diff options
Diffstat (limited to 'roles/common-LDAP/templates/etc/ldap/database.ldif.j2')
| -rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 8333032..03691f9 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -6,44 +6,43 @@ # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. dn: olcDatabase=hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDbDirectory: /var/lib/ldap/fripost olcSuffix: o=mailHosting,dc=fripost,dc=org olcLastMod: TRUE olcDbCheckpoint: 512 15 # Require LDAPv3 protocol and authentication prior to directory # operations. -olcRequires: LDAPv3 authc -# We don't want to give "canAdd{Alias,List}" write access to alias/list -# attributes. -olcAddContentAcl: FALSE +olcRequires: LDAPv3 +# TODO: how 'olcAddContentAcl' affects the test suite? +olcAddContentAcl: TRUE # The root user has all rights on the whole database (when SASL-binding # on a UNIX socket). olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth # # ######################################################################## ######################################################################## # Performance considerations # # To reindex an existing database, you have to # * Stop slapd sudo service slapd stop # * Reindex su openldap -c "slapindex -b 'o=mailHosting,dc=fripost,dc=org'" # * Restart slapd sudo service slapd start # # References # - https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_5.0 # - http://www.openldap.org/doc/admin24/tuning.html # - http://www.openldap.org/faq/data/cache/42.html # - http://www.openldap.org/faq/data/cache/136.html # - http://www.zytrax.com/books/ldap/apa/indeces.html @@ -81,71 +80,72 @@ olcDbIndex: entryCSN,entryUUID eq # # (For optimal performance, usage should be within 85% of the configured # values.) # # ######################################################################## ######################################################################## # Access control # /!\ WARN: All modification to the ACL should be reflected to the test # /!\ suite as well! # # References: # - http://www.openldap.org/doc/admin24/access-control.html # - http://www.openldap.org/faq/data/cache/189.html # - http://www.openldap.org/faq/data/cache/1140.html # - http://www.openldap.org/faq/data/cache/1133.html # - man 5 slapd.access # # ######################################################################## -# Most common services: Postfix, Amavis, SASLauth, Dovecot +# Most common services: Postfix, Amavis, Dovecot # (Most used ACLs are cheaper when written first.) # -# Postfix have read access to the attribute they need. +# Postfix have read access to the attribute it needs when eg, doing +# alias resolution. olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE))) by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd - by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd + by realanonymous =rsd by users =0 break # -# Search lists and domain owners +# Postfix needs to look up lists' local aliases. olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" attrs=entry - by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =s + by realanonymous =s by users =0 break # -# Search domain owners / postmasters +# Search domain owners / postmasters (used by reserved-alias.pl). olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE))) by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd by users =0 break # # Anonymous can authenticate into the services. (But not read or write the password.) olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org" attrs=userPassword by realanonymous =xd # -# That's necessary for SASL proxy Authorize the web application. +# The following is required for SASL proxy Authorize the web application. olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=org" attrs=entry,objectClass,authzTo by realanonymous =x # # 1. The WebPanel itself cannot bind, read or write passwords. This # guarantees that, if an attacker gains its priviledge, it will *not* be # able to change user passwords (which would allow him/her to read every # emails). This is a trick to tackle the absence of 'realgroup'. # 2. Anonymous users can bind. # 3. Users can change their password (but not read it). # 4. The postmaster of a domain can change (replace) his/her users' password (but not read it). olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$" filter=(objectClass=FripostVirtualUser) attrs=userPassword by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0 by realanonymous =xd by realself =w by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" =w # |