-rw-r--r-- | ldap/fripost.ldif | 27 | ||||
-rw-r--r-- | ldap/index.ldif | 15 | ||||
-rw-r--r-- | ldap/populate.ldif | 1 | ||||
-rw-r--r-- | ldap/syncrepl.ldif | 2 | ||||
-rwxr-xr-x | ldap/test-user-acl.sh | 14 |
5 files changed, 32 insertions, 27 deletions
diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif
index e0052a3..81602d5 100644
--- a/ldap/fripost.ldif
+++ b/ldap/fripost.ldif
@@ -76,33 +76,42 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.6 NAME 'fripostMaildrop'
 SUBSTR caseIgnoreIA5SubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostIsStatusActive'
+# We are creating a new attribute, optional in virtual domains and
+# mailboxes, because the presence index should *not* apply to the
+# mandatory attribute above.
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostOptionalMaildrop'
+ DESC 'An optional email address for catch-all aliases on domains and mailboxes'
+ EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostIsStatusActive'
 DESC 'Is the entry active?'
 EQUALITY booleanMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostMailboxQuota'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostMailboxQuota'
 DESC 'The quota on a mailbox e.g., "50MB"'
 EQUALITY caseExactMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostCanCreateAlias'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostCanCreateAlias'
 DESC 'A user/domain that can create aliases for the parent domain'
 SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostCanCreateML'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostCanCreateML'
 DESC 'A user/domain that can create mailing lists for the parent domain'
 SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostOwner'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostOwner'
 DESC 'A user that owns the parent domain'
 SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostPostmaster'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostPostmaster'
 DESC 'A user that is a postmaster of the parent domain'
 SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostMLManager'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostMLManager'
 DESC 'A mailing list manager'
 EQUALITY caseIgnoreMatch
 SUBSTR caseIgnoreSubstringsMatch
@@ -117,14 +126,14 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtualDomain'
 MUST ( fvd $ fripostIsStatusActive )
 MAY ( fripostCanCreateAlias $ fripostCanCreateML $ fripostOwner $ fripostPostmaster $
- fripostMaildrop $ description ) )
+ fripostOptionalMaildrop $ description ) )
 #
 # | TODO: add limits here
 olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualMailbox'
 SUP top STRUCTURAL
 DESC 'Virtual mailbox'
 MUST ( fvu $ userPassword $ fripostIsStatusActive )
- MAY ( fripostMailboxQuota $ fripostMaildrop $ cn $ description) )
+ MAY ( fripostMailboxQuota $ fripostOptionalMaildrop $ cn $ description) )
 #
 olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAlias'
 SUP top STRUCTURAL
diff --git a/ldap/index.ldif b/ldap/index.ldif
index d5f31a5..6d7089a 100644
--- a/ldap/index.ldif
+++ b/ldap/index.ldif
@@ -26,19 +26,14 @@ changetype: modify
 replace: olcDbIndex
 olcDbIndex: objectClass eq
 -
+# Let us make Postfix's job easier.
 add: olcDbIndex
-olcDbIndex: fripostIsStatusActive eq
+olcDbIndex: fripostIsStatusActive,fvd,fvu,fva,fvml,fripostMLCommand,fripostMLManager eq
 -
+# Let us make Postfix's job easier.
 add: olcDbIndex
-olcDbIndex: fvd,fvu,fva,fvml,fripostMLCommand,fripostMLManager eq
+olcDbIndex: fripostOptionalMaildrop pres
 -
-add: olcDbIndex
-olcDbIndex: fripostMaildrop pres
-# ^ TODO: a presence index on fripostMaildrop is not optimal, as the
-# attribute is not very rare...
-# Having a different attribute for the virtualMailbox object class would
-# be better.
--
-# synprov specific indexing (provider side)
+# SyncProv/SyncRepl specific indexing
 add: olcDbIndex
 olcDbIndex: entryCSN,entryUUID eq
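Review bot: Giving the new attribute OID 1.3.6.1.4.1.40011.1.2.1.7 shifts the seven existing attributes, fripostIsStatusActive through fripostMLManager, to .8–.14, which changes the OID of attributes that may already be deployed; OIDs are meant to be permanent identifiers, and a server that still has the old definitions loaded (the syncrepl consumer configured in ldap/syncrepl.ldif is an obvious candidate) would likely reject the new schema as a duplicate OID. Allocating the next unused number instead, `olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostOptionalMaildrop'`, and leaving the existing numbers untouched avoids that, at the cost of the file no longer listing attributes in OID order. If this schema has never been deployed outside development the renumbering is harmless, but that assumption is worth stating in the commit message.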
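Review bot: The same comment `# Let us make Postfix's job easier.` now precedes both the equality index and the presence index in the index.ldif hunk, while the rationale that the removed TODO carried — why the presence index moved to a separate optional attribute — is no longer recorded in this file. Suggest keeping the first comment for the equality index and replacing the second with one that explains the presence index, e.g. `# Presence index for catch-all lookups; kept off fripostMaildrop, which is mandatory elsewhere and therefore not rare.`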
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index 04d5177..57681b5 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -35,6 +35,7 @@ dn: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: fripostVirtualMailbox
 userPassword: user1
 fripostIsStatusActive: TRUE
+fripostOptionalMaildrop: user1@external.org

 dn: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: fripostVirtualMailbox
diff --git a/ldap/syncrepl.ldif b/ldap/syncrepl.ldif
index 6b9c378..9dbd30a 100644
--- a/ldap/syncrepl.ldif
+++ b/ldap/syncrepl.ldif
@@ -27,7 +27,7 @@ type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
 filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualML))(fripostIsStatusActive=TRUE))"
-attrs="fripostIsStatusActive,fripostMaildrop,fvd,fvu,fva,fvml,fripostMLCommand,fripostMLManager"
+attrs="fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fvd,fvu,fva,fvml,fripostMLCommand,fripostMLManager"
 scope=sub
 schemachecking=off
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 4b233ef..26298f9 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -186,7 +186,7 @@ echo "Authenticated users, access to domain entries"
 # =s for all
 # +d if children
 # +rc if canCreate{Alias,ML}, owner or postmaster
-# * fripostMaildrop
+# * fripostOptionalMaildrop
 # =wrscd if owner or postmaster
 # * description
 # =rscd if children, canCreate{Alias,ML}, owner or postmaster
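Review bot: The fixture line `fripostOptionalMaildrop: user1@external.org` points a forwarding address at external.org, a domain this project does not control; the attribute is a maildrop, so if this populate file is ever loaded into anything but a throwaway test server, mail for user1 would be relayed to a third party. Using a reserved name such as `fripostOptionalMaildrop: user1@example.org` keeps the test data inert.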
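Review bot: The expected access levels in this comment block, and the assertions in the 304, 397, 439, 463, 485 and 512 hunks of this file, now name fripostOptionalMaildrop, but no file holding the slapd access directives appears in the diffstat of this commit. Unless those directives select attributes by object class rather than by naming fripostMaildrop, the ACL set still only covers the old attribute and these checks would report `=0` where `=wrscd` is expected; worth confirming the ACL LDIF is updated alongside, or noting in the commit message that it follows separately.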
@@ -304,7 +304,7 @@ msg "Have =wrscd to the domain attributes (other than \"canCreate\"), and >=w to
 ATTRSO="entry/delete fvd/write fripostIsStatusActive/write
- fripostMaildrop/delete fripostMaildrop/add fripostMaildrop/read fripostMaildrop/search fripostMaildrop/compare fripostMaildrop/disclose
+ fripostOptionalMaildrop/delete fripostOptionalMaildrop/add fripostOptionalMaildrop/read fripostOptionalMaildrop/search fripostOptionalMaildrop/compare fripostOptionalMaildrop/disclose
 description/add description/delete"
 for U in ${USERS}; do
 for D in ${DOMAINS}; do
@@ -397,7 +397,7 @@ done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to
 # not (3 or 4)
-msg "Have =0 access to \"fripostMaildrop\" (unless Owner or Postmaster)"
+msg "Have =0 access to \"fripostOptionalMaildrop\" (unless Owner or Postmaster)"
 for U in ${USERS}; do
 for D in ${DOMAINS}; do
 search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
@@ -439,7 +439,7 @@ echo "Authenticated users, access to user entries"
 # =wrscd if account owner or domain postmaster
 # * fripostMailboxQuota:
 # =rscd if account owner or domain postmaster
-# * fripostMaildrop:
+# * fripostOptionalMaildrop:
 # =wrscd if account owner or domain postmaster
 # * cn:
 # =wrscd if account owner or domain postmaster
@@ -463,7 +463,7 @@ usersU userPassword | isOK '=w$'
 [ $? -eq 0 ] || exit $?

 msg "Have =wrscxd access to the other attributes of their own entry"
-usersU fvu fripostIsStatusActive fripostMaildrop cn description | isOK 'write(=wrscxd)$' fvu
+usersU fvu fripostIsStatusActive fripostOptionalMaildrop cn description | isOK 'write(=wrscxd)$' fvu
 [ $? -eq 0 ] || exit $?

 msg "Have >=rsd access to the \"entry\" attribute of their own entry"
@@ -485,7 +485,7 @@ for U1 in ${USERS}; do
 fvu userPassword \
 fripostIsStatusActive \
 fripostMailboxQuota \
- fripostMaildrop \
+ fripostOptionalMaildrop \
 cn description
 done
 done | isOK '=0$' entry
@@ -512,7 +512,7 @@ usersP userPassword | isOK '=w$'
 [ $? -eq 0 ] || exit $?

 msg "Have =wrscxd access to the other attributes of their users' entry (if Postmaster)"
-usersP fvu fripostIsStatusActive fripostMaildrop cn description | isOK 'write(=wrscxd)$' fvu
+usersP fvu fripostIsStatusActive fripostOptionalMaildrop cn description | isOK 'write(=wrscxd)$' fvu
 [ $? -eq 0 ] || exit $?

 # "+a" is needed to create new accounts. "+z" would be required to