Diffstat (limited to 'roles/common-LDAP/templates/etc')
-rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 52 |
1 files changed, 23 insertions, 29 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 6680462..d3915df 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -229,74 +229,68 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,dc=fripost,dc=org)$"
 #
 # XXX
 # * Anonymous users are allowed to simple bind as Postfix, but only when
 # using a local ldapi:// listener from one of the Postfix instance
 # (which should be accessible by the 'postfix' UNIX user only).
 olcAccess: to dn.exact="cn=postfix,ou=services,dc=fripost,dc=org"
  attrs=userPassword
  by realanonymous sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =xd
 #
 # TODO: are there other services which need to be able to simple bind?
 #
 # * Catch-all: no one else may access the passwords (including for
 # simple bind).
 olcAccess: to dn.subtree="dc=fripost,dc=org"
  attrs=userPassword
  by * =0
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Base
 #
-# * The SyncRepl replicates may use the base as a searchBase, when using
-# a TLS-protected connection.
-# * So can Dovecot on the MDA (for the iterate filter), when
-# SASL-binding using the EXTERNAL mechanism and connecting to a local
-# ldapi:// socket.
+# * Only SyncRepl replicates may access operational attributes in the
+# subtree, when using a TLS-protected connection.
+{% if 'LDAP-provider' in group_names -%}
+olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
+ attrs=entryDN,entryCSN,entryUUID,structuralObjectClass,hasSubordinates,subschemaSubentry
+ by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by * =0
+#
+# * They may also read entries (ie, the attributes they have access to
+# as per the ACL below) in that subtree, when using a TLS-protected
+# connection. Listing entries (their DN) is required to replicate
+# deletions properly.
+olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
+ attrs=entry,objectClass
+ by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by users =0 break
+{% endif -%}
+#
+# * Dovecot may use the base as a searchBase on the MDA (for the iterate
+# filter), when SASL-binding using the EXTERNAL mechanism and
+# connecting to a local ldapi:// socket.
+{% if 'MDA' in group_names -%}
 olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org"
  attrs=entry,objectClass
  filter=(objectClass=FripostVirtual)
- {% if 'LDAP-provider' in group_names -%}
- {% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% endif -%}
- {% if 'MDA' in group_names -%}
  by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
- {% endif -%}
  by users =0 break
-#
-# * Only SyncRepl replicates may access operational attributes in the
-# subtree, when using a TLS-protected connection.
-olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
- attrs=structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
- {% if 'LDAP-provider' in group_names -%}
- {% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
- {% endif -%}
- {% endif -%}
- by * =0
+{% endif -%}
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Domain entries
 #
 # * The SyncRepl replicates have read access to the entry itself, when
 # using a TLS-protected connection.
 # * So has Postfix, when connecting a local ldapi:// socket from the
 # 'private' directory in one of the non-default instance's chroot.
 # * So has Dovecot on the MDA (for the iterate filter), when
 # SASL-binding using the EXTERNAL mechanism and connecting to a local
 # ldapi:// socket.
 # * Amavis may use the entry as searchBase (required to look for the
 # per-user preferences) but doesn't have read access to the entry.
 # * The 'nobody' UNIX user has read access on the MX:es, when using
 # SASL-binding using the EXTERNAL mechanism and connecting to a local
 # ldapi:// socket. This is required for the 'reserved-alias.pl'
 # script.
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
  attrs=entry,objectClass,fvd
  filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) |
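Review bot: The two added `ou=virtual` subtree rules grant `=rsd` to `dn.onelevel="ou=syncRepl,dc=fripost,dc=org"`, which replaces the exact-DN `cn=mX`/`cn=lists` grants (and their `groups.MX`/`groups.lists` conditions) with a grant to every entry that sits directly under `ou=syncRepl`, now or in the future; the comment above the first rule should state that, e.g. `# Any entry directly under ou=syncRepl counts as a replica: keep that OU to replication identities only.` The second rule ends with `by users =0 break`, so a client with no bound DN matches no `by` clause of a `to` that now covers the whole subtree and, if I read slapd.access(5) correctly, is denied `entry`/`objectClass` there rather than falling through to the per-entry rules below; worth confirming nothing searches `ou=virtual` anonymously, since the old rule with the same `break` only covered the base entry. The new operational-attribute list also drops `createTimestamp`, `creatorsName`, `modifiersName` and `modifyTimestamp`, so they are no longer explicitly restricted to replicas and get whatever a later rule or the default gives them; if that is deliberate, a one-line note would keep it from reading as an omission.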