| field | value | date |
|---|---|---|
| author | Guilhem Moulin <guilhem.moulin@fripost.org> | 2012-04-03 02:14:31 +0200 |
| committer | Guilhem Moulin <guilhem.moulin@fripost.org> | 2012-04-03 02:17:11 +0200 |
| commit | 45768c5c537c0fa418fb45015f46fd5764022dd1 (patch) | |
| tree | 6a8cccaec23d3291b03ff679bacde30a2782e87f | |
| parent | b090cf1444342b20a1cfdd3ea01c602d1988f121 (diff) | |
A first schema for the table that maintains users' information.
-rw-r--r-- | fripost-docs.org | 145 |
1 files changed, 135 insertions, 10 deletions
diff --git a/fripost-docs.org b/fripost-docs.org index 91c8943..abed845 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -632,16 +632,26 @@ http://www.rjsystems.nl/en/2100-d6-openldap-provider.php sudo apt-get install slapd ldap-utils If it does not prompt for your domain, admin password, etc., run -`dpkg-reconfigure -plow slapd'. +`dpkg-reconfigure -plow slapd'. Here is how we answer the questions: + +Omit OpenLDAP server configuration? No +DNS domain name: fripost.org +Organization name: Fripost +Administrator password: ********* +Database backend to use: HDB +Do you want the database to be removed when slapd is purged? No +Move old database? Yes +Allow LDAPv2 protocol? No + We do not want to listen all the Internet: in `/etc/default/slapd', change -`SLAPD_SERVICES' accordingly. E.g., to only listen to localhost (non SSL) and +`SLAPD_SERVICES' accordingly. E.g., to only listen to (non SSL) localhost and unix sockets, specify SLAPD_SERVICES="ldap:///127.0.0.1:389 ldapi:///%2fvar%2frun%2fopenldap%2fldapi/????x-mod=0777" (This should be enough if the connection from the IMAP/SASL services are -wrapped into SSH or SSL tunnels.) +wrapped into SSH or SSL/TLS tunnels.) We can check the configuration with 
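Review bot: the `ldapi:///...ldapi/????x-mod=0777` URL makes the unix socket connectable by every local account, and the text should say so alongside the tunnelling remark: it is no wider than the `ldap:///127.0.0.1:389` listener enabled on the same line, but the reader needs to know that only the root identity (the `-Y EXTERNAL` bind used by the `ldapadd`/`ldapmodify` commands later in this file) gets administrative rights over ldapi, while every other local user is an ordinary client subject to the ACLs. A second documentation gap in the answers block: `Database backend to use: HDB` is what makes the `olcDatabase={1}hdb,cn=config` DN used by the ACL section valid; one sentence noting that a different backend changes that DN would save a reader a confusing `No such object` later. Minor wording: "We do not want to listen all the Internet" reads better as "We do not want to listen on the whole Internet".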
@@ -651,17 +661,132 @@ and modify a .ldif file with ldapmodify -Y EXTERNAL -H ldapi:/// -f "<file.ldif>" -**** Our schema +**** Fripost's schema + +We base our schema on qmail's: http://dhits.nl/download/qmail.new.schema . +Note: our schema is not standalone, see the section below. + +Put the code below into `/tmp/fripost.ldif', and run + ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/fripost.ldif + +dn: cn=mailAccount,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: mailAccount +olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.1 NAME 'mailbox' + DESC 'The path to the mailbox.' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.2 NAME 'domain' + DESC 'The path to the mailbox.' + EQUALITY caseIgnoreIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.3 NAME 'quota' + DESC 'The quota on a mailbox e.g., "50MB".' + EQUALITY caseExactIA5Match + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) + + +# Note: For the meaning of the sequences of digits above, grep the output of +# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" +# (For instance, 1.3.6.1.4.1.1466.115.121.1.26 is a IA5String, meaning the spaces +# doesn't matter) + + +# We will also use other attributes, coming from imported schemas: +# * uid, userid: RFC4519: user identifier. +# Usernames. Note that the case is ignored. +# * cn, commonName: RFC4519: common name(s) for which the entity is known by +# First name of the user. +# * sn, surName: RFC2256: last (family) name(s) for which the entity is known by +# +# Also, some attributes will be set automatically, see below. + + +[TODO: This is only an attempt to subsume the MySQL table `mailbox'. Do the same +for the 3 others.] + +**** Add a custom ACL + +The ACL is already properly defined (check it with `ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"'). 
+ +olcAccess: {0}to attrs=userPassword,shadowLastChange + by self write + by anonymous auth + by dn="cn=admin,dc=fripost,dc=org" write + by * none +olcAccess: {1}to dn.base="" + by * read +olcAccess: {2}to * + by self write + by dn="cn=admin,dc=fripost,dc=org" write + by * read + +But we may want to hide the users' name to anyone but the admin. To this end, create a file +`/tmp/bigbrother.ldif' with the following content: + +dn: olcDatabase={1}hdb,cn=config +changetype: modify +add: olcAccess +olcAccess: {1}to dn.base="o=mailAccount,dc=fripost,dc=org" attrs=cn,sn by dn="cn=admin,dc=fripost,dc=org" write by * none + +and run `ldapmodify -QY EXTERNAL -H ldapi:/// -f /tmp/bigbrother.ldif'. We can +now check `ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"' +the difference: + +olcAccess: {0}to attrs=userPassword,shadowLastChange + by self write + by anonymous auth + by dn="cn=admin,dc=fripost,dc=org" write + by * none +olcAccess: {1}to dn.base="o=mailAccount,dc=fripost,dc=org" attrs=cn,sn + by dn="cn=admin,dc=fripost,dc=org" write + by * none +olcAccess: {2}to dn.base="" + by * read +olcAccess: {3}to * + by self write + by dn="cn=admin,dc=fripost,dc=org" write + by * read + +[TODO: The proper way to define admin rights would be to make a group "Admin".] + +**** Add a user + +We start by creating our base tree, in `/tmp/base.ldif': + +dn: o=mailAccount,dc=fripost,dc=org +o: Mail Users +objectClass: organization + +(Run `ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /tmp/base.ldif' to attach the tree'.) + + +We are now ready to create a user. Open a file `/tmp/user.ldif', with the following content: + +dn: uid=user,o=mailAccount,dc=fripost,dc=org +objectClass: top +objectClass: mailAccount +uid: user +cn: secret +userPassword: {SSHA}ByzkkO0jNcDwx3+1wZi6FVm0WoEI5Ivo +domain: fripost.org +mailbox: /hop/ +accountActive: TRUE + +And add it with `ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /tmp/user.ldif'. 
(Note: this should +obviously be wrapped in a script; `ldapadd' reads the standard input, so there's no need to write +on disk.) Where the password is a the S-SHA1 hash of "hackme". + -[TODO: find something suitable to subsume the MySQL databases; we could find some -inspiration here: http://dhits.nl/download/qmail.new.schema] +To delete a user, you can run + ldapdelete -D cn=admin,dc=fripost,dc=org 'uid=user,o=mailAccount,dc=fripost,dc=org' -W -If the task is only to provide a secure way to authenticate, the "basic tree" of -http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree is good enough. +`slapcat', run as root, dums everything in the tree, including the (hashed) passwords. However, run as a +non-authenticated user, the target's name remains hidden. -After adding an user, we can check that the authentication works properly: +We can check that the SASL binds work as excected: -ldapwhoami -xD uid=myuserid,ou=account,dc=fripost,dc=org -W + ldapwhoami -xD uid=user,ou=mailAccount,dc=fripost,dc=org -W *** Configuring the main IMAP server **** Install packages |
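Review bot: the added ACL `{1}to dn.base="o=mailAccount,dc=fripost,dc=org" attrs=cn,sn ... by * none` does not hide users' names: `dn.base` matches only that single entry, not the `uid=...,o=mailAccount,dc=fripost,dc=org` children created in the "Add a user" section, so their cn/sn stay readable through rule `{3}to * ... by * read`. Use `dn.subtree="o=mailAccount,dc=fripost,dc=org"` (or `dn.children=`) instead, and since the rule has no `by self` clause a user cannot read their own cn/sn either; add `by self read` unless that is intended. Other points in the same hunk: the final `ldapwhoami -xD uid=user,ou=mailAccount,dc=fripost,dc=org -W` uses `ou=mailAccount` while the base entry was created as `o=mailAccount`, so the bind fails as written, and `-x` is a simple bind, not the "SASL bind" the sentence claims; `ldapdelete -D cn=admin,... -W` lacks `-x`, so it attempts a SASL bind instead of the simple bind the surrounding `ldapadd -cxWD` commands use; the `domain` attribute type reuses the DESC of `mailbox` ('The path to the mailbox.'); `/tmp/fripost.ldif` defines three attribute types but no `mailAccount` object class and no `accountActive` attribute, so the user entry (`objectClass: mailAccount`, `accountActive: TRUE`) cannot be added until the qmail schema referenced above is loaded, which the "our schema is not standalone, see the section below" note should state explicitly; and `slapcat` reads the database files directly and never consults `olcAccess`, so as a non-root user it fails on file permissions rather than hiding names, which the sentence "run as a non-authenticated user, the target's name remains hidden" should be reworded to reflect. Typos: "dums", "excected", "a the S-SHA1 hash", "attach the tree'".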