From 192be467f1d05e5e148481c5497444ffc97603eb Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 21 Jan 2013 18:11:27 +0100
Subject: Everyone can check for the absence of the 'pending' status.

---
 ldap/acl.ldif | 12 +++++++++---
 ldap/populate.ldif | 11 ++++++++++-
 ldap/test-user-acl.sh | 25 +++++++++++++++++++------
 3 files changed, 38 insertions(+), 10 deletions(-)

diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index ce2aa4c..4cf7e10 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -116,8 +116,14 @@ olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  by * =0
 #
-# Only the domain Postmasters and Owners can read and search the unlock token and
-# delete the 'pending' status.
+# Everyone can check for the non-presence of the 'pending' status.
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*)))
+ attrs=fripostPendingToken
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
+#
+# Only the domain Postmasters and Owners can search the unlock token and delete the
+# 'pending' status (but not read).
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  filter=(objectClass=FripostVirtualDomain)
  attrs=fripostPendingToken
@@ -175,7 +181,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  by dnattr=fripostPostmaster =wrscd
  by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
 #
-# Every one can add or delete children, but we will be carefull with the
+# Everyone can add or delete children, but we will be carefull with the
 # kid's "entry" attribute, which require +a and +z to add and delete
 # respectively.
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
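Review bot: The new `to` clause for domains without a token sits before the owner/postmaster rule and has no `by * …` fallback, so for those domains it is the last word on fripostPendingToken: owners and postmasters get `=s` instead of `=zscd` (harmless, as there is nothing to delete), while aliases, lists and anonymous binds get nothing at all. The comment should spell out that ordering dependency, e.g. `# Matches first for domains without a token; the owner/postmaster rule below only applies while the token is present.`. It would also help to record why this does not expose the token: a plain user has no search access on fripostPendingToken for pending domains, so an assertion on that attribute evaluates as Undefined there (I believe that is slapd's behaviour; worth confirming in the test) and `(!(fripostPendingToken=*))` can only match the non-pending entries, so no filter can probe the token's value. The `by` clauses of the owner/postmaster rule are outside this hunk.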
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index 3401259..b93816d 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -84,7 +84,6 @@ dn: fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: FripostVirtualDomain
 fripostCanAddAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 fripostIsStatusActive: FALSE
-fripostPendingToken: pending
 objectClass: SimpleSecurityObject
 userPassword: bogus
 description: Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
@@ -102,6 +101,11 @@ fripostIsStatusActive: FALSE
 fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 fripostMaildrop: user1@fripost.org
 
+dn: fvd=example0.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualDomain
+fripostIsStatusActive: TRUE
+fripostPendingToken: pending
+fripostPostmaster: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 
 # An independent domain, with canAddList options
 dn: fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
@@ -117,6 +121,11 @@ fripostListManager: schleuder
 fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 fripostLocalAlias: list1#example2.org
 
+dn: fva=alias1,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualAlias
+fripostIsStatusActive: FALSE
+fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostMaildrop: user1@fripost.org
 
 # An independent domain, with both can createAlias and canAddList options
 dn: fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 1dda3dc..7046716 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
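Review bot: The new `fvd=example0.org` entry lacks the one-line descriptive comment every neighbouring fixture carries (`# An independent domain, with canAddList options`); add e.g. `# A pending domain, postmastered from another domain` above its `dn:` line so a reader knows which ACL case it exercises. Its combination of `fripostIsStatusActive: TRUE` with `fripostPendingToken: pending` differs from the fixture it replaces (`example.org` was inactive while pending); if an active-but-pending domain is a deliberate state, say so in that comment, otherwise one of the two values looks off. The same missing comment applies to the `fva=alias1` entry in the next hunk, whose inactive alias is unrelated to the commit subject and whose purpose is not stated.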
@@ -238,6 +238,7 @@ echo "Authenticated users, access to domain entries"
 # +w if owner or postmaster
 # * fripostPendingToken
 # =zscd if owner or postmaster
+# =s for all if there is no pending token
 # * fripostCanAddAlias
 # =rscd if canAddAlias, owner or postmaster
 # +w if postmaster
@@ -274,22 +275,34 @@ usersD fripostOwner/add fripostOwner/delete \
 [ $? -eq 0 ] || exit $?
 
 
-msg "Have =0 rights on the \"pending\" status (unless owner or postmaster)"
+msg "Have =s rights on the \"pending\" status if absent"
 for U in ${USERS}; do
  for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
- (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+ search -s base -b "${D},${SUFFIX}" "(!(fripostPendingToken=*))" | grep -q '^dn: ' && \
+ checkACL "${U}" "${D}" fripostPendingToken
+ done
+done | isOK '=s$'
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =0 rights on the \"pending\" status if present (unless owner or postmaster)"
+for U in ${USERS}; do
+ for D in ${DOMAINS}; do
+ search -s base -b "${D},${SUFFIX}" "(&(!(|(fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX})))
+ (fripostPendingToken=*))" | grep -q '^dn: ' && \
  checkACL "${U}" "${D}" fripostPendingToken
  done
 done | isOK '=0$'
 [ $? -eq 0 ] || exit $?
 
 
-msg "Have =zscd access on the \"pending\" status (if owner or postmaster)"
+msg "Have =zscd access on the \"pending\" status if present (if owner or postmaster)"
 for U in ${USERS}; do
  for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
- (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(|(fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX}))
+ (fripostPendingToken=*))" | grep -q '^dn: ' && \
  checkACL "${U}" "${D}" fripostPendingToken
  done
 done | isOK '=zscd$'
-- 
cgit v1.2.3
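Review bot: In the new `=s` loop, `checkACL` only runs when the `search` pre-filter returns an entry, so if no domain without a token exists (fixture drift) or `search` fails outright, `isOK '=s$'` reads no lines and the step cannot fail — whether isOK rejects empty input is decided outside this hunk, so please confirm, or count the checked lines (e.g. `tee` the loop output into a temp file and require at least one line). The same vacuous-pass shape is in the `=0` and `=zscd` loops below it, which now also depend on a pending fixture being present. Also, on the new `[ $? -eq 0 ] || exit $?` line the `exit` sees the status of `[` (always 1), not isOK's; `rv=$?; [ "$rv" -eq 0 ] || exit "$rv"` preserves it, and the pre-existing copies of that line have the same issue.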