-
Notifications
You must be signed in to change notification settings - Fork 0
WIP: LDAP over TLS, DKIM and robots.conf.j2 #1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from 24 commits
3425f77
08265c2
f76d0de
153012a
3c535f7
58e92a6
f7fdcaf
9df15d0
0e47990
123afa6
55d051b
735140f
bc172c6
fee0a63
55c990c
67a06e6
245491a
f61f71a
b00cb5a
5498477
f095e88
3b26398
a9fb16f
8340e19
b63c87b
f2f7e00
6f70d93
a286266
17846bc
99e78d8
7214997
a089342
29a605e
f163afd
2bff66c
9f3af37
592b602
af2f987
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -54,8 +54,6 @@ sympa_config_sendmail: /usr/sbin/sendmail | |
| sympa_config_sendmail_aliases: /etc/mail/sympa/aliases | ||
| sympa_config_shared_feature: 'on' | ||
|
|
||
| sympa_config_dkim_feature: false | ||
|
|
||
| sympa_edit_list_defaults: | ||
| - role: privileged_owner | ||
| privilege: write | ||
|
|
@@ -134,6 +132,9 @@ sympa_soap_fcgi_enabled: false | |
| sympa_soap_fcgi_protocol: https | ||
| sympa_soap_fcgi_instances: 2 | ||
|
|
||
| sympa_ldap_auth_enabled: false | ||
| sympa_ldap_auth_ssl: true | ||
|
|
||
| sympa_web_nginx_snippet: | | ||
| location = / { | ||
| return 301 /{{ sympa_web_path }}; | ||
|
|
@@ -159,6 +160,23 @@ sympa_soap_nginx_snippet: | | |
| fastcgi_pass unix:/run/sympasoap/sympasoap.socket; | ||
| } | ||
|
|
||
| sympa_robots: {} | ||
|
|
||
| sympa_install_odbc_driver: false | ||
|
|
||
| sympa_rsyslog_unix_user: "{{ sympa_unix_user }}" | ||
|
|
||
|
|
||
| sympa_dkim_feature: false | ||
|
|
||
| sympa_config_dkim_feature: '{{ sympa_dkim_feature }}' | ||
|
|
||
| sympa_dkim_add_signature_to: | ||
| - robot | ||
| - list | ||
|
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Candide question: Shouldn't we allow to sign each robot with its specific DKIM key?
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I guess it would be better if each robot is from an entirely different fqdn
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Now, in But: are we proposing a complete and consistent DKIM features API for this upstream role?
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Was |
||
| sympa_dkim_private_key_path: /etc/ssl/dkim_private.key | ||
| sympa_dkim_signature_apply_on: | ||
| - md5_authenticated_messages | ||
| - smime_authenticated_messages | ||
| - dkim_authenticated_messages | ||
| - editor_validated_messages | ||
|
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I understand you set these values because of these sympa defaults. However, this is the default behaviour of sympa when
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. So, we shouldn't set any of these four values, and if the user decides to set
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Yes. Eventually the role could assert permitted values, but I think re-coding in the role the default behaviour of sympa conflicts with DRY principle. don't you think so?
legacy or upstream sympa role? There is nothing about DKIM in upstream version of this template. We are building our PR.
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
I am referring to this.
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Yes, I agree that it's better to simplify this. |
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -42,6 +42,14 @@ | |
| name: "{{ sympa_openssldev_package }}" | ||
| when: sympa_config_dkim_feature or sympa_soap_fcgi_enabled | ||
|
|
||
| - name: Install SSL development library and zlib development needed for LDAP | ||
| package: | ||
| name: | ||
| - "{{ sympa_openssldev_package }}" | ||
| - "{{ sympa_zlibdev_package }}" | ||
| when: sympa_ldap_auth_enabled and sympa_ldap_auth_ssl | ||
| tags: sympaldap | ||
|
|
||
| - name: Add Mail::DKIM::Verifier to features if DKIM support is requested | ||
| set_fact: | ||
| sympa_cpanm_features: "{{ sympa_cpanm_features + ['Mail::DKIM::Verifier'] }}" | ||
|
|
@@ -58,6 +66,25 @@ | |
| when: sympa_soap_fcgi_enabled | ||
| tags: sympasoap | ||
|
|
||
| - name: Add ldap-secure to features if LDAP (ssl) auth is enabled | ||
| set_fact: | ||
| sympa_cpanm_features: "{{ sympa_cpanm_features + ['ldap-secure'] }}" | ||
| when: sympa_ldap_auth_enabled and sympa_ldap_auth_ssl | ||
| tags: sympaldap | ||
|
|
||
| - name: Add ldap to features if LDAP (no SSL) auth is enabled | ||
| set_fact: | ||
| sympa_cpanm_features: "{{ sympa_cpanm_features + ['ldap'] }}" | ||
| when: sympa_ldap_auth_enabled and not sympa_ldap_auth_ssl | ||
| tags: sympaldap | ||
|
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. role tags are
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. What about
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. right... anyway, all tagging is still to review. not very relevant, so.
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think these tags are not meant to be run until everything prior has been ran at least once, because the rest of the file has no tags at all |
||
|
|
||
| - name: Print features before install | ||
| ansible.builtin.debug: | ||
| var: sympa_cpanm_features | ||
| verbosity: 1 | ||
|
|
||
| - name: Install Perl modules with cpanm | ||
| command: "{{ sympa_cpanm_program }} --notest --installdeps {{ sympa_source_directory }}{% for feature in sympa_cpanm_features %} --with-feature {{ feature }}{% endfor %}" | ||
| tags: sympasoap | ||
| tags: | ||
| - sympasoap | ||
| - sympaldap | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| --- | ||
| # Copyright (C) 2020-2022 Stefan Hornburg (Racke) <racke@linuxia.de> | ||
| # SPDX-License-Identifier: GPL-2.0-or-later | ||
|
|
||
| - name: Create directory for {{ sympa_robot_domain }} robot | ||
| file: | ||
| state: directory | ||
| path: "{{ sympa_configuration_directory }}/{{ sympa_robot_domain }}" | ||
| owner: "{{ sympa_unix_user }}" | ||
| group: "{{ sympa_unix_group }}" | ||
| mode: 0755 | ||
|
|
||
| - name: Create list data directory for {{ sympa_robot_domain }} robot | ||
| file: | ||
| state: directory | ||
| path: "{{ sympa_list_home_directory }}/{{ sympa_robot_domain }}" | ||
| owner: "{{ sympa_unix_user }}" | ||
| group: "{{ sympa_unix_group }}" | ||
| mode: 0755 | ||
|
|
||
| - name: Create archives' directory {{ sympa_robot_domain }} robot | ||
| file: | ||
| state: directory | ||
| path: "{{ sympa_installation_directory }}/arc/{{ sympa_robot_domain }}" | ||
| owner: "{{ sympa_unix_user }}" | ||
| group: "{{ sympa_unix_group }}" | ||
| mode: 0755 | ||
|
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Apparently, these folders per robot are not needed. Sympa create archive folder with the full name of the list |
||
|
|
||
| - debug: | ||
| var: "{{ item }}" | ||
| verbosity: 2 | ||
| loop: | ||
| - sympa_robot_domain | ||
| - sympa_robot | ||
| - sympa_robots | ||
|
|
||
|
|
||
| - name: Create {{ sympa_robot_domain }} robot configuration file | ||
| template: | ||
| src: robot.conf.j2 | ||
| dest: "{{ sympa_configuration_directory }}/{{ sympa_robot_domain }}/robot.conf" | ||
| owner: "{{ sympa_unix_user }}" | ||
| group: "{{ sympa_unix_group }}" | ||
| mode: 0644 | ||
| notify: | ||
| - restart sympa | ||
| - restart wwsympa | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,47 +1,41 @@ | ||
| --- | ||
| # Copyright (C) 2020-2022 Stefan Hornburg (Racke) <racke@linuxia.de> | ||
| # SPDX-License-Identifier: GPL-2.0-or-later | ||
| # Sympa robots configuration | ||
|
|
||
| - name: Create directory for robots | ||
| file: | ||
| state: directory | ||
| path: "{{ sympa_configuration_directory }}/{{ item.domain }}" | ||
| owner: "{{ sympa_unix_user }}" | ||
| group: "{{ sympa_unix_group }}" | ||
| mode: 0755 | ||
| when: item.domain != sympa_domain | ||
| loop: "{{ sympa_robots }}" | ||
| - name: Create configuration files for robots on request (dict variable) | ||
| include_tasks: | ||
| file: robot.yml | ||
| apply: | ||
| tags: | ||
| - sympa | ||
| - sympa-conf | ||
| - sympa-robots | ||
| loop: "{{ sympa_robots | list }}" | ||
| loop_control: | ||
| loop_var: sympa_robot_domain | ||
| vars: | ||
| sympa_robot_domain_query: '"{{ sympa_robot_domain }}"' | ||
| sympa_robot: "{{ sympa_robots | community.general.json_query ( sympa_robot_domain_query ) }}" | ||
| when: | ||
| - sympa_robots is mapping | ||
| - sympa_robot_domain != sympa_domain | ||
|
|
||
| - name: Create list data directory for robots | ||
| file: | ||
| state: directory | ||
| path: "{{ sympa_list_home_directory }}/{{ item.domain }}" | ||
| owner: "{{ sympa_unix_user }}" | ||
| group: "{{ sympa_unix_group }}" | ||
| mode: 0755 | ||
| when: item.domain != sympa_domain | ||
| loop: "{{ sympa_robots }}" | ||
|
|
||
| - name: Create list data directory for robots | ||
| file: | ||
| state: directory | ||
| path: "{{ sympa_list_home_directory }}/{{ item.domain }}" | ||
| owner: "{{ sympa_unix_user }}" | ||
| group: "{{ sympa_unix_group }}" | ||
| mode: 0755 | ||
| when: item.domain != sympa_domain | ||
| loop: "{{ sympa_robots }}" | ||
| - name: Create configuration files for robots on request (list variable) | ||
| include_tasks: | ||
| file: robot.yml | ||
| apply: | ||
| tags: | ||
| - sympa | ||
| - sympa-conf | ||
| - sympa-robots | ||
| loop: "{{ sympa_robots | list }}" | ||
| loop_control: | ||
| loop_var: sympa_robot | ||
| vars: | ||
| sympa_robot_domain: "{{ sympa_robot.domain }}" | ||
| when: | ||
| - sympa_robots is not mapping # then it must be a list of dicts | ||
| - sympa_robot_domain != sympa_domain | ||
|
|
||
| - name: Create configuration file | ||
| template: | ||
| src: robot.conf.j2 | ||
| dest: "{{ sympa_configuration_directory }}/{{ item.domain }}/robot.conf" | ||
| owner: "{{ sympa_unix_user }}" | ||
| group: "{{ sympa_unix_group }}" | ||
| mode: 0644 | ||
| when: item.domain != sympa_domain | ||
| loop: "{{ sympa_robots }}" | ||
| notify: | ||
| - restart sympa | ||
| - restart wwsympa | ||
|
|
||
| ... |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,8 +1,32 @@ | ||
| # Robot configuration for {{ item.domain }} | ||
| domain {{ item.domain }} | ||
| # Robot configuration for {{ sympa_robot_domain }} | ||
| domain {{ sympa_robot_domain }} | ||
|
|
||
| # Robot's listmaster | ||
| {% if sympa_robot.listmaster is defined %} | ||
| listmaster {% if sympa_robot.listmaster is string %}{{ sympa_robot.listmaster }}{% else %}{{ sympa_robot.listmaster | join(',') }}{% endif %} | ||
| {% else %} | ||
| listmaster listmaster@{{ sympa_robot_domain }} | ||
| {% endif %} | ||
|
|
||
| {% if sympa_web_fcgi_enabled %} | ||
|
|
||
| # Web interface | ||
| wwsympa_url {{ sympa_web_fcgi_protocol }}://{{ item.web_domain | default(item.domain) }}/{{ sympa_web_path }} | ||
| cookie_domain {{ item.web_domain | default(item.domain) }} | ||
| wwsympa_url {{ sympa_web_fcgi_protocol }}://{{ sympa_robot.wwsympa_url | default(sympa_robot.web_domain) | default(sympa_robot_domain) }}/{{ sympa_web_path }} | ||
| cookie_domain {{ sympa_robot.wwsympa_url | default(sympa_robot.web_domain) | default(sympa_robot_domain) }} | ||
| {% endif %} | ||
|
|
||
| {% for robot_param,value in sympa_robot.items() %} | ||
|
|
||
| {% if not robot_param in ['domain', 'listmaster', 'wwsympa_url', 'web_domain'] %} | ||
|
|
||
| {% if value is mapping %} | ||
| # {{ robot_param }} value(s) | ||
| {% for sub_el,val in value.items() -%} | ||
| {{ robot_param }}.{{ sub_el }} {{ val }} | ||
| {% endfor %} | ||
| {% else %} | ||
| # {{ robot_param }} value | ||
| {{ robot_param }} {{ value }} | ||
| {%- endif %} | ||
| {%- endif %} | ||
| {%- endfor %} |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -115,6 +115,10 @@ alias_manager {{ sympa_config_alias_manager }} | |
| aliases_program {{ sympa_config_aliases_program }} | ||
| {% endif %} | ||
|
|
||
| {% if sympa_config_aliases_db_type is defined %} | ||
| aliases_db_type {{ sympa_config_aliases_db_type }} | ||
| {% endif %} | ||
|
|
||
| {% if sympa_config_aliases_wrapper is defined %} | ||
| aliases_wrapper {{ sympa_config_aliases_wrapper }} | ||
| {% endif %} | ||
|
|
@@ -139,3 +143,35 @@ process_archive {{ sympa_config_process_archive | bool | ternary('on', 'off') }} | |
| # Extra parameters | ||
| {{ sympa_config_extra_parameters }} | ||
| {% endif %} | ||
|
|
||
| ###\\\\ DKIM ////### | ||
|
|
||
| ## dkim_feature | ||
| dkim_feature {% if sympa_dkim_feature %}on{% else %}off{% endif %} | ||
|
|
||
| ## dkim_signature_apply_on | ||
| ## Type of message that is added a DKIM signature before distribution to | ||
| ## subscribers. Possible values are "none", "any" or a list of the following | ||
| ## keywords: "md5_authenticated_messages", "smime_authenticated_messages", | ||
| ## "dkim_authenticated_messages", "editor_validated_messages". | ||
| {% if sympa_dkim_signature_apply_on | length>0 %} | ||
| dkim_signature_apply_on {{ sympa_dkim_signature_apply_on | join(',') }} | ||
| {% else %} | ||
| dkim_signature_apply_on none | ||
|
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. So, just keep the if statement and remove the else statement entirely? |
||
| {% endif %} | ||
|
|
||
| ## dkim_private_key_path | ||
| ## Location of the file where DKIM private key is stored | ||
| dkim_parameters.private_key_path {{ sympa_dkim_private_key_path }} | ||
|
|
||
| ## dkim_signer_domain | ||
| ## The "d=" tag as defined in rfc 4871, default is virtual host domain name | ||
| {% if sympa_dkim_signer_domain is defined %} | ||
| dkim_parameters.signer_domain {{ sympa_dkim_signer_domain }} | ||
| {% endif %} | ||
|
|
||
| ## dkim_selector | ||
| ## The selector | ||
| {% if sympa_dkim_selector is defined %} | ||
| dkim_parameters.selector {{ sympa_dkim_selector }} | ||
| {% endif %} | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it SSL or TLS? And shouldn't we allow any transport protocol, for sysadmin to be able to fit their installation with their LDAP requirements?
By the way, to complete LDAP understanding we should also document somewhere how to build
sympa_web_authentication. A link to ldapauth.confconfiguration would be worthy.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ldap-securedepends onIO::Socket::SSL, so I guess it is SSL.What do you mean? We are currently covering both
ldapandldap-secure, the only ldap related features on sympa'scpanfile.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SSL is often used for secure layer, but strictly SSL is deprecated and being replaced by TLS. Seeing our LDAP parameters, I think we are using TLS 1.2, on port 389. ldaps (i.e. LDAP on SSL listen on port 636).
There are also TLS parameters of the authentication.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, then shall I rename variables to reference TLS instead of SSL, or directly reference "secure" instead?
So then, does that need any special configurations from this role? I thought the
{{ key }} {{ value }}approach would eliminate all those quirks.