From f440b191204f129408b9f068e8f436f59493c482 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 20 Aug 2012 19:33:21 +0200 Subject: Constraint overlay --- ldap/acl.ldif | 76 ++++++++++++++++++------------------------------------ ldap/modules.ldif | 5 +++- ldap/populate.ldif | 2 +- 3 files changed, 30 insertions(+), 53 deletions(-) diff --git a/ldap/acl.ldif b/ldap/acl.ldif index 5af52aa..755697f 100644 --- a/ldap/acl.ldif +++ b/ldap/acl.ldif @@ -31,73 +31,64 @@ replace: olcAccess ## 1. Users/Services/Managers can change their password (but not read it). ## 2. Anonymous users/services/managers can bind. ## 3. Else, we inspect the 2 following ACLs. -#add: olcAccess olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" attrs=userPassword by self =w by anonymous auth by users none break -- +# # The postmaster of a domain can change (replace) his/her users' password. -add: olcAccess olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualMailbox) attrs=userPassword by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w -- +# # No permission on the userPassword attribute for other users. # (That's a catch-all, just to be sure that services, etc. cannot read the passwords). -add: olcAccess olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" attrs=userPassword by * none -#- +## ## Services can read the whole subtree (minus the userPassword attributes). -#add: olcAccess #olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" # attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualML # by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=org" read # by users * break -- +# # Users can search (e.g., to list the entries they have created). # Additional permissions may be added later on. -add: olcAccess olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateML by users =s break -- +# # Everyone can delete domains. (Provided he has +d access to the "entry" # attribute of the domains he wants to delete.) -add: olcAccess olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=children by users =z -- +# # 1. The postmaster of a domain can give (or take back) people the right to create # aliases. # 2,3. People that can create aliases can list the members of the group. -add: olcAccess olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=fripostVirtualDomain) attrs=fripostCanCreateAlias by dnattr=fripostPostmaster write by dnattr=fripostOwner read by set.exact="this/fripostCanCreateAlias & (user | user/-1)" read -- +# # 1. The postmaster of a domain can give (or take back) people the right to create # mailing lists. # 2,3. People that can create mailing lists can list the members of the group. -add: olcAccess olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=fripostVirtualDomain) attrs=fripostCanCreateML by dnattr=fripostPostmaster write by dnattr=fripostOwner read by set.exact="this/fripostCanCreateML & (user | user/-1)" read -- +# # 1-3. Noone (but the managers) can appoint domain Owners or Postmasters. # But people that can create aliases and mailing lists can list the members of their group. -add: olcAccess olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualDomain) attrs=fripostOwner,fripostPostmaster @@ -106,21 +97,19 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML)& (user | user/-1)" read by dn.onelevel,expand="$1" +d by users +0 -- +# # Every one can add or delete children, but we will be carefull with the # kid's "entry" attribute, which require +a and +z to add and delete # respectively. -add: olcAccess olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=fripostVirtualDomain) attrs=children by users +w -- +# # 1. Domain owners can edit their entry's attributes. # 2. So can domain postmasters. # 3. Domain users can read the public domain attributes. # 4. So can users with "canCreateAlias" or "canCreateML" access. -add: olcAccess olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualDomain) attrs=fvd,fripostIsStatusActive,description @@ -128,22 +117,20 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ by dnattr=fripostPostmaster write by dn.onelevel,expand="$1" read by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" read -- +# # 1. Domain owners can edit their entry's attributes. # 2. So can domain postmasters. -add: olcAccess olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=fripostVirtualDomain) attrs=@fripostVirtualDomain by dnattr=fripostOwner write by dnattr=fripostPostmaster write by users +0 -- +# # 1. Domain owners can delete the domain (and read the entry). # 2. So can domain postmasters. # 3. Domain users can read the domain entry (but not delete it). # 4. So can users with "canCreateAlias" or "canCreateML" rights. -add: olcAccess olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualDomain) attrs=entry @@ -152,46 +139,41 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ by dn.onelevel,expand="$1" +rd by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" +rd by users +0 -- +# # Noone (but the managers) can change quotas. -add: olcAccess olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualMailbox) attrs=fripostMailboxQuota by self read by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read -- +# # 1. Users can modify their own entry. # 2. So can their postmasters. -add: olcAccess olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualMailbox) attrs=@FripostVirtualMailbox by self write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write -- +# # 1. Postmasters can create mailboxes (but not delete them). # (Provided that they have +a access to the parent's "children" attribute.) # 2. Users can read their entry (but not delete it). -add: olcAccess olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualMailbox) attrs=entry by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard by self +rd -- +# # Reserved aliases cannot be deactivated. (But the alias definition may be changed by the # domain owner.) -add: olcAccess olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualAlias) attrs=fripostIsStatusActive,fripostOwner,fva by group/fripostVirtualDomain/fripostOwner.expand="$2" read by group/fripostVirtualDomain/fripostPostmaster.expand="$2" read by users +0 -- +# # Reserved aliases cannot be deleted. -add: olcAccess olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualAlias) attrs=entry @@ -199,11 +181,10 @@ olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHost by group/fripostVirtualDomain/fripostPostmaster.expand="$2" +ard by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a by users +0 -- +# # 1. The alias owner can list the ownership of the entry. # 2. The domain owner can add/delete/change the ownership of the entry. # 3. So can the domain postmasters. -add: olcAccess olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualAlias) attrs=fripostOwner @@ -211,24 +192,22 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by group/fripostVirtualDomain/fripostOwner.expand="$1" write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write by users +0 -- +# # 1. The alias owners can edit the rest of their entry's attributes. # 2. So can the domain owners. # 3. So can the domain postmasters. -add: olcAccess olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualAlias) attrs=@FripostVirtualAlias by dnattr=fripostOwner write by group/fripostVirtualDomain/fripostOwner.expand="$1" write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write -- +# # 1. The alias owners can read and delete the entry. # 2. So can the domain owner. # 3. So can the domain postmaster. # 4. Users with "canCreateAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain. # (But *not* delete them, unless also owner.) -add: olcAccess olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualAlias) attrs=entry @@ -237,11 +216,10 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a by users +0 -- +# # 1. The mailing list owner can list the ownership of the entry. # 2. The domain owner can add/delete/change the ownership of the entry. # 3. So can the domain postmasters. -add: olcAccess olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualML) attrs=fripostOwner @@ -249,35 +227,32 @@ olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripo by group/fripostVirtualDomain/fripostOwner.expand="$1" write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write by users +0 -- +# # 1. The mailing list owner read (but not edit) the transport-related attributes. # 2. So can the domain ower. # 3. So can the domain postmaster. -add: olcAccess olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualML) attrs=fripostMLManager,fripostMLCommand by dnattr=fripostOwner read by group/fripostVirtualDomain/fripostOwner.expand="$1" read by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read -- +# # 1. The mailing list owners can edit their entry's attributes. # 2. So can the domain owners. # 3. So can the domain postmasters. -add: olcAccess olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualML) attrs=@FripostVirtualML by dnattr=fripostOwner write by group/fripostVirtualDomain/fripostOwner.expand="$1" write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write -- +# # 1. The mailing list owners can read and delete the entry. # 2. So can the domain's Owner. # 3. So can the domain's Postmaster. # 4. Users with "canCreateML" capability (either explicitely, or as a wildcard) for the domain can create mailing lists for that domain. # (But *not* delete them, unless also owner.) -add: olcAccess olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualML) attrs=entry @@ -286,8 +261,7 @@ olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripo by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd by set.exact="this/-1/fripostCanCreateML & (user | user/-1)" +a by users +0 -- +# # Catch the "break" control above. -add: olcAccess olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" by users +0 diff --git a/ldap/modules.ldif b/ldap/modules.ldif index 0e63819..cc4da57 100644 --- a/ldap/modules.ldif +++ b/ldap/modules.ldif @@ -2,7 +2,7 @@ # # ldapmodify -Y EXTERNAL -H ldapi:/// -f modules.ldif # -# It will load the "syncprov" module. +# It will load the "syncprov" and "constraint" modules. # # # References: @@ -14,3 +14,6 @@ dn: cn=module{0}, cn=config changetype: modify add: olcModuleLoad olcModuleLoad: syncprov.la +- +add: olcModuleLoad +olcModuleLoad: constraint.la diff --git a/ldap/populate.ldif b/ldap/populate.ldif index 57681b5..cd2b5f2 100644 --- a/ldap/populate.ldif +++ b/ldap/populate.ldif @@ -5,7 +5,7 @@ # It will populate the directory for testing purposes. # If "o=mailHosting,dc=fripost,dc=dev" exists, you can delete it with # -# ldapdelete -Y EXTERNAL -H ldapi:/// -r "ou=virtual,o=mailHosting,dc=fripost,dc=dev" +# ldapdelete -Y EXTERNAL -H ldapi:/// -r "o=mailHosting,dc=fripost,dc=dev" # ou=quotas,o=mailHosting,dc=fripost,dc=dev # |- fvd=fripost.org -- cgit v1.2.3