summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--lib/modules/openldap96
-rw-r--r--roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext2
-rw-r--r--roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext4
-rw-r--r--roles/IMAP/files/etc/postfix/virtual/mailbox.cf2
-rw-r--r--roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf2
-rw-r--r--roles/LDAP-provider/tasks/main.yml2
-rwxr-xr-xroles/MX/files/usr/local/sbin/reserved-alias.pl2
-rw-r--r--roles/MX/templates/etc/postfix/virtual/alias.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/catchall.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/list.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/mailbox.cf.j22
-rw-r--r--roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j22
-rw-r--r--roles/amavis/templates/etc/amavis/conf.d/50-user.j22
-rw-r--r--roles/common-LDAP/files/etc/ldap/schema/fripost.ldif6
-rw-r--r--roles/common-LDAP/files/var/lib/ldap/DB_CONFIG (renamed from roles/common-LDAP/files/var/lib/ldap/fripost/DB_CONFIG)8
-rw-r--r--roles/common-LDAP/tasks/main.yml36
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j2143
-rw-r--r--roles/lists/files/etc/postfix/virtual/transport_list.cf2
-rw-r--r--roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j24
20 files changed, 110 insertions, 213 deletions
diff --git a/lib/modules/openldap b/lib/modules/openldap
index 0f0bc9a..1e84c32 100644
--- a/lib/modules/openldap
+++ b/lib/modules/openldap
@@ -38,6 +38,7 @@ indexedAttributes = frozenset([
'olcOverlay',
'olcLimits',
'olcAuthzRegexp',
+ 'olcDbConfig',
])
@@ -91,34 +92,6 @@ class LDIFCallback(LDIFParser):
self.changed |= b
-# Run slapcat(8) on the given suffix or DB number (suffix takes
-# precedence) with an optional filter. (This is useful for offline
-# searches, or one needs to bypass ACLs.) Returns an open pipe to the
-# subprocess.
-def slapcat(filter=None, suffix=None, idx=0):
- cmd = [ os.path.join(os.sep, 'usr', 'sbin', 'slapcat') ]
-
- if filter is not None:
- cmd.extend([ '-a', filter ])
-
- if suffix is not None:
- if type(suffix) is not str:
- suffix = dn2str(suffix)
- cmd.extend([ '-b', suffix ])
- else:
- cmd.append( '-n%d' % idx )
-
- return subprocess.Popen( cmd, stdout=subprocess.PIPE
- , stderr=open(os.devnull, 'wb') )
-
-
-# Start / stop / whatever a service.
-def service(name, state):
- cmd = [ os.path.join(os.sep, 'usr', 'sbin', 'service'), name, state ]
- subprocess.check_call( cmd, stdout=open(os.devnull, 'wb')
- , stderr=subprocess.STDOUT )
-
-
# Check if the given dn is already present in the directory.
# Returns None if doesn't exist, and give the dn,entry otherwise
def flexibleSearch(module, l, dn, entry):
@@ -254,58 +227,6 @@ def getDN_DB(module, l, a, v, attrlist=['']):
, attrlist = attrlist )
-# Clear the given DB directory and delete the associated database. Fail
-# if non empty, unless all existing DNS are in skipdns.
-def wontRemove(module, skipdns, d, _):
- if d not in skipdns:
- module.fail_json(msg="won't remove '%s'" % d)
-def removeDB(module, dbdir, skipdn=None):
- changed = False
- if not os.path.exists(dbdir):
- return False
-
- l = ldap.initialize( 'ldapi://' )
- l.sasl_interactive_bind_s('', ldap.sasl.external())
- r = getDN_DB( module, l, 'olcDbDirectory', dbdir, attrlist=['olcSuffix'] )
- l.unbind_s()
-
- if len(r) > 1:
- module.fail_json(msg="Multiple results found! This is a bug. Please report.")
- elif r:
- dn,entry = r.pop()
- suffix = entry['olcSuffix'][0]
-
- skipdns = [suffix]
- if skipdn is not None:
- skipdns.extend([ "%s,%s" % (s,suffix) for s in skipdn ])
- # here we need to use slapcat not search_s, because we may
- # not have read access on the database (even though we're
- # root!).
- p = slapcat( suffix=suffix )
- parser = LDIFCallback( module, p.stdout
- , partial(wontRemove,module,skipdns) )
- parser.parse()
-
- changed = True
- if module.check_mode:
- module.exit_json(changed=changed, msg="remove dir %s" % dbdir)
-
- # slapd doesn't support database deletion, so we need to turn it
- # off and remove it from slapd.d manually.
- service( 'slapd', 'stop' )
- path = [ os.sep, 'etc', 'ldap', 'slapd.d' ]
- ldif = explode_dn(dn)[::-1]
- ldif[-1] += ".ldif"
- path.extend( ldif )
- os.unlink( os.path.join(*path) )
-
- # delete all children in path, but not the path directory itself.
- for file in os.listdir(dbdir):
- os.unlink( os.path.join(dbdir, file) )
- service( 'slapd', 'start' )
- return changed
-
-
# Convert a *.schema file into *.ldif format. The algorithm can be found
# in /etc/ldap/schema/openldap.ldif .
def slapd_to_ldif(src, name):
@@ -344,9 +265,7 @@ def slapd_to_ldif(src, name):
def main():
module = AnsibleModule(
argument_spec = dict(
- dbdirectory = dict( default=None ),
- ignoredn = dict( default=None ),
- state = dict( default="present", choices=["absent", "present"]),
+ state = dict( default="present", choices=["absent","present"]),
target = dict( default=None ),
module = dict( default=None ),
suffix = dict( default=None ),
@@ -359,25 +278,16 @@ def main():
params = module.params
state = params['state']
- dbdirectory = params['dbdirectory']
- ignoredn = params['ignoredn']
target = params['target']
mod = params['module']
suffix = params['suffix']
form = params['format']
name = params['name']
- if ignoredn is not None:
- ignoredn = ignoredn.split(':')
-
changed = False
try:
if state == "absent":
- if dbdirectory is not None:
- changed = removeDB(module,dbdirectory,skipdn=ignoredn)
- # TODO: might be useful to be able remove DNs
- else:
- module.fail_json(msg="missing dbdirectory")
+ module.fail_json(msg="OpenLDAP's ansible: unsupported feature")
elif state == "present":
if form == 'slapd.conf':
diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext
index 6c39bf6..c455c07 100644
--- a/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap-userdb.conf.ext
@@ -53,7 +53,7 @@ ldap_version = 3
# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
-base = fvl=%n,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+base = fvl=%n,fvd=%d,ou=virtual,dc=fripost,dc=org
# Dereference: never, searching, finding, always
deref = never
diff --git a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
index 77edba8..1ffa73d 100644
--- a/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
+++ b/roles/IMAP/files/etc/dovecot/dovecot-ldap.conf.ext
@@ -80,14 +80,14 @@ auth_bind = yes
# For example:
# auth_bind_userdn = cn=%u,ou=people,o=org
#
-auth_bind_userdn = fvl=%n,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+auth_bind_userdn = fvl=%n,fvd=%d,ou=virtual,dc=fripost,dc=org
# LDAP protocol version to use. Likely 2 or 3.
ldap_version = 3
# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
-base = fvl=%n,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+base = fvl=%n,fvd=%d,ou=virtual,dc=fripost,dc=org
# Dereference: never, searching, finding, always
deref = never
diff --git a/roles/IMAP/files/etc/postfix/virtual/mailbox.cf b/roles/IMAP/files/etc/postfix/virtual/mailbox.cf
index 009dd98..e69343b 100644
--- a/roles/IMAP/files/etc/postfix/virtual/mailbox.cf
+++ b/roles/IMAP/files/etc/postfix/virtual/mailbox.cf
@@ -1,6 +1,6 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = base
bind = none
diff --git a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf
index b082f69..642b722 100644
--- a/roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf
+++ b/roles/IMAP/files/etc/postfix/virtual/transport_content_filter.cf
@@ -1,6 +1,6 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = base
bind = none
diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index 48cc8d2..d221486 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -1,6 +1,6 @@
- name: Load and configure the syncprov overlay
openldap: module=syncprov state=present
- suffix=o=mailHosting,dc=fripost,dc=org
+ suffix=dc=fripost,dc=org
target=etc/ldap/syncprov.ldif
local=file
diff --git a/roles/MX/files/usr/local/sbin/reserved-alias.pl b/roles/MX/files/usr/local/sbin/reserved-alias.pl
index 603d773..517e51b 100755
--- a/roles/MX/files/usr/local/sbin/reserved-alias.pl
+++ b/roles/MX/files/usr/local/sbin/reserved-alias.pl
@@ -67,7 +67,7 @@ if (defined $domain) {
my @attrs = ( 'fripostPostmaster', 'fripostOwner' );
my $mesg = $ldap->search( base => 'fvd='.escape_dn_value($domain).','
- .'ou=virtual,o=mailHosting,dc=fripost,dc=org'
+ .'ou=virtual,dc=fripost,dc=org'
, scope => 'base'
, deref => 'never'
, filter => '(&(objectClass=FripostVirtualDomain)'
diff --git a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
index c7d2f0a..2e80d45 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias.cf.j2
@@ -1,6 +1,6 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = base
bind = none
diff --git a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
index dec8bce..bdfa802 100644
--- a/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/alias_domains.cf.j2
@@ -1,6 +1,6 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
-search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = base
bind = none
diff --git a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2 b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
index 8ac40fd..398e530 100644
--- a/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/catchall.cf.j2
@@ -1,6 +1,6 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
-search_base = fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+search_base = fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = base
bind = none
diff --git a/roles/MX/templates/etc/postfix/virtual/list.cf.j2 b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
index 5988159..4020b42 100644
--- a/roles/MX/templates/etc/postfix/virtual/list.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/list.cf.j2
@@ -1,6 +1,6 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = base
bind = none
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
index a108c0d..118e17a 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox.cf.j2
@@ -1,6 +1,6 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = base
bind = none
diff --git a/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2 b/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
index 74304a4..43b7f3a 100644
--- a/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
+++ b/roles/MX/templates/etc/postfix/virtual/mailbox_domains.cf.j2
@@ -1,6 +1,6 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
-search_base = fvd=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org
+search_base = fvd=%s,ou=virtual,dc=fripost,dc=org
scope = base
bind = none
query_filter = (&(objectClass=FripostVirtualDomain)(fvd=%s))
diff --git a/roles/amavis/templates/etc/amavis/conf.d/50-user.j2 b/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
index 200ce90..3595331 100644
--- a/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
+++ b/roles/amavis/templates/etc/amavis/conf.d/50-user.j2
@@ -79,7 +79,7 @@ $default_ldap = {
deref => 'never',
timeout => 5,
scope => 'one',
- base => 'fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org',
+ base => 'fvd=%d,ou=virtual,dc=fripost,dc=org',
# XXX: ideally we would use %u in the base and the query_filter, but
# it's not supported as of amavis 2.7 (see the 'lookup_ldap'
# subroutine in /usr/sbin/amavisd-new)
diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index 54f3037..a26f249 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -20,17 +20,17 @@
#
# It will load the schema. To perform modifications, the easiest way is to
#
-# * Save the database: slapcat -b 'o=mailHosting,dc=fripost,dc=dev' > /tmp/db.ldif
+# * Save the database: slapcat -b 'dc=fripost,dc=org' > /tmp/db.ldif
# * Save the configuration: slapcat -n0 > /tmp/config.ldif
# * Backup slap.d: cp -a /etc/ldap/slapd.d/ /tmp/slap.d_back
# * Edit the schema in /tmp/config.ldif
# * Load the new config: mkdir -m 0700 /tmp/slapd.d_new && slapadd -F /tmp/slapd.d_new -n0 -l /tmp/config.ldif
# * Stop slapd: /etc/init.d/slapd stop
# * Load the new config: rm -rf /etc/ldap/slapd.d/ && mv /tmp/slapd.d_new /etc/ldap/slapd.d && chown -R openldap:openldap /etc/ldap/slapd.d
-# * Create indexes: sudo -u openldap slapindex -b 'o=mailHosting,dc=fripost,dc=dev'
+# * Create indexes: sudo -u openldap slapindex -b 'dc=fripost,dc=org'
# * Start slapd: /etc/init.d/slapd start
# If it fails, remove the existing database and see what's wrong
-# rm -rf /var/lib/ldap/dev/* && sudo -u openldap slapadd -b 'o=mailHosting,dc=fripost,dc=org' -l /tmp/db.ldif
+# rm -rf /var/lib/ldap/dev/* && sudo -u openldap slapadd -b 'dc=fripost,dc=org' -l /tmp/db.ldif
#
#
# /!\ WARN: All modification to the ACL should be reflected to the test
diff --git a/roles/common-LDAP/files/var/lib/ldap/fripost/DB_CONFIG b/roles/common-LDAP/files/var/lib/ldap/DB_CONFIG
index c7072dc..07738c2 100644
--- a/roles/common-LDAP/files/var/lib/ldap/fripost/DB_CONFIG
+++ b/roles/common-LDAP/files/var/lib/ldap/DB_CONFIG
@@ -1,6 +1,6 @@
# It may be a good idea to modify this file, depending on the output of
#
-# db_stat -mh /var/lib/ldap/fripost | head -16
+# db_stat -mh /var/lib/ldap | head -16
#
# (For optimal performance, the Requested pages found in the cache
# should be above 95%, and the dirty/clean pages forced from the cache
@@ -8,13 +8,13 @@
#
# and
#
-# db_stat -ch /var/lib/ldap/fripost | head -16
+# db_stat -ch /var/lib/ldap | head -16
#
# (For optimal performance, usage should be within 85% of the configured
# values.)
#
-set_cachesize 0 5242880 1
-# 5MB cachesize, allow defragmentation
+# 5MB cachesize
+set_cachesize 0 5242880 0
set_lk_max_objects 1500
set_lk_max_locks 1500
set_lk_max_lockers 1500
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 43c6bfb..3b8b36c 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -18,30 +18,11 @@
notify:
- Restart slapd
-# Upon install slapd create and populate a database under /var/lib/ldap.
-# We clear it up and create a children directory to get finer-grain
-# control.
-- name: Clear empty /var/lib/ldap
- # Don't remove the database (and fail) if it contains something else
- # than its suffix or cn=admin,...
- openldap: dbdirectory=/var/lib/ldap ignoredn=cn=admin
- state=absent
-
-- name: Create directory /var/lib/ldap/fripost
- file: path=/var/lib/ldap/fripost
- state=directory
+- name: Copy DB_CONFIG
+ copy: src=var/lib/ldap/DB_CONFIG
+ dest=/var/lib/ldap/DB_CONFIG
owner=openldap group=openldap
- mode=0700
-
-- name: Copy /var/lib/ldap/fripost/DB_CONFIG
- copy: src=var/lib/ldap/fripost/DB_CONFIG
- dest=/var/lib/ldap/fripost/DB_CONFIG
- owner=openldap group=openldap
- mode=0600
- register: r2
- notify:
- # Not sure if required
- - Restart slapd
+ mode=0644
- name: Create directory /etc/ldap/ssl
file: path=/etc/ldap/ssl
@@ -63,9 +44,9 @@
--usage=digitalSignature,keyEncipherment
-t rsa -b 4096 -h sha256
--chown="root:openldap" --chmod=0640
- register: r3
- changed_when: r3.rc == 0
- failed_when: r3.rc > 1
+ register: r2
+ changed_when: r2.rc == 0
+ failed_when: r2.rc > 1
with_items:
- { group: 'LDAP-provider', name: ldap.fripost.org, ou: }
- { group: 'MX', name: mx, ou: --ou=SyncRepl }
@@ -123,12 +104,13 @@
tags:
- ldap
+# We assume a clean (=stock) cn=config
- name: Configure the LDAP database
openldap: target=etc/ldap/database.ldif.j2 local=template
state=present
- name: Start slapd
service: name=slapd state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 308bece..f633692 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -34,8 +34,8 @@ olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
olcTLSVerifyClient: allow
-olcAuthzRegexp: "^cn=([^,]+),ou=SyncRepl,ou=LDAP,ou=SSLcerts,o=Fripost$"
- "cn=$1,ou=replicates,o=mailHosting,dc=fripost,dc=org"
+olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
+ "$1,dc=fripost,dc=org"
olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
# XXX We would like to say 'PFS' here, but Wheezy'z GnuTLS (libgnutls26
# 2.12.20-8+deb7u2) is too old :-( (Also, DHE/ECDHE are not supported.)
@@ -51,8 +51,8 @@ olcPasswordCryptSaltFormat: $6$%s
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
-olcDbDirectory: /var/lib/ldap/fripost
-olcSuffix: o=mailHosting,dc=fripost,dc=org
+olcDbDirectory: /var/lib/ldap
+olcSuffix: dc=fripost,dc=org
{% if 'LDAP-provider' not in group_names and ('MX' in group_names or 'lists' in group_names) %}
olcReadOnly: TRUE
{% endif %}
@@ -62,6 +62,11 @@ olcDbCheckpoint: 512 15
{% else %}
olcLastMod: FALSE
{% endif %}
+# See DB_CONFIG
+olcDbConfig: set_cachesize 0 5242880 0
+olcDbConfig: set_lk_max_objects 1500
+olcDbConfig: set_lk_max_locks 1500
+olcDbConfig: set_lk_max_lockers 1500
# The root user has all rights on the whole database (when SASL-binding
# on a UNIX socket).
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
@@ -79,7 +84,7 @@ olcSecurity: simple_bind=128 ssf=128 update_ssf=128
#
# To reindex an existing database, you have to
# * Stop slapd sudo service slapd stop
-# * Reindex su openldap -c "slapindex -b 'o=mailHosting,dc=fripost,dc=org'"
+# * Reindex su openldap -c "slapindex -b 'dc=fripost,dc=org'"
# * Restart slapd sudo service slapd start
#
olcDbIndex: objectClass eq
@@ -117,14 +122,14 @@ olcDbIndex: entryCSN,entryUUID eq
#
{% if 'LDAP-provider' in group_names %}
{% if groups.MX | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org"
+olcLimits: dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
{% endif %}
{% if groups.lists | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org"
+olcLimits: dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org"
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
@@ -134,12 +139,12 @@ olcLimits: dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org"
{% if 'MX' in group_names and 'LDAP-provider' not in group_names %}
# Test it:
# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapwhoami -H ldaps://ldap.fripost.org/
-# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapsearch -H ldaps://ldap.fripost.org/ -b ou=virtual,o=mailHosting,dc=fripost,dc=org
+# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapsearch -H ldaps://ldap.fripost.org/ -b ou=virtual,dc=fripost,dc=org
olcSyncrepl: rid=000
provider=ldaps://ldap.fripost.org
type=refreshAndPersist
retry="10 30 300 +"
- searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ searchbase="ou=virtual,dc=fripost,dc=org"
attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner
scope=sub
sizelimit=unlimited
@@ -156,7 +161,7 @@ olcSyncrepl: rid=001
provider=ldaps://ldap.fripost.org
type=refreshAndPersist
retry="10 30 300 +"
- searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ searchbase="ou=virtual,dc=fripost,dc=org"
attrs=objectClass,fvd,fvl,fripostListManager,fripostOwner
scope=sub
sizelimit=unlimited
@@ -217,21 +222,21 @@ olcAddContentAcl: TRUE
# granted.
# * The same goes for general admins.
# * The same goes for local admins.
-olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,dc=fripost,dc=org)$"
filter=(objectClass=FripostVirtualUser)
attrs=userPassword
by realanonymous tls_ssf=128 =xd
by realanonymous sockurl.regex="^ldapi://" =xd
by realself tls_ssf=128 =w
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" tls_ssf=128 =w
- by dn.onelevel="ou=admins,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =w
+ by dn.onelevel="ou=admins,dc=fripost,dc=org" tls_ssf=128 =w
by dn.exact="username=guilhem,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =w
#
# XXX
# * Anonymous users are allowed to simple bind as Postfix, but only when
# using a local ldapi:// listener from one of the Postfix instance
# (which should be accessible by the 'postfix' UNIX user only).
-olcAccess: to dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="cn=postfix,ou=services,dc=fripost,dc=org"
attrs=userPassword
by realanonymous sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =xd
#
@@ -239,7 +244,7 @@ olcAccess: to dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org"
#
# * Catch-all: no one else may access the passwords (including for
# simple bind).
-olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.subtree="dc=fripost,dc=org"
attrs=userPassword
by * =0
#
@@ -251,35 +256,35 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=org"
# * So can Dovecot on the MDA (for the iterate filter), when
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket.
-olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org"
attrs=entry,objectClass
filter=(objectClass=FripostVirtual)
{% if 'LDAP-provider' in group_names -%}
{% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% endif -%}
{% if 'MDA' in group_names -%}
- by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
+ by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
{% endif -%}
- by users =0 break
+ by users =0 break
#
# * Only SyncRepl replicates may access operational attributes in the
# subtree, when using a TLS-protected connection.
-olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
attrs=structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
{% if 'LDAP-provider' in group_names -%}
{% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% endif -%}
- by * =0
+ by * =0
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Domain entries
@@ -297,26 +302,26 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket. This is required for the 'reserved-alias.pl'
# script.
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvd
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
{% if 'LDAP-provider' in group_names -%}
{% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% endif -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% if 'MDA' in group_names -%}
- by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
- by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
+ by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
+ by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
{% endif -%}
{% if 'MX' in group_names -%}
- by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
+ by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
#
# * The SyncRepl MX replicates can check whether a virtual domain is
# active, and read the destination address for catch-alls, when using
@@ -325,16 +330,16 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostIsStatusActive,fripostOptionalMaildrop
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
{% endif %}
#
# * The 'nobody' UNIX user can list the domain owners and postmasters on
@@ -342,11 +347,11 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
# connecting to a local ldapi:// socket. This is required for the
# 'reserved-alias.pl' script.
{% if 'MX' in group_names %}
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostOwner,fripostPostmaster
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
- by users =0 break
+ by users =0 break
{% endif %}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
@@ -359,16 +364,16 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,fripostMaildrop
filter=(&(objectClass=FripostVirtualAliasDomain)(!(objectClass=FripostPendingEntry)))
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
{% endif %}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
@@ -383,18 +388,18 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
# ldapi:// socket.
# * So has Amavis on the MDA, when SASL-binding using the EXTERNAL
# mechanism and connecting to a local ldapi:// socket.
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvl
filter=(objectClass=FripostVirtualUser)
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% if 'MDA' in group_names -%}
- by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
- by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
+ by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
+ by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
#
# * The SyncRepl MX replicates can check whether a virtual user is
# active, when using a TLS-protected connection.
@@ -402,16 +407,16 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostIsStatusActive
filter=(objectClass=FripostVirtualUser)
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
{% endif %}
{% if 'MDA' in group_names %}
#
@@ -422,7 +427,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
# filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE))
# TODO: only allow it to read the configuration options users are allowed
# to set and modify.
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=@AmavisAccount
filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
@@ -430,7 +435,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
#
# * Dovecot can look for user quotas, when SASL-binding using the
# EXTERNAL mechanism and connecting to a local ldapi:// socket.
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostUserQuota
filter=(objectClass=FripostVirtualUser)
by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
@@ -447,16 +452,16 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvl,fripostMaildrop,fripostIsStatusActive
filter=(objectClass=FripostVirtualAlias)
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
{% endif %}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
@@ -470,21 +475,21 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
# XXX: where does sympa enter the picture? we really don't want to reintroduce listcomands...
{% if 'MX' in group_names or 'lists' in group_names or ('LDAP-provider' in group_names and
(groups.lists | difference([inventory_hostname]) or groups.MX | difference([inventory_hostname]))) %}
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvl,fripostListManager
filter=(&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry)))
{% if 'LDAP-provider' in group_names -%}
{% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% endif -%}
{% if 'MX' in group_names or 'lists' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
{% endif %}
#
# * The SyncRepl MX replicates can check whether a virtual list is
@@ -493,16 +498,16 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostIsStatusActive
filter=(&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry)))
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
{% endif %}
{% if 'LDAP-provider' in group_names %}
#
@@ -516,8 +521,8 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
#
# * Catch all the breaks above.
# * Deny any access to everyone else.
-olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=org"
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +0
- by * =0
+olcAccess: to dn.subtree="dc=fripost,dc=org"
+ by dn.children="ou=virtual,dc=fripost,dc=org" +0
+ by * =0
# vim: set filetype=ldif :
diff --git a/roles/lists/files/etc/postfix/virtual/transport_list.cf b/roles/lists/files/etc/postfix/virtual/transport_list.cf
index f85c4f8..384b832 100644
--- a/roles/lists/files/etc/postfix/virtual/transport_list.cf
+++ b/roles/lists/files/etc/postfix/virtual/transport_list.cf
@@ -1,6 +1,6 @@
server_host = ldapi://%2Fprivate%2Fldapi/
version = 3
-search_base = fvl=%u,fvd=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+search_base = fvl=%u,fvd=%d,ou=virtual,dc=fripost,dc=org
domain = static:all
scope = base
bind = none
diff --git a/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2 b/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2
index a661909..06f1556 100644
--- a/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2
+++ b/roles/webmail/templates/usr/share/roundcube/plugins/password/config.inc.php.j2
@@ -45,7 +45,7 @@ $rcmail_config['password_ldap_version'] = '3';
// LDAP base name (root directory)
// Exemple: 'dc=exemple,dc=com'
-$rcmail_config['password_ldap_basedn'] = 'ou=virtual,o=mailHosting,dc=fripost,dc=org';
+$rcmail_config['password_ldap_basedn'] = 'ou=virtual,dc=fripost,dc=org';
// LDAP connection method
// There is two connection method for changing a user's LDAP password.
@@ -72,7 +72,7 @@ $rcmail_config['password_ldap_adminPW'] = null;
// '%domain' will be replaced by the current roundcube user's domain part
// '%dc' will be replaced by domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
// Exemple: 'uid=%login,ou=people,dc=exemple,dc=com'
-$rcmail_config['password_ldap_userDN_mask'] = 'fvl=%name,fvd=%domain,ou=virtual,o=mailHosting,dc=fripost,dc=org';
+$rcmail_config['password_ldap_userDN_mask'] = 'fvl=%name,fvd=%domain,ou=virtual,dc=fripost,dc=org';
// LDAP search DN
// The DN roundcube should bind with to find out user's DN