Add an LDAP attribute to check if the user wants to use the content filter.

This decision is left to the MX (as for 'fripostIsStatusActive'), which will set the envelope recipient accordingly.
author: Guilhem Moulin <guilhem@fripost.org> 2014-07-08 01:34:37 +0200
committer: Guilhem Moulin <guilhem@fripost.org> 2015-06-07 02:52:45 +0200
commit: 4a322932eb63901fa53a46c10f268eb870de70a3 (patch)
tree: 80532850c83b3b063cb24d1c6e2da830bf268b66 /roles/common-LDAP
parent: 84b0e246987f1d72d0b7bcc3f6f9665c97e8e009 (diff)
2 files changed, 17 insertions, 23 deletions
diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index a26f249..0475d20 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -68,7 +68,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.1 NAME 'fvd'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvl'
-    DESC 'The local part of a virtual user, alias, list or list command'
+    DESC 'The local part of a virtual user, alias or list'
     EQUALITY caseIgnoreIA5Match
     SUBSTR caseIgnoreIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
@@ -89,7 +89,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostOptionalMaildrop'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostIsStatusActive'
-    DESC 'When present, a token locking the entry in an inactive state'
+    DESC 'Is the entry active?'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 #
@@ -104,23 +104,23 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostUserQuota'
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostCanAddDomain'
-    DESC 'A user/domain that can add domains'
+    DESC 'A user/domain allowed to add domains'
     SUP distinguishedName )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostCanAddAlias'
-    DESC 'A user/domain that can add aliases under the parent domain'
+    DESC 'A user/domain allowed to add aliases under the parent domain'
     SUP distinguishedName )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostCanAddList'
-    DESC 'A user/domain that can add lists under the parent domain'
+    DESC 'A user/domain allowed to add lists under the parent domain'
     SUP distinguishedName )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostOwner'
-    DESC 'A user that owns under parent domain'
+    DESC 'A user being the owner of the parent domain'
     SUP distinguishedName )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostPostmaster'
-    DESC 'A user that is a postmaster of the parent domain'
+    DESC 'A user being the postmaster of the parent domain'
     SUP distinguishedName )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostListManager'
@@ -129,6 +129,11 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostListManager'
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
 #
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostUseContentFilter'
+    DESC 'Does the user want to use the content filter?'
+    EQUALITY booleanMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+#
 #
 # Objects: 1.3.6.1.4.1.40011.1.2
 #
@@ -155,7 +160,7 @@ olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAliasDomain'
 olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualUser'
     SUP top STRUCTURAL
     DESC 'Virtual user'
-    MUST ( fvl $ userPassword $ fripostIsStatusActive )
+    MUST ( fvl $ userPassword $ fripostIsStatusActive $ fripostUseContentFilter )
     MAY ( fripostUserQuota $ description) )
 #
 olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualAlias'
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 9df56f7..6680462 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -125,21 +125,12 @@ olcDbIndex: entryCSN,entryUUID eq
 # - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
 #
 {% if 'LDAP-provider' in group_names %}
-{% if groups.MX | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"
+olcLimits: dn.onelevel="ou=syncRepl,dc=fripost,dc=org"
   time.soft=unlimited
   time.hard=unlimited
   size.soft=unlimited
   size.hard=unlimited
 {% endif %}
-{% if groups.lists | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org"
-  time.soft=unlimited
-  time.hard=unlimited
-  size.soft=unlimited
-  size.hard=unlimited
-{% endif %}
-{% endif %}
 {% if 'MX' in group_names and 'LDAP-provider' not in group_names %}
 # Test it:
 #   LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapwhoami -H ldaps://ldap.fripost.org/
@@ -149,7 +140,7 @@ olcSyncrepl: rid=000
   type=refreshAndPersist
   retry="10 30 300 +"
   searchbase="ou=virtual,dc=fripost,dc=org"
-  attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner
+  attrs=objectClass,fvd,fvl,fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner,fripostUseContentFilter
   scope=sub
   sizelimit=unlimited
   schemachecking=off
@@ -412,7 +403,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
 #   chroot.
 {% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
-        attrs=fripostIsStatusActive
+        attrs=fripostIsStatusActive,fripostUseContentFilter
         filter=(objectClass=FripostVirtualUser)
     {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
     by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"      tls_ssf=128                                                                  =rsd
@@ -427,13 +418,11 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
 # * Amavis can look for per-user configuration options, when
 #   SASL-binding using the EXTERNAL mechanism and connecting to a local
 #   ldapi:// socket.
-# TODO: we need a fripostUseContentFilter here
-#       filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE))
 # TODO: only allow it to read the configuration options users are allowed
 #       to set and modify.
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
         attrs=@AmavisAccount
-        filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
+        filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE))
     by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
     by users                                                                                =0 break
 #
author	Guilhem Moulin <guilhem@fripost.org>	2014-07-08 01:34:37 +0200
committer	Guilhem Moulin <guilhem@fripost.org>	2015-06-07 02:52:45 +0200
commit	4a322932eb63901fa53a46c10f268eb870de70a3 (patch)
tree	80532850c83b3b063cb24d1c6e2da830bf268b66 /roles/common-LDAP
parent	84b0e246987f1d72d0b7bcc3f6f9665c97e8e009 (diff)