aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--fripost-docs.org94
1 files changed, 59 insertions, 35 deletions
diff --git a/fripost-docs.org b/fripost-docs.org
index f3fecc3..7c58c19 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -773,7 +773,7 @@ and add with `ldapadd -Y EXTERNAL -H ldapi:/// -f <file.ldif>'.
The default indexes below are not enough for our purpose, since we will heavily
be looking for e.g., the `uid' attribute.
- :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
+ :: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcDbIndex: objectClass eq
@@ -813,10 +813,10 @@ be looking for e.g., the `uid' attribute.
add: olcDbIndex
olcDbIndex: owner eq
-ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/indexes.ldif
+ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/indexes.ldif
- :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
+ :: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcDbIndex: entryUUID eq
olcDbIndex: objectClass pres,eq
@@ -844,7 +844,7 @@ We are using the so-called "Sets" to let the users manage their domain themselve
See section 8.5 "Sets - Granting rights based on relationships" in LDAP's manual
http://www.openldap.org/doc/admin24/access-control.html for details.
- :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
+ :: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
olcAccess: {1}to dn.base="" by * read
@@ -900,10 +900,10 @@ http://www.openldap.org/doc/admin24/access-control.html for details.
by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read
by * search
-ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
+ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
- :: ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
+ :: ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase={1}hdb)"
[...]
olcAccess: {0}to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self read by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
@@ -941,11 +941,11 @@ a new ACL with writable [ou=virtual,...]/children, and [dc=...,ou=virtual,...]/e
objectClass: organizationalUnit
description: E-mail services
-ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /etc/ldap/fripost/base.ldif
+ldapadd -xWD cn=admin,dc=fripost,dc=org -f /etc/ldap/fripost/base.ldif
To delete a leaf (`-r' to delete the whole sub-tree):
- ldapdelete -r -D cn=admin,dc=fripost,dc=org 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
+ ldapdelete -r -xWD cn=admin,dc=fripost,dc=org 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org'
**** Populate the tree
@@ -997,7 +997,7 @@ To delete a leaf (`-r' to delete the whole sub-tree):
mailLocalAddress: user-alias
isActive: TRUE
-ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /tmp/populate.ldif
+ldapadd -xWD cn=admin,dc=fripost,dc=org -f /tmp/populate.ldif
Note: This should obviously be wrapped in a script; `ldapadd' reads the standard
@@ -1012,7 +1012,7 @@ the rights of user@fripost.org on the domain example.org, we can run:
We can also check ACLs with concrete examples:
-ldapwhoami -xD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -W
+ldapwhoami -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
should return the whole dn:
@@ -1025,26 +1025,26 @@ should return the whole dn:
`slpacat' (run as root) dumps everything in the tree, including the (hashed)
passwords. So should
- ldapsearch -xLLL -D "cn=admin,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
+ ldapsearch -xWD "cn=admin,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
and
- ldapsearch -xLLL -D "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
+ ldapsearch -xWD "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
***** Anonymous user
-`ldapsearch -xLLL -b "ou=virtual,o=mailHosting,dc=fripost,dc=org"' should exit
+`ldapsearch -x -b "ou=virtual,o=mailHosting,dc=fripost,dc=org"' should exit
with return status 0, but shouldn't print anything.
***** Services
-ldapsearch -xLLL -D "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
+ldapsearch -xWD "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
should not disclose the passwords.
***** Self
-ldapsearch -xLLL -D "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
+ldapsearch -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
should return all the information for this very user, but not e.g., the password of the other users.
@@ -1063,7 +1063,7 @@ The user should be able to change his/her password, and aliases in his/her own d
add: mailLocalAddress
mailLocalAddress: user-alias2@example.org
-ldapmodify -D "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -W -f /tmp/usermod.ldif
+ldapmodify -xWD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -f /tmp/usermod.ldif
[Note: Still that should be wrapped up in a script, and there is no need to write on
disk since the data is read from the standard input.]
@@ -1094,15 +1094,6 @@ Documentation: http://www.openldap.org/doc/admin22/syncrepl.html
Cf. installation of the master LDAP server.
(We also need to install fripost's schema and indexes.)
-The slave may only listen on the UNIX socket; To specify that, in
-`/etc/default/slapd', change `SLAPD_SERVICES' to
-
-SLAPD_SERVICES="ldapi:///"
-
-[TODO: *Ideally*, Postfix's should perform the LDAP lookups on a UNIX socket. However,
-while it `postmap -q' worked fine, Postfix itself couldn't query the LDAP server.
-A quick fix was to query the network instead: SLAPD_SERVICES="ldapi:///127.0.0.1:389/".]
-
In the rest of this section, we assume there is a tunnel from the master
LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually
speaks to the master).
@@ -1121,7 +1112,7 @@ We first need to load the module `syncprov.la'.
add: olcModuleLoad
olcModuleLoad: syncprov.la
-ldapmodify -QY EXTERNAL -H ldapi:/// -f modules.ldif
+ldapmodify -Y EXTERNAL -H ldapi:/// -f modules.ldif
The master can now define itself as the provider.
@@ -1155,7 +1146,7 @@ ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif
binddn="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org"
credentials="xxxxxx"
-ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/syncrepl.ldif
+ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/syncrepl.ldif
(Since we in our case we have several slaves, we may want to increment the
rid.)
@@ -1241,8 +1232,41 @@ http://wiki.dovecot.org/LDA/Postfix
http://www.tehinterweb.co.uk/roundcube/#pisieverules
+On the MX's, the slave (a partial replicate of the main LDAP server server)
+may only listen on a UNIX socket in Postfix's chroot jail; To specify that,
+in `/etc/default/slapd', change `SLAPD_SERVICES' to
+
+SLAPD_SERVICES="ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/????x-mod=0777"
+
+Note that in the configuration files below, the `server_host' is relative
+to Postfix's jail, hence one should drop the prefix "%2Fvar%2Fspool%2Fpostfix".
+On the other hand, to test the files with `postmap' one has to put back
+the prefix.
+
+
+TODO: Postfix 2.7 does not support SASL binds. Hence one cannot SASL bind on
+the socket with the EXTERNAL mechanism, which leads to a flood of warnings
+"connection_read(XX): no connection!" in the syslog. One can also reproduce the
+flood with
+ ldapsearch -H 'ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/' -x -WD 'cn=guilhem,ou=managers,o=mailHosting,dc=fripost,dc=org' -b 'o=mailHosting,dc=fripost.org,dc=org'
+instead of
+ ldapsearch -H 'ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/' -Y EXTERNAL -WD 'cn=guilhem,ou=managers,o=mailHosting,dc=fripost,dc=org' -b 'o=mailHosting,dc=fripost.org,dc=org'
+(The first one performs a simple bind and does not unbind properly, while
+the second one is safe and performs a SASL bind with the EXTERNAL mechanism.)
+
+TODO: With Postfix 2.8, one could do [Not tested]
+ bind = sasl
+ sasl_mechs = EXTERNAL
+
+See also
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643970
+ http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660223
+ http://www.openldap.org/lists/openldap-software/200811/msg00078.html
+
+
:: /etc/postfix/ldap/ldap_virtual_mailbox_domains.cf
+ #server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
search_base = dc=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org
@@ -1261,8 +1285,10 @@ Test it:
:: /etc/postfix/ldap/ldap_virtual_mailbox_maps.cf
+ #server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
+ version = 3
search_base = uid=%u,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
scope = base
bind = yes
@@ -1278,6 +1304,7 @@ Test it:
:: /etc/postfix/ldap/ldap_virtual_alias_maps.cf
+ #server_host = ldapi://%2Fvar%2Frun%2Fldapi/
server_host = ldap://127.0.0.1:389/
version = 3
search_base = dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
@@ -1292,9 +1319,6 @@ Test it:
postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf
postmap -q user@example.org ldap:/etc/postfix/ldap/ldap_virtual_alias_maps.cf
-
-(The main LDAP server is partly replicated on a UNIX socket on the MX's.)
-
**** Test delivery
sudo mkdir -p /home/mail/virtual/fripost.org/
@@ -1464,7 +1488,7 @@ this machine actually speaks to the master).
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -O /etc/saslauthd.conf"
[...]
-(Note: The socket has to be readable by postfix.)
+(Note: The socket has to be in Postfix's chroot jail.)
:: /etc/saslauthd.conf
@@ -1482,11 +1506,11 @@ before binding to the user (unlike Dovecot). Hence it needs to have read access
on the user's entry (except his/her password, of course).
After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the
-authentication: `testsaslauthd -u user@fripost.org -p password'. (The password
-cannot be prompted, so you may want to create a dummy user.)
+authentication:
+
+ testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user@fripost.org -p password
-[Note: for `testsaslauthd' to work, you have to set OPTIONS="-c -m /var/run/saslauthd"
-in `/etc/default/saslauthd'.]
+(The password cannot be prompted, so you may want to create a dummy user.)
**** Configure Postfix