diff options
Diffstat (limited to 'roles/common-LDAP/templates/etc/ldap')
| -rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 03691f9..5a8674a 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -34,73 +34,97 @@ olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth ######################################################################## ######################################################################## # Performance considerations # # To reindex an existing database, you have to # * Stop slapd sudo service slapd stop # * Reindex su openldap -c "slapindex -b 'o=mailHosting,dc=fripost,dc=org'" # * Restart slapd sudo service slapd start # # References # - https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_5.0 # - http://www.openldap.org/doc/admin24/tuning.html # - http://www.openldap.org/faq/data/cache/42.html # - http://www.openldap.org/faq/data/cache/136.html # - http://www.zytrax.com/books/ldap/apa/indeces.html # olcDbIndex: objectClass eq # Let us make Postfix's life easier. TODO: only if MX, lists.f.o, MDA, etc. olcDbIndex: fripostIsStatusActive,fvd,fvl,fripostLocalAlias eq olcDbIndex: fripostOptionalMaildrop pres -# SyncProv/SyncRepl specific indexing. TODO: only if SyncProv/SyncRepl +# SyncProv/SyncRepl specific indexing. olcDbIndex: entryCSN,entryUUID eq # # # # 1. On single- and dual-core systems, change the maximum number of # threads to 8. (The default, 16, is fine for 4- and 8-core systems.) # # dn: cn=config # changetype: modify # add: olcThreads # olcThreads: 8 # # # 2. It may be a good idea to modify DB_CONFIG, depending on the output # of # # db_stat -mh /var/lib/ldap/fripost | head -16 # # (For optimal performance, the Requested pages found in the cache # should be above 95%, and the dirty/clean pages forced from the cache # should be 0.) # # and # # db_stat -ch /var/lib/ldap/fripost | head -16 # # (For optimal performance, usage should be within 85% of the configured # values.) # # ######################################################################## ######################################################################## +# Sync Replication +# TODO: replace the simple bind by Kerberos/GSSAPI +# +# References: +# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl +# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap +# +{% if 'LDAP_provider' not in group_names %} +olcSyncrepl: rid=000 + provider=ldap://{{ LDAP_provider }} + type=refreshAndPersist + retry="5 5 300 +" + searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org" + attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias,fripostPostmaster,fripostOwner + scope=sub + schemachecking=off + bindmethod=simple + binddn="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" + credentials=postfix +{% endif %} +# +# +######################################################################## +######################################################################## # Access control # /!\ WARN: All modification to the ACL should be reflected to the test # /!\ suite as well! # # References: # - http://www.openldap.org/doc/admin24/access-control.html # - http://www.openldap.org/faq/data/cache/189.html # - http://www.openldap.org/faq/data/cache/1140.html # - http://www.openldap.org/faq/data/cache/1133.html # - man 5 slapd.access # # ######################################################################## # Most common services: Postfix, Amavis, Dovecot # (Most used ACLs are cheaper when written first.) # # Postfix have read access to the attribute it needs when eg, doing # alias resolution. olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias @@ -116,40 +140,48 @@ olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" by users =0 break # # Search domain owners / postmasters (used by reserved-alias.pl). olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE))) by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd by users =0 break # # Anonymous can authenticate into the services. (But not read or write the password.) olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org" attrs=userPassword by realanonymous =xd # # The following is required for SASL proxy Authorize the web application. olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=org" attrs=entry,objectClass,authzTo by realanonymous =x # +# The following is required for Sync Replication. +{% if 'LDAP-provider' in group_names %} +olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org" + attrs=entry,objectClass,structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry + by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd + by users =0 break +{% endif %} +# # 1. The WebPanel itself cannot bind, read or write passwords. This # guarantees that, if an attacker gains its priviledge, it will *not* be # able to change user passwords (which would allow him/her to read every # emails). This is a trick to tackle the absence of 'realgroup'. # 2. Anonymous users can bind. # 3. Users can change their password (but not read it). # 4. The postmaster of a domain can change (replace) his/her users' password (but not read it). olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$" filter=(objectClass=FripostVirtualUser) attrs=userPassword by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0 by realanonymous =xd by realself =w by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" =w # # A catch-all, to be sure that noone else have access to the passwords. olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by * =0 |