authorGuilhem Moulin <guilhem@fripost.org>2014-07-08 01:34:37 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:45 +0200
commit4a322932eb63901fa53a46c10f268eb870de70a3 (patch)
tree80532850c83b3b063cb24d1c6e2da830bf268b66 /roles/common-LDAP
parent84b0e246987f1d72d0b7bcc3f6f9665c97e8e009 (diff)
Add an LDAP attribute to check if the user wants to use the content filter.
This decision is left to the MX (as for 'fripostIsStatusActive'), which will set the envelope recipient accordingly.
Diffstat (limited to 'roles/common-LDAP')
-rw-r--r--roles/common-LDAP/files/etc/ldap/schema/fripost.ldif21
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j219
2 files changed, 17 insertions, 23 deletions
diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index a26f249..0475d20 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -68,7 +68,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.1 NAME 'fvd'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvl'
- DESC 'The local part of a virtual user, alias, list or list command'
+ DESC 'The local part of a virtual user, alias or list'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
@@ -89,7 +89,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostOptionalMaildrop'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostIsStatusActive'
- DESC 'When present, a token locking the entry in an inactive state'
+ DESC 'Is the entry active?'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
#
@@ -104,23 +104,23 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostUserQuota'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostCanAddDomain'
- DESC 'A user/domain that can add domains'
+ DESC 'A user/domain allowed to add domains'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostCanAddAlias'
- DESC 'A user/domain that can add aliases under the parent domain'
+ DESC 'A user/domain allowed to add aliases under the parent domain'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostCanAddList'
- DESC 'A user/domain that can add lists under the parent domain'
+ DESC 'A user/domain allowed to add lists under the parent domain'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostOwner'
- DESC 'A user that owns under parent domain'
+ DESC 'A user being the owner of the parent domain'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostPostmaster'
- DESC 'A user that is a postmaster of the parent domain'
+ DESC 'A user being the postmaster of the parent domain'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostListManager'
@@ -129,6 +129,11 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostListManager'
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostUseContentFilter'
+ DESC 'Does the user want to use the content filter?'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+#
#
# Objects: 1.3.6.1.4.1.40011.1.2
#
@@ -155,7 +160,7 @@ olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAliasDomain'
olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualUser'
SUP top STRUCTURAL
DESC 'Virtual user'
- MUST ( fvl $ userPassword $ fripostIsStatusActive )
+ MUST ( fvl $ userPassword $ fripostIsStatusActive $ fripostUseContentFilter )
MAY ( fripostUserQuota $ description) )
#
olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualAlias'
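Review bot: Moving fripostUseContentFilter straight into the MUST list of FripostVirtualUser means every existing FripostVirtualUser entry that does not yet carry the attribute becomes schema-invalid, so the provider will presumably reject later modifications of such entries with an object class violation until the attribute is populated; the commit includes no migration step and the new DESC states no default. Either put the attribute in MAY and let readers treat absence as FALSE, or document the migration requirement next to the definition, e.g. `# MUST for FripostVirtualUser: populate it on all existing users before loading this schema`. The consumers appear to replicate with schemachecking=off (see the second file), so the problem would surface on the provider rather than on the MX. Separately, the added `#` after the new olcAttributeTypes duplicates the separator line that follows it, leaving two consecutive `#` lines where the rest of the file uses one.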
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 9df56f7..6680462 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -125,21 +125,12 @@ olcDbIndex: entryCSN,entryUUID eq
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
#
{% if 'LDAP-provider' in group_names %}
-{% if groups.MX | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"
+olcLimits: dn.onelevel="ou=syncRepl,dc=fripost,dc=org"
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
{% endif %}
-{% if groups.lists | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org"
- time.soft=unlimited
- time.hard=unlimited
- size.soft=unlimited
- size.hard=unlimited
-{% endif %}
-{% endif %}
{% if 'MX' in group_names and 'LDAP-provider' not in group_names %}
# Test it:
# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapwhoami -H ldaps://ldap.fripost.org/
@@ -149,7 +140,7 @@ olcSyncrepl: rid=000
type=refreshAndPersist
retry="10 30 300 +"
searchbase="ou=virtual,dc=fripost,dc=org"
- attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner
+ attrs=objectClass,fvd,fvl,fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner,fripostUseContentFilter
scope=sub
sizelimit=unlimited
schemachecking=off
@@ -412,7 +403,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
- attrs=fripostIsStatusActive
+ attrs=fripostIsStatusActive,fripostUseContentFilter
filter=(objectClass=FripostVirtualUser)
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
@@ -427,13 +418,11 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
# * Amavis can look for per-user configuration options, when
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket.
-# TODO: we need a fripostUseContentFilter here
-# filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE))
# TODO: only allow it to read the configuration options users are allowed
# to set and modify.
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=@AmavisAccount
- filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
+ filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE))
by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
by users =0 break
#
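Review bot: In the first hunk, replacing the two `dn.exact` olcLimits entries for cn=mX and cn=lists with a single `dn.onelevel="ou=syncRepl,dc=fripost,dc=org"` widens the unlimited time/size search limits from two named replication identities to every entry now or later created directly under ou=syncRepl, and the `groups.MX | difference([inventory_hostname])` guard that used to gate it is dropped while the matching olcAccess rule further down keeps that guard. If the broadening is intentional it deserves a comment, e.g. `# Every syncRepl consumer identity (direct child of ou=syncRepl) is exempt from search limits`, so a future account placed under that OU is not granted unlimited limits by accident. If only the existing consumers should be exempt, keeping per-DN `dn.exact` entries preserves the previous least-privilege scope.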