aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem.moulin@fripost.org>2012-04-03 02:14:31 +0200
committerGuilhem Moulin <guilhem.moulin@fripost.org>2012-04-03 02:17:11 +0200
commit45768c5c537c0fa418fb45015f46fd5764022dd1 (patch)
tree6a8cccaec23d3291b03ff679bacde30a2782e87f
parentb090cf1444342b20a1cfdd3ea01c602d1988f121 (diff)
A first schema for the table that maintains users informations.
-rw-r--r--fripost-docs.org145
1 files changed, 135 insertions, 10 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 91c8943..abed845 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -632,16 +632,26 @@ http://www.rjsystems.nl/en/2100-d6-openldap-provider.php
sudo apt-get install slapd ldap-utils
If it does not prompt for your domain, admin password, etc., run
-`dpkg-reconfigure -plow slapd'.
+`dpkg-reconfigure -plow slapd'. Here is how we answer the questions:
+
+Omit OpenLDAP server configuration? No
+DNS domain name: fripost.org
+Organization name: Fripost
+Administrator password: *********
+Database backend to use: HDB
+Do you want the database to be removed when slapd is purged? No
+Move old database? Yes
+Allow LDAPv2 protocol? No
+
We do not want to listen all the Internet: in `/etc/default/slapd', change
-`SLAPD_SERVICES' accordingly. E.g., to only listen to localhost (non SSL) and
+`SLAPD_SERVICES' accordingly. E.g., to only listen to (non SSL) localhost and
unix sockets, specify
SLAPD_SERVICES="ldap:///127.0.0.1:389 ldapi:///%2fvar%2frun%2fopenldap%2fldapi/????x-mod=0777"
(This should be enough if the connection from the IMAP/SASL services are
-wrapped into SSH or SSL tunnels.)
+wrapped into SSH or SSL/TLS tunnels.)
We can check the configuration with
@@ -651,17 +661,132 @@ and modify a .ldif file with
ldapmodify -Y EXTERNAL -H ldapi:/// -f "<file.ldif>"
-**** Our schema
+**** Fripost's schema
+
+We base our schema on qmail's: http://dhits.nl/download/qmail.new.schema .
+Note: our schema is not standalone, see the section below.
+
+Put the code below into `/tmp/fripost.ldif', and run
+ ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/fripost.ldif
+
+dn: cn=mailAccount,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: mailAccount
+olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.1 NAME 'mailbox'
+ DESC 'The path to the mailbox.'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.2 NAME 'domain'
+ DESC 'The path to the mailbox.'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.3 NAME 'quota'
+ DESC 'The quota on a mailbox e.g., "50MB".'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+
+# Note: For the meaning of the sequences of digits above, grep the output of
+# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
+# (For instance, 1.3.6.1.4.1.1466.115.121.1.26 is a IA5String, meaning the spaces
+# doesn't matter)
+
+
+# We will also use other attributes, coming from imported schemas:
+# * uid, userid: RFC4519: user identifier.
+# Usernames. Note that the case is ignored.
+# * cn, commonName: RFC4519: common name(s) for which the entity is known by
+# First name of the user.
+# * sn, surName: RFC2256: last (family) name(s) for which the entity is known by
+#
+# Also, some attributes will be set automatically, see below.
+
+
+[TODO: This is only an attempt to subsume the MySQL table `mailbox'. Do the same
+for the 3 others.]
+
+**** Add a custom ACL
+
+The ACL is already properly defined (check it with `ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"').
+
+olcAccess: {0}to attrs=userPassword,shadowLastChange
+ by self write
+ by anonymous auth
+ by dn="cn=admin,dc=fripost,dc=org" write
+ by * none
+olcAccess: {1}to dn.base=""
+ by * read
+olcAccess: {2}to *
+ by self write
+ by dn="cn=admin,dc=fripost,dc=org" write
+ by * read
+
+But we may want to hide the users' name to anyone but the admin. To this end, create a file
+`/tmp/bigbrother.ldif' with the following content:
+
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: {1}to dn.base="o=mailAccount,dc=fripost,dc=org" attrs=cn,sn by dn="cn=admin,dc=fripost,dc=org" write by * none
+
+and run `ldapmodify -QY EXTERNAL -H ldapi:/// -f /tmp/bigbrother.ldif'. We can
+now check `ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"'
+the difference:
+
+olcAccess: {0}to attrs=userPassword,shadowLastChange
+ by self write
+ by anonymous auth
+ by dn="cn=admin,dc=fripost,dc=org" write
+ by * none
+olcAccess: {1}to dn.base="o=mailAccount,dc=fripost,dc=org" attrs=cn,sn
+ by dn="cn=admin,dc=fripost,dc=org" write
+ by * none
+olcAccess: {2}to dn.base=""
+ by * read
+olcAccess: {3}to *
+ by self write
+ by dn="cn=admin,dc=fripost,dc=org" write
+ by * read
+
+[TODO: The proper way to define admin rights would be to make a group "Admin".]
+
+**** Add a user
+
+We start by creating our base tree, in `/tmp/base.ldif':
+
+dn: o=mailAccount,dc=fripost,dc=org
+o: Mail Users
+objectClass: organization
+
+(Run `ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /tmp/base.ldif' to attach the tree'.)
+
+
+We are now ready to create a user. Open a file `/tmp/user.ldif', with the following content:
+
+dn: uid=user,o=mailAccount,dc=fripost,dc=org
+objectClass: top
+objectClass: mailAccount
+uid: user
+cn: secret
+userPassword: {SSHA}ByzkkO0jNcDwx3+1wZi6FVm0WoEI5Ivo
+domain: fripost.org
+mailbox: /hop/
+accountActive: TRUE
+
+And add it with `ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /tmp/user.ldif'. (Note: this should
+obviously be wrapped in a script; `ldapadd' reads the standard input, so there's no need to write
+on disk.) Where the password is a the S-SHA1 hash of "hackme".
+
-[TODO: find something suitable to subsume the MySQL databases; we could find some
-inspiration here: http://dhits.nl/download/qmail.new.schema]
+To delete a user, you can run
+ ldapdelete -D cn=admin,dc=fripost,dc=org 'uid=user,o=mailAccount,dc=fripost,dc=org' -W
-If the task is only to provide a secure way to authenticate, the "basic tree" of
-http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree is good enough.
+`slapcat', run as root, dums everything in the tree, including the (hashed) passwords. However, run as a
+non-authenticated user, the target's name remains hidden.
-After adding an user, we can check that the authentication works properly:
+We can check that the SASL binds work as excected:
-ldapwhoami -xD uid=myuserid,ou=account,dc=fripost,dc=org -W
+ ldapwhoami -xD uid=user,ou=mailAccount,dc=fripost,dc=org -W
*** Configuring the main IMAP server
**** Install packages