From d975ed2689b28134442b83a2c3d135da17732bbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Sun, 25 Nov 2018 22:31:40 +0100
Subject: [PATCH] Update LDAP config
---
 data/hooks/conf_regen/06-slapd | 2 +-
 data/other/ldap_scheme.yml | 53 +++++++++++++++++++---------
 data/templates/slapd/slapd.conf | 32 ++++++++++++++++-
 data/templates/slapd/yunohost.schema | 33 +++++++++++++++++
 src/yunohost/tools.py | 6 ++++
 5 files changed, 108 insertions(+), 18 deletions(-)
 create mode 100644 data/templates/slapd/yunohost.schema
diff --git a/data/hooks/conf_regen/06-slapd b/data/hooks/conf_regen/06-slapd
index d0a1fad63..9ba223e4c 100755
--- a/data/hooks/conf_regen/06-slapd
+++ b/data/hooks/conf_regen/06-slapd
@@ -60,7 +60,7 @@ do_pre_regen() {
 # copy configuration files
 cp -a ldap.conf slapd.conf "$ldap_dir"
- cp -a sudo.schema mailserver.schema "$schema_dir"
+ cp -a sudo.schema mailserver.schema yunohost.schema "$schema_dir"
 install -D -m 644 slapd.default "${pending_dir}/etc/default/slapd"
 }
diff --git a/data/other/ldap_scheme.yml b/data/other/ldap_scheme.yml
index 75bdea6e2..d30c4915c 100644
--- a/data/other/ldap_scheme.yml
+++ b/data/other/ldap_scheme.yml
@@ -17,6 +17,12 @@ parents:
 - organizationalUnit
 - top
+ ou=permission:
+ ou: permission
+ objectClass:
+ - organizationalUnit
+ - top
+
 ou=groups:
 ou: groups
 objectClass:
@@ -29,22 +35,6 @@ parents:
 - top
 children:
- cn=admins,ou=groups:
- cn: admins
- gidNumber: "4001"
- memberUid: admin
- objectClass:
- - posixGroup
- - top
-
- cn=sftpusers,ou=groups:
- cn: sftpusers
- gidNumber: "4002"
- memberUid: admin
- objectClass:
- - posixGroup
- - top
-
 cn=admin,ou=sudo:
 cn: admin
 sudoUser: admin
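Review bot: `cn=sftpusers,ou=groups` is removed in the second hunk of ldap_scheme.yml but is not recreated by the later hunk of this file, which re-adds only `cn=admins` and reuses the sftpusers gid `4002` for the new `cn=ALL` group; anything outside this diff that still refers to the sftpusers group by name or by gid would now resolve to the catch-all group, or to nothing at all. If dropping SFTP group membership is intended, the commit message should say so; otherwise keep the entry and give `cn=ALL` an unused gid. Both hunks of this file cut through the `parents:`/`children:` maps, so the surrounding entries are not fully visible here.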
@@ -54,3 +44,34 @@ children:
 objectClass:
 - sudoRole
 - top
+ cn=admins,ou=groups:
+ cn: admins
+ gidNumber: "4001"
+ memberUid: admin
+ objectClass:
+ - posixGroup
+ - top
+ cn=ALL,ou=groups:
+ cn: ALL
+ gidNumber: "4002"
+ objectClass:
+ - posixGroup
+ - groupOfNamesYnh
+
+depends_children:
+ cn=main.mail,ou=permission:
+ cn: main.mail
+ gidNumber: "5001"
+ objectClass:
+ - posixGroup
+ - permissionYnh
+ groupPermission:
+ - "cn=ALL,ou=groups,dc=yunohost,dc=org"
+ cn=main.metronome,ou=permission:
+ cn: main.metronome
+ gidNumber: "5002"
+ objectClass:
+ - posixGroup
+ - permissionYnh
+ groupPermission:
+ - "cn=ALL,ou=groups,dc=yunohost,dc=org"
diff --git a/data/templates/slapd/slapd.conf b/data/templates/slapd/slapd.conf
index 9a8800d9d..4acebe97e 100644
--- a/data/templates/slapd/slapd.conf
+++ b/data/templates/slapd/slapd.conf
@@ -14,6 +14,7 @@ include /etc/ldap/schema/nis.schema
 include /etc/ldap/schema/inetorgperson.schema
 include /etc/ldap/schema/mailserver.schema
 include /etc/ldap/schema/sudo.schema
+include /etc/ldap/schema/yunohost.schema
 # Where the pid file is put. The init.d script
 # will not stop the server if you change this.
@@ -31,7 +32,7 @@ password-hash {SSHA}
 # Where the dynamically loaded modules are stored
 modulepath /usr/lib/ldap
 moduleload back_mdb
-moduleload memberof
+moduleload memberof
 # The maximum number of entries that is returned for a search operation
 sizelimit 500
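Review bot: `cn=ALL,ou=groups` is created with `groupOfNamesYnh` but without a single `member` value, and nothing in this patch populates it; the two permissions under `depends_children` reach users only through that attribute (the memberof overlay in slapd.conf derives `memberOf`/`permission` from `member` and `groupPermission`), so until user creation outside this diff adds members they grant access to nobody. A comment on the entry would make the contract explicit, e.g. `# member values are added when users are created; permissions reach users via the memberof overlay`. `depends_children` is also a new top-level key with no hint why these entries cannot sit under `children`; presumably because `memberof-dangling error` in slapd.conf rejects a `groupPermission` DN that does not exist yet, so `# created after 'children': groupPermission must reference an existing group` would document the ordering.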
@@ -110,3 +111,32 @@ access to *
 by dn="cn=admin,dc=yunohost,dc=org" write
 by group/groupOfNames/Member="cn=admin,ou=groups,dc=yunohost,dc=org" write
 by * read
+
+# Configure Memberof Overlay (used for Yunohost permission)
+
+# Link user <-> group
+#dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
+overlay memberof
+memberof-group-oc groupOfNamesYnh
+memberof-member-ad member
+memberof-memberof-ad memberOf
+memberof-dangling error
+memberof-refint TRUE
+
+# Link permission <-> groupes
+#dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
+overlay memberof
+memberof-group-oc permissionYnh
+memberof-member-ad groupPermission
+memberof-memberof-ad permission
+memberof-dangling error
+memberof-refint TRUE
+
+# Link permission <-> user
+#dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config
+overlay memberof
+memberof-group-oc permissionYnh
+memberof-member-ad inheritPermission
+memberof-memberof-ad permission
+memberof-dangling error
+memberof-refint TRUE
diff --git a/data/templates/slapd/yunohost.schema b/data/templates/slapd/yunohost.schema
new file mode 100644
index 000000000..7da60a20c
--- /dev/null
+++ b/data/templates/slapd/yunohost.schema
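Review bot: The new `permission`, `groupPermission` and `inheritPermission` attributes are not named in any `access to` rule in this hunk, so they fall under the catch-all `access to *` shown in the context lines, whose last clause is `by * read`; unless an earlier `access to attrs=` rule (not visible here) restricts them, the whole application-permission graph is readable by anonymous binds. If that is not intended, an attribute rule placed ahead of the catch-all would close it, e.g. `access to attrs=permission,groupPermission,inheritPermission by dn="cn=admin,dc=yunohost,dc=org" write by users read by * none`. Instantiating the `memberof` overlay three times on the same database is deliberate but unusual; a comment stating that the two `permissionYnh` instances both maintain `permission` on the target entry, and that `memberof-dangling error` makes the creation order of groups and permissions matter, would save the next maintainer a debugging session.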
@@ -0,0 +1,33 @@
+#dn: cn=yunohost,cn=schema,cn=config
+#objectClass: olcSchemaConfig
+#cn: yunohost
+# ATTRIBUTES
+# For Permission
+attributetype ( 1.3.6.1.4.1.17953.9.1.1 NAME 'permission'
+ DESC 'Yunohost permission on user and group side'
+ SUP distinguishedName )
+attributetype ( 1.3.6.1.4.1.17953.9.1.2 NAME 'groupPermission'
+ DESC 'Yunohost permission for a group on permission side'
+ SUP distinguishedName )
+attributetype ( 1.3.6.1.4.1.17953.9.1.3 NAME 'inheritPermission'
+ DESC 'Yunohost permission for user on permission side'
+ SUP distinguishedName )
+attributetype ( 1.3.6.1.4.1.17953.9.1.4 NAME 'URL'
+ DESC 'Yunohost application URL'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+# OBJECTCLASS
+# For Applications
+objectclass ( 1.3.6.1.4.1.17953.9.2.1 NAME 'groupOfNamesYnh'
+ DESC 'Yunohost user group'
+ SUP top AUXILIARY
+ MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ permission ) )
+objectclass ( 1.3.6.1.4.1.17953.9.2.2 NAME 'permissionYnh'
+ DESC 'a Yunohost application'
+ SUP top AUXILIARY
+ MUST cn
+ MAY ( groupPermission $ inheritPermission $ URL ) )
+# For User
+objectclass ( 1.3.6.1.4.1.17953.9.2.3 NAME 'userPermissionYnh'
+ DESC 'a Yunohost application'
+ SUP top AUXILIARY
+ MAY ( permission ) )
diff --git a/src/yunohost/tools.py b/src/yunohost/tools.py
index 189b1db09..d58951878 100644
--- a/src/yunohost/tools.py
+++ b/src/yunohost/tools.py
@@ -89,6 +89,12 @@ def tools_ldapinit():
 except Exception as e:
 logger.warn("Error when trying to inject '%s' -> '%s' into ldap: %s" % (rdn, attr_dict, e))
+ for rdn, attr_dict in ldap_map['depends_children'].items():
+ try:
+ auth.add(rdn, attr_dict)
+ except Exception as e:
+ logger.warn("Error when trying to inject '%s' -> '%s' into ldap: %s" % (rdn, attr_dict, e))
+
 admin_dict = {
 'cn': 'admin',
 'uid': 'admin',
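Review bot: The `DESC` of the last object class, `userPermissionYnh`, reads 'a Yunohost application', copied from `permissionYnh` just above, although the `# For User` comment and its single `MAY ( permission )` show it is the auxiliary class carried by user entries; `DESC 'Yunohost permissions held by a user'` would describe it. The four attribute types are registered under bare names (`permission`, `groupPermission`, `inheritPermission`, `URL`) while the object classes carry a `Ynh` suffix; attribute NAMEs are global across every loaded schema, so a generic name such as `URL` is the one most likely to collide with another schema and keep slapd from starting, and a suffixed name (or the standard `labeledURI` attribute, if a plain string is all that is needed) would avoid that.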
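Review bot: The new loop over `ldap_map['depends_children']` is a verbatim copy of the `children` loop above it, differing only in the key; iterating the two keys in order, `for key in ('children', 'depends_children'):` around the existing `for rdn, attr_dict in ldap_map[key].items():` body, removes the duplication and states the ordering in one place. The ordering itself deserves a comment, since presumably it exists because `memberof-dangling error` in slapd.conf rejects a `groupPermission` pointing at a group that does not exist yet: `# depends_children reference entries created by children (dangling DNs are rejected by slapd)`. The bare `except Exception` with a warning means a failed insert of a permission entry leaves `ou=permission` incomplete while initialisation continues to create the admin user; logging at error level, or re-raising, would make a half-initialised directory visible. `tools_ldapinit`'s body continues outside the hunk.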