
roles/ldap: super-refactoring and TLS support.

- Tasks split into subfiles.
- Static slapd configuration (slapd.conf) moved *properly* to dynamic
conf (slapd.d).
- TLS Enabled by default, with certificate acquired using
  `ca_manager`.
- New default tree
- New default ACL
- Kerberos schema added
- {SSHA512} hash properly configured.
python3
Zolfa 4 years ago
parent
commit
da88337966
Signed by: zolfa GPG Key ID: E1A43B038C4D6616
15 changed files with 879 additions and 624 deletions
  1. +5
    -0
      roles/ldap/defaults/main.yaml
  2. +3
    -0
      roles/ldap/defaults/main.yaml~
  3. +162
    -0
      roles/ldap/files/kerberos.ldif
  4. +19
    -0
      roles/ldap/files/ldapns.ldif
  5. +30
    -0
      roles/ldap/files/phamm-vacation.ldif
  6. +0
    -63
      roles/ldap/files/phamm-vacation.schema
  7. +132
    -0
      roles/ldap/files/phamm.ldif
  8. +0
    -240
      roles/ldap/files/phamm.schema
  9. +201
    -0
      roles/ldap/tasks/1_configure_server.yaml
  10. +40
    -0
      roles/ldap/tasks/2_renew_rootpw.yaml
  11. +143
    -0
      roles/ldap/tasks/3_provision_tree.yaml
  12. +128
    -0
      roles/ldap/tasks/4_setup_tls.yaml
  13. +16
    -123
      roles/ldap/tasks/main.yaml
  14. +0
    -186
      roles/ldap/templates/default_tree.ldif.j2
  15. +0
    -12
      roles/ldap/templates/slapd.conf.j2

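--- a/roles/ldap/defaults/main.yaml
+++ b/roles/ldap/defaults/main.yaml
@@ -0,0 +1,5 @@
+---
+ldap_tls_enabled: true
+renew_rootdn_pw: true
+check_tree: true
+...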
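Review bot: None of the three defaults is documented, and `renew_rootdn_pw: true` reads as if the rootdn password is regenerated on every play run, which is a surprising default for a credential-rotating switch; the task that consumes it (`2_renew_rootpw.yaml`) is outside this view, so that reading is unconfirmed. A comment per key would make the blast radius clear, e.g. `# rotate olcRootPW on each run; set false once the secret is managed elsewhere` above `renew_rootdn_pw`, `# enable TLS on slapd, certificate obtained via ca_manager` above `ldap_tls_enabled`, and `# (re)apply the default tree and ACLs on each run` above `check_tree`. If the flag really does rotate the credential on every run, `false` is the safer default and an explicit opt-in the better interface.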

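--- a/roles/ldap/defaults/main.yaml~
+++ b/roles/ldap/defaults/main.yaml~
@@ -0,0 +1,3 @@
+---
+ldap_tls_enabled: true
+...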
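Review bot: `roles/ldap/defaults/main.yaml~` is an editor backup file (the trailing `~`) that was committed by accident; it carries a stale subset of `main.yaml` and will mislead anyone grepping role defaults. Drop it from the tree and add `*~` to the repository's `.gitignore` so it cannot reappear.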

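--- a/roles/ldap/files/kerberos.ldif
+++ b/roles/ldap/files/kerberos.ldif
+dn: cn=kerberos,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: kerberos
+olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName
+' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1
+.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQU
+ALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.
+1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {2}( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType
+' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {3}( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DE
+SC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {4}( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpi
+ration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+SINGLE-VALUE )
+olcAttributeTypes: {5}( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags'
+EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {6}( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife
+' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {7}( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewable
+Age' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALU
+E )
+olcAttributeTypes: {8}( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferen
+ces' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {9}( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers'
+EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {10}( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers'
+EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {11}( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers'
+EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {12}( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer'
+EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {13}( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope
+' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {14}( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalRe
+ferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
+.12 )
+olcAttributeTypes: {15}( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNaming
+Attr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-
+VALUE )
+olcAttributeTypes: {16}( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers'
+EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {17}( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife'
+EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {18}( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife'
+EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {19}( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffC
+hars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VAL
+UE )
+olcAttributeTypes: {20}( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLengt
+h' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
+)
+olcAttributeTypes: {21}( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryL
+ength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA
+LUE )
+olcAttributeTypes: {22}( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQU
+ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {23}( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInt
+erval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA
+LUE )
+olcAttributeTypes: {24}( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration
+' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {25}( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQ
+UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {26}( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUAL
+ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
+olcAttributeTypes: {27}( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLi
+fe' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
+)
+olcAttributeTypes: {28}( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalt
+s' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-
+VALUE )
+olcAttributeTypes: {29}( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyRe
+ference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.
+12 SINGLE-VALUE )
+olcAttributeTypes: {30}( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExp
+iration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+SINGLE-VALUE )
+olcAttributeTypes: {31}( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKe
+y' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {32}( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolic
+yReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121
+.1.12 SINGLE-VALUE )
+olcAttributeTypes: {33}( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' E
+QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
+olcAttributeTypes: {34}( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncS
+altTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {35}( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEn
+cSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {36}( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory'
+EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {37}( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChan
+ge' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SING
+LE-VALUE )
+olcAttributeTypes: {38}( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' E
+QUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VA
+LUE )
+olcAttributeTypes: {39}( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUAL
+ITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {40}( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAl
+iases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {41}( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccess
+fulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+SINGLE-VALUE )
+olcAttributeTypes: {42}( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedA
+uth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SIN
+GLE-VALUE )
+olcAttributeTypes: {43}( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailed
+Count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA
+LUE )
+olcAttributeTypes: {44}( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData'
+EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+olcAttributeTypes: {45}( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectRefer
+ences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
+)
+olcAttributeTypes: {46}( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContai
+nerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
+2 )
+olcAttributeTypes: {47}( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuth
+Ind' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+olcAttributeTypes: {48}( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateT
+o' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.
+1.4.1.1466.115.121.1.26 )
+olcObjectClasses: {0}( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP
+top STRUCTURAL MUST cn )
+olcObjectClasses: {1}( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer
+' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ k
+rbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSa
+ltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdm
+Servers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef
+) )
+olcObjectClasses: {2}( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP t
+op ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) )
+olcObjectClasses: {3}( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SU
+P krbService STRUCTURAL )
+olcObjectClasses: {4}( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SU
+P krbService STRUCTURAL )
+olcObjectClasses: {5}( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux'
+SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled
+$ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krb
+PasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHisto
+ry $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastS
+uccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ kr
+bAllowedToDelegateTo $ krbPrincipalAuthInd ) )
+olcObjectClasses: {6}( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP
+top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences )
+olcObjectClasses: {7}( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux'
+SUP top AUXILIARY MAY krbPrincipalReferences )
+olcObjectClasses: {8}( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' S
+UP krbService STRUCTURAL )
+olcObjectClasses: {9}( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SU
+P top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDif
+fChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdF
+ailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxL
+ife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) )
+olcObjectClasses: {10}( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicy
+Aux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRene
+wableAge ) )
+olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy
+' SUP top STRUCTURAL MUST cn )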
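Review bot: This schema introduces attributes that hold key material and password history — `krbPrincipalKey`, `krbMKey` and `krbPwdHistory` (all `octetStringMatch`) — and nothing in the file restricts who may read them; the default ACL the commit message mentions lives in `3_provision_tree.yaml`, which is not in this view, so I cannot confirm it covers them. Please make sure that `olcAccess` treats these three like `userPassword` (no read for anonymous or ordinary users, write only for the KDC/kadmin identity and the rootdn), and say so at the top of this file, e.g. `# krbPrincipalKey, krbMKey and krbPwdHistory carry secrets: they must be denied in the olcAccess rules`. A source/version comment (which MIT krb5 release this was converted from) would also help the next person who has to refresh it.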

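--- a/roles/ldap/files/ldapns.ldif
+++ b/roles/ldap/files/ldapns.ldif
+# LDAP Name Service Additional Schema
+# Source: pam_ldap package by Luke Howard converted to LDIF
+# Has not been published in Internet Draft or RFC.
+dn: cn=ldapns,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: ldapns
+olcAttributeTypes: {0}( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
+DESC 'IANA GSS-API authorized service name'
+EQUALITY caseIgnoreMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcObjectClasses: {0}( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
+DESC 'Auxiliary object class for adding authorizedService attribute'
+SUP top AUXILIARY
+MAY authorizedService )
+olcObjectClasses: {1}( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
+DESC 'Auxiliary object class for adding host attribute'
+SUP top AUXILIARY
+MAY host )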

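--- a/roles/ldap/files/phamm-vacation.ldif
+++ b/roles/ldap/files/phamm-vacation.ldif
+dn: cn=phamm-vacation,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: phamm-vacation
+olcAttributeTypes: {0}( 1.3.6.1.4.1.22339.2.1.1 NAME 'vacationActive' DESC '
+A flag, for marking the user as being away' EQUALITY booleanMatch SYNTAX 1.
+3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.22339.2.1.2 NAME 'vacationInfo' DESC 'Ab
+sentee note to leave behind, while on vacation' EQUALITY octetStringMatch S
+YNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
+olcAttributeTypes: {2}( 1.3.6.1.4.1.22339.2.1.3 NAME 'vacationStart' DESC 'B
+eginning of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115
+.121.1.40 SINGLE-VALUE )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.22339.2.1.4 NAME 'vacationEnd' DESC 'End
+of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.4
+0 SINGLE-VALUE )
+olcAttributeTypes: {4}( 1.3.6.1.4.1.22339.2.1.5 NAME 'vacationForward' DESC
+'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5S
+ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+olcAttributeTypes: {5}( 1.3.6.1.4.1.22339.2.1.6 NAME 'vacationSubject' DESC
+'Subject for the vacation message' EQUALITY octetStringMatch SYNTAX 1.3.6.1
+.4.1.1466.115.121.1.40 SINGLE-VALUE )
+olcAttributeTypes: {6}( 1.3.6.1.4.1.22339.2.1.7 NAME 'vacationReminder' DESC
+'How many hours we should wait before a second email from someone will cau
+se another vacation message to be sent to that email address' EQUALITY octe
+tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
+olcObjectClasses: {0}( 1.3.6.1.4.1.22339.2.2.1 NAME 'Vacation' DESC 'Users v
+acation status information' SUP top AUXILIARY MUST vacationActive MAY ( vac
+ationInfo $ vacationStart $ vacationEnd $ vacationForward $ vacationSubject
+$ vacationReminder ) )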

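--- a/roles/ldap/files/phamm-vacation.schema
+++ b/roles/ldap/files/phamm-vacation.schema
-#--------------------------------------------------------------------------
-# LDAP Schema for phamm-vacation
-#----------------------
-# Release 1.1.1
-# 2012/08/28
-#--------------------------------------------------------------------------
-# Copyright (c) 2008-2016 Mirko Grava, RHX Srl - www.rhx.it
-# Permission is granted to copy, distribute and/or modify this document
-# under the terms of the GNU Free Documentation License, Version 2
-# or any later version published by the Free Software Foundation;
-#--------------------------------------------------------------------------
-# 1.3.6.1.4.1.22339 RHX Srl's OID
-# 1.3.6.1.4.1.22339.2 Phamm-vacation
-# 1.3.6.1.4.1.22339.2.1 AttributeTypes
-# 1.3.6.1.4.1.22339.2.2 ObjectClasses
-#--------------------------------------------------------------------------
-# Attribute Types
-#-----------------
-attributetype ( 1.3.6.1.4.1.22339.2.1.1 NAME 'vacationActive'
-DESC 'A flag, for marking the user as being away'
-EQUALITY booleanMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.2.1.2 NAME 'vacationInfo'
-DESC 'Absentee note to leave behind, while on vacation'
-EQUALITY octetStringMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.2.1.3 NAME 'vacationStart'
-DESC 'Beginning of vacation'
-EQUALITY octetStringMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.2.1.4 NAME 'vacationEnd'
-DESC 'End of vacation'
-EQUALITY octetStringMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.2.1.5 NAME 'vacationForward'
-DESC 'RFC1274: RFC822 Mailbox'
-EQUALITY caseIgnoreIA5Match
-SUBSTR caseIgnoreIA5SubstringsMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-attributetype ( 1.3.6.1.4.1.22339.2.1.6 NAME 'vacationSubject'
-DESC 'Subject for the vacation message'
-EQUALITY octetStringMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.2.1.7 NAME 'vacationReminder'
-DESC 'How many hours we should wait before a second email from someone will cause another vacation message to be sent to that email address'
-EQUALITY octetStringMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
-# Classes
-#---------
-objectclass ( 1.3.6.1.4.1.22339.2.2.1 NAME 'Vacation'
-SUP top AUXILIARY
-DESC 'Users vacation status information'
-MUST ( vacationActive )
-MAY ( vacationInfo $ vacationStart $ vacationEnd $ vacationForward $ vacationSubject $ vacationReminder ) )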

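--- a/roles/ldap/files/phamm.ldif
+++ b/roles/ldap/files/phamm.ldif
+dn: cn=phamm,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: phamm
+olcAttributeTypes: {0}( 1.3.6.1.4.1.22339.1.1.1 NAME 'postfixTransport' DESC
+'A string directing postfix which transport to use' EQUALITY caseExactIA5M
+atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE )
+olcAttributeTypes: {1}( 1.3.6.1.4.1.22339.1.1.2 NAME 'accountActive' DESC 'A
+boolean telling whether an account is active or not' EQUALITY booleanMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {2}( 1.3.6.1.4.1.22339.1.1.3 NAME 'lastChange' DESC 'Time
+in unix time of last change in entry' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
+SINGLE-VALUE )
+olcAttributeTypes: {3}( 1.3.6.1.4.1.22339.1.1.4 NAME 'vd' DESC 'A virtual do
+main managed by Phamm' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs
+tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {4}( 1.3.6.1.4.1.22339.1.1.5 NAME 'mailbox' DESC 'The abs
+olute path to the mailbox for a mail account in a non-default location' EQU
+ALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {5}( 1.3.6.1.4.1.22339.1.1.6 NAME 'quota' DESC 'A string
+that represents the quota on a mailbox' EQUALITY caseExactIA5Match SYNTAX 1
+.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {6}( 1.3.6.1.4.1.22339.1.1.7 NAME 'clearPassword' DESC 'A
+separate text that stores the mail account password in clear text' EQUALIT
+Y octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} )
+olcAttributeTypes: {7}( 1.3.6.1.4.1.22339.1.1.8 NAME 'maildrop' DESC 'RFC822
+Mailbox - mail alias' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs
+tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+olcAttributeTypes: {8}( 1.3.6.1.4.1.22339.1.1.9 NAME 'mailsource' DESC 'Mess
+age source' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {9}( 1.3.6.1.4.1.22339.1.1.10 NAME 'editAliases' DESC 'A
+boolean telling whether a domain manager can edit Aliases' EQUALITY boolean
+Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {10}( 1.3.6.1.4.1.22339.1.1.11 NAME 'editAccounts' DESC '
+A boolean telling whether a domain manager can edit Accounts' EQUALITY bool
+eanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {11}( 1.3.6.1.4.1.22339.1.1.12 NAME 'editAV' DESC 'A bool
+ean telling whether a domain manager can edit Antivirus' EQUALITY booleanMa
+tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {12}( 1.3.6.1.4.1.22339.1.1.13 NAME 'delete' DESC 'A bool
+ean telling whether this item is marked for deletion' EQUALITY booleanMatch
+SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {13}( 1.3.6.1.4.1.22339.1.1.14 NAME 'forwardActive' DESC
+'A boolean telling whether this item is using forward' EQUALITY booleanMatc
+h SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {14}( 1.3.6.1.4.1.22339.1.1.15 NAME 'maxDomain' DESC 'A s
+tring that represents the max domain for a VirtualAdmin' EQUALITY caseExact
+IA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {15}( 1.3.6.1.4.1.22339.1.1.16 NAME 'maxMail' DESC 'A str
+ing that represents the max mail for a VirtualAdmin' EQUALITY caseExactIA5M
+atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {16}( 1.3.6.1.4.1.22339.1.1.17 NAME 'maxAlias' DESC 'A st
+ring that represents the max alias for a VirtualAdmin' EQUALITY caseExactIA
+5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {17}( 1.3.6.1.4.1.22339.1.1.18 NAME 'maxQuota' DESC 'A st
+ring that represents the max quota for a VirtualAdmin' EQUALITY caseExactIA
+5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {18}( 1.3.6.1.4.1.22339.1.1.19 NAME 'adminID' DESC 'A str
+ing that represents the dn of admin domain' EQUALITY caseExactIA5Match SYNT
+AX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {19}( 1.3.6.1.4.1.22339.1.1.20 NAME 'vdHome' DESC 'The ab
+solute path to the virtual domain home' EQUALITY caseExactIA5Match SYNTAX 1
+.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {20}( 1.3.6.1.4.1.22339.1.1.21 NAME 'otherTransport' DESC
+'A string directing postfix which transport to use' EQUALITY caseExactIA5M
+atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE )
+olcAttributeTypes: {21}( 1.3.6.1.4.1.22339.1.1.22 NAME 'creationDate' DESC '
+Timestamp of creation' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.12
+1.1.27{14} SINGLE-VALUE )
+olcAttributeTypes: {22}( 1.3.6.1.4.1.22339.1.1.23 NAME 'otherPath' DESC 'Thi
+s path to help any application' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4
+.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {23}( 1.3.6.1.4.1.22339.1.1.24 NAME 'createMaildir' DESC
+'A boolean telling when we must create Maildir for maildrop transport' EQUA
+LITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {24}( 1.3.6.1.4.1.22339.1.1.25 NAME 'smtpAuth' DESC 'A bo
+olean telling when we could do smtp-auth' EQUALITY booleanMatch SYNTAX 1.3.
+6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {25}( 1.3.6.1.4.1.22339.1.1.26 NAME 'expireDate' DESC 'Ex
+pire date' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} S
+INGLE-VALUE )
+olcAttributeTypes: {26}( 1.3.6.1.4.1.22339.1.1.27 NAME 'mailAutoreply' DESC
+'RFC822 Mailbox - mail for autoreply' EQUALITY caseIgnoreIA5Match SUBSTR ca
+seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+olcAttributeTypes: {27}( 1.3.6.1.4.1.22339.1.1.28 NAME 'bypassGreyListing' D
+ESC 'A boolean telling when we could bypass Grey Listing' EQUALITY booleanM
+atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+olcAttributeTypes: {28}( 1.3.6.1.4.1.22339.1.1.29 NAME 'phammGroup' DESC 'De
+fine the phamm Group of the VirtualMailAccount' EQUALITY caseIgnoreMatch SU
+BSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
+olcAttributeTypes: {29}( 1.3.6.1.4.1.22339.1.1.30 NAME 'maxSmtpAuth' DESC 'A
+string that represents the max SMTP Auth for a VirtualAdmin' EQUALITY case
+ExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {30}( 1.3.6.1.4.1.22339.1.1.31 NAME 'maxAntivirus' DESC '
+A string that represents the max Antivirus for a VirtualAdmin' EQUALITY cas
+eExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {31}( 1.3.6.1.4.1.22339.1.1.32 NAME 'maxAntiSpam' DESC 'A
+string that represents the max AntiSpam for a VirtualAdmin' EQUALITY caseE
+xactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {32}( 1.3.6.1.4.1.22339.1.1.33 NAME 'maxGreyList' DESC 'A
+string that represents the max AntiGreyList for a VirtualAdmin' EQUALITY c
+aseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcObjectClasses: {0}( 1.3.6.1.4.1.22339.1.2.1 NAME 'VirtualMailAccount' DES
+C 'Mail account objects' SUP inetOrgPerson STRUCTURAL MUST ( mail $ vdHome
+$ mailbox $ accountActive $ lastChange $ delete ) MAY ( quota $ otherTransp
+ort $ editAccounts $ creationDate $ createMaildir $ smtpAuth $ expireDate $
+mailAutoreply $ bypassGreyListing $ phammGroup ) )
+olcObjectClasses: {1}( 1.3.6.1.4.1.22339.1.2.2 NAME 'VirtualMailAlias' DESC
+'Mail aliasing/forwarding entry' SUP inetOrgPerson STRUCTURAL MUST ( mail $
+maildrop $ accountActive $ lastChange ) MAY ( mailsource $ editAccounts $
+creationDate $ smtpAuth $ expireDate $ bypassGreyListing ) )
+olcObjectClasses: {2}( 1.3.6.1.4.1.22339.1.2.3 NAME 'VirtualDomain' DESC 'Vi
+rtual Domain entry to be used with postfix transport maps' SUP top STRUCTUR
+AL MUST ( vd $ accountActive $ lastChange $ delete ) MAY ( postfixTransport
+$ description $ maxMail $ maxAlias $ maxQuota $ editAV $ adminID $ creatio
+nDate $ bypassGreyListing $ maxSmtpAuth $ maxAntivirus $ maxAntiSpam $ maxG
+reyList ) )
+olcObjectClasses: {3}( 1.3.6.1.4.1.22339.1.2.4 NAME 'VirtualForward' DESC 'F
+orward setting for VirtualMailAccount' SUP top AUXILIARY MUST forwardActive
+MAY maildrop )
+olcObjectClasses: {4}( 1.3.6.1.4.1.22339.1.2.5 NAME 'VirtualAdmin' DESC 'Vir
+tual Admin entry' SUP inetOrgPerson STRUCTURAL MUST ( mail $ maxDomain $ ac
+countActive $ lastChange ) MAY ( vd $ editAccounts ) )
+olcObjectClasses: {5}( 1.3.6.1.4.1.22339.1.2.6 NAME 'VirtualBackupDomain' DE
+SC 'Virtual Backup Domain entry to be used for relay' SUP top STRUCTURAL MU
+ST ( vd $ accountActive $ lastChange $ delete ) MAY description )
+olcObjectClasses: {6}( 1.3.6.1.4.1.22339.1.2.7 NAME 'VirtualBackupMail' DESC
+'Virtual Backup Mail entry to be used for relay' SUP top STRUCTURAL MUST (
+mail $ accountActive $ lastChange ) MAY description )
+olcObjectClasses: {7}( 1.3.6.1.4.1.22339.1.2.8 NAME 'Yap' DESC 'Yet another
+path' SUP top AUXILIARY MUST otherPath )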
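Review bot: The `clearPassword` attribute (`1.3.6.1.4.1.22339.1.1.7`) is defined here as storing the mail account password in clear text, and loading this schema makes it available for an admin tool such as phamm to populate; the new default ACL in `3_provision_tree.yaml` is outside this view, so I cannot confirm it is covered. Add `clearPassword` to the same `olcAccess` rule that protects `userPassword` (`by self write by anonymous auth by * none`, or `by * none` if nothing legitimately reads it) and avoid populating it at all — mail services can authenticate against the `{SSHA512}` hash this commit configures. A short header comment recording the upstream phamm schema release this was converted from would also help when it next needs refreshing.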

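--- a/roles/ldap/files/phamm.schema
+++ b/roles/ldap/files/phamm.schema
-#--------------------------------------------------------------------------
-# LDAP Schema for phamm
-#----------------------
-# Release 1.5
-# 2014/10/3
-#--------------------------------------------------------------------------
-# Copyright (c) 2006-2016 Mirko Grava, RHX Srl - www.rhx.it
-# Permission is granted to copy, distribute and/or modify this document
-# under the terms of the GNU Free Documentation License, Version 2
-# or any later version published by the Free Software Foundation;
-#--------------------------------------------------------------------------
-# 1.3.6.1.4.1.22339 RHX Srl's OID
-# 1.3.6.1.4.1.22339.1 Phamm
-# 1.3.6.1.4.1.22339.1.1 AttributeTypes
-# 1.3.6.1.4.1.22339.1.2 ObjectClasses
-#--------------------------------------------------------------------------
-# Attribute Types
-#-----------------
-attributetype ( 1.3.6.1.4.1.22339.1.1.1 NAME 'postfixTransport'
-DESC 'A string directing postfix which transport to use'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.2 NAME 'accountActive'
-DESC 'A boolean telling whether an account is active or not'
-EQUALITY booleanMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.3 NAME 'lastChange'
-DESC 'Time in unix time of last change in entry'
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.4 NAME 'vd'
-DESC 'A virtual domain managed by Phamm'
-EQUALITY caseIgnoreIA5Match
-SUBSTR caseIgnoreIA5SubstringsMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-attributetype ( 1.3.6.1.4.1.22339.1.1.5 NAME 'mailbox'
-DESC 'The absolute path to the mailbox for a mail account in a non-default location'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.6 NAME 'quota'
-DESC 'A string that represents the quota on a mailbox'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.7 NAME 'clearPassword'
-DESC 'A separate text that stores the mail account password in clear text'
-EQUALITY octetStringMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128})
-attributetype ( 1.3.6.1.4.1.22339.1.1.8 NAME 'maildrop'
-DESC 'RFC822 Mailbox - mail alias'
-EQUALITY caseIgnoreIA5Match
-SUBSTR caseIgnoreIA5SubstringsMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-attributetype ( 1.3.6.1.4.1.22339.1.1.9 NAME 'mailsource'
-DESC 'Message source'
-EQUALITY caseIgnoreIA5Match
-SUBSTR caseIgnoreIA5SubstringsMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-attributetype ( 1.3.6.1.4.1.22339.1.1.10 NAME 'editAliases'
-DESC 'A boolean telling whether a domain manager can edit Aliases'
-EQUALITY booleanMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.11 NAME 'editAccounts'
-DESC 'A boolean telling whether a domain manager can edit Accounts'
-EQUALITY booleanMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.12 NAME 'editAV'
-DESC 'A boolean telling whether a domain manager can edit Antivirus'
-EQUALITY booleanMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.13 NAME 'delete'
-DESC 'A boolean telling whether this item is marked for deletion'
-EQUALITY booleanMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.14 NAME 'forwardActive'
-DESC 'A boolean telling whether this item is using forward'
-EQUALITY booleanMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.15 NAME 'maxDomain'
-DESC 'A string that represents the max domain for a VirtualAdmin'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.16 NAME 'maxMail'
-DESC 'A string that represents the max mail for a VirtualAdmin'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.17 NAME 'maxAlias'
-DESC 'A string that represents the max alias for a VirtualAdmin'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.18 NAME 'maxQuota'
-DESC 'A string that represents the max quota for a VirtualAdmin'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.19 NAME 'adminID'
-DESC 'A string that represents the dn of admin domain'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.20 NAME 'vdHome'
-DESC 'The absolute path to the virtual domain home'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.21 NAME 'otherTransport'
-DESC 'A string directing postfix which transport to use'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.22 NAME 'creationDate'
-DESC 'Timestamp of creation'
-EQUALITY integerMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.23 NAME 'otherPath'
-DESC 'This path to help any application'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.24 NAME 'createMaildir'
-DESC 'A boolean telling when we must create Maildir for maildrop transport'
-EQUALITY booleanMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.25 NAME 'smtpAuth'
-DESC 'A boolean telling when we could do smtp-auth'
-EQUALITY booleanMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.26 NAME 'expireDate'
-DESC 'Expire date'
-EQUALITY integerMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.27 NAME 'mailAutoreply'
-DESC 'RFC822 Mailbox - mail for autoreply'
-EQUALITY caseIgnoreIA5Match
-SUBSTR caseIgnoreIA5SubstringsMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-attributetype ( 1.3.6.1.4.1.22339.1.1.28 NAME 'bypassGreyListing'
-DESC 'A boolean telling when we could bypass Grey Listing'
-EQUALITY booleanMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.29 NAME 'phammGroup'
-DESC 'Define the phamm Group of the VirtualMailAccount'
-EQUALITY caseIgnoreMatch
-SUBSTR caseIgnoreSubstringsMatch
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-attributetype ( 1.3.6.1.4.1.22339.1.1.30 NAME 'maxSmtpAuth'
-DESC 'A string that represents the max SMTP Auth for a VirtualAdmin'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.31 NAME 'maxAntivirus'
-DESC 'A string that represents the max Antivirus for a VirtualAdmin'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.32 NAME 'maxAntiSpam'
-DESC 'A string that represents the max AntiSpam for a VirtualAdmin'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.33 NAME 'maxGreyList'
-DESC 'A string that represents the max AntiGreyList for a VirtualAdmin'
-EQUALITY caseExactIA5Match
-SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-# Classes
-#---------
-objectclass ( 1.3.6.1.4.1.22339.1.2.1 NAME 'VirtualMailAccount'
-SUP inetOrgPerson STRUCTURAL
-DESC 'Mail account objects'
-MUST ( mail $ vdHome $ mailbox $ accountActive $ lastChange $ delete )
-MAY ( quota $ otherTransport $ editAccounts $ creationDate $ createMaildir $ smtpAuth $ expireDate $ mailAutoreply $ bypassGreyListing $ phammGroup ) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.2 NAME 'VirtualMailAlias'
-SUP inetOrgPerson STRUCTURAL
-DESC 'Mail aliasing/forwarding entry'
-MUST ( mail $ maildrop $ accountActive $ lastChange )
-MAY ( mailsource $ editAccounts $ creationDate $ smtpAuth $ expireDate $ bypassGreyListing) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.3 NAME 'VirtualDomain'
-SUP top STRUCTURAL
-DESC 'Virtual Domain entry to be used with postfix transport maps'
-MUST ( vd $ accountActive $ lastChange $ delete )
-MAY ( postfixTransport $ description $ maxMail $ maxAlias $ maxQuota $ editAV $ adminID $ creationDate $ bypassGreyListing $ maxSmtpAuth $ maxAntivirus $ maxAntiSpam $ maxGreyList) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.4 NAME 'VirtualForward'
-SUP top AUXILIARY
-DESC 'Forward setting for VirtualMailAccount'
-MUST ( forwardActive )
-MAY ( maildrop ) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.5 NAME 'VirtualAdmin'
-SUP inetOrgPerson STRUCTURAL
-DESC 'Virtual Admin entry'
-MUST ( mail $ maxDomain $ accountActive $ lastChange )
-MAY ( vd $ editAccounts ) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.6 NAME 'VirtualBackupDomain'
-SUP top STRUCTURAL
-DESC 'Virtual Backup Domain entry to be used for relay'
-MUST ( vd $ accountActive $ lastChange $ delete )
-MAY ( description ) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.7 NAME 'VirtualBackupMail'
-SUP top STRUCTURAL
-DESC 'Virtual Backup Mail entry to be used for relay'
-MUST ( mail $ accountActive $ lastChange )
-MAY ( description ) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.8 NAME 'Yap'
-SUP top AUXILIARY
-DESC 'Yet another path'
-MUST ( otherPath )
-)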

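--- a/roles/ldap/tasks/1_configure_server.yaml
+++ b/roles/ldap/tasks/1_configure_server.yaml
@@ -0,0 +1,201 @@
+---
+- include_role:
+name: 'service'
+vars:
+service_name: 'nscd'
+service_packages: 'nscd'
+- name: 'set debconf values'
+debconf:
+name: 'slapd'
+question: '{{ item.question }}'
+vtype: 'string'
+value: '{{ item.value }}'
+loop:
+- { question: 'slapd/domain', value: '{{ ldap_domain }}' }
+- { question: 'slapd/dump_database', value: 'when needed' }
+- { question: 'shared/organization', value: '{{ ldap_organization }}' }
+- include_role:
+name: 'service'
+vars:
+service_name: 'slapd'
+service_packages:
+- 'slapd'
+- 'ldap-utils'
+- 'libpam-ldap'
+- 'python3-ldap'
+- 'sudo'
+- name: 'start slapd service'
+service:
+name: 'slapd'
+enabled: true
+state: 'started'
+- name: 'copy schemas'
+copy:
+src: '{{ item }}'
+dest: '/etc/ldap/schema/'
+loop:
+- 'ldapns.ldif'
+- 'kerberos.ldif'
+- 'phamm.ldif'
+- 'phamm-vacation.ldif'
+- name: 'activate schemas'
+command:
+cmd: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }}'
+creates: '/etc/ldap/slapd.d/cn=config/cn=schema/cn={*}{{ item }}'
+loop:
+- 'ldapns.ldif'
+- 'kerberos.ldif'
+- 'phamm.ldif'
+- 'phamm-vacation.ldif'
+- name: 'activate modules'
+ldap_attr:
+dn: 'cn=module{0},cn=config'
+name: 'olcModuleLoad'
+values:
+- '{0}back_mdb'
+- '{1}pw-sha2'
+- '{2}auditlog'
+- '{3}memberof'
+- name: 'create log dir'
+file:
+path: '/var/log/openldap'
+owner: 'openldap'
+group: 'openldap'
+state: 'directory'
+- name: 'set loglevel'
+ldap_attr:
+dn: 'cn=config'
+name: 'olcLogLevel'
+values: 'conns acl'
+- name: 'activate auditlog overlay'
+ldap_entry:
+dn: 'olcOverlay={0}auditlog,olcDatabase={{ item.db }},cn=config'
+objectClass:
+- 'olcOverlayConfig'
+- 'olcAuditLogConfig'
+attributes:
+olcAuditlogFile: '/var/log/openldap/{{ item.logfile }}'
+loop:
+- { db: '{0}config', logfile: 'audit_config.ldif' }
+- { db: '{1}mdb', logfile: 'audit_mdb.ldif' }
+- name: 'activate memberof overlay'
+ldap_entry:
+dn: 'olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config'
+objectClass:
+- 'olcOverlayConfig'
+- 'olcMemberOf'
+- name: 'set default password hash'
+ldap_attr:
+dn: 'olcDatabase={-1}frontend,cn=config'
+name: 'olcPasswordHash'
+values: '{SSHA512}'
+- name: 'evaluating base_dn'
+set_fact:
+base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'
+- name: 'configure TLS x509 <-> ldap dn translation'
+ldap_attr:
+dn: 'cn=config'
+name: 'olcAuthzRegexp'
+state: 'exact'
+values:
+- |-
+{0} ^cn=([^,]+),ou=Server,{{ x509_suffix }}$
+cn=$1,ou=Server,{{ base_dn }}
+- |-
+{1} ^mail=[^,]+,cn=([^,]+),ou=People,{{ x509_suffix }}$
+cn=$1,ou=People,{{ base_dn }}
+- name: 'configure main tree acls'
+ldap_attr:
+dn: 'olcDatabase={1}mdb,cn=config'
+name: 'olcAccess'
+state: 'exact'
+values:
+# [0] -> Admins can proxy-auth to RootDN
+# /proxy-auth is not required for routine user-management operations
+- |-
+{0} to dn.exact=cn=admin,{{ base_dn }} attrs=authzFrom
+by group.exact=cn=admin,ou=Group,dc=lilik,dc=it auth
+by * none
+# [1] :: ou=People
+# [1.0] -> Admins can edit People `userPassword`
+# -> People can edit their `userPassword`
+# -> Anyone can auth with `userPassword` if using strong TLS.
+- |-
+{1} to dn.one=ou=People,{{ base_dn }} attrs=userPassword
+by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+by self write
+by anonymous tls_ssf=256 auth
+by * none
+# [1.1] -> Admins can list the full People tree
+# -> Servers can perform search on People tree
+- |-
+{2}to dn.exact=ou=People,{{ base_dn }} attrs=entry
+by group.exact=cn=admin,ou=Group,{{ base_dn }} read
+by dn.children=ou=Server,{{ base_dn }} search
+by * none
+# [1.2] -> Admins can add/remove People entries
+- |-
+{3} to dn.exact=ou=People,{{ base_dn }} attrs=children
+by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+by * none
+# [1.3] -> Admins can edit all People attributes
+# -> Servers can read all People attributes (except userPassword)
+# -> People can read all their attributes
+# -> Break: over privileges may be accorded later (i.e.: servers)
+- |-
+{4} to dn.one=ou=People,{{ base_dn }}
+by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+by dn.children=ou=Server,{{ base_dn }} read
+by self read
+by * break
+# [1.5] -> No other access to People tree
+- |-
+{5} to dn.subtree=ou=People,{{ base_dn }}
+by * none
+# [2] :: ou=Group
+# [2.1] -> Admins can add/remove members from groups
+- |-
+{6} to dn.one=ou=Group,{{ base_dn }} attrs=member
+by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+by * none
+# [2.2] -> No other access to Group tree
+- |-
+{7} to dn.children=ou=Group,{{ base_dn }}
+by * none
+# [3] :: ou=Server
+# [3.0] -> Local servers can simple-bind their entries if using TLS
+# /Server using TLS-client Auth with OU=Server are automatically authenticated
+- |-
+{8} to dn.children=ou=Server,{{ base_dn }} attrs=userPassword
+by peername.ip=10.151.42.0%255.255.255.0 tls_ssf=256 auth
+by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+by * none
+# [3.1] -> No other access to Server tree
+- |-
+{9} to dn.subtree=ou=Server,{{ base_dn }}
+by * none
+# [4] :: ou=VirtualDomains - WiP
+# [4.0] -> Admins can write whole subtree
+# [4.1] -> Servers can read whole subtree
+# - >-
+# to dn.subtree=ou=VirtualDomains,{{ base_dn }}
+# by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+# by dn.children=ou=Server,{{ base_dn }} read
+# [5] :: ou=Kerberos - Wi
+...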
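Review bot: The proxy-auth ACL `{0}` hard-codes the base DN in `by group.exact=cn=admin,ou=Group,dc=lilik,dc=it auth` while every other rule in the same `olcAccess` list uses `{{ base_dn }}`, so on any deployment whose `ldap_domain` is not lilik.it the rule points at a group that does not exist and nobody can authorize to the rootdn; it should read `by group.exact=cn=admin,ou=Group,{{ base_dn }} auth`. Rule `{8}` likewise hard-codes the client network `10.151.42.0%255.255.255.0`; a role variable would keep that site-specific value with the others. The `{2}to` value lacks the space every other index has; slapd probably accepts it, but normalising it keeps the list readable. The `ou=VirtualDomains` and `ou=Kerberos` rules are left as comments, so the ACL list is not yet complete for the tree that `3_provision_tree.yaml` creates — a short note saying which subtrees are still unprotected by explicit rules would help the next reader.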

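--- a/roles/ldap/tasks/2_renew_rootpw.yaml
+++ b/roles/ldap/tasks/2_renew_rootpw.yaml
@@ -0,0 +1,40 @@
+---
+- name: 'evaluating base_dn'
+set_fact:
+base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'
+- name: 'renewing admin password - generation'
+gen_passwd: 'length=32'
+register: new_passwd
+- name: 'renewing admin password - hashing'
+shell: >
+slappasswd
+-o module-load=pw-sha2
+-h "{SSHA512}"
+-s "{{ new_passwd.passwd }}"
+register: new_passwd_hash
+- name: 'renewing admin password - setting RootPW'
+ldap_attr:
+dn: 'olcDatabase={1}mdb,cn=config'
+name: 'olcRootPW'
+values: '{{ new_passwd_hash.stdout }}'
+state: 'exact'
+- name: 'renewing admin password - calling ldappasswd'
+ldap_passwd:
+dn: 'cn=admin,{{ base_dn }}'
+passwd: '{{ new_passwd.passwd }}'
+bind_dn: 'cn=admin,{{ base_dn }}'
+bind_pw: '{{ new_passwd.passwd }}'
+- name: 'renewing admin password - storing plaintext'
+copy:
+content: '{{ new_passwd.passwd }}'
+dest: '/etc/slapd.secret'
+- name: 'renewing admin password - setting fact'
+set_fact:
+ldap_passwd: '{{ new_passwd.passwd }}'
+...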
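Review bot: The plaintext rootdn password written by the `storing plaintext` copy task to `/etc/slapd.secret` gets no `owner` or `mode`, so the file is created under the default umask and is likely world-readable on the host; add `owner: 'root'`, `group: 'root'` and `mode: '0600'` to that task. The same secret is also passed as `-s "{{ new_passwd.passwd }}"` on the slappasswd command line, where it shows up in the process list and in Ansible's task output, and none of the tasks that carry it (`generation`, `hashing`, `calling ldappasswd`, `storing plaintext`) set `no_log: true`; slappasswd can read the secret from a file with `-T`, which keeps it out of argv. Because the `shell` task wraps the value in double quotes, a generated password containing `"`, `$` or a backtick would also break the command unless gen_passwd's alphabet excludes those characters — worth confirming against that module.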

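--- a/roles/ldap/tasks/3_provision_tree.yaml
+++ b/roles/ldap/tasks/3_provision_tree.yaml
@@ -0,0 +1,143 @@
+---
+- name: 'evaluating base_dn'
+set_fact:
+base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'
+- when: ldap_passwd is not defined
+block:
+- name: 'get plaintext admin password'
+slurp:
+path: '/etc/slapd.secret'
+register: slapd_secret
+- name: 'set ldap_passwd'
+set_fact:
+ldap_passwd: '{{ slapd_secret.content | b64decode }}'
+- set_fact:
+- name: 'provisioning tree - organization units'
+ldap_entry:
+dn: 'ou={{ item }},{{ base_dn }}'
+objectClass:
+- 'organizationalUnit'
+bind_dn: 'cn=admin,{{ base_dn }}'
+bind_pw: '{{ ldap_passwd }}'
+loop:
+- 'People'
+- 'Group'
+- 'Server'
+- 'VirtualDomain'
+- 'Kerberos'
+- name: 'provisioning tree - virtual domains'
+ldap_entry:
+dn: 'vd={{ item }},ou=VirtualDomain,{{ base_dn }}'
+objectClass:
+- 'VirtualDomain'
+attributes:
+postfixTransport: 'maildrop:'
+delete: 'FALSE'
+accountActive: 'TRUE'
+lastChange: '{{ ansible_date_time.epoch }}'
+bind_dn: 'cn=admin,{{ base_dn }}'
+bind_pw: '{{ ldap_passwd }}'
+loop: '{{ virtual_domains }}'
+- name: 'provisioning tree - virtual domain postmasters'
+ldap_entry:
+dn: 'cn=postmaster,vd={{ item }},ou=VirtualDomain,{{ base_dn }}'
+objectClass:
+- 'VirtualMailAlias'
+attributes:
+mail: 'postmaster@{{ item }}'
+editAccounts: 'TRUE'
+accountActive: 'TRUE'
+lastChange: '{{ ansible_date_time.epoch }}'
+maildrop: 'postmaster'
+sn: 'postmaster'
+bind_dn: 'cn=admin,{{ base_dn }}'
+bind_pw: '{{ ldap_passwd }}'
+loop: '{{ virtual_domains }}'
+- name: 'provisioning tree - posix groups'
+ldap_entry:
+dn: 'cn={{ item.name }},ou=Group,{{ base_dn }}'
+objectClass:
+- 'posixGroup'
+attributes:
+gidNumber: '{{ item.gid }}'
+bind_dn: 'cn=admin,{{ base_dn }}'
+bind_pw: '{{ ldap_passwd }}'
+loop:
+- { name: 'stduser', gid: 5000 }
+- { name: 'user_sites', gid: 900 }
+- name: 'provisioning tree - name groups'
+ldap_entry:
+dn: 'cn={{ item }},ou=Group,{{ base_dn }}'
+objectClass:
+- 'groupOfNames'
+attributes:
+member: 'cn=admin,{{ base_dn }}'
+bind_dn: 'cn=admin,{{ base_dn }}'
+bind_pw: '{{ ldap_passwd }}'
+loop:
+- 'admin'
+- 'wiki'
+- 'lilik.it'
+- 'cloud'
+- 'projects'
+- 'teambox'
+- 'im'
+- name: 'provisioning tree - test users'
+ldap_entry:
+dn: 'cn={{ item.user }},ou=People,{{ base_dn }}'
+objectClass:
+- 'inetOrgPerson'
+- 'authorizedServiceObject'
+attributes: '{{ item.attrs }}'
+bind_dn: 'cn=admin,{{ base_dn }}'
+bind_pw: '{{ ldap_passwd }}'
+loop:
+- { user: 'pippo', attrs: { sn: 'User Pippo', mail: 'pippo@lilik.it', authorizedService: 'gitlab' } }
+- { user: 'pluto', attrs: { sn: 'User Pluto', mail: 'pluto@lilik.it' } }
+- { user: 'test_admin', attrs: { sn: 'Test admin', mail: 'admin1@lilik.it' } }
+- name: 'provisioning tree - test users passwd'
+ldap_passwd:
+dn: 'cn={{ item.user }},ou=People,{{ base_dn }}'
+passwd: '{{ item.passwd }}'
+bind_dn: 'cn=admin,{{ base_dn }}'
+bind_pw: '{{ ldap_passwd }}'
+loop:
+- { user: 'pippo', passwd: 'pippopippo' }
+- { user: 'pluto', passwd: 'plutopluto' }
+- { user: 'test_admin', passwd: 'pippopippo' }
+- name: 'provisioning tree - admin group members'
+ldap_attr:
+dn: 'cn=admin,ou=Group,{{ base_dn }}'
+name: 'member'
+values: 'cn=test_admin,ou=People,{{ base_dn }}'
+bind_dn: 'cn=admin,{{ base_dn }}'
+bind_pw: '{{ ldap_passwd }}'
+- name: 'provisioning tree - servers'
+ldap_entry:
+dn: 'cn={{ item }},ou=Server,{{ base_dn }}'
+objectClass: 'applicationProcess'
+objectClass: 'person'
+attributes:
+sn: '{{ item }}'
+bind_dn: 'cn=admin,{{ base_dn }}'
+bind_pw: '{{ ldap_passwd }}'
+loop:
+- 'TestServer'
+- 'projects'
+#- name: templating ACLs
+# template:
+# src: "global.acl.j2"
+# dest: "/etc/ldap/{{ item }}"
+...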
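Review bot: The `test users` and `test users passwd` tasks create `pippo`, `pluto` and `test_admin` with passwords that are committed to the repository, and the following task adds `cn=test_admin` to `cn=admin,ou=Group`, which under the `olcAccess` rules in `1_configure_server.yaml` grants write on every People entry's attributes (including `userPassword`) and on group membership; since the only gate is `check_tree` on the whole file, these accounts land on every host the role runs on. Gate those three tasks on their own flag, e.g. `when: ldap_provision_test_users | default(false)` (constructed name), or move them to a test play, and set `no_log: true` on the tasks that carry `bind_pw` and `passwd`. The `provisioning tree - servers` entry lists `objectClass:` twice in one mapping, so the YAML loader keeps only the last (`person`) and `applicationProcess` is dropped silently — and as both classes are STRUCTURAL the entry could not carry both anyway, so the intended class needs deciding. The bare `- set_fact:` just before `provisioning tree - organization units` has no arguments and looks like a leftover; depending on the Ansible version it either fails the play or does nothing.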

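--- a/roles/ldap/tasks/4_setup_tls.yaml
+++ b/roles/ldap/tasks/4_setup_tls.yaml
@@ -0,0 +1,128 @@
+- apt:
+pkg: 'openssl'
+state: 'present'
+- name: 'generate ED25519 private key'
+shell:
+cmd: >
+openssl genpkey
+-algorithm ED25519
+-out /etc/ldap/slapd.key
+creates: '/etc/ldap/slapd.key'
+- name: 'set private key ownership'
+file:
+path: '/etc/ldap/slapd.key'
+owner: 'openldap'
+group: 'openldap'
+mode: '600'
+- name: 'generate certificate request'
+shell:
+cmd: >
+openssl req
+-new
+-subj "{{ ssl_subject_prefix }}/OU=Server/CN={{ ansible_hostname }}.{{ fqdn_domain }}"
+-key /etc/ldap/slapd.key
+-out /etc/ldap/slapd.csr
+creates: '/etc/ldap/slapd.csr'
+- name: 'set key ownership and permission'
+file:
+path: /etc/ldap
+- name: 'lookup_ssl_ca_cert'
+when: ssl_ca_cert is not defined
+set_fact:
+ssl_ca_cert: '{{ lookup("file", "lilik_ca_w1.pub") }}'
+- name: 'update ssl_ca_cert'
+copy:
+content: "{{ ssl_ca_cert }}"
+dest: '/etc/ldap/ssl_ca.crt'
+- name: 'check if slapd cert is valid'
+command: >
+openssl verify
+-CAfile /etc/ldap/ssl_ca.crt
+-untrusted /etc/ldap/slapd.crt
+/etc/ldap/slapd.crt
+register: slapd_cert_is_valid
+changed_when: false
+failed_when: false
+- when: slapd_cert_is_valid.rc != 0
+block:
+- name: 'renewing cert - generating ca request'
+cert_request:
+host: '{{ ansible_hostname }}.{{ fqdn_domain }}'
+path: '/etc/ldap/slapd.csr'
+proto: 'ssl'
+register: ca_request
+- name: 'renewing cert - sending ca sign request'
+include: 'ca-dialog.yaml'
+- set_fact:
+request_output: '{{ request_result.stdout | string | from_json }}'
+- debug:
+var: request_result
+- name: 'renewing cert - generating get cert request'
+set_fact:
+ca_request:
+type: 'get_certificate'
+requestID: '{{ request_output.requestID }}'
+- debug:
+msg: >
+Please manually confirm sign request with id
+{{ request_output.requestID }}
+- name: 'renewing cert - waiting for ca signature'
+include: 'ca-dialog.yaml'
+- set_fact:
+cert_key: '{{ request_result.stdout | string | from_json }}'
+- debug:
+var: request_result
+verbosity: 2
+- name: 'renewing cert - storing new cert file'
+copy:
+content: '{{ cert_key.result }}'
+dest: '/etc/ldap/slapd.crt'
+# !BUG! Fixed in Ansible dev using ldap_attrs instead of ldap_attr
+# Ref: https://github.com/ansible/ansible/issues/25665
+- name: 'configuring TLS options (workaround)'
+ldap_attr:
+dn: 'cn=config'
+name: '{{ item.name }}'
+values: '{{ item.value }}'
+loop:
+- { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
+- { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
+failed_when: false
+- name: 'configuring TLS options'
+ldap_attr:
+dn: 'cn=config'
+name: '{{ item.name }}'
+values: '{{ item.value }}'
+state: 'exact'
+loop:
+- { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
+- { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
+- { name: 'olcTLSCACertificateFile', value: '/etc/ldap/ssl_ca.crt' }
+- { name: 'olcTLSVerifyClient', value: 'try' } # TLS Client Auth
+- name: 'configuring slapd service'
+lineinfile:
+line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
+regexp: '^SLAPD_SERVICES='
+path: '/etc/default/slapd'
+notify:
+- 'restart slapd'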
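Review bot: The `set key ownership and permission` task passes only `path: /etc/ldap` with no `owner`, `group`, `mode` or `state`, so it changes nothing; from its name it was presumably meant for `/etc/ldap/slapd.csr` (and the later `slapd.crt`), which are otherwise left with whatever the umask produced. The validity check `openssl verify -CAfile /etc/ldap/ssl_ca.crt ... /etc/ldap/slapd.crt` only fails once the certificate has already expired or no longer chains, so renewal begins after the outage starts; adding `openssl x509 -checkend <seconds> -in /etc/ldap/slapd.crt` (e.g. 30 days) to the condition would renew ahead of expiry, and comparing the certificate's public key against `/etc/ldap/slapd.key` would catch a key/cert mismatch that `verify` does not see. The `storing new cert file` copy task has no `notify`, so if slapd does not re-read `olcTLSCertificateFile` at runtime the renewed certificate is only served after some unrelated restart — `notify: 'restart slapd'` on that task is cheap insurance. The two `include: 'ca-dialog.yaml'` lines use the deprecated form while the rest of the role uses `include_tasks`.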

+ 16
- 123
roles/ldap/tasks/main.yaml View File

@ -1,123 +1,16 @@
- include_role:
name: service
vars:
service_name: nscd
service_packages: nscd
- name: configure OpenLDAP (domain)
debconf:
name: 'slapd'
question: 'slapd/domain'
vtype: 'string'
value: '{{ ldap_domain }}'
- name: configure OpenLDAP (configure)
debconf:
name: 'slapd'
question: 'slapd/dump_database'
vtype: 'string'
value: 'when needed'
- name: configure OpenLDAP (organization)
debconf:
name: 'slapd'
question: 'shared/organization'
vtype: 'string'
value: '{{ ldap_organization }}'
- name: slurp slap secret file
slurp:
src: /etc/slapd.secret
register: slapdsecret
failed_when: false
changed_when: false
- set_fact:
slapd_passwd: "{{ slapdsecret['content'] | b64decode }}"
when: '"content" in slapdsecret'
- block:
- name: generate admin password
gen_passwd: length=20
register: new_passwd
- name: store slapd secret
copy:
content : "{{ new_passwd.passwd }}"
dest: /etc/slapd.secret
- set_fact:
slapd_passwd: "{{ new_passwd.passwd }}"
when: 'not "content" in slapdsecret'
- name: configure OpenLDAP (password1)
debconf:
name: 'slapd'
question: 'slapd/password1'
vtype: 'string'
value: '{{ slapd_passwd }}'
- name: configure OpenLDAP (password2)
debconf:
name: 'slapd'
question: 'slapd/password2'
vtype: 'string'
value: '{{ slapd_passwd }}'
- include_role:
name: service
vars:
service_name: slapd
service_packages:
- slapd
- ldap-utils
- libpam-ldap
- sudo
- name: download schemas
copy:
src: "{{ item }}"
dest: /etc/ldap/schema/
loop:
- "phamm.schema"
- "phamm-vacation.schema"
- name: upload slapd config
template:
src: slapd.conf.j2
dest: "/etc/ldap/slapd.conf"
- name: update slapd config
shell: slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d
args:
creates: "/etc/ldap/slapd.d/cn=config/cn=schema/cn={4}phamm.ldif"
become: true
become_method: sudo
become_user: openldap
notify: restart slapd
- name: fix missing memberOf and pw-sha2 module load
blockinfile:
dest: /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif
content: |
olcModuleLoad: {1}memberof
olcModuleLoad: {2}pw-sha2
notify: restart slapd
- name: upload default tree
template:
dest=/etc/ldap/default_tree.ldif
src=default_tree.ldif.j2
owner=root
group=root
mode=0400
register: upload_default_tree
- name: create default tree
shell: slapadd -l /etc/ldap/default_tree.ldif
when: upload_default_tree.changed
notify: restart slapd
- name: enable OpenLDAP server
service:
name: 'slapd'
enabled: true
state: started
---
- name: 'including configuration tasks'
include_tasks: '1_configure_server.yaml'
- name: 'including password renewal tasks'
include_tasks: '2_renew_rootpw.yaml'
when: renew_rootdn_pw
- name: 'including tree provisionig tasks'
include_tasks: '3_provision_tree.yaml'
when: check_tree
- name: 'including tls tasks'
include_tasks: '4_setup_tls.yaml'
when: ldap_tls_enabled
...
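Review bot: The four `include_tasks` entries document neither what each flag enables nor its side effects, and `2_renew_rootpw.yaml` rotates `olcRootPW` and rewrites `/etc/slapd.secret` unconditionally, so whenever `renew_rootdn_pw` is true the rootdn credential changes on every play run and any consumer holding the previous secret breaks; a one-line comment per include would make that visible, e.g. `# renew_rootdn_pw: generates a NEW rootdn password on every run, not only when one is missing`. The task name at the third include reads `provisionig`. Worth stating in the role docs as well: the `olcAccess` rules in `1_configure_server.yaml` require `tls_ssf=256` for `userPassword` auth, so running with `ldap_tls_enabled: false` yields a directory in which no user or server entry can bind at all, even though the play itself succeeds via the rootdn.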

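--- a/roles/ldap/templates/default_tree.ldif.j2
+++ b/roles/ldap/templates/default_tree.ldif.j2
@@ -1,186 +0,0 @@
-# Entry 4: o=Group,dc=lilik,dc=it
-dn: o=Group,dc=lilik,dc=it
-hassubordinates: TRUE
-o: Group
-objectclass: organization
-objectclass: top
-structuralobjectclass: organization
-subschemasubentry: cn=Subschema
-# Entry 10: cn=stdusers,o=Group,dc=lilik,dc=it
-dn: cn=stdusers,o=Group,dc=lilik,dc=it
-cn: stdusers
-gidnumber: 9000
-hassubordinates: FALSE
-objectclass: posixGroup
-objectclass: top
-structuralobjectclass: posixGroup
-subschemasubentry: cn=Subschema
-# Entry 12: cn=users_sites,o=Group,dc=lilik,dc=it
-dn: cn=users_sites,o=Group,dc=lilik,dc=it
-cn: users_sites
-gidnumber: 500
-hassubordinates: FALSE
-memberuid: test_user
-objectclass: posixGroup
-objectclass: top
-structuralobjectclass: posixGroup
-subschemasubentry: cn=Subschema
-# Entry 14: o=hosting,dc=lilik,dc=it
-dn: o=hosting,dc=lilik,dc=it
-description: mail.lilik.it hosting root
-hassubordinates: TRUE
-o: hosting
-objectclass: top
-objectclass: organization
-structuralobjectclass: organization
-subschemasubentry: cn=Subschema
-# Entry 22: vd=lilik.it,o=hosting,dc=lilik,dc=it
-dn: vd=lilik.it,o=hosting,dc=lilik,dc=it
-accountactive: TRUE
-delete: FALSE
-editav: FALSE
-hassubordinates: TRUE
-maxalias: 20
-maxmail: 11
-maxquota: 250
-objectclass: top
-objectclass: VirtualDomain
-postfixtransport: maildrop:
-structuralobjectclass: VirtualDomain
-subschemasubentry: cn=Subschema
-vd: lilik.it
-lastChange: 1228821387
-# Entry 23: cn=postmaster,vd=lilik.it,o=hosting,dc=lilik,dc=it
-dn: cn=postmaster,vd=lilik.it,o=hosting,dc=lilik,dc=it
-accountactive: TRUE
-cn: postmaster
-editaccounts: TRUE
-hassubordinates: FALSE
-mail: postmaster
-maildrop: postmaster
-objectclass: top
-objectclass: VirtualMailAlias
-sn: postmaster
-structuralobjectclass: VirtualMailAlias
-subschemasubentry: cn=Subschema
-userpassword: {SSHA}4IuBxQNWgMNPX/lCtP2GgbJeiYX+u4ud
-lastChange: 1228821387
-# Entry 24: mail=abuse,vd=lilik.it,o=hosting,dc=lilik,dc=it
-dn: mail=abuse,vd=lilik.it,o=hosting,dc=lilik,dc=it
-accountactive: TRUE
-cn: NONAME
-givenname: NONAME
-hassubordinates: FALSE
-mail: abuse
-maildrop: root
-objectclass: top
-objectclass: VirtualMailAlias
-smtpauth: FALSE
-sn: NONAME
-structuralobjectclass: VirtualMailAlias
-subschemasubentry: cn=Subschema
-userpassword: {CRYPT}!
-lastChange: 1228821387
-dn: mail=test_user,vd=lilik.it,o=hosting,dc=lilik,dc=it
-objectclass: alias
-objectclass: extensibleObject
-#uid: alias
-aliasedobjectname: uid=test_user,o=People,dc=lilik,dc=it
-# Entry 319: o=People,dc=lilik,dc=it
-dn: o=People,dc=lilik,dc=it
-hassubordinates: TRUE
-o: People
-objectclass: organization
-objectclass: top
-structuralobjectclass: organization
-subschemasubentry: cn=Subschema
-dn: uid=test_user,o=People,dc=lilik,dc=it
-accountactive: TRUE
-cn: Test
-delete: FALSE
-gidnumber: 100
-givenname: Test
-hassubordinates: FALSE
-homedirectory: /home/test_user
-loginshell: /bin/bash
-mail: test_user
-objectclass: top
-objectclass: inetOrgPerson
-objectclass: VirtualMailAccount
-objectclass: posixAccount
-objectclass: shadowAccount
-objectclass: hostObject
-othertransport: phamm:
-quota: 1024000
-shadowlastchange: 14281
-smtpauth: FALSE
-sn: User
-structuralobjectclass: VirtualMailAccount
-subschemasubentry: cn=Subschema
-uid: test_user
-uidnumber: 10001
-userpassword: {SSHA}2SWroMDSWoIWlYEvzpHvSRK4PMsjGW/u
-lastChange: 1228821387
-vdhome: undefined
-mailbox: undefined
-# Entry 12: cn=admin,o=Group,dc=lilik,dc=it
-dn: cn=admin,o=Group,dc=lilik,dc=it
-cn: admin
-objectClass: groupOfNames
-objectClass: top
-structuralObjectClass: groupOfNames
-member: cn=admin,dc=lilik,dc=it
-dn: cn=wiki,o=Group,dc=lilik,dc=it
-cn: wiki
-objectClass: groupOfNames
-objectClass: top
-structuralObjectClass: groupOfNames
-member: cn=admin,dc=lilik,dc=it
-dn: cn=lilik.it,o=Group,dc=lilik,dc=it
-cn: lilik.it
-objectClass: groupOfNames
-objectClass: top
-structuralObjectClass: groupOfNames
-member: cn=admin,dc=lilik,dc=it
-dn: cn=cloud,o=Group,dc=lilik,dc=it
-cn: cloud
-objectClass: groupOfNames
-objectClass: top
-structuralObjectClass: groupOfNames
-member: cn=admin,dc=lilik,dc=it
-dn: cn=projects,o=Group,dc=lilik,dc=it
-cn: projects
-objectClass: groupOfNames
-objectClass: top
-structuralObjectClass: groupOfNames
-member: cn=admin,dc=lilik,dc=it
-dn: cn=teambox,o=Group,dc=lilik,dc=it
-cn: teambox
-objectClass: groupOfNames
-objectClass: top
-structuralObjectClass: groupOfNames
-member: cn=admin,dc=lilik,dc=it
-dn: cn=im,o=Group,dc=lilik,dc=it
-cn: im
-objectClass: groupOfNames
-objectClass: top
-structuralObjectClass: groupOfNames
-member: cn=admin,dc=lilik,dc=it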

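--- a/roles/ldap/templates/slapd.conf.j2
+++ b/roles/ldap/templates/slapd.conf.j2
@@ -1,12 +0,0 @@
-include /etc/ldap/schema/core.schema
-include /etc/ldap/schema/cosine.schema
-include /etc/ldap/schema/nis.schema
-include /etc/ldap/schema/inetorgperson.schema
-include /etc/ldap/schema/phamm.schema
-include /etc/ldap/schema/phamm-vacation.schema
-include /usr/share/doc/libpam-ldap/ldapns.schema
-modulepath /usr/lib/ldap
-moduleload memberof.la
-overlay memberof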
