-rw-r--r--figures/network.tex2
-rw-r--r--fripost-docs.org43
2 files changed, 36 insertions, 9 deletions
diff --git a/figures/network.tex b/figures/network.tex
index 8be726a..833c3f5 100644
--- a/figures/network.tex
+++ b/figures/network.tex
@@ -203,7 +203,7 @@
.. controls +(30:8cm) and +(0,-2.5cm) ..
(LDAP-producer.south)
node[pos=0.5,above,proto] {LDAP \textnormal{(over \texttt{SSH})}}
- node[pos=0.15,below,what] {mod. \texttt{userPassword}}
+ node[pos=0.15,align=center,what] {bind to \\ mod. \texttt{userPassword}}
node[pos=0.96,above,port] {389};
\draw[->,route] (MSA) edge
diff --git a/fripost-docs.org b/fripost-docs.org
index 53f21d2..21d7154 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -745,6 +745,25 @@ Note: For the meaning of the sequences of digits above, grep the output of
(For instance, 1.3.6.1.4.1.1466.115.121.1.26 is a IA5String, meaning the spaces
don't matter)
+TODO: Because of the use of `mailLocalAddress', we cannot use wildcard on aliases
+with the current schema. It should be amended as follows:
+
+ olcAttributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.3 NAME 'mailAliasGoto'
+ DESC 'The target of e-mail virtual aliases.'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
+ olcAttributeTypes: ( 1.3.6.1.4.1.7914.1.2.1.4 NAME 'mailAliasFrom'
+ DESC 'The login part of virtual aliases.'
+ EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreSubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+ olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.2 NAME 'virtualAliases'
+ SUP top STRUCTURAL
+ DESC 'Virtual Aliases.'
+ MUST ( mailAliasGoto $ mailAliasFrom $ isActive )
+
+
We can now add it to the schema list:
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/fripost.ldif
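Review bot: The proposed `virtualAliases` object class in the new TODO block is syntactically incomplete: `MUST ( mailAliasGoto $ mailAliasFrom $ isActive )` closes only the MUST list, and the opening `olcObjectclasses: (` is never closed, so pasting this LDIF into `ldapadd` as the following line suggests would be rejected. The last line should read `MUST ( mailAliasGoto $ mailAliasFrom $ isActive ) )`. Separately, `mailAliasFrom` is declared as DirectoryString (`…121.1.15`, `caseIgnoreMatch`) while `mailAliasGoto` is IA5String (`…121.1.26`); if the local part of an alias is meant to be restricted to ASCII like the target, it is worth either using the IA5 syntax and `caseIgnoreIA5Match` for both, or noting in the doc that the mismatch is deliberate so that non-ASCII local parts are not accepted by accident.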
@@ -813,6 +832,13 @@ be looking for e.g., the `uid' attribute.
add: olcDbIndex
olcDbIndex: owner eq
+TODO: After having amended the schema as specified above, we'll also need a
+`sub' index on aliases:
+
+ add: olcDbIndex
+ olcDbIndex: mailAliasGoto,mailAliasFrom eq,sub
+
+
ldapmodify -Y EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/indexes.ldif
@@ -1247,22 +1273,23 @@ the prefix.
TODO: Postfix 2.7 does not support SASL binds. Hence one cannot SASL bind on
the socket with the EXTERNAL mechanism, which leads to a flood of warnings
"connection_read(XX): no connection!" in the syslog. One can also reproduce the
-flood with
+warning with
ldapsearch -H 'ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/' -x -WD 'cn=guilhem,ou=managers,o=mailHosting,dc=fripost,dc=org' -b 'o=mailHosting,dc=fripost.org,dc=org'
-instead of
+instead of the proper
ldapsearch -H 'ldapi://%2Fvar%2Fspool%2Fpostfix%2Fvar%2Frun%2Fldapi/' -Y EXTERNAL -WD 'cn=guilhem,ou=managers,o=mailHosting,dc=fripost,dc=org' -b 'o=mailHosting,dc=fripost.org,dc=org'
(The first one performs a simple bind and does not unbind properly, while
the second one is safe and performs a SASL bind with the EXTERNAL mechanism.)
-TODO: With Postfix 2.8, one could do [Not tested]
- bind = sasl
- sasl_mechs = EXTERNAL
-
See also
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=643970
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660223
http://www.openldap.org/lists/openldap-software/200811/msg00078.html
+TODO: In the time being, we stick to simple binds on 127.0.0.1:389, but with
+Postfix 2.8, one could do [Not tested]
+ bind = sasl
+ sasl_mechs = EXTERNAL
+
:: /etc/postfix/ldap/ldap_virtual_mailbox_domains.cf
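Review bot: The new TODO records that Postfix keeps using simple binds to 127.0.0.1:389 in the meantime, but it does not say what that implies for the bind credentials; if the simple bind is an authenticated one, the bind password lives in clear text in the Postfix `ldap_*.cf` map files and is sent in the clear to slapd (acceptable on loopback, but only if those files are not world-readable). I would add a sentence such as `Note: the .cf files then contain the bind password in clear text and must be readable only by root and the postfix user.` next to the `[Not tested]` alternative, so that whoever revisits this TODO checks the file permissions as well as the bind method. Whether a bind password is used here is not visible in this hunk and should be confirmed against the map files that follow.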
@@ -1833,8 +1860,8 @@ on this machine actually speaks to the master).
$rcmail_config['password_driver'] = 'ldap_simple';
$rcmail_config['password_confirm_current'] = true;
- $rcmail_config['password_minimum_length'] = 8;
- $rcmail_config['password_require_nonalpha'] = true;
+ $rcmail_config['password_minimum_length'] = 12;
+ $rcmail_config['password_require_nonalpha'] = false;
$rcmail_config['password_log'] = false;
$rcmail_config['password_ldap_host'] = '127.0.0.1';
$rcmail_config['password_ldap_port'] = '3890';
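Review bot: The password policy in the documented Roundcube config is changed in two opposite directions at once (`password_minimum_length` 8 → 12, `password_require_nonalpha` true → false) without recording the reasoning, so a later reader cannot tell whether dropping the non-alphabetic requirement was intentional or a slip. If the intent is to prefer length over composition rules, state it in the doc, e.g. `# favour longer passphrases over composition rules; 12-character minimum, no character-class requirement`, and note that a 12-character all-alphabetic minimum alone still admits dictionary-word passwords, so some guessability check remains desirable. This hunk quotes the documented configuration only; the live Roundcube config should be checked to match.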