summaryrefslogtreecommitdiffstats
path: root/lib/modules
Commit message (Collapse)AuthorAgeFiles
* dovecot-auth-proxy: replace directory traversal with LDAP lookups.Guilhem Moulin2020-05-211
| | | | | | | | | | | | | This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer lists users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
* mysql_user2: Explicitly set type to Bool.Guilhem Moulin2020-01-221
| | | | | | | | This avoids the [WARNING]: The value False (type bool) in a string field was converted to u'False' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change.
* Port custom modules to python3.Guilhem Moulin2019-02-055
|
* Remove trailing spaces.Guilhem Moulin2018-12-051
|
* Postfix: replace cdb & btree tables with lmdb ones.Guilhem Moulin2018-12-031
| | | | Cf. lmdb_table(5).
* Upgrade syntax to Ansible 2.4.Guilhem Moulin2017-11-231
|
* Use MariaDB as default MySQL flavor.Guilhem Moulin2017-07-291
|
* Make Ansible modules compatible with Ansible 2.2.0.0.Guilhem Moulin2016-12-081
|
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-181
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* Rename 'mysql_user' plugin to 'mysql_user2' to avoid name collisions.Guilhem Moulin2015-07-121
|
* slapd monitoring.Guilhem Moulin2015-06-101
| | | | | We don't use the provided 'slapd_' Munin plugin because it doesn't support SASL binds.
* typoGuilhem Moulin2015-06-071
|
* Upgrade the LDAP config to Jessie.Guilhem Moulin2015-06-071
|
* Make the Ansible LDAP plugin able to delete entries and attributes.Guilhem Moulin2015-06-071
| | | | | Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on the 'config' database.
* Remove o=mailHosting from the LDAP directory suffix.Guilhem Moulin2015-06-071
| | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand).
* Configure SyncRepl (OpenLDAP replication) and related ACLs.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | | | | The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
* Enable zero-copy updates to the LDAP directory.Guilhem Moulin2015-06-071
|
* Move ansible modules to another directory.Guilhem Moulin2015-06-074