path: root/lib
Commit message (Collapse)AuthorAgeFiles
* dovecot-auth-proxy: replace directory traversal with LDAP lookups.Guilhem Moulin2020-05-211
| | | | | | | | | | | | | This provides better isolation opportunity as the service doesn't need to run as ‘vmail’ user. We use a dedicated system user instead, and LDAP ACLs to limit its access to the strict minimum. The new solution is also more robust to quoting/escaping, and doesn't depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID instead of %d/%n at some point to make user renaming simpler). OTOH we no longer lists users that have been removed from LDAP but still have a mailstore lingering around. This is fair.
* mysql_user2: Explicitly set type to Bool.Guilhem Moulin2020-01-221
| | | | | | | | This avoids the [WARNING]: The value False (type bool) in a string field was converted to u'False' (type string). If this does not look like what you expect, quote the entire value to ensure it does not change.
* Port custom modules to python3.Guilhem Moulin2019-02-055
* Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch.Guilhem Moulin2018-12-091
* Remove trailing spaces.Guilhem Moulin2018-12-052
* Postfix: replace cdb & btree tables with lmdb ones.Guilhem Moulin2018-12-031
| | | | Cf. lmdb_table(5).
* Upgrade syntax to Ansible 2.5.Guilhem Moulin2018-04-041
* Upgrade syntax to Ansible 2.4.Guilhem Moulin2017-11-231
* Use MariaDB as default MySQL flavor.Guilhem Moulin2017-07-291
* Make Ansible modules compatible with Ansible Moulin2016-12-082
* ansible: _make_tmp_path now takes an argument.Guilhem Moulin2016-06-292
* Add an ansible module 'fetch_cmd' to fetch the output of a remote command ↵Guilhem Moulin2016-05-182
| | | | | | locally. And use this to fetch all X.509 leaf certificates.
* Upgrade playbooks to Ansible 2.0.Guilhem Moulin2016-02-121
* Rename 'mysql_user' plugin to 'mysql_user2' to avoid name collisions.Guilhem Moulin2015-07-121
* slapd monitoring.Guilhem Moulin2015-06-101
| | | | | We don't use the provided 'slapd_' Munin plugin because it doesn't support SASL binds.
* typoGuilhem Moulin2015-06-071
* Upgrade the LDAP config to Jessie.Guilhem Moulin2015-06-071
* Make the Ansible LDAP plugin able to delete entries and attributes.Guilhem Moulin2015-06-072
| | | | | Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on the 'config' database.
* Remove o=mailHosting from the LDAP directory suffix.Guilhem Moulin2015-06-071
| | | | | | So our suffix is now a mere 'dc=fripost,dc=org'. We're also using the default '/var/lib/ldap' as olcDbDirectory (hence we don't clear it before hand).
* Configure SyncRepl (OpenLDAP replication) and related ACLs.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | | | | | | | | | | The clients are identified using their certificate, and connect securely to the SyncProv. There are a few workarounds (XXX) in the ACLs due to Postfix not supporting SASL binds in Wheezy. Overview: - Authentication (XXX: strong authentication) is required prior to any DIT operation (see 'olcRequires'). - We force a Security Strength Factor of 128 or above for all operations (see 'olcSecurity'), meaning one must use either a local connection (eg, ldapi://, possible since we set the 'olcLocalSSF' to 128), or TLS with at least 128 bits of security. - XXX: Services may not simple bind other than locally on a ldapi:// socket. If no remote access is needed, they should use SASL/EXTERNAL on a ldapi:// socket whenever possible (if the service itself supports SASL binds). If remote access is needed, they should use SASL/EXTERNAL on a ldaps:// socket, and their identity should be derived from the CN of the client certificate only (hence services may not simple bind). - Admins have restrictions similar to that of the services. - User access is only restricted by our global 'olcSecurity' attribute.
* Enable zero-copy updates to the LDAP directory.Guilhem Moulin2015-06-072
* Move ansible modules to another directory.Guilhem Moulin2015-06-074
* Remove useless spaces in LDAP attribute values.Guilhem Moulin2015-06-071
* Explain how to destroy existing Postfix instances.Guilhem Moulin2015-06-071
* Use postmulti to run postconf per instance.Guilhem Moulin2015-06-072
* bugfixGuilhem Moulin2015-06-071
* Convert legacy *.schema into *.ldif.Guilhem Moulin2015-06-071
* Automatically configure Overlays.Guilhem Moulin2015-06-071
| | | | | | | | | | | A 'suffix=' parameter has been added to choose the database to configure the overlay for. The ability to delete overlays would be desirable, but sadly there is no cleane way to remove/replace overlays, short of stopping slapd and digging into the slapd.d directory:
* LDAP Sync Replication.Guilhem Moulin2015-06-071
* Not all LDAPError's have an 'info' key.Guilhem Moulin2015-06-071
* wibbleGuilhem Moulin2015-06-071
* Allow flexible ACLs for SASL's EXTERNAL mechanism.Guilhem Moulin2015-06-071
| | | | | | "username=postfix,cn=peercred,cn=external,cn=auth" is replaced by "gidNumber=106+uidNumber=102,cn=peercred,cn=external,cn=auth" where 102 is postfix's UID and 106 its primary GID (looked up from /etc/passwd).
* Optimize LDAP modifications.Guilhem Moulin2015-06-071
| | | | | | | For non-indexed attributes, do not ask the LDAP server to modify values in the symmetric difference of A (the entry found in the directory) and B (the target). That is, we replace A by B only when they are disjoint; otherwise we remove values in A-B and add those in B-A.
* Deal with python strange support of encodings.Guilhem Moulin2015-06-073
| | | | | | | It's not happy with non-ASCII characters in comments, unless the encoding is made explicit…
* Reformulate the headers showing the license.Guilhem Moulin2015-06-073
| | | | | To be clearer, and to follow the recommendation of the FSF, we include a full header rather than a single sentence.
* Common LDAP (slapd) configuration.Guilhem Moulin2015-06-071
* Remove spaces in MySQL privileges strings.Guilhem Moulin2015-06-071
| | | | | | | In order to allow strings of the form: priv="db.table1:SELECT, UPDATE,DELETE /db.table2:SELECT,INSERT, DELETE"
* Add support for MySQL's Authentication Plugins.Guilhem Moulin2015-06-071
| | | | | | | | | | | | | | A.k.a "IDENTIFIED WITH ...". The plugin is automatically loaded on first use. References: - - Sadly as of MySQL 5.5, the "ALTER USER" command does not allow changing the Authentication Plugin, so we have to manually manipulate `mysql.user` (and FLUSH PRIVILEGES) instead. See also
* Imported Ansible's 'mysql_user' module.Guilhem Moulin2015-06-071
| | | | | | From ref origin/release1.4.0, commit 2a58c2bbe33236ccfdde9fe7466d8a65956f21a5
* Postfix master (nullmailer) configurationGuilhem Moulin2015-06-072
We use a dedicated instance for each role: MDA, MTA out, MX, etc.