author | Guilhem Moulin <guilhem.moulin@fripost.org> | 2012-04-13 21:47:58 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem.moulin@fripost.org> | 2012-04-13 21:48:04 +0200 |
commit | f9127856478b1d5fd216bb4578a746258e9537cf (patch) | |
tree | 4a31d301c01789b728336cd6f9f82f6608791951 | |
parent | 96cdf431400f5d60646ba10df8751252e75fce73 (diff) |
LDAP: fine-tuning the schema
-rw-r--r-- | fripost-docs.org | 437 |
1 files changed, 259 insertions, 178 deletions
diff --git a/fripost-docs.org b/fripost-docs.org index 91c2122..f6198ee 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -2,16 +2,16 @@ #+TITLE: Systems documentation #+AUTHOR: Fripost -- the Free E-mail Association #+DESCRIPTION: Systems documentation for Fripost, the Free E-mail Association -#+KEYWORDS: +#+KEYWORDS: #+LANGUAGE: en #+OPTIONS: H:3 num:t toc:t \n:nil @:t ::t |:t ^:t -:t f:t *:t <:t #+OPTIONS: TeX:t LaTeX:nil skip:nil d:nil todo:t pri:nil tags:not-in-toc #+INFOJS_OPT: view:nil toc:nil ltoc:t mouse:underline buttons:0 path:http://orgmode.org/org-info.js #+EXPORT_SELECT_TAGS: export #+EXPORT_EXCLUDE_TAGS: noexport -#+LINK_UP: -#+LINK_HOME: -#+XSLT: +#+LINK_UP: +#+LINK_HOME: +#+XSLT: #+DRAWERS: HIDDEN STATE PROPERTIES CONTENT #+STARTUP: indent @@ -86,7 +86,7 @@ sudo aptitude install harden-clients # something else, use the EDITOR environment variable. sudo update-alternatives --config editor - + ** Configure sudo # If you disabled root account during installation, the default account is @@ -106,18 +106,18 @@ Make sure your private key is in ~/.ssh/authorized_keys2 # Add relevant users here AllowUsers xx yy zz - + # Change these settings PermitRootLogin no PasswordAuthentication no X11Forwarding no - + sudo /etc/init.d/ssh restart - + # Without closing the current connection, try to connect to the server, # verifying that you can still connect. -** Forward root email +** Forward root email :: /etc/aliases @@ -186,7 +186,7 @@ sudo aptitude install logcheck syslog-summary Unattended-Upgrade "1"; } }; - + Aptitude { UI @@ -347,7 +347,7 @@ ORIGIN_PORT="1917" sudo aptitude install openbsd-inetd :: /etc/inetd.conf - + 127.0.0.1:$ORIGIN_PORT stream tcp nowait root /usr/bin/ssh -q -T -i /root/.ssh/$TUNNEL_KEY_FILE $TUNNEL_USER@example.com sudo service openbsd-inetd restart 
@@ -365,15 +365,15 @@ telnet localhost $ORIGIN_PORT **** Overview We will use four tables `alias', `domain', `log' and `mailbox'. - + ***** mysql> show tables; +----------------+ | Tables_in_mail | +----------------+ -| alias | -| domain | -| log | -| mailbox | +| alias | +| domain | +| log | +| mailbox | +----------------+ 4 rows in set (0.00 sec) @@ -381,12 +381,12 @@ We will use four tables `alias', `domain', `log' and `mailbox'. +-------------+--------------+------+-----+---------------------+-------+ | Field | Type | Null | Key | Default | Extra | +-------------+--------------+------+-----+---------------------+-------+ -| address | varchar(255) | NO | PRI | | | -| goto | text | NO | | NULL | | -| domain | varchar(255) | NO | | | | -| create_date | datetime | NO | | 0000-00-00 00:00:00 | | -| change_date | timestamp | NO | | CURRENT_TIMESTAMP | | -| active | tinyint(4) | NO | | 1 | | +| address | varchar(255) | NO | PRI | | | +| goto | text | NO | | NULL | | +| domain | varchar(255) | NO | | | | +| create_date | datetime | NO | | 0000-00-00 00:00:00 | | +| change_date | timestamp | NO | | CURRENT_TIMESTAMP | | +| active | tinyint(4) | NO | | 1 | | +-------------+--------------+------+-----+---------------------+-------+ 6 rows in set (0.00 sec) 
@@ -394,11 +394,11 @@ We will use four tables `alias', `domain', `log' and `mailbox'. +-------------+--------------+------+-----+---------------------+-------+ | Field | Type | Null | Key | Default | Extra | +-------------+--------------+------+-----+---------------------+-------+ -| domain | varchar(255) | NO | PRI | | | -| description | varchar(255) | NO | | | | -| create_date | datetime | NO | | 0000-00-00 00:00:00 | | -| change_date | timestamp | NO | | CURRENT_TIMESTAMP | | -| active | tinyint(4) | NO | | 1 | | +| domain | varchar(255) | NO | PRI | | | +| description | varchar(255) | NO | | | | +| create_date | datetime | NO | | 0000-00-00 00:00:00 | | +| change_date | timestamp | NO | | CURRENT_TIMESTAMP | | +| active | tinyint(4) | NO | | 1 | | +-------------+--------------+------+-----+---------------------+-------+ 5 rows in set (0.00 sec) @@ -406,10 +406,10 @@ We will use four tables `alias', `domain', `log' and `mailbox'. +-------+-------------+------+-----+-------------------+----------------+ | Field | Type | Null | Key | Default | Extra | +-------+-------------+------+-----+-------------------+----------------+ -| id | int(11) | NO | PRI | NULL | auto_increment | -| user | varchar(20) | NO | | | | -| event | text | NO | | NULL | | -| date | timestamp | NO | | CURRENT_TIMESTAMP | | +| id | int(11) | NO | PRI | NULL | auto_increment | +| user | varchar(20) | NO | | | | +| event | text | NO | | NULL | | +| date | timestamp | NO | | CURRENT_TIMESTAMP | | +-------+-------------+------+-----+-------------------+----------------+ 4 rows in set (0.00 sec) 
@@ -417,14 +417,14 @@ We will use four tables `alias', `domain', `log' and `mailbox'. +-------------+--------------+------+-----+---------------------+-------+ | Field | Type | Null | Key | Default | Extra | +-------------+--------------+------+-----+---------------------+-------+ -| username | varchar(255) | NO | PRI | | | -| password | varchar(255) | NO | | | | -| name | varchar(255) | NO | | | | -| maildir | varchar(255) | NO | | | | -| domain | varchar(255) | NO | | | | -| create_date | datetime | NO | | 0000-00-00 00:00:00 | | -| change_date | timestamp | NO | | CURRENT_TIMESTAMP | | -| active | tinyint(4) | NO | | 1 | | +| username | varchar(255) | NO | PRI | | | +| password | varchar(255) | NO | | | | +| name | varchar(255) | NO | | | | +| maildir | varchar(255) | NO | | | | +| domain | varchar(255) | NO | | | | +| create_date | datetime | NO | | 0000-00-00 00:00:00 | | +| change_date | timestamp | NO | | CURRENT_TIMESTAMP | | +| active | tinyint(4) | NO | | 1 | | +-------------+--------------+------+-----+---------------------+-------+ 8 rows in set (0.00 sec) @@ -503,10 +503,10 @@ mysql -u root -p for each row begin set new.create_date = current_timestamp; end$$ CREATE TRIGGER domain_set_created_on_insert before insert on domain for each row begin set new.create_date = current_timestamp; end$$ - CREATE TRIGGER mailbox_set_created_on_insert before insert on mailbox + CREATE TRIGGER mailbox_set_created_on_insert before insert on mailbox for each row begin set new.create_date = current_timestamp; end$$ DELIMITER ; - + # Create mail user CREATE USER 'mail'@'localhost' IDENTIFIED BY '<password>'; @@ -541,9 +541,9 @@ mysql -u root -p GRANT REPLICATION SLAVE ON *.* TO 'slave_user'@'localhost' IDENTIFIED BY '<password>'; FLUSH PRIVILEGES; - + ***** Configure the slave -****** Set up an SSH tunnel +****** Set up an SSH tunnel We begin by setting up an SSH tunnel from the slave to the master, as described [[Configuring an SSH tunnel between two hosts][above]]. 
@@ -573,7 +573,7 @@ mysql -u root -p # Create a new temporary directory. # NOTE: It has to be outside of /tmp so the replication is not screwed up on e.g. power outage. - + TMP_DIR=/var/lib/mysql/tmp sudo mkdir $TMP_DIR sudo chown mysql:mysql $TMP_DIR @@ -594,9 +594,9 @@ mysql -u root -p CREATE DATABASE mail; quit; - + mysql -u root -p --database=mail < mydump.sql - + # [[http://dev.mysql.com/doc/refman/5.0/en/change-master-to.html][12.5.2.1. CHANGE MASTER TO Syntax]] # NOTE: fill in these values using output from SHOW MASTER STATUS; above # NOTE: filling this in my.cnf is deprecated @@ -633,7 +633,7 @@ rewritten/compressed in a couple of months. /Guilhem, 2012-04-03.] Here is a basic installation tutorial for Debian Squeeze: http://www.rjsystems.nl/en/2100-d6-openldap-provider.php -sudo apt-get install slapd ldap-utils +sudo apt-get install slapd ldap-utils If it does not prompt for your domain, admin password, etc., run `dpkg-reconfigure -plow slapd'. Here is how we answer the questions: @@ -650,16 +650,16 @@ Allow LDAPv2 protocol? No We do not want to listen all the Internet: in `/etc/default/slapd', change `SLAPD_SERVICES' accordingly. E.g., to only listen to (non SSL) localhost and -unix sockets, specify +UNIX sockets, specify SLAPD_SERVICES="ldap:///127.0.0.1:389 ldapi:///%2fvar%2frun%2fopenldap%2fldapi/????x-mod=0777" -(This should be enough if the connection from the IMAP/SASL services are +(This should be enough if the connection from the IMAP/SMTP services are wrapped into SSH or SSL/TLS tunnels.) We can check the configuration with - ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" + ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" and modify a .ldif file with 
@@ -670,6 +670,37 @@ and modify a .ldif file with We base our schema on qmail's (http://dhits.nl/download/qmail.new.schema) and Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html). + dc=mail, dc=fripost, dc=org + |- ou=mailboxes + | |- mail=user1@fripost.org + | | mail: user1@fripost.org + | | maildir: user1/ + | | mailLocalAddress: user1-alias@fripost.org + | | isActive: TRUE + | | + | `- mail=user2@fripost.org + | + |- ou=domains + | |- dc=fripost.org + | | dc: fripost.org + | | isActive: TRUE + | | + | `- dc=example.org + | dc: example.org + | owner: mail=user1@fripost.org, ou=mailboxes, dc=mail, dc=fripost, dc=org + | mailLocalAddress: user1@example.org + | isActive: TRUE + | + |- ou=managers + | |- cn=admin1 + | | cn: admin1 + | | userPassword: xxxxxx + | `- cn=admin2 + | + `- ou=services + `- cn=SMTP + cn: SMTP + userPassword: xxxxxx :: /etc/ldap/local/mail.fripost.org.ldif @@ -692,13 +723,13 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html). SUP top STRUCTURAL DESC 'Virtual Domains' MUST ( dc $ isActive ) - MAY ( description ) ) + MAY ( owner $ mailLocalAddress $ description ) ) olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.2 NAME 'virtualMailbox' SUP top STRUCTURAL DESC 'Virtual Mailboxes' - MUST ( mail $ userPassword $ dc $ maildir $ isActive ) + MUST ( mail $ userPassword $ maildir $ isActive ) MAY ( mailLocalAddress $ gn $ sn $ quota ) ) - + Note: For the meaning of the sequences of digits above, grep the output of `ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"' (For instance, 1.3.6.1.4.1.1466.115.121.1.26 is a IA5String, meaning the spaces 
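Review bot: `dc` is removed from virtualMailbox's MUST list and is not in its MAY list either, yet the Dovecot `pass_filter` and the saslauthd `ldap_filter` shown later in this file still contain `(dc=%d)` on virtualMailbox entries, and the populate example accordingly drops `dc: fripost.org` from the mailbox entry. With schema checking on, no mailbox entry can carry `dc` any more, so those two filters can never match and every IMAP and submission login would fail. Either keep it optional, `MAY ( mailLocalAddress $ gn $ sn $ quota $ dc )`, or, simpler, drop `(dc=%d)` from both filters, since `(mail=%u)` already matches the full address in Dovecot. Those filters sit in later hunks, outside this one.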
@@ -712,16 +743,20 @@ We can now add it to the schema list: `/etc/ldap/slapd.d/cn=config/cn=schema/' and to restart slapd.) -Note: Aliases have been inlined in the `virtualMailbox', and the column `alias.domain' -of the MySQL schema has been dropped. If we want to let users manage their aliases (for -the domains they manage), a possible solution is to add these managed virtual domains as -childrens of their owner. A suitable ACL would then define the rights properly: +Note: If the LDIF files our schema depends on are not in loaded (in `/etc/ldap/slapd.d/cn=config/cn=schema/'), +you may have to do it yourself. A dirty way is to create a file `/tmp/upgrade.conf' with the +following: + + include /etc/ldap/schema/core.schema + include /etc/ldap/schema/cosine.schema + include /etc/ldap/schema/nis.schema + include /etc/ldap/schema/misc.schema + +and a directory `/tmp/upgrade', then to run `slaptest -f /tmp/upgrade.conf -F /tmp/upgrade'. +It creates a bunch of LDIF files that you need to clean (cf. https://help.ubuntu.com/10.04/serverguide/C/samba-ldap.html) +and add with `ldapadd -Y EXTERNAL -H ldapi:/// -f <file.ldif>'. +[TODO: that's just ugly. Find a better way.] - olcAccess: to dn.regex="dc=[^,]+,mail=([^,]+),o=mailboxes,dc=mail,dc=fripost,dc=org" attrs=mailLocalAddress - by self write - by dn.expand="mail=$1,o=mailboxes,dc=mail,dc=fripost,dc=org" write - by dn="cn=admin,dc=fripost,dc=org" write - by * read ***** Add custom indexes @@ -731,7 +766,6 @@ be looking for e.g., the `mail' attribute. :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" [...] olcDbIndex: objectClass eq - olcDbIndex: uid eq olcDbIndex: cn eq olcDbIndex: ou eq olcDbIndex: dc eq 
@@ -742,31 +776,34 @@ be looking for e.g., the `mail' attribute. dn: olcDatabase={1}hdb,cn=config changetype: modify delete: olcDbIndex - olcDbIndex: objectClass eq + olcDbIndex: objectClass eq - add: olcDbIndex - olcDbIndex: objectClass pres,eq + olcDbIndex: objectClass pres,eq - delete: olcDbIndex - olcDbIndex: dc eq + olcDbIndex: dc eq - add: olcDbIndex - olcDbIndex: dc eq,sub + olcDbIndex: dc eq,sub + - + add: olcDbIndex + olcDbIndex: mail eq,sub - add: olcDbIndex - olcDbIndex: mail eq,sub + olcDbIndex: mailLocalAddress eq ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/local/mail.fripost.org-index.ldif :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" [...] - olcDbIndex: uid eq olcDbIndex: cn eq olcDbIndex: ou eq - olcDbIndex: objectClass pres,eq + olcDbIndex: objectClass pres,eq olcDbIndex: dc eq,sub - olcDbIndex: mail eq,sub + olcDbIndex: mail eq,sub + olcDbIndex: mailLocalAddress eq ***** Restrict the access 
@@ -789,45 +826,55 @@ first. add: olcAccess olcAccess: {0}to dn.children="dc=mail,dc=fripost,dc=org" attrs=userPassword by self write - by dn="cn=admin,dc=fripost,dc=org" write + by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write by anonymous auth - by * none - add: olcAccess - olcAccess: {1}to dn.children="o=mailboxes,dc=mail,dc=fripost,dc=org" attrs=gn,sn + olcAccess: {1}to dn.children="ou=mailboxes,dc=mail,dc=fripost,dc=org" attrs=gn,sn by self write - by dn="cn=admin,dc=fripost,dc=org" write - by * none + by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write + - + add: olcAccess + olcAccess: {2}to dn.children="ou=domains,dc=mail,dc=fripost,dc=org" attrs=mailLocalAddress + by dnattr=owner write + by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write + by * break + - + add: olcAccess + olcAccess: {3}to dn.children="ou=domains,dc=mail,dc=fripost,dc=org" + by dn="cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org" read + by * break + - + add: olcAccess + olcAccess: {4}to dn.children="ou=mailboxes,dc=mail,dc=fripost,dc=org" + by dn="cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org" read + by * break - add: olcAccess - olcAccess: {2}to dn.children="dc=mail,dc=fripost,dc=org" - by dn="cn=admin,dc=fripost,dc=org" write - by * read + olcAccess: {5}to dn.subtree="dc=mail,dc=fripost,dc=org" + by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write + by self read + by * search ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/local/mail.fripost.org-acl.ldif :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)" [...] 
- olcAccess: {0}to dn.children="dc=mail,dc=fripost,dc=org" attrs=userPassword by self write by dn="cn=admin,dc=fripost,dc=org" write by anonymous auth by * none - olcAccess: {1}to dn.children="o=mailboxes,dc=mail,dc=fripost,dc=org" attrs=gn,sn by self write by dn="cn=admin,dc=fripost,dc=org" write by * none - olcAccess: {2}to dn.children="dc=mail,dc=fripost,dc=org" by dn="cn=admin,dc=fripost,dc=org" write by * read - olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none - olcAccess: {4}to dn.base="" by * read - olcAccess: {5}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read + olcAccess: {0}to dn.children="dc=mail,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write by anonymous auth + olcAccess: {1}to dn.children="ou=mailboxes,dc=mail,dc=fripost,dc=org" attrs=gn,sn by self write by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write + olcAccess: {2}to dn.children="ou=domains,dc=mail,dc=fripost,dc=org" attrs=mailLocalAddress by dnattr=owner write by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write + olcAccess: {3}to dn.children="ou=domains,dc=mail,dc=fripost,dc=org" by dn="cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org" read by * break + olcAccess: {4}to dn.children="ou=mailboxes,dc=mail,dc=fripost,dc=org" by dn="cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org" read by * break + olcAccess: {5}to dn.subtree="dc=mail,dc=fripost,dc=org" by dn.one="ou=managers,dc=mail,dc=fripost,dc=org" write by * search + olcAccess: {6}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none + olcAccess: {7}to dn.base="" by * read + olcAccess: {8}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read [...] -[TODO: The proper way to define admin rights would be to make a group "Admin".] 
- -Note: Attributes and entries here are world-readable (beside `userPassword' and names). -An other solution, more restrictive, would be to bind Postfix and Dovecots requests -to either `self' or a new dn "cn=mta,dc=mail,dc=fripost,dc=org" with a new ACL e.g., - - olcAccess: to dn.children="dc=mail,dc=fripost,dc=org" - by dn="cn=admin,dc=fripost,dc=org" write - by dn="cn=mta,dc=mail,dc=fripost,dc=org" read - by self read - by * none +Note: Users are here able to manage their aliases themselves. Before inserting, we should +ensure that aliases are fully qualified with the domain they own! Otherwise it'd be easy +to steal aliases and probably even spy on other users... **** Create the base tree 
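Review bot: ACL {5} ends with `by * search`, which grants anonymous clients search on every entry and attribute under dc=mail not claimed by an earlier clause (mail, maildir, isActive, owner, and so on). Search implies compare and disclose, so as far as I can tell an unauthenticated `ldapcompare -x 'mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org' 'mail:user@fripost.org'` confirms which addresses exist even though `ldapsearch` returns no entries, and the later "should not return anything" check would not notice. Unless an anonymous filter lookup is really required (the saslauthd `ldap_filter` with no `ldap_bind_dn` looks like the only consumer), prefer `by users search` or a dedicated service DN there, leaving anonymous with just the `auth` right from {0}. Also, the pasted ldapsearch output for {5} lacks the `by self read` that the LDIF above adds, so one of the two is stale.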
@@ -836,75 +883,90 @@ to either `self' or a new dn "cn=mta,dc=mail,dc=fripost,dc=org" with a new ACL e dn: dc=mail,dc=fripost,dc=org objectClass: domain dc: mail - - dn: o=mailboxes,dc=mail,dc=fripost,dc=org - objectClass: organization - o: mailboxes + + dn: ou=mailboxes,dc=mail,dc=fripost,dc=org + objectClass: organizationalUnit + ou: mailboxes description: Virtual mailboxes - - dn: o=domains,dc=mail,dc=fripost,dc=org - objectClass: organization - o: domains + + dn: ou=domains,dc=mail,dc=fripost,dc=org + objectClass: organizationalUnit + ou: domains description: Virtual domains + dn: ou=managers,dc=mail,dc=fripost,dc=org + objectClass: organizationalUnit + ou: managers + description: Postmasters + + dn: ou=services,dc=mail,dc=fripost,dc=org + objectClass: organizationalUnit + ou: services + description: E-mail services + ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /etc/ldap/local/mail.fripost.org-base.ldif To delete a leaf or a sub-tree: - ldapdelete -D cn=admin,dc=fripost,dc=org 'o=mailboxes,dc=mail,dc=fripost,dc=org' -W + ldapdelete -D cn=admin,dc=fripost,dc=org 'ou=mailboxes,dc=mail,dc=fripost,dc=org' -W **** Populate the tree :: /tmp/populate.ldif - - dn: dc=fripost.org,o=domains,dc=mail,dc=fripost,dc=org - objectClass: top - objectClass: virtualDomain - dc: fripost.org - isActive: TRUE - - dn: mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org + dn: cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org + cn: SMTP + objectClass: simpleSecurityObject + objectClass: organizationalRole + userPassword: {SSHA}xxxxxxx + + dn: cn=admin1,ou=managers,dc=mail,dc=fripost,dc=org + cn: admin1 + objectClass: simpleSecurityObject + objectClass: organizationalRole + userPassword: {SSHA}xxxxxxx + + dn: mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org + mail: user@fripost.org objectClass: top objectClass: inetLocalMailRecipient objectClass: virtualMailbox - mail: user@fripost.org gn: First Name sn: Last Name - userPassword: {SSHA}epZKWD1SiSe/dwL0to+jjnwFzxVUbFvg - 
dc: fripost.org + userPassword: {SSHA}xxxxxxx maildir: fripost.org/user/ isActive: TRUE mailLocalAddress: user-alias@fripost.org + + dn: dc=fripost.org,ou=domains,dc=mail,dc=fripost,dc=org + objectClass: top + objectClass: virtualDomain + dc: fripost.org + isActive: TRUE + + dn: dc=example.org,ou=domains,dc=mail,dc=fripost,dc=org + objectClass: top + objectClass: inetLocalMailRecipient + objectClass: virtualDomain + dc: example.org + isActive: TRUE + owner: mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org mailLocalAddress: user@example.org + mailLocalAddress: user-alias@example.org ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /tmp/populate.ldif Note: This should obviously be wrapped in a script; `ldapadd' reads the standard -input, so there's no need to write on disk. The password here is a the S-SHA1 hash -of "hackme", created with `slappasswd -s "{SSHA}"'. - -Note: If the LDIF files our schema depends on are not in loaded (in `/etc/ldap/slapd.d/cn=config/cn=schema/'), -you may have to do it yourself. A dirty way is to create a file `/tmp/upgrade.conf' with the -following: - - include /etc/ldap/schema/core.schema - include /etc/ldap/schema/cosine.schema - include /etc/ldap/schema/nis.schema - include /etc/ldap/schema/misc.schema - -and a directory `/tmp/upgrade', then to run `slaptest -f /tmp/upgrade.conf -F /tmp/upgrade'. -It creates a bunch of LDIF files that you need to clean (cf. https://help.ubuntu.com/10.04/serverguide/C/samba-ldap.html) -and add with `ldapadd -Y EXTERNAL -H ldapi:/// -f <file.ldif>'. -[TODO: that's just ugly. Find a better way.] +input, so there's no need to write on disk. The salted SHA-1 can be created with +e.g., `slappasswd -h "{SSHA}"'. 
**** Check the SASL binds (authentication) -ldapwhoami -xD "mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org" -W +ldapwhoami -xD "mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org" -W should return the whole dn: -"mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org" +"mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org" **** Check the ACL 
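Review bot: The manager and service accounts are bootstrapped with `{SSHA}` hashes and the closing note recommends `slappasswd -h "{SSHA}"`; SSHA is a single-round salted SHA-1, so anyone holding a `slapcat` dump or a backup cracks these quickly, and `cn=admin1` can rewrite every userPassword under dc=mail. On glibc systems slapd can use the system crypt instead: set `olcPasswordHash: {CRYPT}` and `olcPasswordCryptSaltFormat: "$6$%.16s"` in cn=config and generate the bootstrap hashes with `slappasswd -h "{CRYPT}" -c '$6$%.16s'`. Worth a sentence next to the `{SSHA}` advice, at least for the ou=managers and ou=services entries.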
@@ -913,41 +975,53 @@ should return the whole dn: `slpacat' (run as root) dumps everything in the tree, including the (hashed) passwords. So should - ldapsearch -xLLL -D "cn=admin,dc=fripost,dc=org" -b 'o=mailboxes,dc=mail,dc=fripost,dc=org' -W + ldapsearch -xLLL -D "cn=admin,dc=fripost,dc=org" -b 'ou=mailboxes,dc=mail,dc=fripost,dc=org' -W + +and + + ldapsearch -xLLL -D "cn=admin1,ou=managers,dc=mail,dc=fripost,dc=org" -b 'ou=mailboxes,dc=mail,dc=fripost,dc=org' -W ***** Anonymous user -`ldapsearch -xLLL' should not return the user's name, or the (hashed) password. +`ldapsearch -xLLL -b "ou=mailboxes,dc=mail,dc=fripost,dc=org"' should not return anything. ***** Self -ldapsearch -xLLL -D "mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org" -b 'o=mailboxes,dc=mail,dc=fripost,dc=org' -W +ldapsearch -xLLL -D "mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org" -b 'ou=mailboxes,dc=mail,dc=fripost,dc=org' -W should return all the information for this very user, but not e.g., the password of the other users. -The user should be able to change his/her password: +The user should be able to change his/her password, and aliases in his/her own domain: :: /tmp/usermod.ldif - dn: mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org + dn: mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org changetype: modify replace: userPassword userPassword: hop -ldapmodify -D "mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org" -W -f /tmp/usermod.ldif + dn: dc=example.org,ou=domains,dc=mail,dc=fripost,dc=org + changetype: modify + add: mailLocalAddress + mailLocalAddress: user-alias2@example.org + +ldapmodify -D "mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org" -W -f /tmp/usermod.ldif [Note: Still that should be wrapped up in a script, and there is no need to write on disk since the data is read from the standard input.] [Note: If the task is merely to change the password, there is also `ldappasswd'.] 
+Note: This not a safe way to let the user choose his/her aliases! Nothing prevents +from having "mailLocalAddress: admin@fripost.org" for example! + We now ensure that the leaf has been updated: - :: slapcat -s "mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org" + :: slapcat -s "mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org" [...] userPassword:: aG9w entryCSN: 20120404215647.957317Z#000000#000#000000 - modifiersName: mail=user@fripost.org,o=mailboxes,dc=mail,dc=fripost,dc=org + modifiersName: mail=user@fripost.org,ou=mailboxes,dc=mail,dc=fripost,dc=org modifyTimestamp: 20120404215647Z @@ -981,22 +1055,22 @@ sudo aptitude install dovecot-imapd protocol lda { # Address to use when sending rejection mails. postmaster_address = postmaster@fripost.org - + # Hostname to use in various parts of sent mails, eg. in Message-Id. # Default is the system's real hostname. hostname = imap.fripost.org - + # Support for dynamically loadable plugins. mail_plugins is a space separated # list of plugins to load. #mail_plugins = #mail_plugin_dir = /usr/lib/dovecot/modules/lda - + # Binary to use for sending mails. sendmail_path = /usr/lib/sendmail - + # UNIX socket path to master authentication server to find users. auth_socket_path = /var/run/dovecot/auth-master - + # Enabling Sieve plugin for server-side mail filtering mail_plugins = cmusieve } @@ -1018,7 +1092,7 @@ sudo aptitude install dovecot-imapd dovecot unix - n n - - pipe flags=DRhu user=xxx:xxx argv=/usr/lib/dovecot/deliver -f ${sender} -d ${recipient} -n - + :: /etc/postfix/main.cf @@ -1039,8 +1113,10 @@ http://www.tehinterweb.co.uk/roundcube/#pisieverules server_host = ldap://localhost/ version = 3 - search_base = o=domains,dc=mail,dc=fripost,dc=org - bind = no + search_base = ou=domains,dc=mail,dc=fripost,dc=org + bind = yes + bind_dn = cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org + bind_pw = xxxxxx query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE)) result_attribute = dc 
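Review bot: The self-service example changes the password with `replace: userPassword` / `userPassword: hop`, and the slapcat check right after shows the stored value as `userPassword:: aG9w`, which is just base64 of the literal "hop": the password lands in the directory in cleartext, because slapd only hashes on the Password Modify extended operation (or with slapo-ppolicy's `olcPPolicyHashCleartext: TRUE`). Bind-based checks in Dovecot and saslauthd still succeed against a cleartext value, so nothing visibly breaks, but every reader of a dump or backup gets the password. I would make `ldappasswd -x -D "<dn>" -W -S` the documented path (or enable ppolicy with hash_cleartext) and turn the note that presents `ldappasswd` as a mere alternative into a warning against the plain `replace`.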
@@ -1053,25 +1129,30 @@ Test it: server_host = ldap://localhost/ version = 3 - search_base = o=mailboxes,dc=mail,dc=fripost,dc=org - bind = no + search_base = ou=mailboxes,dc=mail,dc=fripost,dc=org + bind = yes + bind_dn = cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org + bind_pw = xxxxxx query_filter = (&(ObjectClass=virtualMailbox)(mail=%s)(isActive=TRUE)) result_attribute = maildir -Test it: - postmap -q user@fripost.org ldap:/etc/ldap/local/ldap_virtual_mailbox_maps.cf +Test it: + postmap -q user@fripost.org ldap:/etc/postfix/ldap_virtual_mailbox_maps.cf :: /etc/postfix/ldap_virtual_alias_maps.cf server_host = ldap://localhost/ version = 3 - search_base = o=mailboxes,dc=mail,dc=fripost,dc=org - bind = no - query_filter = (&(ObjectClass=virtualMailbox)(mailLocalAddress=%s)(isActive=TRUE)) + search_base = dc=mail,dc=fripost,dc=org + bind = yes + bind_dn = cn=SMTP,ou=services,dc=mail,dc=fripost,dc=org + bind_pw = xxxxxx + query_filter = (&(|(ObjectClass=virtualMailbox)(ObjectClass=virtualDomain))(mailLocalAddress=%s)(isActive=TRUE)) result_attribute = mail + special_result_attribute = owner -Test it: +Test it: postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf postmap -q user@example.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf @@ -1175,8 +1256,8 @@ Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines: hosts = localhost # Or wherever is our LDAP server ldap_version = 3 auth_bind = yes - auth_bind_userdn = mail=%u,o=mailboxes,dc=mail,dc=fripost,dc=org - base = o=mailboxes,dc=mail,dc=fripost,dc=org + auth_bind_userdn = mail=%u,ou=mailboxes,dc=mail,dc=fripost,dc=org + base = ou=mailboxes,dc=mail,dc=fripost,dc=org deref = never scope = subtree user_attrs = maildir=home=/home/mail/virtual/%$ 
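Review bot: `ldap_virtual_alias_maps.cf` now searches from `dc=mail,dc=fripost,dc=org` with `(mailLocalAddress=%s)` on both virtualMailbox and virtualDomain, so a domain owner who can write `mailLocalAddress` on their domain entry (ACL {2}) can claim e.g. admin@fripost.org and have Postfix route it to them; this is the hijack the surrounding text calls "not a safe way". The map can close most of it on the MTA side, since Postfix substitutes `%d` with the domain part of the lookup key: `query_filter = (&(|(objectClass=virtualMailbox)(&(objectClass=virtualDomain)(dc=%d)))(mailLocalAddress=%s)(isActive=TRUE))` makes owner-written aliases effective only inside the domain they own. Separately, these `.cf` files now hold `bind_pw`; the text should say to keep them root:postfix mode 0640, as the Dovecot section already does with its chmod 600.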
@@ -1185,7 +1266,7 @@ Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines: pass_filter = (&(objectClass=virtualMailbox)(mail=%u)(dc=%d)(isActive=TRUE)) (And the TLS-related lines in case we are not using a tunnel.) The "base" is the root -of our tree structure, in our case dn="o=mailboxes,dc=mail,dc=fripost,dc=org". +of our tree structure, in our case dn="ou=mailboxes,dc=mail,dc=fripost,dc=org". [Note: the `user_attrs' and `user_filter' are only relevant if the result of the query is used in the `dovecot.conf', for instance with mail_location = maildir:~. Otherwise, the @@ -1215,7 +1296,7 @@ This is to avoid having a single poin of failure and to separate concerns. The IMAP server then only needs to deal with authenticated clients and the smarthosts. -**** Prerequisites +**** Prerequisites Before this can work we must make sure that: - the MySQL replication is working @@ -1254,7 +1335,7 @@ test our installation.) ldap_servers: ldap://localhost ldap_version: 3 ldap_auth_method: bind - ldap_search_base: o=mailboxes,dc=mail,dc=fripost,dc=org + ldap_search_base: ou=mailboxes,dc=mail,dc=fripost,dc=org ldap_scope: sub ldap_filter: (&(objectClass=virtualMailbox)(mail=%u)(dc=%d)(isActive=TRUE)) @@ -1300,7 +1381,7 @@ Finally, we can add the submission service to our master.cf, with customized pol submission inet n - - - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes - + -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING [...] @@ -1329,7 +1410,7 @@ to track the sender. (SquirrelMail authenticated user username) by webmail.fripost.org with HTTP; Thu, 22 Mar 2012 16:27:56 +0100 - + Received: from localhost (smtp.fripost.org [127.0.0.1]) by fripost.org (Postfix) with ESMTP id 2D1098243D for <recipient@example.org>; Thu, 22 Mar 2012 16:36:36 +0100 (CET) 
@@ -1344,7 +1425,7 @@ to track the sender. for <recipient@example.org>; Thu, 22 Mar 2012 16:36:35 +0100 (CET) Received: (nullmailer pid 5057 invoked by uid 0); Thu, 22 Mar 2012 15:36:34 -0000 - + Received: from localhost (smtp.fripost.org [127.0.0.1]) by fripost.org (Postfix) with ESMTP id DBAFE816BB for <recipient@example.org>; Thu, 22 Mar 2012 14:48:01 +0100 (CET) @@ -1477,7 +1558,7 @@ sudo apt-get install roundcube # timezone $rcmail_config['timezone'] = 'CET'; - + # compose html formatted messages by default $rcmail_config['htmleditor'] = TRUE; @@ -1494,26 +1575,26 @@ sudo chmod 0644 /var/lib/roundcube/skins/default/images/roundcube_logo.png Before this -: <roundcube:object name="preloader" images=" +: <roundcube:object name="preloader" images=" -in +in :: /usr/share/roundcube/skins/default/templates/login.html <div style="margin: 20px;"/> <div style="max-width: 45em; margin: 0px auto; border: dotted 3px red; padding:1em;"> - + <h3>Important message</h3> - + <p align="left"><strong>Mon Feb 13 12:55:30 CET 2012</strong> </p> <p> Lorem ipsum dolor sit amet, consectetur adipiscing elit. Pellentesque molestie, velit vel tristique iaculis, massa diam viverra arcu, sit amet pellentesque dui enim vitae ipsum.</p> - + <p>J. Random Hacker</p> - + </div> *** ikiwiki 
@@ -1583,17 +1664,17 @@ mv hooks/post-update.sample hooks/post-update :: /etc/apache2/sites-available/default - AliasMatch ^/pub(/.*\.git)(/.*)? /var/cache/git$1$2 + AliasMatch ^/pub(/.*\.git)(/.*)? /var/cache/git$1$2 :: /usr/share/gitweb/indextext.html För att klona ett av dessa träd, installera <a href="http:///">git</a> och kör: - + <blockquote><code>git clone http://git.fripost.org/pub/</code> + projektets sökväg</blockquote> - + <p> För mer information om <a href="http://www.kernel.org/pub/software/scm/git/">git</a>, se en - <a href="http://git.or.cz/">överblick</a>, en + <a href="http://git.or.cz/">överblick</a>, en <a href="http://www.kernel.org/pub/software/scm/git/docs/gittutorial.html">tutorial</a> eller <a href="http://www.kernel.org/pub/software/scm/git/docs">manualsidorna</a>. @@ -1684,7 +1765,7 @@ sudo rkhunter -c --nomow --rwo # something like: (adapt port as needed) INETD_ALLOWED_SVC=127.0.0.1:2000 - + # in case whitelisting is needed, use something like: # (whitespace important) APP_WHITELIST=" openssl:0.9.8g sshd:4.7p1 " |