Documenting LDAP replication; fixing SASLauth.

author: Guilhem Moulin <guilhem.moulin@fripost.org> 2012-04-28 17:50:11 +0200
committer: Guilhem Moulin <guilhem.moulin@fripost.org> 2012-04-28 17:50:11 +0200
commit: ad0038bb1fdd526a1cb2ae837a1d14b514c91384 (patch)
tree: a60375c8d4e02973408ba012494481d8adace79c
parent: 29c0d7c1c0f283c2c8caedef06be90cec3053c05 (diff)
1 files changed, 81 insertions, 25 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 30eaa39..240c891 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -311,8 +311,8 @@ ORIGIN_PORT="1917"
 
 2b. Create a new user on the destination host:
 
-   sudo adduser --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \
-                --system $TUNNEL_USER
+   sudo adduser --system --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \
+                $TUNNEL_USER
    echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile
 
    # Note: We need bash, so we can not change the shell to something else.
@@ -878,12 +878,14 @@ http://www.openldap.org/doc/admin24/access-control.html for details.
         by * break
     -
     # Admins have writing rights on the branch. Authenticated users can read
-    # their entry. The SMTP server can read entries on the branch.
+    # their entry. The SMTP and SASLauthd servervices can read entries on the
+    # branch (but not the passwords). Other cannot access the branch.
     add: olcAccess
     olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org"
         by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
         by self read
         by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read
+        by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read
 
 ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
 
@@ -894,7 +896,7 @@ ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
     olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
     olcAccess: {2}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=gn,sn by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
     olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=domains,o=mailHosting,dc=fripost,dc=org)$" by set.expand="[$2]/owner & user" write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by * break
-    olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read
+    olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read
     olcAccess: {5}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
     olcAccess: {6}to dn.base="" by * read
     olcAccess: {7}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read
@@ -911,7 +913,7 @@ a new ACL with writable [ou=domains,...]/children, and [dc=...,ou=domains,...]/e
  :: /etc/ldap/fripost/base.ldif
 
     dn: o=mailHosting,dc=fripost,dc=org
-    objectClass: organizational
+    objectClass: organization
     description: Mail hosting
     
     dn: ou=domains,o=mailHosting,dc=fripost,dc=org
@@ -1018,8 +1020,8 @@ and
 
 ***** Anonymous user
 
-`ldapsearch -xLLL -b "ou=domains,o=mailHosting,dc=fripost,dc=org"' should exit with status 0, but not return
-anything.
+`ldapsearch -xLLL -b "ou=domains,o=mailHosting,dc=fripost,dc=org"' should exit
+with return status 0, but shouldn't print anything.
 
 ***** Services
 
@@ -1068,7 +1070,11 @@ should refuse with `Insufficient access (50)'.
 
 **** Partial replication on the MXs
 
-In case the LDAP goes down, we partly replicate the LDAP tree on the MXs.
+In case the LDAP goes down, we partly (e.g., we omit the passwords) replicate the LDAP
+tree on the MXs.
+
+Documentation: http://www.openldap.org/doc/admin22/syncrepl.html
+               http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
 
 ***** Installation
 
@@ -1081,15 +1087,61 @@ The slave may only listen on the UNIX socket; To specify that, in
 SLAPD_SERVICES="ldapi:///"
 
 In the rest of this section, we assume there is a tunnel from the master
-LDAP server to the slave (i.e., ldap://localhost:389 on the slaves actually
+LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually
 speaks to the master).
 
 Following LDAP's terminology, the master server is also called "production",
 and the slave is known as "consumer".
 
-***** Using syncrepl
+***** Using syncprov (on the master)
+
+We first need to load the module `syncprov.la'.
+
+  :: /etc/ldap/fripost/modules.ldif
+  
+    dn: cn=module{0}, cn=config
+    changetype: modify
+    add: olcModuleLoad
+    olcModuleLoad: syncprov.la
+
+ldapmodify -QY EXTERNAL -H ldapi:/// -f modules.ldif
+
+The master can now define itself as the provider.
+
+  :: /etc/ldap/fripost/syncprov.ldif
+
+    dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
+    objectClass: olcOverlayConfig
+    objectClass: olcSyncProvConfig
+    olcOverlay: syncprov
+    # contextCSN saved to database every 50 updates or 5 minutes
+    olcSpCheckpoint: 50 5
+
+ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
 
-TODO
+***** Using syncrepl (on the slave)
+
+  :: /etc/ldap/fripost/syncrepl.ldif
+
+    dn: olcDatabase={1}hdb,cn=config
+    changetype: modify
+    replace: olcSyncRepl
+    olcSyncRepl: rid=000
+    provider=ldap://127.0.0.1:3890
+    type=refreshAndPersist
+    retry="5 5 300 +"
+    searchbase="o=mailHosting,dc=fripost,dc=org"
+    attrs="*,+"
+    scope=sub
+    schemachecking=off
+    bindmethod=simple
+    binddn="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org"
+    credentials="xxxxxx"
+
+ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/syncrepl.ldif
+
+(Since we in our case we have several slaves, we may want to increment the
+rid.)
 
 *** Configuring the main IMAP server
 **** Install packages
@@ -1173,13 +1225,11 @@ http://www.tehinterweb.co.uk/roundcube/#pisieverules
 
 :: /etc/postfix/ldap_virtual_mailbox_domains.cf
 
-    server_host = ldap://localhost/
+    server_host = ldapi://
     version = 3
-    search_base = ou=domains,o=mailHosting,dc=fripost,dc=org
-    scope = one
-    bind = yes
-    bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
-    bind_pw = xxxxxx
+    search_base = dc=%s,ou=domains,o=mailHosting,dc=fripost,dc=org
+    scope = base
+    bind = no
     query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE))
     result_attribute = dc
 
@@ -1191,13 +1241,11 @@ Test it:
 
 :: /etc/postfix/ldap_virtual_alias_maps.cf
 
-    server_host = ldap://localhost/
+    server_host = ldapi://
     version = 3
     search_base = dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
     scope = one
-    bind = yes
-    bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
-    bind_pw = smtp
+    bind = no
     query_filter = (&(ObjectClass=virtualAliases)(mailLocalAddress=%u)(isActive=TRUE))
     result_attribute = mailTarget
 
@@ -1205,6 +1253,8 @@ Test it:
     postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
     postmap -q user@example.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
 
+(The main LDAP server is partly replicated on a UNIX socket on the MX's.)
+
 **** Test delivery
 
 sudo mkdir -p /home/mail/virtual/fripost.org/
@@ -1367,6 +1417,10 @@ sudo apt-get install sasl2-bin libsasl2-modules-ldap
 (Scrictly speaking sasl2-bin is not necessary, but it offers some programs to
 test our installation.)
 
+In the rest of this section, we assume there is a tunnel from the master
+LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually
+speaks to the master).
+
 **** Configure saslauthd
 
  :: /etc/default/saslauthd
@@ -1380,12 +1434,14 @@ test our installation.)
 
  :: /etc/saslauthd.conf
 
-    ldap_servers: ldap://localhost
+    ldap_servers: ldap://127.0.0.1:3890/
     ldap_version: 3
+    ldap_bind_dn: cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org
+    ldap_bind_pw: d&KU0.n8Do225e(Tc[,3PF7|r+/hpQF6
     ldap_auth_method: bind
-    ldap_search_base: dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
-    ldap_scope: one
-    ldap_filter: (&(objectClass=virtualMailbox)(uid=%u)(isActive=TRUE))
+    ldap_search_base: uid=%U,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
+    ldap_filter: (&(objectClass=virtualMailbox)(uid=%U)(isActive=TRUE))
+    ldap_scope: base
 
 After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
 authentication: `testsaslauthd -u user@fripost.org -p password'. (The password
author	Guilhem Moulin <guilhem.moulin@fripost.org>	2012-04-28 17:50:11 +0200
committer	Guilhem Moulin <guilhem.moulin@fripost.org>	2012-04-28 17:50:11 +0200
commit	ad0038bb1fdd526a1cb2ae837a1d14b514c91384 (patch)
tree	a60375c8d4e02973408ba012494481d8adace79c
parent	29c0d7c1c0f283c2c8caedef06be90cec3053c05 (diff)