Fix issue with delete entries in the replication.

It looks as if the SyncRepl need read access on the 'entry' and
'objectClass' attributes of the entry being deleted, and the entry being
deleted no longer matches the ACL filters, so we have to grant access
globally. (We still have fine-grain control on the other attributes
which are not disclosed, though.)

1 files changed, 23 insertions, 29 deletions

diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 6680462..d3915df 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -246,40 +246,34 @@ olcAccess: to dn.subtree="dc=fripost,dc=org"
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Base
 #
-# * The SyncRepl replicates may use the base as a searchBase, when using
-#   a TLS-protected connection.
-# * So can Dovecot on the MDA (for the iterate filter), when
-#   SASL-binding using the EXTERNAL mechanism and connecting to a local
-#   ldapi:// socket.
+# * Only SyncRepl replicates may access operational attributes in the
+#   subtree, when using a TLS-protected connection.
+{% if 'LDAP-provider' in group_names -%}
+olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
+        attrs=entryDN,entryCSN,entryUUID,structuralObjectClass,hasSubordinates,subschemaSubentry
+    by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
+    by *                                                       =0
+#
+# * They may also read entries (ie, the attributes they have access to
+#   as per the ACL below) in that subtree, when using a TLS-protected
+#   connection.  Listing entries (their DN) is required to replicate
+#   deletions properly.
+olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
+        attrs=entry,objectClass
+    by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
+    by users                                                   =0   break
+{% endif -%}
+#
+# * Dovecot may use the base as a searchBase on the MDA (for the iterate
+#   filter), when SASL-binding using the EXTERNAL mechanism and
+#   connecting to a local ldapi:// socket.
+{% if 'MDA' in group_names -%}
 olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org"
         attrs=entry,objectClass
         filter=(objectClass=FripostVirtual)
-    {% if 'LDAP-provider' in group_names -%}
-    {% if groups.MX | difference([inventory_hostname]) -%}
-    by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"              tls_ssf=128               =rsd
-    {% endif -%}
-    {% if groups.lists | difference([inventory_hostname]) -%}
-    by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org"           tls_ssf=128               =rsd
-    {% endif -%}
-    {% endif -%}
-    {% if 'MDA' in group_names -%}
     by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
-    {% endif -%}
     by users                                                                                 =0 break
-#
-# * Only SyncRepl replicates may access operational attributes in the
-#   subtree, when using a TLS-protected connection.
-olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
-        attrs=structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
-    {% if 'LDAP-provider' in group_names -%}
-    {% if groups.MX | difference([inventory_hostname]) -%}
-    by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"    tls_ssf=128 =rsd
-    {% endif -%}
-    {% if groups.lists | difference([inventory_hostname]) -%}
-    by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
-    {% endif -%}
-    {% endif -%}
-    by *                                                             =0
+{% endif -%}
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Domain entries