authorGuilhem Moulin <guilhem.moulin@fripost.org>2012-09-15 20:03:42 +0200
committerGuilhem Moulin <guilhem.moulin@fripost.org>2012-09-15 20:09:29 +0200
commit04afadf39d068affc59685fc433d3fcba2c9b9ff (patch)
tree7d104c6e2fb2e7506023ce01665ea4cecfd910ff
parent695e6662e46545d08213d3eec0c4f9956333a28e (diff)
Reserved local parts.
-rw-r--r--ldap/acl.ldif26
-rw-r--r--ldap/populate.ldif31
-rwxr-xr-xldap/test-user-acl.sh87
3 files changed, 21 insertions, 123 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 212d4d9..e52e4d5 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -84,12 +84,16 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateList
by users =s break
#
-# Everyone can delete domains. (Provided he has +d access to the "entry"
-# attribute of the domains he wants to delete.)
+# Everyone can delete domains. (Provided s/he has +d access to the "entry"
+# attribute of the domains s/he wants to delete.)
olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=children
by users =z
#
+# Reserved local parts are reserved.
+olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ by * none
+#
# 1. The postmaster of a domain can give (or take back) people the right to create
# aliases.
# 2,3. People that can create aliases can list the members of the group.
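Review bot: The new `by * none` clause on the reserved-local-part pattern (the `olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),…"` rule) denies every bound identity, not only ordinary users: slapd evaluates olcAccess clauses in order and the first matching `to` decides, so any grant further down for the domain owner, the postmaster group or a delivery/service DN on `fva=postmaster,…` is now unreachable, and the deleted comment's promise that "the alias definition may be changed by the domain owner" no longer holds (only the rootdn, which bypasses access control, can touch these entries). Because the clause has no `attrs=`, it also covers `entry` and `children`, which is what makes the local parts uncreatable as well as unreadable — worth stating, since a reader may otherwise assume only modification is blocked. If this is intended, with postmaster@/abuse@ handled outside the LDAP tree, say so where the rule sits: `# Reserved local parts (postmaster, abuse) cannot be read, created, modified or deleted by anyone via LDAP; only the rootdn bypasses this. No attrs= filter: entry and children are covered too. Keep this rule above any grant on the virtual subtree.`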
@@ -186,24 +190,6 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
by self +rd
#
-# Reserved aliases cannot be deactivated. (But the alias definition may be changed by the
-# domain owner.)
-olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualAlias)
- attrs=fripostIsStatusActive,fripostOwner,fva
- by group/fripostVirtualDomain/fripostOwner.expand="$2" read
- by group/fripostVirtualDomain/fripostPostmaster.expand="$2" read
- by users +0
-#
-# Reserved aliases cannot be deleted.
-olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualAlias)
- attrs=entry
- by group/fripostVirtualDomain/fripostOwner.expand="$2" +ard
- by group/fripostVirtualDomain/fripostPostmaster.expand="$2" +ard
- by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
- by users +0
-#
# 1. The alias owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
# 3. So can the domain postmasters.
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index 70dcc3e..e8098fd 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -22,6 +22,7 @@ dn: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualMailbox
userPassword: user1
fripostIsStatusActive: TRUE
+fripostOptionalMaildrop: user1@fripost.org
fripostOptionalMaildrop: user1@external.org
fripostOptionalMaildrop: user1@external2.org
fripostOptionalMaildrop: user1@external3.org
@@ -132,23 +133,6 @@ objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: user1@fripost.org
-dn: fva=abuse,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualAlias
-fripostIsStatusActive: TRUE
-fripostMaildrop: abuse@fripost.org
-
-dn: fva=postmaster,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualAlias
-fripostIsStatusActive: TRUE
-fripostMaildrop: postmaster@fripost.org
-description: Lorem ipsum dolor sit amet, consectetur adipisicing elit,
- sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut
- enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
- aliquip ex ea commo do consequat. Duis aute irure dolor in reprehenderit
- in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
- Excepteur sint occaecat cupidatat non proident, sunt in culpa qui
- officia deserunt mollit anim id est laborum.
-
dn: fvl=list,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualList
fripostListManager: mailman
@@ -182,19 +166,6 @@ objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: user1@fripost.org
-dn: fva=abuse,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualAlias
-fripostIsStatusActive: TRUE
-fripostMaildrop: abuse@fripost.org
-fripostOwner: fvu=postmaster,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-
-dn: fva=postmaster,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualAlias
-fripostIsStatusActive: TRUE
-fripostMaildrop: postmaster@fripost.org
-description: test UTF8
-description: “All we are saying is: ‘give peace a chance!’” — Joe Cocker ☮
-
dn: fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualList
fripostListManager: mailman
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 6983706..b3fd930 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -545,26 +545,21 @@ echo "Authenticated users, access to alias entries"
# * entry:
# =s for all
# +a if canCreateAlias
-# +rd if alias owner, domain owner or domain postmaster
-# +z (regular alias) if alias owner
-# +w (regular alias) if domain owner or domain postmaster
+# +zrd if alias owner, domain owner or domain postmaster
# * children:
# =0 for all
# * objectClass:
# =s for all
# * fva:
-# =rscd (reserved alias) if domain owner or domain postmaster
-# =wrscd (regular alias) if alias owner, domain owner or domain postmaster
+# =wrscd if alias owner, domain owner or domain postmaster
# * fripostMaildrop:
# =wrscd if alias owner, domain owner or domain postmaster
# * fripostIsStatusActive:
-# =rscd (reserved alias) if domain owner or domain postmaster
-# =wrscd (regular alias) if alias owner, domain owner or domain postmaster
+# =wrscd if alias owner, domain owner or domain postmaster
# * fripostOwner:
# =d for all
-# +rsc (reserved alias) if domain owner or domain postmaster
-# +rsc (regular alias) if alias owner, domain owner or domain postmaster
-# +w (regular alias) if domain owner or domain postmaster
+# +rsc if alias owner, domain owner or domain postmaster
+# +w if domain owner or domain postmaster
# * description:
# =wrscd if alias owner, domain owner or domain postmaster
@@ -590,70 +585,16 @@ msg "Have =s access to \"objectClass\""
usersD objectClass | isOK '=s' objectClass
[ $? -eq 0 ] || exit $?
-RESERVED_ATTRS="entry/delete
- fva/write
- fripostIsStatusActive/write"
-RESERVED_ATTRS2="fripostOwner/add fripostOwner/delete"
-ATTRS="entry/read entry/disclose
- fva/read fva/search fva/compare fva/disclose
+ATTRS="entry/delete entry/read entry/disclose
+ fva/write fva/read fva/search fva/compare fva/disclose
fripostMaildrop/add fripostMaildrop/delete fripostMaildrop/read fripostMaildrop/search fripostMaildrop/compare fripostMaildrop/disclose
- fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose
+ fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose
fripostOwner/read fripostOwner/compare fripostOwner/disclose
description/add description/delete description/read description/search description/compare description/disclose"
+ATTRSO="fripostOwner/add fripostOwner/delete"
-msg "Cannot delete/deactivate/change ownership of reserved aliases"
-for U in ${USERS}; do
- for A in ${ALIASES}; do
- DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')"
- [ "x${LA}" = "xabuse" -o "x${LA}" = "xpostmaster" ] && \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS}
- done
-done | isOK 'DENIED$' entry
-[ $? -eq 0 ] || exit $?
-
-
-msg "Can delete/deactivate/change ownership of regular aliases (if alias Owner)"
-for U in ${USERS}; do
- for A in ${ALIASES}; do
- DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')"
- [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \
- search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS}
- done
-done | isOK 'ALLOWED$' entry
-[ $? -eq 0 ] || exit $?
-
-
-msg "Can delete/deactivate/change ownership of regular aliases (if domain Owner)"
-for U in ${USERS}; do
- for A in ${ALIASES}; do
- DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')"
- [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \
- search -s base -b "${DA},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${RESERVED_ATTRS2}
- done
-done | isOK 'ALLOWED$' entry
-[ $? -eq 0 ] || exit $?
-
-
-msg "Can delete/deactivate/change ownership of regular aliases (if domain Postmaster)"
-for U in ${USERS}; do
- for A in ${ALIASES}; do
- DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')"
- [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \
- search -s base -b "${DA},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${RESERVED_ATTRS2}
- done
-done | isOK 'ALLOWED$' entry
-[ $? -eq 0 ] || exit $?
-
-
-msg "Can change destination (if alias Owner)"
+msg "Can edit alias (if alias Owner)"
for U in ${USERS}; do
for A in ${ALIASES}; do
search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
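Review bot: The removed `Cannot delete/deactivate/change ownership of reserved aliases` check is not replaced by anything that exercises the new `by * none` rule in acl.ldif, and the populate.ldif hunks drop the only `fva=abuse`/`fva=postmaster` fixture entries, so the reserved-local-part ACL is now entirely untested by this script. A negative check that every user is DENIED even read/add/disclose on `fva=postmaster,<domain>` and `fvu=abuse,<domain>` would pin the intended behaviour; the target DNs must not exist any more for the rule to be meaningful, so if checkACL wraps slapacl(8) its `-u` option (do not fetch the entry) is presumably needed — confirm against the helper, which is defined outside this hunk. The domain RDN can be derived from the existing ALIASES list with the same sed the surrounding loops use, so no new fixture variable is required. The `for U in ${USERS}` loop opened just above continues past the end of the hunk.
```shell
msg "Reserved local parts are denied to everyone"
for U in ${USERS}; do
    for A in ${ALIASES}; do
        DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
        for L in postmaster abuse; do
            checkACL "${U}" "fva=${L},${DA}" entry/read entry/add entry/disclose
            checkACL "${U}" "fvu=${L},${DA}" entry/read entry/add entry/disclose
        done
    done
done | isOK 'DENIED$' entry
[ $? -eq 0 ] || exit $?
# … unchanged: "Can edit alias (if alias Owner)" loop …
```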
@@ -663,7 +604,7 @@ done | isOK 'ALLOWED$' entry read
[ $? -eq 0 ] || exit $?
-msg "Can change destination and create new aliases (if domain Owner)"
+msg "Can edit alias and create new aliases (if domain Owner)"
for U in ${USERS}; do
for A in ${ALIASES}; do
DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
@@ -674,7 +615,7 @@ done | isOK 'ALLOWED$' entry add
[ $? -eq 0 ] || exit $?
-msg "Can change destination and create new aliases (if domain Postmaster)"
+msg "Can edit alias and create new aliases (if domain Postmaster)"
for U in ${USERS}; do
for A in ${ALIASES}; do
DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
@@ -731,7 +672,7 @@ for U in ${USERS}; do
DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS2}
+ checkACL "${U}" "${A}" ${ATTRSO}
done
done | isOK 'DENIED$' fripostOwner add
[ $? -eq 0 ] || exit $?
@@ -744,7 +685,7 @@ for U in ${USERS}; do
search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' || \
search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${ATTRS}
+ checkACL "${U}" "${A}" ${ATTRS} ${ATTRSO}
done
done | isOK 'DENIED$' entry delete
[ $? -eq 0 ] || exit $?