From: root Date: Tue, 3 Aug 2010 15:51:55 +0000 (+0200) Subject: Merge branch 'template' of ssh://matthijs@git.stderr.nl/matthijs/servers/drsnuggles... X-Git-Url: https://git.stderr.nl/gitweb?a=commitdiff_plain;h=refs%2Fheads%2Fldap;hp=a799b50b1d46b49b57ce3212c2fcf60317e7a6f9;p=matthijs%2Fservers%2Fdrsnuggles.git Merge branch 'template' of ssh://matthijs@git.stderr.nl/matthijs/servers/drsnuggles into ldap * 'template' of ssh://matthijs@git.stderr.nl/matthijs/servers/drsnuggles: oidentd: Allow the vserver host to forward connections. oidentd: Add default configuration. --- diff --git a/etc/hostname b/etc/hostname new file mode 100644 index 0000000..2cf18b6 --- /dev/null +++ b/etc/hostname @@ -0,0 +1 @@ +ldap.drsnuggles.stderr.nl diff --git a/etc/ldap/schema/custom.schema b/etc/ldap/schema/custom.schema new file mode 100644 index 0000000..90d4106 --- /dev/null +++ b/etc/ldap/schema/custom.schema @@ -0,0 +1,89 @@ +# Custom schema for our LDAP directory. This defines only objectclasses, the +# relevant attributes are reused from other schema. Having a custom schema +# ensures that we can enforce our local rules and not have all those extra +# attributes available which we'll never use. +# +# A lot of the ideas in this schema are taken from the paper "LDAP Schema +# Design", by Andrew Findlay. +# http://www.skills-1st.co.uk/papers/ldap-schema-design-feb-2005/ldap-schema-design-feb-2005.pdf + + +# Oid for the "stderr.nl" organization, owned by Matthijs Kooijman. Do not use +# this OID or these objectclasses without contacting Matthijs, since they may +# change without notice! +objectIdentifier StdErr 1.3.6.1.4.1.33232 +objectIdentifier StdErrLDAP StdErr:2 +objectIdentifier StdErrAttributeType StdErrLDAP:1 +objectIdentifier StdErrObjectClass StdErrLDAP:2 + +# +# Define a number of structural object classes. These define what an object +# _is_ and is expected never to change. +# + +# An object. Can be anything that is not a person and not a group (mostly +# used for organizing the directory and for sytem accounts). +objectclass ( StdErrObjectClass:1 + NAME 'simpleObject' + SUP top + STRUCTURAL + MUST ( displayName) + MAY ( uniqueIdentifier ) ) + +# A person. Any person that should be represented should be a simplePerson, +# adding auxillary classes from below to add an account, mailbox, etc. +objectclass ( StdErrObjectClass:2 + NAME 'simplePerson' + SUP simpleObject + STRUCTURAL + MUST ( cn $ givenName $ sn) + MAY ( mail) ) + +# A group. This is any group of things, though usually it will be a group of +# people. Does not have any particular meaning by itself, but auxillary classes +# from below can be added to make this group a unix group, mail alias, etc. +# +# This is similar to groupOfUniqueNames, but its uniqueMember attribute is +# optional, allowing for an empty group. +# Also, it adds a displayName and removes some other attributes. +objectclass ( StdErrObjectClass:3 + NAME 'simpleGroup' + SUP simpleObject + STRUCTURAL + MUST ( cn ) + MAY ( uniqueMember $ description ) ) + +# A posix group that should get a unix account. +# +# This is similar to posixGroup, but it is an auxillary class instead of +# structural, so it can be used together with groupOfUniqueNames +objectclass ( StdErrObjectClass:4 + NAME 'simplePosixGroup' + SUP top + AUXILIARY + MUST ( cn $ gidNumber ) + MAY ( memberUid $ description ) ) + +# A mail user. It has a number of mail addresses (mail and +# mailAlternateAddresses). Mail to these addresses should be delivered to the +# mailbox of uid on mailHost or forwarded to all mailForwardingAddresses. +objectclass ( StdErrObjectClass:5 + NAME 'mailUser' + SUP top + AUXILIARY + MUST ( mail ) + MAY ( mailAlternateAddress $ mailHost $ uid $ mailForwardingAddress ) ) + +# A mail group. This has a number of mail addresses (mail and +# mailAlternateAddresses). Mail to these addresses should be delivered to each +# rf822member and uniqueMember. +objectclass ( StdErrObjectClass:6 + NAME 'mailGroup' + SUP top + AUXILIARY + MUST ( mail ) + MAY ( mailAlternateAddress $ rfc822member $ uniqueMember ) ) + +# Note that there is no alternative for posixGroup here. posixGroup exactly has +# the attributes we would like to have, so there seems to be no need to add a +# custom version of it. diff --git a/etc/ldap/schema/qmail-reduced.schema b/etc/ldap/schema/qmail-reduced.schema new file mode 100644 index 0000000..1a65991 --- /dev/null +++ b/etc/ldap/schema/qmail-reduced.schema @@ -0,0 +1,25 @@ +# This is a selection of attribute types from the qmail.schema file. + + attributetype ( 1.3.6.1.4.1.7914.1.2.1.4 NAME 'mailAlternateAddress' + DESC 'Secondary (alias) mailaddresses for the same user' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) + + attributetype ( 1.3.6.1.4.1.7914.1.2.1.6 NAME 'mailHost' + DESC 'On which qmail server the messagestore of this user is located.' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE) + + attributetype ( 1.3.6.1.4.1.7914.1.2.1.7 NAME 'mailForwardingAddress' + DESC 'Address(es) to forward all incoming messages to.' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) + + attributetype ( 1.3.6.1.4.1.7914.1.3.1.2 NAME 'rfc822member' + DESC 'Group member specified as normal rf822 email address.' + EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) diff --git a/etc/ldap/slapd.conf b/etc/ldap/slapd.conf new file mode 100644 index 0000000..34fbcf1 --- /dev/null +++ b/etc/ldap/slapd.conf @@ -0,0 +1,105 @@ +# This is the main slapd configuration file. See slapd.conf(5) for more +# info on the configuration options. +# +# This file configures slapd to run a fairly simple database, with nothing +# fancy. + +####################################################################### +# Global Directives: + +# Schema and objectClass definitions +include /etc/ldap/schema/core.schema +include /etc/ldap/schema/cosine.schema +include /etc/ldap/schema/nis.schema +include /etc/ldap/schema/ldapns.schema +include /etc/ldap/schema/inetorgperson.schema +include /etc/ldap/schema/qmail-reduced.schema +include /etc/ldap/schema/custom.schema + +# Where the pid file is put. The init.d script +# will not stop the server if you change this. +pidfile /var/run/slapd/slapd.pid + +# List of arguments that were passed to the server +argsfile /var/run/slapd/slapd.args + +# Read slapd.conf(5) for possible values +loglevel none + +# Where the dynamically loaded modules are stored +modulepath /usr/lib/ldap +moduleload back_bdb + +# The maximum number of entries that is returned for a search operation +sizelimit 500 + +# The tool-threads parameter sets the actual amount of cpu's that is used +# for indexing. +tool-threads 1 + +####################################################################### +database bdb + +# The base of your directory in database #1 +suffix "dc=drsnuggles,dc=stderr,dc=nl" + +# Where the database file are physically stored for database #1 +directory "/data/db/ldap" + +# For the Debian package we use 2MB as default but be sure to update this +# value if you have plenty of RAM +dbconfig set_cachesize 0 2097152 0 + +# Sven Hartge reported that he had to set this value incredibly high +# to get slapd running at all. See http://bugs.debian.org/303057 for more +# information. + +# Number of objects that can be locked at the same time. +dbconfig set_lk_max_objects 1500 +# Number of locks (both requested and granted) +dbconfig set_lk_max_locks 1500 +# Number of lockers +dbconfig set_lk_max_lockers 1500 + +# Indexing options for database #1 +index objectClass eq +index cn eq +index uniqueMember,memberUid eq +index mail,mailAlternateAddress eq +index uid,uidNumber,gidNumber eq +index mailHost,host eq + +# Save the time that the entry gets modified, for database #1 +lastmod on + +# Checkpoint the BerkeleyDB database periodically in case of system +# failure and to speed slapd shutdown. +checkpoint 512 30 + +# The userPassword by default can be changed +# by the entry owning it if they are authenticated. +# Others should not be able to see it, except the +# admin entry below +# These access lines apply to database #1 only +access to attrs=userPassword,shadowLastChange + by dn="cn=admin,dc=drsnuggles,dc=stderr,dc=nl" write + by anonymous auth + by self write + by * none + +# Ensure read access to the base for things like +# supportedSASLMechanisms. Without this you may +# have problems with SASL not knowing what +# mechanisms are available and the like. +# Note that this is covered by the 'access to *' +# ACL below too but if you change that as people +# are wont to do you'll still need this if you +# want SASL (and possible other things) to work +# happily. +access to dn.base="" by * read + +# The admin dn has full write access, everyone else +# can read everything. +access to * + by dn="cn=admin,dc=drsnuggles,dc=stderr,dc=nl" write + by * read diff --git a/etc/mailname b/etc/mailname new file mode 100644 index 0000000..2cf18b6 --- /dev/null +++ b/etc/mailname @@ -0,0 +1 @@ +ldap.drsnuggles.stderr.nl