From 9304813d505baaa50294ed0d37a11d9e3f0f6c79 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 15 Jan 2014 07:32:20 +0100 Subject: Fix the catch-all resolution again. We introduce a limitation on the domain-aliases: they can't have children (e.g., lists or users) any longer. The whole alias resolution, including catch-alls and domain aliases, is now done in 'virtual_alias_maps'. We stop the resolution by returning a dummy alias A -> A for mailboxes, before trying the catch-all maps. We're still using transport_maps for lists. If it turns out to be a bottleneck due to the high-latency coming from LDAP maps, (and the fact that there is a single qmgr(8) daemon), we could rewrite lists to a dummy subdomain and use a static transport_maps instead: virtual_alias_maps: mylist@example.org -> mylist#example.org@mlmmj.localhost.localdomain transport_maps: mlmmj.localhost.localdomain mlmmj: --- roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'roles/common-LDAP/templates') diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 6e5961b..33ef108 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -289,7 +289,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org" # # We're giving away create/delete access on the children attributes, but we will be carefull # with the 'entry' permissions. -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtual) attrs=children by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w @@ -300,7 +300,7 @@ olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org" by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z by * break olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org" - filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) + filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(objectClass=FripostVirtualAliasDomain))) attrs=children by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w # @@ -534,11 +534,11 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # # Users with "canAddDomain" access can see that they have the right # to create domains. -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtual) attrs=entry by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +rd -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtual) attrs=fripostCanAddDomain by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd -- cgit v1.2.3