author | Guilhem Moulin <guilhem@fripost.org> | 2014-07-07 18:37:30 +0200 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2015-06-07 02:52:39 +0200 |
commit | 2dfe29dfcd35fae7160178e329fb0647cc896e3b (patch) | |
tree | 87670f8e62e07dceea26a58cf7aeaf0a57fb62af /roles | |
parent | ddf4de6593756993f859c020bc6db046ca869846 (diff) |
Remove o=mailHosting from the LDAP directory suffix.
So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the
default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it
beforehand).
Diffstat (limited to 'roles')
19 files changed, 107 insertions, 120 deletions
diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext index 6c39bf6..c455c07 100644 --- a/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext +++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext @@ -53,7 +53,7 @@ ldap_version = 3 # LDAP base. %variables can be used here. # For example: dc=mail, dc=example, dc=org -base = fvl=%n,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +base = fvl=%n,fvd=%d,ou=virtual,dc=fripost,dc=org # Dereference: never, searching, finding, always deref = never diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext index 77edba8..1ffa73d 100644 --- a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext +++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext @@ -80,14 +80,14 @@ auth_bind = yes # For example: # auth_bind_userdn = cn=%u,ou=people,o=org # -auth_bind_userdn = fvl=%n,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +auth_bind_userdn = fvl=%n,fvd=%d,ou=virtual,dc=fripost,dc=org # LDAP protocol version to use. Likely 2 or 3. ldap_version = 3 # LDAP base. %variables can be used here. # For example: dc=mail, dc=example, dc=org -base = fvl=%n,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +base = fvl=%n,fvd=%d,ou=virtual,dc=fripost,dc=org # Dereference: never, searching, finding, always deref = never diff --git a/roles/IMAP/files/etc/postfix/virtual/mailbox.cf b/roles/IMAP/files/etc/postfix/virtual/mailbox.cf index 009dd98..e69343b 100644 --- a/roles/IMAP/files/etc/postfix/virtual/mailbox.cf +++ b/roles/IMAP/files/etc/postfix/virtual/mailbox.cf @@ -1,6 +1,6 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 -search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all scope = base bind = none 
diff --git a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf index b082f69..642b722 100644 --- a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf +++ b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf @@ -1,6 +1,6 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 -search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all scope = base bind = none diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml index 48cc8d2..d221486 100644 --- a/roles/LDAP-provider/tasks/main.yml +++ b/roles/LDAP-provider/tasks/main.yml @@ -1,6 +1,6 @@ - name: Load and configure the syncprov overlay openldap: module=syncprov state=present - suffix=o=mailHosting,dc=fripost,dc=org + suffix=dc=fripost,dc=org target=etc/ldap/syncprov.ldif local=file diff --git a/roles/MX/files/usr/local/sbin/reserved-alias.pl b/roles/MX/files/usr/local/sbin/reserved-alias.pl index 603d773..517e51b 100755 --- a/roles/MX/files/usr/local/sbin/reserved-alias.pl +++ b/roles/MX/files/usr/local/sbin/reserved-alias.pl @@ -67,7 +67,7 @@ if (defined $domain) { my @attrs = ( 'fripostPostmaster', 'fripostOwner' ); my $mesg = $ldap->search( base => 'fvd='.escape_dn_value($domain).',' - .'ou=virtual,o=mailHosting,dc=fripost,dc=org' + .'ou=virtual,dc=fripost,dc=org' , scope => 'base' , deref => 'never' , filter => '(&(objectClass=FripostVirtualDomain)' diff --git a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 index c7d2f0a..2e80d45 100644 --- a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 
@@ -1,6 +1,6 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 -search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all scope = base bind = none diff --git a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 index dec8bce..bdfa802 100644 --- a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 @@ -1,6 +1,6 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 -search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +search_base = fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all scope = base bind = none diff --git a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 index 8ac40fd..398e530 100644 --- a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 @@ -1,6 +1,6 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 -search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +search_base = fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all scope = base bind = none diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2 index 5988159..4020b42 100644 --- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2 @@ -1,6 +1,6 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 -search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all scope = base bind = none diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 index a108c0d..118e17a 100644 --- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 @@ -1,6 +1,6 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 -search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org +search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org domain = static:all scope = base bind = none diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2 index 74304a4..43b7f3a 100644 --- a/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2 +++ b/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2 @@ -1,6 +1,6 @@ server_host = ldapi://%2Fprivate%2Fldapi/ version = 3 -search_base = fvd=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org +search_base = fvd=%s,ou=virtual,dc=fripost,dc=org scope = base bind = none query_filter = (&(objectClass=FripostVirtualDomain)(fvd=%s)) diff --git a/roles/amavis/templates/etc/amavis/conf.d/50-user.j2 b/roles/amavis/templates/etc/amavis/conf.d/50-user.j2 index 200ce90..3595331 100644 --- a/roles/amavis/templates/etc/amavis/conf.d/50-user.j2 +++ b/roles/amavis/templates/etc/amavis/conf.d/50-user.j2 @@ -79,7 +79,7 @@ $default_ldap = { deref => 'never', timeout => 5, scope => 'one', - base => 'fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org', + base => 'fvd=%d,ou=virtual,dc=fripost,dc=org', # XXX: ideally we would use %u in the base and the query_filter, but # it's not supported as of amavis 2.7 (see the 'lookup_ldap' # subroutine in /usr/sbin/amavisd-new) diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif index 54f3037..a26f249 100644 --- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif +++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif 
@@ -20,17 +20,17 @@ # # It will load the schema. To perform modifications, the easiest way is to # -# * Save the database: slapcat -b 'o=mailHosting,dc=fripost,dc=dev' > /tmp/db.ldif +# * Save the database: slapcat -b 'dc=fripost,dc=org' > /tmp/db.ldif # * Save the configuration: slapcat -n0 > /tmp/config.ldif # * Backup slap.d: cp -a /etc/ldap/slapd.d/ /tmp/slap.d_back # * Edit the schema in /tmp/config.ldif # * Load the new config: mkdir -m 0700 /tmp/slapd.d_new && slapadd -F /tmp/slapd.d_new -n0 -l /tmp/config.ldif # * Stop slapd: /etc/init.d/slapd stop # * Load the new config: rm -rf /etc/ldap/slapd.d/ && mv /tmp/slapd.d_new /etc/ldap/slapd.d && chown -R openldap:openldap /etc/ldap/slapd.d -# * Create indexes: sudo -u openldap slapindex -b 'o=mailHosting,dc=fripost,dc=dev' +# * Create indexes: sudo -u openldap slapindex -b 'dc=fripost,dc=org' # * Start slapd: /etc/init.d/slapd start # If it fails, remove the existing database and see what's wrong -# rm -rf /var/lib/ldap/dev/* && sudo -u openldap slapadd -b 'o=mailHosting,dc=fripost,dc=org' -l /tmp/db.ldif +# rm -rf /var/lib/ldap/dev/* && sudo -u openldap slapadd -b 'dc=fripost,dc=org' -l /tmp/db.ldif # # # /!\ WARN: All modification to the ACL should be reflected to the test diff --git a/roles/common-LDAP/files/var/lib/ldap/fripost/DB_CONFIG b/roles/common-LDAP/files/var/lib/ldap/DB_CONFIG index c7072dc..07738c2 100644 --- a/roles/common-LDAP/files/var/lib/ldap/fripost/DB_CONFIG +++ b/roles/common-LDAP/files/var/lib/ldap/DB_CONFIG @@ -1,6 +1,6 @@ # It may be a good idea to modify this file, depending on the output of # -# db_stat -mh /var/lib/ldap/fripost | head -16 +# db_stat -mh /var/lib/ldap | head -16 # # (For optimal performance, the Requested pages found in the cache # should be above 95%, and the dirty/clean pages forced from the cache 
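Review bot: The recovery command at the end of the edited comment block still removes `/var/lib/ldap/dev/*`, although this commit moves the database to the default `/var/lib/ldap` (see the `olcDbDirectory` change in database.ldif.j2 and the commit message), so the documented `slapadd` would be run on top of the existing database files rather than into an empty directory. The `dev` path looks like the same leftover from a development setup as the `dc=fripost,dc=dev` suffix that this hunk fixes on the `slapcat` line. Note that a plain `rm -rf /var/lib/ldap/*` would also delete the `DB_CONFIG` the role copies there, so the instruction should restrict itself to the BDB files, e.g. `# rm -f /var/lib/ldap/*.bdb /var/lib/ldap/__db.* /var/lib/ldap/log.* && sudo -u openldap slapadd -b 'dc=fripost,dc=org' -l /tmp/db.ldif`, and say that slapd must be stopped again first.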
@@ -8,13 +8,13 @@ # # and # -# db_stat -ch /var/lib/ldap/fripost | head -16 +# db_stat -ch /var/lib/ldap | head -16 # # (For optimal performance, usage should be within 85% of the configured # values.) # -set_cachesize 0 5242880 1 -# 5MB cachesize, allow defragmentation +# 5MB cachesize +set_cachesize 0 5242880 0 set_lk_max_objects 1500 set_lk_max_locks 1500 set_lk_max_lockers 1500 diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml index 43c6bfb..3b8b36c 100644 --- a/roles/common-LDAP/tasks/main.yml +++ b/roles/common-LDAP/tasks/main.yml @@ -18,30 +18,11 @@ notify: - Restart slapd -# Upon install slapd create and populate a database under /var/lib/ldap. -# We clear it up and create a children directory to get finer-grain -# control. -- name: Clear empty /var/lib/ldap - # Don't remove the database (and fail) if it contains something else - # than its suffix or cn=admin,... - openldap: dbdirectory=/var/lib/ldap ignoredn=cn=admin - state=absent - -- name: Create directory /var/lib/ldap/fripost - file: path=/var/lib/ldap/fripost - state=directory +- name: Copy DB_CONFIG + copy: src=var/lib/ldap/DB_CONFIG + dest=/var/lib/ldap/DB_CONFIG owner=openldap group=openldap - mode=0700 - -- name: Copy /var/lib/ldap/fripost/DB_CONFIG - copy: src=var/lib/ldap/fripost/DB_CONFIG - dest=/var/lib/ldap/fripost/DB_CONFIG - owner=openldap group=openldap - mode=0600 - register: r2 - notify: - # Not sure if required - - Restart slapd + mode=0644 - name: Create directory /etc/ldap/ssl file: path=/etc/ldap/ssl @@ -63,9 +44,9 @@ --usage=digitalSignature,keyEncipherment -t rsa -b 4096 -h sha256 --chown="root:openldap" --chmod=0640 - register: r3 - changed_when: r3.rc == 0 - failed_when: r3.rc > 1 + register: r2 + changed_when: r2.rc == 0 + failed_when: r2.rc > 1 with_items: - { group: 'LDAP-provider', name: ldap.fripost.org, ou: } - { group: 'MX', name: mx, ou: --ou=SyncRepl } 
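Review bot: Dropping the `Clear empty /var/lib/ldap` task means the database that the Debian slapd package creates and populates at install time (the removed comment says so, and the removed `ignoredn=cn=admin` guard shows a `cn=admin` entry is expected there) now becomes the production `dc=fripost,dc=org` database, and nothing in this hunk removes or overrides that entry. On a stock install that entry presumably carries the password entered at debconf time; the `userPassword` catch-all ACL later in this commit denies simple binds to it, which limits the exposure, but it is still a credential in the directory that the playbook no longer manages. Consider a task that deletes `cn=admin,dc=fripost,dc=org` (or fails when it is present) once the database has been configured. Separately, `DB_CONFIG` is now installed with `mode=0644` and no longer notifies `Restart slapd`; if that is intentional because the same values are also pushed through `olcDbConfig`, a one-line comment above the task, e.g. `# Tuning is also set via olcDbConfig, so no restart is needed here`, would save the next reader from wondering.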
@@ -123,12 +104,13 @@ tags: - ldap +# We assume a clean (=stock) cn=config - name: Configure the LDAP database openldap: target=etc/ldap/database.ldif.j2 local=template state=present - name: Start slapd service: name=slapd state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 308bece..f633692 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -34,8 +34,8 @@ olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem olcTLSVerifyClient: allow -olcAuthzRegexp: "^cn=([^,]+),ou=SyncRepl,ou=LDAP,ou=SSLcerts,o=Fripost$" - "cn=$1,ou=replicates,o=mailHosting,dc=fripost,dc=org" +olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$" + "$1,dc=fripost,dc=org" olcSaslSecProps: minssf=128,noanonymous,noplain,nodict # XXX We would like to say 'PFS' here, but Wheezy'z GnuTLS (libgnutls26 # 2.12.20-8+deb7u2) is too old :-( (Also, DHE/ECDHE are not supported.) @@ -51,8 +51,8 @@ olcPasswordCryptSaltFormat: $6$%s dn: olcDatabase=hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig -olcDbDirectory: /var/lib/ldap/fripost -olcSuffix: o=mailHosting,dc=fripost,dc=org +olcDbDirectory: /var/lib/ldap +olcSuffix: dc=fripost,dc=org {% if 'LDAP-provider' not in group_names and ('MX' in group_names or 'lists' in group_names) %} olcReadOnly: TRUE {% endif %} 
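Review bot: Reusing the stock `olcDatabase=hdb` entry (the new `# We assume a clean (=stock) cn=config` comment in the tasks hunk makes this explicit) means the `olcRootDN` and `olcRootPW` that the Debian package sets at install time are already present in `cn=config`; the template overrides `olcRootDN` with the peercred identity visible a few lines below, but I cannot see from this hunk whether `olcRootPW` is deleted or merely left untouched. slapd only honours a root password when the root DN lies within the database suffix, so a stale `olcRootPW` is probably not bindable with the SASL root DN, but it is still the install-time admin password hash sitting in the configuration with nothing in the role managing it. Suggest stating the expectation in the template, e.g. `# olcRootPW must stay unset: the root DN is only reachable via SASL/EXTERNAL on ldapi://`, together with whatever the `openldap` module needs to remove the attribute, or a task that fails when `olcRootPW` is present.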
@@ -62,6 +62,11 @@ olcDbCheckpoint: 512 15 {% else %} olcLastMod: FALSE {% endif %} +# See DB_CONFIG +olcDbConfig: set_cachesize 0 5242880 0 +olcDbConfig: set_lk_max_objects 1500 +olcDbConfig: set_lk_max_locks 1500 +olcDbConfig: set_lk_max_lockers 1500 # The root user has all rights on the whole database (when SASL-binding # on a UNIX socket). olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth @@ -79,7 +84,7 @@ olcSecurity: simple_bind=128 ssf=128 update_ssf=128 # # To reindex an existing database, you have to # * Stop slapd sudo service slapd stop -# * Reindex su openldap -c "slapindex -b 'o=mailHosting,dc=fripost,dc=org'" +# * Reindex su openldap -c "slapindex -b 'dc=fripost,dc=org'" # * Restart slapd sudo service slapd start # olcDbIndex: objectClass eq @@ -117,14 +122,14 @@ olcDbIndex: entryCSN,entryUUID eq # {% if 'LDAP-provider' in group_names %} {% if groups.MX | difference([inventory_hostname]) %} -olcLimits: dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" +olcLimits: dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited {% endif %} {% if groups.lists | difference([inventory_hostname]) %} -olcLimits: dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" +olcLimits: dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" time.soft=unlimited time.hard=unlimited size.soft=unlimited 
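Review bot: The four `olcDbConfig` values added here duplicate the `DB_CONFIG` file that the tasks file still copies into `/var/lib/ldap`, so the same BDB tuning now has two sources of truth. As I read slapd-config(5), slapd writes `DB_CONFIG` from `olcDbConfig` only when the file does not exist yet and otherwise reads the existing file back into the attribute, so whichever of the two is applied first wins and a later edit to only one of them goes out of sync without any error. Pick one: either drop the copy task and keep these attributes, or keep the file and drop the attributes; in either case the `# See DB_CONFIG` comment should say which copy is authoritative, e.g. `# Authoritative BDB tuning; slapd creates DB_CONFIG from these values on first start`.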
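Review bot: `cn=mX,ou=syncRepl,dc=fripost,dc=org` in the new `olcLimits` line (and in every ACL clause below that names the MX replica) capitalises the CN differently from the certificate it is mapped from, which the tasks file generates with `name: mx`, and from the `cn=lists` sibling two lines down. This presumably still works because `cn` uses caseIgnoreMatch and `dn.exact` compares normalised DNs, and the same goes for `ou=syncRepl` versus the `--ou=SyncRepl` passed when the certificate is generated, but it reads like a typo and will defeat anyone grepping the repository for the replica identity. Suggest `olcLimits: dn.exact="cn=mx,ou=syncRepl,dc=fripost,dc=org"` here and the same spelling in the `by dn.exact=` clauses.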
@@ -134,12 +139,12 @@ olcLimits: dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" {% if 'MX' in group_names and 'LDAP-provider' not in group_names %} # Test it: # LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapwhoami -H ldaps://ldap.fripost.org/ -# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapsearch -H ldaps://ldap.fripost.org/ -b ou=virtual,o=mailHosting,dc=fripost,dc=org +# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapsearch -H ldaps://ldap.fripost.org/ -b ou=virtual,dc=fripost,dc=org olcSyncrepl: rid=000 provider=ldaps://ldap.fripost.org type=refreshAndPersist retry="10 30 300 +" - searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org" + searchbase="ou=virtual,dc=fripost,dc=org" attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner scope=sub sizelimit=unlimited @@ -156,7 +161,7 @@ olcSyncrepl: rid=001 provider=ldaps://ldap.fripost.org type=refreshAndPersist retry="10 30 300 +" - searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org" + searchbase="ou=virtual,dc=fripost,dc=org" attrs=objectClass,fvd,fvl,fripostListManager,fripostOwner scope=sub sizelimit=unlimited 
@@ -217,21 +222,21 @@ olcAddContentAcl: TRUE # granted. # * The same goes for general admins. # * The same goes for local admins. -olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$" +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,dc=fripost,dc=org)$" filter=(objectClass=FripostVirtualUser) attrs=userPassword by realanonymous tls_ssf=128 =xd by realanonymous sockurl.regex="^ldapi://" =xd by realself tls_ssf=128 =w by group/FripostVirtualDomain/fripostPostmaster.expand="$1" tls_ssf=128 =w - by dn.onelevel="ou=admins,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =w + by dn.onelevel="ou=admins,dc=fripost,dc=org" tls_ssf=128 =w by dn.exact="username=guilhem,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =w # # XXX # * Anonymous users are allowed to simple bind as Postfix, but only when # using a local ldapi:// listener from one of the Postfix instance # (which should be accessible by the 'postfix' UNIX user only). -olcAccess: to dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" attrs=userPassword by realanonymous sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =xd # @@ -239,7 +244,7 @@ olcAccess: to dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" # # * Catch-all: no one else may access the passwords (including for # simple bind). -olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.subtree="dc=fripost,dc=org" attrs=userPassword by * =0 # 
@@ -251,35 +256,35 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=org" # * So can Dovecot on the MDA (for the iterate filter), when # SASL-binding using the EXTERNAL mechanism and connecting to a local # ldapi:// socket. -olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org" attrs=entry,objectClass filter=(objectClass=FripostVirtual) {% if 'LDAP-provider' in group_names -%} {% if groups.MX | difference([inventory_hostname]) -%} - by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if groups.lists | difference([inventory_hostname]) -%} - by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% endif -%} {% if 'MDA' in group_names -%} - by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd + by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd {% endif -%} - by users =0 break + by users =0 break # # * Only SyncRepl replicates may access operational attributes in the # subtree, when using a TLS-protected connection. 
-olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org" attrs=structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry {% if 'LDAP-provider' in group_names -%} {% if groups.MX | difference([inventory_hostname]) -%} - by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if groups.lists | difference([inventory_hostname]) -%} - by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% endif -%} - by * =0 + by * =0 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Domain entries 
@@ -297,26 +302,26 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org" # SASL-binding using the EXTERNAL mechanism and connecting to a local # ldapi:// socket. This is required for the 'reserved-alias.pl' # script. -olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" +olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" attrs=entry,objectClass,fvd filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) {% if 'LDAP-provider' in group_names -%} {% if groups.MX | difference([inventory_hostname]) -%} - by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if groups.lists | difference([inventory_hostname]) -%} - by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% endif -%} - by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd + by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% if 'MDA' in group_names -%} - by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd - by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd + by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd + by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd {% endif -%} {% if 'MX' in group_names -%} - by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd + by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd {% endif -%} - by users =0 break + by users =0 break # # * The 
SyncRepl MX replicates can check whether a virtual domain is # active, and read the destination address for catch-alls, when using @@ -325,16 +330,16 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" # from the 'private' directory in one of the non-default instance's # chroot. {% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %} -olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" +olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" attrs=fripostIsStatusActive,fripostOptionalMaildrop filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%} - by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if 'MX' in group_names -%} - by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd + by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% endif -%} - by users =0 break + by users =0 break {% endif %} # # * The 'nobody' UNIX user can list the domain owners and postmasters on 
@@ -342,11 +347,11 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" # connecting to a local ldapi:// socket. This is required for the # 'reserved-alias.pl' script. {% if 'MX' in group_names %} -olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" +olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" attrs=fripostOwner,fripostPostmaster filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd - by users =0 break + by users =0 break {% endif %} # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
@@ -359,16 +364,16 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" # from the 'private' directory in one of the non-default instance's # chroot. {% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %} -olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" +olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" attrs=entry,fripostMaildrop filter=(&(objectClass=FripostVirtualAliasDomain)(!(objectClass=FripostPendingEntry))) {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%} - by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if 'MX' in group_names -%} - by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd + by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% endif -%} - by users =0 break + by users =0 break {% endif %} # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
@@ -383,18 +388,18 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" # ldapi:// socket. # * So has Amavis on the MDA, when SASL-binding using the EXTERNAL # mechanism and connecting to a local ldapi:// socket. -olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" +olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" attrs=entry,objectClass,fvl filter=(objectClass=FripostVirtualUser) {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%} - by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} - by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd + by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% if 'MDA' in group_names -%} - by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd - by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd + by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd + by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd {% endif -%} - by users =0 break + by users =0 break # # * The SyncRepl MX replicates can check whether a virtual user is # active, when using a TLS-protected connection. 
@@ -402,16 +407,16 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost # from the 'private' directory in one of the non-default instance's # chroot. {% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %} -olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" +olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" attrs=fripostIsStatusActive filter=(objectClass=FripostVirtualUser) {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%} - by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if 'MX' in group_names -%} - by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd + by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% endif -%} - by users =0 break + by users =0 break {% endif %} {% if 'MDA' in group_names %} # @@ -422,7 +427,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost # filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE)) # TODO: only allow it to read the configuration options users are allowed # to set and modify. -olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" +olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" attrs=@AmavisAccount filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)) by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd 
@@ -430,7 +435,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost # # * Dovecot can look for user quotas, when SASL-binding using the # EXTERNAL mechanism and connecting to a local ldapi:// socket. -olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" +olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" attrs=fripostUserQuota filter=(objectClass=FripostVirtualUser) by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd @@ -447,16 +452,16 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost # from the 'private' directory in one of the non-default instance's # chroot. {% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %} -olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" +olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" attrs=entry,objectClass,fvl,fripostMaildrop,fripostIsStatusActive filter=(objectClass=FripostVirtualAlias) {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%} - by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if 'MX' in group_names -%} - by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd + by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% endif -%} - by users =0 break + by users =0 break {% endif %} # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
@@ -470,21 +475,21 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost # XXX: where does sympa enter the picture? we really don't want to reintroduce listcomands... {% if 'MX' in group_names or 'lists' in group_names or ('LDAP-provider' in group_names and (groups.lists | difference([inventory_hostname]) or groups.MX | difference([inventory_hostname]))) %} -olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$" +olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$" attrs=entry,objectClass,fvl,fripostListManager filter=(&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry))) {% if 'LDAP-provider' in group_names -%} {% if groups.MX | difference([inventory_hostname]) -%} - by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% if groups.lists | difference([inventory_hostname]) -%} - by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd + by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd {% endif -%} {% endif -%} {% if 'MX' in group_names or 'lists' in group_names -%} - by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd + by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd {% endif -%} - by users =0 break + by users =0 break {% endif %} # # * The SyncRepl MX replicates can check whether a virtual list is 
@@ -493,16 +498,16 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
 # from the 'private' directory in one of the non-default instance's
 # chroot.
 {% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
 attrs=fripostIsStatusActive
 filter=(&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry)))
 {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
 {% endif -%}
 {% if 'MX' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
 {% endif -%}
- by users =0 break
+ by users =0 break
 {% endif %}
 {% if 'LDAP-provider' in group_names %}
 #
@@ -516,8 +521,8 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
 #
 # * Catch all the breaks above.
 # * Deny any access to everyone else.
-olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=org"
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +0
- by * =0
+olcAccess: to dn.subtree="dc=fripost,dc=org"
+ by dn.children="ou=virtual,dc=fripost,dc=org" +0
+ by * =0
 # vim: set filetype=ldif :
diff --git a/roles/lists/files/etc/postfix/virtual/transport_list.cf b/roles/lists/files/etc/postfix/virtual/transport_list.cf
index f85c4f8..384b832 100644
--- a/roles/lists/files/etc/postfix/virtual/transport_list.cf
+++ b/roles/lists/files/etc/postfix/virtual/transport_list.cf
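Review bot: The rewritten catch-all `+olcAccess: to dn.subtree="dc=fripost,dc=org"` in the -516 hunk now spans the whole database suffix instead of the former `o=mailHosting` subtree, so the suffix entry and the `ou=services` / `ou=syncRepl` identities referenced by the earlier rules are now denied to everyone (`by * =0`) unless a rule above grants access. That is a tightening rather than a hole, but it is worth recording in the comment block so nobody re-scopes it later, e.g. `# * This is the whole database suffix: anything not granted above (incl. ou=services and ou=syncRepl) is denied here.` If any of those service or replication identities authenticates with a simple bind, an `auth` grant on its userPassword must precede this rule; those earlier rules are outside the hunk, so I could not verify that here. The olcDatabase entry these values belong to starts outside the hunk.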
@@ -1,6 +1,6 @@
 server_host = ldapi://%2Fprivate%2Fldapi/
 version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
 domain = static:all
 scope = base
 bind = none
diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2
index a661909..06f1556 100644
--- a/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2
+++ b/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2
@@ -45,7 +45,7 @@ $rcmail_config['password_ldap_version'] = '3';
 // LDAP base name (root directory)
 // Exemple: 'dc=exemple,dc=com'
-$rcmail_config['password_ldap_basedn'] = 'ou=virtual,o=mailHosting,dc=fripost,dc=org';
+$rcmail_config['password_ldap_basedn'] = 'ou=virtual,dc=fripost,dc=org';
 // LDAP connection method
 // There is two connection method for changing a user's LDAP password.
@@ -72,7 +72,7 @@ $rcmail_config['password_ldap_adminPW'] = null;
 // '%domain' will be replaced by the current roundcube user's domain part
 // '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
 // Exemple: 'uid=%login,ou=people,dc=exemple,dc=com'
-$rcmail_config['password_ldap_userDN_mask'] = 'fvl=%name,fvd=%domain,ou=virtual,o=mailHosting,dc=fripost,dc=org';
+$rcmail_config['password_ldap_userDN_mask'] = 'fvl=%name,fvd=%domain,ou=virtual,dc=fripost,dc=org';
 // LDAP search DN
 // The DN roundcube should bind with to find out user's DN |
