Diffstat (limited to 'roles/common-LDAP')
-rw-r--r--roles/common-LDAP/files/etc/ldap/schema/fripost.ldif7
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j259
2 files changed, 39 insertions, 27 deletions
diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index 514b6fa..72695ab 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -164,12 +164,7 @@ olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList'
MUST ( fvl $ fripostListManager $ fripostIsStatusActive )
MAY ( fripostOwner $ description ) )
#
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualListCommand'
- SUP top STRUCTURAL
- DESC 'Virtual list command'
- MUST ( fvl ) )
-#
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostPendingEntry'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostPendingEntry'
SUP top AUXILIARY
DESC 'Virtual pending entry'
MAY ( fripostPendingToken ) )
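Review bot: The renumbering on the line replacing FripostPendingEntry's definition reassigns OID 1.3.6.1.4.1.40011.1.2.6, which this same file previously published for FripostVirtualListCommand, to a different object class; OIDs under a private arc are meant to be permanent, and any server or client that still holds the old definition (a consumer that has not reloaded the schema, cached schema) will see one OID naming two classes. Leaving FripostPendingEntry at 1.3.6.1.4.1.40011.1.2.7 and retiring .6 avoids that, with a comment such as `# 1.3.6.1.4.1.40011.1.2.6 retired (was FripostVirtualListCommand); do not reuse` documenting the gap. Separately, any entry still carrying objectClass FripostVirtualListCommand will violate schema once the class is dropped; the commit shows no migration for such entries, so presumably none exist — worth confirming before the schema is reloaded.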
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 3752f9f..b4c2c4f 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -79,6 +79,11 @@ olcLimits: dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org
time.hard=unlimited
size.soft=unlimited
size.hard=unlimited
+olcLimits: dn.exact="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
+ time.soft=unlimited
+ time.hard=unlimited
+ size.soft=unlimited
+ size.hard=unlimited
{% elif 'MX' in group_names %}
olcSyncrepl: rid=000
provider=ldap://{{ LDAP_provider }}
@@ -91,6 +96,18 @@ olcSyncrepl: rid=000
bindmethod=simple
binddn="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
credentials=mx
+{% elif 'lists' in group_names %}
+olcSyncrepl: rid=001
+ provider=ldap://{{ LDAP_provider }}
+ type=refreshAndPersist
+ retry="5 5 300 +"
+ searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ attrs=objectClass,fvd,fvl,fripostListManager,fripostOwner
+ scope=sub
+ schemachecking=off
+ bindmethod=simple
+ binddn="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org"
+ credentials=lists
{% endif %}
#
#
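Review bot: The consumer added for the 'lists' group binds with `bindmethod=simple` to `provider=ldap://{{ LDAP_provider }}` and sets no `starttls=` or `tls_reqcert=` option, so the password on the `credentials=lists` line and the replicated owner/manager data travel unprotected unless the link is secured elsewhere (a VPN or a host-local provider, which this template does not show). Adding `starttls=critical` and `tls_reqcert=demand` to the block makes the consumer refuse a session that cannot be protected; the existing MX consumer should get the same treatment if its options, which lie outside this hunk, lack them. The literal `credentials=lists` mirrors `credentials=mx` above it; if these values are not substituted at deploy time, the replica passwords are committed in the repository.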
@@ -116,7 +133,7 @@ olcSyncrepl: rid=000
# alias resolution.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop
- filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
+ filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
by realanonymous =rsd
by users =0 break
@@ -126,14 +143,22 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
- by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
+ by dn.exact="username=nobody,cn=peercred,cn=external,cn=auth" =rsd
+ by users =0 break
+#
+# List replicates
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ attrs=entry,objectClass,fvd,fvl,fripostListManager,fripostOwner
+ filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualList))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
+ by dn.exact="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by realanonymous =rsd
by users =0 break
#
# The following is required for the content filter
{% if 'MDA' in group_names %}
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
attrs=entry
- filter=(&(objectClass=FripostVirtualDomain)(fripostIsStatusActive=TRUE))
+ filter=(&(objectClass=FripostVirtualDomain)(!(fripostIsStatusActive=FALSE)))
by dn.exact="username=amavis,cn=peercred,cn=external,cn=auth" =s
by users =0 break
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
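Review bot: The new "List replicates" rule grants `by realanonymous =rsd` on `fripostListManager` and `fripostOwner` for domain and list entries, whereas the domain rule just above it exposes `fripostOwner`/`fripostPostmaster` only to the replicator DN and a local peercred identity; this widens disclosure of owner and manager identities to any unauthenticated client. If anonymous access is only needed for the maildrop lookups the MX rule covers, dropping the `by realanonymous =rsd` line from the new rule (or narrowing its `attrs=` list) keeps the exposure where it was. The switch from `username=postfix` to `username=nobody` in the peercred clause is also a widening: `nobody` is shared by unrelated unprivileged daemons, so a dedicated service account for whichever process now needs `fripostPostmaster`/`fripostOwner` would be the least-privilege choice, presumably a local script — the commit does not say which.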
@@ -162,9 +187,16 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
#
# The following is required for Sync Replication.
{% if 'LDAP-provider' in group_names %}
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ attrs=entry,objectClass
+ filter=(objectClass=FripostVirtual)
+ by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by dn.exact="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by users =0 break
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
- attrs=entry,objectClass,structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
+ attrs=structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
by dn.exact="cn=MX-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by dn.exact="cn=lists-replicate,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
by users =0 break
{% endif %}
#
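Review bot: The new rule on `dn.exact="ou=virtual,…"` has no comment explaining why the base entry needs its own access line, which matters because the next rule simultaneously drops `entry,objectClass` from the subtree rule, so a future reader cannot tell the two changes are paired. A comment above it such as `# Replicas must be able to read the ou=virtual base entry itself; the subtree rule below now grants only operational attributes.` would record that, hedged as needed if the intent differs. As a point of style, the pair of `cn=MX-replicate` / `cn=lists-replicate` clauses is now repeated in several olcAccess rules across this file; a single `group/…` or `set` clause naming the replica DNs would keep them from drifting apart when a third replica is added.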
@@ -214,7 +246,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
#
# The list creation service can delete the 'pending' status on lists and list commands.
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
- filter=(&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(objectClass=FripostPendingEntry))
+ filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
attrs=objectClass val=FripostPendingEntry
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" =z break
by * +0 break
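Review bot: The comment above the rewritten filter still reads "The list creation service can delete the 'pending' status on lists and list commands", but this commit removes the FripostVirtualListCommand class and the filter now matches lists only; the same stale comment precedes the second filter rewrite in the following hunk. Both should read `# The list creation service can delete the 'pending' status on lists.` so the documentation matches the new filter.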
@@ -235,7 +267,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
#
# The list creation service can delete the 'pending' status on lists and list commands.
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org$"
- filter=(&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(objectClass=FripostPendingEntry))
+ filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
attrs=fripostPendingToken
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +z
by * +0
@@ -483,21 +515,6 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +rd
by * +0 break
#
-# 1. The domain owner can create and delete list commands, but only those with a 'pending' status
-# 2. So can the domain postmaster.
-# 3. The entry creator can delete pending list commands (needed to be able to rollback).
-# 4. People with "canAddList" access can create list commands, but only with a 'pending' status.
-# 5. The list creation service can search and browse the entry.
-olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
- filter=(&(objectClass=FripostVirtualListCommand)(objectClass=FripostPendingEntry))
- attrs=entry
- by group/FripostVirtualDomain/fripostOwner.expand="$1" +w
- by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +w
- by dnattr=creatorsName +z continue
- by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +rd
- by * +0
-#
# 1. The list owners can read the entry.
# 2. So can the domain's Owner.
# 3. So can the domain's Postmaster.