Update LDAP config

data/hooks/conf_regen/06-slapd

@@ -60,7 +60,7 @@ do_pre_regen() {
 
   # copy configuration files
   cp -a ldap.conf slapd.conf "$ldap_dir"
-  cp -a sudo.schema mailserver.schema "$schema_dir"
+  cp -a sudo.schema mailserver.schema yunohost.schema "$schema_dir"
 
   install -D -m 644 slapd.default "${pending_dir}/etc/default/slapd"
 }

data/other/ldap_scheme.yml

@@ -17,6 +17,12 @@ parents:
             - organizationalUnit
             - top
 
+    ou=permission:
+        ou: permission
+        objectClass:
+            - organizationalUnit
+            - top
+
     ou=groups:
         ou: groups
         objectClass:
@@ -29,22 +35,6 @@ parents:
             - top
 
 children:
-    cn=admins,ou=groups:
-        cn: admins
-        gidNumber: "4001"
-        memberUid: admin
-        objectClass:
-            - posixGroup
-            - top
-
-    cn=sftpusers,ou=groups:
-        cn: sftpusers
-        gidNumber: "4002"
-        memberUid: admin
-        objectClass:
-            - posixGroup
-            - top
-
     cn=admin,ou=sudo:
         cn: admin
         sudoUser: admin
@@ -54,3 +44,34 @@ children:
         objectClass:
             - sudoRole
             - top
+    cn=admins,ou=groups:
+        cn: admins
+        gidNumber: "4001"
+        memberUid: admin
+        objectClass:
+            - posixGroup
+            - top
+    cn=ALL,ou=groups:
+        cn: ALL
+        gidNumber: "4002"
+        objectClass:
+            - posixGroup
+            - groupOfNamesYnh
+
+depends_children:
+    cn=main.mail,ou=permission:
+        cn: main.mail
+        gidNumber: "5001"
+        objectClass:
+            - posixGroup
+            - permissionYnh
+        groupPermission:
+            - "cn=ALL,ou=groups,dc=yunohost,dc=org"
+    cn=main.metronome,ou=permission:
+        cn: main.metronome
+        gidNumber: "5002"
+        objectClass:
+            - posixGroup
+            - permissionYnh
+        groupPermission:
+            - "cn=ALL,ou=groups,dc=yunohost,dc=org"

data/templates/slapd/slapd.conf

@@ -14,6 +14,7 @@ include         /etc/ldap/schema/nis.schema
 include         /etc/ldap/schema/inetorgperson.schema
 include         /etc/ldap/schema/mailserver.schema
 include         /etc/ldap/schema/sudo.schema
+include         /etc/ldap/schema/yunohost.schema
 
 # Where the pid file is put. The init.d script
 # will not stop the server if you change this.
@@ -31,7 +32,7 @@ password-hash   {SSHA}
 # Where the dynamically loaded modules are stored
 modulepath	/usr/lib/ldap
 moduleload	back_mdb
-moduleload      memberof
+moduleload	memberof
 
 # The maximum number of entries that is returned for a search operation
 sizelimit 500
@@ -110,3 +111,32 @@ access to *
         by dn="cn=admin,dc=yunohost,dc=org" write
         by group/groupOfNames/Member="cn=admin,ou=groups,dc=yunohost,dc=org" write
         by * read
+
+# Configure Memberof Overlay (used for Yunohost permission)
+
+# Link user <-> group
+#dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
+overlay                 memberof
+memberof-group-oc       groupOfNamesYnh
+memberof-member-ad      member
+memberof-memberof-ad    memberOf
+memberof-dangling       error
+memberof-refint         TRUE
+
+# Link permission <-> groupes
+#dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
+overlay                 memberof
+memberof-group-oc       permissionYnh
+memberof-member-ad      groupPermission
+memberof-memberof-ad    permission
+memberof-dangling       error
+memberof-refint         TRUE
+
+# Link permission <-> user
+#dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config
+overlay                 memberof
+memberof-group-oc       permissionYnh
+memberof-member-ad      inheritPermission
+memberof-memberof-ad    permission
+memberof-dangling       error
+memberof-refint         TRUE

data/templates/slapd/yunohost.schema

@@ -0,0 +1,33 @@
+#dn: cn=yunohost,cn=schema,cn=config
+#objectClass: olcSchemaConfig
+#cn: yunohost
+# ATTRIBUTES
+# For Permission
+attributetype ( 1.3.6.1.4.1.17953.9.1.1 NAME 'permission'
+  DESC 'Yunohost permission on user and group side'
+  SUP distinguishedName )
+attributetype ( 1.3.6.1.4.1.17953.9.1.2 NAME 'groupPermission'
+  DESC 'Yunohost permission for a group on permission side'
+  SUP distinguishedName )
+attributetype ( 1.3.6.1.4.1.17953.9.1.3 NAME 'inheritPermission'
+  DESC 'Yunohost permission for user on permission side'
+  SUP distinguishedName )
+attributetype ( 1.3.6.1.4.1.17953.9.1.4 NAME 'URL'
+  DESC 'Yunohost application URL'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+# OBJECTCLASS
+# For Applications
+objectclass ( 1.3.6.1.4.1.17953.9.2.1 NAME 'groupOfNamesYnh'
+  DESC 'Yunohost user group'
+  SUP top AUXILIARY
+  MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ permission ) )
+objectclass ( 1.3.6.1.4.1.17953.9.2.2 NAME 'permissionYnh'
+  DESC 'a Yunohost application'
+  SUP top AUXILIARY
+  MUST cn
+  MAY ( groupPermission $ inheritPermission $ URL ) )
+# For User
+objectclass ( 1.3.6.1.4.1.17953.9.2.3 NAME 'userPermissionYnh'
+  DESC 'a Yunohost application'
+  SUP top AUXILIARY
+  MAY ( permission ) )

src/yunohost/tools.py

@@ -89,6 +89,12 @@ def tools_ldapinit():
         except Exception as e:
             logger.warn("Error when trying to inject '%s' -> '%s' into ldap: %s" % (rdn, attr_dict, e))
 
+    for rdn, attr_dict in ldap_map['depends_children'].items():
+        try:
+            auth.add(rdn, attr_dict)
+        except Exception as e:
+            logger.warn("Error when trying to inject '%s' -> '%s' into ldap: %s" % (rdn, attr_dict, e))
+
     admin_dict = {
         'cn': 'admin',
         'uid': 'admin',