authorGuilhem Moulin <guilhem.moulin@fripost.org>2012-05-02 16:02:59 +0200
committerGuilhem Moulin <guilhem.moulin@fripost.org>2012-05-02 16:02:59 +0200
commitd9d2d7c673163ebb4427e12b0390865874274c43 (patch)
tree98124415ac3dfdab44ac6f07bf462d45de4ec049
parentfc8b126d953a38a747a4c821d5fd3246066ec627 (diff)
ou=domains → ou=virtual
-rw-r--r--fripost-docs.org68
1 files changed, 34 insertions, 34 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index aa1abb3..ff5fe1b 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -683,7 +683,7 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
| `- cn=SMTP
| userPassword: xxxxxx
|
- `- ou=domains
+ `- ou=virtual
|- dc=fripost.org
| isActive: TRUE
| |- mailTarget=user1@fripost.org
@@ -696,7 +696,7 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
| `- uid=user2
|
`- dc=example.org
- owner: uid=user1,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ owner: uid=user1,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
isActive: TRUE
`- mailTarget=user1@fripost.org
| mailLocalAddress: user1
@@ -884,7 +884,7 @@ http://www.openldap.org/doc/admin24/access-control.html for details.
# Users are allowed to manage (create/delete/toggle activation) the
# the domains they own.
add: olcAccess
- olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=domains,o=mailHosting,dc=fripost,dc=org)$"
+ olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
by set.expand="[$2]/owner & user" write
by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
by * break
@@ -907,7 +907,7 @@ ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
olcAccess: {0}to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self read by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
olcAccess: {2}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=gn,sn by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
- olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=domains,o=mailHosting,dc=fripost,dc=org)$" by set.expand="[$2]/owner & user" write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by * break
+ olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$" by set.expand="[$2]/owner & user" write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by * break
olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read
olcAccess: {5}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
olcAccess: {6}to dn.base="" by * read
@@ -917,7 +917,7 @@ ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
Note: Users are allowed to manage their domain, but an admin is needed to add a domain to the
tree. A possibility to avoid that with a web-form is to send a mail to the postmaster@example.org
(or even to the mail that appears in the WHOIS) with a confirmation hash. That would simply require
-a new ACL with writable [ou=domains,...]/children, and [dc=...,ou=domains,...]/entry. (And probably a
+a new ACL with writable [ou=virtual,...]/children, and [dc=...,ou=virtual,...]/entry. (And probably a
"semi-admin" with only these rights.)
**** Create the base tree
@@ -928,7 +928,7 @@ a new ACL with writable [ou=domains,...]/children, and [dc=...,ou=domains,...]/e
objectClass: organization
description: Mail hosting
- dn: ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: organizationalUnit
description: Virtual Hosting
@@ -944,7 +944,7 @@ ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /etc/ldap/fripost/base.ldif
To delete a leaf (`-r' to delete the whole sub-tree):
- ldapdelete -r -D cn=admin,dc=fripost,dc=org 'dc=example.org,ou=domains,o=mailHosting,dc=fripost,dc=org' -W
+ ldapdelete -r -D cn=admin,dc=fripost,dc=org 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
**** Populate the tree
@@ -960,37 +960,37 @@ To delete a leaf (`-r' to delete the whole sub-tree):
objectClass: organizationalRole
userPassword: {SSHA}xxxxxx
- dn: dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualDomain
isActive: TRUE
- dn: uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualMailbox
gn: First Name
sn: Last Name
userPassword: {SSHA}xxxxxx
isActive: TRUE
- dn: dc=example.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualDomain
- owner: uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ owner: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
isActive: TRUE
- dn: mailTarget=user-alias@fripost.org,dc=example.org,ou=domains,o=mailHosting,dc=fripost, dc=org
+ dn: mailTarget=user-alias@fripost.org,dc=example.org,ou=virtual,o=mailHosting,dc=fripost, dc=org
objectClass: inetLocalMailRecipient
objectClass: virtualAliases
isActive: TRUE
mailLocalAddress: user
mailLocalAddress: user-alias
- dn: uid=user2,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: uid=user2,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: virtualMailbox
gn: First Name
sn: Last Name
userPassword: {SSHA}xxxxxx
isActive: FALSE
- dn: mailTarget=user@fripost.org,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: mailTarget=user@fripost.org,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
objectClass: inetLocalMailRecipient
objectClass: virtualAliases
mailLocalAddress: user-alias
@@ -1007,15 +1007,15 @@ e.g., `slappasswd -h "{SSHA}"'.
`slapacl' is an helpful tool to debugs the ACLS. For instance, to check what are
the rights of user@fripost.org on the domain example.org, we can run:
- slapacl -b 'dc=example.org,ou=domains,o=mailHosting,dc=fripost,dc=org' -D 'uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org'
+ slapacl -b 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org' -D 'uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org'
We can also check ACLs with concrete examples:
-ldapwhoami -xD "uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org" -W
+ldapwhoami -xD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -W
should return the whole dn:
-"uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org"
+"uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
**** Check the ACL
@@ -1024,26 +1024,26 @@ should return the whole dn:
`slpacat' (run as root) dumps everything in the tree, including the (hashed)
passwords. So should
- ldapsearch -xLLL -D "cn=admin,dc=fripost,dc=org" -b 'ou=domains,o=mailHosting,dc=fripost,dc=org' -W
+ ldapsearch -xLLL -D "cn=admin,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
and
- ldapsearch -xLLL -D "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=domains,o=mailHosting,dc=fripost,dc=org' -W
+ ldapsearch -xLLL -D "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
***** Anonymous user
-`ldapsearch -xLLL -b "ou=domains,o=mailHosting,dc=fripost,dc=org"' should exit
+`ldapsearch -xLLL -b "ou=virtual,o=mailHosting,dc=fripost,dc=org"' should exit
with return status 0, but shouldn't print anything.
***** Services
-ldapsearch -xLLL -D "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=domains,o=mailHosting,dc=fripost,dc=org' -W
+ldapsearch -xLLL -D "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
should not disclose the passwords.
***** Self
-ldapsearch -xLLL -D "uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org" -b 'ou=domains,o=mailHosting,dc=fripost,dc=org' -W
+ldapsearch -xLLL -D "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
should return all the information for this very user, but not e.g., the password of the other users.
@@ -1052,7 +1052,7 @@ The user should be able to change his/her password, and aliases in his/her own d
:: /tmp/usermod.ldif
- dn: uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
changetype: modify
replace: userPassword
userPassword: xxxxxx
@@ -1062,7 +1062,7 @@ The user should be able to change his/her password, and aliases in his/her own d
add: mailLocalAddress
mailLocalAddress: user-alias2@example.org
-ldapmodify -D "uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org" -W -f /tmp/usermod.ldif
+ldapmodify -D "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -W -f /tmp/usermod.ldif
[Note: Still that should be wrapped up in a script, and there is no need to write on
disk since the data is read from the standard input.]
@@ -1070,11 +1070,11 @@ disk since the data is read from the standard input.]
We now ensure that the leaf has been updated:
- :: slapcat -s "uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org"
+ :: slapcat -s "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
[...]
userPassword:: aG9w
entryCSN: 20120404215647.957317Z#000000#000#000000
- modifiersName: uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ modifiersName: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
modifyTimestamp: 20120404215647Z
On other modifications, for instance of `maildir', `ldapmodify'
@@ -1240,7 +1240,7 @@ http://www.tehinterweb.co.uk/roundcube/#pisieverules
server_host = ldapi://
version = 3
- search_base = dc=%s,ou=domains,o=mailHosting,dc=fripost,dc=org
+ search_base = dc=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = no
query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE))
@@ -1255,7 +1255,7 @@ Test it:
:: /etc/postfix/ldap_virtual_mailbox_maps.cf
server_host = ldapi://
version = 3
- search_base = uid=%u,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
+ search_base = uid=%u,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = no
query_filter = (&(ObjectClass=virtualMailbox)(uid=%u)(isActive=TRUE))
@@ -1270,7 +1270,7 @@ Test it:
server_host = ldapi://
version = 3
- search_base = dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
+ search_base = dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = one
bind = no
query_filter = (&(ObjectClass=virtualAliases)(mailLocalAddress=%u)(isActive=TRUE))
@@ -1382,8 +1382,8 @@ Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines:
hosts = localhost # Or wherever is our LDAP server
ldap_version = 3
auth_bind = yes
- auth_bind_userdn = uid=%n,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
- base = uid=%n,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
+ auth_bind_userdn = uid=%n,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+ base = uid=%n,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
deref = never
scope = base
pass_filter = (&(objectClass=virtualMailbox)(uid=%n)(isActive=TRUE))
@@ -1459,7 +1459,7 @@ speaks to the master).
ldap_bind_dn: cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org
ldap_bind_pw: d&KU0.n8Do225e(Tc[,3PF7|r+/hpQF6
ldap_auth_method: bind
- ldap_search_base: uid=%U,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
+ ldap_search_base: uid=%U,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
ldap_filter: (&(objectClass=virtualMailbox)(uid=%U)(isActive=TRUE))
ldap_scope: base
@@ -1738,11 +1738,11 @@ $rcmail_config['password_ldap_host'] = '127.0.0.1';
$rcmail_config['password_ldap_port'] = '389';
$rcmail_config['password_ldap_starttls'] = false;
$rcmail_config['password_ldap_version'] = '3';
-$rcmail_config['password_ldap_basedn'] = 'dc=domains,o=mailHosting,dc=fripost,dc=org'
+$rcmail_config['password_ldap_basedn'] = 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
$rcmail_config['password_ldap_method'] = 'user';
$rcmail_config['password_ldap_adminDN'] = null;
$rcmail_config['password_ldap_adminPW'] = null;
-$rcmail_config['password_ldap_userDN_mask'] = 'uid=%name,dc=%domain,ou=domains,o=mailHosting,dc=fripost,dc=org';
+$rcmail_config['password_ldap_userDN_mask'] = 'uid=%name,dc=%domain,ou=virtual,o=mailHosting,dc=fripost,dc=org';
$rcmail_config['password_ldap_searchDN'] = null
$rcmail_config['password_ldap_searchPW'] = null
$rcmail_config['password_ldap_search_base'] = null