author | Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> | 2015-08-15 06:23:07 (GMT) |
---|---|---|
committer | Jeroen van Meeuwen (Kolab Systems) <vanmeeuwen@kolabsys.com> | 2015-08-15 06:23:07 (GMT) |
commit | e4e1623b078f91076817e6ad897430e2c810ae9d (patch) | |
tree | 100f1018c01221ccd02af8880b5d904fe4022a02 | |
parent | 35441cef3d3254a72168935b8ce66420ff72b56f (diff) | |
Replace hosted-kolab scripts with the versions for ticket 4459dev/4459
18 files changed, 661 insertions, 101 deletions
diff --git a/hosted-kolab/00-oops-i-did-it-again.sh b/hosted-kolab/00-oops-i-did-it-again.sh
new file mode 100755
index 0000000..c2f06d9
--- /dev/null
+++ b/hosted-kolab/00-oops-i-did-it-again.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+../cleanup-and-start-over.sh
+
+../utils/disable-7-bit-plugin.sh
+../utils/enable-audit-log.sh
+#../utils/disable-access-log.sh
+
+rm -rf /var/lib/imap/log/*
+#for user in cyrus-admin doe@example.org doe@kolabnow.com sixpack@kolabnow.com doe@mykolab.com annabelle@kanarip.com kanarip@kanarip.com lydia@kanarip.com; do
+# mkdir -p /var/lib/imap/log/${user}
+#done
+#chown -R cyrus:mail /var/lib/imap/log/
+
+#yum-builddep -y cyrus-imapd pykolab
+
+setup-kolab --default --mysqlserver=new --timezone=Europe/Zurich --directory-manager-pwd=Welcome2KolabSystems
+
+./01-add-hosted-kolab-service-account.sh
+./02-replace-roles.sh
+./04-add-ou-Domains.sh
+./05-add-management-domain.sh
+./06-remove-cn-equals-kolab.sh
+./07-add-self-reg-hosted-domain.sh
+#./08-add-customer-domain.sh
+#./09-add-doe-at-mgmt-domain-admin.sh
+#./10-add-doe-at-kolabnow.com.sh
+#./11-add-doe-at-mykolab.com.sh
+#./12-add-sixpack-at-kolabnow.com.sh
+./15-adjust-configuration.sh
+
diff --git a/hosted-kolab/02-add-ou-Domains.sh b/hosted-kolab/02-add-ou-Domains.sh
deleted file mode 100755
index 400002d..0000000
--- a/hosted-kolab/02-add-ou-Domains.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
- . ./settings.sh
-(
- echo "dn: ou=Domains,${rootdn}"
- echo "ou: Domains"
- echo "objectClass: top"
- echo "objectClass: organizationalunit"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/hosted-kolab/02-replace-roles.sh b/hosted-kolab/02-replace-roles.sh
new file mode 100755
index 0000000..3e2d260
--- /dev/null
+++ b/hosted-kolab/02-replace-roles.sh
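Review bot: The directory manager password is passed as `--directory-manager-pwd=Welcome2KolabSystems` on the setup-kolab command line, so it is committed in clear and visible to every local user in the process list while setup runs; the same literal reappears in 08-add-customer-domain.sh, while settings.sh already carries service credentials (`${hosted_kolab_service_pw}` in 12-add-sixpack-at-kolabnow.com.sh), so it belongs there as a sourced variable. The script also runs `rm -rf /var/lib/imap/log/*` and a dozen child scripts with no `set -e`, so a failing step is silently followed by the next one; `set -euo pipefail` at the top would stop the chain at the first failure. The child scripts are invoked by relative path, so this only works when started from hosted-kolab/; `cd "$(dirname "$0")"` before the calls makes that explicit.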
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+ . ./settings.sh
+
+(
+ echo "cn=kolab-admin,${rootdn}"
+) | ldapdelete -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+(
+ echo "dn: cn=admin-user,${rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: admin-user"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/hosted-kolab/04-add-ou-Domains.sh b/hosted-kolab/04-add-ou-Domains.sh
new file mode 100755
index 0000000..8415711
--- /dev/null
+++ b/hosted-kolab/04-add-ou-Domains.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+ . ./settings.sh
+(
+ echo "dn: ou=Domains,${rootdn}"
+ echo "ou: Domains"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo "aci: (target = \"ldap:///${domain_base_dn}\")(targetattr=\"objectclass || aci || inetdomainstatus || inetdomainbasedn || associateddomain\") (version 3.0;acl \"Allow Domain Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (targetattr=\"objectclass || aci || inetdomainstatus || inetdomainbasedn || associateddomain\") (version 3.0;acl \"Allow Search\"; allow (search,read,compare)(userdn = \"ldap:///anyone\");)"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/hosted-kolab/03-add-management-domain.sh b/hosted-kolab/05-add-management-domain.sh
index 98184bb..16efa77 100755
--- a/hosted-kolab/03-add-management-domain.sh
+++ b/hosted-kolab/05-add-management-domain.sh
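Review bot: The ldapdelete of `cn=kolab-admin,${rootdn}` is not checked, so if it fails (entry absent, bind rejected) the script still adds `cn=admin-user` and exits 0, and the other scripts in this commit that now reference `cn=admin-user` have no way to notice the half-applied state. Appending `|| exit 1` to that pipeline (or `set -e` at the top) would surface it. `${ldap_host}` is unquoted in both commands while the bind DN and password are quoted; quote it for consistency.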
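Review bot: The `Allow Search` ACI grants read, search and compare to `ldap:///anyone`, which includes unauthenticated binds, on `aci`, `associateddomain`, `inetdomainstatus` and `inetdomainbasedn` below ou=Domains, so the complete list of hosted domains and the access policy itself become readable without credentials. If the goal is only that bound users can see their own domain (the checks added in 09-add-doe-at-mgmt-domain-admin.sh bind as a user), `ldap:///all` limits the rule to authenticated identities and `aci` can be dropped from targetattr. The `Allow Domain Registration` ACI also lets hosted-kolab-service set `aci` on the domain entries it adds, i.e. that account defines the access policy of every domain it registers; if that is intended a comment saying so would help, otherwise remove `aci` from that targetattr and let the script's admin bind apply the ACIs.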
@@ -6,6 +6,7 @@ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///${rootdn}??sub?(objectclass=*)\");)" echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)" echo "inetDomainStatus: active" + echo "inetDomainBaseDN: dc=example,dc=org" echo "objectClass: top" echo "objectClass: domainrelatedobject" echo "objectClass: inetdomain" diff --git a/hosted-kolab/04-remove-cn-equals-kolab.sh b/hosted-kolab/06-remove-cn-equals-kolab.sh index 643cc5b..643cc5b 100755 --- a/hosted-kolab/04-remove-cn-equals-kolab.sh +++ b/hosted-kolab/06-remove-cn-equals-kolab.sh diff --git a/hosted-kolab/06-add-self-reg-hosted-domain.sh b/hosted-kolab/07-add-self-reg-hosted-domain.sh index 2144b14..97c9a7f 100755 --- a/hosted-kolab/06-add-self-reg-hosted-domain.sh +++ b/hosted-kolab/07-add-self-reg-hosted-domain.sh @@ -10,7 +10,7 @@ echo "associateddomain: ${hosted_domain}" echo "inetdomainstatus: active" echo "inetdomainbasedn: dc=mykolab,dc=com" - echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap://ou=People,${hosted_domain_rootdn}\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap://ou=People,${hosted_domain_rootdn}??sub?(objectclass=*)\") AND NOT (roledn = \"ldap:///cn=admin-user,${rootdn}\");)" echo "" for domain in kolabnow.com swisscollab.ch mykolab.ch; do 
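Review bot: The self-access clause in the rewritten `Deny Unauthorized` ACI reads `ldap://ou=People,${hosted_domain_rootdn}??sub?(objectclass=*)` with two slashes, whereas every other userdn in this file, including the ou=People entry in the `@@ -75,7 +112,7 @@` hunk, uses `ldap:///`; with a host component the URL is not a DN pattern, so the clause most likely never matches the domain's own users and `deny (all)` applies to them as well. The same two-slash form is in the `@@ -21,7 +21,7 @@` hunk for the kolabnow.com/swisscollab.ch/mykolab.ch loop. The old line had the same defect, so the commit did not introduce it, but since it rewrites the line anyway the fix is one character in each: `ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=*)`.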
@@ -21,7 +21,7 @@ echo "associateddomain: ${domain}" echo "inetdomainstatus: active" echo "inetdomainbasedn: dc=mykolab,dc=com" - echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap://ou=People,${hosted_domain_rootdn}\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap://ou=People,${hosted_domain_rootdn}??sub?(objectclass=*)\") AND NOT (roledn = \"ldap:///cn=admin-user,${rootdn}\");)" echo "" done 
@@ -53,12 +53,13 @@ ( echo "dn: ${hosted_domain_rootdn}" echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)" - echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)" - echo "aci: (targetattr=\"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)" + echo "aci: (targetattr = \"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)" + echo "aci: (targetattr = \"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)" echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-$(hostname -s),cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot\";)" - echo "aci: (targetattr =\"*\")(version 3.0;acl \"Kolab Administrators\";allow (all) (roledn=\"ldap:///cn=kolab-admin,${rootdn}\");)" - echo "aci: (targetattr = \"*\") (version 3.0;acl \"Search Access\";allow (compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)" - echo "aci: (targetattr != \"userPassword\") (version 3.0;acl 
\"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${domain_rootdn}\");)" + echo "aci: (targetattr = \"*\")(version 3.0;acl \"Kolab Administrators\";allow (all) (roledn=\"ldap:///cn=admin-user,${rootdn}\");)" + echo "aci: (targetattr != \"userPassword\")(version 3.0;acl \"Search Access\";allow (compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)" + echo "aci: (targetattr != \"userPassword\")(version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)" + echo "aci: (target = \"ldap:///ou=*,${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain OU Registration\"; allow (add,write)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)" echo "objectClass: top" echo "objectClass: domain" echo "dc: $(echo ${hosted_domain} | cut -d'.' -f 1)" 
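Review bot: The new `Allow Domain OU Registration` ACI gives `uid=hosted-kolab-service` both `add` and `write` on `aci` for every `ou=*` entry below the hosted domain, so that account can rewrite the access policy of any organisational unit there, not just create new ones; the sibling ACI added to 08-add-customer-domain.sh for the same purpose grants `add` only. Unless the registration flow has to modify existing OUs, drop `write` (or remove `aci` from targetattr) so the grant matches its name. The `Search Access` and `Service Search Access` rewrites that now exclude `userPassword` are the right direction. The subshell building this LDIF opens before the hunk and closes after it.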
@@ -66,6 +67,42 @@ ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" ( + echo "dn: cn=active-user,${hosted_domain_rootdn}" + echo "objectclass: top" + echo "objectclass: ldapsubentry" + echo "objectclass: nsroledefinition" + echo "objectclass: nssimpleroledefinition" + echo "objectclass: nsmanagedroledefinition" + echo "cn: active-user" + echo "" + + echo "dn: cn=suspended-user,${hosted_domain_rootdn}" + echo "objectclass: top" + echo "objectclass: ldapsubentry" + echo "objectclass: nsroledefinition" + echo "objectclass: nssimpleroledefinition" + echo "objectclass: nsmanagedroledefinition" + echo "cn: suspended-user" + echo "" + + echo "dn: cn=imap-user,${hosted_domain_rootdn}" + echo "objectclass: top" + echo "objectclass: ldapsubentry" + echo "objectclass: nsroledefinition" + echo "objectclass: nssimpleroledefinition" + echo "objectclass: nsmanagedroledefinition" + echo "cn: imap-user" + echo "" + + echo "dn: cn=kolab-user,${hosted_domain_rootdn}" + echo "objectclass: top" + echo "objectclass: ldapsubentry" + echo "objectclass: nsroledefinition" + echo "objectclass: nssimpleroledefinition" + echo "objectclass: nsmanagedroledefinition" + echo "cn: kolab-user" + echo "" + echo "dn: ou=Groups,${hosted_domain_rootdn}" echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)" echo "ou: Groups" 
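Review bot: The four role definitions added here are the same eight-line block with only the `cn` changed, which invites drift the next time a role is added or an objectclass changes (the management-domain version in 02-replace-roles.sh already differs in nothing but the name). A `for role in ...; do ... done` loop over the role names produces the identical LDIF and keeps a single copy of the objectclass list. The subshell this sits in opens before the hunk and closes after it.
```shell
  for role in active-user suspended-user imap-user kolab-user; do
    echo "dn: cn=${role},${hosted_domain_rootdn}"
    echo "objectclass: top"
    echo "objectclass: ldapsubentry"
    echo "objectclass: nsroledefinition"
    echo "objectclass: nssimpleroledefinition"
    echo "objectclass: nsmanagedroledefinition"
    echo "cn: ${role}"
    echo ""
  done
  # … unchanged: ou=Groups entry …
```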
@@ -75,7 +112,7 @@ echo "dn: ou=People,${hosted_domain_rootdn}" echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=*)\");)" - echo "aci: (targetattr = \"*\") (version 3.0;acl \"Allow Hosted Kolab Service\"; allow (search,add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Allow Hosted Kolab Service\"; allow (search,add,read)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)" echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Allow Kolab Service\"; allow (read,search,compare)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn}\");)" echo "aci: (targetattr = \"*\") (version 3.0;acl \"Self Search Access\";allow (read,compare,search)(userdn = \"ldap:///self\");)" echo "ou: People" diff --git a/hosted-kolab/07-add-customer-domain.sh b/hosted-kolab/08-add-customer-domain.sh index 2b9bba8..feb8010 100755 --- a/hosted-kolab/07-add-customer-domain.sh +++ b/hosted-kolab/08-add-customer-domain.sh 
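Review bot: The `Allow Hosted Kolab Service` ACI is extended to `read` while its targetattr stays `*`, so hosted-kolab-service can now read the `userPassword` values of every user under ou=People; the `Allow Kolab Service` line directly below restricts the equivalent service read to `(targetattr != \"userPassword\")`. If the service only needs to find and create users, keep `add` on `*` and move `search,read` into a second ACI with `(targetattr != \"userPassword\")`, mirroring the Kolab Service one. The LDIF subshell this entry belongs to starts and ends outside the hunk.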
@@ -14,9 +14,9 @@ export hosted_domain_rootdn="ou=kanarip.com,${rootdn}" echo "objectclass: inetdomain" echo "inetdomainstatus: active" echo "inetdomainbasedn: ${hosted_domain_rootdn}" - echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)" echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)" - echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn}\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn} || ldap:///cn=admin-user,${mgmt_domain_rootdn}\");)" echo "" echo "dn: associateddomain=kanarip.ch,ou=Domains,${mgmt_domain_rootdn}" 
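Review bot: The appended bind rule `AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\"` is written without parentheses, whereas the equivalent rule added to 07-add-self-reg-hosted-domain.sh in this same commit is `AND NOT (roledn = \"...\")` and every other bind-rule term in these files is parenthesised; unless the server is known to accept the bare form, the ACI is either rejected or parsed differently from the 07 version. The same unparenthesised form is in the `@@ -25,9 +25,9 @@`, `@@ -36,21 +36,23 @@` and `@@ -128,22 +130,40 @@` hunks of this file. Because the adds run with `-c`, an entry rejected for a bad ACI value is only reported and the script carries on, so the domain would silently be missing its deny rule.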
@@ -25,9 +25,9 @@ export hosted_domain_rootdn="ou=kanarip.com,${rootdn}" echo "objectclass: inetdomain" echo "inetdomainstatus: active" echo "inetdomainbasedn: ${hosted_domain_rootdn}" - echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)" echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)" - echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn}\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn} || ldap:///cn=admin-user,${mgmt_domain_rootdn}\");)" echo "" echo "dn: associateddomain=kanarip.nl,ou=Domains,${mgmt_domain_rootdn}" 
@@ -36,21 +36,23 @@ export hosted_domain_rootdn="ou=kanarip.com,${rootdn}" echo "objectclass: inetdomain" echo "inetdomainstatus: active" echo "inetdomainbasedn: ${hosted_domain_rootdn}" - echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)" echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)" - echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn}\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn} || ldap:///cn=admin-user,${mgmt_domain_rootdn}\");)" echo "" ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c ( - - echo "dn: ou=${hosted_domain},${rootdn}" + echo "dn: ${hosted_domain_rootdn}" echo "ou: ${hosted_domain}" echo "objectClass: top" echo "objectClass: organizationalunit" - echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special 
Users,${mgmt_domain_rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)" echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)" - echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn}\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn} || ldap:///cn=admin-user,${mgmt_domain_rootdn}\");)" + echo "aci: (target = \"ldap:///ou=*,${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain sub-OU Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${mgmt_domain_rootdn}\");)" + echo "aci: (target = \"ldap:///uid=*,ou=People,${hosted_domain_rootdn}\")(targetattr=\"*\") (version 3.0;acl \"Allow Domain First User Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${mgmt_domain_rootdn}\");)" + echo "aci: (target = \"ldap:///cn=*,${hosted_domain_rootdn}\")(targetattr=\"objectclass || cn\") (version 3.0;acl \"Allow Domain Role Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${mgmt_domain_rootdn}\");)" echo "" echo "dn: cn=admin-user,${hosted_domain_rootdn}" 
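Review bot: The new `Allow Domain First User Registration` ACI grants hosted-kolab-service `add` on `uid=*,ou=People,${hosted_domain_rootdn}` with `targetattr=\"*\"`, so the service can create a user carrying any attribute, including `nsroledn`; the next hunk relies on exactly that to create the first `cn=admin-user` member while bound as the service. That is presumably the intended bootstrap, but nothing says so; a comment such as `# targetattr * is deliberate: the service must set nsroledn on the first (admin) user` on that line would stop a later reviewer from narrowing it, or, if only the bootstrap needs it, enumerate the attributes as the OU and role ACIs beside it do. The LDIF subshell continues beyond the hunk.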
@@ -128,22 +130,40 @@ export hosted_domain_rootdn="ou=kanarip.com,${rootdn}" echo "objectClass: kolabinetorgperson" echo "objectClass: mailrecipient" echo "objectClass: organizationalperson" + echo "objectClass: country" echo "objectClass: person" echo "givenName: Jeroen" - echo "mailQuota: 1048576" - echo "preferredLanguage: en_US" + echo "mailQuota: 2097152" echo "sn: van Meeuwen" echo "cn: Jeroen van Meeuwen" - echo "displayName: van Meeuwen, Jeroen" echo "mail: kanarip@kanarip.com" echo "uid: kanarip@kanarip.com" echo "mailHost: localhost" - echo "userPassword: 456789" + echo "mailalternateaddress: vanmeeuwen@kolabsys.com" + echo "telephonenumber: +41438178006" + echo "mobile: +41799519003" + echo "street: Schulhausstrasse 47" + echo "postalcode: 8703" + echo "l: Erlenbach" + echo "c: CH" + echo "userPassword: ${default_user_password}" echo "nsroledn: cn=activesync-user,${hosted_domain_rootdn}" echo "nsroledn: cn=admin-user,${hosted_domain_rootdn}" echo "nsroledn: cn=kolab-user,${hosted_domain_rootdn}" echo "" +) | ldapadd -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${mgmt_domain_rootdn}" -w Welcome2KolabSystems -c +( + echo "dn: ${hosted_domain_rootdn}" + echo "changetype: modify" + echo "replace: aci" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)" + echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${mgmt_domain_rootdn} || ldap:///ou=People,${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)" + echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,${hosted_domain_rootdn} || 
ldap:///cn=admin-user,${mgmt_domain_rootdn}\");)" + echo "" +) | ldapmodify -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${mgmt_domain_rootdn}" -w Welcome2KolabSystems -c + +( echo "dn: uid=lydia@kanarip.com,ou=People,${hosted_domain_rootdn}" echo "objectClass: top" echo "objectClass: inetorgperson" @@ -152,15 +172,13 @@ export hosted_domain_rootdn="ou=kanarip.com,${rootdn}" echo "objectClass: organizationalperson" echo "objectClass: person" echo "givenName: Lydia" - echo "mailQuota: 1048576" - echo "preferredLanguage: en_US" + echo "mailQuota: 2097152" echo "sn: van Meeuwen" echo "cn: Lydia van Meeuwen" - echo "displayName: van Meeuwen, Lydia" echo "mail: lydia@kanarip.nl" echo "uid: lydia@kanarip.com" echo "mailHost: localhost" - echo "userPassword: 456789" + echo "userPassword: ${default_user_password}" echo "nsroledn: cn=activesync-user,${hosted_domain_rootdn}" echo "nsroledn: cn=kolab-user,${hosted_domain_rootdn}" echo "" 
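Review bot: Both new bind commands pass the hosted-kolab-service password as the literal `-w Welcome2KolabSystems`, while 12-add-sixpack-at-kolabnow.com.sh binds the same account with `-w "${hosted_kolab_service_pw}"` from settings.sh; use the variable here too so the secret lives in one place (with every `-w` it is still visible in the process list while the command runs). The ldapmodify that does `replace: aci` on `${hosted_domain_rootdn}` runs as the service account, and I cannot see an ACI in this commit granting it write on `aci` for the domain OU itself (the new registration ACIs cover `ou=*` and `uid=*` below it, with `add` only), so with `-c` a rejection would only be printed and the domain would keep the ACIs written at creation; please confirm it actually applies. The kanarip@kanarip.com entry now carries real-looking phone numbers and a street address; a test fixture should use placeholder contact data.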
@@ -173,17 +191,45 @@ export hosted_domain_rootdn="ou=kanarip.com,${rootdn}" echo "objectClass: organizationalperson" echo "objectClass: person" echo "givenName: Annabelle" - echo "mailQuota: 1048576" - echo "preferredLanguage: en_US" + echo "mailQuota: 2097152" echo "sn: van Meeuwen" echo "cn: Annabelle van Meeuwen" - echo "displayName: van Meeuwen, Annabelle" echo "mail: annabelle@kanarip.ch" echo "uid: annabelle@kanarip.com" echo "mailHost: localhost" - echo "userPassword: 456789" + echo "userPassword: ${default_user_password}" echo "nsroledn: cn=activesync-user,${hosted_domain_rootdn}" echo "nsroledn: cn=kolab-user,${hosted_domain_rootdn}" echo "" +) | ldapadd -x -h ${ldap_host} -D "uid=kanarip@kanarip.com,ou=People,${hosted_domain_rootdn}" -w "${default_user_password}" -c + +num_domains=$( + ldapsearch -x -h localhost \ + -D "uid=kanarip@kanarip.com,ou=People,${hosted_domain_rootdn}" \ + -w "${default_user_password}" \ + -b "${domain_base_dn}" \ + -s sub \ + -LLL "(&(objectclass=domainrelatedobject)(associateddomain=${hosted_domain}))" dn | \ + grep ^dn | \ + wc -l + ) + +if [ ${num_domains} -ne 1 ]; then + echo "ERROR: Expected 1 domain, got ${num_domains} domains" +fi + +num_domains=$( + ldapsearch -x -h localhost \ + -D "uid=kanarip@kanarip.com,ou=People,${hosted_domain_rootdn}" \ + -w "${default_user_password}" \ + -b "${domain_base_dn}" \ + -s sub \ + -LLL "(objectclass=domainrelatedobject)" dn | \ + grep ^dn | \ + wc -l + ) + +if [ ${num_domains} -ne 3 ]; then + echo "ERROR: Expected 3 domains, got ${num_domains} domain(s)" +fi -) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c diff --git a/hosted-kolab/08-add-doe-at-mgmt-domain-admin.sh b/hosted-kolab/08-add-doe-at-mgmt-domain-admin.sh deleted file mode 100755 index 6ccaee9..0000000 --- a/hosted-kolab/08-add-doe-at-mgmt-domain-admin.sh +++ /dev/null 
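Review bot: The two post-checks print `ERROR: ...` on stdout and then fall through, and nothing changes the script's exit status, so a missing or over-visible domain (or a failed bind, which leaves `wc -l` at 0) goes unnoticed when 00-oops-i-did-it-again.sh chains these scripts. Send them to stderr and fail: `echo "ERROR: ..." >&2` followed by `exit 1`. `grep ^dn | wc -l` can be `grep -c '^dn'`, and `-h localhost` should be `-h ${ldap_host}` like the ldapadd calls in the same file. The same pattern is in the new 09-add-doe-at-mgmt-domain-admin.sh.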
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-(
- echo "dn: uid=doe@${domain},ou=People,${rootdn}"
- echo "objectClass: top"
- echo "objectClass: inetorgperson"
- echo "objectClass: kolabinetorgperson"
- echo "objectClass: mailrecipient"
- echo "objectClass: organizationalperson"
- echo "objectClass: person"
- echo "givenName: John"
- echo "mailQuota: 1048576"
- echo "preferredLanguage: en_US"
- echo "sn: Doe"
- echo "cn: John Doe"
- echo "displayName: Doe, John"
- echo "mail: doe@${domain}"
- echo "uid: doe@${domain}"
- echo "mailHost: localhost"
- echo "nsroledn: cn=kolab-admin,${rootdn}"
- echo "userPassword: ${default_user_password}"
- echo ""
-) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/hosted-kolab/09-add-doe-at-mgmt-domain-admin.sh b/hosted-kolab/09-add-doe-at-mgmt-domain-admin.sh
new file mode 100755
index 0000000..298d776
--- /dev/null
+++ b/hosted-kolab/09-add-doe-at-mgmt-domain-admin.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+. ./settings.sh
+
+(
+ echo "dn: uid=doe@${domain},ou=People,${rootdn}"
+ echo "objectClass: top"
+ echo "objectClass: inetorgperson"
+ echo "objectClass: kolabinetorgperson"
+ echo "objectClass: organizationalperson"
+ echo "objectClass: person"
+ echo "givenName: John"
+ echo "sn: Doe"
+ echo "cn: John Doe"
+ echo "mail: doe@${domain}"
+ echo "uid: doe@${domain}"
+ echo "nsroledn: cn=admin-user,${rootdn}"
+ echo "userPassword: ${default_user_password}"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=doe@${domain},ou=People,${rootdn}" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(&(objectclass=domainrelatedobject)(associateddomain=${domain}))" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne 1 ]; then
+ echo "ERROR: Expected 1 domain, got ${num_domains} domains"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=doe@${domain},ou=People,${rootdn}" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL '(objectclass=domainrelatedobject)' dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -lt 3 ]; then
+ echo "ERROR: Expected more than 3 domains, got ${num_domains} domain(s)"
+fi
+
diff --git a/hosted-kolab/09-add-doe-at-kolabnow.com.sh b/hosted-kolab/10-add-doe-at-kolabnow.com.sh
index a057d7f..0b29dc6 100755
--- a/hosted-kolab/09-add-doe-at-kolabnow.com.sh
+++ b/hosted-kolab/10-add-doe-at-kolabnow.com.sh
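Review bot: The second check prints `Expected more than 3 domains` but the condition is `[ ${num_domains} -lt 3 ]`, which accepts exactly 3; either the message should say "at least 3" or the test should be `-le 3`. The `uid=doe@${domain}` user is given `nsroledn: cn=admin-user,${rootdn}`, the management-domain admin role this commit introduces, so the visibility checks that follow exercise the admin path rather than a plain user's; a one-line comment above the checks saying that is what they verify would make the file's intent clear. `${num_domains}` is unquoted inside `[ ]`; quoting it is the safer habit even though `wc -l` always prints something.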
@@ -8,17 +8,19 @@ echo "objectClass: inetorgperson" echo "objectClass: kolabinetorgperson" echo "objectClass: mailrecipient" + echo "objectClass: country" echo "objectClass: organizationalperson" echo "objectClass: person" echo "givenName: Jane" - echo "mailQuota: 1048576" - echo "preferredLanguage: en_US" + echo "mailQuota: 2097152" + echo "c: CH" echo "sn: Doe" echo "cn: Jane Doe" - echo "displayName: Doe, Jane" echo "mail: doe@kolabnow.com" echo "uid: doe@kolabnow.com" echo "mailHost: localhost" + echo "nsroledn: cn=active-user,${hosted_domain_rootdn}" + echo "nsroledn: cn=kolab-user,dc=mykolab,dc=com" echo "userPassword: ${default_user_password}" echo "" ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" diff --git a/hosted-kolab/10-add-doe-at-mykolab.com.sh b/hosted-kolab/11-add-doe-at-mykolab.com.sh index ae03fc6..9f3cf25 100755 --- a/hosted-kolab/10-add-doe-at-mykolab.com.sh +++ b/hosted-kolab/11-add-doe-at-mykolab.com.sh @@ -10,15 +10,18 @@ echo "objectClass: mailrecipient" echo "objectClass: organizationalperson" echo "objectClass: person" + echo "objectClass: country" + echo "c: CH" echo "givenName: Jane" - echo "mailQuota: 1048576" - echo "preferredLanguage: en_US" + echo "mailQuota: 2097152" echo "sn: Doe" echo "cn: Jane Doe" - echo "displayName: Doe, Jane" echo "mail: doe@mykolab.com" echo "uid: doe@mykolab.com" echo "mailHost: localhost" + echo "nsroledn: cn=active-user,${hosted_domain_rootdn}" + echo "nsroledn: cn=activesync-user,dc=mykolab,dc=com" + echo "nsroledn: cn=kolab-user,dc=mykolab,dc=com" echo "userPassword: ${default_user_password}" echo "" ) | ldapadd -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" diff --git a/hosted-kolab/11-add-sixpack-at-kolabnow.com.sh b/hosted-kolab/12-add-sixpack-at-kolabnow.com.sh index aae9225..4c799e6 100755 --- a/hosted-kolab/11-add-sixpack-at-kolabnow.com.sh +++ b/hosted-kolab/12-add-sixpack-at-kolabnow.com.sh 
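Review bot: In both hunks the `nsroledn` values mix `${hosted_domain_rootdn}` (`cn=active-user,...`) with the literal base `dc=mykolab,dc=com` (`cn=kolab-user`, `cn=activesync-user`), although 07-add-self-reg-hosted-domain.sh creates `cn=kolab-user` and `cn=imap-user` under `${hosted_domain_rootdn}`; if the variable resolves to dc=mykolab,dc=com the two forms are the same and the literal should just become the variable, otherwise the literal role DNs point at roles this commit does not create and the users silently end up without them. The same mix appears in the 12-add-sixpack-at-kolabnow.com.sh hunk. Each entry is built inside a subshell that starts before the hunk.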
@@ -10,15 +10,18 @@ echo "objectClass: mailrecipient" echo "objectClass: organizationalperson" echo "objectClass: person" + echo "objectClass: country" + echo "c: CH" echo "givenName: Joe" - echo "mailQuota: 1048576" - echo "preferredLanguage: en_US" + echo "mailQuota: 2097152" echo "sn: Sixpack" echo "cn: Joe Sixpack" - echo "displayName: Sixpack, Joe" echo "mail: sixpack@kolabnow.com" echo "uid: sixpack@kolabnow.com" echo "mailHost: localhost" - echo "userPassword: 741852" + echo "nsroledn: cn=active-user,${hosted_domain_rootdn}" + echo "nsroledn: cn=imap-user,dc=mykolab,dc=com" + echo "userPassword: ${default_user_password}" echo "" ) | ldapadd -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${rootdn}" -w "${hosted_kolab_service_pw}" + diff --git a/hosted-kolab/15-adjust-configuration.sh b/hosted-kolab/15-adjust-configuration.sh new file mode 100755 index 0000000..48c3821 --- /dev/null +++ b/hosted-kolab/15-adjust-configuration.sh 
@@ -0,0 +1,99 @@ +#!/bin/bash + +. ./settings.sh + +rm -rf /etc/kolab/kolab.conf.orig +cp /etc/kolab/kolab.conf /etc/kolab/kolab.conf.orig + +sed -r -i \ + -e "s/^domain_base_dn.*$/domain_base_dn = ${domain_base_dn}/g" \ + -e 's/^primary_mail.*/primary_mail = %(uid)s@%(domain)s/g' \ + -e '/^secondary_mail/,+10d' \ + -e '/^primary_mail/ a\ +daemon_rcpt_policy = False' \ + -e '/kolab_wap/ a\ +login_filter = (uid=%U@%d)\ +devel_mode = 1\ +debug_mode = trace' \ + -e 's/^auth_attributes.*$/auth_attributes = uid/g' \ + -e 's/^result_attribute.*$/result_attribute = uid/g' \ + -e 's/^domain_filter.*$/domain_filter = (\&(objectclass=domainrelatedobject)(associateddomain=*))/g' \ + -e 's/^user_filter.*$/user_filter = (|(\&(uid=cyrus-admin)(!(objectclass=kolabinetorgperson)))(objectclass=kolabinetorgperson))/g' \ + /etc/kolab/kolab.conf + +if [ -z "$(grep ^auth_mechanism /etc/kolab/kolab.conf)" ]; then + echo "WARNING: No more auth_mechanism setting?" + sed -i -e '/\[kolab\]/ a\ +auth_mechanism = ldap' \ + /etc/kolab/kolab.conf +fi + +sed -r -i \ + -e 's/^ldap_filter:.*$/ldap_filter: (|(\&(uid=cyrus-admin)(uid=%u)(objectclass=inetorgperson)(!(objectclass=kolabinetorgperson)))(\&(uid=%u)(objectclass=kolabinetorgperson)))/g' \ + -e 's/^ldap_base:.*$/ldap_base: dc=example,dc=org/g' \ + -e 's/^ldap_user_attribute:.*$/ldap_user_attribute: uid/g' \ + -e 's/^ldap_group_base:.*%$/ldap_group_base: dc=example,dc=org/g' \ + -e 's/^ldap_group_filter:.*$/ldap_group_filter: (\&(objectclass=kolabgroupofuniquenames)(mail=%u))/g' \ + -e 's/^ldap_member_base:.*$/ldap_member_base: dc=mykolab,dc=com/g' \ + -e 's/^ldap_member_method:.*$/ldap_member_method: filter/g' \ + -e 's/^ldap_member_filter:.*$/ldap_member_filter: (uniquemember=%D)/g' \ + -e 's/^ldap_member_attribute:.*$/ldap_member_attribute: mail/g' \ + -e '/^ldap_domain_base_dn/d' \ + -e '/^debug:/d' \ + -e '/^auditlog:/d' \ + -e '/^chatty:/d' \ + -e '/^ldap_member_attribute:.*$/ a\ +ldap_domain_base_dn: ou=Domains,dc=example,dc=org' \ + 
/etc/imapd.conf + +echo "debug: 1" >> /etc/imapd.conf +echo "auditlog: 1" >> /etc/imapd.conf +echo "chatty: 1" >> /etc/imapd.conf + +service cyrus-imapd restart + +service kolabd restart +service kolab-saslauthd restart + +if [ ! -d "/usr/share/kolab-hkccp/" ]; then + git clone ssh://git@git.kolab.org/diffusion/H/hkccp.git /usr/share/kolab-hkccp/ + mkdir -p /usr/share/kolab-hkccp/temp/session + chown apache:apache /usr/share/kolab-hkccp/temp/session +fi + +rm -rf /usr/share/kolab-hkccp/config/config.ini +cp /usr/share/kolab-hkccp/config/config.ini.kolab /usr/share/kolab-hkccp/config/config.ini + +pushd /usr/share/kolab-hkccp/ +uri=$(grep ^cache_uri /etc/kolab/kolab.conf | awk '{print $3}') +service_auth_pw=$(grep ^service_bind_pw /etc/kolab/kolab.conf | awk '{print $3}') + +sed -r -i \ + -e "s|^dsn =.*$|dsn = $uri|g" \ + -e "s|^dsnr =.*$|dsnr = $uri|g" \ + -e "s|^service_auth_pw =.*$|service_auth_pw = $service_auth_pw|g" \ + -e '/^root_dn = / a\ +mgmt_root_dn = "dc=example,dc=org"\ +hosted_root_dn = "dc=mykolab,dc=com"' \ + config/config.ini + +password=$(grep ^cache_uri /etc/kolab/kolab.conf | awk '{print $3}' | cut -d':' -f3 | cut -d'@' -f1) +mysql -u kolab --password="${password}" kolab < SQL/mysql.sql +popd + +pushd /usr/share/kolab-webadmin/ +php sample-insert-hosted-user_types.php +popd + +pushd /usr/share/kolab-hkccp + +mkdir -p temp/session/ +chown apache temp/session/ + +#php bin/backend.php adduser doe@example.org --tenant 1 --verbose +#php bin/backend.php adduser kanarip@kanarip.com --tenant 1 --verbose +#php bin/backend.php adduser doe@kolabnow.com --tenant 1 --verbose +#php bin/backend.php adduser sixpack@kolabnow.com --tenant 1 --verbose +#php bin/backend.php adduser doe@mykolab.com --tenant 1 --verbose +popd + diff --git a/hosted-kolab/15-adjust-kolab.conf.sh b/hosted-kolab/15-adjust-kolab.conf.sh deleted file mode 100755 index 2f902de..0000000 --- a/hosted-kolab/15-adjust-kolab.conf.sh +++ /dev/null 
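Review bot: The imapd.conf substitution `s/^ldap_group_base:.*%$/.../` ends in `%$` where every neighbouring expression ends in `.*$`, so it only matches a line ending in a literal `%` and `ldap_group_base` is never rewritten; it should read `-e 's/^ldap_group_base:.*$/ldap_group_base: dc=example,dc=org/g'`. The MySQL password is recovered with `cut -d':' -f3 | cut -d'@' -f1`, which breaks for any password containing `:` or `@`, and is then passed as `--password="${password}"`, which exposes it in the process list; `MYSQL_PWD` in the environment or a `--defaults-extra-file` avoids that, and `service_auth_pw` is likewise interpolated unescaped into a sed expression where a `|`, `&` or `\` in the secret would corrupt config.ini. The `git clone ssh://...` fetches unpinned code onto the host as a side effect of a configuration script; pinning a commit (or vendoring the checkout) would make the provisioning reproducible.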
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-. ./settings.sh
-
-sed -r -i \
- -e "s/^domain_base_dn.*$/domain_base_dn = ${domain_base_dn}/g" \
- -e 's/^primary_mail.*/primary_mail = %(uid)s@%(domain)s/g' \
- -e '/secondary_mail/,+11d' \
- -e '/^primary_mail/ a\
-daemon_rcpt_policy = False' \
- -e 's/^auth_attributes.*$/auth_attributes = mail, uid/g' \
- /etc/kolab/kolab.conf.default
-
-service kolabd restart
-service kolab-saslauthd restart
-
diff --git a/hosted-kolab/19-test-aci.sh b/hosted-kolab/19-test-aci.sh
index 47354dc..b6d3fb3 100755
--- a/hosted-kolab/19-test-aci.sh
+++ b/hosted-kolab/19-test-aci.sh
@@ -2,11 +2,149 @@
 . ./settings.sh
-echo "== doe@kolabsys.net =="
-ldapsearch -x -h ${ldap_host} -D "uid=doe@kolabsys.net,ou=People,dc=kolabsys,dc=net" -w "123456" -b ${rootdn} -LLL
-echo "== doe@kolabnow.com =="
-ldapsearch -x -h ${ldap_host} -D "uid=doe@kolabnow.com,ou=People,dc=kolabnow,dc=com" -w "456789" -b ${hosted_domain_rootdn} -LLL
-echo "== sixpack@kolabnow.com =="
-ldapsearch -x -h ${ldap_host} -D "uid=sixpack@kolabnow.com,ou=People,dc=kolabnow,dc=com" -w "741852" -b ${hosted_domain_rootdn} -LLL
-echo "== kanarip@kanarip.com =="
-ldapsearch -x -h ${ldap_host} -D "uid=kanarip@kanarip.com,ou=People,ou=kanarip.com,dc=kolabnow,dc=com" -w "456789" -b ${hosted_domain_rootdn} -LLL
+max_domains=$(
+ ldapsearch -x -h localhost \
+ -D "${ldap_binddn}" \
+ -w "${ldap_bindpw}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(objectclass=domainrelatedobject)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=doe@${domain},ou=People,${rootdn}" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(&(objectclass=domainrelatedobject)(associateddomain=${domain}))" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne 1 ]; then
+ echo "ERROR: Expected 1 domain, got ${num_domains} domains"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=doe@${domain},ou=People,${rootdn}" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL '(objectclass=domainrelatedobject)' dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -lt 3 ]; then
+ echo "ERROR: Expected more than 3 domains, got ${num_domains} domain(s)"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=kolab-service,ou=Special Users,${rootdn}" \
+ -w "$(grep ^service_bind_pw /etc/kolab/kolab.conf | awk '{print $3}')" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(objectclass=domainrelatedobject)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne ${max_domains} ]; then
+ echo "ERROR: Expected ${max_domains} domains, got ${num_domains} domain(s)"
+fi
+
+num_users=$(
+ ldapsearch -x -h localhost \
+ -D "uid=kolab-service,ou=Special Users,${rootdn}" \
+ -w "$(grep ^service_bind_pw /etc/kolab/kolab.conf | awk '{print $3}')" \
+ -b "${hosted_domain_rootdn}" \
+ -s sub \
+ -LLL "(objectclass=kolabinetorgperson)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_users} -lt 6 ]; then
+ echo "ERROR: Expected 6 or more users, got ${num_users} user(s)"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=kanarip@kanarip.com,ou=People,ou=kanarip.com,dc=mykolab,dc=com" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(&(objectclass=domainrelatedobject)(associateddomain=kanarip.com))" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne 1 ]; then
+ echo "ERROR: Expected 1 domain, got ${num_domains} domains"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=kanarip@kanarip.com,ou=People,ou=kanarip.com,dc=mykolab,dc=com" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(objectclass=domainrelatedobject)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne 3 ]; then
+ echo "ERROR: Expected 3 domains, got ${num_domains} domain(s)"
+fi
+
+num_entries=$(
+ ldapsearch -x -h localhost \
+ -D "uid=doe@mykolab.com,ou=People,dc=mykolab,dc=com" \
+ -w "${default_user_password}" \
+ -b "${hosted_domain_rootdn}" \
+ -s sub \
+ -LLL "(objectclass=*)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_entries} -ne 1 ]; then
+ echo "ERROR: Expected one entry on foreign domain search but got ${num_entries}"
+fi
+
+num_entries=$(
+ ldapsearch -x -h localhost \
+ -D "uid=kanarip@kanarip.com,ou=People,ou=kanarip.com,dc=mykolab,dc=com" \
+ -w "${default_user_password}" \
+ -b "${hosted_domain_rootdn}" \
+ -s sub \
+ -LLL "(objectclass=*)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_entries} -ne 8 ]; then
+ echo "ERROR: Expected some 8 entries on foreign domain hierarchy search but got ${num_entries}"
+fi
+
+num_domains=$(
+ ldapsearch -x -h localhost \
+ -D "uid=hosted-kolab-service,ou=Special Users,dc=example,dc=org" \
+ -w "${default_user_password}" \
+ -b "${domain_base_dn}" \
+ -s sub \
+ -LLL "(objectclass=domainrelatedobject)" dn | \
+ grep ^dn | \
+ wc -l
+ )
+
+if [ ${num_domains} -ne 4 ]; then
+ echo "ERROR: Expected 3 domains, got ${num_domains} domain(s)"
+fi
+
diff --git a/hosted-kolab/99-remove-users.sh b/hosted-kolab/99-remove-users.sh
index 9924a2f..d6e39fc 100755
--- a/hosted-kolab/99-remove-users.sh
+++ b/hosted-kolab/99-remove-users.sh
@@ -3,5 +3,5 @@
 . ./settings.sh
 (
- ldapsearch -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -b ${rootdn} "(objectclass=kolabinetorgperson)" dn | grep ^dn | sed -e 's/dn: //g'
+ ldapsearch -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -b ${hosted_domain_rootdn} "(mailalternateaddress=*)" dn | grep ^dn | sed -e 's/dn: //g'
 ) | ldapdelete -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}"
diff --git a/hosted-kolab/replace-aci b/hosted-kolab/replace-aci
new file mode 100755
index 0000000..8d21d3b
--- /dev/null
+++ b/hosted-kolab/replace-aci
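Review bot: Every failed check only prints `echo "ERROR: …"` and the script's exit status stays 0, so a harness running 19-test-aci.sh cannot tell a broken ACI set from a passing one; set `rc=0` after `. ./settings.sh`, add `rc=1` to each failure branch (with the message on stderr), and finish with `exit "${rc}"`. Two messages contradict their conditions: `[ ${num_domains} -lt 3 ]` reports "Expected more than 3 domains" although 3 passes, and the final `[ ${num_domains} -ne 4 ]` reports "Expected 3 domains". All new binds go to `-h localhost` whereas the removed lines and 99-remove-users.sh use `${ldap_host}`; if the change is deliberate a one-line comment would save the next reader the question. The service bind password is read out of kolab.conf and passed with `-w` on the command line twice; `ldapsearch -y` with a password file keeps it out of the process list. The shebang at line 1 is outside the hunk.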
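Review bot: The new selector `(mailalternateaddress=*)` picks entries by attribute rather than object class, so any entry under `${hosted_domain_rootdn}` carrying an alias — not only user objects — is now fed to `ldapdelete`; if that widening is intended, a comment should say so, otherwise keep an `(objectclass=kolabinetorgperson)` conjunct in the filter. `-b ${hosted_domain_rootdn}` is still unquoted while `-D` is quoted, and with the variable unset the filter string becomes the search base; `-b "${hosted_domain_rootdn:?}"` aborts instead. `grep ^dn | sed -e 's/dn: //g'` also forwards base64-encoded `dn::` lines unchanged, which ldapdelete will reject. The shebang is outside the hunk.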
@@ -0,0 +1,170 @@
+#!/bin/bash
+
+. ./settings.sh
+
+(
+ echo "dn: ${domain_base_dn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (target = \"ldap:///associateddomain=*,${domain_base_dn}\")(targetattr=\"objectclass || aci || inetdomainstatus || inetdomainbasedn || associateddomain\") (version 3.0;acl \"Allow Domain Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: ${hosted_domain_rootdn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (targetattr=\"carLicense || description || displayName || facsimileTelephoneNumber || homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mobile || pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod || preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st || street || telephoneNumber || telexNumber || title || userCertificate || userPassword || userSMIMECertificate || x500UniqueIdentifier\")(version 3.0; acl \"Enable self write for common attributes\"; allow (write) userdn=\"ldap:///self\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"Configuration Administrators Group\"; allow (all) groupdn=\"ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"Configuration Administrator\"; allow (all) userdn=\"ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0; acl \"SIE Group\"; allow (all) groupdn = \"ldap:///cn=slapd-$(hostname -s),cn=389 Directory Server,cn=Server Group,cn=$(hostname -f),ou=${domain},o=NetscapeRoot\";)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Kolab Administrators\";allow (all) (roledn=\"ldap:///cn=admin-user,${rootdn}\");)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Search Access\";allow (compare,search)(userdn = \"ldap:///${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr != \"userPassword\")(version 3.0;acl \"Service Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${domain_rootdn}\");)"
+ echo "aci: (target = \"ldap:///ou=*,${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain OU Registration\"; allow (add,write)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: associateddomain=self-reg.tld,${domain_base_dn}"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Rest\";deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=self-reg.tld,${hosted_domain_rootdn}??sub?(objectclass=*)\");)"
+ echo "aci: (targetattr = \"*\")(version 3.0;acl \"Deny Hosted Kolab\";deny (all)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "inetDomainStatus: active"
+ echo "objectClass: top"
+ echo "objectClass: domainrelatedobject"
+ echo "objectClass: inetdomain"
+ echo "associatedDomain: self-reg.tld"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${rootdn}" -w Welcome2KolabSystems
+
+export hosted_domain="self-reg.tld"
+
+(
+ echo "dn: ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
+ echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn} || ldap:///cn=admin-user,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///ou=*,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain sub-OU Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///uid=*,ou=People,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"*\") (version 3.0;acl \"Allow Domain First User Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///cn=*,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"objectclass || cn\") (version 3.0;acl \"Allow Domain Role Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "${ldap_binddn}" -w "${ldap_bindpw}" -c
+
+(
+ echo "dn: ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: ${hosted_domain}"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
+ echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn} || ldap:///cn=admin-user,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///ou=*,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"objectclass || aci || ou\") (version 3.0;acl \"Allow Domain sub-OU Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///uid=*,ou=People,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"*\") (version 3.0;acl \"Allow Domain First User Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo "aci: (target = \"ldap:///cn=*,ou=${hosted_domain},${hosted_domain_rootdn}\")(targetattr=\"objectclass || cn\") (version 3.0;acl \"Allow Domain Role Registration\"; allow (add)(userdn = \"ldap:///uid=hosted-kolab-service,ou=Special Users,${rootdn}\");)"
+ echo ""
+
+ echo "dn: cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: admin-user"
+ echo ""
+
+ echo "dn: cn=activesync-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: activesync-user"
+ echo ""
+
+ echo "dn: cn=imap-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: imap-user"
+ echo ""
+
+ echo "dn: cn=kolab-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: kolab-user"
+ echo ""
+
+ echo "dn: cn=xmpp-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectclass: top"
+ echo "objectclass: ldapsubentry"
+ echo "objectclass: nsroledefinition"
+ echo "objectclass: nssimpleroledefinition"
+ echo "objectclass: nsmanagedroledefinition"
+ echo "cn: xmpp-user"
+ echo ""
+
+ echo "dn: ou=Groups,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: Groups"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=People,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: People"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=Resources,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: Resources"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: ou=Shared Folders,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "ou: Shared Folders"
+ echo "objectClass: top"
+ echo "objectClass: organizationalunit"
+ echo ""
+
+ echo "dn: uid=kanarip@self-reg.tld,ou=People,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "objectClass: top"
+ echo "objectClass: inetorgperson"
+ echo "objectClass: kolabinetorgperson"
+ echo "objectClass: mailrecipient"
+ echo "objectClass: organizationalperson"
+ echo "objectClass: country"
+ echo "objectClass: person"
+ echo "givenName: Jeroen"
+ echo "mailQuota: 1048576"
+ echo "preferredLanguage: en_US"
+ echo "sn: van Meeuwen"
+ echo "cn: Jeroen van Meeuwen"
+ echo "displayName: van Meeuwen, Jeroen"
+ echo "mail: kanarip@self-reg.tld"
+ echo "uid: kanarip@self-reg.tld"
+ echo "mailHost: localhost"
+ echo "c: CH"
+ echo "userPassword: ${default_user_password}"
+ echo "nsroledn: cn=activesync-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "nsroledn: cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "nsroledn: cn=kolab-user,ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo ""
+) | ldapadd -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${rootdn}" -w Welcome2KolabSystems -c
+
+(
+ echo "dn: ou=${hosted_domain},${hosted_domain_rootdn}"
+ echo "changetype: modify"
+ echo "replace: aci"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Deny Unauthorized\"; deny (all)(userdn != \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\") AND NOT roledn = \"ldap:///cn=admin-user,${mgmt_domain_rootdn}\";)"
+ echo "aci: (targetattr != \"userPassword\") (version 3.0;acl \"Search Access\";allow (read,compare,search)(userdn = \"ldap:///uid=kolab-service,ou=Special Users,${rootdn} || ldap:///ou=People,ou=${hosted_domain},${hosted_domain_rootdn}??sub?(objectclass=inetorgperson)\");)"
+ echo "aci: (targetattr = \"*\") (version 3.0;acl \"Kolab Administrators\";allow (all)(roledn = \"ldap:///cn=admin-user,ou=${hosted_domain},${hosted_domain_rootdn} || ldap:///cn=admin-user,${rootdn}\");)"
+ echo ""
+) | ldapmodify -x -h ${ldap_host} -D "uid=hosted-kolab-service,ou=Special Users,${rootdn}" -w Welcome2KolabSystems -c |
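Review bot: The "Service Search Access" ACI on `${hosted_domain_rootdn}` builds its subject from `${domain_rootdn}` (`uid=kolab-service,ou=Special Users,${domain_rootdn}`) while every other ACI in the file uses `${rootdn}`; if settings.sh does not define `domain_rootdn` the grant expands to a DN that does not exist, and `${mgmt_domain_rootdn}` in the three "Deny Unauthorized" ACIs carries the same exposure. `set -u` right after `. ./settings.sh`, or `: "${domain_rootdn:?}"`, makes an undefined variable abort before any `replace: aci` is sent. The hosted-kolab-service bind password appears as a literal `-w Welcome2KolabSystems` on three command lines; `-y` with a password file, or the `${default_user_password}` that 19-test-aci.sh already binds this account with, keeps it out of the process list and the script. Each `ldapmodify -c` and `ldapadd -c` continues past rejected entries and no exit status is checked, so a partially applied ACI set is indistinguishable from success; drop `-c` on the `replace: aci` modifications and add `|| exit 1`.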