author | Guilhem Moulin <guilhem@fripost.org> | 2014-01-14 07:12:07 +0100 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:51:37 +0200 |
commit | 97352d1452917fdcd81da0e209aed6e735c00961 (patch) | |
tree | c1ad41eed8fcbae6bcfa49a391c833d81b3ce526 /roles/common-LDAP | |
parent | 88c64118976a8b5c3dd1575756aae242a6fef8c1 (diff) |
Remove list commands.
They were only a dirty hack for list commands à la Mailman such as
mylist-request. If we are to use another list manager such as mlmmj,
which uses a VERP delimiter instead, the problem disappears.
Diffstat (limited to 'roles/common-LDAP')
-rw-r--r-- | roles/common-LDAP/files/etc/ldap/schema/fripost.ldif | 7 | ||||
-rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 59 |
2 files changed, 39 insertions, 27 deletions
diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index 514b6fa..72695ab 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -164,12 +164,7 @@ olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList'
 MUST ( fvl $ fripostListManager $ fripostIsStatusActive )
 MAY ( fripostOwner $ description ) )
 #
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualListCommand'
- SUP top STRUCTURAL
- DESC 'Virtual list command'
- MUST ( fvl ) )
-#
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostPendingEntry'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostPendingEntry'
 SUP top AUXILIARY
 DESC 'Virtual pending entry'
 MAY ( fripostPendingToken ) )
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 3752f9f..b4c2c4f 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -79,6 +79,11 @@ olcLimits: dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org
 time.hard=unlimited
 size.soft=unlimited
 size.hard=unlimited
+olcLimits: dn.exact="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
+ time.soft=unlimited
+ time.hard=unlimited
+ size.soft=unlimited
+ size.hard=unlimited
 {% elif 'MX' in group_names %}
 olcSyncrepl: rid=000
 provider=ldap://{{ LDAP_provider }}
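Review bot: The replaced olcObjectClasses line reassigns OID 1.3.6.1.4.1.40011.1.2.6 from FripostVirtualListCommand to FripostPendingEntry; OIDs are meant to be permanent identifiers, and any server or consumer still holding the old schema (the new lists consumer in this same commit runs with schemachecking=off, and older backups or slapcat dumps keep the previous definitions) would resolve 1.2.6 to a different, STRUCTURAL class. Keeping FripostPendingEntry on 1.3.6.1.4.1.40011.1.2.7 and only deleting the 1.2.6 definition avoids that, i.e. drop the `+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostPendingEntry'` line and leave the original `1.2.7` line as context. A comment such as `# 1.3.6.1.4.1.40011.1.2.6 was FripostVirtualListCommand (removed); do not reuse` would record the retired number for the next person touching the schema.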
@@ -91,6 +96,18 @@ olcSyncrepl: rid=000
 bindmethod=simple
 binddn="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
 credentials=mx
+{% elif 'lists' in group_names %}
+olcSyncrepl: rid=001
+ provider=ldap://{{ LDAP_provider }}
+ type=refreshAndPersist
+ retry="5 5 300 +"
+ searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ attrs=objectClass,fvd,fvl,fripostListManager,fripostOwner
+ scope=sub
+ schemachecking=off
+ bindmethod=simple
+ binddn="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
+ credentials=lists
 {% endif %}
 #
 #
@@ -116,7 +133,7 @@ olcSyncrepl: rid=000
 # alias resolution.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
 attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop
- filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
+ filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
 by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
 by realanonymous =rsd
 by users =0 break
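Review bot: The new consumer block binds with `bindmethod=simple` and a literal `credentials=lists`, so the replication password of cn=lists-replicate is committed to the repository in clear text (the existing `credentials=mx` line has the same problem; this hunk adds a second such account). Moving the value to a templated variable, e.g. `credentials={{ lists_replicate_password }}` (name illustrative) fed from a vault, keeps the secret out of git and lets it be rotated without editing the template. The provider is also reached via `provider=ldap://` with no `starttls=` option in the block; if the existing MX consumer relies on TLS settings configured elsewhere, the same should apply here, otherwise the simple bind transmits the password unencrypted. The `{% elif %}` branch belongs to a Jinja `{% if %}` that starts outside the hunk.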
@@ -126,14 +143,22 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
 attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner
 filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
 by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
- by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
+ by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" =rsd
+ by users =0 break
+#
+# List replicates
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ attrs=entry,objectClass,fvd,fvl,fripostListManager,fripostOwner
+ filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualList))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
+ by dn.exact="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by realanonymous =rsd
 by users =0 break
 #
 # The following is required for the content filter
 {% if 'MDA' in group_names %}
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
 attrs=entry
- filter=(&(objectClass=FripostVirtualDomain)(fripostIsStatusActive=TRUE))
+ filter=(&(objectClass=FripostVirtualDomain)(!(fripostIsStatusActive=FALSE)))
 by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =s
 by users =0 break
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
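Review bot: The new "List replicates" ACL grants `by realanonymous =rsd` on entry,objectClass,fvd,fvl,fripostListManager,fripostOwner for every non-pending domain and list, so an unauthenticated bind can enumerate list names together with their owner and list-manager values; the syncrepl consumer binds as cn=lists-replicate and already receives =rsd on the line above, so the anonymous clause does not appear to be needed for replication. Unless anonymous clients are meant to read fripostOwner, drop that line so the ACL ends with `by dn.exact="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd` followed by `by users =0 break`. The switch from `username=postfix` to `username=nobody` on the postmaster/owner ACL, and the relaxed MDA filter `(!(fripostIsStatusActive=FALSE))` (which now also matches domains that lack the attribute), are not explained by the commit message; a sentence there, or a comment above each, would help the next reader.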
@@ -162,9 +187,16 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
 #
 # The following is required for Sync Replication.
 {% if 'LDAP-provider' in group_names %}
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ attrs=entry,objectClass
+ filter=(objectClass=FripostVirtual)
+ by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by dn.exact="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by users =0 break
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
- attrs=entry,objectClass,structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
+ attrs=structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
 by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by dn.exact="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
 by users =0 break
 {% endif %}
 #
@@ -214,7 +246,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
 #
 # The list creation service can delete the 'pending' status on lists and list commands.
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
- filter=(&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(objectClass=FripostPendingEntry))
+ filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
 attrs=objectClass val=FripostPendingEntry
 by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" =z break
 by * +0 break
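Review bot: The comment above the changed filter in the second hunk here, `# The list creation service can delete the 'pending' status on lists and list commands.`, is now stale: the filter no longer matches FripostVirtualListCommand and this commit removes that class from the schema. Shorten it to `# The list creation service can delete the 'pending' status on lists.`; the same comment line precedes the identical filter change in the following hunk (@@ -235,7 +267,7 @@) and should be updated there as well.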
@@ -235,7 +267,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
 #
 # The list creation service can delete the 'pending' status on lists and list commands.
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
- filter=(&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(objectClass=FripostPendingEntry))
+ filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
 attrs=fripostPendingToken
 by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +z
 by * +0
@@ -483,21 +515,6 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +rd
 by * +0 break
 #
-# 1. The domain owner can create and delete list commands, but only those with a 'pending' status
-# 2. So can the domain postmaster.
-# 3. The entry creator can delete pending list commands (needed to be able to rollback).
-# 4. People with "canAddList" access can create list commands, but only with a 'pending' status.
-# 5. The list creation service can search and browse the entry.
-olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
- filter=(&(objectClass=FripostVirtualListCommand)(objectClass=FripostPendingEntry))
- attrs=entry
- by group/FripostVirtualDomain/fripostOwner.expand="$1" +w
- by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +w
- by dnattr=creatorsName +z continue
- by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +rd
- by * +0
-#
 # 1. The list owners can read the entry.
 # 2. So can the domain's Owner.
 # 3. So can the domain's Postmaster. |