
roles/ldap: phamm.schema now provided locally

python3
Zolfa 5 years ago
parent
commit
6e85719a42
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
5 changed files with 323 additions and 4 deletions
  1. +3
    -3
      MIGRATION.md
  2. +63
    -0
      roles/ldap/files/phamm-vacation.schema
  3. +240
    -0
      roles/ldap/files/phamm.schema
  4. +16
    -1
      roles/ldap/tasks/main.yaml
  5. +1
    -0
      roles/ldap/templates/slapd.conf.j2

+ 3
- 3
MIGRATION.md

@ -18,14 +18,14 @@ On the hosts:
## Roles
| Role name | Modified? | Tested? | Production? | Notes |
| Role name | Modified? | Tested? | Production? | Notes |
|----------------------|:---------:|:--------:|:-----------:|----------------------------------------------------------------------|
|`roles/service` | **YES** | **YES** | NO | New `apt` module style for packages. |
|`roles/ssh_server` | **YES** | **YES** | NO | `lxc_ssh.py` --> `ssh_lxc.py`, multi-key support. |
|`roles/ca` | **YES** | ReadNote | NO | New `apt` module style for pacakges. Works with this [ca_manager]. |
|`prepare_host.yaml` | **YES** | **YES** | NO | Migrate Debian release to Buster and Python 2 to 3. |
|`roles/lxc_guest.yaml`| **YES** | **YES** | NO | Updated Debian and LXC. `xfs` ***broken***, `ext4` working. |
|`roles/ldap` | NO | NO | NO | |
|`roles/lxc_guest` | **YES** | **YES** | NO | Updated Debian and LXC. `xfs` ***broken***, `ext4` working. |
|`roles/ldap` | **YES** | **YES** | NO | `phamm.schema` now provided locally. |
|`roles/nginx` | NO | NO | NO | |
|`roles/projects` | NO | NO | NO | |
|`roles/dns_record` | NO | NO | NO | |


+ 63
- 0
roles/ldap/files/phamm-vacation.schema

@ -0,0 +1,63 @@
#--------------------------------------------------------------------------
# LDAP Schema for phamm-vacation
#----------------------
# Release 1.1.1
# 2012/08/28
#--------------------------------------------------------------------------
# Copyright (c) 2008-2016 Mirko Grava, RHX Srl - www.rhx.it
# Permission is granted to copy, distribute and/or modify this document
# under the terms of the GNU Free Documentation License, Version 2
# or any later version published by the Free Software Foundation;
#--------------------------------------------------------------------------
# 1.3.6.1.4.1.22339 RHX Srl's OID
# 1.3.6.1.4.1.22339.2 Phamm-vacation
# 1.3.6.1.4.1.22339.2.1 AttributeTypes
# 1.3.6.1.4.1.22339.2.2 ObjectClasses
#--------------------------------------------------------------------------
# Attribute Types
#-----------------
attributetype ( 1.3.6.1.4.1.22339.2.1.1 NAME 'vacationActive'
DESC 'A flag, for marking the user as being away'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.2.1.2 NAME 'vacationInfo'
DESC 'Absentee note to leave behind, while on vacation'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.2.1.3 NAME 'vacationStart'
DESC 'Beginning of vacation'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.2.1.4 NAME 'vacationEnd'
DESC 'End of vacation'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.2.1.5 NAME 'vacationForward'
DESC 'RFC1274: RFC822 Mailbox'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.22339.2.1.6 NAME 'vacationSubject'
DESC 'Subject for the vacation message'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.2.1.7 NAME 'vacationReminder'
DESC 'How many hours we should wait before a second email from someone will cause another vacation message to be sent to that email address'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
# Classes
#---------
objectclass ( 1.3.6.1.4.1.22339.2.2.1 NAME 'Vacation'
SUP top AUXILIARY
DESC 'Users vacation status information'
MUST ( vacationActive )
MAY ( vacationInfo $ vacationStart $ vacationEnd $ vacationForward $ vacationSubject $ vacationReminder ) )

+ 240
- 0
roles/ldap/files/phamm.schema

@ -0,0 +1,240 @@
#--------------------------------------------------------------------------
# LDAP Schema for phamm
#----------------------
# Release 1.5
# 2014/10/3
#--------------------------------------------------------------------------
# Copyright (c) 2006-2016 Mirko Grava, RHX Srl - www.rhx.it
# Permission is granted to copy, distribute and/or modify this document
# under the terms of the GNU Free Documentation License, Version 2
# or any later version published by the Free Software Foundation;
#--------------------------------------------------------------------------
# 1.3.6.1.4.1.22339 RHX Srl's OID
# 1.3.6.1.4.1.22339.1 Phamm
# 1.3.6.1.4.1.22339.1.1 AttributeTypes
# 1.3.6.1.4.1.22339.1.2 ObjectClasses
#--------------------------------------------------------------------------
# Attribute Types
#-----------------
attributetype ( 1.3.6.1.4.1.22339.1.1.1 NAME 'postfixTransport'
DESC 'A string directing postfix which transport to use'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.2 NAME 'accountActive'
DESC 'A boolean telling whether an account is active or not'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.3 NAME 'lastChange'
DESC 'Time in unix time of last change in entry'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.4 NAME 'vd'
DESC 'A virtual domain managed by Phamm'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.22339.1.1.5 NAME 'mailbox'
DESC 'The absolute path to the mailbox for a mail account in a non-default location'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.6 NAME 'quota'
DESC 'A string that represents the quota on a mailbox'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.7 NAME 'clearPassword'
DESC 'A separate text that stores the mail account password in clear text'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128})
attributetype ( 1.3.6.1.4.1.22339.1.1.8 NAME 'maildrop'
DESC 'RFC822 Mailbox - mail alias'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.22339.1.1.9 NAME 'mailsource'
DESC 'Message source'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.22339.1.1.10 NAME 'editAliases'
DESC 'A boolean telling whether a domain manager can edit Aliases'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.11 NAME 'editAccounts'
DESC 'A boolean telling whether a domain manager can edit Accounts'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.12 NAME 'editAV'
DESC 'A boolean telling whether a domain manager can edit Antivirus'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.13 NAME 'delete'
DESC 'A boolean telling whether this item is marked for deletion'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.14 NAME 'forwardActive'
DESC 'A boolean telling whether this item is using forward'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.15 NAME 'maxDomain'
DESC 'A string that represents the max domain for a VirtualAdmin'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.16 NAME 'maxMail'
DESC 'A string that represents the max mail for a VirtualAdmin'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.17 NAME 'maxAlias'
DESC 'A string that represents the max alias for a VirtualAdmin'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.18 NAME 'maxQuota'
DESC 'A string that represents the max quota for a VirtualAdmin'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.19 NAME 'adminID'
DESC 'A string that represents the dn of admin domain'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.20 NAME 'vdHome'
DESC 'The absolute path to the virtual domain home'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.21 NAME 'otherTransport'
DESC 'A string directing postfix which transport to use'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.22 NAME 'creationDate'
DESC 'Timestamp of creation'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.23 NAME 'otherPath'
DESC 'This path to help any application'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.24 NAME 'createMaildir'
DESC 'A boolean telling when we must create Maildir for maildrop transport'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.25 NAME 'smtpAuth'
DESC 'A boolean telling when we could do smtp-auth'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.26 NAME 'expireDate'
DESC 'Expire date'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.27 NAME 'mailAutoreply'
DESC 'RFC822 Mailbox - mail for autoreply'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
attributetype ( 1.3.6.1.4.1.22339.1.1.28 NAME 'bypassGreyListing'
DESC 'A boolean telling when we could bypass Grey Listing'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.29 NAME 'phammGroup'
DESC 'Define the phamm Group of the VirtualMailAccount'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.4.1.22339.1.1.30 NAME 'maxSmtpAuth'
DESC 'A string that represents the max SMTP Auth for a VirtualAdmin'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.31 NAME 'maxAntivirus'
DESC 'A string that represents the max Antivirus for a VirtualAdmin'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.32 NAME 'maxAntiSpam'
DESC 'A string that represents the max AntiSpam for a VirtualAdmin'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.22339.1.1.33 NAME 'maxGreyList'
DESC 'A string that represents the max AntiGreyList for a VirtualAdmin'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
# Classes
#---------
objectclass ( 1.3.6.1.4.1.22339.1.2.1 NAME 'VirtualMailAccount'
SUP inetOrgPerson STRUCTURAL
DESC 'Mail account objects'
MUST ( mail $ vdHome $ mailbox $ accountActive $ lastChange $ delete )
MAY ( quota $ otherTransport $ editAccounts $ creationDate $ createMaildir $ smtpAuth $ expireDate $ mailAutoreply $ bypassGreyListing $ phammGroup ) )
objectclass ( 1.3.6.1.4.1.22339.1.2.2 NAME 'VirtualMailAlias'
SUP inetOrgPerson STRUCTURAL
DESC 'Mail aliasing/forwarding entry'
MUST ( mail $ maildrop $ accountActive $ lastChange )
MAY ( mailsource $ editAccounts $ creationDate $ smtpAuth $ expireDate $ bypassGreyListing) )
objectclass ( 1.3.6.1.4.1.22339.1.2.3 NAME 'VirtualDomain'
SUP top STRUCTURAL
DESC 'Virtual Domain entry to be used with postfix transport maps'
MUST ( vd $ accountActive $ lastChange $ delete )
MAY ( postfixTransport $ description $ maxMail $ maxAlias $ maxQuota $ editAV $ adminID $ creationDate $ bypassGreyListing $ maxSmtpAuth $ maxAntivirus $ maxAntiSpam $ maxGreyList) )
objectclass ( 1.3.6.1.4.1.22339.1.2.4 NAME 'VirtualForward'
SUP top AUXILIARY
DESC 'Forward setting for VirtualMailAccount'
MUST ( forwardActive )
MAY ( maildrop ) )
objectclass ( 1.3.6.1.4.1.22339.1.2.5 NAME 'VirtualAdmin'
SUP inetOrgPerson STRUCTURAL
DESC 'Virtual Admin entry'
MUST ( mail $ maxDomain $ accountActive $ lastChange )
MAY ( vd $ editAccounts ) )
objectclass ( 1.3.6.1.4.1.22339.1.2.6 NAME 'VirtualBackupDomain'
SUP top STRUCTURAL
DESC 'Virtual Backup Domain entry to be used for relay'
MUST ( vd $ accountActive $ lastChange $ delete )
MAY ( description ) )
objectclass ( 1.3.6.1.4.1.22339.1.2.7 NAME 'VirtualBackupMail'
SUP top STRUCTURAL
DESC 'Virtual Backup Mail entry to be used for relay'
MUST ( mail $ accountActive $ lastChange )
MAY ( description ) )
objectclass ( 1.3.6.1.4.1.22339.1.2.8 NAME 'Yap'
SUP top AUXILIARY
DESC 'Yet another path'
MUST ( otherPath )
)

+ 16
- 1
roles/ldap/tasks/main.yaml

@ -54,18 +54,21 @@
question: 'slapd/password1'
vtype: 'string'
value: '{{ slapd_passwd }}'
- name: configure OpenLDAP (password2)
debconf:
name: 'slapd'
question: 'slapd/password2'
vtype: 'string'
value: '{{ slapd_passwd }}'
- name: configure phamm-ldap
debconf:
name: 'phamm-ldap'
question: 'phamm-ldap/init_base_ldap'
vtype: 'boolean'
value: false
- include_role:
name: service
vars:
@ -73,13 +76,22 @@
service_packages:
- slapd
- ldap-utils
- phamm-ldap
- libpam-ldap
- sudo
- name: download schemas
copy:
src: "{{ item }}"
dest: /etc/ldap/schema/
loop:
- "phamm.schema"
- "phamm-vacation.schema"
- name: upload slapd config
template:
src: slapd.conf.j2
dest: "/etc/ldap/slapd.conf"
- name: update slapd config
shell: slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d
args:
@ -96,6 +108,7 @@
olcModuleLoad: {1}memberof
olcModuleLoad: {2}pw-sha2
notify: restart slapd
- name: upload default tree
template:
dest=/etc/ldap/default_tree.ldif
@ -104,10 +117,12 @@
group=root
mode=0400
register: upload_default_tree
- name: create default tree
shell: slapadd -l /etc/ldap/default_tree.ldif
when: upload_default_tree.changed
notify: restart slapd
- name: enable OpenLDAP server
service:
name: 'slapd'
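Review bot: The added `notify: restart slapd` on the create default tree task (and apparently the one added after the olcModuleLoad lines in the third hunk) implies slapd is already running when `slapadd -l /etc/ldap/default_tree.ldif` executes, yet slapadd(8) is documented to run with slapd stopped; loading the tree into a live server risks an inconsistent database, so either stop the service before this task or load the LDIF with ldapadd against the running server. The new `when: upload_default_tree.changed` also re-triggers slapadd on every later change to the template, when the entries already exist and the command would presumably fail or duplicate them, so a guard such as `args: creates:` on a marker file, or an idempotent ldap_entry step, would be safer. The download schemas task in the second hunk has no `notify` and no `mode`, so a changed schema file alone will not restart slapd and the copied files inherit the default umask; adding `notify: restart slapd` there is cheap. The enable OpenLDAP server task at the end of the section continues outside the hunk.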


+ 1
- 0
roles/ldap/templates/slapd.conf.j2

@ -3,6 +3,7 @@ include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/phamm.schema
include /etc/ldap/schema/phamm-vacation.schema
include /usr/share/doc/libpam-ldap/ldapns.schema
modulepath /usr/lib/ldap
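Review bot: The phamm.schema now shipped by this role defines `clearPassword` (OID 1.3.6.1.4.1.22339.1.1.7, described in the schema as storing the mail account password in clear text), and nothing in this hunk restricts who may read it; the `access to` rules of slapd.conf.j2 lie outside the hunk, so check that an ACL along the lines of `access to attrs=clearPassword by self write by * none` (constructed example) precedes the catch-all rule, the same way userPassword is normally guarded. If the deployment never populates that attribute, documenting that next to the include would spare the next maintainer the question. The include order is correct as written: VirtualMailAccount, VirtualMailAlias and VirtualAdmin in phamm.schema use `SUP inetOrgPerson`, so both phamm includes must stay after inetorgperson.schema.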

