
 #
 # The following is required for Sync Replication.
 {% if 'LDAP-provider' in group_names %}
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry,objectClass,structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
-    by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+    by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
     by users =0 break
 {% endif %}
 #
 # 1. The WebPanel itself cannot bind, read or write passwords. This
 # guarantees that, if an attacker gains its priviledge, it will *not* be
 # able to change user passwords (which would allow him/her to read every
 # emails). This is a trick to tackle the absence of 'realgroup'.
 # 2. Anonymous users can bind.
 # 3. Users can change their password (but not read it).
 # 4. The postmaster of a domain can change (replace) his/her users' password (but not read it).
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
         filter=(objectClass=FripostVirtualUser)
         attrs=userPassword
     by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0
     by realanonymous =xd
     by realself =w
     by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w
     by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" =w
 #
 # A catch-all, to be sure that noone else have access to the passwords.