upgrade doc: Fix an improper ACL control in OpenLDAP config file.
This commit is contained in:
parent
f37b0398b8
commit
97b45d5b98
@ -8,6 +8,7 @@ __This is still a DRAFT document, do NOT apply it.__
> We offer remote upgrade service, check [the price](../support.html) and [contact us](../contact.html).
* 2015-10-08: OpenLDAP: Fix improper ACL control.
* 2015-09-28: SOGo: cron jobs which run every minute must be grouped in one job.
* 2015-09-28: [RHEL/CentOS 7] Fix incorrect default firewall zone name
* 2015-09-28: [RHEL/CentOS 7] Remove `daemonze =` line in `/etc/uwsgi.ini`.
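Review bot: the new 2015-10-08 entry "OpenLDAP: Fix improper ACL control." does not say what the defect is, so a reader skimming this list cannot tell how urgent it is; one clause would do, for example "any authenticated mail user can read every entry under o=domains". The entries above it are self-contained one-liners, so either add that clause here or point at the "OpenLDAP backend special" section that carries the procedure.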
@ -401,6 +402,45 @@ dovecot unix - n n - - pipe
## OpenLDAP backend special
### Fixed: improper ACL control
With default OpenLDAP ACL control set by iRedMail, every mail user has
permission to query the whole LDAP tree (although cannot query sensitive info
like password), we'd better remove this ACL control due to security concern.
* Please open OpenLDAP config file `slapd.conf`, and find below lines:
* on RHEL/CentOS: it's `/etc/openldap/slapd.conf`.
* on Debian/Ubuntu: it's `/etc/ldap/slapd.conf`.
* on FreeBSD: it's `/usr/local/etc/openldap/slapd.conf`.
* on OpenBSD: it's `/etc/openldap/slapd.conf`.
```
access to dn.subtree="o=domains,dc=example,dc=com"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=example,dc=com" read
by dn.exact="cn=vmailadmin,dc=example,dc=com" write
by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=example,dc=com$" read
by users read
```
The LDAP suffix `dc=example,dc=com` might be different on your server.
* Remove the 6th line (`by dn.regex="mail=..."`), and replace the line `by users read`
by `by users none`.
```
access to dn.subtree="o=domains,dc=example,dc=com"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=example,dc=com" read
by dn.exact="cn=vmailadmin,dc=example,dc=com" write
by users none
```
* Save your change and restart OpenLDAP service.
### Fixed: Dovecot Master User doesn't work with ACL plugin
iRedMail has both Dovecot Master User and Dovecot `acl` plugin enabled by
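Review bot: the removed sixth line, `by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=example,dc=com$" read`, relies on a `$1` back-reference, but as the block is shown here the `<what>` clause is `dn.subtree`, not `dn.regex` with a capture group, so there is nothing for `$1` to expand from and the clause never granted the same-domain read it appears to; say so in the text rather than only "Remove the 6th line", otherwise readers will assume they are giving up per-domain lookups. Two additions to the procedure: before "Save your change and restart OpenLDAP service", run a syntax check on the edited file (`slaptest -f /etc/openldap/slapd.conf`, substituting the per-OS path listed above), because a malformed `access` directive keeps slapd from starting; and after the restart, verify the fix by binding as an ordinary mail user, for example `ldapsearch -x -W -D 'mail=user@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com' -b 'o=domains,dc=example,dc=com' '(objectClass=*)' dn`, which should return nothing beyond that user's own entry (readable through `by self write`); any other entry coming back means `by users read` is still in effect.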
@ -31,6 +31,7 @@
</ul>
</li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
<li><a href="#fixed-improper-acl-control">Fixed: improper ACL control</a></li>
<li><a href="#fixed-dovecot-master-user-doesnt-work-with-acl-plugin">Fixed: Dovecot Master User doesn't work with ACL plugin</a></li>
<li><a href="#add-new-sql-table-outbound_wblist-in-amavisd-database">Add new SQL table outbound_wblist in amavisd database</a></li>
</ul>
@ -55,6 +56,7 @@
<p>We offer remote upgrade service, check <a href="../support.html">the price</a> and <a href="../contact.html">contact us</a>.</p>
</blockquote>
<ul>
<li>2015-10-08: OpenLDAP: Fix improper ACL control.</li>
<li>2015-09-28: SOGo: cron jobs which run every minute must be grouped in one job.</li>
<li>2015-09-28: [RHEL/CentOS 7] Fix incorrect default firewall zone name</li>
<li>2015-09-28: [RHEL/CentOS 7] Remove <code>daemonze =</code> line in <code>/etc/uwsgi.ini</code>.</li>
@ -400,6 +402,46 @@ dovecot unix - n n - - pipe
<li>Save your change and restart Postfix service.</li>
</ul>
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="fixed-improper-acl-control">Fixed: improper ACL control</h3>
<p>With default OpenLDAP ACL control set by iRedMail, every mail user has
permission to query the whole LDAP tree (although cannot query sensitive info
like password), we'd better remove this ACL control due to security concern.</p>
<ul>
<li>
<p>Please open OpenLDAP config file <code>slapd.conf</code>, and find below lines:</p>
<ul>
<li>on RHEL/CentOS: it's <code>/etc/openldap/slapd.conf</code>.</li>
<li>on Debian/Ubuntu: it's <code>/etc/ldap/slapd.conf</code>.</li>
<li>on FreeBSD: it's <code>/usr/local/etc/openldap/slapd.conf</code>.</li>
<li>on OpenBSD: it's <code>/etc/openldap/slapd.conf</code>.</li>
</ul>
</li>
</ul>
<pre><code>access to dn.subtree="o=domains,dc=example,dc=com"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=example,dc=com" read
by dn.exact="cn=vmailadmin,dc=example,dc=com" write
by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=example,dc=com$" read
by users read
</code></pre>
<p>The LDAP suffix <code>dc=example,dc=com</code> might be different on your server.</p>
<ul>
<li>Remove the 6th line (<code>by dn.regex="mail=..."</code>), and replace the line <code>by users read</code>
by <code>by users none</code>.</li>
</ul>
<pre><code>access to dn.subtree="o=domains,dc=example,dc=com"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=example,dc=com" read
by dn.exact="cn=vmailadmin,dc=example,dc=com" write
by users none
</code></pre>
<ul>
<li>Save your change and restart OpenLDAP service.</li>
</ul>
<h3 id="fixed-dovecot-master-user-doesnt-work-with-acl-plugin">Fixed: Dovecot Master User doesn't work with ACL plugin</h3>
<p>iRedMail has both Dovecot Master User and Dovecot <code>acl</code> plugin enabled by
default, if <code>acl</code> plugin is enabled, the Master User is still subject to ACLs
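Review bot: in both rendered `<pre><code>` blocks the `by` lines appear with no leading whitespace; slapd.conf(5) treats only lines that begin with whitespace as continuations of the previous directive, so if that is how the source reads (and not just this view of it), anyone pasting the "after" block as shown gets `by anonymous auth` parsed as a directive of its own and slapd refuses to start. Indent the `by` lines inside the fenced block in the Markdown source so the generated HTML carries the indentation slapd needs. A smaller point for the same block: `by users none` is what slapd does anyway when no `by` clause matches, so it is explicit-for-clarity rather than the thing that closes the hole; the effective change is dropping `by users read`, and the prose could say that so readers do not look for the denial in the wrong place.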