- Tasks split into subfiles. - Static slapd configuration (slapd.conf) moved *properly* to dynamic configuration (slapd.d). - TLS enabled by default, with the certificate acquired using `ca_manager`. - New default tree - New default ACL - Kerberos schema added - {SSHA512} hash properly configured.python3
@ -0,0 +1,5 @@ | |||||
--- | |||||
ldap_tls_enabled: true | |||||
renew_rootdn_pw: true | |||||
check_tree: true | |||||
... |
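Review bot: The three toggles carry no comment saying what they control or what disabling them costs, and `renew_rootdn_pw: true` in particular reads as a credential rotation that would run on every play — if that is what the consuming task does, it should be stated here. I would put a one-line comment above each key, e.g. `# renew_rootdn_pw: regenerate the rootdn password on each run (set false once the secret is managed elsewhere)`; the exact effect has to be confirmed against the task that reads it, which is outside this section. `ldap_tls_enabled` and `check_tree` likewise deserve a line so an operator overriding them understands the security consequence.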
@ -0,0 +1,3 @@ | |||||
--- | |||||
ldap_tls_enabled: true | |||||
... |
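Review bot: `ldap_tls_enabled: true` is declared a second time here with the same value as in the previous file; if this file is the role's `vars/` while the other is `defaults/` (the paths are not visible on this page), the `vars/` copy takes precedence and prevents inventory or playbook overrides, which may or may not be intended. Either drop the duplicate or add a comment such as `# intentionally pinned: TLS cannot be disabled from inventory` so the precedence is clearly deliberate.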
@ -0,0 +1,162 @@ | |||||
dn: cn=kerberos,cn=schema,cn=config | |||||
objectClass: olcSchemaConfig | |||||
cn: kerberos | |||||
olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName | |||||
' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1 | |||||
.4.1.1466.115.121.1.26 ) | |||||
olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQU | |||||
ALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1. | |||||
1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {2}( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType | |||||
' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||||
olcAttributeTypes: {3}( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DE | |||||
SC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||||
olcAttributeTypes: {4}( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpi | |||||
ration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 | |||||
SINGLE-VALUE ) | |||||
olcAttributeTypes: {5}( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' | |||||
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||||
olcAttributeTypes: {6}( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife | |||||
' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||||
olcAttributeTypes: {7}( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewable | |||||
Age' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALU | |||||
E ) | |||||
olcAttributeTypes: {8}( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferen | |||||
ces' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) | |||||
olcAttributeTypes: {9}( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' | |||||
EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) | |||||
olcAttributeTypes: {10}( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' | |||||
EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) | |||||
olcAttributeTypes: {11}( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' | |||||
EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) | |||||
olcAttributeTypes: {12}( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' | |||||
EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | |||||
olcAttributeTypes: {13}( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope | |||||
' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||||
olcAttributeTypes: {14}( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalRe | |||||
ferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1 | |||||
.12 ) | |||||
olcAttributeTypes: {15}( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNaming | |||||
Attr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE- | |||||
VALUE ) | |||||
olcAttributeTypes: {16}( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' | |||||
EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) | |||||
olcAttributeTypes: {17}( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' | |||||
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||||
olcAttributeTypes: {18}( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' | |||||
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||||
olcAttributeTypes: {19}( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffC | |||||
hars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VAL | |||||
UE ) | |||||
olcAttributeTypes: {20}( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLengt | |||||
h' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE | |||||
) | |||||
olcAttributeTypes: {21}( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryL | |||||
ength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA | |||||
LUE ) | |||||
olcAttributeTypes: {22}( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQU | |||||
ALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||||
olcAttributeTypes: {23}( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInt | |||||
erval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA | |||||
LUE ) | |||||
olcAttributeTypes: {24}( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration | |||||
' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||||
olcAttributeTypes: {25}( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQ | |||||
UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||||
olcAttributeTypes: {26}( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUAL | |||||
ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) | |||||
olcAttributeTypes: {27}( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLi | |||||
fe' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE | |||||
) | |||||
olcAttributeTypes: {28}( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalt | |||||
s' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE- | |||||
VALUE ) | |||||
olcAttributeTypes: {29}( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyRe | |||||
ference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1. | |||||
12 SINGLE-VALUE ) | |||||
olcAttributeTypes: {30}( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExp | |||||
iration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 | |||||
SINGLE-VALUE ) | |||||
olcAttributeTypes: {31}( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKe | |||||
y' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) | |||||
olcAttributeTypes: {32}( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolic | |||||
yReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121 | |||||
.1.12 SINGLE-VALUE ) | |||||
olcAttributeTypes: {33}( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' E | |||||
QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) | |||||
olcAttributeTypes: {34}( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncS | |||||
altTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) | |||||
olcAttributeTypes: {35}( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEn | |||||
cSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) | |||||
olcAttributeTypes: {36}( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' | |||||
EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) | |||||
olcAttributeTypes: {37}( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChan | |||||
ge' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SING | |||||
LE-VALUE ) | |||||
olcAttributeTypes: {38}( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' E | |||||
QUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VA | |||||
LUE ) | |||||
olcAttributeTypes: {39}( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUAL | |||||
ITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) | |||||
olcAttributeTypes: {40}( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAl | |||||
iases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | |||||
olcAttributeTypes: {41}( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccess | |||||
fulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 | |||||
SINGLE-VALUE ) | |||||
olcAttributeTypes: {42}( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedA | |||||
uth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SIN | |||||
GLE-VALUE ) | |||||
olcAttributeTypes: {43}( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailed | |||||
Count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VA | |||||
LUE ) | |||||
olcAttributeTypes: {44}( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' | |||||
EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) | |||||
olcAttributeTypes: {45}( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectRefer | |||||
ences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 | |||||
) | |||||
olcAttributeTypes: {46}( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContai | |||||
nerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1 | |||||
2 ) | |||||
olcAttributeTypes: {47}( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuth | |||||
Ind' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) | |||||
olcAttributeTypes: {48}( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateT | |||||
o' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6. | |||||
1.4.1.1466.115.121.1.26 ) | |||||
olcObjectClasses: {0}( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP | |||||
top STRUCTURAL MUST cn ) | |||||
olcObjectClasses: {1}( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer | |||||
' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ k | |||||
rbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSa | |||||
ltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdm | |||||
Servers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef | |||||
) ) | |||||
olcObjectClasses: {2}( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP t | |||||
op ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) ) | |||||
olcObjectClasses: {3}( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SU | |||||
P krbService STRUCTURAL ) | |||||
olcObjectClasses: {4}( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SU | |||||
P krbService STRUCTURAL ) | |||||
olcObjectClasses: {5}( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' | |||||
SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled | |||||
$ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krb | |||||
PasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHisto | |||||
ry $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastS | |||||
uccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ kr | |||||
bAllowedToDelegateTo $ krbPrincipalAuthInd ) ) | |||||
olcObjectClasses: {6}( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP | |||||
top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences ) | |||||
olcObjectClasses: {7}( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' | |||||
SUP top AUXILIARY MAY krbPrincipalReferences ) | |||||
olcObjectClasses: {8}( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' S | |||||
UP krbService STRUCTURAL ) | |||||
olcObjectClasses: {9}( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SU | |||||
P top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDif | |||||
fChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdF | |||||
ailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxL | |||||
ife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) ) | |||||
olcObjectClasses: {10}( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicy | |||||
Aux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRene | |||||
wableAge ) ) | |||||
olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy | |||||
' SUP top STRUCTURAL MUST cn ) | |||||
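Review bot: This schema introduces attributes that carry secret key material — `krbPrincipalKey` ({31}), `krbMKey` ({39}), `krbPwdHistory` ({36}) and `krbExtraData` ({44}) — and nothing in this section restricts who may read them; the commit description mentions a new default ACL, but it is not in this file, so the `olcAccess` rules should be checked to grant read on these attributes only to the KDC/kadmin bind identities, the same way `userPassword` is protected. The LDIF also lacks a provenance header; a leading comment such as `# Kerberos schema converted from the MIT krb5 kerberos.schema; krbPrincipalKey/krbMKey/krbPwdHistory hold key material and must be covered by olcAccess` would tell the next maintainer where it came from and why it is sensitive. The OIDs look like the MIT krb5 arcs, but that is inferred rather than verified here.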
@ -0,0 +1,19 @@ | |||||
# LDAP Name Service Additional Schema | |||||
# Source: pam_ldap package by Luke Howard converted to LDIF | |||||
# Has not been published in Internet Draft or RFC. | |||||
dn: cn=ldapns,cn=schema,cn=config | |||||
objectClass: olcSchemaConfig | |||||
cn: ldapns | |||||
olcAttributeTypes: {0}( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' | |||||
DESC 'IANA GSS-API authorized service name' | |||||
EQUALITY caseIgnoreMatch | |||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) | |||||
olcObjectClasses: {0}( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' | |||||
DESC 'Auxiliary object class for adding authorizedService attribute' | |||||
SUP top AUXILIARY | |||||
MAY authorizedService ) | |||||
olcObjectClasses: {1}( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject' | |||||
DESC 'Auxiliary object class for adding host attribute' | |||||
SUP top AUXILIARY | |||||
MAY host ) |
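Review bot: `hostObject` ({1}) lists `MAY host`, but `host` is not defined in this file, so loading this LDIF fails unless the schema that defines `host` (presumably `cosine`) is already present under `cn=schema,cn=config`; the task that loads schemas should enforce that order. A comment before `dn:` such as `# Requires the cosine schema (defines 'host') to be loaded first` would make the dependency explicit. If `authorizedService` is consumed by `pam_ldap`/SSSD for per-service access decisions, write access to it is effectively account-access grant and should be restricted accordingly in the ACL — that usage is not visible here, so confirm.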
@ -0,0 +1,30 @@ | |||||
dn: cn=phamm-vacation,cn=schema,cn=config | |||||
objectClass: olcSchemaConfig | |||||
cn: phamm-vacation | |||||
olcAttributeTypes: {0}( 1.3.6.1.4.1.22339.2.1.1 NAME 'vacationActive' DESC ' | |||||
A flag, for marking the user as being away' EQUALITY booleanMatch SYNTAX 1. | |||||
3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||||
olcAttributeTypes: {1}( 1.3.6.1.4.1.22339.2.1.2 NAME 'vacationInfo' DESC 'Ab | |||||
sentee note to leave behind, while on vacation' EQUALITY octetStringMatch S | |||||
YNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||||
olcAttributeTypes: {2}( 1.3.6.1.4.1.22339.2.1.3 NAME 'vacationStart' DESC 'B | |||||
eginning of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115 | |||||
.121.1.40 SINGLE-VALUE ) | |||||
olcAttributeTypes: {3}( 1.3.6.1.4.1.22339.2.1.4 NAME 'vacationEnd' DESC 'End | |||||
of vacation' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.4 | |||||
0 SINGLE-VALUE ) | |||||
olcAttributeTypes: {4}( 1.3.6.1.4.1.22339.2.1.5 NAME 'vacationForward' DESC | |||||
'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5S | |||||
ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) | |||||
olcAttributeTypes: {5}( 1.3.6.1.4.1.22339.2.1.6 NAME 'vacationSubject' DESC | |||||
'Subject for the vacation message' EQUALITY octetStringMatch SYNTAX 1.3.6.1 | |||||
.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||||
olcAttributeTypes: {6}( 1.3.6.1.4.1.22339.2.1.7 NAME 'vacationReminder' DESC | |||||
'How many hours we should wait before a second email from someone will cau | |||||
se another vacation message to be sent to that email address' EQUALITY octe | |||||
tStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||||
olcObjectClasses: {0}( 1.3.6.1.4.1.22339.2.2.1 NAME 'Vacation' DESC 'Users v | |||||
acation status information' SUP top AUXILIARY MUST vacationActive MAY ( vac | |||||
ationInfo $ vacationStart $ vacationEnd $ vacationForward $ vacationSubject | |||||
$ vacationReminder ) ) | |||||
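Review bot: The converted LDIF drops the copyright, GFDL licence and OID-arc header that the removed `phamm-vacation.schema` carried, so attribution and the ownership note for the `1.3.6.1.4.1.22339.2.*` arc are lost in the new file. LDIF accepts `#` comment lines before `dn:`, so the original header block (copyright, licence, OID arc) can be kept verbatim at the top of this file. Apart from that, the attribute and class definitions appear to match the removed schema definition for definition.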
@ -1,63 +0,0 @@ | |||||
#-------------------------------------------------------------------------- | |||||
# LDAP Schema for phamm-vacation | |||||
#---------------------- | |||||
# Release 1.1.1 | |||||
# 2012/08/28 | |||||
#-------------------------------------------------------------------------- | |||||
# Copyright (c) 2008-2016 Mirko Grava, RHX Srl - www.rhx.it | |||||
# Permission is granted to copy, distribute and/or modify this document | |||||
# under the terms of the GNU Free Documentation License, Version 2 | |||||
# or any later version published by the Free Software Foundation; | |||||
#-------------------------------------------------------------------------- | |||||
# 1.3.6.1.4.1.22339 RHX Srl's OID | |||||
# 1.3.6.1.4.1.22339.2 Phamm-vacation | |||||
# 1.3.6.1.4.1.22339.2.1 AttributeTypes | |||||
# 1.3.6.1.4.1.22339.2.2 ObjectClasses | |||||
#-------------------------------------------------------------------------- | |||||
# Attribute Types | |||||
#----------------- | |||||
attributetype ( 1.3.6.1.4.1.22339.2.1.1 NAME 'vacationActive' | |||||
DESC 'A flag, for marking the user as being away' | |||||
EQUALITY booleanMatch | |||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||||
attributetype ( 1.3.6.1.4.1.22339.2.1.2 NAME 'vacationInfo' | |||||
DESC 'Absentee note to leave behind, while on vacation' | |||||
EQUALITY octetStringMatch | |||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||||
attributetype ( 1.3.6.1.4.1.22339.2.1.3 NAME 'vacationStart' | |||||
DESC 'Beginning of vacation' | |||||
EQUALITY octetStringMatch | |||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||||
attributetype ( 1.3.6.1.4.1.22339.2.1.4 NAME 'vacationEnd' | |||||
DESC 'End of vacation' | |||||
EQUALITY octetStringMatch | |||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||||
attributetype ( 1.3.6.1.4.1.22339.2.1.5 NAME 'vacationForward' | |||||
DESC 'RFC1274: RFC822 Mailbox' | |||||
EQUALITY caseIgnoreIA5Match | |||||
SUBSTR caseIgnoreIA5SubstringsMatch | |||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) | |||||
attributetype ( 1.3.6.1.4.1.22339.2.1.6 NAME 'vacationSubject' | |||||
DESC 'Subject for the vacation message' | |||||
EQUALITY octetStringMatch | |||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||||
attributetype ( 1.3.6.1.4.1.22339.2.1.7 NAME 'vacationReminder' | |||||
DESC 'How many hours we should wait before a second email from someone will cause another vacation message to be sent to that email address' | |||||
EQUALITY octetStringMatch | |||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE ) | |||||
# Classes | |||||
#--------- | |||||
objectclass ( 1.3.6.1.4.1.22339.2.2.1 NAME 'Vacation' | |||||
SUP top AUXILIARY | |||||
DESC 'Users vacation status information' | |||||
MUST ( vacationActive ) | |||||
MAY ( vacationInfo $ vacationStart $ vacationEnd $ vacationForward $ vacationSubject $ vacationReminder ) ) |
@ -0,0 +1,132 @@ | |||||
dn: cn=phamm,cn=schema,cn=config | |||||
objectClass: olcSchemaConfig | |||||
cn: phamm | |||||
olcAttributeTypes: {0}( 1.3.6.1.4.1.22339.1.1.1 NAME 'postfixTransport' DESC | |||||
'A string directing postfix which transport to use' EQUALITY caseExactIA5M | |||||
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE ) | |||||
olcAttributeTypes: {1}( 1.3.6.1.4.1.22339.1.1.2 NAME 'accountActive' DESC 'A | |||||
boolean telling whether an account is active or not' EQUALITY booleanMatch | |||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||||
olcAttributeTypes: {2}( 1.3.6.1.4.1.22339.1.1.3 NAME 'lastChange' DESC 'Time | |||||
in unix time of last change in entry' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 | |||||
SINGLE-VALUE ) | |||||
olcAttributeTypes: {3}( 1.3.6.1.4.1.22339.1.1.4 NAME 'vd' DESC 'A virtual do | |||||
main managed by Phamm' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs | |||||
tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | |||||
olcAttributeTypes: {4}( 1.3.6.1.4.1.22339.1.1.5 NAME 'mailbox' DESC 'The abs | |||||
olute path to the mailbox for a mail account in a non-default location' EQU | |||||
ALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {5}( 1.3.6.1.4.1.22339.1.1.6 NAME 'quota' DESC 'A string | |||||
that represents the quota on a mailbox' EQUALITY caseExactIA5Match SYNTAX 1 | |||||
.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {6}( 1.3.6.1.4.1.22339.1.1.7 NAME 'clearPassword' DESC 'A | |||||
separate text that stores the mail account password in clear text' EQUALIT | |||||
Y octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128} ) | |||||
olcAttributeTypes: {7}( 1.3.6.1.4.1.22339.1.1.8 NAME 'maildrop' DESC 'RFC822 | |||||
Mailbox - mail alias' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Subs | |||||
tringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) | |||||
olcAttributeTypes: {8}( 1.3.6.1.4.1.22339.1.1.9 NAME 'mailsource' DESC 'Mess | |||||
age source' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch | |||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) | |||||
olcAttributeTypes: {9}( 1.3.6.1.4.1.22339.1.1.10 NAME 'editAliases' DESC 'A | |||||
boolean telling whether a domain manager can edit Aliases' EQUALITY boolean | |||||
Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||||
olcAttributeTypes: {10}( 1.3.6.1.4.1.22339.1.1.11 NAME 'editAccounts' DESC ' | |||||
A boolean telling whether a domain manager can edit Accounts' EQUALITY bool | |||||
eanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||||
olcAttributeTypes: {11}( 1.3.6.1.4.1.22339.1.1.12 NAME 'editAV' DESC 'A bool | |||||
ean telling whether a domain manager can edit Antivirus' EQUALITY booleanMa | |||||
tch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||||
olcAttributeTypes: {12}( 1.3.6.1.4.1.22339.1.1.13 NAME 'delete' DESC 'A bool | |||||
ean telling whether this item is marked for deletion' EQUALITY booleanMatch | |||||
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||||
olcAttributeTypes: {13}( 1.3.6.1.4.1.22339.1.1.14 NAME 'forwardActive' DESC | |||||
'A boolean telling whether this item is using forward' EQUALITY booleanMatc | |||||
h SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||||
olcAttributeTypes: {14}( 1.3.6.1.4.1.22339.1.1.15 NAME 'maxDomain' DESC 'A s | |||||
tring that represents the max domain for a VirtualAdmin' EQUALITY caseExact | |||||
IA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {15}( 1.3.6.1.4.1.22339.1.1.16 NAME 'maxMail' DESC 'A str | |||||
ing that represents the max mail for a VirtualAdmin' EQUALITY caseExactIA5M | |||||
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {16}( 1.3.6.1.4.1.22339.1.1.17 NAME 'maxAlias' DESC 'A st | |||||
ring that represents the max alias for a VirtualAdmin' EQUALITY caseExactIA | |||||
5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {17}( 1.3.6.1.4.1.22339.1.1.18 NAME 'maxQuota' DESC 'A st | |||||
ring that represents the max quota for a VirtualAdmin' EQUALITY caseExactIA | |||||
5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {18}( 1.3.6.1.4.1.22339.1.1.19 NAME 'adminID' DESC 'A str | |||||
ing that represents the dn of admin domain' EQUALITY caseExactIA5Match SYNT | |||||
AX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {19}( 1.3.6.1.4.1.22339.1.1.20 NAME 'vdHome' DESC 'The ab | |||||
solute path to the virtual domain home' EQUALITY caseExactIA5Match SYNTAX 1 | |||||
.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {20}( 1.3.6.1.4.1.22339.1.1.21 NAME 'otherTransport' DESC | |||||
'A string directing postfix which transport to use' EQUALITY caseExactIA5M | |||||
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE ) | |||||
olcAttributeTypes: {21}( 1.3.6.1.4.1.22339.1.1.22 NAME 'creationDate' DESC ' | |||||
Timestamp of creation' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.12 | |||||
1.1.27{14} SINGLE-VALUE ) | |||||
olcAttributeTypes: {22}( 1.3.6.1.4.1.22339.1.1.23 NAME 'otherPath' DESC 'Thi | |||||
s path to help any application' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4 | |||||
.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {23}( 1.3.6.1.4.1.22339.1.1.24 NAME 'createMaildir' DESC | |||||
'A boolean telling when we must create Maildir for maildrop transport' EQUA | |||||
LITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||||
olcAttributeTypes: {24}( 1.3.6.1.4.1.22339.1.1.25 NAME 'smtpAuth' DESC 'A bo | |||||
olean telling when we could do smtp-auth' EQUALITY booleanMatch SYNTAX 1.3. | |||||
6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||||
olcAttributeTypes: {25}( 1.3.6.1.4.1.22339.1.1.26 NAME 'expireDate' DESC 'Ex | |||||
pire date' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} S | |||||
INGLE-VALUE ) | |||||
olcAttributeTypes: {26}( 1.3.6.1.4.1.22339.1.1.27 NAME 'mailAutoreply' DESC | |||||
'RFC822 Mailbox - mail for autoreply' EQUALITY caseIgnoreIA5Match SUBSTR ca | |||||
seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) | |||||
olcAttributeTypes: {27}( 1.3.6.1.4.1.22339.1.1.28 NAME 'bypassGreyListing' D | |||||
ESC 'A boolean telling when we could bypass Grey Listing' EQUALITY booleanM | |||||
atch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) | |||||
olcAttributeTypes: {28}( 1.3.6.1.4.1.22339.1.1.29 NAME 'phammGroup' DESC 'De | |||||
fine the phamm Group of the VirtualMailAccount' EQUALITY caseIgnoreMatch SU | |||||
BSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) | |||||
olcAttributeTypes: {29}( 1.3.6.1.4.1.22339.1.1.30 NAME 'maxSmtpAuth' DESC 'A | |||||
string that represents the max SMTP Auth for a VirtualAdmin' EQUALITY case | |||||
ExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {30}( 1.3.6.1.4.1.22339.1.1.31 NAME 'maxAntivirus' DESC ' | |||||
A string that represents the max Antivirus for a VirtualAdmin' EQUALITY cas | |||||
eExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {31}( 1.3.6.1.4.1.22339.1.1.32 NAME 'maxAntiSpam' DESC 'A | |||||
string that represents the max AntiSpam for a VirtualAdmin' EQUALITY caseE | |||||
xactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcAttributeTypes: {32}( 1.3.6.1.4.1.22339.1.1.33 NAME 'maxGreyList' DESC 'A | |||||
string that represents the max AntiGreyList for a VirtualAdmin' EQUALITY c | |||||
aseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) | |||||
olcObjectClasses: {0}( 1.3.6.1.4.1.22339.1.2.1 NAME 'VirtualMailAccount' DES | |||||
C 'Mail account objects' SUP inetOrgPerson STRUCTURAL MUST ( mail $ vdHome | |||||
$ mailbox $ accountActive $ lastChange $ delete ) MAY ( quota $ otherTransp | |||||
ort $ editAccounts $ creationDate $ createMaildir $ smtpAuth $ expireDate $ | |||||
mailAutoreply $ bypassGreyListing $ phammGroup ) ) | |||||
olcObjectClasses: {1}( 1.3.6.1.4.1.22339.1.2.2 NAME 'VirtualMailAlias' DESC | |||||
'Mail aliasing/forwarding entry' SUP inetOrgPerson STRUCTURAL MUST ( mail $ | |||||
maildrop $ accountActive $ lastChange ) MAY ( mailsource $ editAccounts $ | |||||
creationDate $ smtpAuth $ expireDate $ bypassGreyListing ) ) | |||||
olcObjectClasses: {2}( 1.3.6.1.4.1.22339.1.2.3 NAME 'VirtualDomain' DESC 'Vi | |||||
rtual Domain entry to be used with postfix transport maps' SUP top STRUCTUR | |||||
AL MUST ( vd $ accountActive $ lastChange $ delete ) MAY ( postfixTransport | |||||
$ description $ maxMail $ maxAlias $ maxQuota $ editAV $ adminID $ creatio | |||||
nDate $ bypassGreyListing $ maxSmtpAuth $ maxAntivirus $ maxAntiSpam $ maxG | |||||
reyList ) ) | |||||
olcObjectClasses: {3}( 1.3.6.1.4.1.22339.1.2.4 NAME 'VirtualForward' DESC 'F | |||||
orward setting for VirtualMailAccount' SUP top AUXILIARY MUST forwardActive | |||||
MAY maildrop ) | |||||
olcObjectClasses: {4}( 1.3.6.1.4.1.22339.1.2.5 NAME 'VirtualAdmin' DESC 'Vir | |||||
tual Admin entry' SUP inetOrgPerson STRUCTURAL MUST ( mail $ maxDomain $ ac | |||||
countActive $ lastChange ) MAY ( vd $ editAccounts ) ) | |||||
olcObjectClasses: {5}( 1.3.6.1.4.1.22339.1.2.6 NAME 'VirtualBackupDomain' DE | |||||
SC 'Virtual Backup Domain entry to be used for relay' SUP top STRUCTURAL MU | |||||
ST ( vd $ accountActive $ lastChange $ delete ) MAY description ) | |||||
olcObjectClasses: {6}( 1.3.6.1.4.1.22339.1.2.7 NAME 'VirtualBackupMail' DESC | |||||
'Virtual Backup Mail entry to be used for relay' SUP top STRUCTURAL MUST ( | |||||
mail $ accountActive $ lastChange ) MAY description ) | |||||
olcObjectClasses: {7}( 1.3.6.1.4.1.22339.1.2.8 NAME 'Yap' DESC 'Yet another | |||||
path' SUP top AUXILIARY MUST otherPath ) | |||||
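Review bot: `clearPassword` ({6}, described as storing the mail account password in clear text) is defined here while the commit says `{SSHA512}` hashing is now properly configured; no object class in this file lists it, but the attribute type still exists in the directory, so any ACL that hides `userPassword` should hide `clearPassword` the same way (the new default ACL is not in this section, so I cannot check it). A comment on that definition, e.g. `# clearPassword holds a plaintext secret — must be covered by the same olcAccess rules as userPassword`, would flag it for whoever edits the ACL. As with the vacation schema, the copyright/GFDL/OID-arc header from the removed `phamm.schema` should be carried over as `#` comment lines before `dn:`.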
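--- a/phamm.schema
+++ b/phamm.schema
@@ -1,240 +0,0 @@
-#--------------------------------------------------------------------------
-# LDAP Schema for phamm
-#----------------------
-# Release 1.5
-# 2014/10/3
-#--------------------------------------------------------------------------
-# Copyright (c) 2006-2016 Mirko Grava, RHX Srl - www.rhx.it
-# Permission is granted to copy, distribute and/or modify this document
-# under the terms of the GNU Free Documentation License, Version 2
-# or any later version published by the Free Software Foundation;
-#--------------------------------------------------------------------------
-# 1.3.6.1.4.1.22339 RHX Srl's OID
-# 1.3.6.1.4.1.22339.1 Phamm
-# 1.3.6.1.4.1.22339.1.1 AttributeTypes
-# 1.3.6.1.4.1.22339.1.2 ObjectClasses
-#--------------------------------------------------------------------------
-# Attribute Types
-#-----------------
-attributetype ( 1.3.6.1.4.1.22339.1.1.1 NAME 'postfixTransport'
-        DESC 'A string directing postfix which transport to use'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.2 NAME 'accountActive'
-        DESC 'A boolean telling whether an account is active or not'
-        EQUALITY booleanMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.3 NAME 'lastChange'
-        DESC 'Time in unix time of last change in entry'
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.4 NAME 'vd'
-        DESC 'A virtual domain managed by Phamm'
-        EQUALITY caseIgnoreIA5Match
-        SUBSTR caseIgnoreIA5SubstringsMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-attributetype ( 1.3.6.1.4.1.22339.1.1.5 NAME 'mailbox'
-        DESC 'The absolute path to the mailbox for a mail account in a non-default location'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.6 NAME 'quota'
-        DESC 'A string that represents the quota on a mailbox'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.7 NAME 'clearPassword'
-        DESC 'A separate text that stores the mail account password in clear text'
-        EQUALITY octetStringMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40{128})
-attributetype ( 1.3.6.1.4.1.22339.1.1.8 NAME 'maildrop'
-        DESC 'RFC822 Mailbox - mail alias'
-        EQUALITY caseIgnoreIA5Match
-        SUBSTR caseIgnoreIA5SubstringsMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-attributetype ( 1.3.6.1.4.1.22339.1.1.9 NAME 'mailsource'
-        DESC 'Message source'
-        EQUALITY caseIgnoreIA5Match
-        SUBSTR caseIgnoreIA5SubstringsMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-attributetype ( 1.3.6.1.4.1.22339.1.1.10 NAME 'editAliases'
-        DESC 'A boolean telling whether a domain manager can edit Aliases'
-        EQUALITY booleanMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.11 NAME 'editAccounts'
-        DESC 'A boolean telling whether a domain manager can edit Accounts'
-        EQUALITY booleanMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.12 NAME 'editAV'
-        DESC 'A boolean telling whether a domain manager can edit Antivirus'
-        EQUALITY booleanMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.13 NAME 'delete'
-        DESC 'A boolean telling whether this item is marked for deletion'
-        EQUALITY booleanMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.14 NAME 'forwardActive'
-        DESC 'A boolean telling whether this item is using forward'
-        EQUALITY booleanMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.15 NAME 'maxDomain'
-        DESC 'A string that represents the max domain for a VirtualAdmin'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.16 NAME 'maxMail'
-        DESC 'A string that represents the max mail for a VirtualAdmin'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.17 NAME 'maxAlias'
-        DESC 'A string that represents the max alias for a VirtualAdmin'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.18 NAME 'maxQuota'
-        DESC 'A string that represents the max quota for a VirtualAdmin'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.19 NAME 'adminID'
-        DESC 'A string that represents the dn of admin domain'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.20 NAME 'vdHome'
-        DESC 'The absolute path to the virtual domain home'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.21 NAME 'otherTransport'
-        DESC 'A string directing postfix which transport to use'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{20} SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.22 NAME 'creationDate'
-        DESC 'Timestamp of creation'
-        EQUALITY integerMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.23 NAME 'otherPath'
-        DESC 'This path to help any application'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.24 NAME 'createMaildir'
-        DESC 'A boolean telling when we must create Maildir for maildrop transport'
-        EQUALITY booleanMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.25 NAME 'smtpAuth'
-        DESC 'A boolean telling when we could do smtp-auth'
-        EQUALITY booleanMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.26 NAME 'expireDate'
-        DESC 'Expire date'
-        EQUALITY integerMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{14} SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.27 NAME 'mailAutoreply'
-        DESC 'RFC822 Mailbox - mail for autoreply'
-        EQUALITY caseIgnoreIA5Match
-        SUBSTR caseIgnoreIA5SubstringsMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
-attributetype ( 1.3.6.1.4.1.22339.1.1.28 NAME 'bypassGreyListing'
-        DESC 'A boolean telling when we could bypass Grey Listing'
-        EQUALITY booleanMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.29 NAME 'phammGroup'
-        DESC 'Define the phamm Group of the VirtualMailAccount'
-        EQUALITY caseIgnoreMatch
-        SUBSTR caseIgnoreSubstringsMatch
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
-attributetype ( 1.3.6.1.4.1.22339.1.1.30 NAME 'maxSmtpAuth'
-        DESC 'A string that represents the max SMTP Auth for a VirtualAdmin'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.31 NAME 'maxAntivirus'
-        DESC 'A string that represents the max Antivirus for a VirtualAdmin'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.32 NAME 'maxAntiSpam'
-        DESC 'A string that represents the max AntiSpam for a VirtualAdmin'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-attributetype ( 1.3.6.1.4.1.22339.1.1.33 NAME 'maxGreyList'
-        DESC 'A string that represents the max AntiGreyList for a VirtualAdmin'
-        EQUALITY caseExactIA5Match
-        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
-# Classes
-#---------
-objectclass ( 1.3.6.1.4.1.22339.1.2.1 NAME 'VirtualMailAccount'
-        SUP inetOrgPerson STRUCTURAL
-        DESC 'Mail account objects'
-        MUST ( mail $ vdHome $ mailbox $ accountActive $ lastChange $ delete )
-        MAY ( quota $ otherTransport $ editAccounts $ creationDate $ createMaildir $ smtpAuth $ expireDate $ mailAutoreply $ bypassGreyListing $ phammGroup ) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.2 NAME 'VirtualMailAlias'
-        SUP inetOrgPerson STRUCTURAL
-        DESC 'Mail aliasing/forwarding entry'
-        MUST ( mail $ maildrop $ accountActive $ lastChange )
-        MAY ( mailsource $ editAccounts $ creationDate $ smtpAuth $ expireDate $ bypassGreyListing) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.3 NAME 'VirtualDomain'
-        SUP top STRUCTURAL
-        DESC 'Virtual Domain entry to be used with postfix transport maps'
-        MUST ( vd $ accountActive $ lastChange $ delete )
-        MAY ( postfixTransport $ description $ maxMail $ maxAlias $ maxQuota $ editAV $ adminID $ creationDate $ bypassGreyListing $ maxSmtpAuth $ maxAntivirus $ maxAntiSpam $ maxGreyList) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.4 NAME 'VirtualForward'
-        SUP top AUXILIARY
-        DESC 'Forward setting for VirtualMailAccount'
-        MUST ( forwardActive )
-        MAY ( maildrop ) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.5 NAME 'VirtualAdmin'
-        SUP inetOrgPerson STRUCTURAL
-        DESC 'Virtual Admin entry'
-        MUST ( mail $ maxDomain $ accountActive $ lastChange )
-        MAY ( vd $ editAccounts ) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.6 NAME 'VirtualBackupDomain'
-        SUP top STRUCTURAL
-        DESC 'Virtual Backup Domain entry to be used for relay'
-        MUST ( vd $ accountActive $ lastChange $ delete )
-        MAY ( description ) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.7 NAME 'VirtualBackupMail'
-        SUP top STRUCTURAL
-        DESC 'Virtual Backup Mail entry to be used for relay'
-        MUST ( mail $ accountActive $ lastChange )
-        MAY ( description ) )
-objectclass ( 1.3.6.1.4.1.22339.1.2.8 NAME 'Yap'
-        SUP top AUXILIARY
-        DESC 'Yet another path'
-        MUST ( otherPath )
-        )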
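--- a/1_configure_server.yaml
+++ b/1_configure_server.yaml
@@ -0,0 +1,201 @@
+---
+- include_role:
+    name: 'service'
+    vars:
+        service_name: 'nscd'
+        service_packages: 'nscd'
+- name: 'set debconf values'
+  debconf:
+    name: 'slapd'
+    question: '{{ item.question }}'
+    vtype: 'string'
+    value: '{{ item.value }}'
+  loop:
+    - { question: 'slapd/domain', value: '{{ ldap_domain }}' }
+    - { question: 'slapd/dump_database', value: 'when needed' }
+    - { question: 'shared/organization', value: '{{ ldap_organization }}' }
+- include_role:
+    name: 'service'
+    vars:
+        service_name: 'slapd'
+        service_packages:
+            - 'slapd'
+            - 'ldap-utils'
+            - 'libpam-ldap'
+            - 'python3-ldap'
+            - 'sudo'
+- name: 'start slapd service'
+  service:
+    name: 'slapd'
+    enabled: true
+    state: 'started'
+- name: 'copy schemas'
+  copy:
+    src: '{{ item }}'
+    dest: '/etc/ldap/schema/'
+  loop:
+    - 'ldapns.ldif'
+    - 'kerberos.ldif'
+    - 'phamm.ldif'
+    - 'phamm-vacation.ldif'
+- name: 'activate schemas'
+  command:
+    cmd: 'ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/{{ item }}'
+    creates: '/etc/ldap/slapd.d/cn=config/cn=schema/cn={*}{{ item }}'
+  loop:
+    - 'ldapns.ldif'
+    - 'kerberos.ldif'
+    - 'phamm.ldif'
+    - 'phamm-vacation.ldif'
+- name: 'activate modules'
+  ldap_attr:
+    dn: 'cn=module{0},cn=config'
+    name: 'olcModuleLoad'
+    values:
+      - '{0}back_mdb'
+      - '{1}pw-sha2'
+      - '{2}auditlog'
+      - '{3}memberof'
+- name: 'create log dir'
+  file:
+    path: '/var/log/openldap'
+    owner: 'openldap'
+    group: 'openldap'
+    state: 'directory'
+- name: 'set loglevel'
+  ldap_attr:
+    dn: 'cn=config'
+    name: 'olcLogLevel'
+    values: 'conns acl'
+- name: 'activate auditlog overlay'
+  ldap_entry:
+    dn: 'olcOverlay={0}auditlog,olcDatabase={{ item.db }},cn=config'
+    objectClass:
+      - 'olcOverlayConfig'
+      - 'olcAuditLogConfig'
+    attributes:
+      olcAuditlogFile: '/var/log/openldap/{{ item.logfile }}'
+  loop:
+    - { db: '{0}config', logfile: 'audit_config.ldif' }
+    - { db: '{1}mdb', logfile: 'audit_mdb.ldif' }
+- name: 'activate memberof overlay'
+  ldap_entry:
+    dn: 'olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config'
+    objectClass:
+      - 'olcOverlayConfig'
+      - 'olcMemberOf'
+- name: 'set default password hash'
+  ldap_attr:
+    dn: 'olcDatabase={-1}frontend,cn=config'
+    name: 'olcPasswordHash'
+    values: '{SSHA512}'
+- name: 'evaluating base_dn'
+  set_fact:
+    base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'
+- name: 'configure TLS x509 <-> ldap dn translation'
+  ldap_attr:
+    dn: 'cn=config'
+    name: 'olcAuthzRegexp'
+    state: 'exact'
+    values:
+      - |-
+        {0} ^cn=([^,]+),ou=Server,{{ x509_suffix }}$
+        cn=$1,ou=Server,{{ base_dn }}
+      - |-
+        {1} ^mail=[^,]+,cn=([^,]+),ou=People,{{ x509_suffix }}$
+        cn=$1,ou=People,{{ base_dn }}
+- name: 'configure main tree acls'
+  ldap_attr:
+    dn: 'olcDatabase={1}mdb,cn=config'
+    name: 'olcAccess'
+    state: 'exact'
+    values:
+      # [0] -> Admins can proxy-auth to RootDN
+      #        /proxy-auth is not required for routine user-management operations
+      - |-
+        {0} to dn.exact=cn=admin,{{ base_dn }} attrs=authzFrom
+          by group.exact=cn=admin,ou=Group,dc=lilik,dc=it auth
+          by * none
+      # [1] :: ou=People
+      # [1.0] -> Admins can edit People `userPassword`
+      #       -> People can edit their `userPassword`
+      #       -> Anyone can auth with `userPassword` if using strong TLS.
+      - |-
+        {1} to dn.one=ou=People,{{ base_dn }} attrs=userPassword
+          by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+          by self write
+          by anonymous tls_ssf=256 auth
+          by * none
+      # [1.1] -> Admins can list the full People tree
+      #       -> Servers can perform search on People tree
+      - |-
+        {2}to dn.exact=ou=People,{{ base_dn }} attrs=entry
+          by group.exact=cn=admin,ou=Group,{{ base_dn }} read
+          by dn.children=ou=Server,{{ base_dn }} search
+          by * none
+      # [1.2] -> Admins can add/remove People entries
+      - |-
+        {3} to dn.exact=ou=People,{{ base_dn }} attrs=children
+          by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+          by * none
+      # [1.3] -> Admins can edit all People attributes
+      #       -> Servers can read all People attributes (except userPassword)
+      #       -> People can read all their attributes
+      #       -> Break: over privileges may be accorded later (i.e.: servers)
+      - |-
+        {4} to dn.one=ou=People,{{ base_dn }}
+          by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+          by dn.children=ou=Server,{{ base_dn }} read
+          by self read
+          by * break
+      # [1.5] -> No other access to People tree
+      - |-
+        {5} to dn.subtree=ou=People,{{ base_dn }}
+          by * none
+      # [2] :: ou=Group
+      # [2.1] -> Admins can add/remove members from groups
+      - |-
+        {6} to dn.one=ou=Group,{{ base_dn }} attrs=member
+          by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+          by * none
+      # [2.2] -> No other access to Group tree
+      - |-
+        {7} to dn.children=ou=Group,{{ base_dn }}
+          by * none
+      # [3] :: ou=Server
+      # [3.0] -> Local servers can simple-bind their entries if using TLS
+      #          /Server using TLS-client Auth with OU=Server are automatically authenticated
+      - |-
+        {8} to dn.children=ou=Server,{{ base_dn }} attrs=userPassword
+          by peername.ip=10.151.42.0%255.255.255.0 tls_ssf=256 auth
+          by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+          by * none
+      # [3.1] -> No other access to Server tree
+      - |-
+        {9} to dn.subtree=ou=Server,{{ base_dn }}
+          by * none
+      # [4] :: ou=VirtualDomains - WiP
+      # [4.0] -> Admins can write whole subtree
+      # [4.1] -> Servers can read whole subtree
+      # - >-
+      #     to dn.subtree=ou=VirtualDomains,{{ base_dn }}
+      #       by group.exact=cn=admin,ou=Group,{{ base_dn }} write
+      #       by dn.children=ou=Server,{{ base_dn }} read
+      # [5] :: ou=Kerberos - Wi
+...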
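Review bot: ACL `{0}` hard-codes `dc=lilik,dc=it` in its `by group.exact=` clause (L724) while every other rule derives the suffix from `{{ base_dn }}`, so with any other `ldap_domain` the admin group never matches and the authzFrom grant is silently denied; change it to `by group.exact=cn=admin,ou=Group,{{ base_dn }} auth`. Rule `{8}` has the same site-specific problem with `peername.ip=10.151.42.0%255.255.255.0` (L777), which belongs in a role variable rather than in the task file, and `{2}` lacks the space after its ordering prefix (`{2}to`, L739) that its siblings have. `olcLogLevel: conns acl` (L676) logs every ACL evaluation, which is very verbose on a live directory; a comment saying it is a debugging setting, or a variable to switch it off, would help the next maintainer.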
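--- a/2_renew_rootpw.yaml
+++ b/2_renew_rootpw.yaml
@@ -0,0 +1,40 @@
+---
+- name: 'evaluating base_dn'
+  set_fact:
+    base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'
+- name: 'renewing admin password - generation'
+  gen_passwd: 'length=32'
+  register: new_passwd
+- name: 'renewing admin password - hashing'
+  shell: >
+    slappasswd
+    -o module-load=pw-sha2
+    -h "{SSHA512}"
+    -s "{{ new_passwd.passwd }}"
+  register: new_passwd_hash
+- name: 'renewing admin password - setting RootPW'
+  ldap_attr:
+    dn: 'olcDatabase={1}mdb,cn=config'
+    name: 'olcRootPW'
+    values: '{{ new_passwd_hash.stdout }}'
+    state: 'exact'
+- name: 'renewing admin password - calling ldappasswd'
+  ldap_passwd:
+    dn: 'cn=admin,{{ base_dn }}'
+    passwd: '{{ new_passwd.passwd }}'
+    bind_dn: 'cn=admin,{{ base_dn }}'
+    bind_pw: '{{ new_passwd.passwd }}'
+- name: 'renewing admin password - storing plaintext'
+  copy:
+    content: '{{ new_passwd.passwd }}'
+    dest: '/etc/slapd.secret'
+- name: 'renewing admin password - setting fact'
+  set_fact:
+    ldap_passwd: '{{ new_passwd.passwd }}'
+...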
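Review bot: The plaintext rootdn password is written to `/etc/slapd.secret` (L820-823) without a `mode`, so `copy` creates the file under the default umask and it is typically world-readable; add `mode: '0600'` and `owner: 'root'` to that task. The same secret is passed to `slappasswd -s` as a command-line argument (L806), where it is visible to every local user in the process list, and neither the generation nor the hashing task is marked `no_log: true`, so the password and its hash also land in Ansible's output and logs. Prefer feeding the secret through the command module's `stdin:` argument with `slappasswd -T /dev/stdin`, and add `no_log: true` to every task here that handles `new_passwd.passwd`.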
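--- a/3_provision_tree.yaml
+++ b/3_provision_tree.yaml
@@ -0,0 +1,143 @@
+---
+- name: 'evaluating base_dn'
+  set_fact:
+    base_dn: 'dc={{ ldap_domain.replace(".", ",dc=") }}'
+- when: ldap_passwd is not defined
+  block:
+    - name: 'get plaintext admin password'
+      slurp:
+        path: '/etc/slapd.secret'
+      register: slapd_secret
+    - name: 'set ldap_passwd'
+      set_fact:
+        ldap_passwd: '{{ slapd_secret.content | b64decode }}'
+- set_fact:
+- name: 'provisioning tree - organization units'
+  ldap_entry:
+    dn: 'ou={{ item }},{{ base_dn }}'
+    objectClass:
+      - 'organizationalUnit'
+    bind_dn: 'cn=admin,{{ base_dn }}'
+    bind_pw: '{{ ldap_passwd }}'
+  loop:
+    - 'People'
+    - 'Group'
+    - 'Server'
+    - 'VirtualDomain'
+    - 'Kerberos'
+- name: 'provisioning tree - virtual domains'
+  ldap_entry:
+    dn: 'vd={{ item }},ou=VirtualDomain,{{ base_dn }}'
+    objectClass:
+      - 'VirtualDomain'
+    attributes:
+      postfixTransport: 'maildrop:'
+      delete: 'FALSE'
+      accountActive: 'TRUE'
+      lastChange: '{{ ansible_date_time.epoch }}'
+    bind_dn: 'cn=admin,{{ base_dn }}'
+    bind_pw: '{{ ldap_passwd }}'
+  loop: '{{ virtual_domains }}'
+- name: 'provisioning tree - virtual domain postmasters'
+  ldap_entry:
+    dn: 'cn=postmaster,vd={{ item }},ou=VirtualDomain,{{ base_dn }}'
+    objectClass:
+      - 'VirtualMailAlias'
+    attributes:
+      mail: 'postmaster@{{ item }}'
+      editAccounts: 'TRUE'
+      accountActive: 'TRUE'
+      lastChange: '{{ ansible_date_time.epoch }}'
+      maildrop: 'postmaster'
+      sn: 'postmaster'
+    bind_dn: 'cn=admin,{{ base_dn }}'
+    bind_pw: '{{ ldap_passwd }}'
+  loop: '{{ virtual_domains }}'
+- name: 'provisioning tree - posix groups'
+  ldap_entry:
+    dn: 'cn={{ item.name }},ou=Group,{{ base_dn }}'
+    objectClass:
+      - 'posixGroup'
+    attributes:
+      gidNumber: '{{ item.gid }}'
+    bind_dn: 'cn=admin,{{ base_dn }}'
+    bind_pw: '{{ ldap_passwd }}'
+  loop:
+    - { name: 'stduser', gid: 5000 }
+    - { name: 'user_sites', gid: 900 }
+- name: 'provisioning tree - name groups'
+  ldap_entry:
+    dn: 'cn={{ item }},ou=Group,{{ base_dn }}'
+    objectClass:
+      - 'groupOfNames'
+    attributes:
+      member: 'cn=admin,{{ base_dn }}'
+    bind_dn: 'cn=admin,{{ base_dn }}'
+    bind_pw: '{{ ldap_passwd }}'
+  loop:
+    - 'admin'
+    - 'wiki'
+    - 'lilik.it'
+    - 'cloud'
+    - 'projects'
+    - 'teambox'
+    - 'im'
+- name: 'provisioning tree - test users'
+  ldap_entry:
+    dn: 'cn={{ item.user }},ou=People,{{ base_dn }}'
+    objectClass:
+      - 'inetOrgPerson'
+      - 'authorizedServiceObject'
+    attributes: '{{ item.attrs }}'
+    bind_dn: 'cn=admin,{{ base_dn }}'
+    bind_pw: '{{ ldap_passwd }}'
+  loop:
+    - { user: 'pippo', attrs: { sn: 'User Pippo', mail: 'pippo@lilik.it', authorizedService: 'gitlab' } }
+    - { user: 'pluto', attrs: { sn: 'User Pluto', mail: 'pluto@lilik.it' } }
+    - { user: 'test_admin', attrs: { sn: 'Test admin', mail: 'admin1@lilik.it' } }
+- name: 'provisioning tree - test users passwd'
+  ldap_passwd:
+    dn: 'cn={{ item.user }},ou=People,{{ base_dn }}'
+    passwd: '{{ item.passwd }}'
+    bind_dn: 'cn=admin,{{ base_dn }}'
+    bind_pw: '{{ ldap_passwd }}'
+  loop:
+    - { user: 'pippo', passwd: 'pippopippo' }
+    - { user: 'pluto', passwd: 'plutopluto' }
+    - { user: 'test_admin', passwd: 'pippopippo' }
+- name: 'provisioning tree - admin group members'
+  ldap_attr:
+    dn: 'cn=admin,ou=Group,{{ base_dn }}'
+    name: 'member'
+    values: 'cn=test_admin,ou=People,{{ base_dn }}'
+    bind_dn: 'cn=admin,{{ base_dn }}'
+    bind_pw: '{{ ldap_passwd }}'
+- name: 'provisioning tree - servers'
+  ldap_entry:
+    dn: 'cn={{ item }},ou=Server,{{ base_dn }}'
+    objectClass: 'applicationProcess'
+    objectClass: 'person'
+    attributes:
+      sn: '{{ item }}'
+    bind_dn: 'cn=admin,{{ base_dn }}'
+    bind_pw: '{{ ldap_passwd }}'
+  loop:
+    - 'TestServer'
+    - 'projects'
+#- name: templating ACLs
+#  template:
+#    src: "global.acl.j2"
+#    dest: "/etc/ldap/{{ item }}"
+...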
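Review bot: The bare `- set_fact:` at L842 carries no key/value pairs, which Ansible rejects at run time, so this file fails before any entry is provisioned; delete that line. The servers task (L946-947) repeats the `objectClass` key in one mapping, and Ansible's YAML loader keeps only the last duplicate, so the entries get `person` but not `applicationProcess`; it should be a list, `objectClass: ['applicationProcess', 'person']`, though I believe both classes are STRUCTURAL in the core schema and slapd will reject that pair, so check which class is actually intended. The test users with fixed passwords (`pippopippo`, `plutopluto`, L933-935) and the `test_admin` membership in `cn=admin,ou=Group` (L936-942) are created whenever `check_tree` is true, so a production deployment ends up with a publicly known administrator credential; gate those three tasks behind an explicit test-only variable or move them out of the role.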
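--- a/4_setup_tls.yaml
+++ b/4_setup_tls.yaml
@@ -0,0 +1,128 @@
+- apt:
+    pkg: 'openssl'
+    state: 'present'
+- name: 'generate ED25519 private key'
+  shell:
+    cmd: >
+      openssl genpkey
+      -algorithm ED25519
+      -out /etc/ldap/slapd.key
+    creates: '/etc/ldap/slapd.key'
+- name: 'set private key ownership'
+  file:
+    path: '/etc/ldap/slapd.key'
+    owner: 'openldap'
+    group: 'openldap'
+    mode: '600'
+- name: 'generate certificate request'
+  shell:
+    cmd: >
+      openssl req
+      -new
+      -subj "{{ ssl_subject_prefix }}/OU=Server/CN={{ ansible_hostname }}.{{ fqdn_domain }}"
+      -key /etc/ldap/slapd.key
+      -out /etc/ldap/slapd.csr
+    creates: '/etc/ldap/slapd.csr'
+- name: 'set key ownership and permission'
+  file:
+    path: /etc/ldap
+- name: 'lookup_ssl_ca_cert'
+  when: ssl_ca_cert is not defined
+  set_fact:
+    ssl_ca_cert: '{{ lookup("file", "lilik_ca_w1.pub") }}'
+- name: 'update ssl_ca_cert'
+  copy:
+    content: "{{ ssl_ca_cert }}"
+    dest: '/etc/ldap/ssl_ca.crt'
+- name: 'check if slapd cert is valid'
+  command: >
+    openssl verify
+    -CAfile /etc/ldap/ssl_ca.crt
+    -untrusted /etc/ldap/slapd.crt
+    /etc/ldap/slapd.crt
+  register: slapd_cert_is_valid
+  changed_when: false
+  failed_when: false
+- when: slapd_cert_is_valid.rc != 0
+  block:
+    - name: 'renewing cert - generating ca request'
+      cert_request:
+        host: '{{ ansible_hostname }}.{{ fqdn_domain }}'
+        path: '/etc/ldap/slapd.csr'
+        proto: 'ssl'
+      register: ca_request
+    - name: 'renewing cert - sending ca sign request'
+      include: 'ca-dialog.yaml'
+    - set_fact:
+        request_output: '{{ request_result.stdout | string | from_json }}'
+    - debug:
+        var: request_result
+    - name: 'renewing cert - generating get cert request'
+      set_fact:
+        ca_request:
+          type: 'get_certificate'
+          requestID: '{{ request_output.requestID }}'
+    - debug:
+        msg: >
+          Please manually confirm sign request with id
+          {{ request_output.requestID }}
+    - name: 'renewing cert - waiting for ca signature'
+      include: 'ca-dialog.yaml'
+    - set_fact:
+        cert_key: '{{ request_result.stdout | string | from_json }}'
+    - debug:
+        var: request_result
+        verbosity: 2
+    - name: 'renewing cert - storing new cert file'
+      copy:
+        content: '{{ cert_key.result }}'
+        dest: '/etc/ldap/slapd.crt'
+# !BUG! Fixed in Ansible dev using ldap_attrs instead of ldap_attr
+# Ref: https://github.com/ansible/ansible/issues/25665
+- name: 'configuring TLS options (workaround)'
+  ldap_attr:
+    dn: 'cn=config'
+    name: '{{ item.name }}'
+    values: '{{ item.value }}'
+  loop:
+    - { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
+    - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
+  failed_when: false
+- name: 'configuring TLS options'
+  ldap_attr:
+    dn: 'cn=config'
+    name: '{{ item.name }}'
+    values: '{{ item.value }}'
+    state: 'exact'
+  loop:
+    - { name: 'olcTLSCertificateFile', value: '/etc/ldap/slapd.crt' }
+    - { name: 'olcTLSCertificateKeyFile', value: '/etc/ldap/slapd.key' }
+    - { name: 'olcTLSCACertificateFile', value: '/etc/ldap/ssl_ca.crt' }
+    - { name: 'olcTLSVerifyClient', value: 'try' } # TLS Client Auth
+- name: 'configuring slapd service'
+  lineinfile:
+    line: 'SLAPD_SERVICES="ldap:/// ldapi:/// ldaps:///"'
+    regexp: '^SLAPD_SERVICES='
+    path: '/etc/default/slapd'
+  notify:
+    - 'restart slapd'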
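Review bot: `openssl genpkey` (L967-969) writes `/etc/ldap/slapd.key` under the shell's default umask, and the `file` task that narrows it to `600` only runs afterwards, so the private key is briefly readable by every local user; since this is a `shell` task, prefix the command with `umask 077;` so the key is never created open. The task 'set key ownership and permission' (L986-988) passes only `path: /etc/ldap` to `file`, which merely checks that the path exists and changes nothing — give it the intended `owner`/`group`/`mode`, or drop it. The `SLAPD_SERVICES` line (L1064) keeps the plaintext `ldap:///` listener on all interfaces while nothing in this file sets `olcSecurity` or `olcTLSProtocolMin` on `cn=config`; the `tls_ssf=256` conditions in the ACLs protect password binds only, so if unencrypted queries are not intended, consider adding `olcSecurity: tls=256` on the mdb database and a minimum TLS version alongside the other TLS options.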
@ -1,123 +1,16 @@ | |||||
- include_role: | |||||
name: service | |||||
vars: | |||||
service_name: nscd | |||||
service_packages: nscd | |||||
- name: configure OpenLDAP (domain) | |||||
debconf: | |||||
name: 'slapd' | |||||
question: 'slapd/domain' | |||||
vtype: 'string' | |||||
value: '{{ ldap_domain }}' | |||||
- name: configure OpenLDAP (configure) | |||||
debconf: | |||||
name: 'slapd' | |||||
question: 'slapd/dump_database' | |||||
vtype: 'string' | |||||
value: 'when needed' | |||||
- name: configure OpenLDAP (organization) | |||||
debconf: | |||||
name: 'slapd' | |||||
question: 'shared/organization' | |||||
vtype: 'string' | |||||
value: '{{ ldap_organization }}' | |||||
- name: slurp slap secret file | |||||
slurp: | |||||
src: /etc/slapd.secret | |||||
register: slapdsecret | |||||
failed_when: false | |||||
changed_when: false | |||||
- set_fact: | |||||
slapd_passwd: "{{ slapdsecret['content'] | b64decode }}" | |||||
when: '"content" in slapdsecret' | |||||
- block: | |||||
- name: generate admin password | |||||
gen_passwd: length=20 | |||||
register: new_passwd | |||||
- name: store slapd secret | |||||
copy: | |||||
content : "{{ new_passwd.passwd }}" | |||||
dest: /etc/slapd.secret | |||||
- set_fact: | |||||
slapd_passwd: "{{ new_passwd.passwd }}" | |||||
when: 'not "content" in slapdsecret' | |||||
- name: configure OpenLDAP (password1) | |||||
debconf: | |||||
name: 'slapd' | |||||
question: 'slapd/password1' | |||||
vtype: 'string' | |||||
value: '{{ slapd_passwd }}' | |||||
- name: configure OpenLDAP (password2) | |||||
debconf: | |||||
name: 'slapd' | |||||
question: 'slapd/password2' | |||||
vtype: 'string' | |||||
value: '{{ slapd_passwd }}' | |||||
- include_role: | |||||
name: service | |||||
vars: | |||||
service_name: slapd | |||||
service_packages: | |||||
- slapd | |||||
- ldap-utils | |||||
- libpam-ldap | |||||
- sudo | |||||
- name: download schemas | |||||
copy: | |||||
src: "{{ item }}" | |||||
dest: /etc/ldap/schema/ | |||||
loop: | |||||
- "phamm.schema" | |||||
- "phamm-vacation.schema" | |||||
- name: upload slapd config | |||||
template: | |||||
src: slapd.conf.j2 | |||||
dest: "/etc/ldap/slapd.conf" | |||||
- name: update slapd config | |||||
shell: slaptest -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d | |||||
args: | |||||
creates: "/etc/ldap/slapd.d/cn=config/cn=schema/cn={4}phamm.ldif" | |||||
become: true | |||||
become_method: sudo | |||||
become_user: openldap | |||||
notify: restart slapd | |||||
- name: fix missing memberOf and pw-sha2 module load | |||||
blockinfile: | |||||
dest: /etc/ldap/slapd.d/cn=config/cn=module{0}.ldif | |||||
content: | | |||||
olcModuleLoad: {1}memberof | |||||
olcModuleLoad: {2}pw-sha2 | |||||
notify: restart slapd | |||||
- name: upload default tree | |||||
template: | |||||
dest=/etc/ldap/default_tree.ldif | |||||
src=default_tree.ldif.j2 | |||||
owner=root | |||||
group=root | |||||
mode=0400 | |||||
register: upload_default_tree | |||||
- name: create default tree | |||||
shell: slapadd -l /etc/ldap/default_tree.ldif | |||||
when: upload_default_tree.changed | |||||
notify: restart slapd | |||||
- name: enable OpenLDAP server | |||||
service: | |||||
name: 'slapd' | |||||
enabled: true | |||||
state: started | |||||
--- | |||||
- name: 'including configuration tasks' | |||||
include_tasks: '1_configure_server.yaml' | |||||
- name: 'including password renewal tasks' | |||||
include_tasks: '2_renew_rootpw.yaml' | |||||
when: renew_rootdn_pw | |||||
- name: 'including tree provisionig tasks' | |||||
include_tasks: '3_provision_tree.yaml' | |||||
when: check_tree | |||||
- name: 'including tls tasks' | |||||
include_tasks: '4_setup_tls.yaml' | |||||
when: ldap_tls_enabled | |||||
... |
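Review bot: `2_renew_rootpw.yaml` is included whenever `renew_rootdn_pw` is true (L1180-1182), and that file regenerates the rootdn password and rewrites `/etc/slapd.secret` unconditionally, so every run with that flag set rotates the credential and invalidates whatever else still holds the previous one; if rotation on each run is not the intent, condition the include on the secret file being absent (a registered `stat` result) as the removed code did with its `slurp` check. The task name at L1183 misspells "provisioning" as `provisionig`. The old and new sides of this rendered hunk are not marked, so I have read L1177-1189 as the new `main.yaml`.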
@ -1,186 +0,0 @@ | |||||
# Entry 4: o=Group,dc=lilik,dc=it | |||||
dn: o=Group,dc=lilik,dc=it | |||||
hassubordinates: TRUE | |||||
o: Group | |||||
objectclass: organization | |||||
objectclass: top | |||||
structuralobjectclass: organization | |||||
subschemasubentry: cn=Subschema | |||||
# Entry 10: cn=stdusers,o=Group,dc=lilik,dc=it | |||||
dn: cn=stdusers,o=Group,dc=lilik,dc=it | |||||
cn: stdusers | |||||
gidnumber: 9000 | |||||
hassubordinates: FALSE | |||||
objectclass: posixGroup | |||||
objectclass: top | |||||
structuralobjectclass: posixGroup | |||||
subschemasubentry: cn=Subschema | |||||
# Entry 12: cn=users_sites,o=Group,dc=lilik,dc=it | |||||
dn: cn=users_sites,o=Group,dc=lilik,dc=it | |||||
cn: users_sites | |||||
gidnumber: 500 | |||||
hassubordinates: FALSE | |||||
memberuid: test_user | |||||
objectclass: posixGroup | |||||
objectclass: top | |||||
structuralobjectclass: posixGroup | |||||
subschemasubentry: cn=Subschema | |||||
# Entry 14: o=hosting,dc=lilik,dc=it | |||||
dn: o=hosting,dc=lilik,dc=it | |||||
description: mail.lilik.it hosting root | |||||
hassubordinates: TRUE | |||||
o: hosting | |||||
objectclass: top | |||||
objectclass: organization | |||||
structuralobjectclass: organization | |||||
subschemasubentry: cn=Subschema | |||||
# Entry 22: vd=lilik.it,o=hosting,dc=lilik,dc=it | |||||
dn: vd=lilik.it,o=hosting,dc=lilik,dc=it | |||||
accountactive: TRUE | |||||
delete: FALSE | |||||
editav: FALSE | |||||
hassubordinates: TRUE | |||||
maxalias: 20 | |||||
maxmail: 11 | |||||
maxquota: 250 | |||||
objectclass: top | |||||
objectclass: VirtualDomain | |||||
postfixtransport: maildrop: | |||||
structuralobjectclass: VirtualDomain | |||||
subschemasubentry: cn=Subschema | |||||
vd: lilik.it | |||||
lastChange: 1228821387 | |||||
# Entry 23: cn=postmaster,vd=lilik.it,o=hosting,dc=lilik,dc=it | |||||
dn: cn=postmaster,vd=lilik.it,o=hosting,dc=lilik,dc=it | |||||
accountactive: TRUE | |||||
cn: postmaster | |||||
editaccounts: TRUE | |||||
hassubordinates: FALSE | |||||
mail: postmaster | |||||
maildrop: postmaster | |||||
objectclass: top | |||||
objectclass: VirtualMailAlias | |||||
sn: postmaster | |||||
structuralobjectclass: VirtualMailAlias | |||||
subschemasubentry: cn=Subschema | |||||
userpassword: {SSHA}4IuBxQNWgMNPX/lCtP2GgbJeiYX+u4ud | |||||
lastChange: 1228821387 | |||||
# Entry 24: mail=abuse,vd=lilik.it,o=hosting,dc=lilik,dc=it | |||||
dn: mail=abuse,vd=lilik.it,o=hosting,dc=lilik,dc=it | |||||
accountactive: TRUE | |||||
cn: NONAME | |||||
givenname: NONAME | |||||
hassubordinates: FALSE | |||||
mail: abuse | |||||
maildrop: root | |||||
objectclass: top | |||||
objectclass: VirtualMailAlias | |||||
smtpauth: FALSE | |||||
sn: NONAME | |||||
structuralobjectclass: VirtualMailAlias | |||||
subschemasubentry: cn=Subschema | |||||
userpassword: {CRYPT}! | |||||
lastChange: 1228821387 | |||||
dn: mail=test_user,vd=lilik.it,o=hosting,dc=lilik,dc=it | |||||
objectclass: alias | |||||
objectclass: extensibleObject | |||||
#uid: alias | |||||
aliasedobjectname: uid=test_user,o=People,dc=lilik,dc=it | |||||
# Entry 319: o=People,dc=lilik,dc=it | |||||
dn: o=People,dc=lilik,dc=it | |||||
hassubordinates: TRUE | |||||
o: People | |||||
objectclass: organization | |||||
objectclass: top | |||||
structuralobjectclass: organization | |||||
subschemasubentry: cn=Subschema | |||||
dn: uid=test_user,o=People,dc=lilik,dc=it | |||||
accountactive: TRUE | |||||
cn: Test | |||||
delete: FALSE | |||||
gidnumber: 100 | |||||
givenname: Test | |||||
hassubordinates: FALSE | |||||
homedirectory: /home/test_user | |||||
loginshell: /bin/bash | |||||
mail: test_user | |||||
objectclass: top | |||||
objectclass: inetOrgPerson | |||||
objectclass: VirtualMailAccount | |||||
objectclass: posixAccount | |||||
objectclass: shadowAccount | |||||
objectclass: hostObject | |||||
othertransport: phamm: | |||||
quota: 1024000 | |||||
shadowlastchange: 14281 | |||||
smtpauth: FALSE | |||||
sn: User | |||||
structuralobjectclass: VirtualMailAccount | |||||
subschemasubentry: cn=Subschema | |||||
uid: test_user | |||||
uidnumber: 10001 | |||||
userpassword: {SSHA}2SWroMDSWoIWlYEvzpHvSRK4PMsjGW/u | |||||
lastChange: 1228821387 | |||||
vdhome: undefined | |||||
mailbox: undefined | |||||
# Entry 12: cn=admin,o=Group,dc=lilik,dc=it | |||||
dn: cn=admin,o=Group,dc=lilik,dc=it | |||||
cn: admin | |||||
objectClass: groupOfNames | |||||
objectClass: top | |||||
structuralObjectClass: groupOfNames | |||||
member: cn=admin,dc=lilik,dc=it | |||||
dn: cn=wiki,o=Group,dc=lilik,dc=it | |||||
cn: wiki | |||||
objectClass: groupOfNames | |||||
objectClass: top | |||||
structuralObjectClass: groupOfNames | |||||
member: cn=admin,dc=lilik,dc=it | |||||
dn: cn=lilik.it,o=Group,dc=lilik,dc=it | |||||
cn: lilik.it | |||||
objectClass: groupOfNames | |||||
objectClass: top | |||||
structuralObjectClass: groupOfNames | |||||
member: cn=admin,dc=lilik,dc=it | |||||
dn: cn=cloud,o=Group,dc=lilik,dc=it | |||||
cn: cloud | |||||
objectClass: groupOfNames | |||||
objectClass: top | |||||
structuralObjectClass: groupOfNames | |||||
member: cn=admin,dc=lilik,dc=it | |||||
dn: cn=projects,o=Group,dc=lilik,dc=it | |||||
cn: projects | |||||
objectClass: groupOfNames | |||||
objectClass: top | |||||
structuralObjectClass: groupOfNames | |||||
member: cn=admin,dc=lilik,dc=it | |||||
dn: cn=teambox,o=Group,dc=lilik,dc=it | |||||
cn: teambox | |||||
objectClass: groupOfNames | |||||
objectClass: top | |||||
structuralObjectClass: groupOfNames | |||||
member: cn=admin,dc=lilik,dc=it | |||||
dn: cn=im,o=Group,dc=lilik,dc=it | |||||
cn: im | |||||
objectClass: groupOfNames | |||||
objectClass: top | |||||
structuralObjectClass: groupOfNames | |||||
member: cn=admin,dc=lilik,dc=it |
@ -1,12 +0,0 @@ | |||||
include /etc/ldap/schema/core.schema | |||||
include /etc/ldap/schema/cosine.schema | |||||
include /etc/ldap/schema/nis.schema | |||||
include /etc/ldap/schema/inetorgperson.schema | |||||
include /etc/ldap/schema/phamm.schema | |||||
include /etc/ldap/schema/phamm-vacation.schema | |||||
include /usr/share/doc/libpam-ldap/ldapns.schema | |||||
modulepath /usr/lib/ldap | |||||
moduleload memberof.la | |||||
overlay memberof |