summaryrefslogtreecommitdiffstats
path: root/roles/common-LDAP
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common-LDAP')
-rw-r--r--roles/common-LDAP/files/etc/ldap/schema/fripost.ldif6
-rw-r--r--roles/common-LDAP/files/var/lib/ldap/DB_CONFIG (renamed from roles/common-LDAP/files/var/lib/ldap/fripost/DB_CONFIG)8
-rw-r--r--roles/common-LDAP/tasks/main.yml36
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j2143
4 files changed, 90 insertions, 103 deletions
diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index 54f3037..a26f249 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -3,51 +3,51 @@
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Load this file with
#
# ldapadd -Y EXTERNAL -H ldapi:/// -f fripost.ldif
#
# It will load the schema. To perform modifications, the easiest way is to
#
-# * Save the database: slapcat -b 'o=mailHosting,dc=fripost,dc=dev' > /tmp/db.ldif
+# * Save the database: slapcat -b 'dc=fripost,dc=org' > /tmp/db.ldif
# * Save the configuration: slapcat -n0 > /tmp/config.ldif
# * Backup slap.d: cp -a /etc/ldap/slapd.d/ /tmp/slap.d_back
# * Edit the schema in /tmp/config.ldif
# * Load the new config: mkdir -m 0700 /tmp/slapd.d_new && slapadd -F /tmp/slapd.d_new -n0 -l /tmp/config.ldif
# * Stop slapd: /etc/init.d/slapd stop
# * Load the new config: rm -rf /etc/ldap/slapd.d/ && mv /tmp/slapd.d_new /etc/ldap/slapd.d && chown -R openldap:openldap /etc/ldap/slapd.d
-# * Create indexes: sudo -u openldap slapindex -b 'o=mailHosting,dc=fripost,dc=dev'
+# * Create indexes: sudo -u openldap slapindex -b 'dc=fripost,dc=org'
# * Start slapd: /etc/init.d/slapd start
# If it fails, remove the existing database and see what's wrong
-# rm -rf /var/lib/ldap/dev/* && sudo -u openldap slapadd -b 'o=mailHosting,dc=fripost,dc=org' -l /tmp/db.ldif
+# rm -rf /var/lib/ldap/dev/* && sudo -u openldap slapadd -b 'dc=fripost,dc=org' -l /tmp/db.ldif
#
#
# /!\ WARN: All modification to the ACL should be reflected to the test
# /!\ suite as well!
#
#
# References:
# - http://courier.svn.sourceforge.net/svnroot/courier/trunk/courier-authlib/authldap.schema
# - http://www.qmail-ldap.org/wiki/index.php/Qmail.schema
# - http://www.wanderingbarque.com/howtos/mailserver/mailserver.html
# 1.3.6.1.4.1.40011 Fripost's OID
# 1.3.6.1.4.1.40011.1
# 1.3.6.1.4.1.40011.1.2 fripost LDAP Elements
# 1.3.6.1.4.1.40011.1.2.1 AttributeTypes
# 1.3.6.1.4.1.40011.1.2.2 ObjectClasses
# 1.3.6.1.4.1.40011.1.2.3 Syntax Definitions
# This schema depends on:
diff --git a/roles/common-LDAP/files/var/lib/ldap/fripost/DB_CONFIG b/roles/common-LDAP/files/var/lib/ldap/DB_CONFIG
index c7072dc..07738c2 100644
--- a/roles/common-LDAP/files/var/lib/ldap/fripost/DB_CONFIG
+++ b/roles/common-LDAP/files/var/lib/ldap/DB_CONFIG
@@ -1,20 +1,20 @@
# It may be a good idea to modify this file, depending on the output of
#
-# db_stat -mh /var/lib/ldap/fripost | head -16
+# db_stat -mh /var/lib/ldap | head -16
#
# (For optimal performance, the Requested pages found in the cache
# should be above 95%, and the dirty/clean pages forced from the cache
# should be 0.)
#
# and
#
-# db_stat -ch /var/lib/ldap/fripost | head -16
+# db_stat -ch /var/lib/ldap | head -16
#
# (For optimal performance, usage should be within 85% of the configured
# values.)
#
-set_cachesize 0 5242880 1
-# 5MB cachesize, allow defragmentation
+# 5MB cachesize
+set_cachesize 0 5242880 0
set_lk_max_objects 1500
set_lk_max_locks 1500
set_lk_max_lockers 1500
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 43c6bfb..3b8b36c 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -1,88 +1,69 @@
# XXX If #742056 gets fixed, we should preseed slapd to use peercreds as
# RootDN once the fix enters stable.
- name: Install OpenLDAP
apt: pkg={{ item }}
with_items:
- slapd
- ldap-utils
- ldapvi
- db-util
- python-ldap
- name: Configure slapd
template: src=etc/default/slapd.j2
dest=/etc/default/slapd
owner=root group=root
mode=0644
register: r1
notify:
- Restart slapd
-# Upon install slapd create and populate a database under /var/lib/ldap.
-# We clear it up and create a children directory to get finer-grain
-# control.
-- name: Clear empty /var/lib/ldap
- # Don't remove the database (and fail) if it contains something else
- # than its suffix or cn=admin,...
- openldap: dbdirectory=/var/lib/ldap ignoredn=cn=admin
- state=absent
-
-- name: Create directory /var/lib/ldap/fripost
- file: path=/var/lib/ldap/fripost
- state=directory
+- name: Copy DB_CONFIG
+ copy: src=var/lib/ldap/DB_CONFIG
+ dest=/var/lib/ldap/DB_CONFIG
owner=openldap group=openldap
- mode=0700
-
-- name: Copy /var/lib/ldap/fripost/DB_CONFIG
- copy: src=var/lib/ldap/fripost/DB_CONFIG
- dest=/var/lib/ldap/fripost/DB_CONFIG
- owner=openldap group=openldap
- mode=0600
- register: r2
- notify:
- # Not sure if required
- - Restart slapd
+ mode=0644
- name: Create directory /etc/ldap/ssl
file: path=/etc/ldap/ssl
state=directory
owner=root group=root
mode=0755
tags:
- genkey
- name: Generate a private key and a X.509 certificate for slapd
# XXX: GnuTLS (libgnutls26 2.12.20-8+deb7u2, found in Wheezy) doesn't
# support ECDSA; and slapd doesn't seem to support DHE (!?) so
# we're stuck with "plain RSA" Key-Exchange. Also, there is a bug with
# SHA-512.
command: genkeypair.sh x509
--pubkey=/etc/ldap/ssl/{{ item.name }}.pem
--privkey=/etc/ldap/ssl/{{ item.name }}.key
--ou=LDAP {{ item.ou }} --cn={{ item.name }}
--usage=digitalSignature,keyEncipherment
-t rsa -b 4096 -h sha256
--chown="root:openldap" --chmod=0640
- register: r3
- changed_when: r3.rc == 0
- failed_when: r3.rc > 1
+ register: r2
+ changed_when: r2.rc == 0
+ failed_when: r2.rc > 1
with_items:
- { group: 'LDAP-provider', name: ldap.fripost.org, ou: }
- { group: 'MX', name: mx, ou: --ou=SyncRepl }
- { group: 'lists', name: lists, ou: --ou=SyncRepl }
when: "item.group in group_names"
tags:
- genkey
- name: Fetch slapd's X.509 certificate
# Ensure we don't fetch private data
sudo: False
fetch: src=/etc/ldap/ssl/{{ item.name }}.pem
dest=certs/ldap/
fail_on_missing=yes
flat=yes
with_items:
- { group: 'LDAP-provider', name: ldap.fripost.org }
- { group: 'MX', name: mx }
- { group: 'lists', name: lists }
when: "item.group in group_names"
@@ -106,29 +87,30 @@
# It'd certainly be nicer if we didn't have to deploy amavis' schema
# everywhere, but we need the 'objectClass' in our replicates, hence
# they need to be aware of the 'amavisAccount' class.
with_items:
- fripost.ldif
- amavis.schema
tags:
- amavis
- name: Load amavis' schema
openldap: target=/etc/ldap/schema/amavis.schema state=present
format=slapd.conf name=amavis
tags:
- ldap
- name: Load Fripost' schema
openldap: target=/etc/ldap/schema/fripost.ldif state=present
tags:
- ldap
+# We assume a clean (=stock) cn=config
- name: Configure the LDAP database
openldap: target=etc/ldap/database.ldif.j2 local=template
state=present
- name: Start slapd
service: name=slapd state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 308bece..f633692 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -17,163 +17,168 @@
# There are a couple of XXX in this file, due to Postfix not supporting
# SASL binds in Wheezy.
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcPidFile: /var/run/slapd/slapd.pid
olcLogLevel: none
olcToolThreads: 1
{% if ansible_processor_vcpus > 4 %}
olcThreads: {{ 2 * ansible_processor_vcpus }}
{% else %}
olcThreads: 8
{% endif %}
{% if 'LDAP-provider' in group_names %}
olcTLSCertificateFile: /etc/ldap/ssl/ldap.fripost.org.pem
olcTLSCertificateKeyFile: /etc/ldap/ssl/ldap.fripost.org.key
olcTLSCACertificateFile: /etc/ldap/ssl/clients.pem
olcTLSVerifyClient: allow
-olcAuthzRegexp: "^cn=([^,]+),ou=SyncRepl,ou=LDAP,ou=SSLcerts,o=Fripost$"
- "cn=$1,ou=replicates,o=mailHosting,dc=fripost,dc=org"
+olcAuthzRegexp: "^(cn=[^,]+,ou=syncRepl),ou=LDAP,ou=SSLcerts,o=Fripost$"
+ "$1,dc=fripost,dc=org"
olcSaslSecProps: minssf=128,noanonymous,noplain,nodict
# XXX We would like to say 'PFS' here, but Wheezy'z GnuTLS (libgnutls26
# 2.12.20-8+deb7u2) is too old :-( (Also, DHE/ECDHE are not supported.)
olcTLSCipherSuite: SECURE128:!CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:!MD5
{% endif %}
olcLocalSSF: 128
# /!\ This is not portable! But we only use glibc's crypt(3), which
# supports (salted, streched) SHA512
olcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: $6$%s
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
-olcDbDirectory: /var/lib/ldap/fripost
-olcSuffix: o=mailHosting,dc=fripost,dc=org
+olcDbDirectory: /var/lib/ldap
+olcSuffix: dc=fripost,dc=org
{% if 'LDAP-provider' not in group_names and ('MX' in group_names or 'lists' in group_names) %}
olcReadOnly: TRUE
{% endif %}
{% if 'LDAP-provider' in group_names %}
olcLastMod: TRUE
olcDbCheckpoint: 512 15
{% else %}
olcLastMod: FALSE
{% endif %}
+# See DB_CONFIG
+olcDbConfig: set_cachesize 0 5242880 0
+olcDbConfig: set_lk_max_objects 1500
+olcDbConfig: set_lk_max_locks 1500
+olcDbConfig: set_lk_max_lockers 1500
# The root user has all rights on the whole database (when SASL-binding
# on a UNIX socket).
olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
# Ensure that all DIT access is made according to the LDAPv3 protocol,
# and must use 1/ authentication, and 2/ SASL or TLS. (Local clients
# should use ldapi:// and SASL/EXERNAL, while remote clients should use
# TLS.)
# XXX: olcRequires: none LDAPv3 authc strong
olcRequires: none LDAPv3 authc
olcSecurity: simple_bind=128 ssf=128 update_ssf=128
#
#
########################################################################
# Performance considerations
#
# To reindex an existing database, you have to
# * Stop slapd sudo service slapd stop
-# * Reindex su openldap -c "slapindex -b 'o=mailHosting,dc=fripost,dc=org'"
+# * Reindex su openldap -c "slapindex -b 'dc=fripost,dc=org'"
# * Restart slapd sudo service slapd start
#
olcDbIndex: objectClass eq
# Let us make Postfix's life easier.
{% if 'MX' in group_names or 'MDA' in group_names %}
olcDbIndex: fripostIsStatusActive,fvd,fvl eq
{% endif %}
{% if 'MX' in group_names %}
olcDbIndex: fripostOptionalMaildrop pres
{% endif %}
{% if ('LDAP-provider' not in group_names and
('MX' in group_names or 'lists' in group_names)) or
'LDAP-provider' in group_names and
(groups.MX | difference([inventory_hostname]) or
groups.lists | difference([inventory_hostname])) %}
# SyncProv/SyncRepl specific indexing.
olcDbIndex: entryCSN,entryUUID eq
{% endif%}
#
#
# References
# - https://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning_5.0
# - http://www.openldap.org/doc/admin24/tuning.html
# - http://www.openldap.org/faq/data/cache/42.html
# - http://www.openldap.org/faq/data/cache/136.html
# - http://www.zytrax.com/books/ldap/apa/indeces.html
#
#
########################################################################
# Sync Replication
#
# References:
# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
#
{% if 'LDAP-provider' in group_names %}
{% if groups.MX | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org"
+olcLimits: dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
{% endif %}
{% if groups.lists | difference([inventory_hostname]) %}
-olcLimits: dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org"
+olcLimits: dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org"
time.soft=unlimited
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
{% endif %}
{% endif %}
{% if 'MX' in group_names and 'LDAP-provider' not in group_names %}
# Test it:
# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapwhoami -H ldaps://ldap.fripost.org/
-# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapsearch -H ldaps://ldap.fripost.org/ -b ou=virtual,o=mailHosting,dc=fripost,dc=org
+# LDAPSASL_MECH=external LDAPTLS_CACERT=/etc/ldap/ssl/ldap.fripost.org.pem LDAPTLS_CERT=/etc/ldap/ssl/mx.pem LDAPTLS_KEY=/etc/ldap/ssl/mx.key sudo -u openldap ldapsearch -H ldaps://ldap.fripost.org/ -b ou=virtual,dc=fripost,dc=org
olcSyncrepl: rid=000
provider=ldaps://ldap.fripost.org
type=refreshAndPersist
retry="10 30 300 +"
- searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ searchbase="ou=virtual,dc=fripost,dc=org"
attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostPostmaster,fripostOwner
scope=sub
sizelimit=unlimited
schemachecking=off
bindmethod=sasl
saslmech=external
tls_cert=/etc/ldap/ssl/mx.pem
tls_key=/etc/ldap/ssl/mx.key
tls_cacert=/etc/ldap/ssl/ldap.fripost.org.pem
tls_reqcert=hard
{% endif %}
{% if 'lists' in group_names and 'LDAP-provider' not in group_names %}
olcSyncrepl: rid=001
provider=ldaps://ldap.fripost.org
type=refreshAndPersist
retry="10 30 300 +"
- searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ searchbase="ou=virtual,dc=fripost,dc=org"
attrs=objectClass,fvd,fvl,fripostListManager,fripostOwner
scope=sub
sizelimit=unlimited
schemachecking=off
bindmethod=sasl
saslmech=external
tls_cert=/etc/ldap/ssl/lists.pem
tls_key=/etc/ldap/ssl/lists.key
tls_cacert=/etc/ldap/ssl/ldap.fripost.org.pem
tls_reqcert=hard
{% endif %}
#
#
########################################################################
# Access control
# /!\ WARN: All modification to the ACL should be reflected to the test
# /!\ suite as well!
olcAddContentAcl: TRUE
#
# Overview:
@@ -200,324 +205,324 @@ olcAddContentAcl: TRUE
# - http://www.openldap.org/faq/data/cache/1140.html
# - http://www.openldap.org/faq/data/cache/1133.html
# - man 5 slapd.access
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# User Passwords:
#
# * Anonymous users are allowed to simple bind through TLS-protected
# connections.
# * Anonymous users are allowed to simple bind when connecting to a
# local ldapi:// socket (when using auth_binds, Dovecot delegates
# authentication to the LDAP server).
# * Authenticated users are allowed to change (ie replace) their
# password through TLS-protected connections, but read access is not
# granted.
# * Domain postmasters are allowed to change (ie replace) their users'
# password through TLS-protected connections, but read access is not
# granted.
# * The same goes for general admins.
# * The same goes for local admins.
-olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,dc=fripost,dc=org)$"
filter=(objectClass=FripostVirtualUser)
attrs=userPassword
by realanonymous tls_ssf=128 =xd
by realanonymous sockurl.regex="^ldapi://" =xd
by realself tls_ssf=128 =w
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" tls_ssf=128 =w
- by dn.onelevel="ou=admins,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =w
+ by dn.onelevel="ou=admins,dc=fripost,dc=org" tls_ssf=128 =w
by dn.exact="username=guilhem,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =w
#
# XXX
# * Anonymous users are allowed to simple bind as Postfix, but only when
# using a local ldapi:// listener from one of the Postfix instance
# (which should be accessible by the 'postfix' UNIX user only).
-olcAccess: to dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="cn=postfix,ou=services,dc=fripost,dc=org"
attrs=userPassword
by realanonymous sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =xd
#
# TODO: are there other services which need to be able to simple bind?
#
# * Catch-all: no one else may access the passwords (including for
# simple bind).
-olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.subtree="dc=fripost,dc=org"
attrs=userPassword
by * =0
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Base
#
# * The SyncRepl replicates may use the base as a searchBase, when using
# a TLS-protected connection.
# * So can Dovecot on the MDA (for the iterate filter), when
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket.
-olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org"
attrs=entry,objectClass
filter=(objectClass=FripostVirtual)
{% if 'LDAP-provider' in group_names -%}
{% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% endif -%}
{% if 'MDA' in group_names -%}
- by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
+ by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
{% endif -%}
- by users =0 break
+ by users =0 break
#
# * Only SyncRepl replicates may access operational attributes in the
# subtree, when using a TLS-protected connection.
-olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
attrs=structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
{% if 'LDAP-provider' in group_names -%}
{% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% endif -%}
- by * =0
+ by * =0
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Domain entries
#
# * The SyncRepl replicates have read access to the entry itself, when
# using a TLS-protected connection.
# * So has Postfix, when connecting a local ldapi:// socket from the
# 'private' directory in one of the non-default instance's chroot.
# * So has Dovecot on the MDA (for the iterate filter), when
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket.
# * Amavis may use the entry as searchBase (required to look for the
# per-user preferences) but doesn't have read access to the entry.
# * The 'nobody' UNIX user has read access on the MX:es, when using
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket. This is required for the 'reserved-alias.pl'
# script.
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvd
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
{% if 'LDAP-provider' in group_names -%}
{% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% endif -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% if 'MDA' in group_names -%}
- by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
- by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
+ by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
+ by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd
{% endif -%}
{% if 'MX' in group_names -%}
- by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
+ by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
#
# * The SyncRepl MX replicates can check whether a virtual domain is
# active, and read the destination address for catch-alls, when using
# a TLS-protected connection.
# * So can Postfix on the MX:es, when connecting a local ldapi:// socket
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostIsStatusActive,fripostOptionalMaildrop
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
{% endif %}
#
# * The 'nobody' UNIX user can list the domain owners and postmasters on
# the MX:es, when SASL-binding using the EXTERNAL mechanism and
# connecting to a local ldapi:// socket. This is required for the
# 'reserved-alias.pl' script.
{% if 'MX' in group_names %}
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostOwner,fripostPostmaster
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
- by users =0 break
+ by users =0 break
{% endif %}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Alias domain entries
#
# * The SyncRepl MX replicates have read access to the entry itself and
# the destination domain it aliases to, when using a TLS-protected
# connection.
# * So has Postfix on the MX:es, when connecting a local ldapi:// socket
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,fripostMaildrop
filter=(&(objectClass=FripostVirtualAliasDomain)(!(objectClass=FripostPendingEntry)))
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
{% endif %}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# User entries
#
# * The SyncRepl replicates have read access to the entry itself, when
# using a TLS-protected connection.
# * So has Postfix, when connecting a local ldapi:// socket from the
# 'private' directory in one of the non-default instance's chroot.
# * So has Dovecot on the MDA (for the iterate filter), when
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket.
# * So has Amavis on the MDA, when SASL-binding using the EXTERNAL
# mechanism and connecting to a local ldapi:// socket.
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvl
filter=(objectClass=FripostVirtualUser)
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% if 'MDA' in group_names -%}
- by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
- by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
+ by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
+ by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
#
# * The SyncRepl MX replicates can check whether a virtual user is
# active, when using a TLS-protected connection.
# * So can Postfix on the MX:es, when connecting a local ldapi:// socket
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostIsStatusActive
filter=(objectClass=FripostVirtualUser)
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
{% endif %}
{% if 'MDA' in group_names %}
#
# * Amavis can look for per-user configuration options, when
# SASL-binding using the EXTERNAL mechanism and connecting to a local
# ldapi:// socket.
# TODO: we need a fripostUseContentFilter here
# filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE)(fripostUseContentFilter=TRUE))
# TODO: only allow it to read the configuration options users are allowed
# to set and modify.
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=@AmavisAccount
filter=(&(objectClass=FripostVirtualUser)(objectClass=AmavisAccount)(fripostIsStatusActive=TRUE))
by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
by users =0 break
#
# * Dovecot can look for user quotas, when SASL-binding using the
# EXTERNAL mechanism and connecting to a local ldapi:// socket.
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostUserQuota
filter=(objectClass=FripostVirtualUser)
by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =rsd
by users =0 break
{% endif %}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Alias entries
#
# * The SyncRepl MX replicates can read the entry itelf, whether it
# is active, and the address(es) it aliases to, when using a
# TLS-protected connection.
# * So can Postfix on the MX:es, when connecting a local ldapi:// socket
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvl,fripostMaildrop,fripostIsStatusActive
filter=(objectClass=FripostVirtualAlias)
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
{% endif %}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# List entries
#
# * The SyncRepl replicates can read the entry itelf and the list manager, when
# using a TLS-protected connection.
# * So can Postfix on the MX:es and lists managers, when connecting a local
# ldapi:// socket from the 'private' directory in one of the non-default
# instance's chroot.
# XXX: where does sympa enter the picture? we really don't want to reintroduce listcomands...
{% if 'MX' in group_names or 'lists' in group_names or ('LDAP-provider' in group_names and
(groups.lists | difference([inventory_hostname]) or groups.MX | difference([inventory_hostname]))) %}
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=entry,objectClass,fvl,fripostListManager
filter=(&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry)))
{% if 'LDAP-provider' in group_names -%}
{% if groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if groups.lists | difference([inventory_hostname]) -%}
- by dn.exact="cn=lists,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% endif -%}
{% if 'MX' in group_names or 'lists' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
{% endif %}
#
# * The SyncRepl MX replicates can check whether a virtual list is
# active when using a TLS-protected connection.
# * So can Postfix on the MX:es, when connecting a local ldapi:// socket
# from the 'private' directory in one of the non-default instance's
# chroot.
{% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
attrs=fripostIsStatusActive
filter=(&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry)))
{% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
- by dn.exact="cn=mx,ou=replicates,o=mailHosting,dc=fripost,dc=org" tls_ssf=128 =rsd
+ by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
{% endif -%}
{% if 'MX' in group_names -%}
- by dn.exact="cn=postfix,ou=services,o=mailHosting,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+ by dn.exact="cn=postfix,ou=services,dc=fripost,dc=org" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
{% endif -%}
- by users =0 break
+ by users =0 break
{% endif %}
{% if 'LDAP-provider' in group_names %}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# TODO: allow users to edit their entry, etc
#
{% endif %}
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Catch-all
#
# * Catch all the breaks above.
# * Deny any access to everyone else.
-olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=org"
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +0
- by * =0
+olcAccess: to dn.subtree="dc=fripost,dc=org"
+ by dn.children="ou=virtual,dc=fripost,dc=org" +0
+ by * =0
# vim: set filetype=ldif :
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-11 23:07:43 +0000