From fb21af51e202f0b40242cbff5a38e95a80d223f1 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 4 Mar 2019 09:09:04 +0100 Subject: [PATCH 01/11] Revert LDAP schema --- roles/ldap-replica/templates/schema.ldiff.j2 | 175 ++++++++++--------- 1 file changed, 88 insertions(+), 87 deletions(-) diff --git a/roles/ldap-replica/templates/schema.ldiff.j2 b/roles/ldap-replica/templates/schema.ldiff.j2 index 8cdc50b..83d716c 100644 --- a/roles/ldap-replica/templates/schema.ldiff.j2 +++ b/roles/ldap-replica/templates/schema.ldiff.j2 @@ -49,7 +49,7 @@ cn: {0}core olcAttributeTypes: {0}( 2.5.4.2 NAME 'knowledgeInformation' DESC 'RFC2256: k nowledge information' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115. 121.1.15{32768} ) -olcAttributeTypes: {1}( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last +olcAttributeTypes: {1}( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last (family) name(s) for which the entity is known by' SUP name ) olcAttributeTypes: {2}( 2.5.4.5 NAME 'serialNumber' DESC 'RFC2256: serial nu mber of the entity' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMat @@ -94,7 +94,7 @@ olcAttributeTypes: {17}( 2.5.4.21 NAME 'telexNumber' DESC 'RFC2256: Telex Nu mber' SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 ) olcAttributeTypes: {18}( 2.5.4.22 NAME 'teletexTerminalIdentifier' DESC 'RFC 2256: Teletex Terminal Identifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 ) -olcAttributeTypes: {19}( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' ) +olcAttributeTypes: {19}( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' ) DESC 'RFC2256: Facsimile (Fax) Telephone Number' SYNTAX 1.3.6.1.4.1.1466.11 5.121.1.22 ) olcAttributeTypes: {20}( 2.5.4.24 NAME 'x121Address' DESC 'RFC2256: X.121 Ad 
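Review bot: Every `-`/`+` pair in this hunk (and in all following hunks of the file) is identical in the rendered text, e.g. `olcAttributeTypes: {1}( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last`, so what is being reverted appears to be trailing whitespace, and nothing in the template records that this whitespace is load-bearing. In LDIF the single leading space of a folded continuation line is removed on unfolding, so the separator between `last` and `(family)` — and likewise inside the `userPassword`, `sambaNTPassword` and `sambaClearTextPassword` definitions later in the file — exists only as a trailing space on the preceding physical line; an editor or linter that trims trailing whitespace silently corrupts these schema values, which is presumably what this commit is undoing. I would add a Jinja comment at the head of `schema.ldiff.j2` such as `{# LDIF folding: trailing spaces before continuation lines are part of the value; never strip trailing whitespace in this file #}`, and pin it with an `.editorconfig` stanza for this path setting `trim_trailing_whitespace = false`, so the revert does not need to be repeated. Alternatively unfolding the long `olcAttributeTypes`/`olcObjectClasses` values onto single lines would remove the hazard entirely, since LDIF folding is optional.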
@@ -112,7 +112,7 @@ olcAttributeTypes: {23}( 2.5.4.27 NAME 'destinationIndicator' DESC 'RFC2256: olcAttributeTypes: {24}( 2.5.4.28 NAME 'preferredDeliveryMethod' DESC 'RFC22 56: preferred delivery method' SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 SINGLE- VALUE ) -olcAttributeTypes: {25}( 2.5.4.29 NAME 'presentationAddress' DESC 'RFC2256: +olcAttributeTypes: {25}( 2.5.4.29 NAME 'presentationAddress' DESC 'RFC2256: presentation address' EQUALITY presentationAddressMatch SYNTAX 1.3.6.1.4.1. 1466.115.121.1.43 SINGLE-VALUE ) olcAttributeTypes: {26}( 2.5.4.30 NAME 'supportedApplicationContext' DESC 'R @@ -120,14 +120,14 @@ olcAttributeTypes: {26}( 2.5.4.30 NAME 'supportedApplicationContext' DESC 'R X 1.3.6.1.4.1.1466.115.121.1.38 ) olcAttributeTypes: {27}( 2.5.4.31 NAME 'member' DESC 'RFC2256: member of a g roup' SUP distinguishedName ) -olcAttributeTypes: {28}( 2.5.4.32 NAME 'owner' DESC 'RFC2256: owner (of the +olcAttributeTypes: {28}( 2.5.4.32 NAME 'owner' DESC 'RFC2256: owner (of the object)' SUP distinguishedName ) olcAttributeTypes: {29}( 2.5.4.33 NAME 'roleOccupant' DESC 'RFC2256: occupan t of role' SUP distinguishedName ) olcAttributeTypes: {30}( 2.5.4.36 NAME 'userCertificate' DESC 'RFC2256: X.50 9 user certificate, use ;binary' EQUALITY certificateExactMatch SYNTAX 1.3. 6.1.4.1.1466.115.121.1.8 ) -olcAttributeTypes: {31}( 2.5.4.37 NAME 'cACertificate' DESC 'RFC2256: X.509 +olcAttributeTypes: {31}( 2.5.4.37 NAME 'cACertificate' DESC 'RFC2256: X.509 CA certificate, use ;binary' EQUALITY certificateExactMatch SYNTAX 1.3.6.1. 4.1.1466.115.121.1.8 ) olcAttributeTypes: {32}( 2.5.4.38 NAME 'authorityRevocationList' DESC 'RFC22 
@@ -143,7 +143,7 @@ olcAttributeTypes: {35}( 2.5.4.42 NAME ( 'givenName' 'gn' ) DESC 'RFC2256: f irst name(s) for which the entity is known by' SUP name ) olcAttributeTypes: {36}( 2.5.4.43 NAME 'initials' DESC 'RFC2256: initials of some or all of names, but not the surname(s).' SUP name ) -olcAttributeTypes: {37}( 2.5.4.44 NAME 'generationQualifier' DESC 'RFC2256: +olcAttributeTypes: {37}( 2.5.4.44 NAME 'generationQualifier' DESC 'RFC2256: name qualifier indicating a generation' SUP name ) olcAttributeTypes: {38}( 2.5.4.45 NAME 'x500UniqueIdentifier' DESC 'RFC2256: X.500 unique identifier' EQUALITY bitStringMatch SYNTAX 1.3.6.1.4.1.1466.1 
@@ -151,20 +151,20 @@ olcAttributeTypes: {38}( 2.5.4.45 NAME 'x500UniqueIdentifier' DESC 'RFC2256: olcAttributeTypes: {39}( 2.5.4.46 NAME 'dnQualifier' DESC 'RFC2256: DN quali fier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR case IgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 ) -olcAttributeTypes: {40}( 2.5.4.47 NAME 'enhancedSearchGuide' DESC 'RFC2256: +olcAttributeTypes: {40}( 2.5.4.47 NAME 'enhancedSearchGuide' DESC 'RFC2256: enhanced search guide' SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 ) -olcAttributeTypes: {41}( 2.5.4.48 NAME 'protocolInformation' DESC 'RFC2256: +olcAttributeTypes: {41}( 2.5.4.48 NAME 'protocolInformation' DESC 'RFC2256: protocol information' EQUALITY protocolInformationMatch SYNTAX 1.3.6.1.4.1. 1466.115.121.1.42 ) -olcAttributeTypes: {42}( 2.5.4.50 NAME 'uniqueMember' DESC 'RFC2256: unique +olcAttributeTypes: {42}( 2.5.4.50 NAME 'uniqueMember' DESC 'RFC2256: unique member of a group' EQUALITY uniqueMemberMatch SYNTAX 1.3.6.1.4.1.1466.115.1 21.1.34 ) olcAttributeTypes: {43}( 2.5.4.51 NAME 'houseIdentifier' DESC 'RFC2256: hous e identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYN TAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) -olcAttributeTypes: {44}( 2.5.4.52 NAME 'supportedAlgorithms' DESC 'RFC2256: +olcAttributeTypes: {44}( 2.5.4.52 NAME 'supportedAlgorithms' DESC 'RFC2256: supported algorithms' SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 ) -olcAttributeTypes: {45}( 2.5.4.53 NAME 'deltaRevocationList' DESC 'RFC2256: +olcAttributeTypes: {45}( 2.5.4.53 NAME 'deltaRevocationList' DESC 'RFC2256: delta revocation list; use ;binary' SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 ) olcAttributeTypes: {46}( 2.5.4.54 NAME 'dmdName' DESC 'RFC2256: name of DMD' SUP name ) 
@@ -172,20 +172,20 @@ olcAttributeTypes: {47}( 2.5.4.65 NAME 'pseudonym' DESC 'X.520(4th): pseudon ym for the object' SUP name ) olcAttributeTypes: {48}( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mail box' ) DESC 'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match SUBST - R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} + R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) olcAttributeTypes: {49}( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainCompo nent' ) DESC 'RFC1274/2247: domain component' EQUALITY caseIgnoreIA5Match S UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SIN GLE-VALUE ) -olcAttributeTypes: {50}( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' +olcAttributeTypes: {50}( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' DESC 'RFC1274: domain associated with object' EQUALITY caseIgnoreIA5Match S UBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -olcAttributeTypes: {51}( 1.2.840.113549.1.9.1 NAME ( 'email' 'emailAddress' - 'pkcs9email' ) DESC 'RFC3280: legacy attribute for email addresses in DNs' +olcAttributeTypes: {51}( 1.2.840.113549.1.9.1 NAME ( 'email' 'emailAddress' + 'pkcs9email' ) DESC 'RFC3280: legacy attribute for email addresses in DNs' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3. 6.1.4.1.1466.115.121.1.26{128} ) -olcObjectClasses: {0}( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP +olcObjectClasses: {0}( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description ) ) olcObjectClasses: {1}( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SU P top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ descriptio 
@@ -195,7 +195,7 @@ olcObjectClasses: {2}( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organiz $ businessCategory $ x121Address $ registeredAddress $ destinationIndicato r $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ tel ephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street - $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName + $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) olcObjectClasses: {3}( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an o rganizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchG @@ -215,9 +215,9 @@ olcObjectClasses: {5}( 2.5.6.7 NAME 'organizationalPerson' DESC 'RFC2256: an lAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) ) olcObjectClasses: {6}( 2.5.6.8 NAME 'organizationalRole' DESC 'RFC2256: an o rganizational role' SUP top STRUCTURAL MUST cn MAY ( x121Address $ register - edAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ + edAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ fac - simileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ + simileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOffic eName $ ou $ st $ l $ description ) ) olcObjectClasses: {7}( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of 
@@ -230,24 +230,24 @@ olcObjectClasses: {8}( 2.5.6.10 NAME 'residentialPerson' DESC 'RFC2256: an r onaliSDNNumber $ facsimileTelephoneNumber $ preferredDeliveryMethod $ stree t $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l ) ) -olcObjectClasses: {9}( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an +olcObjectClasses: {9}( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an application process' SUP top STRUCTURAL MUST cn MAY ( seeAlso $ ou $ l $ de scription ) ) -olcObjectClasses: {10}( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an +olcObjectClasses: {10}( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an application entity' SUP top STRUCTURAL MUST ( presentationAddress $ cn ) MA Y ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ description ) ) olcObjectClasses: {11}( 2.5.6.13 NAME 'dSA' DESC 'RFC2256: a directory syste m agent (a server)' SUP applicationEntity STRUCTURAL MAY knowledgeInformati on ) -olcObjectClasses: {12}( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP - top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ +olcObjectClasses: {12}( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP + top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) ) olcObjectClasses: {13}( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'RFC22 56: a strong authentication user' SUP top AUXILIARY MUST userCertificate ) olcObjectClasses: {14}( 2.5.6.16 NAME 'certificationAuthority' DESC 'RFC2256 : a certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList $ certificateRevocationList $ cACertificate ) MAY crossCertificatePair ) -olcObjectClasses: {15}( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a +olcObjectClasses: {15}( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uniqueMember $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ de scription ) ) 
@@ -263,7 +263,7 @@ olcObjectClasses: {19}( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdNam e ) MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Add ress $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationali - SDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode + SDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) ) olcObjectClasses: {20}( 2.5.6.21 NAME 'pkiUser' DESC 'RFC2587: a PKI user' S UP top AUXILIARY MAY userCertificate ) @@ -278,7 +278,7 @@ olcObjectClasses: {23}( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'R olcObjectClasses: {24}( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObjec t' DESC 'RFC1274: simple security object' SUP top AUXILIARY MUST userPasswo rd ) -olcObjectClasses: {25}( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: +olcObjectClasses: {25}( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: domain component object' SUP top AUXILIARY MUST dc ) olcObjectClasses: {26}( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid ob ject' SUP top AUXILIARY MUST uid ) @@ -328,7 +328,7 @@ olcAttributeTypes: {10}( 0.9.2342.19200300.100.1.13 NAME 'documentVersion' D olcAttributeTypes: {11}( 0.9.2342.19200300.100.1.14 NAME 'documentAuthor' DE SC 'RFC1274: DN of author of document' EQUALITY distinguishedNameMatch SYNT AX 1.3.6.1.4.1.1466.115.121.1.12 ) -olcAttributeTypes: {12}( 0.9.2342.19200300.100.1.15 NAME 'documentLocation' +olcAttributeTypes: {12}( 0.9.2342.19200300.100.1.15 NAME 'documentLocation' DESC 'RFC1274: location of document original' EQUALITY caseIgnoreMatch SUBS TR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) olcAttributeTypes: {13}( 0.9.2342.19200300.100.1.20 NAME ( 'homePhone' 'home 
@@ -340,7 +340,7 @@ olcAttributeTypes: {14}( 0.9.2342.19200300.100.1.21 NAME 'secretary' DESC 'R .1466.115.121.1.12 ) olcAttributeTypes: {15}( 0.9.2342.19200300.100.1.22 NAME 'otherMailbox' SYNT AX 1.3.6.1.4.1.1466.115.121.1.39 ) -olcAttributeTypes: {16}( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY +olcAttributeTypes: {16}( 0.9.2342.19200300.100.1.26 NAME 'aRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {17}( 0.9.2342.19200300.100.1.27 NAME 'mDRecord' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) @@ -370,9 +370,9 @@ olcAttributeTypes: {26}( 0.9.2342.19200300.100.1.42 NAME ( 'pager' 'pagerTel mberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115 .121.1.50 ) olcAttributeTypes: {27}( 0.9.2342.19200300.100.1.43 NAME ( 'co' 'friendlyCou - ntryName' ) DESC 'RFC1274: friendly country name' EQUALITY caseIgnoreMatch + ntryName' ) DESC 'RFC1274: friendly country name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) -olcAttributeTypes: {28}( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' +olcAttributeTypes: {28}( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' DESC 'RFC1274: unique identifer' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4. 1.1466.115.121.1.15{256} ) olcAttributeTypes: {29}( 0.9.2342.19200300.100.1.45 NAME 'organizationalStat @@ -401,7 +401,7 @@ olcAttributeTypes: {36}( 0.9.2342.19200300.100.1.52 NAME 'subtreeMaximumQual olcAttributeTypes: {37}( 0.9.2342.19200300.100.1.53 NAME 'personalSignature' DESC 'RFC1274: Personal Signature (G3 fax)' SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.23 ) -olcAttributeTypes: {38}( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect' DESC +olcAttributeTypes: {38}( 0.9.2342.19200300.100.1.54 NAME 'dITRedirect' DESC 'RFC1274: DIT Redirect' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1. 1466.115.121.1.12 ) olcAttributeTypes: {39}( 0.9.2342.19200300.100.1.55 NAME 'audio' DESC 'RFC12 
@@ -412,16 +412,16 @@ olcAttributeTypes: {40}( 0.9.2342.19200300.100.1.56 NAME 'documentPublisher' olcObjectClasses: {0}( 0.9.2342.19200300.100.4.4 NAME ( 'pilotPerson' 'newPi lotPerson' ) SUP person STRUCTURAL MAY ( userid $ textEncodedORAddress $ rf c822Mailbox $ favouriteDrink $ roomNumber $ userClass $ homeTelephoneNumber - $ homePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod - $ businessCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ + $ homePostalAddress $ secretary $ personalTitle $ preferredDeliveryMethod + $ businessCategory $ janetMailbox $ otherMailbox $ mobileTelephoneNumber $ pagerTelephoneNumber $ organizationalStatus $ mailPreferenceOption $ person alSignature ) ) olcObjectClasses: {1}( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRU CTURAL MUST userid MAY ( description $ seeAlso $ localityName $ organizatio nName $ organizationalUnitName $ host ) ) olcObjectClasses: {2}( 0.9.2342.19200300.100.4.6 NAME 'document' SUP top STR - UCTURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ - localityName $ organizationName $ organizationalUnitName $ documentTitle $ + UCTURAL MUST documentIdentifier MAY ( commonName $ description $ seeAlso $ + localityName $ organizationName $ organizationalUnitName $ documentTitle $ documentVersion $ documentAuthor $ documentLocation $ documentPublisher ) ) olcObjectClasses: {3}( 0.9.2342.19200300.100.4.7 NAME 'room' SUP top STRUCTU RAL MUST commonName MAY ( roomNumber $ description $ seeAlso $ telephoneNum 
@@ -452,7 +452,7 @@ olcObjectClasses: {8}( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' ciatedDomain ) olcObjectClasses: {9}( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' SUP country STRUCTURAL MUST friendlyCountryName ) -olcObjectClasses: {10}( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' +olcObjectClasses: {10}( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' SUP ( organization $ organizationalUnit ) STRUCTURAL MAY buildingName ) olcObjectClasses: {11}( 0.9.2342.19200300.100.4.21 NAME 'pilotDSA' SUP dsa S TRUCTURAL MAY dSAQuality ) @@ -470,13 +470,13 @@ modifyTimestamp: 20150225150906Z dn: cn={2}nis,cn=schema,cn=config objectClass: olcSchemaConfig cn: {2}nis -olcAttributeTypes: {0}( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field; +olcAttributeTypes: {0}( 1.3.6.1.1.1.1.2 NAME 'gecos' DESC 'The GECOS field; the common name' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5Substrings Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) olcAttributeTypes: {1}( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absol ute path to the home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4 .1.1466.115.121.1.26 SINGLE-VALUE ) -olcAttributeTypes: {2}( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'The path to +olcAttributeTypes: {2}( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'The path to the login shell' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121 .1.26 SINGLE-VALUE ) olcAttributeTypes: {3}( 1.3.6.1.1.1.1.5 NAME 'shadowLastChange' EQUALITY int 
@@ -496,14 +496,14 @@ olcAttributeTypes: {9}( 1.3.6.1.1.1.1.11 NAME 'shadowFlag' EQUALITY integerM olcAttributeTypes: {10}( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExac tIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.26 ) -olcAttributeTypes: {11}( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' EQUALITY +olcAttributeTypes: {11}( 1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.146 6.115.121.1.26 ) olcAttributeTypes: {12}( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple' DESC 'Net group triple' SYNTAX 1.3.6.1.1.1.0.0 ) olcAttributeTypes: {13}( 1.3.6.1.1.1.1.15 NAME 'ipServicePort' EQUALITY inte gerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -olcAttributeTypes: {14}( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' SUP name +olcAttributeTypes: {14}( 1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol' SUP name ) olcAttributeTypes: {15}( 1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber' EQUALITY i ntegerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) @@ -539,7 +539,7 @@ olcObjectClasses: {2}( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Abstraction o f a group of accounts' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( use rPassword $ memberUid $ description ) ) olcObjectClasses: {3}( 1.3.6.1.1.1.2.3 NAME 'ipService' DESC 'Abstraction an - Internet Protocol service' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ + Internet Protocol service' SUP top STRUCTURAL MUST ( cn $ ipServicePort $ ipServiceProtocol ) MAY description ) olcObjectClasses: {4}( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction o f an IP protocol' SUP top STRUCTURAL MUST ( cn $ ipProtocolNumber $ descrip 
@@ -547,24 +547,24 @@ olcObjectClasses: {4}( 1.3.6.1.1.1.2.4 NAME 'ipProtocol' DESC 'Abstraction o olcObjectClasses: {5}( 1.3.6.1.1.1.2.5 NAME 'oncRpc' DESC 'Abstraction of an ONC/RPC binding' SUP top STRUCTURAL MUST ( cn $ oncRpcNumber $ description ) MAY description ) -olcObjectClasses: {6}( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a - host, an IP device' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( l $ +olcObjectClasses: {6}( 1.3.6.1.1.1.2.6 NAME 'ipHost' DESC 'Abstraction of a + host, an IP device' SUP top AUXILIARY MUST ( cn $ ipHostNumber ) MAY ( l $ description $ manager ) ) olcObjectClasses: {7}( 1.3.6.1.1.1.2.7 NAME 'ipNetwork' DESC 'Abstraction of an IP network' SUP top STRUCTURAL MUST ( cn $ ipNetworkNumber ) MAY ( ipNe tmaskNumber $ l $ description $ manager ) ) -olcObjectClasses: {8}( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction +olcObjectClasses: {8}( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' DESC 'Abstraction of a netgroup' SUP top STRUCTURAL MUST cn MAY ( nisNetgroupTriple $ memberN isNetgroup $ description ) ) olcObjectClasses: {9}( 1.3.6.1.1.1.2.9 NAME 'nisMap' DESC 'A generic abstrac tion of a NIS map' SUP top STRUCTURAL MUST nisMapName MAY description ) -olcObjectClasses: {10}( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in +olcObjectClasses: {10}( 1.3.6.1.1.1.2.10 NAME 'nisObject' DESC 'An entry in a NIS map' SUP top STRUCTURAL MUST ( cn $ nisMapEntry $ nisMapName ) MAY de scription ) olcObjectClasses: {11}( 1.3.6.1.1.1.2.11 NAME 'ieee802Device' DESC 'A device with a MAC address' SUP top AUXILIARY MAY macAddress ) olcObjectClasses: {12}( 1.3.6.1.1.1.2.12 NAME 'bootableDevice' DESC 'A devic - e with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) + e with boot parameters' SUP top AUXILIARY MAY ( bootFile $ bootParameter ) ) structuralObjectClass: olcSchemaConfig entryUUID: fc8f6894-514b-1034-9c32-0faf5bc7ead5 
@@ -608,7 +608,7 @@ olcAttributeTypes: {8}( 2.16.840.1.113730.3.1.216 NAME 'userPKCS12' DESC 'RF C2798: personal identity information, a PKCS #12 PFX' SYNTAX 1.3.6.1.4.1.14 66.115.121.1.5 ) olcObjectClasses: {0}( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RF - C2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL + C2798: Internet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayNam e $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddre ss $ initials $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ page @@ -625,16 +625,16 @@ modifyTimestamp: 20150225150906Z dn: cn={4}samba,cn=schema,cn=config objectClass: olcSchemaConfig cn: {4}samba -olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC +olcAttributeTypes: {0}( 1.3.6.1.4.1.7165.2.1.24 NAME 'sambaLMPassword' DESC 'LanManager Password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.1 15.121.1.26{32} SINGLE-VALUE ) -olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC +olcAttributeTypes: {1}( 1.3.6.1.4.1.7165.2.1.25 NAME 'sambaNTPassword' DESC 'MD4 hash of the unicode password' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6 .1.4.1.1466.115.121.1.26{32} SINGLE-VALUE ) olcAttributeTypes: {2}( 1.3.6.1.4.1.7165.2.1.26 NAME 'sambaAcctFlags' DESC ' Account Flags' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121. 1.26{16} SINGLE-VALUE ) -olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC +olcAttributeTypes: {3}( 1.3.6.1.4.1.7165.2.1.27 NAME 'sambaPwdLastSet' DESC 'Timestamp of the last password update' EQUALITY integerMatch SYNTAX 1.3.6. 1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {4}( 1.3.6.1.4.1.7165.2.1.28 NAME 'sambaPwdCanChange' DES 
@@ -646,7 +646,7 @@ olcAttributeTypes: {5}( 1.3.6.1.4.1.7165.2.1.29 NAME 'sambaPwdMustChange' DE olcAttributeTypes: {6}( 1.3.6.1.4.1.7165.2.1.30 NAME 'sambaLogonTime' DESC ' Timestamp of last logon' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115. 121.1.27 SINGLE-VALUE ) -olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC +olcAttributeTypes: {7}( 1.3.6.1.4.1.7165.2.1.31 NAME 'sambaLogoffTime' DESC 'Timestamp of last logoff' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.11 5.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {8}( 1.3.6.1.4.1.7165.2.1.32 NAME 'sambaKickoffTime' DESC @@ -656,12 +656,12 @@ olcAttributeTypes: {9}( 1.3.6.1.4.1.7165.2.1.48 NAME 'sambaBadPasswordCount' DESC 'Bad password attempt count' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1 .1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {10}( 1.3.6.1.4.1.7165.2.1.49 NAME 'sambaBadPasswordTime' - DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX + DESC 'Time of the last bad password attempt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {11}( 1.3.6.1.4.1.7165.2.1.55 NAME 'sambaLogonHours' DESC 'Logon Hours' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121. 1.26{42} SINGLE-VALUE ) -olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC +olcAttributeTypes: {12}( 1.3.6.1.4.1.7165.2.1.33 NAME 'sambaHomeDrive' DESC 'Driver letter of home directory mapping' EQUALITY caseIgnoreIA5Match SYNTA X 1.3.6.1.4.1.1466.115.121.1.26{4} SINGLE-VALUE ) olcAttributeTypes: {13}( 1.3.6.1.4.1.7165.2.1.34 NAME 'sambaLogonScript' DES 
@@ -694,8 +694,8 @@ olcAttributeTypes: {21}( 1.3.6.1.4.1.7165.2.1.23 NAME 'sambaPrimaryGroupSID' olcAttributeTypes: {22}( 1.3.6.1.4.1.7165.2.1.51 NAME 'sambaSIDList' DESC 'S ecurity ID List' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12 1.1.26{64} ) -olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC - 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 +olcAttributeTypes: {23}( 1.3.6.1.4.1.7165.2.1.19 NAME 'sambaGroupType' DESC + 'NT Group Type' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {24}( 1.3.6.1.4.1.7165.2.1.21 NAME 'sambaNextUserRid' DES C 'Next NT rid to give our for users' EQUALITY integerMatch SYNTAX 1.3.6.1. @@ -707,10 +707,10 @@ olcAttributeTypes: {26}( 1.3.6.1.4.1.7165.2.1.39 NAME 'sambaNextRid' DESC 'N ext NT rid to give out for anything' EQUALITY integerMatch SYNTAX 1.3.6.1.4 .1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {27}( 1.3.6.1.4.1.7165.2.1.40 NAME 'sambaAlgorithmicRidBa - se' DESC 'Base at which the samba RID generation algorithm should operate' + se' DESC 'Base at which the samba RID generation algorithm should operate' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC - 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 +olcAttributeTypes: {28}( 1.3.6.1.4.1.7165.2.1.41 NAME 'sambaShareName' DESC + 'Share Name' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) olcAttributeTypes: {29}( 1.3.6.1.4.1.7165.2.1.42 NAME 'sambaOptionName' DESC 'Option Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SY 
@@ -739,10 +739,10 @@ olcAttributeTypes: {36}( 1.3.6.1.4.1.7165.2.1.59 NAME 'sambaPwdHistoryLength olcAttributeTypes: {37}( 1.3.6.1.4.1.7165.2.1.60 NAME 'sambaLogonToChgPwd' D ESC 'Force Users to logon for password change (default: 0 => off, 2 => on)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC - 'Maximum password age, in seconds (default: -1 => never expire passwords)' +olcAttributeTypes: {38}( 1.3.6.1.4.1.7165.2.1.61 NAME 'sambaMaxPwdAge' DESC + 'Maximum password age, in seconds (default: -1 => never expire passwords)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC +olcAttributeTypes: {39}( 1.3.6.1.4.1.7165.2.1.62 NAME 'sambaMinPwdAge' DESC 'Minimum password age, in seconds (default: 0 => allow immediate password c hange)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-V ALUE ) 
@@ -759,25 +759,25 @@ olcAttributeTypes: {43}( 1.3.6.1.4.1.7165.2.1.66 NAME 'sambaForceLogoff' DES C 'Disconnect Users outside logon hours (default: -1 => off, 0 => on)' EQUA LITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {44}( 1.3.6.1.4.1.7165.2.1.67 NAME 'sambaRefuseMachinePwd - Change' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY + Change' DESC 'Allow Machine Password changes (default: 0 => off)' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {45}( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaClearTextPasswor - d' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY + d' DESC 'Clear text password (used for trusted domain passwords)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) olcAttributeTypes: {46}( 1.3.6.1.4.1.7165.2.1.69 NAME 'sambaPreviousClearTex tPassword' DESC 'Previous clear text password (used for trusted domain pass words)' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) -olcAttributeTypes: {47}( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC - 'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 +olcAttributeTypes: {47}( 1.3.6.1.4.1.7165.2.1.70 NAME 'sambaTrustType' DESC + 'Type of trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {48}( 1.3.6.1.4.1.7165.2.1.71 NAME 'sambaTrustAttributes' - DESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX + DESC 'Trust attributes for a trusted domain' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) -olcAttributeTypes: {49}( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' +olcAttributeTypes: {49}( 1.3.6.1.4.1.7165.2.1.72 NAME 'sambaTrustDirection' DESC 'Direction of a trust' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.1 15.121.1.27 SINGLE-VALUE ) olcAttributeTypes: {50}( 1.3.6.1.4.1.7165.2.1.73 NAME 'sambaTrustPartner' DE - SC 'Fully 
qualified name of the domain with which a trust exists' EQUALITY + SC 'Fully qualified name of the domain with which a trust exists' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} ) olcAttributeTypes: {51}( 1.3.6.1.4.1.7165.2.1.74 NAME 'sambaFlatName' DESC ' NetBIOS name of a domain' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466. @@ -793,7 +793,7 @@ olcAttributeTypes: {54}( 1.3.6.1.4.1.7165.2.1.77 NAME 'sambaSecurityIdentifi xactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALU E ) olcAttributeTypes: {55}( 1.3.6.1.4.1.7165.2.1.78 NAME 'sambaTrustForestTrust - Info' DESC 'Forest trust information for a trusted domain object' EQUALITY + Info' DESC 'Forest trust information for a trusted domain object' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{1050} ) olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'S amba 3.0 Auxilary SAM Account' SUP top AUXILIARY MUST ( uid $ sambaSID ) MA @@ -803,7 +803,7 @@ olcObjectClasses: {0}( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'S baLogonScript $ sambaProfilePath $ description $ sambaUserWorkstations $ sa mbaPrimaryGroupSID $ sambaDomainName $ sambaMungedDial $ sambaBadPasswordCo unt $ sambaBadPasswordTime $ sambaPasswordHistory $ sambaLogonHours ) ) -olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC +olcObjectClasses: {1}( 1.3.6.1.4.1.7165.2.2.4 NAME 'sambaGroupMapping' DESC 'Samba Group Mapping' SUP top AUXILIARY MUST ( gidNumber $ sambaSID $ samba GroupType ) MAY ( displayName $ description $ sambaSIDList ) ) olcObjectClasses: {2}( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' DES 
@@ -816,7 +816,7 @@ olcObjectClasses: {3}( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassw olcObjectClasses: {4}( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' DESC 'Samba Domain Information' SUP top STRUCTURAL MUST ( sambaDomainName $ sambaSID ) MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $ sambaAlgorithm - icRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd + icRidBase $ sambaMinPwdLength $ sambaPwdHistoryLength $ sambaLogonToChgPwd $ sambaMaxPwdAge $ sambaMinPwdAge $ sambaLockoutDuration $ sambaLockoutObse rvationWindow $ sambaLockoutThreshold $ sambaForceLogoff $ sambaRefuseMachi nePwdChange ) ) @@ -833,7 +833,7 @@ olcObjectClasses: {8}( 1.3.6.1.4.1.7165.2.2.10 NAME 'sambaConfig' DESC 'Samb olcObjectClasses: {9}( 1.3.6.1.4.1.7165.2.2.11 NAME 'sambaShare' DESC 'Samba Share Section' SUP top STRUCTURAL MUST sambaShareName MAY description ) olcObjectClasses: {10}( 1.3.6.1.4.1.7165.2.2.12 NAME 'sambaConfigOption' DES - C 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY + C 'Samba Configuration Option' SUP top STRUCTURAL MUST sambaOptionName MAY ( sambaBoolOption $ sambaIntegerOption $ sambaStringOption $ sambaStringLis toption $ description ) ) olcObjectClasses: {11}( 1.3.6.1.4.1.7165.2.2.16 NAME 'sambaTrustedDomain' DE 
@@ -871,12 +871,12 @@ olcAttributeTypes: {5}( 1.3.6.1.4.1.3317.4.3.1.5 NAME 'radiusCallbackNumber' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S INGLE-VALUE ) olcAttributeTypes: {6}( 1.3.6.1.4.1.3317.4.3.1.6 NAME 'radiusCalledStationId - ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {7}( 1.3.6.1.4.1.3317.4.3.1.7 NAME 'radiusCallingStationI d' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -olcAttributeTypes: {8}( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC '' +olcAttributeTypes: {8}( 1.3.6.1.4.1.3317.4.3.1.8 NAME 'radiusClass' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {9}( 1.3.6.1.4.1.3317.4.3.1.45 NAME 'radiusClientIPAddres s' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 @@ -911,10 +911,10 @@ olcAttributeTypes: {18}( 1.3.6.1.4.1.3317.4.3.1.17 NAME 'radiusFramedMTU' DE olcAttributeTypes: {19}( 1.3.6.1.4.1.3317.4.3.1.18 NAME 'radiusFramedProtoco l' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) -olcAttributeTypes: {20}( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' +olcAttributeTypes: {20}( 1.3.6.1.4.1.3317.4.3.1.19 NAME 'radiusFramedRoute' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {21}( 1.3.6.1.4.1.3317.4.3.1.20 NAME 'radiusFramedRouting - ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) olcAttributeTypes: {22}( 1.3.6.1.4.1.3317.4.3.1.46 NAME 'radiusGroupName' DE SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) 
@@ -922,16 +922,16 @@ olcAttributeTypes: {23}( 1.3.6.1.4.1.3317.4.3.1.47 NAME 'radiusHint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA LUE ) olcAttributeTypes: {24}( 1.3.6.1.4.1.3317.4.3.1.48 NAME 'radiusHuntgroupName - ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -olcAttributeTypes: {25}( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' +olcAttributeTypes: {25}( 1.3.6.1.4.1.3317.4.3.1.21 NAME 'radiusIdleTimeout' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SI NGLE-VALUE ) -olcAttributeTypes: {26}( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' +olcAttributeTypes: {26}( 1.3.6.1.4.1.3317.4.3.1.22 NAME 'radiusLoginIPHost' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SI NGLE-VALUE ) olcAttributeTypes: {27}( 1.3.6.1.4.1.3317.4.3.1.23 NAME 'radiusLoginLATGroup - ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) olcAttributeTypes: {28}( 1.3.6.1.4.1.3317.4.3.1.24 NAME 'radiusLoginLATNode' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S 
@@ -949,15 +949,15 @@ olcAttributeTypes: {32}( 1.3.6.1.4.1.3317.4.3.1.28 NAME 'radiusLoginTCPPort' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 S INGLE-VALUE ) olcAttributeTypes: {33}( 1.3.6.1.4.1.3317.4.3.1.29 NAME 'radiusPasswordRetry - ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 + ' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) olcAttributeTypes: {34}( 1.3.6.1.4.1.3317.4.3.1.30 NAME 'radiusPortLimit' DE SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SING LE-VALUE ) olcAttributeTypes: {35}( 1.3.6.1.4.1.3317.4.3.1.49 NAME 'radiusProfileDn' DE - SC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 + SC '' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) -olcAttributeTypes: {36}( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC +olcAttributeTypes: {36}( 1.3.6.1.4.1.3317.4.3.1.31 NAME 'radiusPrompt' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE- VALUE ) olcAttributeTypes: {37}( 1.3.6.1.4.1.3317.4.3.1.50 NAME 'radiusProxyToRealm' @@ -969,7 +969,7 @@ olcAttributeTypes: {38}( 1.3.6.1.4.1.3317.4.3.1.51 NAME 'radiusReplicateToRe olcAttributeTypes: {39}( 1.3.6.1.4.1.3317.4.3.1.52 NAME 'radiusRealm' DESC ' ' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-V ALUE ) -olcAttributeTypes: {40}( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType' +olcAttributeTypes: {40}( 1.3.6.1.4.1.3317.4.3.1.32 NAME 'radiusServiceType' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SI NGLE-VALUE ) olcAttributeTypes: {41}( 1.3.6.1.4.1.3317.4.3.1.33 NAME 'radiusSessionTimeou 
@@ -998,7 +998,7 @@ olcAttributeTypes: {48}( 1.3.6.1.4.1.3317.4.3.1.40 NAME 'radiusTunnelServerE 1.1.26 ) olcAttributeTypes: {49}( 1.3.6.1.4.1.3317.4.3.1.41 NAME 'radiusTunnelType' D ESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) -olcAttributeTypes: {50}( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC '' +olcAttributeTypes: {50}( 1.3.6.1.4.1.3317.4.3.1.42 NAME 'radiusVSA' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcAttributeTypes: {51}( 1.3.6.1.4.1.3317.4.3.1.43 NAME 'radiusTunnelClientE ndpoint' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.12 @@ -1013,7 +1013,7 @@ olcAttributeTypes: {54}( 1.3.6.1.4.1.3317.4.3.1.55 NAME 'radiusUserCategory' INGLE-VALUE ) olcAttributeTypes: {55}( 1.3.6.1.4.1.3317.4.3.1.56 NAME 'radiusStripUserName ' DESC '' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) -olcAttributeTypes: {56}( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC +olcAttributeTypes: {56}( 1.3.6.1.4.1.3317.4.3.1.57 NAME 'dialupAccess' DESC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE- VALUE ) olcAttributeTypes: {57}( 1.3.6.1.4.1.3317.4.3.1.58 NAME 'radiusExpiration' D @@ -1024,7 +1024,7 @@ olcAttributeTypes: {58}( 1.3.6.1.4.1.3317.4.3.1.59 NAME 'radiusCheckItem' DE olcAttributeTypes: {59}( 1.3.6.1.4.1.3317.4.3.1.60 NAME 'radiusReplyItem' DE SC '' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) olcObjectClasses: {0}( 1.3.6.1.4.1.3317.4.3.2.1 NAME 'radiusprofile' DESC '' - SUP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ + SUP top AUXILIARY MUST cn MAY ( radiusArapFeatures $ radiusArapSecurity $ radiusArapZoneAccess $ radiusAuthType $ radiusCallbackId $ radiusCallbackNu mber $ radiusCalledStationId $ radiusCallingStationId $ radiusClass $ radiu sClientIPAddress $ radiusFilterId $ radiusFramedAppleTalkLink $ radiusFrame 
@@ -1183,3 +1183,4 @@ createTimestamp: 20150305013830Z entryCSN: 20160607103125.521039Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20160607103125Z + From e769d8d5ccec8e3fa0b56cd9db23ac635434104b Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 4 Mar 2019 09:23:50 +0100 Subject: [PATCH 02/11] Merge prod and testing inventories --- hosts | 17 ++++++++++++----- hosts_testing | 27 --------------------------- 2 files changed, 12 insertions(+), 32 deletions(-) delete mode 100644 hosts_testing diff --git a/hosts b/hosts index fadd3bf..34cdde3 100644 --- a/hosts +++ b/hosts @@ -14,7 +14,7 @@ synapse.adm.auro.re codimd.adm.auro.re services-bdd.adm.auro.re phabricator.adm.auro.re -horus-wiki ansible_host=10.128.0.51 +wiki.adm.auro.re www.adm.auro.re pad.adm.auro.re proxy.adm.auro.re @@ -25,13 +25,16 @@ re2o-ldap.adm.auro.re re2o-db.adm.auro.re serge.adm.auro.re +[ovh-testing-vm] +re2o-test.adm.auro.re + [fleming-pve] -freya.adm.auro.re -odin.adm.auro.re +#freya.adm.auro.re +#odin.adm.auro.re [fleming-vm-ldap-replica] -ldap-replica-fleming1.adm.auro.re -ldap-replica-fleming2.adm.auro.re +#ldap-replica-fleming1.adm.auro.re +#ldap-replica-fleming2.adm.auro.re # everything at ovh [ovh:children] @@ -39,6 +42,10 @@ ovh-pve ovh-container ovh-vm +# everything at ovh-testing +[ovh-testing:children] +ovh-testing-vm + # everything at fleming [fleming:children] fleming-pve diff --git a/hosts_testing b/hosts_testing deleted file mode 100644 index 1e84600..0000000 --- a/hosts_testing +++ /dev/null @@ -1,27 +0,0 @@ -# Aurore servers inventory - -[ovh-testing-pve] - -[ovh-testing-container] - -[ovh-testing-vm] -re2o-test.adm.auro.re - -# everything at ovh-testing -[ovh-testing:children] -ovh-testing-pve -ovh-testing-container -ovh-testing-vm - -# every LXC container -[container:children] -ovh-testing-container - -# every virtual machine -[vm:children] -ovh-testing-vm - -# every PVE -[pve:children] -ovh-testing-pve - 
From dbf1edb47f7e8118e54dea5e53b4b7de73e1ae05 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 4 Mar 2019 09:26:14 +0100 Subject: [PATCH 03/11] Use adm DNS for reverse proxy --- nginx-reverse-proxy.yml | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/nginx-reverse-proxy.yml b/nginx-reverse-proxy.yml index ecbbded..426e66b 100644 --- a/nginx-reverse-proxy.yml +++ b/nginx-reverse-proxy.yml @@ -5,28 +5,25 @@ reversed_proxy_subdomains: - name: re2o from: re2o.auro.re - to: 10.128.0.10 + to: re2o-server.adm.auro.re - name: intranet from: intranet.auro.re - to: 10.128.0.10 + to: re2o-server.adm.auro.re - name: pad from: pad.auro.re - to: 10.128.0.54:9001 + to: pad.adm.auro.re:9001 - name: phabricator from: phabricator.auro.re - to: 10.128.0.50 + to: phabricator.adm.auro.re - name: wiki from: wiki.auro.re - to: 10.128.0.51 + to: wiki.adm.auro.re - name: www from: www.auro.re - to: 10.128.0.52 - - name: main - from: auro.re - to: 10.128.0.52 + to: www.adm.auro.re - name: re2o-test from: re2o-test.auro.re - to: 10.128.0.100 + to: re2o-test.adm.auro.re - name: riot from: riot.auro.re to: riot.adm.auro.re From bae6f4041d92c9591c036d7aedf117e691e18147 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 4 Mar 2019 09:34:47 +0100 Subject: [PATCH 04/11] Add synapse conf to reverse proxy --- roles/nginx-reverse-proxy/tasks/main.yml | 16 +++++ .../templates/nginx-sites-available-main.j2 | 69 +++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2 diff --git a/roles/nginx-reverse-proxy/tasks/main.yml b/roles/nginx-reverse-proxy/tasks/main.yml index d7a93ee..339ce0b 100644 --- a/roles/nginx-reverse-proxy/tasks/main.yml +++ b/roles/nginx-reverse-proxy/tasks/main.yml 
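Review bot: The `to:` targets are now bare hostnames with no scheme, so every proxied service depends on the `adm.auro.re` resolver and the hop behind the TLS terminator stays plain HTTP; whoever can answer DNS for that zone can redirect traffic that users reach over HTTPS, which is worth stating in a comment above the list, e.g. `# Backends are resolved through adm DNS at nginx (re)load; the adm hop is plain HTTP`. As far as the generated config uses a static `proxy_pass`, nginx resolves these names once at configuration load, so a backend address change needs an nginx reload and not only a DNS update. The `main` entry for the apex `auro.re` is dropped here and only reintroduced by the following commit's dedicated site, so the two commits should be deployed together to avoid a window where the apex is unproxied.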
@@ -29,3 +29,19 @@ state: link loop: "{{ reversed_proxy_subdomains }}" notify: Reload NGINX service + +# Install main site +- name: Configure NGINX main site + template: + src: nginx-sites-available-main.j2 + dest: /etc/nginx/sites-available/main + mode: 0644 + notify: Reload NGINX service + +# Activate main site +- name: Activate main site + file: + src: /etc/nginx/sites-available/main + dest: /etc/nginx/sites-enabled/main + state: link + notify: Reload NGINX service diff --git a/roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2 b/roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2 new file mode 100644 index 0000000..43f678f --- /dev/null +++ b/roles/nginx-reverse-proxy/templates/nginx-sites-available-main.j2 
@@ -0,0 +1,69 @@ +# {{ ansible_managed }} + +server { + server_name auro.re; + include "snippets/proxy-common.conf"; + + location / { + return 302 https://$host$request_uri; + } +} + +server { + include "snippets/proxy-common-ssl.conf"; + server_name auro.re; + + # Separate log files + access_log /var/log/nginx/main.access.log; + error_log /var/log/nginx/main.error.log; + + # Use LetsEncrypt SSL + ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem; + + location / { + proxy_redirect off; + proxy_pass http://www.adm.auro.re; + proxy_set_header Host auro.re; + proxy_set_header P-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + + # "A man is not dead while his name is still spoken." -- Going Postal + add_header X-Clacks-Overhead "GNU Terry Pratchett"; + } + + # For Matrix identity server + location /_matrix/identity { + proxy_pass http://synapse.adm.auro.re:8090/_matrix/identity; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $remote_addr; + } + + # For Matrix Synapse + location /_matrix { + proxy_pass http://synapse.adm.auro.re:8008; + proxy_set_header X-Forwarded-For $remote_addr; + } +} + +server { + listen 8448 ssl default_server; + listen [::]:8448 ssl default_server; + server_name auro.re; + + # Separate log files + access_log /var/log/nginx/main.access.log; + error_log /var/log/nginx/main.error.log; + + # Use LetsEncrypt SSL + ssl_certificate /etc/letsencrypt/live/auro.re/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/auro.re/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/auro.re/chain.pem; + + # For Matrix Synapse federation + location / { + proxy_pass http://synapse.adm.auro.re:8008; + proxy_set_header X-Forwarded-For $remote_addr; + } +} From 68d246bb242e531fa528163efef237510d40be6a Mon Sep 17 00:00:00 2001 
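Review bot: `proxy_set_header P-Real-IP $remote_addr;` in the `/` location looks like a typo for `X-Real-IP`; as written the upstream never receives the conventional header and anything that keys on it sees only the proxy's address, so change it to `proxy_set_header X-Real-IP $remote_addr;`. Setting `X-Forwarded-For` to `$remote_addr` rather than `$proxy_add_x_forwarded_for` is the right choice for the `/_matrix` locations, since it stops clients from prepending spoofed addresses that Synapse would presumably honour when its `x_forwarded` option is on. The federation server on 8448 does not `include "snippets/proxy-common-ssl.conf"` the way the 443 server does, so unless that snippet only carries `listen` directives it falls back to nginx's default `ssl_protocols`/`ssl_ciphers`; I cannot see the snippet, but the two TLS listeners should share the same settings, or a comment should say why they differ.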
From: Alexandre Iooss Date: Mon, 4 Mar 2019 15:08:05 +0100 Subject: [PATCH 05/11] Update to CodiMD 1.3.0 --- roles/codimd/handlers/main.yml | 2 +- roles/codimd/tasks/0_apt_dependencies.yml | 7 ++++++- roles/codimd/tasks/main.yml | 25 ++++++++--------------- 3 files changed, 15 insertions(+), 19 deletions(-) diff --git a/roles/codimd/handlers/main.yml b/roles/codimd/handlers/main.yml index 4dccff2..3481773 100644 --- a/roles/codimd/handlers/main.yml +++ b/roles/codimd/handlers/main.yml @@ -1,7 +1,7 @@ --- # Build front-end bundle - name: Build front-end for CodiMD - command: npm run build + command: yarn run build args: chdir: /var/local/codimd/codimd become: true diff --git a/roles/codimd/tasks/0_apt_dependencies.yml b/roles/codimd/tasks/0_apt_dependencies.yml index 158c59e..d9bc109 100644 --- a/roles/codimd/tasks/0_apt_dependencies.yml +++ b/roles/codimd/tasks/0_apt_dependencies.yml @@ -9,6 +9,11 @@ dest: /etc/apt/preferences.d/nodejs mode: 0644 +# TODO +# apt-transport-https +# curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add - +# echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list + # Install CodiMD dependencies - name: Install required packages apt: @@ -20,4 +25,4 @@ - nodejs - npm - build-essential - - zlib1g-dev # uws module + - yarn diff --git a/roles/codimd/tasks/main.yml b/roles/codimd/tasks/main.yml index 051248d..cbfd9a2 100644 --- a/roles/codimd/tasks/main.yml +++ b/roles/codimd/tasks/main.yml 
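Review bot: `yarn` is added to the apt package list while the repository that provides it is still only a TODO comment, so on a stock stretch host this task should fail (as far as I know Debian stretch ships no `yarn` package, and the `yarn` binary from `cmdtest` is an unrelated tool) — hedged, since the rest of the apt sources are outside this diff. When the TODO is implemented, avoid `curl … | apt-key add -`, which trusts that key for every repository on the host: fetch the key with a `get_url` task carrying a `checksum:` into `/usr/share/keyrings/yarn-archive-keyring.gpg` and reference it from the source line as `deb [signed-by=/usr/share/keyrings/yarn-archive-keyring.gpg] https://dl.yarnpkg.com/debian/ stable main`. The comment should also say that `apt-transport-https` must be installed before that source can be used on stretch.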
@@ -6,15 +6,14 @@ - include_tasks: 1_user_group.yml # Download CodiMD -# TODO : temporally disabled until 1.3.0 is out (because of uws bug) -# - name: Clone CodiMD project -# git: -# repo: https://github.com/hackmdio/codimd.git -# dest: /var/local/codimd/codimd -# version: 1.2.1 -# become: true -# become_user: codimd -# notify: Build front-end for CodiMD +- name: Clone CodiMD project + git: + repo: https://github.com/hackmdio/codimd.git + dest: /var/local/codimd/codimd + version: 1.3.0 + become: true + become_user: codimd + notify: Build front-end for CodiMD # Setup dependencies and configs - name: Install CodiMD depedencies @@ -33,14 +32,6 @@ group: codimd mode: 0600 -# Update database -- name: Migrate the db to the latest schema - command: node_modules/.bin/sequelize db:migrate - args: - chdir: /var/local/codimd/codimd - become: true - become_user: codimd - # Configure - name: Configure CodiMD template: From c7f584cae9bd5fdb67b73ce5b7ec23969d377297 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 4 Mar 2019 16:04:36 +0100 Subject: [PATCH 06/11] Fix CodiMD build --- roles/codimd/handlers/main.yml | 3 ++- roles/codimd/tasks/main.yml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/codimd/handlers/main.yml b/roles/codimd/handlers/main.yml index 3481773..3056062 100644 --- a/roles/codimd/handlers/main.yml +++ b/roles/codimd/handlers/main.yml @@ -1,7 +1,8 @@ --- # Build front-end bundle +# This can take very long and requires > 2GB of RAM - name: Build front-end for CodiMD - command: yarn run build + command: NODE_ENV="production" yarn run build args: chdir: /var/local/codimd/codimd become: true diff --git a/roles/codimd/tasks/main.yml b/roles/codimd/tasks/main.yml index cbfd9a2..4e80f3c 100644 --- a/roles/codimd/tasks/main.yml +++ b/roles/codimd/tasks/main.yml 
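Review bot: `version: 1.3.0` pins the clone to a git tag, and tags are movable — anyone with push rights upstream (or a compromised account) can re-point the tag and the next playbook run builds different code without any change here, so pin the commit hash the tag resolves to, e.g. `version: <sha of tag 1.3.0>  # tag 1.3.0`, and bump it deliberately. The checkout runs as the `codimd` user, which is good, but the build handler it notifies executes the checkout's `package.json` scripts, so the hash pin is what actually bounds what runs. The second hunk drops the explicit `sequelize db:migrate` task; if `bin/setup` now performs the migration, say so in a comment, otherwise the upgrade to 1.3.0 leaves the schema behind.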
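Review bot: `command: NODE_ENV="production" yarn run build` will not do what it says: the `command` module does not go through a shell, so the leading `NODE_ENV="production"` word is taken as the program to execute and the handler fails with a not-found error instead of setting the variable. Keep `command: yarn run build` and add `environment: { NODE_ENV: production }` to the handler (switching to the `shell` module would also work but is the weaker option). The same construct is introduced for `bin/setup` in the next hunk of this commit and needs the same fix.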
@@ -17,7 +17,7 @@ # Setup dependencies and configs - name: Install CodiMD depedencies - command: bin/setup + command: NODE_ENV="production" bin/setup args: chdir: /var/local/codimd/codimd become: true From 7302c83f60829032d3fda14a9527ad2229d83bd6 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sat, 9 Mar 2019 10:18:10 +0100 Subject: [PATCH 07/11] Add new container --- hosts | 1 + 1 file changed, 1 insertion(+) diff --git a/hosts b/hosts index 34cdde3..8563253 100644 --- a/hosts +++ b/hosts @@ -18,6 +18,7 @@ wiki.adm.auro.re www.adm.auro.re pad.adm.auro.re proxy.adm.auro.re +matrix-services.adm.auro.re [ovh-vm] re2o-server.adm.auro.re From d6627f5cce323a59fe9f8c36909b2f4ea2301dd3 Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Sun, 10 Mar 2019 11:10:59 +0100 Subject: [PATCH 08/11] Add matrix-appservice-discord --- matrix.yml | 6 ++ .../handlers/main.yml | 4 + .../tasks/0_apt_dependencies.yml | 20 +++++ .../tasks/1_user_group.yml | 26 ++++++ .../matrix-appservice-discord/tasks/main.yml | 57 +++++++++++++ .../templates/apt/nodejs.j2 | 5 ++ .../templates/config.yaml.j2 | 85 +++++++++++++++++++ .../matrix-appservice-discord.service.j2 | 18 ++++ 8 files changed, 221 insertions(+) create mode 100644 roles/matrix-appservice-discord/handlers/main.yml create mode 100644 roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml create mode 100644 roles/matrix-appservice-discord/tasks/1_user_group.yml create mode 100644 roles/matrix-appservice-discord/tasks/main.yml create mode 100644 roles/matrix-appservice-discord/templates/apt/nodejs.j2 create mode 100644 roles/matrix-appservice-discord/templates/config.yaml.j2 create mode 100644 roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 diff --git a/matrix.yml b/matrix.yml index 1975e50..4767ca5 100644 --- a/matrix.yml +++ b/matrix.yml 
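Review bot: `command: NODE_ENV="production" bin/setup` has the same problem as the build handler: `command` does not invoke a shell, so `NODE_ENV="production"` is treated as the executable and the task fails; use `command: bin/setup` with `environment: { NODE_ENV: production }`. Once the variable is actually applied, a production-mode install presumably skips devDependencies, so confirm that the build tooling the handler needs is still installed before relying on this. The task also reports changed on every run; a `creates:` argument pointing at an artefact `bin/setup` produces would make it idempotent.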
@@ -13,3 +13,9 @@ - hosts: riot.adm.auro.re roles: - matrix-riot + +# Install Matrix services +- hosts: matrix-services.adm.auro.re + roles: + - debian-backports + - matrix-appservice-discord diff --git a/roles/matrix-appservice-discord/handlers/main.yml b/roles/matrix-appservice-discord/handlers/main.yml new file mode 100644 index 0000000..ac3842d --- /dev/null +++ b/roles/matrix-appservice-discord/handlers/main.yml @@ -0,0 +1,4 @@ +--- +# Reload systemd daemons when a service file changes +- name: Reload systemd daemons + command: systemctl daemon-reload diff --git a/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml b/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml new file mode 100644 index 0000000..40fbbce --- /dev/null +++ b/roles/matrix-appservice-discord/tasks/0_apt_dependencies.yml @@ -0,0 +1,20 @@ +--- +- name: Configure NodeJS pin + when: + - ansible_distribution == 'Debian' + - ansible_distribution_release == 'stretch' + template: + src: apt/nodejs.j2 + dest: /etc/apt/preferences.d/nodejs + mode: 0644 + +- name: Install required packages + apt: + name: "{{ item }}" + state: present + update_cache: true + with_items: + - git + - nodejs + - npm + - build-essential diff --git a/roles/matrix-appservice-discord/tasks/1_user_group.yml b/roles/matrix-appservice-discord/tasks/1_user_group.yml new file mode 100644 index 0000000..2fe23be --- /dev/null +++ b/roles/matrix-appservice-discord/tasks/1_user_group.yml 
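Review bot: `apt` driven by `with_items` with `name: "{{ item }}"` installs one package per transaction and repeats `update_cache` for each; pass the list directly, `name: [git, nodejs, npm, build-essential]`, and drop the loop, which is both the idiomatic form and a single transaction. The handler added in this commit runs `command: systemctl daemon-reload`, where the `systemd` module's `daemon_reload: true` is the idempotent equivalent. The NodeJS pin is only applied on stretch, so a host on another release gets whatever `nodejs` its distro ships; a comment stating the minimum Node version the bridge needs would make that assumption visible.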
@@ -0,0 +1,26 @@ +--- +# Security #1 +- name: Create matrix-appservice-discord system group + group: + name: matrix-appservice-discord + system: yes + state: present + +# Security #2 +- name: Create matrix-appservice-discord user + user: + name: matrix-appservice-discord + group: matrix-appservice-discord + home: /var/local/matrix-appservice-discord + comment: Matrix Appservice Discord + system: yes + state: present + +# Security #3 +- name: Secure matrix-appservice-discord home directory + file: + path: /var/local/matrix-appservice-discord + state: directory + owner: matrix-appservice-discord + group: matrix-appservice-discord + mode: 0750 diff --git a/roles/matrix-appservice-discord/tasks/main.yml b/roles/matrix-appservice-discord/tasks/main.yml new file mode 100644 index 0000000..a625a00 --- /dev/null +++ b/roles/matrix-appservice-discord/tasks/main.yml 
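Review bot: The service account is created without an explicit shell, so it gets the `useradd` default (`/bin/sh` on Debian, as far as I know) although nothing here needs an interactive login; add `shell: /usr/sbin/nologin` to the user task so a leaked credential or a `su` cannot yield a shell. The `user` task creates the home directory with the default mode before the third task tightens it to 0750, so the order matters; a `# home is created 0755 by useradd, tightened below` comment on the middle task would explain it. The `# Security #1/#2/#3` comments say nothing about what is being secured — replace each with a one-liner, e.g. `# Dedicated unprivileged account so the bridge cannot read other services' data`.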
@@ -0,0 +1,57 @@ +--- +# Install APT dependencies +- include_tasks: 0_apt_dependencies.yml + +# Create CodiMD user and group +- include_tasks: 1_user_group.yml + +# Download CodiMD +- name: Clone matrix-appservice-discord project + git: + repo: https://github.com/Half-Shot/matrix-appservice-discord.git + dest: /var/local/matrix-appservice-discord/matrix-appservice-discord + version: v0.4.0 + become: true + become_user: matrix-appservice-discord + +# Setup dependencies +- name: Install matrix-appservice-discord depedencies + command: npm ci + args: + chdir: /var/local/matrix-appservice-discord/matrix-appservice-discord + become: true + become_user: matrix-appservice-discord + +# Typescript into javascript +- name: Compile matrix-appservice-discord + command: npm run build + args: + chdir: /var/local/matrix-appservice-discord/matrix-appservice-discord + become: true + become_user: matrix-appservice-discord + +# Configure +- name: Configure matrix-appservice-discord + template: + src: config.yaml.j2 + dest: /var/local/matrix-appservice-discord/matrix-appservice-discord/config.yaml + owner: matrix-appservice-discord + group: matrix-appservice-discord + mode: 0600 + +# Service file +- name: Install matrix-appservice-discord systemd unit + template: + src: 'systemd/matrix-appservice-discord.service.j2' + dest: '/etc/systemd/system/matrix-appservice-discord.service' + owner: root + group: root + mode: 0644 + notify: Reload systemd daemons + +# Run +#- name: Ensure that matrix-appservice-discord is started +# service: +# name: matrix-appservice-discord +# state: started +# enabled: true diff --git a/roles/matrix-appservice-discord/templates/apt/nodejs.j2 b/roles/matrix-appservice-discord/templates/apt/nodejs.j2 new file mode 100644 index 0000000..65e5110 --- /dev/null +++ b/roles/matrix-appservice-discord/templates/apt/nodejs.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +Package: node* libuv1* +Pin: release a=stretch-backports +Pin-Priority: 600 
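Review bot: The comments `# Create CodiMD user and group` and `# Download CodiMD` are copy-paste leftovers in a role that installs matrix-appservice-discord; rename them to `# Create matrix-appservice-discord user and group` and `# Clone matrix-appservice-discord` so the next reader does not go looking for a CodiMD dependency. `version: v0.4.0` is a movable tag, and `npm ci` then runs that checkout's install scripts as the service user, so pinning the commit hash is what bounds the code that executes. The `npm ci` and `npm run build` tasks report changed on every run; a `creates:` guard on the build output would make the role idempotent.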
diff --git a/roles/matrix-appservice-discord/templates/config.yaml.j2 b/roles/matrix-appservice-discord/templates/config.yaml.j2 new file mode 100644 index 0000000..64e17dd --- /dev/null +++ b/roles/matrix-appservice-discord/templates/config.yaml.j2 
@@ -0,0 +1,85 @@ +# {{ ansible_managed }} + +bridge: + # Domain part of the bridge, e.g. matrix.org + domain: "auro.re" + # This should be your publically facing URL because Discord may use it to + # fetch media from the media store. + homeserverUrl: "https://auro.re" + # Interval at which to process users in the 'presence queue'. If you have + # 5 users, one user will be processed every 500 milliseconds according to the + # value below. This has a minimum value of 250. + # WARNING: This has a high chance of spamming the homeserver with presence + # updates since it will send one each time somebody changes state or is online. + presenceInterval: 500 + # Disable setting presence for 'ghost users' which means Discord users on Matrix + # will not be shown as away or online. + disablePresence: false + # Disable sending typing notifications when somebody on Discord types. + disableTypingNotifications: false + # Disable deleting messages on Discord if a message is redacted on Matrix. + disableDeletionForwarding: false + # Enable users to bridge rooms using !discord commands. See + # https://t2bot.io/discord for instructions. + enableSelfServiceBridging: false + # Disable sending of read receipts for Matrix events which have been + # successfully bridged to Discord. + disableReadReceipts: false +# Authentication configuration for the discord bot. +auth: + clientID: "12345" + botToken: "foobar" +logging: + # What level should the logger output to the console at. 
+ console: "warn" #silly, verbose, info, http, warn, error, silent + lineDateFormat: "MMM-D HH:mm:ss.SSS" # This is in moment.js format + files: + - file: "warn.log" # Will capture warnings + level: "warn" + - file: "botlogs.log" # Will capture logs from DiscordBot + level: "info" + enable: + - "DiscordBot" +database: + userStorePath: "user-store.db" + roomStorePath: "room-store.db" + # You may either use SQLite or Postgresql for the bridge database, which contains + # important mappings for events and user puppeting configurations. + # Use the filename option for SQLite, or connString for Postgresql. + # If you are migrating, see https://github.com/Half-Shot/matrix-appservice-discord/blob/master/docs/howto.md#migrate-to-postgres-from-sqlite + # WARNING: You will almost certainly be fine with sqlite unless your bridge + # is in heavy demand and you suffer from IO slowness. + filename: "discord.db" + # connString: "postgresql://user:password@localhost/database_name" +room: + # Set the default visibility of alias rooms, defaults to "public". + # One of: "public", "private" + defaultVisibility: "public" +channel: + # Pattern of the name given to bridged rooms. + # Can use :guild for the guild name and :name for the channel name. + namePattern: "[Discord] :guild :name" + # Changes made to rooms when a channel is deleted. + deleteOptions: + # Prefix the room name with a string. + #namePrefix: "[Deleted]" + # Prefix the room topic with a string. + #topicPrefix: "This room has been deleted" + # Disable people from talking in the room by raising the event PL to 50 + disableMessaging: false + # Remove the discord alias from the room. + unsetRoomAlias: true + # Remove the room from the directory. + unlistFromDirectory: true + # Set the room to be unavaliable for joining without an invite. + setInviteOnly: true + # Make all the discord users leave the room. + ghostsLeave: true +limits: + # Delay in milliseconds between discord users joining a room. 
+ roomGhostJoinDelay: 6000 + # Delay in milliseconds before sending messages to discord to avoid echos. + # (Copies of a sent message may arrive from discord before we've + # fininished handling it, causing us to echo it back to the room) + discordSendDelay: 750 + diff --git a/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 b/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 new file mode 100644 index 0000000..afc1b4b --- /dev/null +++ b/roles/matrix-appservice-discord/templates/systemd/matrix-appservice-discord.service.j2 @@ -0,0 +1,18 @@ +# {{ ansible_managed }} + +[Unit] +Description=A bridge between Matrix and Discord +After=syslog.target network-online.target mysql.service postgresql.service +Conflicts=shutdown.target + +[Service] +Type=simple +User=matrix-appservice-discord +Group=matrix-appservice-discord +WorkingDirectory=/var/local/matrix-appservice-discord/matrix-appservice-discord +Environment="NODE_ENV=production" +ExecStart=/usr/bin/nodejs /var/local/matrix-appservice-discord/matrix-appservice-discord/app.js +Restart=always + +[Install] +WantedBy=multi-user.target From 0b887c2abbbe2ef1a4252fdfcfe0c01f12bf082e Mon Sep 17 00:00:00 2001 
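Review bot: `clientID: "12345"` and `botToken: "foobar"` are placeholders rendered verbatim into `config.yaml`, so the bridge cannot authenticate as deployed, and the moment someone fills them in the real Discord bot token is committed to this template. Take both from variables held in an Ansible Vault file, e.g. `clientID: "{{ discord_client_id }}"` and `botToken: "{{ discord_bot_token }}"`, and keep the template free of secrets; the 0600 mode on the destination is right, but only matters once the value in it is real. `defaultVisibility: "public"` deserves a comment on whether bridged Discord channels are meant to be joinable by anyone on `auro.re`, since that is the effect of the default kept here.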
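Review bot: The unit runs the bridge as its own user but applies none of systemd's sandboxing, so a compromised Node process still has the whole filesystem in view and can regain privileges through setuid binaries. The bridge's SQLite files and logs are relative paths under `WorkingDirectory` (`filename: "discord.db"` and `file: "warn.log"` in the config), so the service only needs write access to its own directory and the directives below should be safe; check the journal once after enabling in case the bridge writes elsewhere. `After=syslog.target` is obsolete under systemd and can be dropped.
```ini
[Service]
# … unchanged: Type, User, Group, WorkingDirectory, Environment, ExecStart, Restart …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=/var/local/matrix-appservice-discord
```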
From: Alexandre Iooss Date: Sun, 10 Mar 2019 11:50:07 +0100 Subject: [PATCH 09/11] Add matrix-appservice-irc --- matrix.yml | 3 +- roles/matrix-appservice-irc/handlers/main.yml | 4 + .../tasks/0_apt_dependencies.yml | 20 + .../tasks/1_user_group.yml | 26 + roles/matrix-appservice-irc/tasks/main.yml | 48 ++ .../templates/apt/nodejs.j2 | 5 + .../templates/config.yaml.j2 | 443 ++++++++++++++++++ .../systemd/matrix-appservice-irc.service.j2 | 17 + 8 files changed, 565 insertions(+), 1 deletion(-) create mode 100644 roles/matrix-appservice-irc/handlers/main.yml create mode 100644 roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml create mode 100644 roles/matrix-appservice-irc/tasks/1_user_group.yml create mode 100644 roles/matrix-appservice-irc/tasks/main.yml create mode 100644 roles/matrix-appservice-irc/templates/apt/nodejs.j2 create mode 100644 roles/matrix-appservice-irc/templates/config.yaml.j2 create mode 100644 roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 diff --git a/matrix.yml b/matrix.yml index 4767ca5..971ceab 100644 --- a/matrix.yml +++ b/matrix.yml @@ -8,6 +8,8 @@ - debian-backports - matrix-synapse - matrix-mxisd + - matrix-appservice-discord + - matrix-appservice-irc # Install Matrix Riot on corresponding containers - hosts: riot.adm.auro.re @@ -18,4 +20,3 @@ - hosts: matrix-services.adm.auro.re roles: - debian-backports - - matrix-appservice-discord diff --git a/roles/matrix-appservice-irc/handlers/main.yml b/roles/matrix-appservice-irc/handlers/main.yml new file mode 100644 index 0000000..ac3842d --- /dev/null +++ b/roles/matrix-appservice-irc/handlers/main.yml @@ -0,0 +1,4 @@ +--- +# Reload systemd daemons when a service file changes +- name: Reload systemd daemons + command: systemctl daemon-reload diff --git a/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml b/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml new file mode 100644 index 0000000..40fbbce --- /dev/null 
+++ b/roles/matrix-appservice-irc/tasks/0_apt_dependencies.yml @@ -0,0 +1,20 @@ +--- +- name: Configure NodeJS pin + when: + - ansible_distribution == 'Debian' + - ansible_distribution_release == 'stretch' + template: + src: apt/nodejs.j2 + dest: /etc/apt/preferences.d/nodejs + mode: 0644 + +- name: Install required packages + apt: + name: "{{ item }}" + state: present + update_cache: true + with_items: + - git + - nodejs + - npm + - build-essential diff --git a/roles/matrix-appservice-irc/tasks/1_user_group.yml b/roles/matrix-appservice-irc/tasks/1_user_group.yml new file mode 100644 index 0000000..1c5d507 --- /dev/null +++ b/roles/matrix-appservice-irc/tasks/1_user_group.yml @@ -0,0 +1,26 @@ +--- +# Security #1 +- name: Create matrix-appservice-irc system group + group: + name: matrix-appservice-irc + system: yes + state: present + +# Security #2 +- name: Create matrix-appservice-irc user + user: + name: matrix-appservice-irc + group: matrix-appservice-irc + home: /var/local/matrix-appservice-irc + comment: Matrix Appservice IRC + system: yes + state: present + +# Security #3 +- name: Secure matrix-appservice-irc home directory + file: + path: /var/local/matrix-appservice-irc + state: directory + owner: matrix-appservice-irc + group: matrix-appservice-irc + mode: 0750 diff --git a/roles/matrix-appservice-irc/tasks/main.yml b/roles/matrix-appservice-irc/tasks/main.yml new file mode 100644 index 0000000..0f03d5b --- /dev/null +++ b/roles/matrix-appservice-irc/tasks/main.yml 
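Review bot: This role's `0_apt_dependencies.yml`, `apt/nodejs.j2` and handler are byte-identical copies of the matrix-appservice-discord role, so the NodeJS pin and package list now live in two places that will drift; factor them into a shared `nodejs` role (or a role dependency in `meta/main.yml`) that both bridges pull in. As in the discord role, the `matrix-appservice-irc` user is created without `shell: /usr/sbin/nologin`, which is the one line worth adding to the user task. The `# Security #n` comments should say what each step protects, e.g. `# Dedicated unprivileged account for the bridge`.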
@@ -0,0 +1,48 @@ +--- +# Install APT dependencies +- include_tasks: 0_apt_dependencies.yml + +# Create matrix-appservice-irc user and group +- include_tasks: 1_user_group.yml + +- name: Clone matrix-appservice-irc project + git: + repo: https://github.com/matrix-org/matrix-appservice-irc.git + dest: /var/local/matrix-appservice-irc/matrix-appservice-irc + version: 0.11.2 + become: true + become_user: matrix-appservice-irc + +# Setup dependencies +- name: Install matrix-appservice-irc depedencies + command: npm install + args: + chdir: /var/local/matrix-appservice-irc/matrix-appservice-irc + become: true + become_user: matrix-appservice-irc + +# Configure +- name: Configure matrix-appservice-irc + template: + src: config.yaml.j2 + dest: /var/local/matrix-appservice-irc/matrix-appservice-irc/config.yaml + owner: matrix-appservice-irc + group: matrix-appservice-irc + mode: 0600 + +# Service file +- name: Install matrix-appservice-irc systemd unit + template: + src: 'systemd/matrix-appservice-irc.service.j2' + dest: '/etc/systemd/system/matrix-appservice-irc.service' + owner: root + group: root + mode: 0644 + notify: Reload systemd daemons + +# Run +#- name: Ensure that matrix-appservice-irc is started +# service: +# name: matrix-appservice-irc +# state: started +# enabled: true diff --git a/roles/matrix-appservice-irc/templates/apt/nodejs.j2 b/roles/matrix-appservice-irc/templates/apt/nodejs.j2 new file mode 100644 index 0000000..65e5110 --- /dev/null +++ b/roles/matrix-appservice-irc/templates/apt/nodejs.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +Package: node* libuv1* +Pin: release a=stretch-backports +Pin-Priority: 600 diff --git a/roles/matrix-appservice-irc/templates/config.yaml.j2 b/roles/matrix-appservice-irc/templates/config.yaml.j2 new file mode 100644 index 0000000..72d1a84 --- /dev/null +++ b/roles/matrix-appservice-irc/templates/config.yaml.j2 
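Review bot: `command: npm install` resolves dependencies afresh and may rewrite `package-lock.json`, so two runs can end up with different transitive versions; the discord role uses `npm ci`, which installs exactly the lockfile and fails if it disagrees with `package.json`, and this role should match it with `command: npm ci`. `version: 0.11.2` is a tag and therefore movable upstream; pinning the commit hash bounds what the install scripts execute as the service user. Unlike the discord role there is no build step, which is fine if 0.11.2 ships plain JavaScript, but a one-line comment saying so would save the next reader checking.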
@@ -0,0 +1,443 @@ +# {{ ansible_managed }} + +homeserver: + # The URL to the home server for client-server API calls, also used to form the + # media URLs as displayed in bridged IRC channels: + url: "https://auro.re" + # + # The URL of the homeserver hosting media files. This is only used to transform + # mxc URIs to http URIs when bridging m.room.[file|image] events. Optional. By + # default, this is the homeserver URL, specified above. + # + # media_url: "http://media.repo:8008" + + # Drop Matrix messages which are older than this number of seconds, according to + # the event's origin_server_ts. + # If the bridge is down for a while, the homeserver will attempt to send all missed + # events on reconnection. These events may be hours old, which can be confusing to + # IRC users if they are then bridged. This option allows these old messages to be + # dropped. + # CAUTION: This is a very coarse heuristic. Federated homeservers may have different + # clock times and hence produce different origin_server_ts values, which may be old + # enough to cause *all* events from the homeserver to be dropped. + # Default: 0 (don't ever drop) + dropMatrixMessagesAfterSecs: 300 # 5 minutes + + # The 'domain' part for user IDs on this home server. Usually (but not always) + # is the "domain name" part of the HS URL. + domain: "auro.re" + + # Should presence be enabled for matrix clients on this bridge. If disabled on the + # homeserver then it should also be disabled here to avoid excess traffic. + # Default: true + enablePresence: true + +# Configuration specific to the IRC service +ircService: + servers: + # The address of the server to connect to. + irc.crans.org: + # A human-readable short name. This is used to label IRC status rooms + # where matrix users control their connections. + # E.g. 'ExampleNet IRC Bridge status'. + # It is also used in the Third Party Lookup API as the instance `desc` + # property, where each server is an instance. 
+ name: "Crans IRC Bridge status" + + additionalAddresses: [ ] + # + # [DEPRECATED] Use `name`, above, instead. + # A human-readable description string + # description: "Example.com IRC network" + + # An ID for uniquely identifying this server amongst other servers being bridged. + networkId: "crans" + + # URL to an icon used as the network icon whenever this network appear in + # a network list. (Like in the riot room directory, for instance.) + # icon: https://example.com/images/hash.png + + # The port to connect to. Optional. + port: 6697 + # Whether to use SSL or not. Default: false. + ssl: true + # Whether or not IRC server is using a self-signed cert or not providing CA Chain + sslselfsign: false + # Should the connection attempt to identify via SASL (if a server or user password is given) + # If false, this will use PASS instead. If SASL fails, we do not fallback to PASS. + sasl: false + # Whether to allow expired certs when connecting to the IRC server. + # Usually this should be off. Default: false. + allowExpiredCerts: false + # A specific CA to trust instead of the default CAs. Optional. + #ca: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + + # + # The connection password to send for all clients as a PASS (or SASL, if enabled above) command. Optional. + # password: 'pa$$w0rd' + # + # Whether or not to send connection/error notices to real Matrix users. Default: true. + sendConnectionMessages: true + + quitDebounce: + # Whether parts due to net-splits are debounced for delayMs, to allow + # time for the netsplit to resolve itself. A netsplit is detected as being + # a QUIT rate higher than quitsPerSecond. Default: false. + enabled: false + # The maximum number of quits per second acceptable above which a netsplit is + # considered ongoing. Default: 5. + quitsPerSecond: 5 + # The time window in which to wait before bridging a QUIT to Matrix that occurred during + # a netsplit. 
Debouncing is jittered randomly between delayMinMs and delayMaxMs so that the HS + # is not sent many requests to leave rooms all at once if a netsplit occurs and many + # people to not rejoin. + # If the user with the same IRC nick as the one who sent the quit rejoins a channel + # they are considered back online and the quit is not bridged, so long as the rejoin + # occurs before the randomly-jittered timeout is not reached. + # Default: 3600000, = 1h + delayMinMs: 3600000 # 1h + # Default: 7200000, = 2h + delayMaxMs: 7200000 # 2h + + # A map for conversion of IRC user modes to Matrix power levels. This enables bridging + # of IRC ops to Matrix power levels only, it does not enable the reverse. If a user has + # been given multiple modes, the one that maps to the highest power level will be used. + modePowerMap: + o: 50 + + botConfig: + # Enable the presence of the bot in IRC channels. The bot serves as the entity + # which maps from IRC -> Matrix. You can disable the bot entirely which + # means IRC -> Matrix chat will be shared by active "M-Nick" connections + # in the room. If there are no users in the room (or if there are users + # but their connections are not on IRC) then nothing will be bridged to + # Matrix. If you're concerned about the bot being treated as a "logger" + # entity, then you may want to disable the bot. If you want IRC->Matrix + # but don't want to have TCP connections to IRC unless a Matrix user speaks + # (because your client connection limit is low), then you may want to keep + # the bot enabled. Default: true. + # NB: If the bot is disabled, you SHOULD have matrix-to-IRC syncing turned + # on, else there will be no users and no bot in a channel (meaning no + # messages to Matrix!) until a Matrix user speaks which makes a client + # join the target IRC channel. + # NBB: The bridge bot IRC client will still join the target IRC network so + # it can service bridge-specific queries from the IRC-side e.g. 
so + # real IRC clients have a way to change their Matrix display name. + # See https://github.com/matrix-org/matrix-appservice-irc/issues/55 + enabled: true + # The nickname to give the AS bot. + nick: "AuroreBot" + # The password to give to NickServ or IRC Server for this nick. Optional. + # password: "helloworld" + # + # Join channels even if there are no Matrix users on the other side of + # the bridge. Set to false to prevent the bot from joining channels which have no + # real matrix users in them, even if there is a mapping for the channel. + # Default: true + joinChannelsIfNoUsers: true + + # Configuration for PMs / private 1:1 communications between users. + privateMessages: + # Enable the ability for PMs to be sent to/from IRC/Matrix. + # Default: true. + enabled: true + # Prevent Matrix users from sending PMs to the following IRC nicks. + # Optional. Default: []. + # exclude: ["Alice", "Bob"] # NOT YET IMPLEMENTED + + # Should created Matrix PM rooms be federated? If false, only users on the + # HS attached to this AS will be able to interact with this room. + # Optional. Default: true. + federate: true + + # Configuration for mappings not explicitly listed in the 'mappings' + # section. + dynamicChannels: + # Enable the ability for Matrix users to join *any* channel on this IRC + # network. + # Default: false. + enabled: true + # Should the AS create a room alias for the new Matrix room? The form of + # the alias can be modified via 'aliasTemplate'. Default: true. + createAlias: true + # Should the AS publish the new Matrix room to the public room list so + # anyone can see it? Default: true. + published: false + # What should the join_rule be for the new Matrix room? If 'public', + # anyone can join the room. If 'invite', only users with an invite can + # join the room. Note that if an IRC channel has +k or +i set on it, + # join_rules will be set to 'invite' until these modes are removed. + # Default: "public". 
+ joinRule: public + # This will set the m.room.related_groups state event in newly created rooms + # with the given groupId. This means flares will show up on IRC users in those rooms. + # This should be set to the same thing as namespaces.users.group_id in irc_registration. + # This does not alter existing rooms. + # Leaving this option empty will not set the event. + groupId: +myircnetwork:localhost + # Should created Matrix rooms be federated? If false, only users on the + # HS attached to this AS will be able to interact with this room. + # Default: true. + federate: true + # The room alias template to apply when creating new aliases. This only + # applies if createAlias is 'true'. The following variables are exposed: + # $SERVER => The IRC server address (e.g. "irc.example.com") + # $CHANNEL => The IRC channel (e.g. "#python") + # This MUST have $CHANNEL somewhere in it. + # Default: '#irc_$SERVER_$CHANNEL' + aliasTemplate: "#irc_crans_$CHANNEL" + # A list of user IDs which the AS bot will send invites to in response + # to a !join. Only applies if joinRule is 'invite'. Default: [] + # whitelist: + # - "@foo:example.com" + # - "@bar:example.com" + # + # Prevent the given list of channels from being mapped under any + # circumstances. + # exclude: ["#foo", "#bar"] + + # Configuration for controlling how Matrix and IRC membership lists are + # synced. + membershipLists: + # Enable the syncing of membership lists between IRC and Matrix. This + # can have a significant effect on performance on startup as the lists are + # synced. This must be enabled for anything else in this section to take + # effect. Default: false. + enabled: true + + # Syncing membership lists at startup can result in hundreds of members to + # process all at once. This timer drip feeds membership entries at the + # specified rate. Default: 10000. 
(10s) + floodDelayMs: 10000 + + global: + ircToMatrix: + # Get a snapshot of all real IRC users on a channel (via NAMES) and + # join their virtual matrix clients to the room. + initial: false + # Make virtual matrix clients join and leave rooms as their real IRC + # counterparts join/part channels. Default: false. + incremental: true + + matrixToIrc: + # Get a snapshot of all real Matrix users in the room and join all of + # them to the mapped IRC channel on startup. Default: false. + initial: false + # Make virtual IRC clients join and leave channels as their real Matrix + # counterparts join/leave rooms. Make sure your 'maxClients' value is + # high enough! Default: false. + incremental: true + + # Apply specific rules to Matrix rooms. Only matrix-to-IRC takes effect. + rooms: + + # Apply specific rules to IRC channels. Only IRC-to-matrix takes effect. + channels: + + mappings: + # 1:many mappings from IRC channels to room IDs on this IRC server. + # The matrix room must already exist. Your matrix client should expose + # the room ID in a "settings" page for the room. + # "#thepub": ["!kieouiJuedJoxtVdaG:localhost"] + + # Configuration for virtual matrix users. The following variables are + # exposed: + # $NICK => The IRC nick + # $SERVER => The IRC server address (e.g. "irc.example.com") + matrixClients: + # The user ID template to use when creating virtual matrix users. This + # MUST have $NICK somewhere in it. + # Optional. Default: "@$SERVER_$NICK". + # Example: "@irc.example.com_Alice:example.com" + userTemplate: "@irc_$NICK" + # The display name to use for created matrix clients. This should have + # $NICK somewhere in it if it is specified. Can also use $SERVER to + # insert the IRC domain. + # Optional. Default: "$NICK (IRC)". Example: "Alice (IRC)" + displayName: "$NICK (IRC)" + # Number of tries a client can attempt to join a room before the request + # is discarded. You can also use -1 to never retry or 0 to never give up. + # Optional. 
Default: -1 + joinAttempts: -1 + + # Configuration for virtual IRC users. The following variables are exposed: + # $LOCALPART => The user ID localpart ("alice" in @alice:localhost) + # $USERID => The user ID + # $DISPLAY => The display name of this user, with excluded characters + # (e.g. space) removed. If the user has no display name, this + # falls back to $LOCALPART. + ircClients: + # The template to apply to every IRC client nick. This MUST have either + # $DISPLAY or $USERID or $LOCALPART somewhere in it. + # Optional. Default: "M-$DISPLAY". Example: "M-Alice". + nickTemplate: "$DISPLAY[m]" + # True to allow virtual IRC clients to change their nick on this server + # by issuing !nick commands to the IRC AS bot. + # This is completely freeform: it will NOT follow the nickTemplate. + allowNickChanges: true + # The max number of IRC clients that will connect. If the limit is + # reached, the client that spoke the longest time ago will be + # disconnected and replaced. + # Optional. Default: 30. + maxClients: 30 + # IPv6 configuration. + ipv6: + # Optional. Set to true to force IPv6 for outgoing connections. + only: false + # Optional. The IPv6 prefix to use for generating unique addresses for each + # connected user. If not specified, all users will connect from the same + # (default) address. This may require additional OS-specific work to allow + # for the node process to bind to multiple different source addresses + # e.g IP_FREEBIND on Linux, which requires an LD_PRELOAD with the library + # https://github.com/matrix-org/freebindfree as Node does not expose setsockopt. + # prefix: "2001:0db8:85a3::" # modify appropriately + # + # The maximum amount of time in seconds that the client can exist + # without sending another message before being disconnected. Use 0 to + # not apply an idle timeout. This value is ignored if this IRC server is + # mirroring matrix membership lists to IRC. 
Default: 172800 (48 hours) + idleTimeout: 10800 + # The number of millseconds to wait between consecutive reconnections if a + # client gets disconnected. Setting to 0 will cause the scheduling to be + # disabled, i.e. it will be scheduled immediately (with jitter. + # Otherwise, the scheduling interval will be used such that one client + # reconnect for this server will be handled every reconnectIntervalMs ms using + # a FIFO queue. + # Default: 5000 (5 seconds) + reconnectIntervalMs: 5000 + # The number of concurrent reconnects if a user has been disconnected unexpectedly + # (e.g. a netsplit). You should set this to a reasonably high number so that + # bridges are not waiting an eternity to reconnect all its clients if + # we see a massive number of disconnect. This is unrelated to the reconnectIntervalMs + # setting above which is for connecting on restart of the bridge. Set to 0 to + # immediately try to reconnect all users. + # Default: 50 + concurrentReconnectLimit: 50 + # The number of lines to allow being sent by the IRC client that has received + # a large block of text to send from matrix. If the number of lines that would + # be sent is > lineLimit, the text will instead be uploaded to matrix and the + # resulting URI is treated as a file. As such, a link will be sent to the IRC + # side instead of potentially spamming IRC and getting the IRC client kicked. + # Default: 3. + lineLimit: 3 + # A list of user modes to set on every IRC client. For example, "RiG" would set + # +R, +i and +G on every IRC connection when they have successfully connected. + # User modes vary wildly depending on the IRC network you're connecting to, + # so check before setting this value. Some modes may not work as intended + # through the bridge e.g. caller ID as there is no way to /ACCEPT. + # Default: "" (no user modes) + # userModes: "R" + + # Configuration for an ident server. 
If you are running a public bridge it is + # advised you setup an ident server so IRC mods can ban specific matrix users + # rather than the application service itself. + ident: + # True to listen for Ident requests and respond with the + # matrix user's user_id (converted to ASCII, respecting RFC 1413). + # Default: false. + enabled: false + # The port to listen on for incoming ident requests. + # Ports below 1024 require root to listen on, and you may not want this to + # run as root. Instead, you can get something like an Apache to yank up + # incoming requests to 113 to a high numbered port. Set the port to listen + # on instead of 113 here. + # Default: 113. + port: 1113 + # The address to listen on for incoming ident requests. + # Default: 0.0.0.0 + address: "::" + + # Configuration for logging. Optional. Default: console debug level logging + # only. + logging: + # Level to log on console/logfile. One of error|warn|info|debug + level: "info" + # The file location to log to. This is relative to the project directory. + logfile: "debug.log" + # The file location to log errors to. This is relative to the project + # directory. + errfile: "errors.log" + # Whether to log to the console or not. + toConsole: true + # The max number of files to keep. Files will be overwritten eventually due + # to rotations. + maxFiles: 5 + + # Optional. Enable Prometheus metrics. If this is enabled, you MUST install `prom-client`: + # $ npm install prom-client@6.3.0 + # Metrics will then be available via GET /metrics on the bridge listening port (-p). + metrics: + # Whether to actually enable the metric endpoint. Default: false + enabled: false + # When collecting remote user active times, which "buckets" should be used. Defaults are given below. + # The bucket name is formed of a duration and a period. (h=hours,d=days,w=weeks). + remoteUserAgeBuckets: + - "1h" + - "1d" + - "1w" + + # The nedb database URI to connect to. This is the name of the directory to + # dump .db files to. 
This is relative to the project directory. + # Required. + databaseUri: "nedb://data" + + # Configuration options for the debug HTTP API. To access this API, you must + # append ?access_token=$APPSERVICE_TOKEN (from the registration file) to the requests. + # + # The debug API exposes the following endpoints: + # + # GET /irc/$domain/user/$user_id => Return internal state for the IRC client for this user ID. + # + # POST /irc/$domain/user/$user_id => Issue a raw IRC command down this connection. + # Format: new line delimited commands as per IRC protocol. + # + debugApi: + # True to enable the HTTP API endpoint. Default: false. + enabled: false + # The port to host the HTTP API. + port: 11100 + + # Configuration for the provisioning API. + # + # GET /_matrix/provision/link + # GET /_matrix/provision/unlink + # GET /_matrix/provision/listlinks + # + provisioning: + # True to enable the provisioning HTTP endpoint. Default: false. + enabled: false + # The number of seconds to wait before giving up on getting a response from + # an IRC channel operator. If the channel operator does not respond within the + # allotted time period, the provisioning request will fail. + # Default: 300 seconds (5 mins) + requestTimeoutSeconds: 300 + + # WARNING: The bridge needs to send plaintext passwords to the IRC server, it cannot + # send a password hash. As a result, passwords (NOT hashes) are stored encrypted in + # the database. + # + # To generate a .pem file: + # $ openssl genpkey -out passkey.pem -outform PEM -algorithm RSA -pkeyopt rsa_keygen_bits:2048 + # + # The path to the RSA PEM-formatted private key to use when encrypting IRC passwords + # for storage in the database. Passwords are stored by using the admin room command + # `!storepass server.name passw0rd. When a connection is made to IRC on behalf of + # the Matrix user, this password will be sent as the server password (PASS command). 
+ passwordEncryptionKeyPath: "passkey.pem"
+
+ # Config for Matrix -> IRC bridging
+ matrixHandler:
+ # Cache this many matrix events in memory to be used for m.relates_to messages (usually replies).
+ eventCacheSize: 4096
+
+# Options here are generally only applicable to large-scale bridges and may have
+# consequences greater than other options in this configuration file.
+advanced:
+ # The maximum number of HTTP(S) sockets to maintain. Usually this is unlimited
+ # however for large bridges it is important to rate limit the bridge to avoid
+ # accidentally overloading the homeserver. Defaults to 1000, which should be
+ # enough for the vast majority of use cases.
+ maxHttpSockets: 1000
diff --git a/roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2 b/roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
new file mode 100644
index 0000000..1f25539
--- /dev/null
+++ b/roles/matrix-appservice-irc/templates/systemd/matrix-appservice-irc.service.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=A bridge between Matrix and IRC
+After=syslog.target network-online.target mysql.service postgresql.service
+Conflicts=shutdown.target
+
+[Service]
+Type=simple
+User=matrix-appservice-irc
+Group=matrix-appservice-irc
+WorkingDirectory=/var/local/matrix-appservice-irc/matrix-appservice-irc
+ExecStart=/usr/bin/nodejs /var/local/matrix-appservice-irc/matrix-appservice-irc/app.js -c config.yaml -f my_registration_file.yaml -p 9999
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
From 761695f9921af572594db0ae81caea20f75b6471 Mon Sep 17 00:00:00 2001
From: Vulcain
Date: Sun, 10 Mar 2019 18:46:37 +0100
Subject: [PATCH 10/11] =?UTF-8?q?ajout=20des=20machines=20setup=20=C3=A0?= =?UTF-8?q?=20la=20pacaterie?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 hosts | 10 ++++++++++
 1 file changed, 10 insertions(+)
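Review bot: `groupId: +myircnetwork:localhost` is the upstream example value left in place, so every room the bridge creates will carry an `m.room.related_groups` event pointing at a group that does not exist on this homeserver; either put the real group id there or leave the key empty, which the comment above it says disables the event. `passwordEncryptionKeyPath: "passkey.pem"` names a key that no task in main.yml generates or deploys, so until the file is provisioned by hand the `!storepass` passwords cannot be encrypted for storage (whether the bridge refuses to start or only fails that command is not visible from here); add a task that creates it, using the `openssl genpkey` command already given in the comment, with `mode: 0600` and the service user as owner. The homeserver `url` and `domain` are hard-coded to `auro.re` inside a Jinja template; moving them to role variables would keep the template reusable and make the deployment-specific values visible in one place.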
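Review bot: `ExecStart` passes `-f my_registration_file.yaml`, the upstream placeholder name, and no task in main.yml templates or copies a registration file into the working directory, so as written the unit can only start if that file is placed by hand; template the registration file (with `mode: 0600`, since it carries the appservice tokens) and name it explicitly here. `After=` waits on `mysql.service` and `postgresql.service` although the config uses `databaseUri: "nedb://data"`, so both can be dropped, and `syslog.target` is obsolete on systemd hosts. For a network-facing service already running unprivileged, add `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` to `[Service]`; the working directory under /var/local stays writable with `full`.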
diff --git a/hosts b/hosts index 34cdde3..bc7bbee 100644 --- a/hosts +++ b/hosts @@ -36,6 +36,11 @@ re2o-test.adm.auro.re #ldap-replica-fleming1.adm.auro.re #ldap-replica-fleming2.adm.auro.re +[pacaterie-pve] +#merlin.adm.auro.re +#leodagan.adm.auro.re +#mordred.adm.auro.re + # everything at ovh [ovh:children] ovh-pve @@ -51,6 +56,10 @@ ovh-testing-vm fleming-pve fleming-vm-ldap-replica +# everything at pacaterie +[pacaterie:children] +pacaterie-pve + # every LXC container [container:children] ovh-container @@ -64,6 +73,7 @@ fleming-vm-ldap-replica [pve:children] ovh-pve fleming-pve +pacaterie-pve # every LDAP replica [ldap-replica:children] From a08be12b41dcdeba2877f959a6a7dcb5ebda2f6c Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Mon, 11 Mar 2019 14:52:03 +0100 Subject: [PATCH 11/11] Security policies based on ANSSI recommandations --- base.yml | 1 + roles/basesecurity/tasks/main.yml | 25 +++++++++++++++++++ .../templates/sysctl.d/local.conf.j2 | 17 +++++++++++++ 3 files changed, 43 insertions(+) create mode 100644 roles/basesecurity/tasks/main.yml create mode 100644 roles/basesecurity/templates/sysctl.d/local.conf.j2 diff --git a/base.yml b/base.yml index 90e258b..e10f9d7 100644 --- a/base.yml +++ b/base.yml @@ -3,3 +3,4 @@ - hosts: all roles: - baseconfig + - basesecurity diff --git a/roles/basesecurity/tasks/main.yml b/roles/basesecurity/tasks/main.yml new file mode 100644 index 0000000..6b0f596 --- /dev/null +++ b/roles/basesecurity/tasks/main.yml 
@@ -0,0 +1,25 @@
+---
+- name: Configure sysctl
+ template:
+ src: 'sysctl.d/local.conf.j2'
+ dest: '/etc/sysctl.d/local.conf'
+ mode: 0644
+
+# Use this command to list setuid or setgid executables
+# find / -type f -perm /6000 -ls 2>/dev/null
+- name: Desactivate setuid/setgid on unused binaries
+ file:
+ path: "{{ item }}"
+ mode: u-s,g-s
+ loop:
+ - /usr/lib/openssh/sshkeysign # Not used
+ - /usr/bin/gpasswd # No group auth
+ - /usr/bin/passwd # Only root should change passwd
+ - /usr/bin/expiry # With re2o
+ - /usr/bin/newgrp # No group auth
+ - /usr/bin/chage # With re2o
+ - /usr/bin/chsh # With re2o
+ - /usr/bin/chfn # With re2o
+ - /bin/mount # Only root should mount
+ - /bin/umount # Only root should umount
+ ignore_errors: yes # Sometimes file won't exist
diff --git a/roles/basesecurity/templates/sysctl.d/local.conf.j2 b/roles/basesecurity/templates/sysctl.d/local.conf.j2
new file mode 100644
index 0000000..86ef034
--- /dev/null
+++ b/roles/basesecurity/templates/sysctl.d/local.conf.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+# See https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf
+
+# Disable core dump of setuid executables
+# So an user can't read privileged information in memory
+fs.suid_dumpable = 0
+
+# Obfuscate kernel memory addresses
+kernel.kptr_restrict = 1
+
+# Restrict dmesg access
+# This can leak specific harware failures to exploit
+kernel.dmesg_restrict = 1
+
+# Do not load kernel modules after boot
+# Some modules have security issues and are used in exploits
+kernel.modules_disabled = 1
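Review bot: The sysctl template is written to `/etc/sysctl.d/local.conf` but nothing applies it, so the settings only take effect at the next reboot and a run against a live host reports success without hardening anything; either use the `sysctl` module per key or `notify` a handler that runs `sysctl --system`. Be deliberate about the latter because of `kernel.modules_disabled`: once set it cannot be cleared until reboot, and any later task that needs a module (filesystems, netfilter, containers on the pve hosts) will fail. `ignore_errors: yes` on the setuid task hides every failure, not just a missing path — a read-only filesystem or an immutable attribute would leave the bit set while the play reports green; gate on existence instead of swallowing errors, as below, and `Desactivate` should read `Deactivate`.
```yaml
- name: Check which setuid/setgid candidates exist
  stat:
    path: "{{ item }}"
  loop:
    # … unchanged: the ten paths listed in the original task …
  register: setuid_candidates

- name: Deactivate setuid/setgid on unused binaries
  file:
    path: "{{ item.item }}"
    mode: u-s,g-s
  loop: "{{ setuid_candidates.results }}"
  loop_control:
    label: "{{ item.item }}"
  when: item.stat.exists
```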
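Review bot: `kernel.modules_disabled = 1` placed in `/etc/sysctl.d/` is applied by systemd-sysctl early in boot, before most on-demand modules are autoloaded, and the flag is one-way until reboot; on hosts that rely on autoloading (netfilter for firewalls, `tun` for VPNs, `kvm` and bridge modules on the pve hosts in this inventory) this will break services after the next reboot rather than merely harden them. Either list every required module in `/etc/modules-load.d/`, which should then be loaded before sysctl runs, or set this key from a unit ordered late in boot, and say so in the comment: `# One-way until reboot: every module the host needs must already be loaded`. `kernel.yama.ptrace_scope = 1` and `kernel.randomize_va_space = 2` are standard companions to these four settings and worth adding, and `harware` on the dmesg comment should read `hardware`.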