author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-07 15:52:36 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:52:38 +0200 |
commit | 889def3fa23e168515b7467b7711bbacae08d0da (patch) | |
tree | 19816f7adb25f16b762c613e5ad0101dd24a831e /roles | |
parent | e6b66f93ab6ce2741e514753fc747f4cde0f595e (diff) |
typo
Diffstat (limited to 'roles')
-rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 59 |
1 files changed, 30 insertions, 29 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 291b5cb..cba0eb0 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -75,72 +75,72 @@ olcSecurity: simple_bind=128 ssf=128 update_ssf=128 # # ######################################################################## # Performance considerations # # To reindex an existing database, you have to # * Stop slapd sudo service slapd stop # * Reindex su openldap -c "slapindex -b 'o=mailHosting,dc=fripost,dc=org'" # * Restart slapd sudo service slapd start # olcDbIndex: objectClass eq # Let us make Postfix's life easier. {% if 'MX' in group_names or 'MDA' in group_names %} olcDbIndex: fripostIsStatusActive,fvd,fvl eq {% endif %} {% if 'MX' in group_names %} olcDbIndex: fripostOptionalMaildrop pres {% endif %} {% if ('LDAP-provider' not in group_names and ('MX' in group_names or 'lists' in group_names)) or - 'LDAP-provider' in group_names and - (groups.MX | difference([inventory_hostname]) > 1 or - groups.lists | difference([inventory_hostname]) > 1) %} + 'LDAP-provider' in group_names and + (groups.MX | difference([inventory_hostname]) or + groups.lists | difference([inventory_hostname])) %} # SyncProv/SyncRepl specific indexing. 
olcDbIndex: entryCSN,entryUUID eq {% endif%} # # # References # - https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_5.0 # - http://www.openldap.org/doc/admin24/tuning.html # - http://www.openldap.org/faq/data/cache/42.html # - http://www.openldap.org/faq/data/cache/136.html # - http://www.zytrax.com/books/ldap/apa/indeces.html # # ######################################################################## # Sync Replication # # References: # - http://www.openldap.org/doc/admin24/replication.html#Syncrepl # - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap # {% if 'LDAP-provider' in group_names %} -{% if groups.MX | difference([inventory_hostname]) > 1 %} +{% if groups.MX | difference([inventory_hostname]) %} olcLimits: dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited {% endif %} -{% if groups.lists | difference([inventory_hostname]) > 1 %} +{% if groups.lists | difference([inventory_hostname]) %} olcLimits: dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited {% endif %} {% endif %} {% if 'MX' in group_names and 'LDAP-provider' not in group_names %} olcSyncrepl: rid=000 provider=ldaps://ldap.fripost.org type=refreshAndPersist retry="10 30 300 +" searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org" attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner scope=sub sizelimit=unlimited schemachecking=off bindmethod=sasl saslmech=external tls_cert=/etc/ldap/ssl/mx.pem 
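Review bot: The corrected guard `groups.MX | difference([inventory_hostname])` (and its `groups.lists` twin) is now spelled out inline in this hunk and a dozen more times in the third hunk, where it gates which replicate DNs get `olcLimits` and `olcAccess` grants, so every copy has to be audited separately and a later edit can drift. A single definition near the top of the template, outside this hunk, would make the replication-related ACL lines easier to review: `{% set mx_replicas = groups.MX | difference([inventory_hostname]) %}` and `{% set lists_replicas = groups.lists | difference([inventory_hostname]) %}`, with the guards reduced to `{% if mx_replicas %}`. A short comment on those definitions stating that the list is empty when this host is the only member of the group would also record why truthiness, not `> 1`, is the intended test; if the template was rendered under Python 2, the old list-versus-int comparison was presumably always true, which is why the former guards never dropped the `entryCSN,entryUUID` index or the unlimited limits.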
@@ -167,42 +167,43 @@ olcSyncrepl: rid=001 {% endif %} # # ######################################################################## # Access control # /!\ WARN: All modification to the ACL should be reflected to the test # /!\ suite as well! olcAddContentAcl: TRUE # # Overview: # - Authentication (XXX: strong authentication) is required prior to any DIT # operation (see 'olcRequires'). # - We force a Security Strength Factor of 128 or above for all operations (see # 'olcSecurity'), meaning one must use either a local connection (eg, # ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at # least 128 bits of security. # - XXX: Services may not simple bind other than locally on a ldapi:// socket. # If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// # socket whenever possible (if the service itself supports SASL binds). # If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// -# socket, and their identity should be derived from the CN of the client -# certificate only (hence services may not simple bind). +# socket, and their identity should be derived from the Subject of the +# client certificate (the cert should be added to 'olcTLSCACertificateFile', +# and 'olcAuthzRegexp' should map the X.509 subject to the LDAP DN). # - Admins have restrictions similar to that of the services. # - User access is only restricted by our global 'olcSecurity' attribute. # # # References: # - http://www.openldap.org/doc/admin24/access-control.html # - http://www.openldap.org/faq/data/cache/189.html # - http://www.openldap.org/faq/data/cache/1140.html # - http://www.openldap.org/faq/data/cache/1133.html # - man 5 slapd.access # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # User Passwords: # # * Anonymous users are allowed to simple bind through TLS-protected # connections. 
# * Anonymous users are allowed to simple bind when connecting to a # local ldapi:// socket (when using auth_binds, Dovecot delegates # authentication to the LDAP server). # * Authenticated users are allowed to change (ie replace) their 
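Review bot: The reworded comment describes deriving a service's identity from the client certificate's Subject via `olcAuthzRegexp`, but it does not say what the mapping must guarantee, and the `olcAuthzRegexp` and `olcTLSCACertificateFile` settings themselves are not in this hunk. I would extend the comment with `# The 'olcAuthzRegexp' must match the whole certificate subject (anchored with ^ and $), so that no other certificate issued under the same CA file can map to a service DN.` Since anything placed in `olcTLSCACertificateFile` becomes a trust anchor for client authentication, a sentence noting that only the service certificates (or a dedicated CA) belong there would help whoever maintains the file; and the subject is only available to SASL/EXTERNAL if the server requests the client certificate (`olcTLSVerifyClient`), which is presumably configured elsewhere and worth cross-referencing here.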
@@ -216,300 +217,300 @@ olcAddContentAcl: TRUE olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$" filter=(objectClass=FripostVirtualUser) attrs=userPassword by realanonymous tls_ssf=128 =xd by realanonymous sockurl.regex="^ldapi://" =xd by realself tls_ssf=128 =w by group/FripostVirtualDomain/fripostPostmaster.expand="$1" tls_ssf=128 =w by dn.onelevel="ou=admins,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =w by dn.exact="username=guilhem,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =w # # XXX # * Anonymous users are allowed to simple bind as Postfix, but only when # using a local ldapi:// listener from one of the Postfix instance # (which should be accessible by the 'postfix' UNIX user only). olcAccess: to dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" attrs=userPassword by realanonymous sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =xd # # TODO: are there other services which need to be able to simple bind? # -# * Catch-all: no one else may access the passwords (including simple -# bind). +# * Catch-all: no one else may access the passwords (including for +# simple bind). olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by * =0 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Base # # * The SyncRepl replicates may use the base as a searchBase, when using # a TLS-protected connection. # * So can Dovecot on the MDA (for the iterate filter), when # SASL-binding using the EXTERNAL mechanism and connecting to a local # ldapi:// socket. 
olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" attrs=entry,objectClass filter=(objectClass=FripostVirtual) {% if 'LDAP-provider' in group_names -%} - {% if groups.MX | difference([inventory_hostname]) > 1 -%} + {% if groups.MX | difference([inventory_hostname]) -%} by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} - {% if groups.lists | difference([inventory_hostname]) > 1 -%} + {% if groups.lists | difference([inventory_hostname]) -%} by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% endif -%} {% if 'MDA' in group_names -%} by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd {% endif -%} by users =0 break # # * Only SyncRepl replicates may access operational attributes in the # subtree, when using a TLS-protected connection. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org" attrs=structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry {% if 'LDAP-provider' in group_names -%} - {% if groups.MX | difference([inventory_hostname]) > 1 -%} + {% if groups.MX | difference([inventory_hostname]) -%} by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} - {% if groups.lists | difference([inventory_hostname]) > 1 -%} + {% if groups.lists | difference([inventory_hostname]) -%} by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% endif -%} by * =0 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Domain entries # # * The SyncRepl replicates have read access to the entry itself, when # using a TLS-protected connection. # * So has Postfix, when connecting a local ldapi:// socket from the # 'private' directory in one of the non-default instance's chroot. 
# * So has Dovecot on the MDA (for the iterate filter), when # SASL-binding using the EXTERNAL mechanism and connecting to a local # ldapi:// socket. # * Amavis may use the entry as searchBase (required to look for the # per-user preferences) but doesn't have read access to the entry. # * The 'nobody' UNIX user has read access on the MX:es, when using # SASL-binding using the EXTERNAL mechanism and connecting to a local # ldapi:// socket. This is required for the 'reserved-alias.pl' # script. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" attrs=entry,objectClass,fvd filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) {% if 'LDAP-provider' in group_names -%} - {% if groups.MX | difference([inventory_hostname]) > 1 -%} + {% if groups.MX | difference([inventory_hostname]) -%} by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} - {% if groups.lists | difference([inventory_hostname]) > 1 -%} + {% if groups.lists | difference([inventory_hostname]) -%} by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% endif -%} by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% if 'MDA' in group_names -%} by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd {% endif -%} {% if 'MX' in group_names -%} by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd {% endif -%} by users =0 break # # * The SyncRepl MX replicates can check whether a virtual domain is # active, and read the destination address for catch-alls, when using # a TLS-protected connection. 
# * So can Postfix on the MX:es, when connecting a local ldapi:// socket # from the 'private' directory in one of the non-default instance's # chroot. -{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) > 1) %} +{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %} olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" attrs=fripostIsStatusActive,fripostOptionalMaildrop filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) - {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) > 1 -%} + {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%} by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if 'MX' in group_names -%} by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% endif -%} by users =0 break {% endif %} # # * The 'nobody' UNIX user can list the domain owners and postmasters on # the MX:es, when SASL-binding using the EXTERNAL mechanism and # connecting to a local ldapi:// socket. This is required for the # 'reserved-alias.pl' script. {% if 'MX' in group_names %} olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" attrs=fripostOwner,fripostPostmaster filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd by users =0 break {% endif %} # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Alias domain entries # # * The SyncRepl MX replicates have read access to the entry itself and # the destination domain it aliases to, when using a TLS-protected # connection. 
# * So has Postfix on the MX:es, when connecting a local ldapi:// socket # from the 'private' directory in one of the non-default instance's # chroot. -{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) > 1) %} +{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %} olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" attrs=entry,fripostMaildrop filter=(&(objectClass=FripostVirtualAliasDomain)(!(objectClass=FripostPendingEntry))) - {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) > 1 -%} + {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%} by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if 'MX' in group_names -%} by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% endif -%} by users =0 break {% endif %} # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # User entries # # * The SyncRepl replicates have read access to the entry itself, when # using a TLS-protected connection. # * So has Postfix, when connecting a local ldapi:// socket from the # 'private' directory in one of the non-default instance's chroot. # * So has Dovecot on the MDA (for the iterate filter), when # SASL-binding using the EXTERNAL mechanism and connecting to a local # ldapi:// socket. # * So has Amavis on the MDA, when SASL-binding using the EXTERNAL # mechanism and connecting to a local ldapi:// socket. 
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" attrs=entry,objectClass,fvl filter=(objectClass=FripostVirtualUser) - {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) > 1 -%} + {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%} by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% if 'MDA' in group_names -%} by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd {% endif -%} by users =0 break # # * The SyncRepl MX replicates can check whether a virtual user is # active, when using a TLS-protected connection. # * So can Postfix on the MX:es, when connecting a local ldapi:// socket # from the 'private' directory in one of the non-default instance's # chroot. 
-{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) > 1) %} +{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %} olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" attrs=fripostIsStatusActive filter=(objectClass=FripostVirtualUser) - {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) > 1 -%} + {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%} by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if 'MX' in group_names -%} by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% endif -%} by users =0 break {% endif %} {% if 'MDA' in group_names %} # # * Amavis can look for per-user configuration options, when # SASL-binding using the EXTERNAL mechanism and connecting to a local # ldapi:// socket. # TODO: we need a fripostUseContentFilter here # filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE)) # TODO: only allow it to read the configuration options users are allowed # to set and modify. olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" attrs=@AmavisAccount filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)) by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd by users =0 break # # * Dovecot can look for user quotas, when SASL-binding using the # EXTERNAL mechanism and connecting to a local ldapi:// socket. 
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" attrs=fripostUserQuota filter=(objectClass=FripostVirtualUser) by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd by users =0 break {% endif %} # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Alias entries # # * The SyncRepl MX replicates can read the entry itelf, whether it # is active, and the address(es) it aliases to, when using a # TLS-protected connection. # * So can Postfix on the MX:es, when connecting a local ldapi:// socket # from the 'private' directory in one of the non-default instance's # chroot. -{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) > 1) %} +{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %} olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" attrs=entry,objectClass,fvl,fripostMaildrop,fripostIsStatusActive filter=(objectClass=FripostVirtualAlias) - {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) > 1 -%} + {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%} by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if 'MX' in group_names -%} by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% endif -%} by users =0 break {% endif %} # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # List entries # # * The SyncRepl replicates can read the entry itelf and the list manager, when # using a TLS-protected connection. 
# * So can Postfix on the MX:es and lists managers, when connecting a local # ldapi:// socket from the 'private' directory in one of the non-default # instance's chroot. # XXX: where does sympa enter the picture? we really don't want to reintroduce listcomands... {% if 'MX' in group_names or 'lists' in group_names or ('LDAP-provider' in group_names and - (groups.lists | difference([inventory_hostname]) > 1 or groups.MX | difference([inventory_hostname]) > 1)) %} + (groups.lists | difference([inventory_hostname]) or groups.MX | difference([inventory_hostname]))) %} olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" attrs=entry,objectClass,fvl,fripostListManager filter=(&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))) {% if 'LDAP-provider' in group_names -%} - {% if groups.MX | difference([inventory_hostname]) > 1 -%} + {% if groups.MX | difference([inventory_hostname]) -%} by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} - {% if groups.lists | difference([inventory_hostname]) > 1 -%} + {% if groups.lists | difference([inventory_hostname]) -%} by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% endif -%} {% if 'MX' in group_names or 'lists' in group_names -%} by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% endif -%} by users =0 break {% endif %} # # * The SyncRepl MX replicates can check whether a virtual list is # active when using a TLS-protected connection. # * So can Postfix on the MX:es, when connecting a local ldapi:// socket # from the 'private' directory in one of the non-default instance's # chroot. 
-{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) > 1) %} +{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %} olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" attrs=fripostIsStatusActive filter=(&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))) - {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) > 1 -%} + {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%} by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if 'MX' in group_names -%} by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% endif -%} by users =0 break {% endif %} {% if 'LDAP-provider' in group_names %} # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # TODO: allow users to edit their entry, etc # {% endif %} # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Catch-all # # * Catch all the breaks above. # * Deny any access to everyone else. olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=org" |