From 5a7bec1a590e20e263d41eaf414cfe9b5ba48a75 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Mon, 2 Dec 2013 03:42:57 +0100
Subject: LDAP Sync Replication.

---
 common.yml                                         |  2 +-
 group_vars/all.yml                                 |  2 ++
 lib/openldap                                       |  1 +
 roles/common-LDAP/tasks/main.yml                   |  2 +-
 roles/common-LDAP/templates/etc/default/slapd.j2   |  2 +-
 .../templates/etc/ldap/database.ldif.j2            | 34 +++++++++++++++++++++-
 6 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/common.yml b/common.yml
index cea8611..ab8ab1d 100644
--- a/common.yml
+++ b/common.yml
@@ -20,7 +20,7 @@
     - common-SQL
 
 - name: Common LDAP tasks
-  hosts: MDA:MSA:lists:LDAP-producer:MX
+  hosts: MDA:MSA:lists:LDAP-provider:MX
   gather_facts: False
   tags: slapd,ldap
   roles:
diff --git a/group_vars/all.yml b/group_vars/all.yml
index fb7feb8..b9e025f 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -10,3 +10,5 @@ postfix_instance:
 
 MTA_out: { IPv4: outgoing.fripost.org, port: 2525 }
 LDA:     { IPv4: lda.fripost.org,      port: 2526 }
+
+LDAP_provider: host1.libvirt.guilhem.org
diff --git a/lib/openldap b/lib/openldap
index 020017c..a90a386 100644
--- a/lib/openldap
+++ b/lib/openldap
@@ -33,6 +33,7 @@ indexedAttributes = frozenset([
     'olcAttributeTypes',
     'olcObjectClasses',
     'olcAccess',
+    'olcSyncrepl',
 ])
 
 
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 270924c..27a0298 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -80,4 +80,4 @@
 
 - meta: flush_handlers
 
-# TODO: authz constraint syncprov syncrepl
+# TODO: authz constraint syncprov
diff --git a/roles/common-LDAP/templates/etc/default/slapd.j2 b/roles/common-LDAP/templates/etc/default/slapd.j2
index 7eea421..92b3b22 100644
--- a/roles/common-LDAP/templates/etc/default/slapd.j2
+++ b/roles/common-LDAP/templates/etc/default/slapd.j2
@@ -23,7 +23,7 @@ SLAPD_SERVICES="ldapi:///"
 {% for i in postfix_instance.keys() | intersect(group_names) | list %}
 SLAPD_SERVICES="$SLAPD_SERVICES ldapi://%2Fvar%2Fspool%2Fpostfix-{{ postfix_instance[i].name }}%2Fprivate%2Fldapi/"
 {% endfor %}
-{% if 'LDAP-producer' in group_names %}
+{% if 'LDAP-provider' in group_names %}
 SLAPD_SERVICES="$SLAPD_SERVICES ldap://172.16.0.1:389/"
 {% endif %}
 
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 03691f9..5a8674a 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -51,7 +51,7 @@ olcDbIndex: objectClass eq
 # Let us make Postfix's life easier. TODO: only if MX, lists.f.o, MDA, etc.
 olcDbIndex: fripostIsStatusActive,fvd,fvl,fripostLocalAlias eq
 olcDbIndex: fripostOptionalMaildrop pres
-# SyncProv/SyncRepl specific indexing. TODO: only if SyncProv/SyncRepl
+# SyncProv/SyncRepl specific indexing.
 olcDbIndex: entryCSN,entryUUID eq
 #
 #
@@ -84,6 +84,30 @@ olcDbIndex: entryCSN,entryUUID eq
 #
 ########################################################################
 ########################################################################
+# Sync Replication
+# TODO: replace the simple bind by Kerberos/GSSAPI
+#
+# References:
+# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
+# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
+#
+{% if 'LDAP_provider' not in group_names %}
+olcSyncrepl: rid=000
+  provider=ldap://{{ LDAP_provider }}
+  type=refreshAndPersist
+  retry="5 5 300 +"
+  searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+  attrs=objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias,fripostPostmaster,fripostOwner
+  scope=sub
+  schemachecking=off
+  bindmethod=simple
+  binddn="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org"
+  credentials=postfix
+{% endif %}
+#
+#
+########################################################################
+########################################################################
 # Access control
 # /!\ WARN: All modification to the ACL should be reflected to the test
 # /!\ suite as well!
@@ -133,6 +157,14 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
         attrs=entry,objectClass,authzTo
     by realanonymous =x
 #
+# The following is required for Sync Replication.
+{% if 'LDAP-provider' in group_names %}
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+        attrs=entry,objectClass,structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry
+    by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+    by users =0 break
+{% endif %}
+#
 # 1. The WebPanel itself cannot bind, read or write passwords. This
 # guarantees that, if an attacker gains its priviledge, it will *not* be
 # able to change user passwords (which would allow him/her to read every
-- 
cgit v1.2.3