upgrade doc: Fix an improper ACL control in OpenLDAP config file.

This commit is contained in:
Zhang Huangbin 2015-10-08 11:38:27 +08:00
parent f37b0398b8
commit 97b45d5b98
2 changed files with 82 additions and 0 deletions

View File

@ -8,6 +8,7 @@ __This is still a DRAFT document, do NOT apply it.__
> We offer remote upgrade service, check [the price](../support.html) and [contact us](../contact.html).
* 2015-10-08: OpenLDAP: Fix improper ACL control.
* 2015-09-28: SOGo: cron jobs which run every minute must be grouped in one job.
* 2015-09-28: [RHEL/CentOS 7] Fix incorrect default firewall zone name
* 2015-09-28: [RHEL/CentOS 7] Remove `daemonze =` line in `/etc/uwsgi.ini`.
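Review bot: the new changelog entry `* 2015-10-08: OpenLDAP: Fix improper ACL control.` does not say what the ACL allowed or why a reader should care, unlike the neighbouring entries, which name the concrete symptom; since readers skim this list to decide which steps apply to them, state the impact and point at the section, e.g. `* 2015-10-08: OpenLDAP: Fix improper ACL control (every mail user could read the whole LDAP tree under o=domains), see "Fixed: improper ACL control" below.`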
@ -401,6 +402,45 @@ dovecot unix - n n - - pipe
## OpenLDAP backend special
### Fixed: improper ACL control
With default OpenLDAP ACL control set by iRedMail, every mail user has
permission to query the whole LDAP tree (although cannot query sensitive info
like password), we'd better remove this ACL control due to security concern.
* Please open OpenLDAP config file `slapd.conf`, and find below lines:
* on RHEL/CentOS: it's `/etc/openldap/slapd.conf`.
* on Debian/Ubuntu: it's `/etc/ldap/slapd.conf`.
* on FreeBSD: it's `/usr/local/etc/openldap/slapd.conf`.
* on OpenBSD: it's `/etc/openldap/slapd.conf`.
```
access to dn.subtree="o=domains,dc=example,dc=com"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=example,dc=com" read
by dn.exact="cn=vmailadmin,dc=example,dc=com" write
by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=example,dc=com$" read
by users read
```
The LDAP suffix `dc=example,dc=com` might be different on your server.
* Remove the 6th line (`by dn.regex="mail=..."`), and replace the line `by users read`
by `by users none`.
```
access to dn.subtree="o=domains,dc=example,dc=com"
by anonymous auth
by self write
by dn.exact="cn=vmail,dc=example,dc=com" read
by dn.exact="cn=vmailadmin,dc=example,dc=com" write
by users none
```
* Save your change and restart OpenLDAP service.
### Fixed: Dovecot Master User doesn't work with ACL plugin
iRedMail has both Dovecot Master User and Dovecot `acl` plugin enabled by
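Review bot: the "find below lines" block is not self-consistent: the line `by dn.regex="mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=example,dc=com$" read` expands `$1` from a capture group in the `to` clause, but the `to` clause shown is `access to dn.subtree="o=domains,dc=example,dc=com"`, which captures nothing, so a reader searching their `slapd.conf` for this exact block may not find it. Either show the `to` clause as it actually appears in the iRedMail-generated file (the one that defines the capture group), or state that the block is abbreviated and that only the `by dn.regex="mail=..."` and `by users read` lines need to match. Two smaller points: the rationale paragraph should say plainly what the problem is (any authenticated mail user can enumerate every domain and account under `o=domains`, not just their own) instead of "we'd better remove this ACL control due to security concern"; and the final step "Save your change and restart OpenLDAP service" should tell the reader to validate the edited file first with `slaptest -f <path to slapd.conf>` so a typo does not leave `slapd` unable to start, and to confirm the fix afterwards by binding as an ordinary mail user and checking that a search under `o=domains,...` no longer returns other users' entries.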

View File

@ -31,6 +31,7 @@
</ul>
</li>
<li><a href="#openldap-backend-special">OpenLDAP backend special</a><ul>
<li><a href="#fixed-improper-acl-control">Fixed: improper ACL control</a></li>
<li><a href="#fixed-dovecot-master-user-doesnt-work-with-acl-plugin">Fixed: Dovecot Master User doesn't work with ACL plugin</a></li>
<li><a href="#add-new-sql-table-outbound_wblist-in-amavisd-database">Add new SQL table outbound_wblist in amavisd database</a></li>
</ul>
@ -55,6 +56,7 @@
<p>We offer remote upgrade service, check <a href="../support.html">the price</a> and <a href="../contact.html">contact us</a>.</p>
</blockquote>
<ul>
<li>2015-10-08: OpenLDAP: Fix improper ACL control.</li>
<li>2015-09-28: SOGo: cron jobs which run every minute must be grouped in one job.</li>
<li>2015-09-28: [RHEL/CentOS 7] Fix incorrect default firewall zone name</li>
<li>2015-09-28: [RHEL/CentOS 7] Remove <code>daemonze =</code> line in <code>/etc/uwsgi.ini</code>.</li>
@ -400,6 +402,46 @@ dovecot unix - n n - - pipe
<li>Save your change and restart Postfix service.</li>
</ul>
<h2 id="openldap-backend-special">OpenLDAP backend special</h2>
<h3 id="fixed-improper-acl-control">Fixed: improper ACL control</h3>
<p>With default OpenLDAP ACL control set by iRedMail, every mail user has
permission to query the whole LDAP tree (although cannot query sensitive info
like password), we'd better remove this ACL control due to security concern.</p>
<ul>
<li>
<p>Please open OpenLDAP config file <code>slapd.conf</code>, and find below lines:</p>
<ul>
<li>on RHEL/CentOS: it's <code>/etc/openldap/slapd.conf</code>.</li>
<li>on Debian/Ubuntu: it's <code>/etc/ldap/slapd.conf</code>.</li>
<li>on FreeBSD: it's <code>/usr/local/etc/openldap/slapd.conf</code>.</li>
<li>on OpenBSD: it's <code>/etc/openldap/slapd.conf</code>.</li>
</ul>
</li>
</ul>
<pre><code>access to dn.subtree=&quot;o=domains,dc=example,dc=com&quot;
by anonymous auth
by self write
by dn.exact=&quot;cn=vmail,dc=example,dc=com&quot; read
by dn.exact=&quot;cn=vmailadmin,dc=example,dc=com&quot; write
by dn.regex=&quot;mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=example,dc=com$&quot; read
by users read
</code></pre>
<p>The LDAP suffix <code>dc=example,dc=com</code> might be different on your server.</p>
<ul>
<li>Remove the 6th line (<code>by dn.regex="mail=..."</code>), and replace the line <code>by users read</code>
by <code>by users none</code>.</li>
</ul>
<pre><code>access to dn.subtree=&quot;o=domains,dc=example,dc=com&quot;
by anonymous auth
by self write
by dn.exact=&quot;cn=vmail,dc=example,dc=com&quot; read
by dn.exact=&quot;cn=vmailadmin,dc=example,dc=com&quot; write
by users none
</code></pre>
<ul>
<li>Save your change and restart OpenLDAP service.</li>
</ul>
<h3 id="fixed-dovecot-master-user-doesnt-work-with-acl-plugin">Fixed: Dovecot Master User doesn't work with ACL plugin</h3>
<p>iRedMail has both Dovecot Master User and Dovecot <code>acl</code> plugin enabled by
default, if <code>acl</code> plugin is enabled, the Master User is still subject to ACLs
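Review bot: this rendered HTML carries the same inconsistency as the markdown hunk: at `by dn.regex=&quot;mail=[^,]+,ou=Users,domainName=$1,o=domains,dc=example,dc=com$&quot; read` the `$1` refers to a capture group that the preceding `access to dn.subtree=&quot;o=domains,dc=example,dc=com&quot;` clause never defines. Since this file is generated output of the markdown, fix the source and regenerate instead of patching both files by hand, otherwise the two copies will drift (they already differ in quoting: the `<pre>` block uses `&quot;` while the inline `<code>by dn.regex="mail=..."</code>` uses a raw quote).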