From 45768c5c537c0fa418fb45015f46fd5764022dd1 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem.moulin@fripost.org>
Date: Tue, 3 Apr 2012 02:14:31 +0200
Subject: A first schema for the table that maintains users informations.

---
 fripost-docs.org | 145 +++++++++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 135 insertions(+), 10 deletions(-)

(limited to 'fripost-docs.org')

diff --git a/fripost-docs.org b/fripost-docs.org
index 91c8943..abed845 100644
--- a/fripost-docs.org
+++ b/fripost-docs.org
@@ -632,16 +632,26 @@ http://www.rjsystems.nl/en/2100-d6-openldap-provider.php
 sudo apt-get install slapd ldap-utils 
 
 If it does not prompt for your domain, admin password, etc., run
-`dpkg-reconfigure -plow slapd'.
+`dpkg-reconfigure -plow slapd'. Here is how we answer the questions:
+
+Omit OpenLDAP server configuration?                             No
+DNS domain name:                                                fripost.org
+Organization name:                                              Fripost
+Administrator password:                                         *********
+Database backend to use:                                        HDB
+Do you want the database to be removed when slapd is purged?    No
+Move old database?                                              Yes
+Allow LDAPv2 protocol?                                          No
+
 
 We do not want to listen all the Internet: in `/etc/default/slapd', change
-`SLAPD_SERVICES' accordingly. E.g., to only listen to localhost (non SSL) and
+`SLAPD_SERVICES' accordingly. E.g., to only listen to (non SSL) localhost and
 unix sockets, specify
 
 SLAPD_SERVICES="ldap:///127.0.0.1:389 ldapi:///%2fvar%2frun%2fopenldap%2fldapi/????x-mod=0777"
 
 (This should be enough if the connection from the IMAP/SASL services are
-wrapped into SSH or SSL tunnels.)
+wrapped into SSH or SSL/TLS tunnels.)
 
 We can check the configuration with
 
@@ -651,17 +661,132 @@ and modify a .ldif file with
 
   ldapmodify -Y EXTERNAL -H ldapi:/// -f "<file.ldif>"
 
-**** Our schema
+**** Fripost's schema
+
+We base our schema on qmail's: http://dhits.nl/download/qmail.new.schema .
+Note: our schema is not standalone, see the section below.
+
+Put the code below into `/tmp/fripost.ldif', and run
+    ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/fripost.ldif
+
+dn: cn=mailAccount,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: mailAccount
+olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.1 NAME 'mailbox'
+    DESC 'The path to the mailbox.'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.2 NAME 'domain'
+    DESC 'The path to the mailbox.'
+    EQUALITY caseIgnoreIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: ( 1.3.6.1.4.1.12461.1.1.3 NAME 'quota'
+    DESC 'The quota on a mailbox e.g., "50MB".'
+    EQUALITY caseExactIA5Match
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+
+
+# Note: For the meaning of the sequences of digits above, grep the output of
+#    ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
+# (For instance, 1.3.6.1.4.1.1466.115.121.1.26 is a IA5String, meaning the spaces
+# doesn't matter)
+    
+
+# We will also use other attributes, coming from imported schemas:
+# * uid, userid: RFC4519: user identifier.
+#     Usernames. Note that the case is ignored.
+# * cn, commonName: RFC4519: common name(s) for which the entity is known by
+#     First name of the user.
+# * sn, surName: RFC2256: last (family) name(s) for which the entity is known by
+#
+# Also, some attributes will be set automatically, see below.
+
+
+[TODO: This is only an attempt to subsume the MySQL table `mailbox'. Do the same
+for the 3 others.]
+
+**** Add a custom ACL
+
+The ACL is already properly defined (check it with `ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"').
+
+olcAccess: {0}to attrs=userPassword,shadowLastChange
+    by self write
+    by anonymous auth
+    by dn="cn=admin,dc=fripost,dc=org" write
+    by * none
+olcAccess: {1}to dn.base=""
+    by * read
+olcAccess: {2}to *
+    by self write
+    by dn="cn=admin,dc=fripost,dc=org" write
+    by * read
+
+But we may want to hide the users' name to anyone but the admin. To this end, create a file
+`/tmp/bigbrother.ldif' with the following content:
+
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+add: olcAccess
+olcAccess: {1}to dn.base="o=mailAccount,dc=fripost,dc=org" attrs=cn,sn by dn="cn=admin,dc=fripost,dc=org" write by * none
+
+and run `ldapmodify -QY EXTERNAL -H ldapi:/// -f /tmp/bigbrother.ldif'. We can
+now check `ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"'
+the difference:
+
+olcAccess: {0}to attrs=userPassword,shadowLastChange
+    by self write
+    by anonymous auth
+    by dn="cn=admin,dc=fripost,dc=org" write
+    by * none
+olcAccess: {1}to dn.base="o=mailAccount,dc=fripost,dc=org" attrs=cn,sn
+    by dn="cn=admin,dc=fripost,dc=org" write
+    by * none
+olcAccess: {2}to dn.base=""
+    by * read
+olcAccess: {3}to *
+    by self write
+    by dn="cn=admin,dc=fripost,dc=org" write
+    by * read
+
+[TODO: The proper way to define admin rights would be to make a group "Admin".]
+
+**** Add a user
+
+We start by creating our base tree, in `/tmp/base.ldif':
+
+dn: o=mailAccount,dc=fripost,dc=org
+o: Mail Users
+objectClass: organization
+
+(Run `ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /tmp/base.ldif' to attach the tree'.)
+
+
+We are now ready to create a user. Open a file `/tmp/user.ldif', with the following content:
+
+dn: uid=user,o=mailAccount,dc=fripost,dc=org
+objectClass: top
+objectClass: mailAccount
+uid: user
+cn: secret
+userPassword: {SSHA}ByzkkO0jNcDwx3+1wZi6FVm0WoEI5Ivo
+domain: fripost.org
+mailbox: /hop/ 
+accountActive: TRUE
+
+And add it with `ldapadd -cxWD cn=admin,dc=fripost,dc=org -f /tmp/user.ldif'. (Note: this should
+obviously be wrapped in a script; `ldapadd' reads the standard input, so there's no need to write
+on disk.) Where the password is a the S-SHA1 hash of "hackme".
+
 
-[TODO: find something suitable to subsume the MySQL databases; we could find some
-inspiration here: http://dhits.nl/download/qmail.new.schema]
+To delete a user, you can run
+    ldapdelete -D cn=admin,dc=fripost,dc=org 'uid=user,o=mailAccount,dc=fripost,dc=org' -W
 
-If the task is only to provide a secure way to authenticate, the "basic tree" of
-http://www.rjsystems.nl/en/2100-d6-openldap-provider.php#tree is good enough.
+`slapcat', run as root, dums everything in the tree, including the (hashed) passwords. However, run as a
+non-authenticated user, the target's name remains hidden.
 
-After adding an user, we can check that the authentication works properly:
+We can check that the SASL binds work as excected:
 
-ldapwhoami -xD uid=myuserid,ou=account,dc=fripost,dc=org -W
+    ldapwhoami -xD uid=user,ou=mailAccount,dc=fripost,dc=org -W
 
 *** Configuring the main IMAP server
 **** Install packages
-- 
cgit v1.2.3