Update LDAP config

2024-09-03 20:06:10 +02:00 · 2018-11-25 22:31:40 +01:00 · 2018-11-25 22:31:40 +01:00 · d975ed2689
commit d975ed2689
parent 836083a62e
5 changed files with 108 additions and 18 deletions
--- a/data/hooks/conf_regen/06-slapd
+++ b/data/hooks/conf_regen/06-slapd
@ -60,7 +60,7 @@ do_pre_regen() {

  # copy configuration files
  cp -a ldap.conf slapd.conf "$ldap_dir"
-  cp -a sudo.schema mailserver.schema "$schema_dir"
+  cp -a sudo.schema mailserver.schema yunohost.schema "$schema_dir"

  install -D -m 644 slapd.default "${pending_dir}/etc/default/slapd"
 }
--- a/data/other/ldap_scheme.yml
+++ b/data/other/ldap_scheme.yml
@ -17,6 +17,12 @@ parents:
            - organizationalUnit
            - top

+    ou=permission:
+        ou: permission
+        objectClass:
+            - organizationalUnit
+            - top
+
    ou=groups:
        ou: groups
        objectClass:
@ -29,22 +35,6 @@ parents:
            - top

 children:
-    cn=admins,ou=groups:
-        cn: admins
-        gidNumber: "4001"
-        memberUid: admin
-        objectClass:
-            - posixGroup
-            - top
-
-    cn=sftpusers,ou=groups:
-        cn: sftpusers
-        gidNumber: "4002"
-        memberUid: admin
-        objectClass:
-            - posixGroup
-            - top
-
    cn=admin,ou=sudo:
        cn: admin
        sudoUser: admin
@ -54,3 +44,34 @@ children:
        objectClass:
            - sudoRole
            - top
+    cn=admins,ou=groups:
+        cn: admins
+        gidNumber: "4001"
+        memberUid: admin
+        objectClass:
+            - posixGroup
+            - top
+    cn=ALL,ou=groups:
+        cn: ALL
+        gidNumber: "4002"
+        objectClass:
+            - posixGroup
+            - groupOfNamesYnh
+
+depends_children:
+    cn=main.mail,ou=permission:
+        cn: main.mail
+        gidNumber: "5001"
+        objectClass:
+            - posixGroup
+            - permissionYnh
+        groupPermission:
+            - "cn=ALL,ou=groups,dc=yunohost,dc=org"
+    cn=main.metronome,ou=permission:
+        cn: main.metronome
+        gidNumber: "5002"
+        objectClass:
+            - posixGroup
+            - permissionYnh
+        groupPermission:
+            - "cn=ALL,ou=groups,dc=yunohost,dc=org"
--- a/data/templates/slapd/slapd.conf
+++ b/data/templates/slapd/slapd.conf
@ -14,6 +14,7 @@ include         /etc/ldap/schema/nis.schema
 include         /etc/ldap/schema/inetorgperson.schema
 include         /etc/ldap/schema/mailserver.schema
 include         /etc/ldap/schema/sudo.schema
+include         /etc/ldap/schema/yunohost.schema

 # Where the pid file is put. The init.d script
 # will not stop the server if you change this.
@ -31,7 +32,7 @@ password-hash   {SSHA}
 # Where the dynamically loaded modules are stored
 modulepath	/usr/lib/ldap
 moduleload	back_mdb
-moduleload      memberof
+moduleload	memberof

 # The maximum number of entries that is returned for a search operation
 sizelimit 500
@ -110,3 +111,32 @@ access to *
        by dn="cn=admin,dc=yunohost,dc=org" write
        by group/groupOfNames/Member="cn=admin,ou=groups,dc=yunohost,dc=org" write
        by * read
+
+# Configure Memberof Overlay (used for Yunohost permission)
+
+# Link user <-> group
+#dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
+overlay                 memberof
+memberof-group-oc       groupOfNamesYnh
+memberof-member-ad      member
+memberof-memberof-ad    memberOf
+memberof-dangling       error
+memberof-refint         TRUE
+
+# Link permission <-> groupes
+#dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
+overlay                 memberof
+memberof-group-oc       permissionYnh
+memberof-member-ad      groupPermission
+memberof-memberof-ad    permission
+memberof-dangling       error
+memberof-refint         TRUE
+
+# Link permission <-> user
+#dn: olcOverlay={2}memberof,olcDatabase={1}mdb,cn=config
+overlay                 memberof
+memberof-group-oc       permissionYnh
+memberof-member-ad      inheritPermission
+memberof-memberof-ad    permission
+memberof-dangling       error
+memberof-refint         TRUE
--- a/data/templates/slapd/yunohost.schema
+++ b/data/templates/slapd/yunohost.schema
@ -0,0 +1,33 @@
+#dn: cn=yunohost,cn=schema,cn=config
+#objectClass: olcSchemaConfig
+#cn: yunohost
+# ATTRIBUTES
+# For Permission
+attributetype ( 1.3.6.1.4.1.17953.9.1.1 NAME 'permission'
+  DESC 'Yunohost permission on user and group side'
+  SUP distinguishedName )
+attributetype ( 1.3.6.1.4.1.17953.9.1.2 NAME 'groupPermission'
+  DESC 'Yunohost permission for a group on permission side'
+  SUP distinguishedName )
+attributetype ( 1.3.6.1.4.1.17953.9.1.3 NAME 'inheritPermission'
+  DESC 'Yunohost permission for user on permission side'
+  SUP distinguishedName )
+attributetype ( 1.3.6.1.4.1.17953.9.1.4 NAME 'URL'
+  DESC 'Yunohost application URL'
+  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+# OBJECTCLASS
+# For Applications
+objectclass ( 1.3.6.1.4.1.17953.9.2.1 NAME 'groupOfNamesYnh'
+  DESC 'Yunohost user group'
+  SUP top AUXILIARY
+  MAY ( member $ businessCategory $ seeAlso $ owner $ ou $ o $ permission ) )
+objectclass ( 1.3.6.1.4.1.17953.9.2.2 NAME 'permissionYnh'
+  DESC 'a Yunohost application'
+  SUP top AUXILIARY
+  MUST cn
+  MAY ( groupPermission $ inheritPermission $ URL ) )
+# For User
+objectclass ( 1.3.6.1.4.1.17953.9.2.3 NAME 'userPermissionYnh'
+  DESC 'a Yunohost application'
+  SUP top AUXILIARY
+  MAY ( permission ) )
--- a/src/yunohost/tools.py
+++ b/src/yunohost/tools.py
@ -89,6 +89,12 @@ def tools_ldapinit():
        except Exception as e:
            logger.warn("Error when trying to inject '%s' -> '%s' into ldap: %s" % (rdn, attr_dict, e))

+    for rdn, attr_dict in ldap_map['depends_children'].items():
+        try:
+            auth.add(rdn, attr_dict)
+        except Exception as e:
+            logger.warn("Error when trying to inject '%s' -> '%s' into ldap: %s" % (rdn, attr_dict, e))
+
    admin_dict = {
        'cn': 'admin',
        'uid': 'admin',