From 9304813d505baaa50294ed0d37a11d9e3f0f6c79 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Wed, 15 Jan 2014 07:32:20 +0100
Subject: Fix the catch-all resolution again.

We introduce a limitation on the domain-aliases: they can't have
children (e.g., lists or users) any longer.

The whole alias resolution, including catch-alls and domain aliases, is
now done in 'virtual_alias_maps'. We stop the resolution by returning a
dummy alias A -> A for mailboxes, before trying the catch-all maps.

We're still using transport_maps for lists. If it turns out to be a
bottleneck, due to the high latency of the LDAP maps (and the fact that
there is a single qmgr(8) daemon), we could rewrite lists to a dummy
subdomain and use a static transport_maps instead:

  virtual_alias_maps:
    mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain

  transport_maps:
    mlmmj.localhost.localdomain mlmmj:
---
 roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)


diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 6e5961b..33ef108 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -289,7 +289,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
 #
 # We're giving away create/delete access on the children attributes, but we will be carefull
 # with the 'entry' permissions.
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         filter=(objectClass=FripostVirtual)
         attrs=children
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w
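Review bot: The `dn.base` → `dn.exact` change on the `to` clause is cosmetic: slapd.access(5) lists `dn.exact`, `dn.base` and `dn.baseObject` as synonyms, so the rule matches exactly the same entry before and after. That is fine as a consistency cleanup (the `by` clauses in this file already use `dn.exact`), but neither the commit message nor the hunk says so, and a reader auditing ACL changes will look for a semantic difference that is not there. Consider stating in the commit message that the `dn.base` → `dn.exact` rewrites are a no-op normalization, separate from the alias-domain restriction that is the actual access change.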
@@ -300,7 +300,7 @@ olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org"
     by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z
     by * break
 olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org"
-        filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
+        filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(objectClass=FripostVirtualAliasDomain)))
         attrs=children
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w
 #
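Review bot: The negated `(!(objectClass=FripostVirtualAliasDomain))` term silently removes the children-write grant for alias domains, but nothing next to the rule records why; since the `by` list ends without `by * break`, an alias-domain entry now skips this clause and falls through to whatever rules follow, which this hunk does not show. Add a comment above the `olcAccess:` line such as `# Domain aliases can't have children (users, lists, ...): nobody may create entries below them.`, and double-check that no later clause grants `=w` on `children` for `FripostVirtualDomain` entries without this exclusion. Two caveats worth confirming outside the hunk: the restriction is enforced purely through the entry's objectClass, so it only holds if the parties who can write the domain entry cannot remove `FripostVirtualAliasDomain` from its objectClass; and it blocks new children only, so any users or lists already created under an alias domain before this change remain in place and, presumably, keep being resolved.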
@@ -534,11 +534,11 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 #
 # Users with "canAddDomain" access can see that they have the right
 # to create domains.
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         filter=(objectClass=FripostVirtual)
         attrs=entry
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +rd
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         filter=(objectClass=FripostVirtual)
         attrs=fripostCanAddDomain
     by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd
-- 
cgit v1.2.3