LDAP Sync Replication.

3 files changed, 35 insertions, 3 deletions

diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 270924c..27a0298 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -80,4 +80,4 @@
 
 - meta: flush_handlers
 
-# TODO: authz constraint syncprov syncrepl
+# TODO: authz constraint syncprov
diff --git a/roles/common-LDAP/templates/etc/default/slapd.j2 b/roles/common-LDAP/templates/etc/default/slapd.j2
index 7eea421..92b3b22 100644
--- a/roles/common-LDAP/templates/etc/default/slapd.j2
+++ b/roles/common-LDAP/templates/etc/default/slapd.j2
@@ -23,7 +23,7 @@ SLAPD_SERVICES="ldapi:///"
 {% for i in postfix_instance.keys() | intersect(group_names) | list %}
 SLAPD_SERVICES="$SLAPD_SERVICES ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[i].name }}%2Fprivate%2Fldapi/"
 {% endfor %}
-{% if 'LDAP-producer' in group_names %}
+{% if 'LDAP-provider' in group_names %}
 SLAPD_SERVICES="$SLAPD_SERVICES ldap://172.16.0.1:389/"
 {% endif %}
 
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 03691f9..5a8674a 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -51,7 +51,7 @@ olcDbIndex: objectClass eq
 # Let us make Postfix's life easier. TODO: only if MX, lists.f.o, MDA, etc.
 olcDbIndex: fripostIsStatusActive,fvd,fvl,fripostLocalAlias eq
 olcDbIndex: fripostOptionalMaildrop pres
-# SyncProv/SyncRepl specific indexing. TODO: only if SyncProv/SyncRepl
+# SyncProv/SyncRepl specific indexing.
 olcDbIndex: entryCSN,entryUUID eq
 #
 #
@@ -84,6 +84,30 @@ olcDbIndex: entryCSN,entryUUID eq
 #
 ########################################################################
 ########################################################################
+# Sync Replication
+# TODO: replace the simple bind by Kerberos/GSSAPI
+#
+# References:
+# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
+# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
+#
+{% if 'LDAP_provider' not in group_names %}
+olcSyncrepl: rid=000
+  provider=ldap://{{ LDAP_provider }}
+  type=refreshAndPersist
+  retry="5 5 300 +"
+  searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+  attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias,fripostPostmaster,fripostOwner
+  scope=sub
+  schemachecking=off
+  bindmethod=simple
+  binddn="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org"
+  credentials=postfix
+{% endif %}
+#
+#
+########################################################################
+########################################################################
 # Access control
 # /!\ WARN: All modification to the ACL should be reflected to the test
 # /!\ suite as well!
@@ -133,6 +157,14 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
         attrs=entry,objectClass,authzTo
     by realanonymous =x
 #
+# The following is required for Sync Replication.
+{% if 'LDAP-provider' in group_names %}
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+        attrs=entry,objectClass,structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
+    by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+    by users =0 break
+{% endif %}
+#
 # 1. The WebPanel itself cannot bind, read or write passwords. This
 # guarantees that, if an attacker gains its priviledge, it will *not* be
 # able to change user passwords (which would allow him/her to read every