authorGuilhem Moulin <guilhem@fripost.org>2014-01-15 07:32:20 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:51:38 +0200
commit9304813d505baaa50294ed0d37a11d9e3f0f6c79 (patch)
tree450f263fb6e9d7cfa67cf2e1235c2c593bad14ab /roles/common-LDAP
parentab83789bd70d294623e62e0b366b6b649cb5b0af (diff)
Fix the catch-all resolution again.
We introduce a limitation on domain aliases: they can no longer have children (e.g., lists or users). The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps. We're still using transport_maps for lists. If it turns out to be a bottleneck, due to the high latency of LDAP maps (and the fact that there is a single qmgr(8) daemon), we could instead rewrite lists to a dummy subdomain and use a static transport_maps:
virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain
transport_maps: mlmmj.localhost.localdomain mlmmj:
Diffstat (limited to 'roles/common-LDAP')
-rw-r--r--roles/common-LDAP/files/etc/ldap/schema/fripost.ldif18
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j28
2 files changed, 16 insertions, 10 deletions
diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index 72695ab..54f3037 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -83,7 +83,7 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fripostMaildrop'
# users, because the presence index should *not* apply to the
# mandatory attribute above.
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostOptionalMaildrop'
- DESC 'An optional email address for catch-all aliases on domains and users'
+ DESC 'An optional email address for catch-all or domain aliases'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
@@ -145,26 +145,32 @@ olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain'
fripostOwner $ fripostPostmaster $
fripostOptionalMaildrop $ description ) )
#
+# Domain alias (for the domain given by fripostMaildrop). Children are ignored.
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAliasDomain'
+ SUP FripostVirtualDomain STRUCTURAL
+ DESC 'Virtual alias domain'
+ MUST ( fripostMaildrop ) )
+#
# | TODO: add limits here
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualUser'
SUP top STRUCTURAL
DESC 'Virtual user'
MUST ( fvl $ userPassword $ fripostIsStatusActive )
- MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) )
+ MAY ( fripostUserQuota $ description) )
#
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualAlias'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualAlias'
SUP top STRUCTURAL
DESC 'Virtual alias'
MUST ( fvl $ fripostMaildrop $ fripostIsStatusActive )
MAY ( fripostOwner $ description ) )
#
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualList'
SUP top STRUCTURAL
DESC 'Virtual list'
MUST ( fvl $ fripostListManager $ fripostIsStatusActive )
MAY ( fripostOwner $ description ) )
#
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostPendingEntry'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostPendingEntry'
SUP top AUXILIARY
DESC 'Virtual pending entry'
MAY ( fripostPendingToken ) )
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 6e5961b..33ef108 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -289,7 +289,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
#
# We're giving away create/delete access on the children attributes, but we will be carefull
# with the 'entry' permissions.
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostVirtual)
attrs=children
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w
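Review bot: `dn.base` and `dn.exact` are the same style in slapd.access(5) (exact is an alias of base), so the change on the `to` line here, and the two in the hunk at line 534, is cosmetic and only aligns these clauses with the `by dn.exact=` form already used elsewhere in the file. Neither the commit message nor the file says so, and a reader comparing revisions may look for a behavioural difference that does not exist. A `#` comment above the first such rule, such as `# dn.exact (alias of dn.base): this entry only`, would record the intent.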
@@ -300,7 +300,7 @@ olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org"
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z
by * break
olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org"
- filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
+ filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(objectClass=FripostVirtualAliasDomain)))
attrs=children
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w
#
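Review bot: The added `(!(objectClass=FripostVirtualAliasDomain))` term removes alias domains from this `to` clause rather than denying them, so write access to `children` on an alias-domain entry now falls through to whatever later olcAccess rules match (they are outside this hunk) instead of being refused here. If the intent is that nobody may create entries under an alias domain, an explicit rule placed before this one makes that visible and independent of rule ordering, e.g. `olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtualAliasDomain) attrs=children by * none`. The negation is required because the objectClass attribute of an alias domain also carries the superclass value FripostVirtualDomain, so the first filter term alone still matches; a short comment stating that would help the next reader.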
@@ -534,11 +534,11 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
#
# Users with "canAddDomain" access can see that they have the right
# to create domains.
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostVirtual)
attrs=entry
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +rd
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostVirtual)
attrs=fripostCanAddDomain
by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd