author | Guilhem Moulin <guilhem.moulin@fripost.org> | 2012-09-15 20:03:42 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem.moulin@fripost.org> | 2012-09-15 20:09:29 +0200 |
commit | 04afadf39d068affc59685fc433d3fcba2c9b9ff (patch) | |
tree | 7d104c6e2fb2e7506023ce01665ea4cecfd910ff | |
parent | 695e6662e46545d08213d3eec0c4f9956333a28e (diff) |
Reserved local parts.
-rw-r--r-- | ldap/acl.ldif | 26 | ||||
-rw-r--r-- | ldap/populate.ldif | 31 | ||||
-rwxr-xr-x | ldap/test-user-acl.sh | 87 |
3 files changed, 21 insertions, 123 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 212d4d9..e52e4d5 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -84,12 +84,16 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateList
 by users =s break
 #
-# Everyone can delete domains. (Provided he has +d access to the "entry"
-# attribute of the domains he wants to delete.)
+# Everyone can delete domains. (Provided s/he has +d access to the "entry"
+# attribute of the domains s/he wants to delete.)
 olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 attrs=children
 by users =z
 #
+# Reserved local parts are reserved.
+olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ by * none
+#
 # 1. The postmaster of a domain can give (or take back) people the right to create
 # aliases.
 # 2,3. People that can create aliases can list the members of the group.
@@ -186,24 +190,6 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
 by self +rd
 #
-# Reserved aliases cannot be deactivated. (But the alias definition may be changed by the
-# domain owner.)
-olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualAlias)
- attrs=fripostIsStatusActive,fripostOwner,fva
- by group/fripostVirtualDomain/fripostOwner.expand="$2" read
- by group/fripostVirtualDomain/fripostPostmaster.expand="$2" read
- by users +0
-#
-# Reserved aliases cannot be deleted.
-olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualAlias)
- attrs=entry
- by group/fripostVirtualDomain/fripostOwner.expand="$2" +ard
- by group/fripostVirtualDomain/fripostPostmaster.expand="$2" +ard
- by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
- by users +0
-#
 # 1. The alias owner can list the ownership of the entry.
 # 2. The domain owner can add/delete/change the ownership of the entry.
 # 3. So can the domain postmasters.
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index 70dcc3e..e8098fd 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -22,6 +22,7 @@ dn: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: FripostVirtualMailbox
 userPassword: user1
 fripostIsStatusActive: TRUE
+fripostOptionalMaildrop: user1@fripost.org
 fripostOptionalMaildrop: user1@external.org
 fripostOptionalMaildrop: user1@external2.org
 fripostOptionalMaildrop: user1@external3.org
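Review bot: The comment above the new deny rule in the hunk at -84,12, `# Reserved local parts are reserved.`, restates its own subject and leaves the reader to work out the scope from the regex, although this is the one rule that overrides every per-domain grant that follows; it should state what it protects and why its position matters. Suggested replacement: `# The local parts postmaster and abuse (RFC 2142) may not exist as a mailbox, alias or list in any domain: nobody, not even the domain owner or postmaster, can create, read or change such an entry. Keep this rule above the per-domain grants below, since the first <what> clause that matches the target decides.` The alternation `(postmaster|abuse)` is lowercase; whether a `Postmaster` RDN is also caught depends on the equality matching rule of the fvu/fva/fvl attribute types, which is not visible here — confirm against the schema and widen the pattern if they are case-sensitive. Because `by * none` also hides these entries from everyone, the postmaster@ and abuse@ mailboxes of each domain presumably have to be served outside the directory; that assumption belongs in the same comment.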
@@ -132,23 +133,6 @@ objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: user1@fripost.org -dn: fva=abuse,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: FripostVirtualAlias -fripostIsStatusActive: TRUE -fripostMaildrop: abuse@fripost.org - -dn: fva=postmaster,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: FripostVirtualAlias -fripostIsStatusActive: TRUE -fripostMaildrop: postmaster@fripost.org -description: Lorem ipsum dolor sit amet, consectetur adipisicing elit, - sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut - enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut - aliquip ex ea commo do consequat. Duis aute irure dolor in reprehenderit - in voluptate velit esse cillum dolore eu fugiat nulla pariatur. - Excepteur sint occaecat cupidatat non proident, sunt in culpa qui - officia deserunt mollit anim id est laborum. - dn: fvl=list,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualList fripostListManager: mailman @@ -182,19 +166,6 @@ objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: user1@fripost.org -dn: fva=abuse,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: FripostVirtualAlias -fripostIsStatusActive: TRUE -fripostMaildrop: abuse@fripost.org -fripostOwner: fvu=postmaster,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev - -dn: fva=postmaster,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: FripostVirtualAlias -fripostIsStatusActive: TRUE -fripostMaildrop: postmaster@fripost.org -description: test UTF8 -description: “All we are saying is: ‘give peace a chance!’” — Joe Cocker ☮ - dn: fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualList fripostListManager: mailman diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh index 6983706..b3fd930 100755 
--- a/ldap/test-user-acl.sh +++ b/ldap/test-user-acl.sh @@ -545,26 +545,21 @@ echo "Authenticated users, access to alias entries" # * entry: # =s for all # +a if canCreateAlias -# +rd if alias owner, domain owner or domain postmaster -# +z (regular alias) if alias owner -# +w (regular alias) if domain owner or domain postmaster +# +zrd if alias owner, domain owner or domain postmaster # * children: # =0 for all # * objectClass: # =s for all # * fva: -# =rscd (reserved alias) if domain owner or domain postmaster -# =wrscd (regular alias) if alias owner, domain owner or domain postmaster +# =wrscd if alias owner, domain owner or domain postmaster # * fripostMaildrop: # =wrscd if alias owner, domain owner or domain postmaster # * fripostIsStatusActive: -# =rscd (reserved alias) if domain owner or domain postmaster -# =wrscd (regular alias) if alias owner, domain owner or domain postmaster +# =wrscd if alias owner, domain owner or domain postmaster # * fripostOwner: # =d for all -# +rsc (reserved alias) if domain owner or domain postmaster -# +rsc (regular alias) if alias owner, domain owner or domain postmaster -# +w (regular alias) if domain owner or domain postmaster +# +rsc if alias owner, domain owner or domain postmaster +# +w if domain owner or domain postmaster # * description: # =wrscd if alias owner, domain owner or domain postmaster 
@@ -590,70 +585,16 @@ msg "Have =s access to \"objectClass\"" usersD objectClass | isOK '=s' objectClass [ $? -eq 0 ] || exit $? -RESERVED_ATTRS="entry/delete - fva/write - fripostIsStatusActive/write" -RESERVED_ATTRS2="fripostOwner/add fripostOwner/delete" -ATTRS="entry/read entry/disclose - fva/read fva/search fva/compare fva/disclose +ATTRS="entry/delete entry/read entry/disclose + fva/write fva/read fva/search fva/compare fva/disclose fripostMaildrop/add fripostMaildrop/delete fripostMaildrop/read fripostMaildrop/search fripostMaildrop/compare fripostMaildrop/disclose - fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose + fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose description/add description/delete description/read description/search description/compare description/disclose" +ATTRSO="fripostOwner/add fripostOwner/delete" -msg "Cannot delete/deactivate/change ownership of reserved aliases" -for U in ${USERS}; do - for A in ${ALIASES}; do - DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')" - [ "x${LA}" = "xabuse" -o "x${LA}" = "xpostmaster" ] && \ - checkACL "${U}" "${A}" ${RESERVED_ATTRS} - done -done | isOK 'DENIED$' entry -[ $? -eq 0 ] || exit $? - - -msg "Can delete/deactivate/change ownership of regular aliases (if alias Owner)" -for U in ${USERS}; do - for A in ${ALIASES}; do - DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')" - [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \ - search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${A}" ${RESERVED_ATTRS} - done -done | isOK 'ALLOWED$' entry -[ $? -eq 0 ] || exit $? 
- - -msg "Can delete/deactivate/change ownership of regular aliases (if domain Owner)" -for U in ${USERS}; do - for A in ${ALIASES}; do - DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')" - [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \ - search -s base -b "${DA},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${RESERVED_ATTRS2} - done -done | isOK 'ALLOWED$' entry -[ $? -eq 0 ] || exit $? - - -msg "Can delete/deactivate/change ownership of regular aliases (if domain Postmaster)" -for U in ${USERS}; do - for A in ${ALIASES}; do - DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - LA="$(echo "${A}" | sed -re 's/^fva=(.*),fvd=[^,]+$/\1/')" - [ "x${LA}" != "xabuse" -a "x${LA}" != "xpostmaster" ] && \ - search -s base -b "${DA},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${RESERVED_ATTRS2} - done -done | isOK 'ALLOWED$' entry -[ $? -eq 0 ] || exit $? - - -msg "Can change destination (if alias Owner)" +msg "Can edit alias (if alias Owner)" for U in ${USERS}; do for A in ${ALIASES}; do search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ @@ -663,7 +604,7 @@ done | isOK 'ALLOWED$' entry read [ $? -eq 0 ] || exit $? -msg "Can change destination and create new aliases (if domain Owner)" +msg "Can edit alias and create new aliases (if domain Owner)" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" @@ -674,7 +615,7 @@ done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? -msg "Can change destination and create new aliases (if domain Postmaster)" +msg "Can edit alias and create new aliases (if domain Postmaster)" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" 
@@ -731,7 +672,7 @@ for U in ${USERS}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${A}" ${RESERVED_ATTRS2} + checkACL "${U}" "${A}" ${ATTRSO} done done | isOK 'DENIED$' fripostOwner add [ $? -eq 0 ] || exit $? @@ -744,7 +685,7 @@ for U in ${USERS}; do search -s base -b "${A},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' || \ search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${A}" ${RESERVED_ATTRS} ${ATTRS} + checkACL "${U}" "${A}" ${ATTRS} ${ATTRSO} done done | isOK 'DENIED$' entry delete [ $? -eq 0 ] || exit $? |
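Review bot: The hunk at -590,70 drops the only loop that probed the reserved names (`msg "Cannot delete/deactivate/change ownership of reserved aliases"`), and nothing in the new code checks that the `by * none` rule added to acl.ldif in this commit actually denies access to `fva=postmaster,...` and `fva=abuse,...`, so the new deny rule ships without a negative test. The fixtures for those aliases are removed from populate.ldif in the same commit, so such a check only works if `checkACL` (defined outside the hunk) can probe a DN with no entry behind it — worth confirming before adding the loop sketched below, which reuses only names already present in the hunk. Separately, the new `ATTRSO` assignment carries no comment and its name does not say why `fripostOwner/add` and `fripostOwner/delete` are kept apart from `ATTRS`; a line such as `# ownership changes are granted to domain owners/postmasters only (see the fripostOwner block above)` above it would make that explicit. The `for U` loop that closes the hunk continues past its last line.
```shell
# … unchanged: ATTRS / ATTRSO assignments …

msg "Cannot create/read/change reserved local parts (postmaster, abuse) in any domain"
for U in ${USERS}; do
    for A in ${ALIASES}; do
        DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
        for L in postmaster abuse; do
            checkACL "${U}" "fva=${L},${DA}" ${ATTRS} ${ATTRSO}
        done
    done
done | isOK 'DENIED$' entry
[ $? -eq 0 ] || exit $?

# … unchanged: "Can edit alias (if alias Owner)" test …
```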