summaryrefslogtreecommitdiffstats
path: root/lib
Commit message (Collapse)AuthorAgeFiles
* Configure SyncRepl (OpenLDAP replication) and related ACLs.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | | | | The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
* Enable zero-copy updates to the LDAP directory.Guilhem Moulin2015-06-072
|
* Move ansible modules to another directory.Guilhem Moulin2015-06-074
|
* Remove useless spaces in LDAP attribute values.Guilhem Moulin2015-06-071
|
* Explain how to destroy existing Postfix instances.Guilhem Moulin2015-06-071
|
* Use postmulti to run postconf per instance.Guilhem Moulin2015-06-072
|
* bugfixGuilhem Moulin2015-06-071
|
* Convert legacy *.schema into *.ldif.Guilhem Moulin2015-06-071
|
* Automatically configure Overlays.Guilhem Moulin2015-06-071
| | | | | | | | | | | A 'suffix=' parameter has been added to choose the database to configure the overlay for. The ability to delete overlays would be desirable, but sadly there is no cleane way to remove/replace overlays, short of stopping slapd and digging into the slapd.d directory: http://www.zytrax.com/books/ldap/ch6/slapd-config.html#use-overlays
* LDAP Sync Replication.Guilhem Moulin2015-06-071
|
* Not all LDAPError's have an 'info' key.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-071
|
* Allow flexible ACLs for SASL's EXTERNAL mechanism.Guilhem Moulin2015-06-071
| | | | | | "username=postfix,cn=peercred,cn=external,cn=auth" is replaced by "gidNumber=106+uidNumber=102,cn=peercred,cn=external,cn=auth" where 102 is postfix's UID and 106 its primary GID (looked up from /etc/passwd).
* Optimize LDAP modifications.Guilhem Moulin2015-06-071
| | | | | | | For non-indexed attributes, do not ask the LDAP server to modify values in the symmetric difference of A (the entry found in the directory) and B (the target). That is, we replace A by B only when they are disjoint; otherwise we remove values in A-B and add those in B-A.
* Deal with python strange support of encodings.Guilhem Moulin2015-06-073
| | | | | | | It's not happy with non-ASCII characters in comments, unless the encoding is made explicit… http://www.python.org/dev/peps/pep-0263/
* Reformulate the headers showing the license.Guilhem Moulin2015-06-073
| | | | | To be clearer, and to follow the recommendation of the FSF, we include a full header rather than a single sentence.
* Common LDAP (slapd) configuration.Guilhem Moulin2015-06-071
|
* Remove spaces in MySQL privileges strings.Guilhem Moulin2015-06-071
| | | | | | | In order to allow strings of the form: priv="db.table1:SELECT, UPDATE,DELETE /db.table2:SELECT,INSERT, DELETE"
* Add support for MySQL's Authentication Plugins.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | A.k.a "IDENTIFIED WITH ...". The plugin is automatically loaded on first use. References: - https://dev.mysql.com/doc/refman/5.5/en/pluggable-authentication.html - https://dev.mysql.com/doc/refman/5.5/en/socket-authentication-plugin.html Sadly as of MySQL 5.5, the "ALTER USER" command does not allow changing the Authentication Plugin, so we have to manually manipulate `mysql.user` (and FLUSH PRIVILEGES) instead. See also http://bugs.mysql.com/bug.php?id=67449
* Imported Ansible's 'mysql_user' module.Guilhem Moulin2015-06-071
| | | | | | From ref origin/release1.4.0, commit 2a58c2bbe33236ccfdde9fe7466d8a65956f21a5
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-072
We use a dedicated instance for each role: MDA, MTA out, MX, etc.