From 15197cf98d0ba1029ad770a192a3b405ebc32204 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 8 Jul 2014 06:55:58 +0200 Subject: Fix issue with delete entries in the replication. It looks as if the SyncRepl need read access on the 'entry' and 'objectClass' attributes of the entry being deleted, and the entry being deleted no longer matches the ACL filters, so we have to grant access globally. (We still have fine-grain control on the other attributes which are not disclosed, though.) --- .../templates/etc/ldap/database.ldif.j2 | 52 ++++++++++------------ 1 file changed, 23 insertions(+), 29 deletions(-) (limited to 'roles/common-LDAP') diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 index 6680462..d3915df 100644 --- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 +++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 @@ -246,40 +246,34 @@ olcAccess: to dn.subtree="dc=fripost,dc=org" # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Base # -# * The SyncRepl replicates may use the base as a searchBase, when using -# a TLS-protected connection. -# * So can Dovecot on the MDA (for the iterate filter), when -# SASL-binding using the EXTERNAL mechanism and connecting to a local -# ldapi:// socket. +# * Only SyncRepl replicates may access operational attributes in the +# subtree, when using a TLS-protected connection. +{% if 'LDAP-provider' in group_names -%} +olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org" + attrs=entryDN,entryCSN,entryUUID,structuralObjectClass,hasSubordinates,subschemaSubentry + by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd + by * =0 +# +# * They may also read entries (ie, the attributes they have access to +# as per the ACL below) in that subtree, when using a TLS-protected +# connection. Listing entries (their DN) is required to replicate +# deletions properly. +olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org" + attrs=entry,objectClass + by dn.onelevel="ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd + by users =0 break +{% endif -%} +# +# * Dovecot may use the base as a searchBase on the MDA (for the iterate +# filter), when SASL-binding using the EXTERNAL mechanism and +# connecting to a local ldapi:// socket. +{% if 'MDA' in group_names -%} olcAccess: to dn.exact="ou=virtual,dc=fripost,dc=org" attrs=entry,objectClass filter=(objectClass=FripostVirtual) - {% if 'LDAP-provider' in group_names -%} - {% if groups.MX | difference([inventory_hostname]) -%} - by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd - {% endif -%} - {% if groups.lists | difference([inventory_hostname]) -%} - by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd - {% endif -%} - {% endif -%} - {% if 'MDA' in group_names -%} by dn.exact="username=dovecot,cn=peercred,cn=external,cn=auth" sockurl.regex="^ldapi://" =sd - {% endif -%} by users =0 break -# -# * Only SyncRepl replicates may access operational attributes in the -# subtree, when using a TLS-protected connection. -olcAccess: to dn.subtree="ou=virtual,dc=fripost,dc=org" - attrs=structuralObjectClass,createTimestamp,creatorsName,entryDN,entryUUID,modifiersName,modifyTimestamp,hasSubordinates,subschemaSubentry - {% if 'LDAP-provider' in group_names -%} - {% if groups.MX | difference([inventory_hostname]) -%} - by dn.exact="cn=mX,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd - {% endif -%} - {% if groups.lists | difference([inventory_hostname]) -%} - by dn.exact="cn=lists,ou=syncRepl,dc=fripost,dc=org" tls_ssf=128 =rsd - {% endif -%} - {% endif -%} - by * =0 +{% endif -%} # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # Domain entries -- cgit v1.2.3