From 5a7bec1a590e20e263d41eaf414cfe9b5ba48a75 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 2 Dec 2013 03:42:57 +0100
Subject: LDAP Sync Replication.
---
 common.yml | 2 +-
 group_vars/all.yml | 2 ++
 lib/openldap | 1 +
 roles/common-LDAP/tasks/main.yml | 2 +-
 roles/common-LDAP/templates/etc/default/slapd.j2 | 2 +-
 .../templates/etc/ldap/database.ldif.j2 | 34 +++++++++++++++++++++-
 6 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/common.yml b/common.yml
index cea8611..ab8ab1d 100644
--- a/common.yml
+++ b/common.yml
@@ -20,7 +20,7 @@
 - common-SQL
 - name: Common LDAP tasks
- hosts: MDA:MSA:lists:LDAP-producer:MX
+ hosts: MDA:MSA:lists:LDAP-provider:MX
 gather_facts: False
 tags: slapd,ldap
 roles:
diff --git a/group_vars/all.yml b/group_vars/all.yml
index fb7feb8..b9e025f 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -10,3 +10,5 @@ postfix_instance:
 MTA_out: { IPv4: outgoing.fripost.org, port: 2525 }
 LDA: { IPv4: lda.fripost.org, port: 2526 }
+
+LDAP_provider: host1.libvirt.guilhem.org
diff --git a/lib/openldap b/lib/openldap
index 020017c..a90a386 100644
--- a/lib/openldap
+++ b/lib/openldap
@@ -33,6 +33,7 @@ indexedAttributes = frozenset([
 'olcAttributeTypes',
 'olcObjectClasses',
 'olcAccess',
+ 'olcSyncrepl',
 ])
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 270924c..27a0298 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -80,4 +80,4 @@
 - meta: flush_handlers
-# TODO: authz constraint syncprov syncrepl
+# TODO: authz constraint syncprov
diff --git a/roles/common-LDAP/templates/etc/default/slapd.j2 b/roles/common-LDAP/templates/etc/default/slapd.j2
index 7eea421..92b3b22 100644
--- a/roles/common-LDAP/templates/etc/default/slapd.j2
+++ b/roles/common-LDAP/templates/etc/default/slapd.j2
@@ -23,7 +23,7 @@ SLAPD_SERVICES="ldapi:///"
 {% for i in postfix_instance.keys() | intersect(group_names) | list %}
 SLAPD_SERVICES="$SLAPD_SERVICES ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[i].name }}%2Fprivate%2Fldapi/"
 {% endfor %}
-{% if 'LDAP-producer' in group_names %}
+{% if 'LDAP-provider' in group_names %}
 SLAPD_SERVICES="$SLAPD_SERVICES ldap://172.16.0.1:389/"
 {% endif %}
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 03691f9..5a8674a 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -51,7 +51,7 @@ olcDbIndex: objectClass eq
 # Let us make Postfix's life easier. TODO: only if MX, lists.f.o, MDA, etc.
 olcDbIndex: fripostIsStatusActive,fvd,fvl,fripostLocalAlias eq
 olcDbIndex: fripostOptionalMaildrop pres
-# SyncProv/SyncRepl specific indexing. TODO: only if SyncProv/SyncRepl
+# SyncProv/SyncRepl specific indexing.
 olcDbIndex: entryCSN,entryUUID eq
 #
 #
@@ -84,6 +84,30 @@ olcDbIndex: entryCSN,entryUUID eq
 #
 ########################################################################
 ########################################################################
+# Sync Replication
+# TODO: replace the simple bind by Kerberos/GSSAPI
+#
+# References:
+# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
+# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
+#
+{% if 'LDAP_provider' not in group_names %}
+olcSyncrepl: rid=000
+ provider=ldap://{{ LDAP_provider }}
+ type=refreshAndPersist
+ retry="5 5 300 +"
+ searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias,fripostPostmaster,fripostOwner
+ scope=sub
+ schemachecking=off
+ bindmethod=simple
+ binddn="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org"
+ credentials=postfix
+{% endif %}
+#
+#
+########################################################################
+########################################################################
 # Access control
 # /!\ WARN: All modification to the ACL should be reflected to the test
 # /!\ suite as well!
@@ -133,6 +157,14 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
 attrs=entry,objectClass,authzTo
 by realanonymous =x
 #
+# The following is required for Sync Replication.
+{% if 'LDAP-provider' in group_names %}
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+ attrs=entry,objectClass,structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
+ by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by users =0 break
+{% endif %}
+#
 # 1. The WebPanel itself cannot bind, read or write passwords. This
 # guarantees that, if an attacker gains its priviledge, it will *not* be
 # able to change user passwords (which would allow him/her to read every
-- 
cgit v1.2.3
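Review bot: The consumer guard `{% if 'LDAP_provider' not in group_names %}` tests the variable name rather than the group name: everywhere else in this commit the group is spelled `LDAP-provider` (common.yml, slapd.j2 and the ACL hunk further down in this file), so the condition is true on every host and the provider would render an olcSyncrepl directive pointing at its own address. The line should read `{% if 'LDAP-provider' not in group_names %}`. Separately, `bindmethod=simple` over a plain `ldap://` URL sends the hardcoded `credentials=postfix` in clear on every connect and reconnect, and the template literal puts the secret in the repository. Until the GSSAPI TODO is done, add `starttls=critical` and `tls_reqcert=demand` to the directive and render the credential from a vaulted variable instead of a literal.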
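Review bot: The new rule for cn=Postfix grants only the operational attributes it lists, while the attributes the consumer requests in its olcSyncrepl `attrs=` list (fvd, fvl, fripostMaildrop, fripostPostmaster, fripostOwner, ...) must be readable by that same DN through rules outside this hunk; an attribute the bound identity cannot read is simply left out of the search result, so a missing grant shows up as a silently incomplete replica rather than a failed sync. A comment on the rule recording that dependency would help, e.g. `# cn=Postfix must also be able to read every attribute in the consumer's olcSyncrepl attrs= list; see the other olcAccess rules in this template.` The list also omits entryCSN, which this template indexes for sync a few lines up; whether the consumer needs read access to it through the ACL is worth confirming on the provider before relying on the replica.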