From 609d690fa33cd526c71f5e73939a2912939f73e2 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 5 Apr 2012 15:24:11 +0200 Subject: LDAP: Fixing saslauthd; Adding more ACLs and discussion. --- fripost-docs.org | 44 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 34 insertions(+), 10 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index 172c1fe..79c08a4 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -695,11 +695,10 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html). MAY ( description ) ) olcObjectclasses: ( 1.3.6.1.4.1.12461.1.2.2 NAME 'virtualMailbox' SUP top STRUCTURAL - DESC 'Mail Account Object' + DESC 'Virtual Mailboxes' MUST ( mail $ userPassword $ dc $ maildir $ isActive ) MAY ( mailLocalAddress $ gn $ sn $ quota ) ) - Note: For the meaning of the sequences of digits above, grep the output of `ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"' (For instance, 1.3.6.1.4.1.1466.115.121.1.26 is a IA5String, meaning the spaces @@ -712,6 +711,18 @@ We can now add it to the schema list: (A [dirty] way to delete the schema is to remove the coresponding file in `/etc/ldap/slapd.d/cn=config/cn=schema/' and to restart slapd.) + +Note: Aliases have been inlined in the `virtualMailbox', and the column `alias.domain' +of the MySQL schema has been dropped. If we want to let users manage their aliases (for +the domains they manage), a possible solution is to add these managed virtual domains as +childrens of their owner. A suitable ACL would then define the rights properly: + + olcAccess: to dn.regex="dc=[^,]+,mail=([^,]+),o=mailboxes,dc=mail,dc=fripost,dc=org" attrs=mailLocalAddress + by self write + by dn.expand="mail=$1,o=mailboxes,dc=mail,dc=fripost,dc=org" write + by dn="cn=admin,dc=fripost,dc=org" write + by * read + ***** Add custom indexes The default indexes below are not enough for our purpose, since we will heavily 
@@ -800,7 +811,7 @@ ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/local/mail.fripost.org-acl.ldi [...] olcAccess: {0}to dn.children="dc=mail,dc=fripost,dc=org" attrs=userPassword by self write by dn="cn=admin,dc=fripost,dc=org" write by anonymous auth by * none olcAccess: {1}to dn.children="o=mailboxes,dc=mail,dc=fripost,dc=org" attrs=gn,sn by self write by dn="cn=admin,dc=fripost,dc=org" write by * none - olcAccess: {2}to dn.children="dc=mail,dc=fripost,dc=org" by dn="cn=admin,dc=fripost,dc=org" write by * read + olcAccess: {2}to dn.children="dc=mail,dc=fripost,dc=org" by dn="cn=admin,dc=fripost,dc=org" write by * read olcAccess: {3}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none olcAccess: {4}to dn.base="" by * read olcAccess: {5}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read @@ -808,6 +819,16 @@ ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/local/mail.fripost.org-acl.ldi [TODO: The proper way to define admin rights would be to make a group "Admin".] +Note: Attributes and entries here are world-readable (beside `userPassword' and names). +An other solution, more restrictive, would be to bind Postfix and Dovecots requests +to either `self' or a new dn "cn=mta,dc=mail,dc=fripost,dc=org" with a new ACL e.g., + + olcAccess: to dn.children="dc=mail,dc=fripost,dc=org" + by dn="cn=admin,dc=fripost,dc=org" write + by dn="cn=mta,dc=mail,dc=fripost,dc=org" read + by self read + by * none + **** Create the base tree :: /etc/ldap/local/mail.fripost.org-base.ldif 
@@ -1159,9 +1180,9 @@ Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines: deref = never scope = subtree user_attrs = maildir=home=/home/mail/virtual/%$ - user_filter = (&(objectClass=virtualMailbox)(mail=%u)(domain=%d)(isActive=TRUE)) + user_filter = (&(objectClass=virtualMailbox)(mail=%u)(dc=%d)(isActive=TRUE)) pass_attrs = mail=user - pass_filter = (&(objectClass=virtualMailbox)(mail=%u)(domain=%d)(isActive=TRUE)) + pass_filter = (&(objectClass=virtualMailbox)(mail=%u)(dc=%d)(isActive=TRUE)) (And the TLS-related lines in case we are not using a tunnel.) The "base" is the root of our tree structure, in our case dn="o=mailboxes,dc=mail,dc=fripost,dc=org". @@ -1226,20 +1247,23 @@ test our installation.) OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" [...] -(The socket has to be readable by postfix.) +(Note: The socket has to be readable by postfix.) :: /etc/saslauthd.conf ldap_servers: ldap://localhost ldap_version: 3 + ldap_auth_method: bind ldap_search_base: o=mailboxes,dc=mail,dc=fripost,dc=org ldap_scope: sub - ldap_filter: mail=%u - ldap_auth_method: bind + ldap_filter: (&(objectClass=virtualMailbox)(mail=%u)(dc=%d)(isActive=TRUE)) After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the -authentication: testsaslauthd -u userid -p password. (The password cannot be -prompted, so you may want to create a dummy user.) +authentication: `testsaslauthd -u user@fripost.org -p password'. (The password +cannot be prompted, so you may want to create a dummy user.) + +[Note: for `testsaslauthd' to work, you have to set OPTIONS="-c -m /var/run/saslauthd" +in `/etc/default/saslauthd'.] **** Configure Postfix -- cgit v1.2.3
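Review bot: in the `@@ -712,6 +711,18 @@` hunk the `dn.regex` in the added alias ACL is unanchored. slapd applies a regex `to dn` clause as a substring match, so `dc=[^,]+,mail=([^,]+),o=mailboxes,dc=mail,dc=fripost,dc=org` also matches any entry nested below a domain entry, and `by dn.expand="mail=$1,..." write` then hands the domain owner write on `mailLocalAddress` of those deeper entries as well. Anchor it, as in `to dn.regex="^dc=[^,]+,mail=([^,]+),o=mailboxes,dc=mail,dc=fripost,dc=org$"`. Also worth stating in the note: because the rule is scoped to `attrs=mailLocalAddress`, owners can edit aliases of an existing domain entry but cannot add or delete domain entries (that needs write on the parent's `children` pseudo-attribute), which is the intended limit; and `by * read` publishes every alias to anonymous binds, so this rule would need the same tightening as the restrictive ACL proposed further down.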
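Review bot: in the `@@ -800,7 +811,7 @@` hunk the `{2}` line differs between `-` and `+` only in whitespace (both read `olcAccess: {2}to dn.children="dc=mail,dc=fripost,dc=org" by dn="cn=admin,dc=fripost,dc=org" write by * read`); if that is a stray edit it should be dropped so the diff shows only the ACLs that change. While looking at `{2}`: it is the first rule that matches anything under dc=mail other than userPassword (`{0}`) and gn/sn (`{1}`), and OpenLDAP stops at the first matching `to` clause, so its `by * read` exposes `maildir` (a filesystem path), `isActive`, `quota`, `dc` and `mailLocalAddress` to anonymous binds. The TODO about an admin group could be paired with the cn=mta rule proposed in the next hunk rather than left as a note.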
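Review bot: in the `@@ -808,6 +819,16 @@` hunk the proposed cn=mta rule only works at position `{2}`, and the note should say so: it has to come after `{0}` (which keeps `by anonymous auth` on userPassword, so simple binds still work) and before the catch-all `{5}` `to * ... by * read`, which would otherwise re-grant anonymous read before the new rule is ever consulted. It also changes how the consumers connect: with `by * none`, the search that precedes the bind in saslauthd (`ldap_auth_method: bind`, see the saslauthd.conf hunk) and in Dovecot's `pass_filter` returns nothing to an anonymous client, so Postfix, Dovecot and saslauthd would each have to bind as cn=mta (`bind_dn`/`bind_pw` in the Postfix LDAP tables, `dn`/`dnpass` in dovecot-ldap.conf, `ldap_bind_dn`/`ldap_bind_pw` in saslauthd.conf), and cn=mta's own userPassword is then protected by `{0}` since it lives under dc=mail. Minor: "An other" -> "Another", "Dovecots" -> "Dovecot's".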
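Review bot: in the `@@ -1159,9 +1180,9 @@` hunk the switch from `(domain=%d)` to `(dc=%d)` is the right fix, since `dc` is the attribute the schema hunk makes mandatory on `virtualMailbox` and `domain` does not exist there; the filter now also matches the one given to saslauthd in the last hunk. Note that in Dovecot `%u` is the full login name including the domain, so `(mail=%u)` already pins the entry and `(dc=%d)` is a consistency check between the stored `mail` and `dc` values; that check only holds if `mail` is always stored with its domain part, which is worth saying next to the `base` sentence below the hunk.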
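Review bot: in the `@@ -1226,20 +1247,23 @@` hunk the bracketed note at the end tells the reader to set `OPTIONS="-c -m /var/run/saslauthd"` for testsaslauthd, which undoes the socket location the same hunk sets up for the Postfix chroot (`-m /var/spool/postfix/var/run/saslauthd`, "the socket has to be readable by postfix"). testsaslauthd takes the socket path with `-f`, so `testsaslauthd -u user@fripost.org -p password -f /var/spool/postfix/var/run/saslauthd/mux` exercises the real configuration and the note can be dropped. Two caveats belong next to the new `ldap_filter`: `%u` is the login name as received by saslauthd, so `(mail=%u)(dc=%d)` matches only when clients authenticate with the full address, which the test line now uses; and `-c` turns on saslauthd's credential cache, so setting `isActive` to FALSE or changing a password is not enforced for SMTP AUTH until the cached entry expires (`-t`), which matters for the deactivation flow the filter is meant to implement.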