
Zhang Huangbin committed ec2cf7f

Add default access policies for OpenBSD ldapd(8).



iRedMail/ChangeLog

 iRedMail-0.8.4:
+    * Now supports OpenBSD built-in LDAP daemon: ldapd(8).
     * Fixed:
         - Cannot handle alias domain in Postfix per-user bcc.
           Thanks Ward De Backer <wdb _at_ stabe.be> for the report.

iRedMail/functions/ldapd.sh

 
 ldapd_config()
 {
-    ECHO_INFO "Configure ldapd(8) daemon"
+    ECHO_INFO "Configure LDAP server: ldapd(8)."
 
     # Enable ldapd in rc.conf.local
     cat >> ${RC_CONF_LOCAL} <<EOF
     chmod 0600 ${LDAPD_CONF}
 
     ECHO_DEBUG "Update config file: ${LDAPD_CONF}"
+    export LDAP_SUFFIX LDAP_BASEDN LDAP_ADMIN_BASEDN
+    export LDAP_ROOTDN LDAP_ROOTPW
+    export LDAP_BINDDN LDAP_ADMIN_DN
     perl -pi -e 's#PH_LDAP_SUFFIX#$ENV{LDAP_SUFFIX}#g' ${LDAPD_CONF}
+    perl -pi -e 's#PH_LDAP_BASEDN#$ENV{LDAP_BASEDN}#g' ${LDAPD_CONF}
+    perl -pi -e 's#PH_LDAP_ADMIN_BASEDN#$ENV{LDAP_ADMIN_BASEDN}#g' ${LDAPD_CONF}
+
     perl -pi -e 's#PH_LDAP_ROOTDN#$ENV{LDAP_ROOTDN}#g' ${LDAPD_CONF}
     perl -pi -e 's#PH_LDAP_ROOTPW#$ENV{LDAP_ROOTPW_SSHA}#g' ${LDAPD_CONF}
 
+    perl -pi -e 's#PH_LDAP_BINDDN#$ENV{LDAP_BINDDN}#g' ${LDAPD_CONF}
+    perl -pi -e 's#PH_LDAP_ADMIN_DN#$ENV{LDAP_ADMIN_DN}#g' ${LDAPD_CONF}
+
     ECHO_DEBUG "Start ldapd"
     ${DIR_RC_SCRIPTS}/${LDAPD_RC_SCRIPT_NAME} restart &>/dev/null
 
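Review bot: The new `export LDAP_ROOTDN LDAP_ROOTPW` line places the cleartext root password in the environment of perl and of every process this function spawns afterwards, yet the only consumer in the hunk (the `PH_LDAP_ROOTPW` substitution) reads `LDAP_ROOTPW_SSHA`, so the cleartext export buys nothing here. Process environments are readable by ordinary process-inspection tools, so a secret should only be exported when a child actually needs it. Unless `LDAP_ROOTPW_SSHA` is already exported elsewhere, I would change the line to `export LDAP_ROOTDN LDAP_ROOTPW_SSHA`; if it is, drop `LDAP_ROOTPW` from the export list instead. The hunk looks like two collapsed hunks (the heredoc body after `cat >> ${RC_CONF_LOCAL} <<EOF` is not shown) and `ldapd_config` continues past the last visible line.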

iRedMail/functions/openldap.sh

 
 openldap_config()
 {
-    ECHO_INFO "Configure OpenLDAP server (Storing mail accounts)."
+    ECHO_INFO "Configure LDAP server: OpenLDAP."
 
     ECHO_DEBUG "Stoping OpenLDAP."
     ${OPENLDAP_RC_SCRIPT} stop &>/dev/null

iRedMail/samples/ldapd.conf

     index   accessPolicy
     index   memberOfGroup
 
-    # TODO: access policy
+    #
+    # Access policies
+    #
+    # Deny by default.
+    deny read,write access to subtree root by any
+
+    # Update by self
+    allow write access to subtree root by self
+
+    # Read all mail accounts
+    allow read access to subtree "PH_LDAP_BASEDN" by "PH_LDAP_BINDDN"
+
+    # Allow to manage (read+write) mail accounts
+    allow read,write access to subtree "PH_LDAP_BASEDN" by "PH_LDAP_ADMIN_DN"
+    allow read,write access to subtree "PH_LDAP_ADMIN_BASEDN" by "PH_LDAP_ADMIN_DN"
+
 }
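Review bot: `allow write access to subtree root by self` grants every authenticated entry write access to its whole own entry, because the ldapd.conf(5) access grammar is scoped to entries and subtrees, not to individual attributes. In this schema that entry carries authorization data such as `accessPolicy` and `memberOfGroup` (indexed a few lines above), so a mail user who can bind could rewrite their own access policy or group membership, not just their password. If self-service updates are meant to go through the admin DN, drop the rule; if it is intentional, document the trade-off next to it, e.g. `# NOTE: "write by self" covers every attribute of the entry (no per-attribute ACL in ldapd); users can modify their own accessPolicy/memberOfGroup`. The enclosing namespace block opens outside the hunk, so I cannot see whether other rules precede these.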