summaryrefslogtreecommitdiffstats
path: root/roles/common-LDAP
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2013-12-02 03:42:57 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:05 +0200
commit5a7bec1a590e20e263d41eaf414cfe9b5ba48a75 (patch)
tree9c3ffabaed59ab3a0a5d324b5f2d74a200f4f4a2 /roles/common-LDAP
parent7275b307b8e26e60392e600a3de0671d0aa49043 (diff)
LDAP Sync Replication.
Diffstat (limited to 'roles/common-LDAP')
-rw-r--r--roles/common-LDAP/tasks/main.yml2
-rw-r--r--roles/common-LDAP/templates/etc/default/slapd.j22
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j234
3 files changed, 35 insertions, 3 deletions
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 270924c..27a0298 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -80,4 +80,4 @@
- meta: flush_handlers
-# TODO: authz constraint syncprov syncrepl
+# TODO: authz constraint syncprov
diff --git a/roles/common-LDAP/templates/etc/default/slapd.j2 b/roles/common-LDAP/templates/etc/default/slapd.j2
index 7eea421..92b3b22 100644
--- a/roles/common-LDAP/templates/etc/default/slapd.j2
+++ b/roles/common-LDAP/templates/etc/default/slapd.j2
@@ -23,7 +23,7 @@ SLAPD_SERVICES="ldapi:///"
{% for i in postfix_instance.keys() | intersect(group_names) | list %}
SLAPD_SERVICES="$SLAPD_SERVICES ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[i].name }}%2Fprivate%2Fldapi/"
{% endfor %}
-{% if 'LDAP-producer' in group_names %}
+{% if 'LDAP-provider' in group_names %}
SLAPD_SERVICES="$SLAPD_SERVICES ldap://172.16.0.1:389/"
{% endif %}
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 03691f9..5a8674a 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -51,7 +51,7 @@ olcDbIndex: objectClass eq
# Let us make Postfix's life easier. TODO: only if MX, lists.f.o, MDA, etc.
olcDbIndex: fripostIsStatusActive,fvd,fvl,fripostLocalAlias eq
olcDbIndex: fripostOptionalMaildrop pres
-# SyncProv/SyncRepl specific indexing. TODO: only if SyncProv/SyncRepl
+# SyncProv/SyncRepl specific indexing.
olcDbIndex: entryCSN,entryUUID eq
#
#
@@ -84,6 +84,30 @@ olcDbIndex: entryCSN,entryUUID eq
#
########################################################################
########################################################################
+# Sync Replication
+# TODO: replace the simple bind by Kerberos/GSSAPI
+#
+# References:
+# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
+# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
+#
+{% if 'LDAP_provider' not in group_names %}
+olcSyncrepl: rid=000
+ provider=ldap://{{ LDAP_provider }}
+ type=refreshAndPersist
+ retry="5 5 300 +"
+ searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias,fripostPostmaster,fripostOwner
+ scope=sub
+ schemachecking=off
+ bindmethod=simple
+ binddn="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org"
+ credentials=postfix
+{% endif %}
+#
+#
+########################################################################
+########################################################################
# Access control
# /!\ WARN: All modification to the ACL should be reflected to the test
# /!\ suite as well!
@@ -133,6 +157,14 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
attrs=entry,objectClass,authzTo
by realanonymous =x
#
+# The following is required for Sync Replication.
+{% if 'LDAP-provider' in group_names %}
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ attrs=entry,objectClass,structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
+ by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by users =0 break
+{% endif %}
+#
# 1. The WebPanel itself cannot bind, read or write passwords. This
# guarantees that, if an attacker gains its priviledge, it will *not* be
# able to change user passwords (which would allow him/her to read every