From ad0038bb1fdd526a1cb2ae837a1d14b514c91384 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 28 Apr 2012 17:50:11 +0200 Subject: Documenting LDAP replication; fixing SASLauth. --- fripost-docs.org | 106 ++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 81 insertions(+), 25 deletions(-) diff --git a/fripost-docs.org b/fripost-docs.org index 30eaa39..240c891 100644 --- a/fripost-docs.org +++ b/fripost-docs.org @@ -311,8 +311,8 @@ ORIGIN_PORT="1917" 2b. Create a new user on the destination host: - sudo adduser --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \ - --system $TUNNEL_USER + sudo adduser --system --home=$TUNNEL_HOME --shell=`type rbash|cut -d' ' -f3` \ + $TUNNEL_USER echo "exit" | sudo -u $TUNNEL_USER tee $TUNNEL_HOME/.bash_profile # Note: We need bash, so we can not change the shell to something else. @@ -878,12 +878,14 @@ http://www.openldap.org/doc/admin24/access-control.html for details. by * break - # Admins have writing rights on the branch. Authenticated users can read - # their entry. The SMTP server can read entries on the branch. + # their entry. The SMTP and SASLauthd servervices can read entries on the + # branch (but not the passwords). Other cannot access the branch. add: olcAccess olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read + by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif 
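Review bot: The new comment lines in hunk @@ -878 misspell `servervices` and `Other cannot`, and the denial they describe (`Other cannot access the branch`) is only expressed through OpenLDAP's implicit trailing `by * none` on rule {4}. Appending an explicit `by * none` after the new `by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read` clause makes the comment verifiable from the rule itself and protects against a later edit that ends the rule with `by * break`. The same clause is mirrored in the cn=config listing in hunk @@ -894 and would need the same trailing clause there. Suggested comment wording: `# their entry. The SMTP and SASLauth services can read entries on the` / `# branch (but not the passwords). Others cannot access the branch.`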
@@ -894,7 +896,7 @@ ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth olcAccess: {2}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=gn,sn by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=domains,o=mailHosting,dc=fripost,dc=org)$" by set.expand="[$2]/owner & user" write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by * break - olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read + olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read olcAccess: {5}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none olcAccess: {6}to dn.base="" by * read olcAccess: {7}to * by self write by dn="cn=admin,dc=fripost,dc=org" write by * read @@ -911,7 +913,7 @@ a new ACL with writable [ou=domains,...]/children, and [dc=...,ou=domains,...]/e :: /etc/ldap/fripost/base.ldif dn: o=mailHosting,dc=fripost,dc=org - objectClass: organizational + objectClass: organization description: Mail hosting dn: ou=domains,o=mailHosting,dc=fripost,dc=org @@ -1018,8 +1020,8 @@ and ***** Anonymous user -`ldapsearch -xLLL -b "ou=domains,o=mailHosting,dc=fripost,dc=org"' should exit with status 0, but not return -anything. +`ldapsearch -xLLL -b "ou=domains,o=mailHosting,dc=fripost,dc=org"' should exit +with return status 0, but shouldn't print anything. ***** Services 
@@ -1068,7 +1070,11 @@ should refuse with `Insufficient access (50)'. **** Partial replication on the MXs -In case the LDAP goes down, we partly replicate the LDAP tree on the MXs. +In case the LDAP goes down, we partly (e.g., we omit the passwords) replicate the LDAP +tree on the MXs. + +Documentation: http://www.openldap.org/doc/admin22/syncrepl.html + http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap ***** Installation 
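Review bot: The added documentation link points at the 2.2 guide (`http://www.openldap.org/doc/admin22/syncrepl.html`) while the ACL section of this file already cites admin24, and the syncprov/syncrepl configuration that follows this hunk uses cn=config attributes (`olcOverlay`, `olcSyncRepl`) that the 2.2 guide does not describe; citing the admin24 replication chapter instead would land the reader on the attributes actually used. The sentence `we partly (e.g., we omit the passwords) replicate` also deserves a clause saying that the omission is an effect of the master ACL applied to the replication bind DN, not of the syncrepl directive, since the directive added later requests `attrs="*,+"`.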
@@ -1081,15 +1087,61 @@ The slave may only listen on the UNIX socket; To specify that, in SLAPD_SERVICES="ldapi:///" In the rest of this section, we assume there is a tunnel from the master -LDAP server to the slave (i.e., ldap://localhost:389 on the slaves actually +LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually speaks to the master). Following LDAP's terminology, the master server is also called "production", and the slave is known as "consumer". -***** Using syncrepl +***** Using syncprov (on the master) + +We first need to load the module `syncprov.la'. + + :: /etc/ldap/fripost/modules.ldif + + dn: cn=module{0}, cn=config + changetype: modify + add: olcModuleLoad + olcModuleLoad: syncprov.la + +ldapmodify -QY EXTERNAL -H ldapi:/// -f modules.ldif + +The master can now define itself as the provider. + + :: /etc/ldap/fripost/syncprov.ldif + + dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config + objectClass: olcOverlayConfig + objectClass: olcSyncProvConfig + olcOverlay: syncprov + # contextCSN saved to database every 50 updates or 5 minutes + olcSpCheckpoint: 50 5 + +ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif -TODO +***** Using syncrepl (on the slave) + + :: /etc/ldap/fripost/syncrepl.ldif + + dn: olcDatabase={1}hdb,cn=config + changetype: modify + replace: olcSyncRepl + olcSyncRepl: rid=000 + provider=ldap://127.0.0.1:3890 + type=refreshAndPersist + retry="5 5 300 +" + searchbase="o=mailHosting,dc=fripost,dc=org" + attrs="*,+" + scope=sub + schemachecking=off + bindmethod=simple + binddn="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" + credentials="xxxxxx" + +ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/syncrepl.ldif + +(Since we in our case we have several slaves, we may want to increment the +rid.) *** Configuring the main IMAP server **** Install packages 
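Review bot: The `olcSyncRepl` directive in hunk @@ -1081 binds as `cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org` with `bindmethod=simple` and `credentials="xxxxxx"`, so both the consumer's cn=config and `/etc/ldap/fripost/syncrepl.ldif` on disk hold that service password in clear; the section should state that the file is root-only (e.g. `chmod 600 /etc/ldap/fripost/syncrepl.ldif`) and that the simple bind is only acceptable because `ldap://127.0.0.1:3890` is the tunnel to the master. Because `attrs="*,+"` asks for every attribute, the "no passwords on the replica" property rests entirely on the master ACL denying that DN `userPassword`, which is worth saying next to the directive so nobody later widens the SMTP account's read access. Two smaller inconsistencies: `ldapmodify -QY EXTERNAL -H ldapi:/// -f modules.ldif` uses a relative path while every other command uses `/etc/ldap/fripost/...`, and `ldapadd -Y EXTERNAL -H ldapi:/// -f syncprov.ldif` drops the `-Q` the other commands use. As far as I can tell `rid` only needs to be unique among the syncrepl directives of a single consumer, so the closing remark about incrementing it per slave is unnecessary rather than harmful.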
@@ -1173,13 +1225,11 @@ http://www.tehinterweb.co.uk/roundcube/#pisieverules :: /etc/postfix/ldap_virtual_mailbox_domains.cf - server_host = ldap://localhost/ + server_host = ldapi:// version = 3 - search_base = ou=domains,o=mailHosting,dc=fripost,dc=org - scope = one - bind = yes - bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org - bind_pw = xxxxxx + search_base = dc=%s,ou=domains,o=mailHosting,dc=fripost,dc=org + scope = base + bind = no query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE)) result_attribute = dc @@ -1191,13 +1241,11 @@ Test it: :: /etc/postfix/ldap_virtual_alias_maps.cf - server_host = ldap://localhost/ + server_host = ldapi:// version = 3 search_base = dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org scope = one - bind = yes - bind_dn = cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org - bind_pw = smtp + bind = no query_filter = (&(ObjectClass=virtualAliases)(mailLocalAddress=%u)(isActive=TRUE)) result_attribute = mailTarget @@ -1205,6 +1253,8 @@ Test it: postmap -q user-alias@fripost.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf postmap -q user@example.org ldap:/etc/postfix/ldap_virtual_alias_maps.cf +(The main LDAP server is partly replicated on a UNIX socket on the MX's.) + **** Test delivery sudo mkdir -p /home/mail/virtual/fripost.org/ @@ -1367,6 +1417,10 @@ sudo apt-get install sasl2-bin libsasl2-modules-ldap (Scrictly speaking sasl2-bin is not necessary, but it offers some programs to test our installation.) +In the rest of this section, we assume there is a tunnel from the master +LDAP server to the slave (i.e., ldap://127.0.0.1:3890 on the slaves actually +speaks to the master). + **** Configure saslauthd :: /etc/default/saslauthd 
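Review bot: Switching `ldap_virtual_mailbox_domains.cf` to `server_host = ldapi://` with `bind = no` in hunk @@ -1173 makes domain lookups depend on anonymous read access to the local replica, but the ACLs documented for the master (hunk @@ -894, and the "Anonymous user" test in hunk @@ -1018 that expects no output) give anonymous binds nothing, so a replica that reuses `acl.ldif` would make Postfix treat every domain as unknown. The slave's own olcAccess rules and the permissions on its ldapi socket are not shown in this patch; the section should either document the relaxed ACL applied on the MXs or keep a low-privilege bind DN. The same applies to `ldap_virtual_alias_maps.cf` in hunk @@ -1191.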
@@ -1380,12 +1434,14 @@ test our installation.) :: /etc/saslauthd.conf - ldap_servers: ldap://localhost + ldap_servers: ldap://127.0.0.1:3890/ ldap_version: 3 + ldap_bind_dn: cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org + ldap_bind_pw: d&KU0.n8Do225e(Tc[,3PF7|r+/hpQF6 ldap_auth_method: bind - ldap_search_base: dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org - ldap_scope: one - ldap_filter: (&(objectClass=virtualMailbox)(uid=%u)(isActive=TRUE)) + ldap_search_base: uid=%U,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org + ldap_filter: (&(objectClass=virtualMailbox)(uid=%U)(isActive=TRUE)) + ldap_scope: base After restarting saslauthd (`/etc/init.d/saslauthd restart'), we can test the authentication: `testsaslauthd -u user@fripost.org -p password'. (The password -- cgit v1.2.3
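Review bot: `ldap_bind_pw: d&KU0.n8Do225e(Tc[,3PF7|r+/hpQF6` in hunk @@ -1380 looks like a real credential, while every other secret in this file is written as `xxxxxx`; once committed it stays in git history, so it should be replaced with the placeholder and the SASLauth account's password rotated. The section should also state that `/etc/saslauthd.conf` must be readable by root only (`chmod 600 /etc/saslauthd.conf`), since the daemon that reads it presumably runs as root and nothing else needs the file. It is worth adding one sentence that `ldap_auth_method: bind` with `ldap_scope: base` on `uid=%U,dc=%d,...` only requires the service DN to read the user's entry, with the password checked by the user's own bind, which is exactly the read-only grant made in hunk @@ -894 and why the SASLauth account must not be given more.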