authorGuilhem Moulin <guilhem@fripost.org>2014-07-08 06:55:58 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:46 +0200
commit15197cf98d0ba1029ad770a192a3b405ebc32204 (patch)
tree04b4bfc618a0b0ea05155a392e700076c1426c85 /roles/common-LDAP
parent4a322932eb63901fa53a46c10f268eb870de70a3 (diff)
Fix issue with delete entries in the replication.
It looks as if SyncRepl needs read access to the 'entry' and 'objectClass' attributes of the entry being deleted; since a deleted entry no longer matches the ACL filters, we have to grant that access globally. (We still have fine-grained control over the other attributes, which are not disclosed.)
Diffstat (limited to 'roles/common-LDAP')
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j252
1 files changed, 23 insertions, 29 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 6680462..d3915df 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -246,40 +246,34 @@ olcAccess: to dn.subtree="dc=fripost,dc=org"
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Base
#
-# * The SyncRepl replicates may use the base as a searchBase, when using
-# a TLS-protected connection.
-# * So can Dovecot on the MDA (for the iterate filter), when
-# SASL-binding using the EXTERNAL mechanism and connecting to a local
-# ldapi:// socket.
+# * Only SyncRepl replicates may access operational attributes in the
+# subtree, when using a TLS-protected connection.
+{% if 'LDAP-provider' in group_names -%}
+olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
+ attrs=entryDN,entryCSN,entryUUID,structuralObjectClass,hasSubordinates,subschemaSubentry
+ by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by * =0
+#
+# * They may also read entries (ie, the attributes they have access to
+# as per the ACL below) in that subtree, when using a TLS-protected
+# connection. Listing entries (their DN) is required to replicate
+# deletions properly.
+olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
+ attrs=entry,objectClass
+ by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by users =0 break
+{% endif -%}
+#
+# * Dovecot may use the base as a searchBase on the MDA (for the iterate
+# filter), when SASL-binding using the EXTERNAL mechanism and
+# connecting to a local ldapi:// socket.
+{% if 'MDA' in group_names -%}
olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org"
attrs=entry,objectClass
filter=(objectClass=FripostVirtual)
- {% if 'LDAP-provider' in group_names -%}
- {% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% endif -%}
- {% if 'MDA' in group_names -%}
by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
- {% endif -%}
by users =0 break
-#
-# * Only SyncRepl replicates may access operational attributes in the
-# subtree, when using a TLS-protected connection.
-olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
- attrs=structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
- {% if 'LDAP-provider' in group_names -%}
- {% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% endif -%}
- by * =0
+{% endif -%}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Domain entries
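Review bot: The operational-attribute list on the new subtree rule differs from the one it replaces without the commit message or the comment saying so: the new `attrs=` line adds entryCSN and drops createTimestamp, creatorsName, modifiersName and modifyTimestamp, while the description only talks about 'entry' and 'objectClass'. If leaving those four out is intentional, the comment above the rule should say so, e.g. `# (createTimestamp/modifyTimestamp and creatorsName/modifiersName are deliberately not readable by replicas.)`. The grantee also changes from the named consumer DNs cn=mX and cn=lists (each emitted only when another host in that group existed) to `dn.onelevel="ou=syncRepl,dc=fripost,dc=org"`, so any account placed directly under ou=syncRepl can now list every DN in ou=virtual over TLS; that is presumably fine while that OU holds only replica accounts, but it deserves one sentence in the comment so the broader grant is not mistaken for the original per-consumer one. The second new rule ends with `by users =0 break` and has no clause for anonymous binds, which therefore fall to slapd's implicit trailing `by * none`; since the first rule spells out `by * =0`, writing the same line explicitly there would keep the two rules readable side by side.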