authorGuilhem Moulin <guilhem@fripost.org>2014-07-08 01:34:37 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:45 +0200
commit4a322932eb63901fa53a46c10f268eb870de70a3 (patch)
tree80532850c83b3b063cb24d1c6e2da830bf268b66 /roles
parent84b0e246987f1d72d0b7bcc3f6f9665c97e8e009 (diff)
Add an LDAP attribute to check if the user wants to use the content filter.
This decision is left to the MX (as for 'fripostIsStatusActive'), which will set the envelope recipient accordingly.
Diffstat (limited to 'roles')
-rw-r--r--roles/common-LDAP/files/etc/ldap/schema/fripost.ldif21
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j219
2 files changed, 17 insertions, 23 deletions
diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index a26f249..0475d20 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -51,126 +51,131 @@
# 1.3.6.1.4.1.40011.1.2.3 Syntax Definitions
# This schema depends on:
# - core.schema
# - cosine.schema
# - nis.schema
dn: cn=fripost,cn=schema,cn=config
objectClass: olcSchemaConfig
#
# Attributes: 1.3.6.1.4.1.40011.1.1
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.1 NAME 'fvd'
DESC 'A virtual mail domain'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvl'
- DESC 'The local part of a virtual user, alias, list or list command'
+ DESC 'The local part of a virtual user, alias or list'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fripostMaildrop'
DESC 'An email address the virtual alias should be mapped to'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
#
# We are creating a new attribute, optional in virtual domains and
# users, because the presence index should *not* apply to the
# mandatory attribute above.
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostOptionalMaildrop'
DESC 'An optional email address for catch-all or domain aliases'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostIsStatusActive'
- DESC 'When present, a token locking the entry in an inactive state'
+ DESC 'Is the entry active?'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.6 NAME 'fripostPendingToken'
DESC 'Is the entry pending?'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostUserQuota'
DESC 'The quota on a user e.g., "50MB"'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostCanAddDomain'
- DESC 'A user/domain that can add domains'
+ DESC 'A user/domain allowed to add domains'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostCanAddAlias'
- DESC 'A user/domain that can add aliases under the parent domain'
+ DESC 'A user/domain allowed to add aliases under the parent domain'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostCanAddList'
- DESC 'A user/domain that can add lists under the parent domain'
+ DESC 'A user/domain allowed to add lists under the parent domain'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostOwner'
- DESC 'A user that owns under parent domain'
+ DESC 'A user being the owner of the parent domain'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostPostmaster'
- DESC 'A user that is a postmaster of the parent domain'
+ DESC 'A user being the postmaster of the parent domain'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostListManager'
DESC 'The list manager'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostUseContentFilter'
+ DESC 'Does the user want to use the content filter?'
+ EQUALITY booleanMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+#
#
# Objects: 1.3.6.1.4.1.40011.1.2
#
olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtual'
AUXILIARY
DESC 'Virtual mail hosting'
MAY ( fripostCanAddDomain ) )
#
olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain'
SUP top STRUCTURAL
DESC 'Virtual domain'
MUST ( fvd $ fripostIsStatusActive )
MAY ( fripostCanAddAlias $ fripostCanAddList $
fripostOwner $ fripostPostmaster $
fripostOptionalMaildrop $ description ) )
#
# Domain alias (for the domain given by fripostMaildrop). Children are ignored.
olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAliasDomain'
SUP FripostVirtualDomain STRUCTURAL
DESC 'Virtual alias domain'
MUST ( fripostMaildrop ) )
#
# | TODO: add limits here
olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualUser'
SUP top STRUCTURAL
DESC 'Virtual user'
- MUST ( fvl $ userPassword $ fripostIsStatusActive )
+ MUST ( fvl $ userPassword $ fripostIsStatusActive $ fripostUseContentFilter )
MAY ( fripostUserQuota $ description) )
#
olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualAlias'
SUP top STRUCTURAL
DESC 'Virtual alias'
MUST ( fvl $ fripostMaildrop $ fripostIsStatusActive )
MAY ( fripostOwner $ description ) )
#
olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualList'
SUP top STRUCTURAL
DESC 'Virtual list'
MUST ( fvl $ fripostListManager $ fripostIsStatusActive )
MAY ( fripostOwner $ description ) )
#
olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostPendingEntry'
SUP top AUXILIARY
DESC 'Virtual pending entry'
MAY ( fripostPendingToken ) )
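Review bot: `fripostUseContentFilter` becomes a MUST attribute of FripostVirtualUser at `+ MUST ( fvl $ userPassword $ fripostIsStatusActive $ fripostUseContentFilter )`, but the commit carries no migration that sets it on the user entries that already exist. On the provider, where schema checking is presumably on, later modifications of such an entry would likely be rejected as an object class violation until the attribute is present (the consumers run with `schemachecking=off`, so they are not affected); the backfill step, and which value it sets, deserves a line in the commit message or a comment next to the attribute. As a point of style, the added block ends with `+#` right before the existing `#` separator, leaving two consecutive `#` lines where the rest of the file uses one between definitions; dropping the added `#` keeps the layout uniform.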
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 9df56f7..6680462 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -108,65 +108,56 @@ olcDbIndex: fripostOptionalMaildrop pres
olcDbIndex: entryCSN,entryUUID eq
{% endif%}
#
#
# References
# - https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_5.0
# - http://www.openldap.org/doc/admin24/tuning.html
# - http://www.openldap.org/faq/data/cache/42.html
# - http://www.openldap.org/faq/data/cache/136.html
# - http://www.zytrax.com/books/ldap/apa/indeces.html
#
#
########################################################################
# Sync Replication
#
# References:
# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
#
{% if 'LDAP-provider' in group_names %}
-{% if groups.MX | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"
+olcLimits: dn.onelevel="ou=syncRepl,dc=fripost,dc=org"
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
{% endif %}
-{% if groups.lists | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org"
- time.soft=unlimited
- time.hard=unlimited
- size.soft=unlimited
- size.hard=unlimited
-{% endif %}
-{% endif %}
{% if 'MX' in group_names and 'LDAP-provider' not in group_names %}
# Test it:
# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapwhoami -H ldaps://ldap.fripost.org/
# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapsearch -H ldaps://ldap.fripost.org/ -b ou=virtual,dc=fripost,dc=org
olcSyncrepl: rid=000
provider=ldaps://ldap.fripost.org
type=refreshAndPersist
retry="10 30 300 +"
searchbase="ou=virtual,dc=fripost,dc=org"
- attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner
+ attrs=objectClass,fvd,fvl,fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner,fripostUseContentFilter
scope=sub
sizelimit=unlimited
schemachecking=off
bindmethod=sasl
saslmech=external
tls_cert=/etc/ldap/ssl/mx.pem
tls_key=/etc/ldap/ssl/mx.key
tls_cacert=/etc/ldap/ssl/ldap.fripost.org.pem
tls_reqcert=hard
{% endif %}
{% if 'lists' in group_names and 'LDAP-provider' not in group_names %}
olcSyncrepl: rid=001
provider=ldaps://ldap.fripost.org
type=refreshAndPersist
retry="10 30 300 +"
searchbase="ou=virtual,dc=fripost,dc=org"
attrs=objectClass,fvd,fvl,fripostListManager,fripostOwner
scope=sub
sizelimit=unlimited
schemachecking=off
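Review bot: The new limit `+olcLimits: dn.onelevel="ou=syncRepl,dc=fripost,dc=org"` grants unlimited time and size limits to every entry directly under ou=syncRepl instead of to the two named replication identities it replaces, and it is no longer gated on an MX or lists host being present. That is only safe while that OU holds nothing but replication consumers, and nothing on the page records that assumption; a comment above the line such as `# Every entry directly under ou=syncRepl is a replication consumer; nothing else belongs there.` would pin the trust boundary. The lists consumer's `attrs=objectClass,fvd,fvl,fripostListManager,fripostOwner` (rid=001) still omits fripostIsStatusActive, which the MX consumer's list now carries; if the lists host is expected to honour the active flag the same way, that list needs the same addition.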
@@ -395,62 +386,60 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvl
filter=(objectClass=FripostVirtualUser)
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% if 'MDA' in group_names -%}
by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
{% endif -%}
by users =0 break
#
# * The SyncRepl MX replicates can check whether a virtual user is
# active, when using a TLS-protected connection.
# * So can Postfix on the MX:es, when connecting a local ldapi:// socket
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
- attrs=fripostIsStatusActive
+ attrs=fripostIsStatusActive,fripostUseContentFilter
filter=(objectClass=FripostVirtualUser)
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
by users =0 break
{% endif %}
{% if 'MDA' in group_names %}
#
# * Amavis can look for per-user configuration options, when
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket.
-# TODO: we need a fripostUseContentFilter here
-# filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE))
# TODO: only allow it to read the configuration options users are allowed
# to set and modify.
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=@AmavisAccount
- filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
+ filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE))
by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
by users =0 break
#
# * Dovecot can look for user quotas, when SASL-binding using the
# EXTERNAL mechanism and connecting to a local ldapi:// socket.
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostUserQuota
filter=(objectClass=FripostVirtualUser)
by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
by users =0 break
{% endif %}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Alias entries
#
# * The SyncRepl MX replicates can read the entry itelf, whether it
# is active, and the address(es) it aliases to, when using a
# TLS-protected connection.
# * So can Postfix on the MX:es, when connecting a local ldapi:// socket
# from the 'private' directory in one of the non-default instance's
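Review bot: The ACL whose attribute list becomes `+ attrs=fripostIsStatusActive,fripostUseContentFilter` is still described by the comment above it as letting the MX replicas and Postfix "check whether a virtual user is active", so the comment no longer says what the rule exposes. I would change its first two lines to `# * The SyncRepl MX replicates can check whether a virtual user is` / `# active and whether it opted in to the content filter, when using a` and leave the rest as is. A consequence of the Amavis filter gaining `(fripostUseContentFilter=TRUE)` that is worth one comment line is that a user who opted out is simply invisible to Amavis through this rule, so if the MX still hands such a message to Amavis it would presumably run with defaults rather than the user's options. The trailing context also carries the typo "itelf" in the Alias entries comment, which could be fixed to "itself" while this file is being touched.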