summaryrefslogtreecommitdiffstats
path: root/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common-LDAP/templates/etc/ldap/database.ldif.j2')
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j247
1 files changed, 8 insertions, 39 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 48758be..a7e4fa2 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -38,41 +38,41 @@ olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
# TLS-protected simple binds, though.
olcTLSVerifyClient: try
olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
"$1,dc=fripost,dc=org"
olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
olcTLSCipherSuite: PFS:%LATEST_RECORD_VERSION:!VERS-SSL3.0:!VERS-TLS1.0:!VERS-TLS1.1:!CIPHER-ALL:+AES-128-GCM:+AES-256-GCM
{% endif %}
olcLocalSSF: 128
# /!\ This is not portable! But we only use glibc's crypt(3), which
# supports (salted, streched) SHA512
olcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: $6$%s
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=fripost,dc=org
-{% if 'LDAP-provider' not in group_names and ('MX' in group_names or 'lists' in group_names) %}
+{% if 'LDAP-provider' not in group_names and 'MX' in group_names %}
olcReadOnly: TRUE
{% endif %}
{% if 'LDAP-provider' in group_names %}
olcLastMod: TRUE
olcDbCheckpoint: 512 15
{% else %}
olcLastMod: FALSE
{% endif %}
# The root user has all rights on the whole database (when SASL-binding
# on a UNIX socket).
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
# Ensure that all DIT access is made according to the LDAPv3 protocol,
# and must use 1/ authentication, and 2/ SASL or TLS. (Local clients
# should use ldapi:// and SASL/EXERNAL, while remote clients should use
# TLS.)
# XXX: olcRequires: none LDAPv3 authc strong
olcRequires: none LDAPv3 authc
olcSecurity: simple_bind=128 ssf=128 update_ssf=128
#
#
@@ -83,45 +83,42 @@ olcSecurity: simple_bind=128 ssf=128 update_ssf=128
# * Stop slapd sudo service slapd stop
# * Reindex sudo -u openldap slapindex -b 'dc=fripost,dc=org'
# * Restart slapd sudo service slapd start
#
olcDbIndex: objectClass eq
# Let us make Postfix's life easier.
{% if 'LDAP-provider' in group_names %}
olcDbIndex: fvd,fvl eq,sub
olcDbIndex: fripostIsStatusActive eq
{% elif 'MX' in group_names or 'MDA' in group_names %}
olcDbIndex: fripostIsStatusActive,fvd,fvl eq
{% endif %}
{% if 'LDAP-provider' in group_names %}
olcDbIndex: fripostOptionalMaildrop,fripostMaildrop eq,sub
olcDbIndex: fripostCanAddDomain,fripostCanAddAlias,fripostCanAddList,fripostOwner,fripostPostmaster,fripostListManager eq
{% elif 'MX' in group_names %}
olcDbIndex: fripostOptionalMaildrop pres
{% endif %}
{% if 'LDAP-provider' in group_names %}
{% endif %}
-{% if ('LDAP-provider' not in group_names and
- ('MX' in group_names or 'lists' in group_names)) or
- 'LDAP-provider' in group_names and
- (groups.MX | difference([inventory_hostname]) or
- groups.lists | difference([inventory_hostname])) %}
+{% if ('LDAP-provider' not in group_names and 'MX' in group_names) or
+ ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) %}
# SyncProv/SyncRepl specific indexing.
olcDbIndex: entryCSN,entryUUID eq
{% endif%}
#
#
# References
# - https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_5.0
# - http://www.openldap.org/doc/admin24/tuning.html
# - http://www.openldap.org/faq/data/cache/42.html
# - http://www.openldap.org/faq/data/cache/136.html
# - http://www.zytrax.com/books/ldap/apa/indeces.html
#
#
########################################################################
# Sync Replication
#
# References:
# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
#
@@ -135,57 +132,40 @@ olcLimits: dn.onelevel="ou=syncRepl,dc=fripost,dc=org"
{% if 'MX' in group_names and 'LDAP-provider' not in group_names %}
# Test it:
# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapwhoami -H ldaps://ldap.fripost.org/
# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapsearch -H ldaps://ldap.fripost.org/ -b ou=virtual,dc=fripost,dc=org
olcSyncrepl: rid=000
provider=ldaps://ldap.fripost.org
type=refreshAndPersist
retry="10 30 300 +"
searchbase="ou=virtual,dc=fripost,dc=org"
attrs=objectClass,fvd,fvl,fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner,fripostUseContentFilter,fripostListManager
scope=sub
sizelimit=unlimited
schemachecking=off
bindmethod=sasl
saslmech=external
tls_cert=/etc/ldap/ssl/mx.pem
tls_key=/etc/ldap/ssl/mx.key
tls_cacert=/etc/ldap/ssl/ldap.fripost.org.pem
tls_reqcert=hard
{% endif %}
-{% if 'lists' in group_names and 'LDAP-provider' not in group_names %}
-olcSyncrepl: rid=001
- provider=ldaps://ldap.fripost.org
- type=refreshAndPersist
- retry="10 30 300 +"
- searchbase="ou=virtual,dc=fripost,dc=org"
- attrs=objectClass,fvd,fvl,fripostListManager,fripostOwner
- scope=sub
- sizelimit=unlimited
- schemachecking=off
- bindmethod=sasl
- saslmech=external
- tls_cert=/etc/ldap/ssl/lists.pem
- tls_key=/etc/ldap/ssl/lists.key
- tls_cacert=/etc/ldap/ssl/ldap.fripost.org.pem
- tls_reqcert=hard
-{% endif %}
#
#
########################################################################
# Access control
# /!\ WARN: All modification to the ACL should be reflected to the test
# /!\ suite as well!
olcAddContentAcl: TRUE
#
# Overview:
# - Authentication (XXX: strong authentication) is required prior to any DIT
# operation (see 'olcRequires').
# - We force a Security Strength Factor of 128 or above for all operations (see
# 'olcSecurity'), meaning one must use either a local connection (eg,
# ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
# least 128 bits of security.
# - XXX: Services may not simple bind other than locally on a ldapi:// socket.
# If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
# socket whenever possible (if the service itself supports SASL binds).
# If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
# socket, and their identity should be derived from the Subject of the
@@ -292,43 +272,40 @@ olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org"
# * The SyncRepl replicates have read access to the entry itself, when
# using a TLS-protected connection.
# * So has Postfix, when connecting a local ldapi:// socket from the
# 'private' directory in one of the non-default instance's chroot.
# * So has Dovecot on the MDA (for the iterate filter), when
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket.
# * Amavis may use the entry as searchBase (required to look for the
# per-user preferences) but doesn't have read access to the entry.
# * The 'nobody' UNIX user has read access on the MX:es, when using
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket. This is required for the 'reserved-alias.pl'
# script.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvd
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
{% if 'LDAP-provider' in group_names -%}
{% if groups.MX | difference([inventory_hostname]) -%}
by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
- {% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
{% endif -%}
by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% if 'MDA' in group_names -%}
by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
{% endif -%}
{% if 'MX' in group_names -%}
by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
{% endif -%}
by users =0 break
#
# * The SyncRepl MX replicates can check whether a virtual domain is
# active, and read the destination address for catch-alls, when using
# a TLS-protected connection.
# * So can Postfix on the MX:es, when connecting a local ldapi:// socket
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostIsStatusActive,fripostOptionalMaildrop
@@ -453,58 +430,50 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvl,fripostMaildrop,fripostIsStatusActive
filter=(objectClass=FripostVirtualAlias)
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
by users =0 break
{% endif %}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# List entries
#
# * The SyncRepl replicates can read the entry itelf and the list manager, when
# using a TLS-protected connection.
-# * So can Postfix on the MX:es and lists managers, when connecting a local
-# ldapi:// socket from the 'private' directory in one of the non-default
-# instance's chroot.
-# XXX: where does sympa enter the picture? we really don't want to reintroduce listcomands...
-{% if 'MX' in group_names or 'lists' in group_names or ('LDAP-provider' in group_names and
- (groups.lists | difference([inventory_hostname]) or groups.MX | difference([inventory_hostname]))) %}
+# * So can Postfix on the MX:es, when connecting a local ldapi:// socket
+# from the 'private' directory in one of the non-default instance's chroot.
+{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvl,fripostListManager
filter=(&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry)))
- {% if 'LDAP-provider' in group_names -%}
- {% if groups.MX | difference([inventory_hostname]) -%}
+ {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
- {% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% endif -%}
- {% if 'MX' in group_names or 'lists' in group_names -%}
+ {% if 'MX' in group_names -%}
by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
by users =0 break
{% endif %}
#
# * The SyncRepl MX replicates can check whether a virtual list is
# active when using a TLS-protected connection.
# * So can Postfix on the MX:es, when connecting a local ldapi:// socket
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostIsStatusActive
filter=(&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry)))
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-27 22:53:26 +0000