2 files changed, 17 insertions, 2 deletions

diff --git a/roles/common-LDAP/templates/etc/default/slapd.j2 b/roles/common-LDAP/templates/etc/default/slapd.j2
index 80c1be1..fdd7481 100644
--- a/roles/common-LDAP/templates/etc/default/slapd.j2
+++ b/roles/common-LDAP/templates/etc/default/slapd.j2
@@ -3,41 +3,41 @@
 # /etc/ldap/slapd.conf).
 SLAPD_CONF=
 
 # System account to run the slapd server under. If empty the server
 # will run as root.
 SLAPD_USER="openldap"
 
 # System group to run the slapd server under. If empty the server will
 # run in the primary group of its user.
 SLAPD_GROUP="openldap"
 
 # Path to the pid file of the slapd server. If not set the init.d script
 # will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
 # default)
 SLAPD_PIDFILE=
 
 # slapd normally serves ldap only on all TCP-ports 389. slapd can also
 # service requests on TCP-port 636 (ldaps) and requests via unix
 # sockets.
 SLAPD_SERVICES="ldapi:///"
-{% for i in group_names | intersect(['MX','lists']) | sort %}
+{% for i in group_names | intersect(['MX','lists','MSA']) | sort %}
 SLAPD_SERVICES="$SLAPD_SERVICES ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[i].name }}%2Fprivate%2Fldapi/"
 {% endfor %}
 {% if 'LDAP-provider' in group_names %}
 SLAPD_SERVICES="$SLAPD_SERVICES ldaps:///"
 {% endif %}
 
 # If SLAPD_NO_START is set, the init script will not start or restart
 # slapd (but stop will still work).  Uncomment this if you are
 # starting slapd via some other means or if you don't want slapd normally
 # started at boot.
 #SLAPD_NO_START=1
 
 # If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
 # the init script will not start or restart slapd (but stop will still
 # work).  Use this for temporarily disabling startup of slapd (when doing
 # maintenance, for example, or through a configuration management system)
 # when you don't want to edit a configuration file.
 SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
 
 # For Kerberos authentication (via SASL), slapd by default uses the system
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 8310818..494888e 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -241,41 +241,41 @@ olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org"
     by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd
     by group.exact="cn=admin,ou=groups,dc=fripost,dc=org"      =wrsd
     by users                                                   =0   break
 olcAccess: to dn.children="ou=virtual,dc=fripost,dc=org"
     by group.exact="cn=admin,ou=groups,dc=fripost,dc=org"      =wrsd
     by users                                                   =0   break
 {% endif -%}
 #
 # * Postfix may use the base as a searchBase on the MX:es, when
 #   connecting a local ldapi:// socket from the 'private' directory in
 #   one of the non-default instance's chroot.
 # * So may Dovecot on the MDA (needed for the iterate filter), when
 #   SASL-binding using the EXTERNAL mechanism and connecting to a local
 #   ldapi:// socket.
 olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org"
         attrs=entry,objectClass
         filter=(objectClass=FripostVirtual)
     {% if 'MDA' in group_names -%}
     by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://"                                                    =sd
     {% endif -%}
-    {% if 'MX' in group_names -%}
+    {% if 'MX' in group_names or 'MSA' in group_names -%}
     by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =sd
     {% endif -%}
     by users                                                                                                                                    =0 break
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Domain entries
 #
 # * The SyncRepl replicates have read access to the entry itself, when
 #   using a TLS-protected connection.
 # * So has Postfix, when connecting a local ldapi:// socket from the
 #   'private' directory in one of the non-default instance's chroot.
 # * So has Dovecot on the MDA (for the iterate filter), when
 #   SASL-binding using the EXTERNAL mechanism and connecting to a local
 #   ldapi:// socket.
 # * Amavis may use the entry as searchBase (required to look for the
 #   per-user preferences) but doesn't have read access to the entry.
 # * The 'nobody' UNIX user has read access on the MX:es, when using
 #   SASL-binding using the EXTERNAL mechanism and connecting to a local
 #   ldapi:// socket.  This is required for the 'reserved-alias.pl'
 #   script.
@@ -459,37 +459,52 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
     by users                                                                                                                                    =0 break
 {% endif %}
 #
 # * The SyncRepl MX replicates can check whether a virtual list is
 #   active when using a TLS-protected connection.
 # * So can Postfix on the MX:es, when connecting a local ldapi:// socket
 #   from the 'private' directory in one of the non-default instance's
 #   chroot.
 {% if 'MX' in group_names or ('LDAP-provider' in group_names and groups.MX | difference([inventory_hostname])) %}
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
         attrs=fripostIsStatusActive
         filter=(&(objectClass=FripostVirtualList)(!(objectClass=FripostPendingEntry)))
     {% if 'LDAP-provider' in group_names and groups.MX | difference([inventory_hostname]) -%}
     by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org"              tls_ssf=128                                                                  =rsd
     {% endif -%}
     {% if 'MX' in group_names -%}
     by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
     {% endif -%}
     by users                                                                                                                                    =0 break
 {% endif %}
+#
+# * The MSA's postfix user can read entry ownership to dermine the SASL
+#   login name(s) owning a given sender address
+{% if 'MSA' in group_names %}
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
+        attrs=fripostOwner,fripostPostmaster
+        filter=(|(objectClass=FripostVirtualAliasDomain)(objectClass=FripostVirtualDomain))
+    by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+    by users                                                                                                                                    =0 break
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,dc=fripost,dc=org$"
+        attrs=entry,objectClass,fvl,fripostOwner
+        filter=(|(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualUser))
+    by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://%2Fvar%2Fspool%2Fpostfix-[-[:alnum:]]+%2Fprivate%2F" =rsd
+    by users                                                                                                                                    =0 break
+{% endif %}
 {% if 'LDAP-provider' in group_names %}
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # TODO: allow users to edit their entry, etc
 #
 {% endif %}
 #
 # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
 # Catch-all
 #
 # * Catch all the breaks above.
 # * Deny any access to everyone else.
 olcAccess: to dn.subtree="dc=fripost,dc=org"
     by dn.children="ou=virtual,dc=fripost,dc=org" +0
     by *                                          =0
 
 # vim: set filetype=ldif :