From d9d2d7c673163ebb4427e12b0390865874274c43 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 2 May 2012 16:02:59 +0200
Subject: =?UTF-8?q?ou=3Ddomains=20=E2=86=92=20ou=3Dvirtual?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 fripost-docs.org | 68 ++++++++++++++++++++++++++++----------------------------
 1 file changed, 34 insertions(+), 34 deletions(-)
diff --git a/fripost-docs.org b/fripost-docs.org
index aa1abb3..ff5fe1b 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -683,7 +683,7 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
 | `- cn=SMTP
 | userPassword: xxxxxx
 |
- `- ou=domains
+ `- ou=virtual
 |- dc=fripost.org
 | isActive: TRUE
 | |- mailTarget=user1@fripost.org
@@ -696,7 +696,7 @@ Jamm's (http://jamm.sourceforge.net/howto/html/implementation.html).
 | `- uid=user2
 |
 `- dc=example.org
- owner: uid=user1,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ owner: uid=user1,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
 isActive: TRUE
 `- mailTarget=user1@fripost.org
 | mailLocalAddress: user1
@@ -884,7 +884,7 @@ http://www.openldap.org/doc/admin24/access-control.html for details.
 # Users are allowed to manage (create/delete/toggle activation) the
 # the domains they own.
 add: olcAccess
- olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=domains,o=mailHosting,dc=fripost,dc=org)$"
+ olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
 by set.expand="[$2]/owner & user" write
 by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
 by * break
@@ -907,7 +907,7 @@ ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
 olcAccess: {0}to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self read by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
 olcAccess: {1}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=userPassword by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by anonymous auth
 olcAccess: {2}to dn.children="o=mailHosting,dc=fripost,dc=org" attrs=gn,sn by self write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write
- olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=domains,o=mailHosting,dc=fripost,dc=org)$" by set.expand="[$2]/owner & user" write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by * break
+ olcAccess: {3}to dn.regex="(.+,)?(dc=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$" by set.expand="[$2]/owner & user" write by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by * break
 olcAccess: {4}to dn.subtree="o=mailHosting,dc=fripost,dc=org" by dn.one="ou=managers,o=mailHosting,dc=fripost,dc=org" write by self read by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" read by dn.exact="cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org" read
 olcAccess: {5}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=fripost,dc=org" write by * none
 olcAccess: {6}to dn.base="" by * read
@@ -917,7 +917,7 @@ ldapmodify -QY EXTERNAL -H ldapi:/// -f /etc/ldap/fripost/acl.ldif
 Note: Users are allowed to manage their domain, but an admin is needed to add a domain to the tree. A possibility to avoid that with a web-form is to send a mail to the postmaster@example.org (or even to the mail that appears in the WHOIS) with a confirmation hash. That would simply require
-a new ACL with writable [ou=domains,...]/children, and [dc=...,ou=domains,...]/entry. (And probably a
+a new ACL with writable [ou=virtual,...]/children, and [dc=...,ou=virtual,...]/entry. (And probably a
 "semi-admin" with only these rights.)
 **** Create the base tree
@@ -928,7 +928,7 @@ a new ACL with writable [ou=domains,...]/children, and [dc=...,ou=domains,...]/e
 objectClass: organization
 description: Mail hosting
- dn: ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: ou=virtual,o=mailHosting,dc=fripost,dc=org
 objectClass: organizationalUnit
 description: Virtual Hosting
@@ -944,7 +944,7 @@ ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /etc/ldap/fripost/base.ldif
 To delete a leaf (`-r' to delete the whole sub-tree):
- ldapdelete -r -D cn=admin,dc=fripost,dc=org 'dc=example.org,ou=domains,o=mailHosting,dc=fripost,dc=org' -W
+ ldapdelete -r -D cn=admin,dc=fripost,dc=org 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
 **** Populate the tree
@@ -960,37 +960,37 @@ To delete a leaf (`-r' to delete the whole sub-tree):
 objectClass: organizationalRole
 userPassword: {SSHA}xxxxxx
- dn: dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
 objectClass: virtualDomain
 isActive: TRUE
- dn: uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
 objectClass: virtualMailbox
 gn: First Name
 sn: Last Name
 userPassword: {SSHA}xxxxxx
 isActive: TRUE
- dn: dc=example.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
 objectClass: virtualDomain
- owner: uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ owner: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
 isActive: TRUE
- dn: mailTarget=user-alias@fripost.org,dc=example.org,ou=domains,o=mailHosting,dc=fripost, dc=org
+ dn: mailTarget=user-alias@fripost.org,dc=example.org,ou=virtual,o=mailHosting,dc=fripost, dc=org
 objectClass: inetLocalMailRecipient
 objectClass: virtualAliases
 isActive: TRUE
 mailLocalAddress: user
 mailLocalAddress: user-alias
- dn: uid=user2,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: uid=user2,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
 objectClass: virtualMailbox
 gn: First Name
 sn: Last Name
 userPassword: {SSHA}xxxxxx
 isActive: FALSE
- dn: mailTarget=user@fripost.org,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: mailTarget=user@fripost.org,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
 objectClass: inetLocalMailRecipient
 objectClass: virtualAliases
 mailLocalAddress: user-alias
@@ -1007,15 +1007,15 @@ e.g., `slappasswd -h "{SSHA}"'.
 `slapacl' is an helpful tool to debugs the ACLS. For instance, to check what are the rights of user@fripost.org on the domain example.org, we can run:
- slapacl -b 'dc=example.org,ou=domains,o=mailHosting,dc=fripost,dc=org' -D 'uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org'
+ slapacl -b 'dc=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=org' -D 'uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org'
 We can also check ACLs with concrete examples:
-ldapwhoami -xD "uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org" -W
+ldapwhoami -xD "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -W
 should return the whole dn:
-"uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org"
+"uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
 **** Check the ACL
@@ -1024,26 +1024,26 @@ should return the whole dn:
 `slpacat' (run as root) dumps everything in the tree, including the (hashed) passwords. So should
- ldapsearch -xLLL -D "cn=admin,dc=fripost,dc=org" -b 'ou=domains,o=mailHosting,dc=fripost,dc=org' -W
+ ldapsearch -xLLL -D "cn=admin,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
 and
- ldapsearch -xLLL -D "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=domains,o=mailHosting,dc=fripost,dc=org' -W
+ ldapsearch -xLLL -D "cn=admin1,ou=managers,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
 ***** Anonymous user
-`ldapsearch -xLLL -b "ou=domains,o=mailHosting,dc=fripost,dc=org"' should exit
+`ldapsearch -xLLL -b "ou=virtual,o=mailHosting,dc=fripost,dc=org"' should exit
 with return status 0, but shouldn't print anything.
 ***** Services
-ldapsearch -xLLL -D "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=domains,o=mailHosting,dc=fripost,dc=org' -W
+ldapsearch -xLLL -D "cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
 should not disclose the passwords.
 ***** Self
-ldapsearch -xLLL -D "uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org" -b 'ou=domains,o=mailHosting,dc=fripost,dc=org' -W
+ldapsearch -xLLL -D "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -b 'ou=virtual,o=mailHosting,dc=fripost,dc=org' -W
 should return all the information for this very user, but not e.g., the password of the other users.
@@ -1052,7 +1052,7 @@ The user should be able to change his/her password, and aliases in his/her own d
 :: /tmp/usermod.ldif
- dn: uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ dn: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
 changetype: modify
 replace: userPassword
 userPassword: xxxxxx
@@ -1062,7 +1062,7 @@ The user should be able to change his/her password, and aliases in his/her own d
 add: mailLocalAddress
 mailLocalAddress: user-alias2@example.org
-ldapmodify -D "uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org" -W -f /tmp/usermod.ldif
+ldapmodify -D "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org" -W -f /tmp/usermod.ldif
 [Note: Still that should be wrapped up in a script, and there is no need to write on
 disk since the data is read from the standard input.]
@@ -1070,11 +1070,11 @@ disk since the data is read from the standard input.]
 We now ensure that the leaf has been updated:
- :: slapcat -s "uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org"
+ :: slapcat -s "uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org"
 [...]
 userPassword:: aG9w
 entryCSN: 20120404215647.957317Z#000000#000#000000
- modifiersName: uid=user,dc=fripost.org,ou=domains,o=mailHosting,dc=fripost,dc=org
+ modifiersName: uid=user,dc=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=org
 modifyTimestamp: 20120404215647Z
 On other modifications, for instance of `maildir', `ldapmodify'
@@ -1240,7 +1240,7 @@ http://www.tehinterweb.co.uk/roundcube/#pisieverules
 server_host = ldapi://
 version = 3
- search_base = dc=%s,ou=domains,o=mailHosting,dc=fripost,dc=org
+ search_base = dc=%s,ou=virtual,o=mailHosting,dc=fripost,dc=org
 scope = base
 bind = no
 query_filter = (&(ObjectClass=virtualDomain)(dc=%s)(isActive=TRUE))
@@ -1255,7 +1255,7 @@ Test it:
 :: /etc/postfix/ldap_virtual_mailbox_maps.cf
 server_host = ldapi://
 version = 3
- search_base = uid=%u,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
+ search_base = uid=%u,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
 scope = base
 bind = no
 query_filter = (&(ObjectClass=virtualMailbox)(uid=%u)(isActive=TRUE))
@@ -1270,7 +1270,7 @@ Test it:
 server_host = ldapi://
 version = 3
- search_base = dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
+ search_base = dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
 scope = one
 bind = no
 query_filter = (&(ObjectClass=virtualAliases)(mailLocalAddress=%u)(isActive=TRUE))
@@ -1382,8 +1382,8 @@ Copy this file in /etc/dovecot, and chmod 600 it. Uncomment the following lines:
 hosts = localhost # Or wherever is our LDAP server
 ldap_version = 3
 auth_bind = yes
- auth_bind_userdn = uid=%n,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
- base = uid=%n,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
+ auth_bind_userdn = uid=%n,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
+ base = uid=%n,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
 deref = never
 scope = base
 pass_filter = (&(objectClass=virtualMailbox)(uid=%n)(isActive=TRUE))
@@ -1459,7 +1459,7 @@ speaks to the master).
 ldap_bind_dn: cn=SASLauth,ou=services,o=mailHosting,dc=fripost,dc=org
 ldap_bind_pw: d&KU0.n8Do225e(Tc[,3PF7|r+/hpQF6
 ldap_auth_method: bind
- ldap_search_base: uid=%U,dc=%d,ou=domains,o=mailHosting,dc=fripost,dc=org
+ ldap_search_base: uid=%U,dc=%d,ou=virtual,o=mailHosting,dc=fripost,dc=org
 ldap_filter: (&(objectClass=virtualMailbox)(uid=%U)(isActive=TRUE))
 ldap_scope: base
@@ -1738,11 +1738,11 @@ $rcmail_config['password_ldap_host'] = '127.0.0.1';
 $rcmail_config['password_ldap_port'] = '389';
 $rcmail_config['password_ldap_starttls'] = false;
 $rcmail_config['password_ldap_version'] = '3';
-$rcmail_config['password_ldap_basedn'] = 'dc=domains,o=mailHosting,dc=fripost,dc=org'
+$rcmail_config['password_ldap_basedn'] = 'ou=virtual,o=mailHosting,dc=fripost,dc=org'
 $rcmail_config['password_ldap_method'] = 'user';
 $rcmail_config['password_ldap_adminDN'] = null;
 $rcmail_config['password_ldap_adminPW'] = null;
-$rcmail_config['password_ldap_userDN_mask'] = 'uid=%name,dc=%domain,ou=domains,o=mailHosting,dc=fripost,dc=org';
+$rcmail_config['password_ldap_userDN_mask'] = 'uid=%name,dc=%domain,ou=virtual,o=mailHosting,dc=fripost,dc=org';
 $rcmail_config['password_ldap_searchDN'] = null
 $rcmail_config['password_ldap_searchPW'] = null
 $rcmail_config['password_ldap_search_base'] = null
-- 
cgit v1.2.3