author    Guilhem Moulin <guilhem.moulin@fripost.org>    2012-04-28 17:50:11 +0200
committer    Guilhem Moulin <guilhem.moulin@fripost.org>    2012-04-28 17:50:11 +0200
commit    ad0038bb1fdd526a1cb2ae837a1d14b514c91384 (patch)
tree    a60375c8d4e02973408ba012494481d8adace79c
parent    29c0d7c1c0f283c2c8caedef06be90cec3053c05 (diff)
Documenting LDAP replication; fixing SASLauth.
-rw-r--r--    fripost-docs.org    106
1 files changed, 81 insertions, 25 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index 30eaa39..240c891 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -311,8 +311,8 @@ ORIGIN_PORT="1917"
2b. Create a new user on the destination host:
- sudo adduser --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \
- --system $TUNNEL_USER
+ sudo adduser --system --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \
+ $TUNNEL_USER
echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile
# Note: We need bash, so we can not change the shell to something else.
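Review bot: the `--shell=\`type rbash|cut -d' ' -f3\`` expression on the adduser line depends on the exact wording of bash's `type` output ("rbash is /bin/rbash"), so it silently yields a wrong path if `type` reports an alias or function, or if the step is run from a shell other than bash; `--shell="$(command -v rbash)"` (or simply the literal path) is more robust and easier to read. Moving `--system` in front of the other options is harmless.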
@@ -878,12 +878,14 @@ http://www.openldap.org/doc/admin24/access-control.html for details.
by * break
-
# Admins have writing rights on the branch. Authenticated users can read
- # their entry. The SMTP server can read entries on the branch.
+ # their entry. The SMTP and SASLauthd servervices can read entries on the
+ # branch (but not the passwords). Other cannot access the branch.
add: olcAccess
olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org"
by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
by self read
by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read
+ by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read
ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
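Review bot: the new comment lines have two typos, "servervices" should be "services" and "Other cannot access" should be "Others cannot access". It is also worth stating in the comment why "(but not the passwords)" holds: rule {1} (`attrs=userPassword ... by anonymous auth`) matches first for that attribute and carries no `break`, so the `read` granted here to cn=SMTP and cn=SASLauth never applies to userPassword; if {1} is ever given a `break`, this rule would start exposing password hashes to both service accounts.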
@@ -894,7 +896,7 @@ ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
olcAccess: {2}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=gn,sn by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=domains,o=mailHosting,dc=fripost,dc=org)$" by set.expand="[$2]/owner & user" write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by * break
- olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read
+ olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read
olcAccess: {5}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
olcAccess: {6}to dn.base="" by * read
olcAccess: {7}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read
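Review bot: this listing repeats the {4} rule that was just edited in the previous hunk, so the two copies have to be kept in sync by hand and this one already differs in layout; consider replacing the hand-maintained listing with the output of `ldapsearch -QY EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess` (or a note telling the reader to regenerate it that way) so the documented ACL cannot drift from the live one.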
@@ -911,7 +913,7 @@ a new ACL with writable [ou=domains,...]/children, and [dc=...,ou=domains,...]/e
:: /etc/ldap/fripost/base.ldif
dn: o=mailHosting,dc=fripost,dc=org
- objectClass: organizational
+ objectClass: organization
description: Mail hosting
dn: ou=domains,o=mailHosting,dc=fripost,dc=org
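Review bot: the change from `organizational` to `organization` is correct, there is no `organizational` object class in core.schema, but `organization` requires the `o` attribute and the context shown does not include an `o: mailHosting` line; check that the entry carries it (the RDN alone is not enough), otherwise the ldapadd fails with a naming or object class violation.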
@@ -1018,8 +1020,8 @@ and
***** Anonymous user
-`ldapsearch -xLLL -b "ou=domains,o=mailHosting,dc=fripost,dc=org"' should exit with status 0, but not return
-anything.
+`ldapsearch -xLLL -b "ou=domains,o=mailHosting,dc=fripost,dc=org"' should exit
+with return status 0, but shouldn't print anything.
***** Services
@@ -1068,7 +1070,11 @@ should refuse with `Insufficient access (50)'.
**** Partial replication on the MXs
-In case the LDAP goes down, we partly replicate the LDAP tree on the MXs.
+In case the LDAP goes down, we partly (e.g., we omit the passwords) replicate the LDAP
+tree on the MXs.
+
+Documentation: http://www.openldap.org/doc/admin22/syncrepl.html
+ http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
***** Installation
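Review bot: "partly (e.g., we omit the passwords)" reads as though other attributes might be dropped as well; since the consumer configuration later in this commit requests `attrs="*,+"`, the only thing left out is what the master's ACL withholds from the replication bind DN, so "partly (i.e., without the passwords, which the master's ACL hides from the replication account)" states the actual guarantee. The first documentation link points at the 2.2 admin guide (admin22) while the rest of the document cites admin24; link the corresponding chapter of the 2.4 guide instead.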
@@ -1081,15 +1087,61 @@ The slave may only listen on the UNIX socket; To specify that, in
SLAPD_SERVICES="ldapi:///"
In the rest of this section, we assume there is a tunnel from the master
-LDAP server to the slave (i.e., ldap://localhost:389 on the slaves actually
+LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually
speaks to the master).
Following LDAP's terminology, the master server is also called "production",
and the slave is known as "consumer".
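Review bot: the unchanged sentence below the edited line says the master is "also called 'production'", but the new section headings use OpenLDAP's actual terms, "provider" (syncprov on the master) and "consumer" (syncrepl on the slave); change "production" to "provider" so the terminology matches the headings and the overlay names.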
-***** Using syncrepl
+***** Using syncprov (on the master)
+
+We first need to load the module `syncprov.la'.
+
+ :: /etc/ldap/fripost/modules.ldif
+
+ dn: cn=module{0}, cn=config
+ changetype: modify
+ add: olcModuleLoad
+ olcModuleLoad: syncprov.la
+
+ldapmodify -QY EXTERNAL -H ldapi:/// -f modules.ldif
+
+The master can now define itself as the provider.
+
+ :: /etc/ldap/fripost/syncprov.ldif
+
+ dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
+ objectClass: olcOverlayConfig
+ objectClass: olcSyncProvConfig
+ olcOverlay: syncprov
+ # contextCSN saved to database every 50 updates or 5 minutes
+ olcSpCheckpoint: 50 5
+
+ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
-TODO
+***** Using syncrepl (on the slave)
+
+ :: /etc/ldap/fripost/syncrepl.ldif
+
+ dn: olcDatabase={1}hdb,cn=config
+ changetype: modify
+ replace: olcSyncRepl
+ olcSyncRepl: rid=000
+ provider=ldap://127.0.0.1:3890
+ type=refreshAndPersist
+ retry="5 5 300 +"
+ searchbase="o=mailHosting,dc=fripost,dc=org"
+ attrs="*,+"
+ scope=sub
+ schemachecking=off
+ bindmethod=simple
+ binddn="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org"
+ credentials="xxxxxx"
+
+ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/syncrepl.ldif
+
+(Since we in our case we have several slaves, we may want to increment the
+rid.)
*** Configuring the main IMAP server
**** Install packages
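Review bot: the text should say that the consumer replicates as `cn=SMTP` and that it is the master's ACL (rule {1} on userPassword), not the `attrs="*,+"` setting, that keeps passwords off the slave, since that is the property the section's introduction promises and a later ACL change would silently break it. Two smaller points: `ldapmodify ... -f modules.ldif` and `ldapadd ... -f syncprov.ldif` use relative paths while every other command in the document uses the full /etc/ldap/fripost/ path, and the closing remark about incrementing `rid` per slave is unnecessary, because `rid` only has to be unique among the syncrepl directives of a single consumer, not across consumers; its wording ("Since we in our case we") also has a duplicated "we".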
@@ -1173,13 +1225,11 @@ http://www.tehinterweb.co.uk/roundcube/#pisieverules
:: /etc/postfix/ldap_virtual_mailbox_domains.cf
- server_host = ldap://localhost/
+ server_host = ldapi://
version = 3
- search_base = ou=domains,o=mailHosting,dc=fripost,dc=org
- scope = one
- bind = yes
- bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
- bind_pw = xxxxxx
+ search_base = dc=%s,ou=domains,o=mailHosting,dc=fripost,dc=org
+ scope = base
+ bind = no
query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE))
result_attribute = dc
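Review bot: with `bind = no` over `ldapi://`, Postfix now queries the local consumer anonymously, and the master's rules give anonymous nothing on this subtree (rule {3} ends in `by * break` and {4} has no `by *` clause), so the consumer needs its own ACL granting anonymous read on `ou=domains,o=mailHosting,dc=fripost,dc=org` (or `bind = yes` with a local account); that ACL is not shown anywhere in the document and should be documented next to the syncrepl setup. With `scope = base` on `dc=%s,ou=domains,...` the `(dc=%s)` term in `query_filter` is now redundant, though harmless.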
@@ -1191,13 +1241,11 @@ Test it:
:: /etc/postfix/ldap_virtual_alias_maps.cf
- server_host = ldap://localhost/
+ server_host = ldapi://
version = 3
search_base = dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
scope = one
- bind = yes
- bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org
- bind_pw = smtp
+ bind = no
query_filter = (&(ObjectClass=virtualAliases)(mailLocalAddress=%u)(isActive=TRUE))
result_attribute = mailTarget
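Review bot: the removed `bind_pw = smtp` line shows that the cn=SMTP service account's password was committed to the documentation in clear; removing the line does not remove it from the repository history, so that password should be rotated. The same consumer-side anonymous-read ACL requirement as for ldap_virtual_mailbox_domains.cf applies here, since the `scope = one` search under `dc=%d,ou=domains,...` now runs unauthenticated.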
@@ -1205,6 +1253,8 @@ Test it:
postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
postmap -q user@example.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf
+(The main LDAP server is partly replicated on a UNIX socket on the MX's.)
+
**** Test delivery
sudo mkdir -p /home/mail/virtual/fripost.org/
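Review bot: the added parenthetical is what explains why `server_host = ldapi://` with `bind = no` works in the two map files, so it belongs at the top of the Postfix LDAP section before those files rather than after the postmap test commands; also "MX's" should be "MXs".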
@@ -1367,6 +1417,10 @@ sudo apt-get install sasl2-bin libsasl2-modules-ldap
(Scrictly speaking sasl2-bin is not necessary, but it offers some programs to
test our installation.)
+In the rest of this section, we assume there is a tunnel from the master
+LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually
+speaks to the master).
+
**** Configure saslauthd
:: /etc/default/saslauthd
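Review bot: this paragraph is copied verbatim from the replication section; a one-line cross-reference ("the tunnel is set up as described under Partial replication on the MXs") avoids having two copies to update when the address or port changes. In the unchanged context above, "Scrictly" should be "Strictly".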
@@ -1380,12 +1434,14 @@ test our installation.)
:: /etc/saslauthd.conf
- ldap_servers: ldap://localhost
+ ldap_servers: ldap://127.0.0.1:3890/
ldap_version: 3
+ ldap_bind_dn: cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org
+ ldap_bind_pw: d&KU0.n8Do225e(Tc[,3PF7|r+/hpQF6
ldap_auth_method: bind
- ldap_search_base: dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
- ldap_scope: one
- ldap_filter: (&(objectClass=virtualMailbox)(uid=%u)(isActive=TRUE))
+ ldap_search_base: uid=%U,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
+ ldap_filter: (&(objectClass=virtualMailbox)(uid=%U)(isActive=TRUE))
+ ldap_scope: base
After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
authentication: `testsaslauthd -u user@fripost.org -p password'. (The password
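Review bot: `ldap_bind_pw: d&KU0.n8Do225e(Tc[,3PF7|r+/hpQF6` looks like a real credential for cn=SASLauth rather than a placeholder, while the syncrepl change in the same commit uses `credentials="xxxxxx"`; replace it with a placeholder and rotate the password, since the value is now in the repository history. The `%U`/`%d` split and `ldap_scope: base` are consistent with the new search base, which makes the `(uid=%U)` term in `ldap_filter` redundant but harmless. Because `ldap_auth_method: bind` verifies the password by binding as the user, the SASLauth account only needs to resolve the entry's DN, which matches the read-only, no-password access granted to it in the ACL hunk above; that dependency is worth a sentence here.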