-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j222
-rw-r--r--roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf3
-rw-r--r--roles/mx/files/etc/postfix/virtual/alias_maps.cf3
-rw-r--r--roles/mx/files/etc/postfix/virtual/lists_maps.cf3
-rw-r--r--roles/mx/files/etc/postfix/virtual/mailbox_domains.cf3
-rw-r--r--roles/mx/files/etc/postfix/virtual/mailbox_maps.cf3
-rw-r--r--roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf3
7 files changed, 17 insertions, 23 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 8333032..03691f9 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -6,44 +6,43 @@
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDbDirectory: /var/lib/ldap/fripost
olcSuffix: o=mailHosting,dc=fripost,dc=org
olcLastMod: TRUE
olcDbCheckpoint: 512 15
# Require LDAPv3 protocol and authentication prior to directory
# operations.
-olcRequires: LDAPv3 authc
-# We don't want to give "canAdd{Alias,List}" write access to alias/list
-# attributes.
-olcAddContentAcl: FALSE
+olcRequires: LDAPv3
+# TODO: how 'olcAddContentAcl' affects the test suite?
+olcAddContentAcl: TRUE
# The root user has all rights on the whole database (when SASL-binding
# on a UNIX socket).
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#
#
########################################################################
########################################################################
# Performance considerations
#
# To reindex an existing database, you have to
# * Stop slapd sudo service slapd stop
# * Reindex su openldap -c "slapindex -b 'o=mailHosting,dc=fripost,dc=org'"
# * Restart slapd sudo service slapd start
#
# References
# - https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_5.0
# - http://www.openldap.org/doc/admin24/tuning.html
# - http://www.openldap.org/faq/data/cache/42.html
# - http://www.openldap.org/faq/data/cache/136.html
# - http://www.zytrax.com/books/ldap/apa/indeces.html
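Review bot: The comment on the two lines above `olcRequires` ("Require LDAPv3 protocol and authentication prior to directory operations") is now stale: the new value `olcRequires: LDAPv3` drops `authc`, so unauthenticated operations are accepted — which the Postfix tables in this commit depend on now that they use `bind = none`. Suggested replacement: `# Require LDAPv3 protocol prior to directory operations. Authentication is` / `# no longer required: Postfix queries the directory anonymously over ldapi.` The flip of `olcAddContentAcl` from FALSE to TRUE ships with an open TODO; with it enabled slapd checks the ACL on each attribute of an entry being added, so the intent documented by the removed comment (not granting canAdd{Alias,List} write access to alias/list attributes) needs to be re-checked against the access rules in the next hunk and the test suite before merge, rather than left as a question in the shipped config.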
@@ -81,71 +80,72 @@ olcDbIndex: entryCSN,entryUUID eq
#
# (For optimal performance, usage should be within 85% of the configured
# values.)
#
#
########################################################################
########################################################################
# Access control
# /!\ WARN: All modification to the ACL should be reflected to the test
# /!\ suite as well!
#
# References:
# - http://www.openldap.org/doc/admin24/access-control.html
# - http://www.openldap.org/faq/data/cache/189.html
# - http://www.openldap.org/faq/data/cache/1140.html
# - http://www.openldap.org/faq/data/cache/1133.html
# - man 5 slapd.access
#
#
########################################################################
-# Most common services: Postfix, Amavis, SASLauth, Dovecot
+# Most common services: Postfix, Amavis, Dovecot
# (Most used ACLs are cheaper when written first.)
#
-# Postfix have read access to the attribute they need.
+# Postfix have read access to the attribute it needs when eg, doing
+# alias resolution.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
- by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
+ by realanonymous =rsd
by users =0 break
#
-# Search lists and domain owners
+# Postfix needs to look up lists' local aliases.
olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry
- by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =s
+ by realanonymous =s
by users =0 break
#
-# Search domain owners / postmasters
+# Search domain owners / postmasters (used by reserved-alias.pl).
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
by users =0 break
#
# Anonymous can authenticate into the services. (But not read or write the password.)
olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org"
attrs=userPassword
by realanonymous =xd
#
-# That's necessary for SASL proxy Authorize the web application.
+# The following is required for SASL proxy Authorize the web application.
olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,authzTo
by realanonymous =x
#
# 1. The WebPanel itself cannot bind, read or write passwords. This
# guarantees that, if an attacker gains its priviledge, it will *not* be
# able to change user passwords (which would allow him/her to read every
# emails). This is a trick to tackle the absence of 'realgroup'.
# 2. Anonymous users can bind.
# 3. Users can change their password (but not read it).
# 4. The postmaster of a domain can change (replace) his/her users' password (but not read it).
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
filter=(objectClass=FripostVirtualUser)
attrs=userPassword
by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0
by realanonymous =xd
by realself =w
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w
by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" =w
#
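Review bot: `by realanonymous =rsd` on the first rule and `by realanonymous =s` on the second replace a check on the peercred DN with no identity check at all: every anonymous connection, on whichever listeners slapd is configured with, can now read entry, fvd, fvl, fripostMaildrop, fripostOptionalMaildrop and fripostLocalAlias under ou=virtual, i.e. the alias-to-mailbox mapping. If slapd only listens on the private ldapi socket this reduces to the socket's file permissions; if it also listens on ldap:// or ldaps:// for Dovecot or the web panel (both named in the header comment), that data becomes readable by anyone who can reach the port. Consider pinning both rules to the socket, e.g. `by realanonymous peername.path=<ldapi-socket-path> =rsd` (placeholder path — use the socket Postfix connects to). The third rule (domain owners / postmasters) still grants the `username=postfix,cn=peercred,...` DN only; with `bind = none` in the Postfix tables it is unclear which client still presents that identity, so a comment naming it, or dropping the line, would help.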
diff --git a/roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf b/roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf
index 2de4667..c405f47 100644
--- a/roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf
+++ b/roles/mx/files/etc/postfix/virtual/alias_catchall_maps.cf
@@ -1,8 +1,7 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
-bind = sasl
-sasl_mechs = EXTERNAL
+bind = none
query_filter = (&(ObjectClass=FripostVirtualDomain)(fvd=%d)(fripostOptionalMaildrop=*))
result_attribute = fripostOptionalMaildrop
diff --git a/roles/mx/files/etc/postfix/virtual/alias_maps.cf b/roles/mx/files/etc/postfix/virtual/alias_maps.cf
index aa26e18..9265d0b 100644
--- a/roles/mx/files/etc/postfix/virtual/alias_maps.cf
+++ b/roles/mx/files/etc/postfix/virtual/alias_maps.cf
@@ -1,7 +1,6 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
-bind = sasl
-sasl_mechs = EXTERNAL
+scope = base
query_filter = (&(ObjectClass=FripostVirtualAlias)(fvl=%u))
result_attribute = fripostMaildrop
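Review bot: Unlike the five sibling tables in this commit, alias_maps.cf removes `bind = sasl` and `sasl_mechs = EXTERNAL` without adding `bind = none`, so it falls back to the ldap_table default `bind = yes` — a simple bind with the empty default `bind_dn`/`bind_pw`, i.e. an anonymous simple bind. That reaches the same ACL identity (`realanonymous`) but costs a bind round-trip per lookup and leaves one table depending on slapd accepting anonymous simple binds rather than plain unauthenticated requests. Add `bind = none` next to the new `scope = base` line, matching alias_catchall_maps.cf, lists_maps.cf, mailbox_domains.cf, mailbox_maps.cf and transport_lists_maps.cf.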
diff --git a/roles/mx/files/etc/postfix/virtual/lists_maps.cf b/roles/mx/files/etc/postfix/virtual/lists_maps.cf
index a4657ec..b60dcf6 100644
--- a/roles/mx/files/etc/postfix/virtual/lists_maps.cf
+++ b/roles/mx/files/etc/postfix/virtual/lists_maps.cf
@@ -1,8 +1,7 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
-bind = sasl
-sasl_mechs = EXTERNAL
+bind = none
query_filter = (&(|(ObjectClass=FripostVirtualList)(ObjectClass=FripostVirtualListCommand))(fvl=%u)(fripostLocalAlias=%u#%d))
result_attribute = fripostLocalAlias
diff --git a/roles/mx/files/etc/postfix/virtual/mailbox_domains.cf b/roles/mx/files/etc/postfix/virtual/mailbox_domains.cf
index d580cb9..22d6be3 100644
--- a/roles/mx/files/etc/postfix/virtual/mailbox_domains.cf
+++ b/roles/mx/files/etc/postfix/virtual/mailbox_domains.cf
@@ -1,9 +1,8 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvd=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
-bind = sasl
-sasl_mechs = EXTERNAL
+bind = none
query_filter = (&(ObjectClass=FripostVirtualDomain)(fvd=%s))
result_attribute = fvd
result_format = OK
diff --git a/roles/mx/files/etc/postfix/virtual/mailbox_maps.cf b/roles/mx/files/etc/postfix/virtual/mailbox_maps.cf
index 0f0e0e4..dc97177 100644
--- a/roles/mx/files/etc/postfix/virtual/mailbox_maps.cf
+++ b/roles/mx/files/etc/postfix/virtual/mailbox_maps.cf
@@ -1,9 +1,8 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
-bind = sasl
-sasl_mechs = EXTERNAL
+bind = none
query_filter = (&(ObjectClass=FripostVirtualUser)(fvl=%u))
result_attribute = fvl
result_format = OK
diff --git a/roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf b/roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf
index 3cca999..9a7bca0 100644
--- a/roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf
+++ b/roles/mx/files/etc/postfix/virtual/transport_lists_maps.cf
@@ -1,12 +1,11 @@
# Despite the index on 'fripostLocalAlias' it's a bit more inefficient,
# but more precise, than the alternative of using regexes here, and a
# plain hash on the list managers' side.
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
search_base = ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = sub
-bind = sasl
-sasl_mechs = EXTERNAL
+bind = none
query_filter = (&(|(ObjectClass=FripostVirtualList)(ObjectClass=FripostVirtualListCommand))(fripostLocalAlias=%s))
result_attribute = fripostLocalAlias
result_format = smtp:[127.0.0.1]:2345