authorJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2015-08-15 06:23:07 (GMT)
committerJeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com>2015-08-15 06:23:07 (GMT)
commite4e1623b078f91076817e6ad897430e2c810ae9d (patch)
tree100f1018c01221ccd02af8880b5d904fe4022a02
parent35441cef3d3254a72168935b8ce66420ff72b56f (diff)
downloadkolab-scripts-dev/4459.tar.gz
Replace hosted-kolab scripts with the versions for ticket 4459dev/4459
-rwxr-xr-xhosted-kolab/00-oops-i-did-it-again.sh31
-rwxr-xr-xhosted-kolab/02-add-ou-Domains.sh10
-rwxr-xr-xhosted-kolab/02-replace-roles.sh18
-rwxr-xr-xhosted-kolab/04-add-ou-Domains.sh12
-rwxr-xr-xhosted-kolab/05-add-management-domain.sh (renamed from hosted-kolab/03-add-management-domain.sh)1
-rwxr-xr-xhosted-kolab/06-remove-cn-equals-kolab.sh (renamed from hosted-kolab/04-remove-cn-equals-kolab.sh)0
-rwxr-xr-xhosted-kolab/07-add-self-reg-hosted-domain.sh (renamed from hosted-kolab/06-add-self-reg-hosted-domain.sh)53
-rwxr-xr-xhosted-kolab/08-add-customer-domain.sh (renamed from hosted-kolab/07-add-customer-domain.sh)92
-rwxr-xr-xhosted-kolab/08-add-doe-at-mgmt-domain-admin.sh25
-rwxr-xr-xhosted-kolab/09-add-doe-at-mgmt-domain-admin.sh51
-rwxr-xr-xhosted-kolab/10-add-doe-at-kolabnow.com.sh (renamed from hosted-kolab/09-add-doe-at-kolabnow.com.sh)8
-rwxr-xr-xhosted-kolab/11-add-doe-at-mykolab.com.sh (renamed from hosted-kolab/10-add-doe-at-mykolab.com.sh)9
-rwxr-xr-xhosted-kolab/12-add-sixpack-at-kolabnow.com.sh (renamed from hosted-kolab/11-add-sixpack-at-kolabnow.com.sh)11
-rwxr-xr-xhosted-kolab/15-adjust-configuration.sh99
-rwxr-xr-xhosted-kolab/15-adjust-kolab.conf.sh16
-rwxr-xr-xhosted-kolab/19-test-aci.sh154
-rwxr-xr-xhosted-kolab/99-remove-users.sh2
-rwxr-xr-xhosted-kolab/replace-aci170
18 files changed, 661 insertions, 101 deletions
diff --git a/hosted-kolab/00-oops-i-did-it-again.sh b/hosted-kolab/00-oops-i-did-it-again.sh
new file mode 100755
index 0000000..c2f06d9
--- /dev/null
+++ b/hosted-kolab/00-oops-i-did-it-again.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+../cleanup-and-start-over.sh
+
+../utils/disable-7-bit-plugin.sh
+../utils/enable-audit-log.sh
+#../utils/disable-access-log.sh
+
+rm -rf /var/lib/imap/log/*
+#for user in cyrus-admin doe@example.org doe@kolabnow.com sixpack@kolabnow.com doe@mykolab.com annabelle@kanarip.com kanarip@kanarip.com lydia@kanarip.com; do
+# mkdir -p /var/lib/imap/log/${user}
+#done
+#chown -R cyrus:mail /var/lib/imap/log/
+
+#yum-builddep -y cyrus-imapd pykolab
+
+setup-kolab --default --mysqlserver=new --timezone=Europe/Zurich --directory-manager-pwd=Welcome2KolabSystems
+
+./01-add-hosted-kolab-service-account.sh
+./02-replace-roles.sh
+./04-add-ou-Domains.sh
+./05-add-management-domain.sh
+./06-remove-cn-equals-kolab.sh
+./07-add-self-reg-hosted-domain.sh
+#./08-add-customer-domain.sh
+#./09-add-doe-at-mgmt-domain-admin.sh
+#./10-add-doe-at-kolabnow.com.sh
+#./11-add-doe-at-mykolab.com.sh
+#./12-add-sixpack-at-kolabnow.com.sh
+./15-adjust-configuration.sh
+
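Review bot: The Directory Manager password is a literal on the command line in `setup-kolab --default ... --directory-manager-pwd=Welcome2KolabSystems`, so it is visible in `ps` output and shell history, and the same literal is reused as a bind password in `08-add-customer-domain.sh` later in this series. The sibling scripts already source `./settings.sh` for `${ldap_bindpw}`; sourcing it here and passing `--directory-manager-pwd="${ldap_bindpw}"` keeps the secret in one place, assuming `ldap_bindpw` is indeed the Directory Manager credential (the scripts bind with it to modify entries directly under `${rootdn}`, which suggests it is). The script also has no `set -e`, so a failed `cleanup-and-start-over.sh` or `setup-kolab` is silently followed by the ACI steps against whatever state is left behind.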
diff --git a/hosted-kolab/02-add-ou-Domains.sh b/hosted-kolab/02-add-ou-Domains.sh
deleted file mode 100755
index 400002d..0000000
--- a/hosted-kolab/02-add-ou-Domains.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
- . ./settings.sh
-(
- echo "dn: ou=Domains,${rootdn}"
- echo "ou: Domains"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/hosted-kolab/02-replace-roles.sh b/hosted-kolab/02-replace-roles.sh
new file mode 100755
index 0000000..3e2d260
--- /dev/null
+++ b/hosted-kolab/02-replace-roles.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+ . ./settings.sh
+
+(
+ echo "cn=kolab-admin,${rootdn}"
+) | ldapdelete -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+(
+ echo "dn: cn=admin-user,${rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: admin-user"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
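Review bot: Neither the `ldapdelete` of `cn=kolab-admin,${rootdn}` nor the following `ldapadd` has its exit status checked, so if the old role cannot be removed the script still finishes normally with `cn=admin-user` created next to the stale role, and any entry still carrying `nsroledn: cn=kolab-admin,${rootdn}` (as the removed `08-add-doe-at-mgmt-domain-admin.sh` used to set) is left pointing at a dangling or lingering role rather than migrated. Add `|| exit 1` after each pipeline, or `set -e` at the top of the script. Separately, `-w "${ldap_bindpw}"` places the bind password in the process argument list; both tools accept `-y <file>` to read it from a mode-0600 file instead.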
diff --git a/hosted-kolab/04-add-ou-Domains.sh b/hosted-kolab/04-add-ou-Domains.sh
new file mode 100755
index 0000000..8415711
--- /dev/null
+++ b/hosted-kolab/04-add-ou-Domains.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+ . ./settings.sh
+(
+ echo "dn: ou=Domains,${rootdn}"
+ echo "ou: Domains"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo "aci: (target = \"ldap:///${domain_base_dn}\")(targetattr=\"objectclass || aci || inetdomainstatus || inetdomainbasedn || associateddomain\") (version 3.0;acl \"Allow Domain Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (targetattr=\"objectclass || aci || inetdomainstatus || inetdomainbasedn || associateddomain\") (version 3.0;acl \"Allow Search\"; allow (search,read,compare)(userdn = \"ldap:///anyone\");)"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
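Review bot: The `Allow Search` ACI grants `search,read,compare` on `associateddomain`, `inetdomainbasedn`, `inetdomainstatus` and `aci` to `ldap:///anyone`, which in 389 DS includes unauthenticated binds, so anyone who can reach the LDAP port can enumerate every hosted customer domain and read the ACIs protecting those entries. If the intent is that any logged-in user can resolve domains (the `ldapsearch` checks in `08-add-customer-domain.sh` and `09-add-doe-at-mgmt-domain-admin.sh` exercise exactly that with bound users), `userdn = "ldap:///all"` limits it to authenticated identities. Whether the Kolab daemons need to resolve a domain before binding is not visible here; if they do, keep the anonymous grant to `associateddomain || inetdomainbasedn` and drop `aci` from the readable set.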
diff --git a/hosted-kolab/03-add-management-domain.sh b/hosted-kolab/05-add-management-domain.sh
index 98184bb..16efa77 100755
--- a/hosted-kolab/03-add-management-domain.sh
+++ b/hosted-kolab/05-add-management-domain.sh
@@ -6,6 +6,7 @@
echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)"
echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
echo "inetDomainStatus: active"
+ echo "inetDomainBaseDN: dc=example,dc=org"
echo "objectClass: top"
echo "objectClass: domainrelatedobject"
echo "objectClass: inetdomain"
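Review bot: `inetDomainBaseDN: dc=example,dc=org` is a hard-coded literal while the two ACIs just above derive the same suffix from `${rootdn}`; if `settings.sh` ever sets `rootdn` differently, the management domain entry points its base DN at a tree that does not exist. `echo "inetDomainBaseDN: ${rootdn}"` keeps the two in step, assuming `rootdn` is the management domain suffix as the surrounding lines imply. The enclosing `( … ) | ldapadd` group starts and ends outside this hunk.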
diff --git a/hosted-kolab/04-remove-cn-equals-kolab.sh b/hosted-kolab/06-remove-cn-equals-kolab.sh
index 643cc5b..643cc5b 100755
--- a/hosted-kolab/04-remove-cn-equals-kolab.sh
+++ b/hosted-kolab/06-remove-cn-equals-kolab.sh
diff --git a/hosted-kolab/06-add-self-reg-hosted-domain.sh b/hosted-kolab/07-add-self-reg-hosted-domain.sh
index 2144b14..97c9a7f 100755
--- a/hosted-kolab/06-add-self-reg-hosted-domain.sh
+++ b/hosted-kolab/07-add-self-reg-hosted-domain.sh
@@ -10,7 +10,7 @@
echo "associateddomain: ${hosted_domain}"
echo "inetdomainstatus: active"
echo "inetdomainbasedn: dc=mykolab,dc=com"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap://ou=People,${hosted_domain_rootdn}\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap://ou=People,${hosted_domain_rootdn}??sub?(objectclass=*)\") AND NOT (roledn = \"ldap:///cn=admin-user,${rootdn}\");)"
echo ""
for domain in kolabnow.com swisscollab.ch mykolab.ch; do
@@ -21,7 +21,7 @@
echo "associateddomain: ${domain}"
echo "inetdomainstatus: active"
echo "inetdomainbasedn: dc=mykolab,dc=com"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap://ou=People,${hosted_domain_rootdn}\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap://ou=People,${hosted_domain_rootdn}??sub?(objectclass=*)\") AND NOT (roledn = \"ldap:///cn=admin-user,${rootdn}\");)"
echo ""
done
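Review bot: Both changed `Deny Unauthorized` ACIs still spell the hosted People subtree as `ldap://ou=People,${hosted_domain_rootdn}??sub?(objectclass=*)` with two slashes, whereas every other userdn in this series — including the `ou=People` rule further down this same file — uses `ldap:///`; with two slashes the DN sits in the host position of the URL, so the exemption for hosted users is either rejected or matches nothing, and either way the deny rule hits a different set of binders than intended. The fix is `ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=*)` on both lines. The added `AND NOT (roledn = "ldap:///cn=admin-user,${rootdn}")` exemption itself reads correctly; note that `08-add-customer-domain.sh` writes the same clause without parentheses, so one form should be picked for both files.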
@@ -53,12 +53,13 @@
(
echo "dn: ${hosted_domain_rootdn}"
echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)"
- echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)"
- echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)"
echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-$(hostname -s),cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot\";)"
- echo "aci: (targetattr =\"*\")(version 3.0;acl \"Kolab Administrators\";allow (all) (roledn=\"ldap:///cn=kolab-admin,${rootdn}\");)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Search Access\";allow (compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
- echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${domain_rootdn}\");)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Kolab Administrators\";allow (all) (roledn=\"ldap:///cn=admin-user,${rootdn}\");)"
+ echo "aci: (targetattr != \"userPassword\")(version 3.0;acl \"Search Access\";allow (compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr != \"userPassword\")(version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///ou=*,${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain OU Registration\"; allow (add,write)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
echo "objectClass: top"
echo "objectClass: domain"
echo "dc: $(echo ${hosted_domain} | cut -d'.' -f 1)"
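Review bot: The new `Allow Domain OU Registration` ACI grants `uid=hosted-kolab-service` `(add,write)` on `objectclass || aci || ou` for every `ou=*` under the hosted domain, and `write` on `aci` lets that service account rewrite the access rules of existing OUs — including the `Deny Unauthorized` rule on `ou=People` added further down this file — which is broader than the `add`-only form the equivalent rule takes in `08-add-customer-domain.sh`. If the service only needs to create sub-OUs with their initial ACIs, `allow (add)` is sufficient; if it must later adjust ACIs, make that a separate, narrower rule on the specific OU. The `Search Access` rule now correctly excludes `userPassword`, which is worth a one-line comment so it is not "tidied" back to `*`.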
@@ -66,6 +67,42 @@
) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
(
+ echo "dn: cn=active-user,${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: active-user"
+ echo ""
+
+ echo "dn: cn=suspended-user,${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: suspended-user"
+ echo ""
+
+ echo "dn: cn=imap-user,${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: imap-user"
+ echo ""
+
+ echo "dn: cn=kolab-user,${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: kolab-user"
+ echo ""
+
echo "dn: ou=Groups,${hosted_domain_rootdn}"
echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)"
echo "ou: Groups"
@@ -75,7 +112,7 @@
echo "dn: ou=People,${hosted_domain_rootdn}"
echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Allow Hosted Kolab Service\"; allow (search,add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Allow Hosted Kolab Service\"; allow (search,add,read)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Allow Kolab Service\"; allow (read,search,compare)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)"
echo "aci: (targetattr = \"*\") (version 3.0;acl \"Self Search Access\";allow (read,compare,search)(userdn = \"ldap:///self\");)"
echo "ou: People"
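Review bot: The `Allow Hosted Kolab Service` rule now grants `read` with `targetattr = "*"` on `ou=People`, so the hosted service account can read every hosted user's `userPassword` hash, while the `Allow Kolab Service` rule on the next line deliberately excludes `userPassword` for the other service account. Unless the hosted service genuinely needs password hashes, split the rule: keep `allow (search,add)` on `*` and add `(targetattr != "userPassword") ... allow (read,search,compare)` for `uid=hosted-kolab-service`, mirroring the kolab-service rule. The `ou=People` entry definition continues outside this hunk.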
diff --git a/hosted-kolab/07-add-customer-domain.sh b/hosted-kolab/08-add-customer-domain.sh
index 2b9bba8..feb8010 100755
--- a/hosted-kolab/07-add-customer-domain.sh
+++ b/hosted-kolab/08-add-customer-domain.sh
@@ -14,9 +14,9 @@ export hosted_domain_rootdn="ou=kanarip.com,${rootdn}"
echo "objectclass: inetdomain"
echo "inetdomainstatus: active"
echo "inetdomainbasedn: ${hosted_domain_rootdn}"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn}\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn} || ldap:///cn=admin-user,${mgmt_domain_rootdn}\");)"
echo ""
echo "dn: associateddomain=kanarip.ch,ou=Domains,${mgmt_domain_rootdn}"
@@ -25,9 +25,9 @@ export hosted_domain_rootdn="ou=kanarip.com,${rootdn}"
echo "objectclass: inetdomain"
echo "inetdomainstatus: active"
echo "inetdomainbasedn: ${hosted_domain_rootdn}"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn}\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn} || ldap:///cn=admin-user,${mgmt_domain_rootdn}\");)"
echo ""
echo "dn: associateddomain=kanarip.nl,ou=Domains,${mgmt_domain_rootdn}"
@@ -36,21 +36,23 @@ export hosted_domain_rootdn="ou=kanarip.com,${rootdn}"
echo "objectclass: inetdomain"
echo "inetdomainstatus: active"
echo "inetdomainbasedn: ${hosted_domain_rootdn}"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn}\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn} || ldap:///cn=admin-user,${mgmt_domain_rootdn}\");)"
echo ""
) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
(
-
- echo "dn: ou=${hosted_domain},${rootdn}"
+ echo "dn: ${hosted_domain_rootdn}"
echo "ou: ${hosted_domain}"
echo "objectClass: top"
echo "objectClass: organizationalunit"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
- echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn}\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn} || ldap:///cn=admin-user,${mgmt_domain_rootdn}\");)"
+ echo "aci: (target = \"ldap:///ou=*,${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain sub-OU Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${mgmt_domain_rootdn}\");)"
+ echo "aci: (target = \"ldap:///uid=*,ou=People,${hosted_domain_rootdn}\")(targetattr=\"*\") (version 3.0;acl \"Allow Domain First User Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${mgmt_domain_rootdn}\");)"
+ echo "aci: (target = \"ldap:///cn=*,${hosted_domain_rootdn}\")(targetattr=\"objectclass || cn\") (version 3.0;acl \"Allow Domain Role Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${mgmt_domain_rootdn}\");)"
echo ""
echo "dn: cn=admin-user,${hosted_domain_rootdn}"
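Review bot: `Allow Domain First User Registration` lets `uid=hosted-kolab-service` add `uid=*` entries under `ou=People` with `targetattr="*"`, which includes `nsroledn`; since `hosted_domain_rootdn` is `ou=kanarip.com,${rootdn}` (per the hunk header) a managed role defined at `${rootdn}` such as `cn=admin-user,${mgmt_domain_rootdn}` scopes over this subtree, and the `Kolab Administrators` rule on the preceding line now grants `(all)` to that role. A compromised or buggy registration flow could therefore create a first user carrying `nsroledn: cn=admin-user,${mgmt_domain_rootdn}` and obtain management-level rights across the tree. Consider excluding `nsroledn` from that rule, or — since the later `kanarip@kanarip.com` entry legitimately receives the domain-local `cn=admin-user,${hosted_domain_rootdn}` — constrain the permitted values with a `targattrfilters` clause limited to `cn=*,${hosted_domain_rootdn}`; I have not verified the exact 389 DS syntax for that.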
@@ -128,22 +130,40 @@ export hosted_domain_rootdn="ou=kanarip.com,${rootdn}"
echo "objectClass: kolabinetorgperson"
echo "objectClass: mailrecipient"
echo "objectClass: organizationalperson"
+ echo "objectClass: country"
echo "objectClass: person"
echo "givenName: Jeroen"
- echo "mailQuota: 1048576"
- echo "preferredLanguage: en_US"
+ echo "mailQuota: 2097152"
echo "sn: van Meeuwen"
echo "cn: Jeroen van Meeuwen"
- echo "displayName: van Meeuwen, Jeroen"
echo "mail: kanarip@kanarip.com"
echo "uid: kanarip@kanarip.com"
echo "mailHost: localhost"
- echo "userPassword: 456789"
+ echo "mailalternateaddress: vanmeeuwen@kolabsys.com"
+ echo "telephonenumber: +41438178006"
+ echo "mobile: +41799519003"
+ echo "street: Schulhausstrasse 47"
+ echo "postalcode: 8703"
+ echo "l: Erlenbach"
+ echo "c: CH"
+ echo "userPassword: ${default_user_password}"
echo "nsroledn: cn=activesync-user,${hosted_domain_rootdn}"
echo "nsroledn: cn=admin-user,${hosted_domain_rootdn}"
echo "nsroledn: cn=kolab-user,${hosted_domain_rootdn}"
echo ""
+) | ldapadd -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${mgmt_domain_rootdn}" -w Welcome2KolabSystems -c
+(
+ echo "dn: ${hosted_domain_rootdn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
+ echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn} || ldap:///cn=admin-user,${mgmt_domain_rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${mgmt_domain_rootdn}" -w Welcome2KolabSystems -c
+
+(
echo "dn: uid=lydia@kanarip.com,ou=People,${hosted_domain_rootdn}"
echo "objectClass: top"
echo "objectClass: inetorgperson"
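Review bot: Both new `ldapadd`/`ldapmodify` calls bind as `uid=hosted-kolab-service,...` with the literal `-w Welcome2KolabSystems`, while `12-add-sixpack-at-kolabnow.com.sh` binds the same account with `-w "${hosted_kolab_service_pw}"` from `settings.sh`, and the same literal is the Directory Manager password given to `setup-kolab` in `00-oops-i-did-it-again.sh`; a service account that can write ACIs sharing the directory manager's hard-coded secret undoes the separation these ACIs are building. Use `-w "${hosted_kolab_service_pw}"` (or `-y` with a password file) in both places. The entry also now carries what appear to be a real phone number and street address; synthetic fixture values are safer in a public repository. The `( … )` group for the first entry starts outside this hunk.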
@@ -152,15 +172,13 @@ export hosted_domain_rootdn="ou=kanarip.com,${rootdn}"
echo "objectClass: organizationalperson"
echo "objectClass: person"
echo "givenName: Lydia"
- echo "mailQuota: 1048576"
- echo "preferredLanguage: en_US"
+ echo "mailQuota: 2097152"
echo "sn: van Meeuwen"
echo "cn: Lydia van Meeuwen"
- echo "displayName: van Meeuwen, Lydia"
echo "mail: lydia@kanarip.nl"
echo "uid: lydia@kanarip.com"
echo "mailHost: localhost"
- echo "userPassword: 456789"
+ echo "userPassword: ${default_user_password}"
echo "nsroledn: cn=activesync-user,${hosted_domain_rootdn}"
echo "nsroledn: cn=kolab-user,${hosted_domain_rootdn}"
echo ""
@@ -173,17 +191,45 @@ export hosted_domain_rootdn="ou=kanarip.com,${rootdn}"
echo "objectClass: organizationalperson"
echo "objectClass: person"
echo "givenName: Annabelle"
- echo "mailQuota: 1048576"
- echo "preferredLanguage: en_US"
+ echo "mailQuota: 2097152"
echo "sn: van Meeuwen"
echo "cn: Annabelle van Meeuwen"
- echo "displayName: van Meeuwen, Annabelle"
echo "mail: annabelle@kanarip.ch"
echo "uid: annabelle@kanarip.com"
echo "mailHost: localhost"
- echo "userPassword: 456789"
+ echo "userPassword: ${default_user_password}"
echo "nsroledn: cn=activesync-user,${hosted_domain_rootdn}"
echo "nsroledn: cn=kolab-user,${hosted_domain_rootdn}"
echo ""
+) | ldapadd -x -h ${ldap_host} -D "uid=kanarip@kanarip.com,ou=People,${hosted_domain_rootdn}" -w "${default_user_password}" -c
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=kanarip@kanarip.com,ou=People,${hosted_domain_rootdn}" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(&(objectclass=domainrelatedobject)(associateddomain=${hosted_domain}))" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne 1 ]; then
+ echo "ERROR: Expected 1 domain, got ${num_domains} domains"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=kanarip@kanarip.com,ou=People,${hosted_domain_rootdn}" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(objectclass=domainrelatedobject)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne 3 ]; then
+ echo "ERROR: Expected 3 domains, got ${num_domains} domain(s)"
+fi
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
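Review bot: The two new `ldapsearch` consistency checks only `echo "ERROR: …"` and the script still exits 0, so the driver `00-oops-i-did-it-again.sh`, which runs these scripts in sequence without `set -e`, cannot tell that the ACI verification failed; add `exit 1` inside each `if`. They also hard-code `-h localhost` where every other call in the file uses `${ldap_host}`, so the checks may silently query a different server than the one just populated. Binding the user adds and the checks as `kanarip@kanarip.com` instead of `${ldap_binddn}` is a genuine exercise of the domain-admin ACIs, which is good — but for the same reason the result has to be able to fail the run.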
diff --git a/hosted-kolab/08-add-doe-at-mgmt-domain-admin.sh b/hosted-kolab/08-add-doe-at-mgmt-domain-admin.sh
deleted file mode 100755
index 6ccaee9..0000000
--- a/hosted-kolab/08-add-doe-at-mgmt-domain-admin.sh
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-(
- echo "dn: uid=doe@${domain},ou=People,${rootdn}"
- echo "objectClass: top"
- echo "objectClass: inetorgperson"
- echo "objectClass: kolabinetorgperson"
- echo "objectClass: mailrecipient"
- echo "objectClass: organizationalperson"
- echo "objectClass: person"
- echo "givenName: John"
- echo "mailQuota: 1048576"
- echo "preferredLanguage: en_US"
- echo "sn: Doe"
- echo "cn: John Doe"
- echo "displayName: Doe, John"
- echo "mail: doe@${domain}"
- echo "uid: doe@${domain}"
- echo "mailHost: localhost"
- echo "nsroledn: cn=kolab-admin,${rootdn}"
- echo "userPassword: ${default_user_password}"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/hosted-kolab/09-add-doe-at-mgmt-domain-admin.sh b/hosted-kolab/09-add-doe-at-mgmt-domain-admin.sh
new file mode 100755
index 0000000..298d776
--- /dev/null
+++ b/hosted-kolab/09-add-doe-at-mgmt-domain-admin.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+. ./settings.sh
+
+(
+ echo "dn: uid=doe@${domain},ou=People,${rootdn}"
+ echo "objectClass: top"
+ echo "objectClass: inetorgperson"
+ echo "objectClass: kolabinetorgperson"
+ echo "objectClass: organizationalperson"
+ echo "objectClass: person"
+ echo "givenName: John"
+ echo "sn: Doe"
+ echo "cn: John Doe"
+ echo "mail: doe@${domain}"
+ echo "uid: doe@${domain}"
+ echo "nsroledn: cn=admin-user,${rootdn}"
+ echo "userPassword: ${default_user_password}"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=doe@${domain},ou=People,${rootdn}" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(&(objectclass=domainrelatedobject)(associateddomain=${domain}))" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne 1 ]; then
+ echo "ERROR: Expected 1 domain, got ${num_domains} domains"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=doe@${domain},ou=People,${rootdn}" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL '(objectclass=domainrelatedobject)' dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -lt 3 ]; then
+ echo "ERROR: Expected more than 3 domains, got ${num_domains} domain(s)"
+fi
+
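Review bot: The second check tests `[ ${num_domains} -lt 3 ]` but its message says "Expected more than 3 domains", so exactly 3 passes silently while the text claims 3 would be an error; either use `-le 3` if more than three is required, or reword to "Expected at least 3". As in `08-add-customer-domain.sh`, both checks only print and never `exit 1`, so a failed ACI verification does not fail the script or the driver that calls it. The searches also hard-code `-h localhost` while the `ldapadd` above uses `${ldap_host}`.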
diff --git a/hosted-kolab/09-add-doe-at-kolabnow.com.sh b/hosted-kolab/10-add-doe-at-kolabnow.com.sh
index a057d7f..0b29dc6 100755
--- a/hosted-kolab/09-add-doe-at-kolabnow.com.sh
+++ b/hosted-kolab/10-add-doe-at-kolabnow.com.sh
@@ -8,17 +8,19 @@
echo "objectClass: inetorgperson"
echo "objectClass: kolabinetorgperson"
echo "objectClass: mailrecipient"
+ echo "objectClass: country"
echo "objectClass: organizationalperson"
echo "objectClass: person"
echo "givenName: Jane"
- echo "mailQuota: 1048576"
- echo "preferredLanguage: en_US"
+ echo "mailQuota: 2097152"
+ echo "c: CH"
echo "sn: Doe"
echo "cn: Jane Doe"
- echo "displayName: Doe, Jane"
echo "mail: doe@kolabnow.com"
echo "uid: doe@kolabnow.com"
echo "mailHost: localhost"
+ echo "nsroledn: cn=active-user,${hosted_domain_rootdn}"
+ echo "nsroledn: cn=kolab-user,dc=mykolab,dc=com"
echo "userPassword: ${default_user_password}"
echo ""
) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
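Review bot: The two added `nsroledn` values mix a variable (`cn=active-user,${hosted_domain_rootdn}`) with a hard-coded suffix (`cn=kolab-user,dc=mykolab,dc=com`); `07-add-self-reg-hosted-domain.sh` creates both roles under `${hosted_domain_rootdn}`, so if that variable is not `dc=mykolab,dc=com` in `settings.sh` this user references a role that does not exist and silently gets no kolab-user rights. `echo "nsroledn: cn=kolab-user,${hosted_domain_rootdn}"` keeps it consistent. Adding `objectClass: country` to a person entry just to carry `c: CH` is unusual; confirm the server's schema checking accepts a second structural class here rather than relying on it being lax.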
diff --git a/hosted-kolab/10-add-doe-at-mykolab.com.sh b/hosted-kolab/11-add-doe-at-mykolab.com.sh
index ae03fc6..9f3cf25 100755
--- a/hosted-kolab/10-add-doe-at-mykolab.com.sh
+++ b/hosted-kolab/11-add-doe-at-mykolab.com.sh
@@ -10,15 +10,18 @@
echo "objectClass: mailrecipient"
echo "objectClass: organizationalperson"
echo "objectClass: person"
+ echo "objectClass: country"
+ echo "c: CH"
echo "givenName: Jane"
- echo "mailQuota: 1048576"
- echo "preferredLanguage: en_US"
+ echo "mailQuota: 2097152"
echo "sn: Doe"
echo "cn: Jane Doe"
- echo "displayName: Doe, Jane"
echo "mail: doe@mykolab.com"
echo "uid: doe@mykolab.com"
echo "mailHost: localhost"
+ echo "nsroledn: cn=active-user,${hosted_domain_rootdn}"
+ echo "nsroledn: cn=activesync-user,dc=mykolab,dc=com"
+ echo "nsroledn: cn=kolab-user,dc=mykolab,dc=com"
echo "userPassword: ${default_user_password}"
echo ""
) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/hosted-kolab/11-add-sixpack-at-kolabnow.com.sh b/hosted-kolab/12-add-sixpack-at-kolabnow.com.sh
index aae9225..4c799e6 100755
--- a/hosted-kolab/11-add-sixpack-at-kolabnow.com.sh
+++ b/hosted-kolab/12-add-sixpack-at-kolabnow.com.sh
@@ -10,15 +10,18 @@
echo "objectClass: mailrecipient"
echo "objectClass: organizationalperson"
echo "objectClass: person"
+ echo "objectClass: country"
+ echo "c: CH"
echo "givenName: Joe"
- echo "mailQuota: 1048576"
- echo "preferredLanguage: en_US"
+ echo "mailQuota: 2097152"
echo "sn: Sixpack"
echo "cn: Joe Sixpack"
- echo "displayName: Sixpack, Joe"
echo "mail: sixpack@kolabnow.com"
echo "uid: sixpack@kolabnow.com"
echo "mailHost: localhost"
- echo "userPassword: 741852"
+ echo "nsroledn: cn=active-user,${hosted_domain_rootdn}"
+ echo "nsroledn: cn=imap-user,dc=mykolab,dc=com"
+ echo "userPassword: ${default_user_password}"
echo ""
) | ldapadd -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${rootdn}" -w "${hosted_kolab_service_pw}"
+
diff --git a/hosted-kolab/15-adjust-configuration.sh b/hosted-kolab/15-adjust-configuration.sh
new file mode 100755
index 0000000..48c3821
--- /dev/null
+++ b/hosted-kolab/15-adjust-configuration.sh
@@ -0,0 +1,99 @@
+#!/bin/bash
+
+. ./settings.sh
+
+rm -rf /etc/kolab/kolab.conf.orig
+cp /etc/kolab/kolab.conf /etc/kolab/kolab.conf.orig
+
+sed -r -i \
+ -e "s/^domain_base_dn.*$/domain_base_dn = ${domain_base_dn}/g" \
+ -e 's/^primary_mail.*/primary_mail = %(uid)s@%(domain)s/g' \
+ -e '/^secondary_mail/,+10d' \
+ -e '/^primary_mail/ a\
+daemon_rcpt_policy = False' \
+ -e '/kolab_wap/ a\
+login_filter = (uid=%U@%d)\
+devel_mode = 1\
+debug_mode = trace' \
+ -e 's/^auth_attributes.*$/auth_attributes = uid/g' \
+ -e 's/^result_attribute.*$/result_attribute = uid/g' \
+ -e 's/^domain_filter.*$/domain_filter = (\&(objectclass=domainrelatedobject)(associateddomain=*))/g' \
+ -e 's/^user_filter.*$/user_filter = (|(\&(uid=cyrus-admin)(!(objectclass=kolabinetorgperson)))(objectclass=kolabinetorgperson))/g' \
+ /etc/kolab/kolab.conf
+
+if [ -z "$(grep ^auth_mechanism /etc/kolab/kolab.conf)" ]; then
+ echo "WARNING: No more auth_mechanism setting?"
+ sed -i -e '/\[kolab\]/ a\
+auth_mechanism = ldap' \
+ /etc/kolab/kolab.conf
+fi
+
+sed -r -i \
+ -e 's/^ldap_filter:.*$/ldap_filter: (|(\&(uid=cyrus-admin)(uid=%u)(objectclass=inetorgperson)(!(objectclass=kolabinetorgperson)))(\&(uid=%u)(objectclass=kolabinetorgperson)))/g' \
+ -e 's/^ldap_base:.*$/ldap_base: dc=example,dc=org/g' \
+ -e 's/^ldap_user_attribute:.*$/ldap_user_attribute: uid/g' \
+ -e 's/^ldap_group_base:.*%$/ldap_group_base: dc=example,dc=org/g' \
+ -e 's/^ldap_group_filter:.*$/ldap_group_filter: (\&(objectclass=kolabgroupofuniquenames)(mail=%u))/g' \
+ -e 's/^ldap_member_base:.*$/ldap_member_base: dc=mykolab,dc=com/g' \
+ -e 's/^ldap_member_method:.*$/ldap_member_method: filter/g' \
+ -e 's/^ldap_member_filter:.*$/ldap_member_filter: (uniquemember=%D)/g' \
+ -e 's/^ldap_member_attribute:.*$/ldap_member_attribute: mail/g' \
+ -e '/^ldap_domain_base_dn/d' \
+ -e '/^debug:/d' \
+ -e '/^auditlog:/d' \
+ -e '/^chatty:/d' \
+ -e '/^ldap_member_attribute:.*$/ a\
+ldap_domain_base_dn: ou=Domains,dc=example,dc=org' \
+ /etc/imapd.conf
+
+echo "debug: 1" >> /etc/imapd.conf
+echo "auditlog: 1" >> /etc/imapd.conf
+echo "chatty: 1" >> /etc/imapd.conf
+
+service cyrus-imapd restart
+
+service kolabd restart
+service kolab-saslauthd restart
+
+if [ ! -d "/usr/share/kolab-hkccp/" ]; then
+ git clone ssh://git@git.kolab.org/diffusion/H/hkccp.git /usr/share/kolab-hkccp/
+ mkdir -p /usr/share/kolab-hkccp/temp/session
+ chown apache:apache /usr/share/kolab-hkccp/temp/session
+fi
+
+rm -rf /usr/share/kolab-hkccp/config/config.ini
+cp /usr/share/kolab-hkccp/config/config.ini.kolab /usr/share/kolab-hkccp/config/config.ini
+
+pushd /usr/share/kolab-hkccp/
+uri=$(grep ^cache_uri /etc/kolab/kolab.conf | awk '{print $3}')
+service_auth_pw=$(grep ^service_bind_pw /etc/kolab/kolab.conf | awk '{print $3}')
+
+sed -r -i \
+ -e "s|^dsn =.*$|dsn = $uri|g" \
+ -e "s|^dsnr =.*$|dsnr = $uri|g" \
+ -e "s|^service_auth_pw =.*$|service_auth_pw = $service_auth_pw|g" \
+ -e '/^root_dn = / a\
+mgmt_root_dn = "dc=example,dc=org"\
+hosted_root_dn = "dc=mykolab,dc=com"' \
+ config/config.ini
+
+password=$(grep ^cache_uri /etc/kolab/kolab.conf | awk '{print $3}' | cut -d':' -f3 | cut -d'@' -f1)
+mysql -u kolab --password="${password}" kolab < SQL/mysql.sql
+popd
+
+pushd /usr/share/kolab-webadmin/
+php sample-insert-hosted-user_types.php
+popd
+
+pushd /usr/share/kolab-hkccp
+
+mkdir -p temp/session/
+chown apache temp/session/
+
+#php bin/backend.php adduser doe@example.org --tenant 1 --verbose
+#php bin/backend.php adduser kanarip@kanarip.com --tenant 1 --verbose
+#php bin/backend.php adduser doe@kolabnow.com --tenant 1 --verbose
+#php bin/backend.php adduser sixpack@kolabnow.com --tenant 1 --verbose
+#php bin/backend.php adduser doe@mykolab.com --tenant 1 --verbose
+popd
+
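Review bot: The last sed in the new 15-adjust-configuration.sh splices `$uri` and `$service_auth_pw` — the cache DSN with the MariaDB password embedded and the LDAP service bind password — straight into an `s|…|…|` replacement, so any `|`, `&` or `\` in either secret breaks the expression or substitutes the matched text in place of the password, and the later `cut -d':' -f3 | cut -d'@' -f1` parse of the same DSN returns the wrong fragment if the password contains `:` or `@`. The `mysql --password="${password}"` call additionally exposes that password on the command line to every local user through `ps`. Escaping the replacement text and passing the password via `MYSQL_PWD` preserves the current behaviour for well-formed secrets without those failure modes. The unpinned `git clone` of hkccp into /usr/share then runs whatever that branch's `SQL/mysql.sql` currently holds against the kolab database; pinning a commit is worth considering if this script is reused outside a throwaway dev box.
```shell
# … unchanged: kolab.conf / imapd.conf edits, service restarts, hkccp clone …

pushd /usr/share/kolab-hkccp/
uri=$(grep ^cache_uri /etc/kolab/kolab.conf | awk '{print $3}')
service_auth_pw=$(grep ^service_bind_pw /etc/kolab/kolab.conf | awk '{print $3}')

# Escape sed replacement metacharacters so a secret containing '|', '&' or '\'
# cannot terminate or alter the s||| expression below.
sed_escape() { printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'; }

sed -r -i \
  -e "s|^dsn =.*$|dsn = $(sed_escape "${uri}")|g" \
  -e "s|^dsnr =.*$|dsnr = $(sed_escape "${uri}")|g" \
  -e "s|^service_auth_pw =.*$|service_auth_pw = $(sed_escape "${service_auth_pw}")|g" \
  -e '/^root_dn = / a\
mgmt_root_dn = "dc=example,dc=org"\
hosted_root_dn = "dc=mykolab,dc=com"' \
  config/config.ini

# Keep the DB password out of argv; this parse still assumes no ':' or '@' in it.
password=$(grep ^cache_uri /etc/kolab/kolab.conf | awk '{print $3}' | cut -d':' -f3 | cut -d'@' -f1)
MYSQL_PWD="${password}" mysql -u kolab kolab < SQL/mysql.sql
popd
```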
diff --git a/hosted-kolab/15-adjust-kolab.conf.sh b/hosted-kolab/15-adjust-kolab.conf.sh
deleted file mode 100755
index 2f902de..0000000
--- a/hosted-kolab/15-adjust-kolab.conf.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-sed -r -i \
- -e "s/^domain_base_dn.*$/domain_base_dn = ${domain_base_dn}/g" \
- -e 's/^primary_mail.*/primary_mail = %(uid)s@%(domain)s/g' \
- -e '/secondary_mail/,+11d' \
- -e '/^primary_mail/ a\
-daemon_rcpt_policy = False' \
- -e 's/^auth_attributes.*$/auth_attributes = mail, uid/g' \
- /etc/kolab/kolab.conf.default
-
-service kolabd restart
-service kolab-saslauthd restart
-
diff --git a/hosted-kolab/19-test-aci.sh b/hosted-kolab/19-test-aci.sh
index 47354dc..b6d3fb3 100755
--- a/hosted-kolab/19-test-aci.sh
+++ b/hosted-kolab/19-test-aci.sh
@@ -2,11 +2,149 @@
. ./settings.sh
-echo "== doe@kolabsys.net =="
-ldapsearch -x -h ${ldap_host} -D "uid=doe@kolabsys.net,ou=People,dc=kolabsys,dc=net" -w "123456" -b ${rootdn} -LLL
-echo "== doe@kolabnow.com =="
-ldapsearch -x -h ${ldap_host} -D "uid=doe@kolabnow.com,ou=People,dc=kolabnow,dc=com" -w "456789" -b ${hosted_domain_rootdn} -LLL
-echo "== sixpack@kolabnow.com =="
-ldapsearch -x -h ${ldap_host} -D "uid=sixpack@kolabnow.com,ou=People,dc=kolabnow,dc=com" -w "741852" -b ${hosted_domain_rootdn} -LLL
-echo "== kanarip@kanarip.com =="
-ldapsearch -x -h ${ldap_host} -D "uid=kanarip@kanarip.com,ou=People,ou=kanarip.com,dc=kolabnow,dc=com" -w "456789" -b ${hosted_domain_rootdn} -LLL
+max_domains=$(
+ ldapsearch -x -h localhost \
+ -D "${ldap_binddn}" \
+ -w "${ldap_bindpw}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(objectclass=domainrelatedobject)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=doe@${domain},ou=People,${rootdn}" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(&(objectclass=domainrelatedobject)(associateddomain=${domain}))" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne 1 ]; then
+ echo "ERROR: Expected 1 domain, got ${num_domains} domains"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=doe@${domain},ou=People,${rootdn}" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL '(objectclass=domainrelatedobject)' dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -lt 3 ]; then
+ echo "ERROR: Expected more than 3 domains, got ${num_domains} domain(s)"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=kolab-service,ou=Special Users,${rootdn}" \
+ -w "$(grep ^service_bind_pw /etc/kolab/kolab.conf | awk '{print $3}')" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(objectclass=domainrelatedobject)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne ${max_domains} ]; then
+ echo "ERROR: Expected ${max_domains} domains, got ${num_domains} domain(s)"
+fi
+
+num_users=$(
+ ldapsearch -x -h localhost \
+ -D "uid=kolab-service,ou=Special Users,${rootdn}" \
+ -w "$(grep ^service_bind_pw /etc/kolab/kolab.conf | awk '{print $3}')" \
+ -b "${hosted_domain_rootdn}" \
+ -s sub \
+ -LLL "(objectclass=kolabinetorgperson)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_users} -lt 6 ]; then
+ echo "ERROR: Expected 6 or more users, got ${num_users} user(s)"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=kanarip@kanarip.com,ou=People,ou=kanarip.com,dc=mykolab,dc=com" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(&(objectclass=domainrelatedobject)(associateddomain=kanarip.com))" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne 1 ]; then
+ echo "ERROR: Expected 1 domain, got ${num_domains} domains"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=kanarip@kanarip.com,ou=People,ou=kanarip.com,dc=mykolab,dc=com" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(objectclass=domainrelatedobject)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne 3 ]; then
+ echo "ERROR: Expected 3 domains, got ${num_domains} domain(s)"
+fi
+
+num_entries=$(
+ ldapsearch -x -h localhost \
+ -D "uid=doe@mykolab.com,ou=People,dc=mykolab,dc=com" \
+ -w "${default_user_password}" \
+ -b "${hosted_domain_rootdn}" \
+ -s sub \
+ -LLL "(objectclass=*)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_entries} -ne 1 ]; then
+ echo "ERROR: Expected one entry on foreign domain search but got ${num_entries}"
+fi
+
+num_entries=$(
+ ldapsearch -x -h localhost \
+ -D "uid=kanarip@kanarip.com,ou=People,ou=kanarip.com,dc=mykolab,dc=com" \
+ -w "${default_user_password}" \
+ -b "${hosted_domain_rootdn}" \
+ -s sub \
+ -LLL "(objectclass=*)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_entries} -ne 8 ]; then
+ echo "ERROR: Expected some 8 entries on foreign domain hierarchy search but got ${num_entries}"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=hosted-kolab-service,ou=Special Users,dc=example,dc=org" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(objectclass=domainrelatedobject)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne 4 ]; then
+ echo "ERROR: Expected 3 domains, got ${num_domains} domain(s)"
+fi
+
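Review bot: Every check in the rewritten 19-test-aci.sh only echoes an ERROR line and the script still exits 0 whatever happened, so an ACI regression — a hosted user suddenly seeing other tenants' domains, for instance — is invisible to anything that runs this non-interactively. `rc=0` after sourcing settings.sh, `rc=1` inside each error branch and `exit "${rc}"` as the last line would make it a real test. Two messages also disagree with their conditions: the `-lt 3` branch prints "Expected more than 3 domains" and the final `-ne 4` branch prints "Expected 3 domains", so the numbers in the text should match the comparison. The last block binds hosted-kolab-service with `${default_user_password}` whereas 12-add-sixpack-at-kolabnow.com.sh binds the same account with `${hosted_kolab_service_pw}`; if those differ, that check fails for the wrong reason. Each `-w "$(grep ^service_bind_pw …)"` argument additionally exposes the service bind password in `ps`; `-y` with a password file avoids that.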
diff --git a/hosted-kolab/99-remove-users.sh b/hosted-kolab/99-remove-users.sh
index 9924a2f..d6e39fc 100755
--- a/hosted-kolab/99-remove-users.sh
+++ b/hosted-kolab/99-remove-users.sh
@@ -3,5 +3,5 @@
. ./settings.sh
(
- ldapsearch -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -b ${rootdn} "(objectclass=kolabinetorgperson)" dn | grep ^dn | sed -e 's/dn: //g'
+ ldapsearch -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -b ${hosted_domain_rootdn} "(mailalternateaddress=*)" dn | grep ^dn | sed -e 's/dn: //g'
) | ldapdelete -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
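Review bot: The search feeding ldapdelete now matches `(mailalternateaddress=*)` under `${hosted_domain_rootdn}`, which selects any entry carrying that attribute rather than only users as the script name suggests, and the unquoted `-b ${hosted_domain_rootdn}` means an unset variable shifts the filter string into the `-b` slot. Because the output goes straight into a delete, I would fail early with `: "${hosted_domain_rootdn:?}"` after sourcing settings.sh, quote the base as `-b "${hosted_domain_rootdn}"`, and — if only users are meant — narrow the filter to `"(&(objectclass=kolabinetorgperson)(mailalternateaddress=*))"`. Whether non-user entries with mailalternateaddress actually exist under that base I cannot tell from here.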
diff --git a/hosted-kolab/replace-aci b/hosted-kolab/replace-aci
new file mode 100755
index 0000000..8d21d3b
--- /dev/null
+++ b/hosted-kolab/replace-aci
@@ -0,0 +1,170 @@
+#!/bin/bash
+
+. ./settings.sh
+
+(
+ echo "dn: ${domain_base_dn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (target = \"ldap:///associateddomain=*,${domain_base_dn}\")(targetattr=\"objectclass || aci || inetdomainstatus || inetdomainbasedn || associateddomain\") (version 3.0;acl \"Allow Domain Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: ${hosted_domain_rootdn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-$(hostname -s),cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Kolab Administrators\";allow (all) (roledn=\"ldap:///cn=admin-user,${rootdn}\");)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Search Access\";allow (compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr != \"userPassword\")(version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${domain_rootdn}\");)"
+ echo "aci: (target = \"ldap:///ou=*,${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain OU Registration\"; allow (add,write)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: associateddomain=self-reg.tld,${domain_base_dn}"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=self-reg.tld,${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "inetDomainStatus: active"
+ echo "objectClass: top"
+ echo "objectClass: domainrelatedobject"
+ echo "objectClass: inetdomain"
+ echo "associatedDomain: self-reg.tld"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${rootdn}" -w Welcome2KolabSystems
+
+export hosted_domain="self-reg.tld"
+
+(
+ echo "dn: ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
+ echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn} || ldap:///cn=admin-user,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///ou=*,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain sub-OU Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///uid=*,ou=People,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"*\") (version 3.0;acl \"Allow Domain First User Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///cn=*,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"objectclass || cn\") (version 3.0;acl \"Allow Domain Role Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: ${hosted_domain}"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
+ echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn} || ldap:///cn=admin-user,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///ou=*,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain sub-OU Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///uid=*,ou=People,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"*\") (version 3.0;acl \"Allow Domain First User Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///cn=*,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"objectclass || cn\") (version 3.0;acl \"Allow Domain Role Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+
+ echo "dn: cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: admin-user"
+ echo ""
+
+ echo "dn: cn=activesync-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: activesync-user"
+ echo ""
+
+ echo "dn: cn=imap-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: imap-user"
+ echo ""
+
+ echo "dn: cn=kolab-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: kolab-user"
+ echo ""
+
+ echo "dn: cn=xmpp-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: xmpp-user"
+ echo ""
+
+ echo "dn: ou=Groups,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: Groups"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=People,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: People"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=Resources,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: Resources"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=Shared Folders,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: Shared Folders"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: uid=kanarip@self-reg.tld,ou=People,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectClass: top"
+ echo "objectClass: inetorgperson"
+ echo "objectClass: kolabinetorgperson"
+ echo "objectClass: mailrecipient"
+ echo "objectClass: organizationalperson"
+ echo "objectClass: country"
+ echo "objectClass: person"
+ echo "givenName: Jeroen"
+ echo "mailQuota: 1048576"
+ echo "preferredLanguage: en_US"
+ echo "sn: van Meeuwen"
+ echo "cn: Jeroen van Meeuwen"
+ echo "displayName: van Meeuwen, Jeroen"
+ echo "mail: kanarip@self-reg.tld"
+ echo "uid: kanarip@self-reg.tld"
+ echo "mailHost: localhost"
+ echo "c: CH"
+ echo "userPassword: ${default_user_password}"
+ echo "nsroledn: cn=activesync-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "nsroledn: cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "nsroledn: cn=kolab-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${rootdn}" -w Welcome2KolabSystems -c
+
+(
+ echo "dn: ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
+ echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn} || ldap:///cn=admin-user,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${rootdn}" -w Welcome2KolabSystems -c
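Review bot: replace-aci binds the hosted-kolab-service account three times with the literal password `Welcome2KolabSystems` (both ldapadd calls and the final ldapmodify), while 12-add-sixpack-at-kolabnow.com.sh reads the same credential from `${hosted_kolab_service_pw}`; committing the literal puts the service password in the repository and diverges from settings.sh, so `-w "${hosted_kolab_service_pw}"` should be used on all three. The "Search Access" ACI on `${hosted_domain_rootdn}` grants `compare,search` on `targetattr = "*"` to every entry under the hosted root and — unlike the "Service Search Access" line right below it and the per-domain "Search Access" ACIs in this same file — does not exclude userPassword; `(targetattr != "userPassword")` there would keep password hashes out of the compare/search surface any authenticated hosted user has on entries not covered by a domain-level deny. The "Service Search Access" ACI also builds its userdn from `${domain_rootdn}` where every other line uses `${rootdn}` or `${mgmt_domain_rootdn}`; if settings.sh does not define domain_rootdn, the resulting `uid=kolab-service,ou=Special Users,` DN is malformed and I would expect the whole `replace: aci` for that entry to be rejected along with it.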