Conversation
ulvida
left a comment
There was a problem hiding this comment.
A first review of this "work in progress", before proposing to the upstream.
| - name: Add ldap-secure to features if LDAP auth is enabled | ||
| set_fact: | ||
| sympa_cpanm_features: "{{ sympa_cpanm_features + ['ldap-secure'] }}" | ||
| when: sympa_ldap_auth_enabled | bool |
There was a problem hiding this comment.
Shouldn't we allow a non encrypted ldap authentication, with a second boolean flag or several values for this variable?
By the way, there is another PR for LDAP auth. It takes another approach, defining a structure sympa_config_ldap, and changing auth.conf template for a more rigid one.
I prefer present approach, that preserve pre-existent API variable sympa_web_authentication. I consider very elegant how present version of auth.conf template solves all possible backends, withe their specific parameters. I think we should take this approach for other templates, such as robots.conf: some parameters deserve specific consideration (such as listmaster), but after we can loop all the rest of key: value parameters as {{ key }} {{ value }}. The devops configuring her sympa server should ensure all are legitimate parameters for the .conf file.
It deserves to notice that building rigid templates doesn't really ensure we will detect configuration errors. If a parameter is misspelled, it will silently be ignored, eventually leading to a misconfiguration.
If we want to check configuration, we should explicitely do it with a loop of asserts on all possible values. For templates, considering sympa configuration file structure, appropriate loops on key: value parameters templated as {{ key }} {{ value }} are ok.
Comentario original en español:
¿no deberíamos permitir una authenticación en ldap sin encriptado, con un segundo booleano o con algunos valores a esta variable, en vez de enable/disable booleano?
Sea dicho de paso ya hay otra PR para la auth LDAP. Toma un enfoque diferente: define una estructura sympa_config_ldap, y cambia el template auth.conf por uno más rígido.
Prefiero el enfoque tomado acá, que respeta la variable de API pre-existente sympa_web_authentication. Y me parece muy elegante como la versión actual el template auth.conf resuelve todos los backend possibles, con sus diversos parámetros. Creo que podríamos tomarla para otras plantillas, como robots.conf: algunos parámetros merecen tratamiento especial (como listmaster), pero luego toda la lista restante de key: value, a carga do quién use el rol de poner ahí parámetros legitimos para un robot sympa.
| {% if item.config_colors is defined %} | ||
| ## Colors | ||
| {% for color in item.config_colors %} | ||
| color_{{ loop.index - 1 }} {{ color }} |
There was a problem hiding this comment.
Entiendo que el parámetro color_x fue abandonado en la 6.2.70.
| cookie_domain {{ item.web_domain | default(item.domain) }} | ||
| {% endif %} | ||
| {% if item.config_title is defined %} | ||
| title {{ item.config_title }} |
There was a problem hiding this comment.
Why adding prefix config_ to all the following parameters?
We are proposing the definition of sympa_robots role's API. I think we should stick as close as possible of sympa configuration vocabulary.
¿porqué config_ para todos los siguientes parámetros que agregan de un robot?
acá están proponiendo la API de la sympa_robots. Creo que el nombre debe ser igual al parámetro sympa. Idealmente, la plantilla debe considerar todos los parámetros de config que la doc indica se pueden usar en un robots.conf.
| sympa_dkim_feature: false | ||
| sympa_dkim_add_signature_to: | ||
| - robot | ||
| - list |
There was a problem hiding this comment.
Candide question: Shouldn't we allow to sign each robot with its specific DKIM key?
There was a problem hiding this comment.
I guess it would be better if each robot is from an entirely different fqdn
There was a problem hiding this comment.
Now, in cielito.sympa.install, we hard coded dkim_same_key: false when calling dkim role .
But: are we proposing a complete and consistent DKIM features API for this upstream role?
There was a problem hiding this comment.
Was dkim_same_key from our fork or from upstream? Why is it broken in our fork? Anyways, it doesn't seem like a great idea to have the same key for every (sub)domain.
| @@ -1,8 +1,31 @@ | |||
| # Robot configuration for {{ item.domain }} | |||
There was a problem hiding this comment.
For code clarity, shouldn't we give a name (for instance sympa_robot) to this item loop variable?
There was a problem hiding this comment.
Oups... my own fault.
Now I remember I preferred "not to change too much". I'll grap this in a PR specific to robots configuration.
| set_fact: | ||
| sympa_cpanm_features: "{{ sympa_cpanm_features + ['ldap-secure'] }}" | ||
| when: sympa_ldap_auth_enabled | bool | ||
| tags: sympaldap |
There was a problem hiding this comment.
role tags are sympa-conf, sympa-auth, ... should therefore be sympa-ldap here.
There was a problem hiding this comment.
right... anyway, all tagging is still to review. not very relevant, so.
There was a problem hiding this comment.
I think these tags are not meant to be run until everything prior has been ran at least once, because the rest of the file has no tags at all
|
I added the LDAP variables to default/main.yml as well as README.md. and I also added the option for non-SSL LDAP authentication. |
|
|
||
| #### *sympa_ldap_auth_ssl* | ||
|
|
||
| Whether authentication through LDAP uses SSL. Defaults to `true`. |
There was a problem hiding this comment.
Is it SSL or TLS? And shouldn't we allow any transport protocol, for sysadmin to be able to fit their installation with their LDAP requirements?
By the way, to complete LDAP understanding we should also document somewhere how to build sympa_web_authentication. A link to ldap auth.conf configuration would be worthy.
There was a problem hiding this comment.
Is it SSL or TLS?
ldap-secure depends on IO::Socket::SSL, so I guess it is SSL.
And shouldn't we allow any transport protocol, for sysadmin to be able to fit their installation with their LDAP requirements?
What do you mean? We are currently covering both ldap and ldap-secure, the only ldap related features on sympa's cpanfile.
There was a problem hiding this comment.
ldap-secure depends on IO::Socket::SSL, so I guess it is SSL.
SSL is often used for secure layer, but strictly SSL is deprecated and being replaced by TLS. Seeing our LDAP parameters, I think we are using TLS 1.2, on port 389. ldaps (i.e. LDAP on SSL listen on port 636).
What do you mean?
I mean the LDAP may pre-exists and Sympa should bind to itl as provided: basic ldap on port 389, ldaps on 636 and/or ldap+starttls on 389 (our LDAP, for instance, took a while to offer this last protocol)
We are currently covering both ldap and ldap-secure, the only ldap related features on sympa's cpanfile.
There are also TLS parameters of the authentication.
There was a problem hiding this comment.
There are also TLS parameters of the authentication.
I see, then shall I rename variables to reference TLS instead of SSL, or directly reference "secure" instead?
I mean the LDAP may pre-exists and Sympa should bind to itl as provided: basic ldap on port 389, ldaps on 636 and/or ldap+starttls on 389 (our LDAP, for instance, took a while to offer this last protocol)
So then, does that need any special configurations from this role? I thought the {{ key }} {{ value }} approach would eliminate all those quirks.
ulvida
left a comment
There was a problem hiding this comment.
Non blocking details in API and templating, for a better PR to upstream.
| {% if sympa_dkim_signature_apply_on | length>0 %} | ||
| dkim_signature_apply_on {{ sympa_dkim_signature_apply_on | join(',') }} | ||
| {% else %} | ||
| dkim_signature_apply_on none |
There was a problem hiding this comment.
dkim_signature_apply_on is not mandatory, and default behaviour of sympa when its not defined - or empty? - is not none. I think it's good to define sympa_dkim_signature_apply_on as a list, but not to "over-template" it.
There was a problem hiding this comment.
So, just keep the if statement and remove the else statement entirely?
| sympa_dkim_feature: false | ||
| sympa_dkim_add_signature_to: | ||
| - robot | ||
| - list |
There was a problem hiding this comment.
Now, in cielito.sympa.install, we hard coded dkim_same_key: false when calling dkim role .
But: are we proposing a complete and consistent DKIM features API for this upstream role?
| - md5_authenticated_messages | ||
| - smime_authenticated_messages | ||
| - dkim_authenticated_messages | ||
| - editor_validated_messages |
There was a problem hiding this comment.
I understand you set these values because of these sympa defaults.
However, this is the default behaviour of sympa when dkim_signature_apply_on is not defined. Here, we must allow such setting, not set values that reproduce this behaviour. As we need to allow "dkim_signature_apply_on not defined" in sympa, we shouldn't set a default value here.
There was a problem hiding this comment.
So, we shouldn't set any of these four values, and if the user decides to set dkim_signature_apply_on, they should handle it themselves? Just in case, this code was snipped from our legacy sympa role and adapted by @paulo-ruiz.
There was a problem hiding this comment.
So, we shouldn't set any of these four values, and if the user decides to set dkim_signature_apply_on, they should handle it themselves?
Yes. Eventually the role could assert permitted values, but I think re-coding in the role the default behaviour of sympa conflicts with DRY principle. don't you think so?
Just in case, this code was snipped from our legacy sympa role and adapted by @paulo-ruiz.
legacy or upstream sympa role? There is nothing about DKIM in upstream version of this template. We are building our PR.
There was a problem hiding this comment.
legacy or upstream sympa role? There is nothing about DKIM in upstream version of this template. We are building our PR.
I am referring to this.
There was a problem hiding this comment.
Yes. Eventually the role could assert permitted values, but I think re-coding in the role the default behaviour of sympa conflicts with DRY principle. don't you think so?
Yes, I agree that it's better to simplify this.
| # adapted from stuvusIT/sympa repository on Github | ||
|
|
||
| ## dkim_feature | ||
| dkim_feature {{ sympa_dkim_feature | bool | ternary('on', 'off') }} |
There was a problem hiding this comment.
All the previous parameters of this file are prefixed with sympa_config_* and for this one and following we switch to sympa_*. Should we harmonise naming? or sympa_config_dkim_* is too much?
There was a problem hiding this comment.
both variables exist, though. sympa_dkim_feature actually configures dkim, and sympa_config_dkim_feature just installs the dependencies. i would change the last one, but that would break upstream. merging them into one doesn't seem ideal either.
| path: "{{ sympa_installation_directory }}/arc/{{ sympa_robot_domain }}" | ||
| owner: "{{ sympa_unix_user }}" | ||
| group: "{{ sympa_unix_group }}" | ||
| mode: 0755 |
There was a problem hiding this comment.
Apparently, these folders per robot are not needed. Sympa create archive folder with the full name of the list list@robot_domain.
In this PR we fix:
We are also working in Spamassassin and Clamav integration.
Cuando tengamos algo listo sacamos el "WIP;" y proponemos la PR al upstream