| Commit message | Author | Age | Files |
This provides better isolation opportunity as the service doesn't need
to run as ‘vmail’ user. We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.
The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).
OTOH we no longer list users that have been removed from LDAP but still
have a mailstore lingering around. This is fair.
This avoids the
[WARNING]: The value False (type bool) in a string field was converted
to u'False' (type string). If this does not look like what you expect,
quote the entire value to ensure it does not change.
Cf. lmdb_table(5).
locally.
And use this to fetch all X.509 leaf certificates.
We don't use the provided 'slapd_' Munin plugin because it doesn't
support SASL binds.
Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on
the 'config' database.
So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the
default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it
beforehand).
The clients are identified using their certificate, and connect securely
to the SyncProv.
There are a few workarounds (XXX) in the ACLs due to Postfix not
supporting SASL binds in Wheezy.
Overview:
- Authentication (XXX: strong authentication) is required prior to any DIT
operation (see 'olcRequires').
- We force a Security Strength Factor of 128 or above for all operations (see
'olcSecurity'), meaning one must use either a local connection (e.g.,
ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at
least 128 bits of security.
- XXX: Services may not simple bind other than locally on a ldapi:// socket.
If no remote access is needed, they should use SASL/EXTERNAL on a ldapi://
socket whenever possible (if the service itself supports SASL binds).
If remote access is needed, they should use SASL/EXTERNAL on a ldaps://
socket, and their identity should be derived from the CN of the client
certificate only (hence services may not simple bind).
- Admins have restrictions similar to those of the services.
- User access is only restricted by our global 'olcSecurity' attribute.
A 'suffix=' parameter has been added to choose the database to configure
the overlay for.
The ability to delete overlays would be desirable, but sadly there is no
clean way to remove/replace overlays, short of stopping slapd and
digging into the slapd.d directory:
http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-overlays
"username=postfix,cn=peercred,cn=external,cn=auth" is replaced by
"gidNumber=106+uidNumber=102,cn=peercred,cn=external,cn=auth" where 102
is postfix's UID and 106 its primary GID (looked up from /etc/passwd).
| |
For non-indexed attributes, do not ask the LDAP server to modify values
in the symmetric difference of A (the entry found in the directory) and
B (the target). That is, we replace A by B only when they are disjoint;
otherwise we remove values in A-B and add those in B-A.
| |
It's not happy with non-ASCII characters in comments, unless the
encoding is made explicit…
http://www.python.org/dev/peps/pep-0263/
| |
To be clearer, and to follow the recommendation of the FSF, we include
a full header rather than a single sentence.
In order to allow strings of the form:
priv="db.table1:SELECT, UPDATE,DELETE
/db.table2:SELECT,INSERT, DELETE"
A.k.a "IDENTIFIED WITH ...". The plugin is automatically loaded on first
use.
References:
- https://dev.mysql.com/doc/refman/5.5/en/pluggable-authentication.html
- https://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html
Sadly as of MySQL 5.5, the "ALTER USER" command does not allow changing
the Authentication Plugin, so we have to manually manipulate
`mysql.user` (and FLUSH PRIVILEGES) instead. See also
http://bugs.mysql.com/bug.php?id=67449
From ref origin/release1.4.0, commit
2a58c2bbe33236ccfdde9fe7466d8a65956f21a5
We use a dedicated instance for each role: MDA, MTA out, MX, etc.