- Tasks split into subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic configuration (slapd.d). - TLS enabled by default, with a certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.python3
@ -0,0 +1,5 @@ | |||
--- | |||
ldap_tls_enabled: true | |||
renew_rootdn_pw: true | |||
check_tree: true | |||
... |
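Review bot: The three defaults in this file carry no explanation, and `renew_rootdn_pw: true` reads as an opt-out for a credential rotation that runs on every play (inferred from the name; the task that consumes it is not on this page). A reader of the defaults file should be told where the regenerated rootdn password ends up and that `false` keeps the existing one, since a default that rotates the admin credential silently is easy to lock oneself out with. Proposed comments, one above each key, to be adjusted to what the tasks actually do: `# Serve ldaps:// with a ca_manager-issued certificate`, `# Regenerate the rootdn password on every run; set false to keep the current one`, `# Verify (and create) the default tree once slapd is configured`. `ldap_tls_enabled: true` is set again in the next file section; if that is a vars/ file it shadows this default without any way to override it from the inventory and should be dropped there.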
@ -0,0 +1,3 @@ | |||
--- | |||
ldap_tls_enabled: true | |||
... |
@ -0,0 +1,162 @@ | |||
dn: cn=kerberos,cn=schema,cn=config | |||
objectClass: olcSchemaConfig | |||
cn: kerberos | |||
olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName | |||
' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1 | |||
.4.1.1466.115.121.1.26 ) | |||
olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQU | |||
ALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1. | |||
1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {2}( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType | |||
' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||
olcAttributeTypes: {3}( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DE | |||
SC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
olcAttributeTypes: {4}( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpi | |||
ration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 | |||
SINGLE-VALUE ) | |||
olcAttributeTypes: {5}( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' | |||
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||
olcAttributeTypes: {6}( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife | |||
' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||
olcAttributeTypes: {7}( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewable | |||
Age' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALU | |||
E ) | |||
olcAttributeTypes: {8}( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferen | |||
ces' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) | |||
olcAttributeTypes: {9}( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' | |||
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) | |||
olcAttributeTypes: {10}( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' | |||
EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) | |||
olcAttributeTypes: {11}( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' | |||
EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) | |||
olcAttributeTypes: {12}( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' | |||
EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | |||
olcAttributeTypes: {13}( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope | |||
' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||
olcAttributeTypes: {14}( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalRe | |||
ferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 | |||
.12 ) | |||
olcAttributeTypes: {15}( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNaming | |||
Attr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE- | |||
VALUE ) | |||
olcAttributeTypes: {16}( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' | |||
EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) | |||
olcAttributeTypes: {17}( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' | |||
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||
olcAttributeTypes: {18}( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' | |||
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||
olcAttributeTypes: {19}( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffC | |||
hars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VAL | |||
UE ) | |||
olcAttributeTypes: {20}( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLengt | |||
h' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE | |||
) | |||
olcAttributeTypes: {21}( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryL | |||
ength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA | |||
LUE ) | |||
olcAttributeTypes: {22}( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQU | |||
ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||
olcAttributeTypes: {23}( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInt | |||
erval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA | |||
LUE ) | |||
olcAttributeTypes: {24}( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration | |||
' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||
olcAttributeTypes: {25}( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQ | |||
UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||
olcAttributeTypes: {26}( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUAL | |||
ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||
olcAttributeTypes: {27}( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLi | |||
fe' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE | |||
) | |||
olcAttributeTypes: {28}( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalt | |||
s' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE- | |||
VALUE ) | |||
olcAttributeTypes: {29}( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyRe | |||
ference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. | |||
12 SINGLE-VALUE ) | |||
olcAttributeTypes: {30}( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExp | |||
iration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 | |||
SINGLE-VALUE ) | |||
olcAttributeTypes: {31}( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKe | |||
y' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) | |||
olcAttributeTypes: {32}( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolic | |||
yReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121 | |||
.1.12 SINGLE-VALUE ) | |||
olcAttributeTypes: {33}( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' E | |||
QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) | |||
olcAttributeTypes: {34}( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncS | |||
altTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) | |||
olcAttributeTypes: {35}( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEn | |||
cSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) | |||
olcAttributeTypes: {36}( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' | |||
EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) | |||
olcAttributeTypes: {37}( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChan | |||
ge' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SING | |||
LE-VALUE ) | |||
olcAttributeTypes: {38}( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' E | |||
QUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VA | |||
LUE ) | |||
olcAttributeTypes: {39}( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUAL | |||
ITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) | |||
olcAttributeTypes: {40}( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAl | |||
iases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | |||
olcAttributeTypes: {41}( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccess | |||
fulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 | |||
SINGLE-VALUE ) | |||
olcAttributeTypes: {42}( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedA | |||
uth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SIN | |||
GLE-VALUE ) | |||
olcAttributeTypes: {43}( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailed | |||
Count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA | |||
LUE ) | |||
olcAttributeTypes: {44}( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' | |||
EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) | |||
olcAttributeTypes: {45}( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectRefer | |||
ences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 | |||
) | |||
olcAttributeTypes: {46}( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContai | |||
nerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 | |||
2 ) | |||
olcAttributeTypes: {47}( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuth | |||
Ind' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) | |||
olcAttributeTypes: {48}( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateT | |||
o' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6. | |||
1.4.1.1466.115.121.1.26 ) | |||
olcObjectClasses: {0}( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP | |||
top STRUCTURAL MUST cn ) | |||
olcObjectClasses: {1}( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer | |||
' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ k | |||
rbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSa | |||
ltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdm | |||
Servers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef | |||
) ) | |||
olcObjectClasses: {2}( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP t | |||
op ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) ) | |||
olcObjectClasses: {3}( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SU | |||
P krbService STRUCTURAL ) | |||
olcObjectClasses: {4}( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SU | |||
P krbService STRUCTURAL ) | |||
olcObjectClasses: {5}( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' | |||
SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled | |||
$ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krb | |||
PasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHisto | |||
ry $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastS | |||
uccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ kr | |||
bAllowedToDelegateTo $ krbPrincipalAuthInd ) ) | |||
olcObjectClasses: {6}( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP | |||
top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences ) | |||
olcObjectClasses: {7}( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' | |||
SUP top AUXILIARY MAY krbPrincipalReferences ) | |||
olcObjectClasses: {8}( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' S | |||
UP krbService STRUCTURAL ) | |||
olcObjectClasses: {9}( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SU | |||
P top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDif | |||
fChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdF | |||
ailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxL | |||
ife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) ) | |||
olcObjectClasses: {10}( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicy | |||
Aux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRene | |||
wableAge ) ) | |||
olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy | |||
' SUP top STRUCTURAL MUST cn ) | |||
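Review bot: This schema introduces attributes that hold key material and password history — `krbPrincipalKey` ({31}), `krbMKey` ({39}) and `krbPwdHistory` ({36}), all octetString — and nothing on this page shows the new default ACL giving them the same protection as `userPassword`. The olcAccess rules should deny read on those attributes to everyone except the KDC's bind identity (auth-style access at most), otherwise any principal with read access to an entry can retrieve its long-term keys; the ACL file is not in this commit view, so this needs checking there. The LDIF also lacks any header saying where the definitions come from, unlike the ldapns schema in this commit; a leading `# Source: <name of the schema file this was converted from>, converted to cn=config LDIF` comment above the `dn:` line would make future re-syncs possible.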
@ -0,0 +1,19 @@ | |||
# LDAP Name Service Additional Schema | |||
# Source: pam_ldap package by Luke Howard converted to LDIF | |||
# Has not been published in Internet Draft or RFC. | |||
dn: cn=ldapns,cn=schema,cn=config | |||
objectClass: olcSchemaConfig | |||
cn: ldapns | |||
olcAttributeTypes: {0}( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' | |||
DESC 'IANA GSS-API authorized service name' | |||
EQUALITY caseIgnoreMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) | |||
olcObjectClasses: {0}( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' | |||
DESC 'Auxiliary object class for adding authorizedService attribute' | |||
SUP top AUXILIARY | |||
MAY authorizedService ) | |||
olcObjectClasses: {1}( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' | |||
DESC 'Auxiliary object class for adding host attribute' | |||
SUP top AUXILIARY | |||
MAY host ) |
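Review bot: `hostObject` ({1}) lists `MAY host`, an attribute this file does not define; it comes from the cosine schema, so this LDIF can only be added to cn=config after cosine has been loaded, and the task ordering (outside this page) has to enforce that or ldapadd fails with an unknown attribute. A one-line note saves the next maintainer that failure: `# Requires the cosine schema (defines 'host') to be loaded first`. The source/provenance header this file carries is good practice and is missing from the other converted schemas in the commit.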
@ -0,0 +1,30 @@ | |||
dn: cn=phamm-vacation,cn=schema,cn=config | |||
objectClass: olcSchemaConfig | |||
cn: phamm-vacation | |||
olcAttributeTypes: {0}( 1.3.6.1.4.1.22339.2.1.1 NAME 'vacationActive' DESC ' | |||
A flag, for marking the user as being away' EQUALITY booleanMatch SYNTAX 1. | |||
3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
olcAttributeTypes: {1}( 1.3.6.1.4.1.22339.2.1.2 NAME 'vacationInfo' DESC 'Ab | |||
sentee note to leave behind, while on vacation' EQUALITY octetStringMatch S | |||
YNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||
olcAttributeTypes: {2}( 1.3.6.1.4.1.22339.2.1.3 NAME 'vacationStart' DESC 'B | |||
eginning of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115 | |||
.121.1.40 SINGLE-VALUE ) | |||
olcAttributeTypes: {3}( 1.3.6.1.4.1.22339.2.1.4 NAME 'vacationEnd' DESC 'End | |||
of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.4 | |||
0 SINGLE-VALUE ) | |||
olcAttributeTypes: {4}( 1.3.6.1.4.1.22339.2.1.5 NAME 'vacationForward' DESC | |||
'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5S | |||
ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) | |||
olcAttributeTypes: {5}( 1.3.6.1.4.1.22339.2.1.6 NAME 'vacationSubject' DESC | |||
'Subject for the vacation message' EQUALITY octetStringMatch SYNTAX 1.3.6.1 | |||
.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||
olcAttributeTypes: {6}( 1.3.6.1.4.1.22339.2.1.7 NAME 'vacationReminder' DESC | |||
'How many hours we should wait before a second email from someone will cau | |||
se another vacation message to be sent to that email address' EQUALITY octe | |||
tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||
olcObjectClasses: {0}( 1.3.6.1.4.1.22339.2.2.1 NAME 'Vacation' DESC 'Users v | |||
acation status information' SUP top AUXILIARY MUST vacationActive MAY ( vac | |||
ationInfo $ vacationStart $ vacationEnd $ vacationForward $ vacationSubject | |||
$ vacationReminder ) ) | |||
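Review bot: The converted LDIF drops the release/date, copyright and licence lines and the OID-arc notes (1.3.6.1.4.1.22339.2 = Phamm-vacation, .2.1 = AttributeTypes, .2.2 = ObjectClasses) that the deleted phamm-vacation.schema carried; the phamm LDIF further down in this commit drops the same header from phamm.schema. LDIF accepts `#` comment lines, so keeping those lines from the old header above the `dn:` line costs nothing and preserves the attribution the original header states. The attribute and object class definitions themselves appear to match the removed .schema one for one.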
@ -1,63 +0,0 @@ | |||
#-------------------------------------------------------------------------- | |||
# LDAP Schema for phamm-vacation | |||
#---------------------- | |||
# Release 1.1.1 | |||
# 2012/08/28 | |||
#-------------------------------------------------------------------------- | |||
# Copyright (c) 2008-2016 Mirko Grava, RHX Srl - www.rhx.it | |||
# Permission is granted to copy, distribute and/or modify this document | |||
# under the terms of the GNU Free Documentation License, Version 2 | |||
# or any later version published by the Free Software Foundation; | |||
#-------------------------------------------------------------------------- | |||
# 1.3.6.1.4.1.22339 RHX Srl's OID | |||
# 1.3.6.1.4.1.22339.2 Phamm-vacation | |||
# 1.3.6.1.4.1.22339.2.1 AttributeTypes | |||
# 1.3.6.1.4.1.22339.2.2 ObjectClasses | |||
#-------------------------------------------------------------------------- | |||
# Attribute Types | |||
#----------------- | |||
attributetype ( 1.3.6.1.4.1.22339.2.1.1 NAME 'vacationActive' | |||
DESC 'A flag, for marking the user as being away' | |||
EQUALITY booleanMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.2.1.2 NAME 'vacationInfo' | |||
DESC 'Absentee note to leave behind, while on vacation' | |||
EQUALITY octetStringMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.2.1.3 NAME 'vacationStart' | |||
DESC 'Beginning of vacation' | |||
EQUALITY octetStringMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.2.1.4 NAME 'vacationEnd' | |||
DESC 'End of vacation' | |||
EQUALITY octetStringMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.2.1.5 NAME 'vacationForward' | |||
DESC 'RFC1274: RFC822 Mailbox' | |||
EQUALITY caseIgnoreIA5Match | |||
SUBSTR caseIgnoreIA5SubstringsMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) | |||
attributetype ( 1.3.6.1.4.1.22339.2.1.6 NAME 'vacationSubject' | |||
DESC 'Subject for the vacation message' | |||
EQUALITY octetStringMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.2.1.7 NAME 'vacationReminder' | |||
DESC 'How many hours we should wait before a second email from someone will cause another vacation message to be sent to that email address' | |||
EQUALITY octetStringMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||
# Classes | |||
#--------- | |||
objectclass ( 1.3.6.1.4.1.22339.2.2.1 NAME 'Vacation' | |||
SUP top AUXILIARY | |||
DESC 'Users vacation status information' | |||
MUST ( vacationActive ) | |||
MAY ( vacationInfo $ vacationStart $ vacationEnd $ vacationForward $ vacationSubject $ vacationReminder ) ) |
@ -0,0 +1,132 @@ | |||
dn: cn=phamm,cn=schema,cn=config | |||
objectClass: olcSchemaConfig | |||
cn: phamm | |||
olcAttributeTypes: {0}( 1.3.6.1.4.1.22339.1.1.1 NAME 'postfixTransport' DESC | |||
'A string directing postfix which transport to use' EQUALITY caseExactIA5M | |||
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE ) | |||
olcAttributeTypes: {1}( 1.3.6.1.4.1.22339.1.1.2 NAME 'accountActive' DESC 'A | |||
boolean telling whether an account is active or not' EQUALITY booleanMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
olcAttributeTypes: {2}( 1.3.6.1.4.1.22339.1.1.3 NAME 'lastChange' DESC 'Time | |||
in unix time of last change in entry' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 | |||
SINGLE-VALUE ) | |||
olcAttributeTypes: {3}( 1.3.6.1.4.1.22339.1.1.4 NAME 'vd' DESC 'A virtual do | |||
main managed by Phamm' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs | |||
tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | |||
olcAttributeTypes: {4}( 1.3.6.1.4.1.22339.1.1.5 NAME 'mailbox' DESC 'The abs | |||
olute path to the mailbox for a mail account in a non-default location' EQU | |||
ALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {5}( 1.3.6.1.4.1.22339.1.1.6 NAME 'quota' DESC 'A string | |||
that represents the quota on a mailbox' EQUALITY caseExactIA5Match SYNTAX 1 | |||
.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {6}( 1.3.6.1.4.1.22339.1.1.7 NAME 'clearPassword' DESC 'A | |||
separate text that stores the mail account password in clear text' EQUALIT | |||
Y octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) | |||
olcAttributeTypes: {7}( 1.3.6.1.4.1.22339.1.1.8 NAME 'maildrop' DESC 'RFC822 | |||
Mailbox - mail alias' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs | |||
tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) | |||
olcAttributeTypes: {8}( 1.3.6.1.4.1.22339.1.1.9 NAME 'mailsource' DESC 'Mess | |||
age source' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | |||
olcAttributeTypes: {9}( 1.3.6.1.4.1.22339.1.1.10 NAME 'editAliases' DESC 'A | |||
boolean telling whether a domain manager can edit Aliases' EQUALITY boolean | |||
Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
olcAttributeTypes: {10}( 1.3.6.1.4.1.22339.1.1.11 NAME 'editAccounts' DESC ' | |||
A boolean telling whether a domain manager can edit Accounts' EQUALITY bool | |||
eanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
olcAttributeTypes: {11}( 1.3.6.1.4.1.22339.1.1.12 NAME 'editAV' DESC 'A bool | |||
ean telling whether a domain manager can edit Antivirus' EQUALITY booleanMa | |||
tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
olcAttributeTypes: {12}( 1.3.6.1.4.1.22339.1.1.13 NAME 'delete' DESC 'A bool | |||
ean telling whether this item is marked for deletion' EQUALITY booleanMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
olcAttributeTypes: {13}( 1.3.6.1.4.1.22339.1.1.14 NAME 'forwardActive' DESC | |||
'A boolean telling whether this item is using forward' EQUALITY booleanMatc | |||
h SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
olcAttributeTypes: {14}( 1.3.6.1.4.1.22339.1.1.15 NAME 'maxDomain' DESC 'A s | |||
tring that represents the max domain for a VirtualAdmin' EQUALITY caseExact | |||
IA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {15}( 1.3.6.1.4.1.22339.1.1.16 NAME 'maxMail' DESC 'A str | |||
ing that represents the max mail for a VirtualAdmin' EQUALITY caseExactIA5M | |||
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {16}( 1.3.6.1.4.1.22339.1.1.17 NAME 'maxAlias' DESC 'A st | |||
ring that represents the max alias for a VirtualAdmin' EQUALITY caseExactIA | |||
5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {17}( 1.3.6.1.4.1.22339.1.1.18 NAME 'maxQuota' DESC 'A st | |||
ring that represents the max quota for a VirtualAdmin' EQUALITY caseExactIA | |||
5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {18}( 1.3.6.1.4.1.22339.1.1.19 NAME 'adminID' DESC 'A str | |||
ing that represents the dn of admin domain' EQUALITY caseExactIA5Match SYNT | |||
AX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {19}( 1.3.6.1.4.1.22339.1.1.20 NAME 'vdHome' DESC 'The ab | |||
solute path to the virtual domain home' EQUALITY caseExactIA5Match SYNTAX 1 | |||
.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {20}( 1.3.6.1.4.1.22339.1.1.21 NAME 'otherTransport' DESC | |||
'A string directing postfix which transport to use' EQUALITY caseExactIA5M | |||
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE ) | |||
olcAttributeTypes: {21}( 1.3.6.1.4.1.22339.1.1.22 NAME 'creationDate' DESC ' | |||
Timestamp of creation' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.12 | |||
1.1.27{14} SINGLE-VALUE ) | |||
olcAttributeTypes: {22}( 1.3.6.1.4.1.22339.1.1.23 NAME 'otherPath' DESC 'Thi | |||
s path to help any application' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4 | |||
.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {23}( 1.3.6.1.4.1.22339.1.1.24 NAME 'createMaildir' DESC | |||
'A boolean telling when we must create Maildir for maildrop transport' EQUA | |||
LITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
olcAttributeTypes: {24}( 1.3.6.1.4.1.22339.1.1.25 NAME 'smtpAuth' DESC 'A bo | |||
olean telling when we could do smtp-auth' EQUALITY booleanMatch SYNTAX 1.3. | |||
6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
olcAttributeTypes: {25}( 1.3.6.1.4.1.22339.1.1.26 NAME 'expireDate' DESC 'Ex | |||
pire date' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} S | |||
INGLE-VALUE ) | |||
olcAttributeTypes: {26}( 1.3.6.1.4.1.22339.1.1.27 NAME 'mailAutoreply' DESC | |||
'RFC822 Mailbox - mail for autoreply' EQUALITY caseIgnoreIA5Match SUBSTR ca | |||
seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) | |||
olcAttributeTypes: {27}( 1.3.6.1.4.1.22339.1.1.28 NAME 'bypassGreyListing' D | |||
ESC 'A boolean telling when we could bypass Grey Listing' EQUALITY booleanM | |||
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
olcAttributeTypes: {28}( 1.3.6.1.4.1.22339.1.1.29 NAME 'phammGroup' DESC 'De | |||
fine the phamm Group of the VirtualMailAccount' EQUALITY caseIgnoreMatch SU | |||
BSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) | |||
olcAttributeTypes: {29}( 1.3.6.1.4.1.22339.1.1.30 NAME 'maxSmtpAuth' DESC 'A | |||
string that represents the max SMTP Auth for a VirtualAdmin' EQUALITY case | |||
ExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {30}( 1.3.6.1.4.1.22339.1.1.31 NAME 'maxAntivirus' DESC ' | |||
A string that represents the max Antivirus for a VirtualAdmin' EQUALITY cas | |||
eExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {31}( 1.3.6.1.4.1.22339.1.1.32 NAME 'maxAntiSpam' DESC 'A | |||
string that represents the max AntiSpam for a VirtualAdmin' EQUALITY caseE | |||
xactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcAttributeTypes: {32}( 1.3.6.1.4.1.22339.1.1.33 NAME 'maxGreyList' DESC 'A | |||
string that represents the max AntiGreyList for a VirtualAdmin' EQUALITY c | |||
aseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
olcObjectClasses: {0}( 1.3.6.1.4.1.22339.1.2.1 NAME 'VirtualMailAccount' DES | |||
C 'Mail account objects' SUP inetOrgPerson STRUCTURAL MUST ( mail $ vdHome | |||
$ mailbox $ accountActive $ lastChange $ delete ) MAY ( quota $ otherTransp | |||
ort $ editAccounts $ creationDate $ createMaildir $ smtpAuth $ expireDate $ | |||
mailAutoreply $ bypassGreyListing $ phammGroup ) ) | |||
olcObjectClasses: {1}( 1.3.6.1.4.1.22339.1.2.2 NAME 'VirtualMailAlias' DESC | |||
'Mail aliasing/forwarding entry' SUP inetOrgPerson STRUCTURAL MUST ( mail $ | |||
maildrop $ accountActive $ lastChange ) MAY ( mailsource $ editAccounts $ | |||
creationDate $ smtpAuth $ expireDate $ bypassGreyListing ) ) | |||
olcObjectClasses: {2}( 1.3.6.1.4.1.22339.1.2.3 NAME 'VirtualDomain' DESC 'Vi | |||
rtual Domain entry to be used with postfix transport maps' SUP top STRUCTUR | |||
AL MUST ( vd $ accountActive $ lastChange $ delete ) MAY ( postfixTransport | |||
$ description $ maxMail $ maxAlias $ maxQuota $ editAV $ adminID $ creatio | |||
nDate $ bypassGreyListing $ maxSmtpAuth $ maxAntivirus $ maxAntiSpam $ maxG | |||
reyList ) ) | |||
olcObjectClasses: {3}( 1.3.6.1.4.1.22339.1.2.4 NAME 'VirtualForward' DESC 'F | |||
orward setting for VirtualMailAccount' SUP top AUXILIARY MUST forwardActive | |||
MAY maildrop ) | |||
olcObjectClasses: {4}( 1.3.6.1.4.1.22339.1.2.5 NAME 'VirtualAdmin' DESC 'Vir | |||
tual Admin entry' SUP inetOrgPerson STRUCTURAL MUST ( mail $ maxDomain $ ac | |||
countActive $ lastChange ) MAY ( vd $ editAccounts ) ) | |||
olcObjectClasses: {5}( 1.3.6.1.4.1.22339.1.2.6 NAME 'VirtualBackupDomain' DE | |||
SC 'Virtual Backup Domain entry to be used for relay' SUP top STRUCTURAL MU | |||
ST ( vd $ accountActive $ lastChange $ delete ) MAY description ) | |||
olcObjectClasses: {6}( 1.3.6.1.4.1.22339.1.2.7 NAME 'VirtualBackupMail' DESC | |||
'Virtual Backup Mail entry to be used for relay' SUP top STRUCTURAL MUST ( | |||
mail $ accountActive $ lastChange ) MAY description ) | |||
olcObjectClasses: {7}( 1.3.6.1.4.1.22339.1.2.8 NAME 'Yap' DESC 'Yet another | |||
path' SUP top AUXILIARY MUST otherPath ) | |||
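Review bot: `clearPassword` ({6}) is defined as an octetString holding, per its own DESC, the mail account password in clear text, and the commit's new default ACL (not on this page) must treat it like `userPassword` — no read access for anyone except the service that genuinely needs it — or a plain `read` rule on user entries exposes every mailbox password. None of the object classes in this LDIF list `clearPassword` in MUST or MAY, so if nothing else in the deployment consumes it the attribute could be left out of the conversion rather than carried over; if it is kept, a comment above the `dn:` line such as `# clearPassword stores plaintext; restrict it in olcAccess like userPassword, or leave it unpopulated` flags the risk for whoever writes the ACL.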
@ -1,240 +0,0 @@ | |||
#-------------------------------------------------------------------------- | |||
# LDAP Schema for phamm | |||
#---------------------- | |||
# Release 1.5 | |||
# 2014/10/3 | |||
#-------------------------------------------------------------------------- | |||
# Copyright (c) 2006-2016 Mirko Grava, RHX Srl - www.rhx.it | |||
# Permission is granted to copy, distribute and/or modify this document | |||
# under the terms of the GNU Free Documentation License, Version 2 | |||
# or any later version published by the Free Software Foundation; | |||
#-------------------------------------------------------------------------- | |||
# 1.3.6.1.4.1.22339 RHX Srl's OID | |||
# 1.3.6.1.4.1.22339.1 Phamm | |||
# 1.3.6.1.4.1.22339.1.1 AttributeTypes | |||
# 1.3.6.1.4.1.22339.1.2 ObjectClasses | |||
#-------------------------------------------------------------------------- | |||
# Attribute Types | |||
#----------------- | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.1 NAME 'postfixTransport' | |||
DESC 'A string directing postfix which transport to use' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.2 NAME 'accountActive' | |||
DESC 'A boolean telling whether an account is active or not' | |||
EQUALITY booleanMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.3 NAME 'lastChange' | |||
DESC 'Time in unix time of last change in entry' | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.4 NAME 'vd' | |||
DESC 'A virtual domain managed by Phamm' | |||
EQUALITY caseIgnoreIA5Match | |||
SUBSTR caseIgnoreIA5SubstringsMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.5 NAME 'mailbox' | |||
DESC 'The absolute path to the mailbox for a mail account in a non-default location' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.6 NAME 'quota' | |||
DESC 'A string that represents the quota on a mailbox' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.7 NAME 'clearPassword' | |||
DESC 'A separate text that stores the mail account password in clear text' | |||
EQUALITY octetStringMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128}) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.8 NAME 'maildrop' | |||
DESC 'RFC822 Mailbox - mail alias' | |||
EQUALITY caseIgnoreIA5Match | |||
SUBSTR caseIgnoreIA5SubstringsMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.9 NAME 'mailsource' | |||
DESC 'Message source' | |||
EQUALITY caseIgnoreIA5Match | |||
SUBSTR caseIgnoreIA5SubstringsMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.10 NAME 'editAliases' | |||
DESC 'A boolean telling whether a domain manager can edit Aliases' | |||
EQUALITY booleanMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.11 NAME 'editAccounts' | |||
DESC 'A boolean telling whether a domain manager can edit Accounts' | |||
EQUALITY booleanMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.12 NAME 'editAV' | |||
DESC 'A boolean telling whether a domain manager can edit Antivirus' | |||
EQUALITY booleanMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.13 NAME 'delete' | |||
DESC 'A boolean telling whether this item is marked for deletion' | |||
EQUALITY booleanMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.14 NAME 'forwardActive' | |||
DESC 'A boolean telling whether this item is using forward' | |||
EQUALITY booleanMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.15 NAME 'maxDomain' | |||
DESC 'A string that represents the max domain for a VirtualAdmin' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.16 NAME 'maxMail' | |||
DESC 'A string that represents the max mail for a VirtualAdmin' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.17 NAME 'maxAlias' | |||
DESC 'A string that represents the max alias for a VirtualAdmin' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.18 NAME 'maxQuota' | |||
DESC 'A string that represents the max quota for a VirtualAdmin' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.19 NAME 'adminID' | |||
DESC 'A string that represents the dn of admin domain' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.20 NAME 'vdHome' | |||
DESC 'The absolute path to the virtual domain home' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.21 NAME 'otherTransport' | |||
DESC 'A string directing postfix which transport to use' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.22 NAME 'creationDate' | |||
DESC 'Timestamp of creation' | |||
EQUALITY integerMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.23 NAME 'otherPath' | |||
DESC 'This path to help any application' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.24 NAME 'createMaildir' | |||
DESC 'A boolean telling when we must create Maildir for maildrop transport' | |||
EQUALITY booleanMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.25 NAME 'smtpAuth' | |||
DESC 'A boolean telling when we could do smtp-auth' | |||
EQUALITY booleanMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.26 NAME 'expireDate' | |||
DESC 'Expire date' | |||
EQUALITY integerMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.27 NAME 'mailAutoreply' | |||
DESC 'RFC822 Mailbox - mail for autoreply' | |||
EQUALITY caseIgnoreIA5Match | |||
SUBSTR caseIgnoreIA5SubstringsMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.28 NAME 'bypassGreyListing' | |||
DESC 'A boolean telling when we could bypass Grey Listing' | |||
EQUALITY booleanMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.29 NAME 'phammGroup' | |||
DESC 'Define the phamm Group of the VirtualMailAccount' | |||
EQUALITY caseIgnoreMatch | |||
SUBSTR caseIgnoreSubstringsMatch | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.30 NAME 'maxSmtpAuth' | |||
DESC 'A string that represents the max SMTP Auth for a VirtualAdmin' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.31 NAME 'maxAntivirus' | |||
DESC 'A string that represents the max Antivirus for a VirtualAdmin' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.32 NAME 'maxAntiSpam' | |||
DESC 'A string that represents the max AntiSpam for a VirtualAdmin' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
attributetype ( 1.3.6.1.4.1.22339.1.1.33 NAME 'maxGreyList' | |||
DESC 'A string that represents the max AntiGreyList for a VirtualAdmin' | |||
EQUALITY caseExactIA5Match | |||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||
# Classes | |||
#--------- | |||
objectclass ( 1.3.6.1.4.1.22339.1.2.1 NAME 'VirtualMailAccount' | |||
SUP inetOrgPerson STRUCTURAL | |||
DESC 'Mail account objects' | |||
MUST ( mail $ vdHome $ mailbox $ accountActive $ lastChange $ delete ) | |||
MAY ( quota $ otherTransport $ editAccounts $ creationDate $ createMaildir $ smtpAuth $ expireDate $ mailAutoreply $ bypassGreyListing $ phammGroup ) ) | |||
objectclass ( 1.3.6.1.4.1.22339.1.2.2 NAME 'VirtualMailAlias' | |||
SUP inetOrgPerson STRUCTURAL | |||
DESC 'Mail aliasing/forwarding entry' | |||
MUST ( mail $ maildrop $ accountActive $ lastChange ) | |||
MAY ( mailsource $ editAccounts $ creationDate $ smtpAuth $ expireDate $ bypassGreyListing) ) | |||
objectclass ( 1.3.6.1.4.1.22339.1.2.3 NAME 'VirtualDomain' | |||
SUP top STRUCTURAL | |||
DESC 'Virtual Domain entry to be used with postfix transport maps' | |||
MUST ( vd $ accountActive $ lastChange $ delete ) | |||
MAY ( postfixTransport $ description $ maxMail $ maxAlias $ maxQuota $ editAV $ adminID $ creationDate $ bypassGreyListing $ maxSmtpAuth $ maxAntivirus $ maxAntiSpam $ maxGreyList) ) | |||
objectclass ( 1.3.6.1.4.1.22339.1.2.4 NAME 'VirtualForward' | |||
SUP top AUXILIARY | |||
DESC 'Forward setting for VirtualMailAccount' | |||
MUST ( forwardActive ) | |||
MAY ( maildrop ) ) | |||
objectclass ( 1.3.6.1.4.1.22339.1.2.5 NAME 'VirtualAdmin' | |||
SUP inetOrgPerson STRUCTURAL | |||
DESC 'Virtual Admin entry' | |||
MUST ( mail $ maxDomain $ accountActive $ lastChange ) | |||
MAY ( vd $ editAccounts ) ) | |||
objectclass ( 1.3.6.1.4.1.22339.1.2.6 NAME 'VirtualBackupDomain' | |||
SUP top STRUCTURAL | |||
DESC 'Virtual Backup Domain entry to be used for relay' | |||
MUST ( vd $ accountActive $ lastChange $ delete ) | |||
MAY ( description ) ) | |||
objectclass ( 1.3.6.1.4.1.22339.1.2.7 NAME 'VirtualBackupMail' | |||
SUP top STRUCTURAL | |||
DESC 'Virtual Backup Mail entry to be used for relay' | |||
MUST ( mail $ accountActive $ lastChange ) | |||
MAY ( description ) ) | |||
objectclass ( 1.3.6.1.4.1.22339.1.2.8 NAME 'Yap' | |||
SUP top AUXILIARY | |||
DESC 'Yet another path' | |||
MUST ( otherPath ) | |||
) | |||
@ -0,0 +1,201 @@ | |||
--- | |||
- include_role: | |||
name: 'service' | |||
vars: | |||
service_name: 'nscd' | |||
service_packages: 'nscd' | |||
- name: 'set debconf values' | |||
debconf: | |||
name: 'slapd' | |||
question: '{{ item.question }}' | |||
vtype: 'string' | |||
value: '{{ item.value }}' | |||
loop: | |||
- { question: 'slapd/domain', value: '{{ ldap_domain }}' } | |||
- { question: 'slapd/dump_database', value: 'when needed' } | |||
- { question: 'shared/organization', value: '{{ ldap_organization }}' } | |||
- include_role: | |||
name: 'service' | |||
vars: | |||
service_name: 'slapd' | |||
service_packages: | |||
- 'slapd' | |||
- 'ldap-utils' | |||
- 'libpam-ldap' | |||
- 'python3-ldap' | |||
- 'sudo' | |||
- name: 'start slapd service' | |||
service: | |||
name: 'slapd' | |||
enabled: true | |||
state: 'started' | |||
- name: 'copy schemas' | |||
copy: | |||
src: '{{ item }}' | |||
dest: '/etc/ldap/schema/' | |||
loop: | |||
- 'ldapns.ldif' | |||
- 'kerberos.ldif' | |||
- 'phamm.ldif' | |||
- 'phamm-vacation.ldif' | |||
- name: 'activate schemas' | |||
command: | |||
cmd: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }}' | |||
creates: '/etc/ldap/slapd.d/cn=config/cn=schema/cn={*}{{ item }}' | |||
loop: | |||
- 'ldapns.ldif' | |||
- 'kerberos.ldif' | |||
- 'phamm.ldif' | |||
- 'phamm-vacation.ldif' | |||
- name: 'activate modules' | |||
ldap_attr: | |||
dn: 'cn=module{0},cn=config' | |||
name: 'olcModuleLoad' | |||
values: | |||
- '{0}back_mdb' | |||
- '{1}pw-sha2' | |||
- '{2}auditlog' | |||
- '{3}memberof' | |||
- name: 'create log dir' | |||
file: | |||
path: '/var/log/openldap' | |||
owner: 'openldap' | |||
group: 'openldap' | |||
state: 'directory' | |||
- name: 'set loglevel' | |||
ldap_attr: | |||
dn: 'cn=config' | |||
name: 'olcLogLevel' | |||
values: 'conns acl' | |||
- name: 'activate auditlog overlay' | |||
ldap_entry: | |||
dn: 'olcOverlay={0}auditlog,olcDatabase={{ item.db }},cn=config' | |||
objectClass: | |||
- 'olcOverlayConfig' | |||
- 'olcAuditLogConfig' | |||
attributes: | |||
olcAuditlogFile: '/var/log/openldap/{{ item.logfile }}' | |||
loop: | |||
- { db: '{0}config', logfile: 'audit_config.ldif' } | |||
- { db: '{1}mdb', logfile: 'audit_mdb.ldif' } | |||
- name: 'activate memberof overlay' | |||
ldap_entry: | |||
dn: 'olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config' | |||
objectClass: | |||
- 'olcOverlayConfig' | |||
- 'olcMemberOf' | |||
- name: 'set default password hash' | |||
ldap_attr: | |||
dn: 'olcDatabase={-1}frontend,cn=config' | |||
name: 'olcPasswordHash' | |||
values: '{SSHA512}' | |||
- name: 'evaluating base_dn' | |||
set_fact: | |||
base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}' | |||
- name: 'configure TLS x509 <-> ldap dn translation' | |||
ldap_attr: | |||
dn: 'cn=config' | |||
name: 'olcAuthzRegexp' | |||
state: 'exact' | |||
values: | |||
- |- | |||
{0} ^cn=([^,]+),ou=Server,{{ x509_suffix }}$ | |||
cn=$1,ou=Server,{{ base_dn }} | |||
- |- | |||
{1} ^mail=[^,]+,cn=([^,]+),ou=People,{{ x509_suffix }}$ | |||
cn=$1,ou=People,{{ base_dn }} | |||
- name: 'configure main tree acls' | |||
ldap_attr: | |||
dn: 'olcDatabase={1}mdb,cn=config' | |||
name: 'olcAccess' | |||
state: 'exact' | |||
values: | |||
# [0] -> Admins can proxy-auth to RootDN | |||
# /proxy-auth is not required for routine user-management operations | |||
- |- | |||
{0} to dn.exact=cn=admin,{{ base_dn }} attrs=authzFrom | |||
by group.exact=cn=admin,ou=Group,dc=lilik,dc=it auth | |||
by * none | |||
# [1] :: ou=People | |||
# [1.0] -> Admins can edit People `userPassword` | |||
# -> People can edit their `userPassword` | |||
# -> Anyone can auth with `userPassword` if using strong TLS. | |||
- |- | |||
{1} to dn.one=ou=People,{{ base_dn }} attrs=userPassword | |||
by group.exact=cn=admin,ou=Group,{{ base_dn }} write | |||
by self write | |||
by anonymous tls_ssf=256 auth | |||
by * none | |||
# [1.1] -> Admins can list the full People tree | |||
# -> Servers can perform search on People tree | |||
- |- | |||
{2}to dn.exact=ou=People,{{ base_dn }} attrs=entry | |||
by group.exact=cn=admin,ou=Group,{{ base_dn }} read | |||
by dn.children=ou=Server,{{ base_dn }} search | |||
by * none | |||
# [1.2] -> Admins can add/remove People entries | |||
- |- | |||
{3} to dn.exact=ou=People,{{ base_dn }} attrs=children | |||
by group.exact=cn=admin,ou=Group,{{ base_dn }} write | |||
by * none | |||
# [1.3] -> Admins can edit all People attributes | |||
# -> Servers can read all People attributes (except userPassword) | |||
# -> People can read all their attributes | |||
# -> Break: over privileges may be accorded later (i.e.: servers) | |||
- |- | |||
{4} to dn.one=ou=People,{{ base_dn }} | |||
by group.exact=cn=admin,ou=Group,{{ base_dn }} write | |||
by dn.children=ou=Server,{{ base_dn }} read | |||
by self read | |||
by * break | |||
# [1.5] -> No other access to People tree | |||
- |- | |||
{5} to dn.subtree=ou=People,{{ base_dn }} | |||
by * none | |||
# [2] :: ou=Group | |||
# [2.1] -> Admins can add/remove members from groups | |||
- |- | |||
{6} to dn.one=ou=Group,{{ base_dn }} attrs=member | |||
by group.exact=cn=admin,ou=Group,{{ base_dn }} write | |||
by * none | |||
# [2.2] -> No other access to Group tree | |||
- |- | |||
{7} to dn.children=ou=Group,{{ base_dn }} | |||
by * none | |||
# [3] :: ou=Server | |||
# [3.0] -> Local servers can simple-bind their entries if using TLS | |||
# /Server using TLS-client Auth with OU=Server are automatically authenticated | |||
- |- | |||
{8} to dn.children=ou=Server,{{ base_dn }} attrs=userPassword | |||
by peername.ip=10.151.42.0%255.255.255.0 tls_ssf=256 auth | |||
by group.exact=cn=admin,ou=Group,{{ base_dn }} write | |||
by * none | |||
# [3.1] -> No other access to Server tree | |||
- |- | |||
{9} to dn.subtree=ou=Server,{{ base_dn }} | |||
by * none | |||
# [4] :: ou=VirtualDomains - WiP | |||
# [4.0] -> Admins can write whole subtree | |||
# [4.1] -> Servers can read whole subtree | |||
# - >- | |||
# to dn.subtree=ou=VirtualDomains,{{ base_dn }} | |||
# by group.exact=cn=admin,ou=Group,{{ base_dn }} write | |||
# by dn.children=ou=Server,{{ base_dn }} read | |||
# [5] :: ou=Kerberos - Wi | |||
... | |||
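Review bot: The `auditlog` overlay enabled here writes every modified entry in full — `userPassword` hashes from `{1}mdb` and `olcRootPW` from the config database — into `/var/log/openldap/`, yet the `create log dir` task sets only `owner`/`group` and no `mode`, so the directory is created with the umask default; add `mode: '0750'` there and plan log rotation for the two growing LDIF files. ACL `{0}` names `cn=admin,ou=Group,dc=lilik,dc=it` literally while every other rule uses `{{ base_dn }}`, so on any other domain the proxy-auth grant can never match; it should read `by group.exact=cn=admin,ou=Group,{{ base_dn }} auth`. The `ou=VirtualDomains` section is left commented out while `3_provision_tree.yaml` creates `ou=VirtualDomain` (no trailing `s`), so that subtree is currently governed only by slapd's implicit policy and the two names do not even agree; either finish the section or close the list with an explicit `to * by * none` rule so the effective policy is visible in the file. The `olcAuthzRegexp` rules at `{0}`/`{1}` map any certificate under `ou=Server` / `ou=People` of `{{ x509_suffix }}` onto tree entries, which is the intended client-auth path, so a short comment stating that the CA file configured in `4_setup_tls.yaml` is the only trust anchor for those mappings would help the next maintainer.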
@ -0,0 +1,40 @@ | |||
--- | |||
- name: 'evaluating base_dn' | |||
set_fact: | |||
base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}' | |||
- name: 'renewing admin password - generation' | |||
gen_passwd: 'length=32' | |||
register: new_passwd | |||
- name: 'renewing admin password - hashing' | |||
shell: > | |||
slappasswd | |||
-o module-load=pw-sha2 | |||
-h "{SSHA512}" | |||
-s "{{ new_passwd.passwd }}" | |||
register: new_passwd_hash | |||
- name: 'renewing admin password - setting RootPW' | |||
ldap_attr: | |||
dn: 'olcDatabase={1}mdb,cn=config' | |||
name: 'olcRootPW' | |||
values: '{{ new_passwd_hash.stdout }}' | |||
state: 'exact' | |||
- name: 'renewing admin password - calling ldappasswd' | |||
ldap_passwd: | |||
dn: 'cn=admin,{{ base_dn }}' | |||
passwd: '{{ new_passwd.passwd }}' | |||
bind_dn: 'cn=admin,{{ base_dn }}' | |||
bind_pw: '{{ new_passwd.passwd }}' | |||
- name: 'renewing admin password - storing plaintext' | |||
copy: | |||
content: '{{ new_passwd.passwd }}' | |||
dest: '/etc/slapd.secret' | |||
- name: 'renewing admin password - setting fact' | |||
set_fact: | |||
ldap_passwd: '{{ new_passwd.passwd }}' | |||
... |
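Review bot: The new root password is handled in clear text by every task in this file and none of them carries `no_log: true`, so the generated secret appears in the Ansible output and logs at normal verbosity for the `gen_passwd`, `slappasswd`, `ldap_passwd` and `copy` steps; add `no_log: true` to each of them. The `slappasswd … -s "{{ new_passwd.passwd }}"` invocation also passes the secret as a command-line argument, where it is visible to every local user via the process list for the duration of the call; feeding it through the task's `stdin: '{{ new_passwd.passwd }}'` with `-T /dev/stdin` avoids that. The `copy` task writing `/etc/slapd.secret` sets no `owner` or `mode`, so the plaintext rootdn password is created with the default umask permissions; it should get `owner: 'root'`, `group: 'root'`, `mode: '0600'`. `gen_passwd` and its `passwd` return key are a project-local module, so the exact field names cannot be checked from here.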
@ -0,0 +1,143 @@ | |||
--- | |||
- name: 'evaluating base_dn' | |||
set_fact: | |||
base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}' | |||
- when: ldap_passwd is not defined | |||
block: | |||
- name: 'get plaintext admin password' | |||
slurp: | |||
path: '/etc/slapd.secret' | |||
register: slapd_secret | |||
- name: 'set ldap_passwd' | |||
set_fact: | |||
ldap_passwd: '{{ slapd_secret.content | b64decode }}' | |||
- set_fact: | |||
- name: 'provisioning tree - organization units' | |||
ldap_entry: | |||
dn: 'ou={{ item }},{{ base_dn }}' | |||
objectClass: | |||
- 'organizationalUnit' | |||
bind_dn: 'cn=admin,{{ base_dn }}' | |||
bind_pw: '{{ ldap_passwd }}' | |||
loop: | |||
- 'People' | |||
- 'Group' | |||
- 'Server' | |||
- 'VirtualDomain' | |||
- 'Kerberos' | |||
- name: 'provisioning tree - virtual domains' | |||
ldap_entry: | |||
dn: 'vd={{ item }},ou=VirtualDomain,{{ base_dn }}' | |||
objectClass: | |||
- 'VirtualDomain' | |||
attributes: | |||
postfixTransport: 'maildrop:' | |||
delete: 'FALSE' | |||
accountActive: 'TRUE' | |||
lastChange: '{{ ansible_date_time.epoch }}' | |||
bind_dn: 'cn=admin,{{ base_dn }}' | |||
bind_pw: '{{ ldap_passwd }}' | |||
loop: '{{ virtual_domains }}' | |||
- name: 'provisioning tree - virtual domain postmasters' | |||
ldap_entry: | |||
dn: 'cn=postmaster,vd={{ item }},ou=VirtualDomain,{{ base_dn }}' | |||
objectClass: | |||
- 'VirtualMailAlias' | |||
attributes: | |||
mail: 'postmaster@{{ item }}' | |||
editAccounts: 'TRUE' | |||
accountActive: 'TRUE' | |||
lastChange: '{{ ansible_date_time.epoch }}' | |||
maildrop: 'postmaster' | |||
sn: 'postmaster' | |||
bind_dn: 'cn=admin,{{ base_dn }}' | |||
bind_pw: '{{ ldap_passwd }}' | |||
loop: '{{ virtual_domains }}' | |||
- name: 'provisioning tree - posix groups' | |||
ldap_entry: | |||
dn: 'cn={{ item.name }},ou=Group,{{ base_dn }}' | |||
objectClass: | |||
- 'posixGroup' | |||
attributes: | |||
gidNumber: '{{ item.gid }}' | |||
bind_dn: 'cn=admin,{{ base_dn }}' | |||
bind_pw: '{{ ldap_passwd }}' | |||
loop: | |||
- { name: 'stduser', gid: 5000 } | |||
- { name: 'user_sites', gid: 900 } | |||
- name: 'provisioning tree - name groups' | |||
ldap_entry: | |||
dn: 'cn={{ item }},ou=Group,{{ base_dn }}' | |||
objectClass: | |||
- 'groupOfNames' | |||
attributes: | |||
member: 'cn=admin,{{ base_dn }}' | |||
bind_dn: 'cn=admin,{{ base_dn }}' | |||
bind_pw: '{{ ldap_passwd }}' | |||
loop: | |||
- 'admin' | |||
- 'wiki' | |||
- 'lilik.it' | |||
- 'cloud' | |||
- 'projects' | |||
- 'teambox' | |||
- 'im' | |||
- name: 'provisioning tree - test users' | |||
ldap_entry: | |||
dn: 'cn={{ item.user }},ou=People,{{ base_dn }}' | |||
objectClass: | |||
- 'inetOrgPerson' | |||
- 'authorizedServiceObject' | |||
attributes: '{{ item.attrs }}' | |||
bind_dn: 'cn=admin,{{ base_dn }}' | |||
bind_pw: '{{ ldap_passwd }}' | |||
loop: | |||
- { user: 'pippo', attrs: { sn: 'User Pippo', mail: 'pippo@lilik.it', authorizedService: 'gitlab' } } | |||
- { user: 'pluto', attrs: { sn: 'User Pluto', mail: 'pluto@lilik.it' } } | |||
- { user: 'test_admin', attrs: { sn: 'Test admin', mail: 'admin1@lilik.it' } } | |||
- name: 'provisioning tree - test users passwd' | |||
ldap_passwd: | |||
dn: 'cn={{ item.user }},ou=People,{{ base_dn }}' | |||
passwd: '{{ item.passwd }}' | |||
bind_dn: 'cn=admin,{{ base_dn }}' | |||
bind_pw: '{{ ldap_passwd }}' | |||
loop: | |||
- { user: 'pippo', passwd: 'pippopippo' } | |||
- { user: 'pluto', passwd: 'plutopluto' } | |||
- { user: 'test_admin', passwd: 'pippopippo' } | |||
- name: 'provisioning tree - admin group members' | |||
ldap_attr: | |||
dn: 'cn=admin,ou=Group,{{ base_dn }}' | |||
name: 'member' | |||
values: 'cn=test_admin,ou=People,{{ base_dn }}' | |||
bind_dn: 'cn=admin,{{ base_dn }}' | |||
bind_pw: '{{ ldap_passwd }}' | |||
- name: 'provisioning tree - servers' | |||
ldap_entry: | |||
dn: 'cn={{ item }},ou=Server,{{ base_dn }}' | |||
objectClass: 'applicationProcess' | |||
objectClass: 'person' | |||
attributes: | |||
sn: '{{ item }}' | |||
bind_dn: 'cn=admin,{{ base_dn }}' | |||
bind_pw: '{{ ldap_passwd }}' | |||
loop: | |||
- 'TestServer' | |||
- 'projects' | |||
#- name: templating ACLs | |||
# template: | |||
# src: "global.acl.j2" | |||
# dest: "/etc/ldap/{{ item }}" | |||
... |
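Review bot: The `provisioning tree - test users` and `test users passwd` tasks create `pippo`, `pluto` and `test_admin` with the literal passwords `pippopippo`/`plutopluto`, and `admin group members` then places `test_admin` in `cn=admin,ou=Group`, the group that the ACLs in `1_configure_server.yaml` grant write on `ou=People` and `ou=Group`; since this file runs whenever `check_tree` is true (which the role defaults appear to enable), every deployment ships an admin-equivalent account with a known password. Gate these three tasks behind a separate variable that defaults to false (`when: ldap_create_test_users | default(false)`) and take the passwords from vaulted variables rather than literals; the hard-coded `@lilik.it` mail values should also use `{{ ldap_domain }}` as the rest of the file does. The `servers` task repeats the `objectClass:` key twice, and a YAML loader keeps only one of the two, so the entries will likely be created without `applicationProcess` or without `person`; it should be a list, `objectClass:` / `- 'applicationProcess'` / `- 'person'`. The bare `- set_fact:` task after the password block has no arguments and looks like a leftover; drop it. `bind_pw: '{{ ldap_passwd }}'` is passed in plain text by every task here without `no_log: true`, so the rootdn password shows up in the run output.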
@ -0,0 +1,128 @@ | |||
- apt: | |||
pkg: 'openssl' | |||
state: 'present' | |||
- name: 'generate ED25519 private key' | |||
shell: | |||
cmd: > | |||
openssl genpkey | |||
-algorithm ED25519 | |||
-out /etc/ldap/slapd.key | |||
creates: '/etc/ldap/slapd.key' | |||
- name: 'set private key ownership' | |||
file: | |||
path: '/etc/ldap/slapd.key' | |||
owner: 'openldap' | |||
group: 'openldap' | |||
mode: '600' | |||
- name: 'generate certificate request' | |||
shell: | |||
cmd: > | |||
openssl req | |||
-new | |||
-subj "{{ ssl_subject_prefix }}/OU=Server/CN={{ ansible_hostname }}.{{ fqdn_domain }}" | |||
-key /etc/ldap/slapd.key | |||
-out /etc/ldap/slapd.csr | |||
creates: '/etc/ldap/slapd.csr' | |||
- name: 'set key ownership and permission' | |||
file: | |||
path: /etc/ldap | |||
- name: 'lookup_ssl_ca_cert' | |||
when: ssl_ca_cert is not defined | |||
set_fact: | |||
ssl_ca_cert: '{{ lookup("file", "lilik_ca_w1.pub") }}' | |||
- name: 'update ssl_ca_cert' | |||
copy: | |||
content: "{{ ssl_ca_cert }}" | |||
dest: '/etc/ldap/ssl_ca.crt' | |||
- name: 'check if slapd cert is valid' | |||
command: > | |||
openssl verify | |||
-CAfile /etc/ldap/ssl_ca.crt | |||
-untrusted /etc/ldap/slapd.crt | |||
/etc/ldap/slapd.crt | |||
register: slapd_cert_is_valid | |||
changed_when: false | |||
failed_when: false | |||
- when: slapd_cert_is_valid.rc != 0 | |||
block: | |||
- name: 'renewing cert - generating ca request' | |||
cert_request: | |||
host: '{{ ansible_hostname }}.{{ fqdn_domain }}' | |||
path: '/etc/ldap/slapd.csr' | |||
proto: 'ssl' | |||
register: ca_request | |||
- name: 'renewing cert - sending ca sign request' | |||
include: 'ca-dialog.yaml' | |||
- set_fact: | |||
request_output: '{{ request_result.stdout | string | from_json }}' | |||
- debug: | |||
var: request_result | |||
- name: 'renewing cert - generating get cert request' | |||
set_fact: | |||
ca_request: | |||
type: 'get_certificate' | |||
requestID: '{{ request_output.requestID }}' | |||
- debug: | |||
msg: > | |||
Please manually confirm sign request with id | |||
{{ request_output.requestID }} | |||
- name: 'renewing cert - waiting for ca signature' | |||
include: 'ca-dialog.yaml' | |||
- set_fact: | |||
cert_key: '{{ request_result.stdout | string | from_json }}' | |||
- debug: | |||
var: request_result | |||
verbosity: 2 | |||
- name: 'renewing cert - storing new cert file' | |||
copy: | |||
content: '{{ cert_key.result }}' | |||
dest: '/etc/ldap/slapd.crt' | |||
# !BUG! Fixed in Ansible dev using ldap_attrs instead of ldap_attr | |||
# Ref: https://github.com/ansible/ansible/issues/25665 | |||
- name: 'configuring TLS options (workaround)' | |||
ldap_attr: | |||
dn: 'cn=config' | |||
name: '{{ item.name }}' | |||
values: '{{ item.value }}' | |||
loop: | |||
- { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' } | |||
- { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' } | |||
failed_when: false | |||
- name: 'configuring TLS options' | |||
ldap_attr: | |||
dn: 'cn=config' | |||
name: '{{ item.name }}' | |||
values: '{{ item.value }}' | |||
state: 'exact' | |||
loop: | |||
- { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' } | |||
- { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' } | |||
- { name: 'olcTLSCACertificateFile', value: '/etc/ldap/ssl_ca.crt' } | |||
- { name: 'olcTLSVerifyClient', value: 'try' } # TLS Client Auth | |||
- name: 'configuring slapd service' | |||
lineinfile: | |||
line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"' | |||
regexp: '^SLAPD_SERVICES=' | |||
path: '/etc/default/slapd' | |||
notify: | |||
- 'restart slapd' |
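Review bot: The `generate ED25519 private key` task writes `/etc/ldap/slapd.key` with whatever umask the shell inherits, and only the following `file` task tightens it to `600`, so the key may be world-readable in the window between the two and stays so if the play stops there; prefix the command with `umask 077 &&` so the key is never created with loose permissions. The `set key ownership and permission` task names only `path: /etc/ldap` with no `owner`, `group` or `mode`, so it does nothing; complete it or remove it. The `check if slapd cert is valid` command verifies chain and validity only, so a certificate issued for another host name, or one about to expire, still passes and is never renewed; consider adding `-verify_hostname {{ ansible_hostname }}.{{ fqdn_domain }}` and an `-attime` check some days ahead. `mode: '600'` works because Ansible parses the string as octal, but the conventional `'0600'` makes the intent unambiguous.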
@ -1,123 +1,16 @@ | |||
- include_role: | |||
name: service | |||
vars: | |||
service_name: nscd | |||
service_packages: nscd | |||
- name: configure OpenLDAP (domain) | |||
debconf: | |||
name: 'slapd' | |||
question: 'slapd/domain' | |||
vtype: 'string' | |||
value: '{{ ldap_domain }}' | |||
- name: configure OpenLDAP (configure) | |||
debconf: | |||
name: 'slapd' | |||
question: 'slapd/dump_database' | |||
vtype: 'string' | |||
value: 'when needed' | |||
- name: configure OpenLDAP (organization) | |||
debconf: | |||
name: 'slapd' | |||
question: 'shared/organization' | |||
vtype: 'string' | |||
value: '{{ ldap_organization }}' | |||
- name: slurp slap secret file | |||
slurp: | |||
src: /etc/slapd.secret | |||
register: slapdsecret | |||
failed_when: false | |||
changed_when: false | |||
- set_fact: | |||
slapd_passwd: "{{ slapdsecret['content'] | b64decode }}" | |||
when: '"content" in slapdsecret' | |||
- block: | |||
- name: generate admin password | |||
gen_passwd: length=20 | |||
register: new_passwd | |||
- name: store slapd secret | |||
copy: | |||
content : "{{ new_passwd.passwd }}" | |||
dest: /etc/slapd.secret | |||
- set_fact: | |||
slapd_passwd: "{{ new_passwd.passwd }}" | |||
when: 'not "content" in slapdsecret' | |||
- name: configure OpenLDAP (password1) | |||
debconf: | |||
name: 'slapd' | |||
question: 'slapd/password1' | |||
vtype: 'string' | |||
value: '{{ slapd_passwd }}' | |||
- name: configure OpenLDAP (password2) | |||
debconf: | |||
name: 'slapd' | |||
question: 'slapd/password2' | |||
vtype: 'string' | |||
value: '{{ slapd_passwd }}' | |||
- include_role: | |||
name: service | |||
vars: | |||
service_name: slapd | |||
service_packages: | |||
- slapd | |||
- ldap-utils | |||
- libpam-ldap | |||
- sudo | |||
- name: download schemas | |||
copy: | |||
src: "{{ item }}" | |||
dest: /etc/ldap/schema/ | |||
loop: | |||
- "phamm.schema" | |||
- "phamm-vacation.schema" | |||
- name: upload slapd config | |||
template: | |||
src: slapd.conf.j2 | |||
dest: "/etc/ldap/slapd.conf" | |||
- name: update slapd config | |||
shell: slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d | |||
args: | |||
creates: "/etc/ldap/slapd.d/cn=config/cn=schema/cn={4}phamm.ldif" | |||
become: true | |||
become_method: sudo | |||
become_user: openldap | |||
notify: restart slapd | |||
- name: fix missing memberOf and pw-sha2 module load | |||
blockinfile: | |||
dest: /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif | |||
content: | | |||
olcModuleLoad: {1}memberof | |||
olcModuleLoad: {2}pw-sha2 | |||
notify: restart slapd | |||
- name: upload default tree | |||
template: | |||
dest=/etc/ldap/default_tree.ldif | |||
src=default_tree.ldif.j2 | |||
owner=root | |||
group=root | |||
mode=0400 | |||
register: upload_default_tree | |||
- name: create default tree | |||
shell: slapadd -l /etc/ldap/default_tree.ldif | |||
when: upload_default_tree.changed | |||
notify: restart slapd | |||
- name: enable OpenLDAP server | |||
service: | |||
name: 'slapd' | |||
enabled: true | |||
state: started | |||
--- | |||
- name: 'including configuration tasks' | |||
include_tasks: '1_configure_server.yaml' | |||
- name: 'including password renewal tasks' | |||
include_tasks: '2_renew_rootpw.yaml' | |||
when: renew_rootdn_pw | |||
- name: 'including tree provisionig tasks' | |||
include_tasks: '3_provision_tree.yaml' | |||
when: check_tree | |||
- name: 'including tls tasks' | |||
include_tasks: '4_setup_tls.yaml' | |||
when: ldap_tls_enabled | |||
... |
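Review bot: The rewrite drops the `slapd/password1`/`slapd/password2` debconf answers that the removed lines seeded before package installation, and the only replacement is `2_renew_rootpw.yaml`, which runs solely when `renew_rootdn_pw` is true; with that flag off nothing in the visible tasks sets `olcRootPW`, so the root DN is left with whatever the package postinst chose. Either document this in the role or force the renewal on first install, e.g. `when: renew_rootdn_pw or not slapd_secret_stat.stat.exists` after a `stat` of `/etc/slapd.secret`. The task name `including tree provisionig tasks` has a typo (`provisioning`).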
@ -1,186 +0,0 @@ | |||
# Entry 4: o=Group,dc=lilik,dc=it | |||
dn: o=Group,dc=lilik,dc=it | |||
hassubordinates: TRUE | |||
o: Group | |||
objectclass: organization | |||
objectclass: top | |||
structuralobjectclass: organization | |||
subschemasubentry: cn=Subschema | |||
# Entry 10: cn=stdusers,o=Group,dc=lilik,dc=it | |||
dn: cn=stdusers,o=Group,dc=lilik,dc=it | |||
cn: stdusers | |||
gidnumber: 9000 | |||
hassubordinates: FALSE | |||
objectclass: posixGroup | |||
objectclass: top | |||
structuralobjectclass: posixGroup | |||
subschemasubentry: cn=Subschema | |||
# Entry 12: cn=users_sites,o=Group,dc=lilik,dc=it | |||
dn: cn=users_sites,o=Group,dc=lilik,dc=it | |||
cn: users_sites | |||
gidnumber: 500 | |||
hassubordinates: FALSE | |||
memberuid: test_user | |||
objectclass: posixGroup | |||
objectclass: top | |||
structuralobjectclass: posixGroup | |||
subschemasubentry: cn=Subschema | |||
# Entry 14: o=hosting,dc=lilik,dc=it | |||
dn: o=hosting,dc=lilik,dc=it | |||
description: mail.lilik.it hosting root | |||
hassubordinates: TRUE | |||
o: hosting | |||
objectclass: top | |||
objectclass: organization | |||
structuralobjectclass: organization | |||
subschemasubentry: cn=Subschema | |||
# Entry 22: vd=lilik.it,o=hosting,dc=lilik,dc=it | |||
dn: vd=lilik.it,o=hosting,dc=lilik,dc=it | |||
accountactive: TRUE | |||
delete: FALSE | |||
editav: FALSE | |||
hassubordinates: TRUE | |||
maxalias: 20 | |||
maxmail: 11 | |||
maxquota: 250 | |||
objectclass: top | |||
objectclass: VirtualDomain | |||
postfixtransport: maildrop: | |||
structuralobjectclass: VirtualDomain | |||
subschemasubentry: cn=Subschema | |||
vd: lilik.it | |||
lastChange: 1228821387 | |||
# Entry 23: cn=postmaster,vd=lilik.it,o=hosting,dc=lilik,dc=it | |||
dn: cn=postmaster,vd=lilik.it,o=hosting,dc=lilik,dc=it | |||
accountactive: TRUE | |||
cn: postmaster | |||
editaccounts: TRUE | |||
hassubordinates: FALSE | |||
mail: postmaster | |||
maildrop: postmaster | |||
objectclass: top | |||
objectclass: VirtualMailAlias | |||
sn: postmaster | |||
structuralobjectclass: VirtualMailAlias | |||
subschemasubentry: cn=Subschema | |||
userpassword: {SSHA}4IuBxQNWgMNPX/lCtP2GgbJeiYX+u4ud | |||
lastChange: 1228821387 | |||
# Entry 24: mail=abuse,vd=lilik.it,o=hosting,dc=lilik,dc=it | |||
dn: mail=abuse,vd=lilik.it,o=hosting,dc=lilik,dc=it | |||
accountactive: TRUE | |||
cn: NONAME | |||
givenname: NONAME | |||
hassubordinates: FALSE | |||
mail: abuse | |||
maildrop: root | |||
objectclass: top | |||
objectclass: VirtualMailAlias | |||
smtpauth: FALSE | |||
sn: NONAME | |||
structuralobjectclass: VirtualMailAlias | |||
subschemasubentry: cn=Subschema | |||
userpassword: {CRYPT}! | |||
lastChange: 1228821387 | |||
dn: mail=test_user,vd=lilik.it,o=hosting,dc=lilik,dc=it | |||
objectclass: alias | |||
objectclass: extensibleObject | |||
#uid: alias | |||
aliasedobjectname: uid=test_user,o=People,dc=lilik,dc=it | |||
# Entry 319: o=People,dc=lilik,dc=it | |||
dn: o=People,dc=lilik,dc=it | |||
hassubordinates: TRUE | |||
o: People | |||
objectclass: organization | |||
objectclass: top | |||
structuralobjectclass: organization | |||
subschemasubentry: cn=Subschema | |||
dn: uid=test_user,o=People,dc=lilik,dc=it | |||
accountactive: TRUE | |||
cn: Test | |||
delete: FALSE | |||
gidnumber: 100 | |||
givenname: Test | |||
hassubordinates: FALSE | |||
homedirectory: /home/test_user | |||
loginshell: /bin/bash | |||
mail: test_user | |||
objectclass: top | |||
objectclass: inetOrgPerson | |||
objectclass: VirtualMailAccount | |||
objectclass: posixAccount | |||
objectclass: shadowAccount | |||
objectclass: hostObject | |||
othertransport: phamm: | |||
quota: 1024000 | |||
shadowlastchange: 14281 | |||
smtpauth: FALSE | |||
sn: User | |||
structuralobjectclass: VirtualMailAccount | |||
subschemasubentry: cn=Subschema | |||
uid: test_user | |||
uidnumber: 10001 | |||
userpassword: {SSHA}2SWroMDSWoIWlYEvzpHvSRK4PMsjGW/u | |||
lastChange: 1228821387 | |||
vdhome: undefined | |||
mailbox: undefined | |||
# Entry 12: cn=admin,o=Group,dc=lilik,dc=it | |||
dn: cn=admin,o=Group,dc=lilik,dc=it | |||
cn: admin | |||
objectClass: groupOfNames | |||
objectClass: top | |||
structuralObjectClass: groupOfNames | |||
member: cn=admin,dc=lilik,dc=it | |||
dn: cn=wiki,o=Group,dc=lilik,dc=it | |||
cn: wiki | |||
objectClass: groupOfNames | |||
objectClass: top | |||
structuralObjectClass: groupOfNames | |||
member: cn=admin,dc=lilik,dc=it | |||
dn: cn=lilik.it,o=Group,dc=lilik,dc=it | |||
cn: lilik.it | |||
objectClass: groupOfNames | |||
objectClass: top | |||
structuralObjectClass: groupOfNames | |||
member: cn=admin,dc=lilik,dc=it | |||
dn: cn=cloud,o=Group,dc=lilik,dc=it | |||
cn: cloud | |||
objectClass: groupOfNames | |||
objectClass: top | |||
structuralObjectClass: groupOfNames | |||
member: cn=admin,dc=lilik,dc=it | |||
dn: cn=projects,o=Group,dc=lilik,dc=it | |||
cn: projects | |||
objectClass: groupOfNames | |||
objectClass: top | |||
structuralObjectClass: groupOfNames | |||
member: cn=admin,dc=lilik,dc=it | |||
dn: cn=teambox,o=Group,dc=lilik,dc=it | |||
cn: teambox | |||
objectClass: groupOfNames | |||
objectClass: top | |||
structuralObjectClass: groupOfNames | |||
member: cn=admin,dc=lilik,dc=it | |||
dn: cn=im,o=Group,dc=lilik,dc=it | |||
cn: im | |||
objectClass: groupOfNames | |||
objectClass: top | |||
structuralObjectClass: groupOfNames | |||
member: cn=admin,dc=lilik,dc=it |
@ -1,12 +0,0 @@ | |||
include /etc/ldap/schema/core.schema | |||
include /etc/ldap/schema/cosine.schema | |||
include /etc/ldap/schema/nis.schema | |||
include /etc/ldap/schema/inetorgperson.schema | |||
include /etc/ldap/schema/phamm.schema | |||
include /etc/ldap/schema/phamm-vacation.schema | |||
include /usr/share/doc/libpam-ldap/ldapns.schema | |||
modulepath /usr/lib/ldap | |||
moduleload memberof.la | |||
overlay memberof |