author: Guilhem Moulin <guilhem.moulin@fripost.org> 2012-04-05 15:24:11 +0200
committer: Guilhem Moulin <guilhem.moulin@fripost.org> 2012-04-05 15:24:11 +0200
commit: 609d690fa33cd526c71f5e73939a2912939f73e2 (patch)
tree: 67db868322c31a8da3c1dcc07bd9d602fa00febd
parent: 7dbac18ed15f419790bc33dec6a3f5f7b4346c8e (diff)
LDAP: Fixing saslauthd; Adding more ACLs and discussion.
-rw-r--r-- fripost-docs.org 44
1 files changed, 34 insertions, 10 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 172c1fe..79c08a4 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -695,11 +695,10 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
MAY ( description ) )
olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.2 NAME 'virtualMailbox'
SUP top STRUCTURAL
- DESC 'Mail Account Object'
+ DESC 'Virtual Mailboxes'
MUST ( mail $ userPassword $ dc $ maildir $ isActive )
MAY ( mailLocalAddress $ gn $ sn $ quota ) )
-
Note: For the meaning of the sequences of digits above, grep the output of
`ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"'
(For instance, 1.3.6.1.4.1.1466.115.121.1.26 is a IA5String, meaning the spaces
@@ -712,6 +711,18 @@ We can now add it to the schema list:
(A [dirty] way to delete the schema is to remove the coresponding file in
`/etc/ldap/slapd.d/cn=config/cn=schema/' and to restart slapd.)
+
+Note: Aliases have been inlined in the `virtualMailbox', and the column `alias.domain'
+of the MySQL schema has been dropped. If we want to let users manage their aliases (for
+the domains they manage), a possible solution is to add these managed virtual domains as
+childrens of their owner. A suitable ACL would then define the rights properly:
+
+ olcAccess: to dn.regex="dc=[^,]+,mail=([^,]+),o=mailboxes,dc=mail,dc=fripost,dc=org" attrs=mailLocalAddress
+ by self write
+ by dn.expand="mail=$1,o=mailboxes,dc=mail,dc=fripost,dc=org" write
+ by dn="cn=admin,dc=fripost,dc=org" write
+ by * read
+
***** Add custom indexes
The default indexes below are not enough for our purpose, since we will heavily
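Review bot: the `dn.regex` in the new ACL is unanchored, so it also matches any DN that merely contains `dc=...,mail=...,o=mailboxes,dc=mail,dc=fripost,dc=org` as a substring; anchor it as `dn.regex="^dc=[^,]+,mail=([^,]+),o=mailboxes,dc=mail,dc=fripost,dc=org$"` so `$1` can only ever be the owner's mailbox. The text should also say where this rule goes in the `olcAccess` list: slapd uses the first `to` clause that matches the entry and attribute, and the existing `{2}to dn.children="dc=mail,dc=fripost,dc=org" ... by * read` covers all attributes of these entries, so the new rule is dead unless it is ordered before `{2}`. Note too that `by * read` here publishes `mailLocalAddress` anonymously, which is worth stating next to the "world-readable" discussion added later in this commit. Minor: "childrens" should be "children" and "coresponding" should be "corresponding".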
@@ -800,7 +811,7 @@ ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/local/mail.fripost.org-acl.ldi
[...]
olcAccess: {0}to dn.children="dc=mail,dc=fripost,dc=org" attrs=userPassword by self write by dn="cn=admin,dc=fripost,dc=org" write by anonymous auth by * none
olcAccess: {1}to dn.children="o=mailboxes,dc=mail,dc=fripost,dc=org" attrs=gn,sn by self write by dn="cn=admin,dc=fripost,dc=org" write by * none
- olcAccess: {2}to dn.children="dc=mail,dc=fripost,dc=org" by dn="cn=admin,dc=fripost,dc=org" write by * read
+ olcAccess: {2}to dn.children="dc=mail,dc=fripost,dc=org" by dn="cn=admin,dc=fripost,dc=org" write by * read
olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
olcAccess: {4}to dn.base="" by * read
olcAccess: {5}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read
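Review bot: the removed and added `{2}` lines are identical in the rendered diff, so this hunk changes only whitespace; either drop it or mention the trailing-whitespace cleanup in the commit message so the next reader does not hunt for a semantic change. While here, it would help to note that `{3}to attrs=userPassword,shadowLastChange` is never reached for entries under `dc=mail,dc=fripost,dc=org` because `{0}` already matches `userPassword` there (first matching clause wins), so `{3}` only governs entries outside the mail subtree.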
@@ -808,6 +819,16 @@ ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/local/mail.fripost.org-acl.ldi
[TODO: The proper way to define admin rights would be to make a group "Admin".]
+Note: Attributes and entries here are world-readable (beside `userPassword' and names).
+An other solution, more restrictive, would be to bind Postfix and Dovecots requests
+to either `self' or a new dn "cn=mta,dc=mail,dc=fripost,dc=org" with a new ACL e.g.,
+
+ olcAccess: to dn.children="dc=mail,dc=fripost,dc=org"
+ by dn="cn=admin,dc=fripost,dc=org" write
+ by dn="cn=mta,dc=mail,dc=fripost,dc=org" read
+ by self read
+ by * none
+
**** Create the base tree
:: /etc/ldap/local/mail.fripost.org-base.ldif
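Review bot: the proposed restrictive ACL has no `attrs=` restriction, so if it is placed before `{0}` it grants `cn=mta,dc=mail,dc=fripost,dc=org` read on `userPassword` and drops the `by anonymous auth` clause that bind-based authentication (Dovecot passdb and saslauthd with `ldap_auth_method: bind`) relies on; state explicitly that this rule must follow the `userPassword` rule, or add `attrs=!userPassword` to it. The note should also mention that `cn=mta` needs its own entry and credentials, which then have to live in the Postfix and Dovecot configuration files. Minor: "An other" should be "Another", "Dovecots" should be "Dovecot's", and "beside" should be "besides".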
@@ -1159,9 +1180,9 @@ Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines:
deref = never
scope = subtree
user_attrs = maildir=home=/home/mail/virtual/%$
- user_filter = (&(objectClass=virtualMailbox)(mail=%u)(domain=%d)(isActive=TRUE))
+ user_filter = (&(objectClass=virtualMailbox)(mail=%u)(dc=%d)(isActive=TRUE))
pass_attrs = mail=user
- pass_filter = (&(objectClass=virtualMailbox)(mail=%u)(domain=%d)(isActive=TRUE))
+ pass_filter = (&(objectClass=virtualMailbox)(mail=%u)(dc=%d)(isActive=TRUE))
(And the TLS-related lines in case we are not using a tunnel.) The "base" is the root
of our tree structure, in our case dn="o=mailboxes,dc=mail,dc=fripost,dc=org".
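Review bot: renaming `domain=%d` to `dc=%d` is consistent with the schema change in this commit (`dc` is in the `MUST` list of `virtualMailbox`, `domain` is not). Since Dovecot's `%u` is the full login name including the domain, `(dc=%d)` here is a consistency check rather than a selector; a one-line remark saying so would stop readers from "simplifying" the filter by dropping one or the other.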
@@ -1226,20 +1247,23 @@ test our installation.)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
[...]
-(The socket has to be readable by postfix.)
+(Note: The socket has to be readable by postfix.)
:: /etc/saslauthd.conf
ldap_servers: ldap://localhost
ldap_version: 3
+ ldap_auth_method: bind
ldap_search_base: o=mailboxes,dc=mail,dc=fripost,dc=org
ldap_scope: sub
- ldap_filter: mail=%u
- ldap_auth_method: bind
+ ldap_filter: (&(objectClass=virtualMailbox)(mail=%u)(dc=%d)(isActive=TRUE))
After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
-authentication: testsaslauthd -u userid -p password. (The password cannot be
-prompted, so you may want to create a dummy user.)
+authentication: `testsaslauthd -u user@fripost.org -p password'. (The password
+cannot be prompted, so you may want to create a dummy user.)
+
+[Note: for `testsaslauthd' to work, you have to set OPTIONS="-c -m /var/run/saslauthd"
+in `/etc/default/saslauthd'.]
**** Configure Postfix
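Review bot: with `ldap_auth_method: bind`, saslauthd first searches with `ldap_filter` and then binds as the DN it found, so the search itself needs read access to `objectClass`, `mail`, `dc` and `isActive`. That works with the current `by * read` rule, but if the restrictive `cn=mta` ACL proposed earlier in this commit is adopted, `/etc/saslauthd.conf` also needs `ldap_bind_dn` and `ldap_password` for that account; the text should say so. Also worth documenting what `%u` and `%d` expand to in saslauthd (the full login string and its domain part) since they do not carry the same meaning as Dovecot's variables. For the `testsaslauthd` note: rather than changing `OPTIONS` in `/etc/default/saslauthd` and thereby moving the socket away from the Postfix chroot, `testsaslauthd -f <socket path>` can be pointed at the mux socket under `/var/spool/postfix/var/run/saslauthd`, which tests the configuration Postfix will actually use.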