authorGuilhem Moulin <guilhem.moulin@fripost.org>2012-09-09 23:26:26 +0200
committerGuilhem Moulin <guilhem.moulin@fripost.org>2012-09-09 23:26:26 +0200
commit0bed9611730fc434dd55175bc947dc09fc430710 (patch)
tree0f9dfd3e77f56ffc2ce1a1df413cd8b2fa8034c6
parent09ca4fea45f2548d429a59a742593ebb5ebcbfab (diff)
SASL proxy authorization.
-rw-r--r--ldap/Makefile18
-rw-r--r--ldap/acl.ldif103
-rw-r--r--ldap/authz.ldif24
-rw-r--r--ldap/base.ldif30
-rw-r--r--ldap/constraint.ldif28
-rw-r--r--ldap/database.ldif2
-rw-r--r--ldap/fripost.ldif28
-rw-r--r--ldap/index.ldif2
-rw-r--r--ldap/populate.ldif143
-rw-r--r--ldap/syncrepl.ldif4
-rwxr-xr-xldap/test-user-acl.sh224
11 files changed, 365 insertions, 241 deletions
diff --git a/ldap/Makefile b/ldap/Makefile
index 8d6868f..01f20fd 100644
--- a/ldap/Makefile
+++ b/ldap/Makefile
@@ -4,6 +4,7 @@ TMPSLAPD := /tmp/$(shell mktemp -u slapd.d-XXXXXX)
BACKUPDB := /tmp/$(shell mktemp -u db-XXXXXX.ldif)
BACKUPCONFIG := /tmp/$(shell mktemp -u config-XXXXXX.ldif)
NUM := $(shell ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=$(SUFFIX)" dn | sed -e '/^$$/d' -e 's/^dn: //')
+NUM2 := $(shell echo "$(NUM)" | sed -re 's/(.*),(cn=config)$$/\2\/\1/')
SCHEMA := $(shell grep -i '^dn: ' fripost.ldif | sed -re 's/^dn: cn=([^,]+),.*/\1/')
all:
@@ -29,6 +30,13 @@ install-mx:
@rmdir "$(BACKUPSLAPD)"
+install:
+ # ldapadd -Y EXTERNAL -H ldapi:/// -f fripost.ldif
+ # ldapadd -Y EXTERNAL -H ldapi:/// -f index.ldif
+ # ldapadd -Y EXTERNAL -H ldapi:/// -f constraint.ldif
+ # ldapadd -Y EXTERNAL -H ldapi:/// -f acl.ldif
+ # ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
+ # ldapadd -Y EXTERNAL -H ldapi:/// -f populate.ldif
install-schema:
@ldapadd -Q -Y EXTERNAL -H ldapi:/// -f fripost.ldif
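Review bot: The new `install` target's recipe consists only of `#`-prefixed lines, which the shell treats as comments, so `make install` succeeds while doing nothing and the load order the comments spell out (schema, index, constraint, acl, base, populate) is never enforced. The dead text also hides that authz.ldif, added in this commit, is absent from the list even though the `by * =x` rule in acl.ldif exists only to support it. Either drop the target or express the sequence as prerequisites on the existing per-file targets (`install-schema`, `install-acl`, …), e.g. `install: install-schema install-acl` extended with the other steps and declared in `.PHONY`, with authz.ldif loaded in the same chain; populate.ldif is described as test data and should not be part of an install. The `install-schema` recipe continues below the hunk.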
@@ -40,7 +48,7 @@ install-acl:
uninstall:
@echo "The database - suffix \"$(SUFFIX)\" - will be saved into \`$(BACKUPDB)' (if non-empty), and then *cleared* (but not deleted)."
- @echo "Also, its ACLs and indexes will be cleared as well, if there are any."
+ @echo "Also, its ACLs, indexes and constraints will be cleared as well, if there are any."
@echo "Global configuration will be saved into \`$(BACKUPCONFIG)'."
@echo "slapd will be offline for a moment - at best."
@/bin/echo -n "Are you sure you want to continue [y/N] "
@@ -65,11 +73,13 @@ uninstall:
;else \
echo "No indexes to remove" \
;fi
-
+#
@echo "Making a new configuration directory at \`$(TMPSLAPD)'"
@mkdir -m0700 "$(TMPSLAPD)" && slapcat -n0 | slapadd -F "$(TMPSLAPD)" -n0 && chown -R 'openldap:openldap' "$(TMPSLAPD)"
-
- @echo "Deleting schema \"cn=$(SCHEMA),cn=config\"" && find "$(TMPSLAPD)" -name "cn={*}$(SCHEMA).ldif" -delete
+#
+ @echo "Deleting schema \"cn=$(SCHEMA),cn=config\"" && find "$(TMPSLAPD)/cn=config/cn=schema/" -type f -name "cn={*}$(SCHEMA).ldif" -delete
+#
+ @echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete
#
@/etc/init.d/slapd stop
#
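Review bot: The constraint cleanup at `find "$(TMPSLAPD)/$(NUM2)/" … -delete` has no guard for `$(NUM2)` being empty: `NUM` comes from an `ldapsearch` on `olcSuffix=$(SUFFIX)`, and when that returns nothing the path collapses to `$(TMPSLAPD)//`, so the `-delete` removes every `olcOverlay={*}constraint.ldif` under the whole copied cn=config tree rather than the one belonging to this database. Since `uninstall` is already destructive, fail early instead, e.g. `@test -n "$(NUM2)" || { echo "No database with suffix \"$(SUFFIX)\" found in cn=config" >&2; exit 1; }` as the first recipe line of the target. The `uninstall` recipe starts before this hunk and continues after it.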
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 755697f..eb28872 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -39,7 +39,7 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
#
# The postmaster of a domain can change (replace) his/her users' password.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualMailbox)
attrs=userPassword
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w
#
@@ -48,17 +48,27 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
by * none
+#
+# That's necessary for SASL proxy Authorize the web application.
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry,objectClass,authzTo
+ by * =x
##
## Services can read the whole subtree (minus the userPassword attributes).
#olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
-# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualML
-# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=org" read
-# by users * break
+# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualList
+# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" read
+# by users none break
+#
+# Users can search (e.g., to list the entries they have created).
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=objectClass
+ by users =s
#
# Users can search (e.g., to list the entries they have created).
# Additional permissions may be added later on.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateML
+ attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateList
by users =s break
#
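Review bot: The new `to dn.children="ou=virtual,…" attrs=objectClass by users =s` rule carries no `break`, so for authenticated users ACL evaluation stops there and none of the later rules — including the `attrs=@FripostVirtualDomain` / `@FripostVirtualMailbox` write rules, which presumably cover objectClass — can grant more than search on objectClass, meaning entries returned to users will never include that attribute. If that is deliberate, say so in the comment; otherwise `by users =s break` keeps the search grant (needed for `(objectClass=…)` filters) while letting later rules add read. The comment on the services rule is also garbled: `# That's necessary for SASL proxy Authorize the web application.` reads better as `# Auth (=x) access on these attributes is required for SASL proxy authorization (authzTo) by the web application.` Note that `by * =x` also extends to anonymous binds; since `=x` discloses no values this is a clarity point rather than a leak.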
# Everyone can delete domains. (Provided he has +d access to the "entry"
@@ -71,30 +81,29 @@ olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
# aliases.
# 2,3. People that can create aliases can list the members of the group.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
attrs=fripostCanCreateAlias
by dnattr=fripostPostmaster write
by dnattr=fripostOwner read
by set.exact="this/fripostCanCreateAlias & (user | user/-1)" read
#
-# 1. The postmaster of a domain can give (or take back) people the right to create
-# mailing lists.
-# 2,3. People that can create mailing lists can list the members of the group.
+# 1. The postmaster of a domain can give (or take back) people the right to create lists.
+# 2,3. People that can create lists can list the members of the group.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=fripostVirtualDomain)
- attrs=fripostCanCreateML
+ filter=(objectClass=FripostVirtualDomain)
+ attrs=fripostCanCreateList
by dnattr=fripostPostmaster write
by dnattr=fripostOwner read
- by set.exact="this/fripostCanCreateML & (user | user/-1)" read
+ by set.exact="this/fripostCanCreateList & (user | user/-1)" read
#
# 1-3. Noone (but the managers) can appoint domain Owners or Postmasters.
-# But people that can create aliases and mailing lists can list the members of their group.
+# But people that can create aliases and lists can list the members of their group.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
attrs=fripostOwner,fripostPostmaster
by dnattr=fripostOwner read
by dnattr=fripostPostmaster read
- by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML)& (user | user/-1)" read
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList)& (user | user/-1)" read
by dn.onelevel,expand="$1" +d
by users +0
#
@@ -102,26 +111,26 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
# kid's "entry" attribute, which require +a and +z to add and delete
# respectively.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
attrs=children
by users +w
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
# 3. Domain users can read the public domain attributes.
-# 4. So can users with "canCreateAlias" or "canCreateML" access.
+# 4. So can users with "canCreateAlias" or "canCreateList" access.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
attrs=fvd,fripostIsStatusActive,description
by dnattr=fripostOwner write
by dnattr=fripostPostmaster write
by dn.onelevel,expand="$1" read
- by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" read
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" read
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
attrs=@fripostVirtualDomain
by dnattr=fripostOwner write
by dnattr=fripostPostmaster write
@@ -130,19 +139,19 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
# 1. Domain owners can delete the domain (and read the entry).
# 2. So can domain postmasters.
# 3. Domain users can read the domain entry (but not delete it).
-# 4. So can users with "canCreateAlias" or "canCreateML" rights.
+# 4. So can users with "canCreateAlias" or "canCreateList" rights.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
attrs=entry
by dnattr=fripostOwner +zrd
by dnattr=fripostPostmaster +zrd
by dn.onelevel,expand="$1" +rd
- by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" +rd
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" +rd
by users +0
#
# Noone (but the managers) can change quotas.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualMailbox)
attrs=fripostMailboxQuota
by self read
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
@@ -150,7 +159,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 1. Users can modify their own entry.
# 2. So can their postmasters.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualMailbox)
attrs=@FripostVirtualMailbox
by self write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
@@ -159,7 +168,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# (Provided that they have +a access to the parent's "children" attribute.)
# 2. Users can read their entry (but not delete it).
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualMailbox)
attrs=entry
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
by self +rd
@@ -167,7 +176,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# Reserved aliases cannot be deactivated. (But the alias definition may be changed by the
# domain owner.)
olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
attrs=fripostIsStatusActive,fripostOwner,fva
by group/fripostVirtualDomain/fripostOwner.expand="$2" read
by group/fripostVirtualDomain/fripostPostmaster.expand="$2" read
@@ -175,7 +184,7 @@ olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHost
#
# Reserved aliases cannot be deleted.
olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
attrs=entry
by group/fripostVirtualDomain/fripostOwner.expand="$2" +ard
by group/fripostVirtualDomain/fripostPostmaster.expand="$2" +ard
@@ -186,7 +195,7 @@ olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHost
# 2. The domain owner can add/delete/change the ownership of the entry.
# 3. So can the domain postmasters.
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
attrs=fripostOwner
by dnattr=fripostOwner read continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
@@ -197,7 +206,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 2. So can the domain owners.
# 3. So can the domain postmasters.
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
attrs=@FripostVirtualAlias
by dnattr=fripostOwner write
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
@@ -209,7 +218,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 4. Users with "canCreateAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain.
# (But *not* delete them, unless also owner.)
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
attrs=entry
by dnattr=fripostOwner +zrd continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
@@ -217,49 +226,49 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
by users +0
#
-# 1. The mailing list owner can list the ownership of the entry.
+# 1. The list owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
# 3. So can the domain postmasters.
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualML)
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
attrs=fripostOwner
by dnattr=fripostOwner read continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
by users +0
#
-# 1. The mailing list owner read (but not edit) the transport-related attributes.
+# 1. The list owner read (but not edit) the transport-related attributes.
# 2. So can the domain ower.
# 3. So can the domain postmaster.
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualML)
- attrs=fripostMLManager,fripostMLCommand
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
+ attrs=fripostListManager,fripostListCommand
by dnattr=fripostOwner read
by group/fripostVirtualDomain/fripostOwner.expand="$1" read
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
#
-# 1. The mailing list owners can edit their entry's attributes.
+# 1. The list owners can edit their entry's attributes.
# 2. So can the domain owners.
# 3. So can the domain postmasters.
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualML)
- attrs=@FripostVirtualML
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
+ attrs=@FripostVirtualList
by dnattr=fripostOwner write
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
#
-# 1. The mailing list owners can read and delete the entry.
+# 1. The list owners can read and delete the entry.
# 2. So can the domain's Owner.
# 3. So can the domain's Postmaster.
-# 4. Users with "canCreateML" capability (either explicitely, or as a wildcard) for the domain can create mailing lists for that domain.
+# 4. Users with "canCreateList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain.
# (But *not* delete them, unless also owner.)
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualML)
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
attrs=entry
by dnattr=fripostOwner +rzd continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" +rwd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
- by set.exact="this/-1/fripostCanCreateML & (user | user/-1)" +a
+ by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a
by users +0
#
# Catch the "break" control above.
diff --git a/ldap/authz.ldif b/ldap/authz.ldif
new file mode 100644
index 0000000..8f88d80
--- /dev/null
+++ b/ldap/authz.ldif
@@ -0,0 +1,24 @@
+# Load this file with
+#
+# ldapadd -Y EXTERNAL -H ldapi:/// -f authz.ldif
+#
+# That will allow the SASL-authenticated user (service) to be
+# reformatted into a proper DN under our services directory.
+#
+# SASL authentication can be checked with:
+#
+# ldapwhoami -W -Y PLAIN -U FPanel -H ldapi://
+# ldapwhoami -W -Y PLAIN -U FPanel -H ldapi:// -X "dn:fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+#
+# References:
+# - http://www.openldap.org/doc/admin24/sasl.html#Direct%20Mapping
+# - man 5 slapd-config
+
+
+dn: cn=config
+changetype: modify
+replace: olcAuthzRegexp
+olcAuthzRegexp: uid=([^,]+),cn=[^,]+,cn=auth cn=$1,ou=services,o=mailHosting,dc=fripost,dc=dev
+-
+replace: olcAuthzPolicy
+olcAuthzPolicy: to
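Review bot: The `olcAuthzRegexp` pattern is unanchored and accepts any SASL mechanism, so it matches `uid=…,cn=<anything>,cn=auth` wherever it occurs inside the authentication DN slapd builds; anchoring costs nothing and rules out partial matches: `olcAuthzRegexp: ^uid=([^,]+),cn=[^,]+,cn=auth$ cn=$1,ou=services,o=mailHosting,dc=fripost,dc=dev`. If a service ever binds with a realm (`uid=X,cn=REALM,cn=MECH,cn=auth`) the pattern will not match and the bind fails, which deserves a line in the header comment either way. The examples bind with `-Y PLAIN`, which sends the service password in the clear; over `ldapi://` that is acceptable, but nothing in this file keeps PLAIN off an unprotected `ldap://` listener — unless it is set elsewhere, consider `olcSaslSecProps: noanonymous,noplain`, which (as I understand Cyrus SASL) leaves PLAIN available only where an external security layer such as TLS or the ldapi socket is present. `olcAuthzPolicy: to` is the right least-privilege choice, since only the service's own `authzTo` is consulted.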
diff --git a/ldap/base.ldif b/ldap/base.ldif
new file mode 100644
index 0000000..f91946b
--- /dev/null
+++ b/ldap/base.ldif
@@ -0,0 +1,30 @@
+# Load this file with
+#
+# ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
+#
+# It will create the base directory and add services needed to for our
+# systems to work.
+# If "o=mailHosting,dc=fripost,dc=dev" exists, you can delete it with
+#
+# ldapdelete -Y EXTERNAL -H ldapi:/// -r "o=mailHosting,dc=fripost,dc=dev"
+
+
+dn: o=mailHosting,dc=fripost,dc=dev
+objectClass: organization
+description: Mail hosting
+
+
+dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: organizationalUnit
+description: Virtual mail hosting
+
+
+dn: ou=services,o=mailHosting,dc=fripost,dc=dev
+objectClass: organizationalUnit
+
+dn: cn=FPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+description: The adminstrator Web Panel
+userPassword: panel
+authzTo: dn.regex:^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
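Review bot: `userPassword: panel` puts a trivial cleartext credential into what the header describes as the base (not test) data, and the `authzTo` regex on the same entry lets whoever holds it act as any `fvu=…,fvd=…` mailbox user, so this single secret is equivalent to every user's password. Keep the real value out of the repository — generate it at deploy time with something like `slappasswd -h '{SSHA}'` and substitute it, or load this entry from a file that is not committed — and state that in the header comment. A hashed value should still work for the `-Y PLAIN` binds shown in authz.ldif, since slapd verifies PLAIN through its password-check callback, whereas DIGEST-MD5 would require cleartext; confirm against the mechanisms you intend to allow. The `authzTo` pattern itself is correctly anchored and scoped to `ou=virtual`.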
diff --git a/ldap/constraint.ldif b/ldap/constraint.ldif
new file mode 100644
index 0000000..555be85
--- /dev/null
+++ b/ldap/constraint.ldif
@@ -0,0 +1,28 @@
+# Load this file with
+#
+# ldapadd -Y EXTERNAL -H ldapi:/// -f constraint.ldif
+#
+# It will load the "constraint" overlay configuration for the database #1.
+# Ensure that it's indeed the database #1 that you want to configure:
+#
+# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn
+#
+#
+# References:
+# - http://www.openldap.org/doc/admin24/overlays.html#Constraints
+# - man 5 slapo-constraint
+
+
+dn: olcOverlay=constraint,olcDatabase={1}hdb,cn=config
+objectClass: olcOverlayConfig
+objectClass: olcConstraintConfig
+olcOverlay: constraint
+olcConstraintAttribute: fvd regex ^.+\..+$
+olcConstraintAttribute: fvu regex ^.+$
+olcConstraintAttribute: fva regex ^.+$
+olcConstraintAttribute: fvl regex ^.+$
+olcConstraintAttribute: fripostMaildrop regex ^.*@.+\..+$
+olcConstraintAttribute: fripostOptionalMaildrop regex ^.*@.+\..+$
+olcConstraintAttribute: fripostListCommand regex ^.+-.+$
+olcConstraintAttribute: fripostListManager regex ^(mailman|schleuder)$
+olcConstraintAttribute: userPassword count 1
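Review bot: The `fvd`, `fvu`, `fva` and `fvl` constraints only require a non-empty value (plus one dot for `fvd`), so RDN values containing whitespace, `@`, `*` or control characters are accepted; since these are the values the Postfix lookups mentioned in index.ldif will receive as domain names and local parts, limiting them to the characters a mailer can actually hand back is the point of the overlay, e.g. `olcConstraintAttribute: fvd regex ^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$` and `olcConstraintAttribute: fvu regex ^[A-Za-z0-9._-]+$` (the existing `(mailman|schleuder)` pattern shows these are already extended regexes). Likewise `fripostMaildrop regex ^.*@.+\..+$` admits an empty local part and several `@` signs; `^[^@[:space:]]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$` is a tighter but still simple check. The hard-coded `olcDatabase={1}hdb` DN is fragile next to the Makefile, which discovers the database number at run time; the header warns about it, but generating the DN the same way would remove the foot-gun. `userPassword count 1` is a sensible guard.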
diff --git a/ldap/database.ldif b/ldap/database.ldif
index 300d933..526cc89 100644
--- a/ldap/database.ldif
+++ b/ldap/database.ldif
@@ -18,7 +18,7 @@ olcDbCheckpoint: 512 30
# Require LDAPv3 protocol and authentication prior to directory
# operations.
olcRequires: LDAPv3 authc
-# We don't want to give "canCreate{Alias,ML}" write access to alias/ml
+# We don't want to give "canCreate{Alias,List}" write access to alias/list
# attributes.
olcAddContentAcl: FALSE
# The root user has all rights on the whole database (when SASL-binding
diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif
index 81602d5..b110ee7 100644
--- a/ldap/fripost.ldif
+++ b/ldap/fripost.ldif
@@ -58,14 +58,14 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fva'
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fvml'
- DESC 'The local part of a virtual mailing list'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fvl'
+ DESC 'The local part of a virtual list'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostMLCommand'
- DESC 'The local part of a command associated with a mailing list'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostListCommand'
+ DESC 'The local part of a command associated with a list'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} )
@@ -99,8 +99,8 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostCanCreateAlias'
DESC 'A user/domain that can create aliases for the parent domain'
SUP distinguishedName )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostCanCreateML'
- DESC 'A user/domain that can create mailing lists for the parent domain'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostCanCreateList'
+ DESC 'A user/domain that can create lists for the parent domain'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostOwner'
@@ -111,8 +111,8 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostPostmaster'
DESC 'A user that is a postmaster of the parent domain'
SUP distinguishedName )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostMLManager'
- DESC 'A mailing list manager'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostListManager'
+ DESC 'The list manager'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
@@ -124,7 +124,7 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtualDomain'
SUP top STRUCTURAL
DESC 'Virtual domain'
MUST ( fvd $ fripostIsStatusActive )
- MAY ( fripostCanCreateAlias $ fripostCanCreateML $
+ MAY ( fripostCanCreateAlias $ fripostCanCreateList $
fripostOwner $ fripostPostmaster $
fripostOptionalMaildrop $ description ) )
#
@@ -133,7 +133,7 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualMailbox'
SUP top STRUCTURAL
DESC 'Virtual mailbox'
MUST ( fvu $ userPassword $ fripostIsStatusActive )
- MAY ( fripostMailboxQuota $ fripostOptionalMaildrop $ cn $ description) )
+ MAY ( fripostMailboxQuota $ fripostOptionalMaildrop $ description) )
#
olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAlias'
SUP top STRUCTURAL
@@ -141,9 +141,9 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAlias'
MUST ( fva $ fripostMaildrop $ fripostIsStatusActive )
MAY ( fripostOwner $ description ) )
#
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualML'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualList'
SUP top STRUCTURAL
- DESC 'Mailing List'
- MUST ( fvml $ fripostMLManager $ fripostIsStatusActive )
- MAY ( fripostMLCommand $ fripostOwner $ description ) )
+ DESC 'Virtual list'
+ MUST ( fvl $ fripostListManager $ fripostIsStatusActive )
+ MAY ( fripostListCommand $ fripostOwner $ description ) )
diff --git a/ldap/index.ldif b/ldap/index.ldif
index 6d7089a..f044ebe 100644
--- a/ldap/index.ldif
+++ b/ldap/index.ldif
@@ -28,7 +28,7 @@ olcDbIndex: objectClass eq
-
# Let us make Postfix's job easier.
add: olcDbIndex
-olcDbIndex: fripostIsStatusActive,fvd,fvu,fva,fvml,fripostMLCommand,fripostMLManager eq
+olcDbIndex: fripostIsStatusActive,fvd,fvu,fva,fvl,fripostListCommand,fripostListManager eq
-
# Let us make Postfix's job easier.
add: olcDbIndex
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index cd2b5f2..475975a 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -3,9 +3,6 @@
# ldapadd -Y EXTERNAL -H ldapi:/// -f populate.ldif
#
# It will populate the directory for testing purposes.
-# If "o=mailHosting,dc=fripost,dc=dev" exists, you can delete it with
-#
-# ldapdelete -Y EXTERNAL -H ldapi:/// -r "o=mailHosting,dc=fripost,dc=dev"
# ou=quotas,o=mailHosting,dc=fripost,dc=dev
# |- fvd=fripost.org
@@ -14,37 +11,29 @@
# |-
-dn: o=mailHosting,dc=fripost,dc=dev
-objectClass: organization
-description: Mail hosting
-
-
-dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: organizationalUnit
-description: Virtual mail hosting
-
-
# An independent domain, not self managed
dn: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualDomain
+objectClass: FripostVirtualDomain
fripostCanCreateAlias: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostCanCreateML: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanCreateList: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostIsStatusActive: TRUE
dn: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualMailbox
+objectClass: FripostVirtualMailbox
userPassword: user1
fripostIsStatusActive: TRUE
fripostOptionalMaildrop: user1@external.org
+fripostOptionalMaildrop: user1@external2.org
+fripostOptionalMaildrop: user1@external3.org
dn: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualMailbox
+objectClass: FripostVirtualMailbox
userPassword: user2
fripostIsStatusActive: TRUE
# A owned alias
dn: fva=alias1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualAlias
+objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostMaildrop: user1@fripost.org
@@ -54,23 +43,23 @@ fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# An independent alias
dn: fva=alias2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualAlias
+objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: user2@fripost.org
-# A owned mailing list
-dn: fvml=ml1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualML
-fripostMLManager: mailman
+# An owned list
+dn: fvl=list1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
+fripostListManager: mailman
fripostIsStatusActive: TRUE
-fripostMLCommand: ml1-request
-fripostMLCommand: ml1-bounces
+fripostListCommand: list1-request
+fripostListCommand: list1-bounces
fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-# An independent mailing list (for user1)
-dn: fvml=ml2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualML
-fripostMLManager: schleuder
+# An independent list (for user1)
+dn: fvl=list2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
+fripostListManager: schleuder
fripostIsStatusActive: TRUE
fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# Buggy owner
@@ -79,87 +68,102 @@ fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# An independent domain, with canCreateAlias options
dn: fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualDomain
+objectClass: FripostVirtualDomain
fripostCanCreateAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostIsStatusActive: TRUE
+fripostIsStatusActive: FALSE
+description: Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
+description: tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim
+description: veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea
+description: commodo consequat. Duis aute irure dolor in reprehenderit in voluptate
+description: velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint
+description: occaecat cupidatat non proident, sunt in culpa qui officia deserunt
+description: mollit anim id est laborum.
# A owned alias
dn: fva=alias1,fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualAlias
-fripostIsStatusActive: TRUE
+objectClass: FripostVirtualAlias
+fripostIsStatusActive: FALSE
fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostMaildrop: user1@fripost.org
-# An independent domain, with canCreateML options
+# An independent domain, with canCreateList options
dn: fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualDomain
-fripostCanCreateML: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualDomain
+fripostCanCreateList: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostIsStatusActive: TRUE
-# A owned mailing list
-dn: fvml=ml1,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualML
+# An owned list
+dn: fvl=list1,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
fripostIsStatusActive: TRUE
-fripostMLManager: schleuder
+fripostListManager: schleuder
fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-# An independent domain, with both can createAlias and canCreateML options
+# An independent domain, with both can createAlias and canCreateList options
dn: fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualDomain
+objectClass: FripostVirtualDomain
fripostCanCreateAlias: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostCanCreateML: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanCreateList: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostIsStatusActive: TRUE
-# A owned mailing list
-dn: fvml=ml,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualML
+# An owned list
+dn: fvl=list,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
fripostIsStatusActive: TRUE
-fripostMLManager: mailman
+fripostListManager: mailman
fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# A owned domain
dn: fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualDomain
+objectClass: FripostVirtualDomain
fripostIsStatusActive: TRUE
fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# Buggy owner
fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
dn: fva=alias,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualAlias
+objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: user1@fripost.org
dn: fva=abuse,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualAlias
+objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: abuse@fripost.org
dn: fva=postmaster,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualAlias
+objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: postmaster@fripost.org
+description: Lorem ipsum dolor sit amet, consectetur adipisicing elit,
+ sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut
+ enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut
+ aliquip ex ea commo do consequat. Duis aute irure dolor in reprehenderit
+ in voluptate velit esse cillum dolore eu fugiat nulla pariatur.
+ Excepteur sint occaecat cupidatat non proident, sunt in culpa qui
+ officia deserunt mollit anim id est laborum.
-dn: fvml=ml,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualML
-fripostMLManager: mailman
+dn: fvl=list,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
+fripostListManager: mailman
fripostIsStatusActive: TRUE
-fripostMLCommand: ml-request
-fripostMLCommand: ml-bounces
+fripostListCommand: list-request
+fripostListCommand: list-bounces
dn: fvu=user,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualMailbox
+objectClass: FripostVirtualMailbox
userPassword: user
fripostIsStatusActive: TRUE
# A postmastered domain
dn: fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualDomain
+objectClass: FripostVirtualDomain
fripostIsStatusActive: TRUE
+fripostCanCreateAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostPostmaster: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostPostmaster: fvu=postmaster,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# Buggy owner
@@ -167,34 +171,37 @@ fripostPostmaster: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostCanCreateAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
dn: fva=alias,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualAlias
+objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: user1@fripost.org
dn: fva=abuse,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualAlias
+objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: abuse@fripost.org
fripostOwner: fvu=postmaster,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
dn: fva=postmaster,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualAlias
+objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: postmaster@fripost.org
+description: test UTF8
+description: “All we are saying is: ‘give peace a chance!’” — Joe Cocker ☮
-dn: fvml=ml,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualML
-fripostMLManager: mailman
+dn: fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
+fripostListManager: mailman
fripostIsStatusActive: TRUE
-fripostMLCommand: ml-request
-fripostMLCommand: ml-bounces
+fripostListCommand: list-request
+fripostListCommand: list-bounces
dn: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualMailbox
+objectClass: FripostVirtualMailbox
userPassword: user
fripostIsStatusActive: TRUE
+fripostMailboxQuota: 10MB
dn: fvu=postmaster,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: fripostVirtualMailbox
+objectClass: FripostVirtualMailbox
userPassword: postmaster
fripostIsStatusActive: TRUE
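Review bot: The second `description` value added under `fva=postmaster,fvd=postmastered.org` holds raw non-ASCII bytes (curly quotes, an em dash and ☮), which RFC 2849 does not allow in a plain `attr: value` line — values outside the SAFE-STRING range have to be base64-encoded as `description:: …`. OpenLDAP's ldapadd is lenient and the sibling `description: test UTF8` value suggests this is deliberate, but other LDIF consumers (or a future import through a stricter tool) may reject the file or mangle the value. Either base64-encode that line, or make the dependency explicit with a comment above it such as `# raw UTF-8 on purpose (not base64): relies on OpenLDAP's lenient LDIF parser`.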
diff --git a/ldap/syncrepl.ldif b/ldap/syncrepl.ldif
index 9dbd30a..6fe0d06 100644
--- a/ldap/syncrepl.ldif
+++ b/ldap/syncrepl.ldif
@@ -26,8 +26,8 @@ credentials="xxxxxx"
type=refreshAndPersist
retry="5 5 300 +"
searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
-filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualML))(fripostIsStatusActive=TRUE))"
-attrs="fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fvd,fvu,fva,fvml,fripostMLCommand,fripostMLManager"
+filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))(fripostIsStatusActive=TRUE))"
+attrs="fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fvd,fvu,fva,fvl,fripostListCommand,fripostListManager"
scope=sub
schemachecking=off
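Review bot: The updated `attrs=` whitelist still does not list `objectClass`, even though the `filter=` two lines above selects entries by objectClass and the consumer will presumably want to query by it too. Unless syncrepl adds objectClass implicitly regardless of `attrs` (I do not believe it does — confirm against the syncrepl section of slapd.conf(5)), replicated entries would carry no objectClass, which is presumably why `schemachecking=off` is needed and would make any consumer-side `(objectClass=FripostVirtual…)` lookup miss them; adding `objectClass` to `attrs` would fix that and allow `schemachecking=on` again. Separately, `searchbase` uses `dc=fripost,dc=org` while the fixtures in this commit use `dc=fripost,dc=dev`; presumably intentional (replica config vs. dev data), but a one-line comment saying so would save the next reader a check.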
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 26298f9..6983706 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -72,8 +72,8 @@ USERS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualMailbox" dn | \
grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvu=\1,fvd=\2/')
ALIASES=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualAlias" dn | \
grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fva=\1,fvd=\2/')
-MLS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualML" dn | \
- grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvml=\1,fvd=\2/')
+LISTS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualList" dn | \
+ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/')
########################################################################
@@ -104,9 +104,9 @@ done | isOK '=0' entry
[ $? -eq 0 ] || exit $?
-msg "Have =0 access to mailing lists entries"
-for ML in ${MLS}; do
- checkACL "" "${ML}"
+msg "Have =0 access to list entries"
+for L in ${LISTS}; do
+ checkACL "" "${L}"
done | isOK '=0' entry
[ $? -eq 0 ] || exit $?
@@ -162,34 +162,36 @@ echo "Authenticated users, access to domain entries"
# * entry:
# =s-a for all
-# +rd if children, canCreate{Alias,ML}, owner or postmaster
+# +rd if children, canCreate{Alias,List}, owner or postmaster
# +z if owner or postmaster
# * children:
# =w for all
+# * objectClass:
+# =s for all
# * fvd:
-# =rscd if children, canCreate{Alias,ML}, owner or postmaster
+# =rscd if children, canCreate{Alias,List}, owner or postmaster
# +w if owner or postmaster
# * fripostIsStatusActive
-# =rscd if children, canCreate{Alias,ML}, owner or postmaster
+# =rscd if children, canCreate{Alias,List}, owner or postmaster
# +w if owner or postmaster
# * fripostCanCreateAlias
# =rscd if canCreateAlias, owner or postmaster
# +w if postmaster
-# * fripostCanCreateML
-# =rscd if canCreateML, owner or postmaster
+# * fripostCanCreateList
+# =rscd if canCreateList, owner or postmaster
# +w if postmaster
# * fripostOwner
# =s for all
# +d if children
-# +rc if canCreate{Alias,ML}, owner or postmaster
+# +rc if canCreate{Alias,List}, owner or postmaster
# * fripostPostmaster
# =s for all
# +d if children
-# +rc if canCreate{Alias,ML}, owner or postmaster
+# +rc if canCreate{Alias,List}, owner or postmaster
# * fripostOptionalMaildrop
# =wrscd if owner or postmaster
# * description
-# =rscd if children, canCreate{Alias,ML}, owner or postmaster
+# =rscd if children, canCreate{Alias,List}, owner or postmaster
# +w if owner or postmaster
usersD () {
@@ -213,6 +215,10 @@ msg "Have =w access to \"children\""
usersD children | isOK '=w$' children
[ $? -eq 0 ] || exit $?
+msg "Have =s access to \"objectClass\""
+usersD objectClass | isOK '=s' objectClass
+[ $? -eq 0 ] || exit $?
+
msg "Have >=s access on \"entry\", \"fripostOwner\" and \"fripostPostmaster\""
usersD entry/search fripostOwner/search fripostPostmaster/search | isOK 'ALLOWED$' entry
[ $? -eq 0 ] || exit $?
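Review bot: The new `isOK '=s' objectClass` pattern is not anchored, unlike the `'=w$'` check on `children` just above it, so it also accepts any mask beginning with `=s` (e.g. `=scd`, `=scxd`) and a too-permissive ACL on objectClass would pass while the section header promises exactly `=s`. If slapacl prints the bare mask at end of line for this case as it evidently does for `=w`, the check should read `usersD objectClass | isOK '=s$' objectClass`. `isOK` and `usersD`'s body are outside this hunk.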
@@ -225,7 +231,7 @@ usersD structuralObjectClass entryUUID createTimestamp entryCSN modifiersName mo
# We check the following permissions:
# 0. Simple user
# 1. canCreateAlias (exact,wildcard)
-# 2. canCreateML (exact,wildcard)
+# 2. canCreateList (exact,wildcard)
# 3. Owner
# 4. Postmaster
@@ -271,26 +277,26 @@ done | isOK 'ALLOWED$' children
# 2
-ATTRSML="fripostOwner/read fripostOwner/compare
- fripostPostmaster/read fripostPostmaster/compare
- fripostCanCreateML/read fripostCanCreateML/search fripostCanCreateML/compare fripostCanCreateML/disclose"
-msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateML, exact)"
+ATTRSL="fripostOwner/read fripostOwner/compare
+ fripostPostmaster/read fripostPostmaster/compare
+ fripostCanCreateList/read fripostCanCreateList/search fripostCanCreateList/compare fripostCanCreateList/disclose"
+msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateList, exact)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "fripostCanCreateML=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSML}
+ search -s base -b "${D},${SUFFIX}" "fripostCanCreateList=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL}
done
done | isOK 'ALLOWED$' children
[ $? -eq 0 ] || exit $?
# 2
-msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateML, wildcard)"
+msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateList, wildcard)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "fripostCanCreateML=${DU},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSML}
+ search -s base -b "${D},${SUFFIX}" "fripostCanCreateList=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL}
done
done | isOK 'ALLOWED$' children
[ $? -eq 0 ] || exit $?
@@ -298,7 +304,7 @@ done | isOK 'ALLOWED$' children
# 3
# >=w to "children", =zrscd to "entry", >=rscd to "fripostCanCreateAlias" and
-# "fripostCanCreateML", and =wrscd to the rest (other than "Owner" and
+# "fripostCanCreateList", and =wrscd to the rest (other than "Owner" and
# Postmaster")
msg "Have =wrscd to the domain attributes (other than \"canCreate\"), and >=w to \"children\" (if Owner)"
ATTRSO="entry/delete
@@ -309,7 +315,7 @@ ATTRSO="entry/delete
for U in ${USERS}; do
for D in ${DOMAINS}; do
search -s base -b "${D},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSML} ${ATTRSO}
+ checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO}
done
done | isOK 'ALLOWED$' children
[ $? -eq 0 ] || exit $?
@@ -317,15 +323,15 @@ done | isOK 'ALLOWED$' children
# 4
# >=w to "children", =zrscd to "entry", >=rscd to "fripostCanCreateAlias" and
-# "fripostCanCreateML", and =wrscd to the rest (other than "Owner" and
+# "fripostCanCreateList", and =wrscd to the rest (other than "Owner" and
# Postmaster")
msg "Have =wrscd to the domain attributes, and >=w to \"children\" (if Postmaster)"
ATTRSP="fripostCanCreateAlias/add fripostCanCreateAlias/delete
- fripostCanCreateML/add fripostCanCreateML/delete"
+ fripostCanCreateList/add fripostCanCreateList/delete"
for U in ${USERS}; do
for D in ${DOMAINS}; do
search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSML} ${ATTRSO} ${ATTRSP}
+ checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} ${ATTRSP}
done
done | isOK 'ALLOWED$' children
[ $? -eq 0 ] || exit $?
@@ -339,8 +345,8 @@ for U in ${USERS}; do
[ "x${DU}" = "x${D}" ] || \
search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX})
(fripostCanCreateAlias=${DU},${SUFFIX})
- (fripostCanCreateML=${U},${SUFFIX})
- (fripostCanCreateML=${DU},${SUFFIX})
+ (fripostCanCreateList=${U},${SUFFIX})
+ (fripostCanCreateList=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
checkACL "${U}" "${D}" ${ATTRS0}
@@ -350,17 +356,17 @@ done | isOK 'DENIED$' entry read
# not (1 or 2 or 3 or 4)
-msg "Do not have >=rc access to \"canCreate{Alias,ML}\", \"Owner\", \"Postmaster\" (unless member)"
+msg "Do not have >=rc access to \"canCreate{Alias,List}\", \"Owner\", \"Postmaster\" (unless member)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX})
(fripostCanCreateAlias=${DU},${SUFFIX})
- (fripostCanCreateML=${U},${SUFFIX})
- (fripostCanCreateML=${DU},${SUFFIX})
+ (fripostCanCreateList=${U},${SUFFIX})
+ (fripostCanCreateList=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSML} entry/add
+ checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSL} entry/add
done
done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the count
[ $? -eq 0 ] || exit $?
@@ -382,15 +388,15 @@ done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to
# not (2 or 3 or 4)
-msg "Have =0 access to \"canCreateML\" (unless member, Owner, or Postmaster)"
+msg "Have =0 access to \"canCreateList\" (unless member, Owner, or Postmaster)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateML=${U},${SUFFIX})
- (fripostCanCreateML=${DU},${SUFFIX})
+ search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateList=${U},${SUFFIX})
+ (fripostCanCreateList=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${D}" fripostCanCreateML entry/add
+ checkACL "${U}" "${D}" fripostCanCreateList entry/add
done
done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count
[ $? -eq 0 ] || exit $?
@@ -409,7 +415,7 @@ done | isOK 'DENIED$' entry
# not 4
-msg "Do not have >=w access to \"canCreate{Alias,ML}\" (unless Postmaster)"
+msg "Do not have >=w access to \"canCreate{Alias,List}\" (unless Postmaster)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' || \
@@ -431,6 +437,8 @@ echo "Authenticated users, access to user entries"
# +a if domain postmaster
# * children:
# =0 for all
+# * objectClass:
+# =s for all
# * fvu:
# =wrscd if account owner or domain postmaster
# * userPassword:
@@ -441,8 +449,6 @@ echo "Authenticated users, access to user entries"
# =rscd if account owner or domain postmaster
# * fripostOptionalMaildrop:
# =wrscd if account owner or domain postmaster
-# * cn:
-# =wrscd if account owner or domain postmaster
# * description:
# =wrscd if account owner or domain postmaster
@@ -463,7 +469,7 @@ usersU userPassword | isOK '=w$'
[ $? -eq 0 ] || exit $?
msg "Have =wrscxd access to the other attributes of their own entry"
-usersU fvu fripostIsStatusActive fripostOptionalMaildrop cn description | isOK 'write(=wrscxd)$' fvu
+usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu
[ $? -eq 0 ] || exit $?
msg "Have >=rsd access to the \"entry\" attribute of their own entry"
@@ -475,6 +481,10 @@ msg "Have =0 access to their \"children\" and operational attributes"
usersU children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children
[ $? -eq 0 ] || exit $?
+msg "Have =s access to \"objectClass\""
+usersD objectClass | isOK '=s' objectClass
+[ $? -eq 0 ] || exit $?
+
msg "Have =0 access to other user entries (unless Postmaster)"
for U1 in ${USERS}; do
for U2 in ${USERS}; do
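Review bot: The added objectClass check in the user-entries section calls `usersD`, which iterates domain entries, so it re-runs the domain test and the objectClass access on user entries is never exercised; the preceding check uses `usersU`, which is the helper this section is about. It should read `usersU objectClass | isOK '=s$' objectClass`, anchoring the mask like the `'=0$'` pattern two lines above so that `=scd`-style masks are rejected too. `usersU` and `isOK` are defined outside this hunk.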
@@ -486,7 +496,7 @@ for U1 in ${USERS}; do
fripostIsStatusActive \
fripostMailboxQuota \
fripostOptionalMaildrop \
- cn description
+ description
done
done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
@@ -512,7 +522,7 @@ usersP userPassword | isOK '=w$'
[ $? -eq 0 ] || exit $?
msg "Have =wrscxd access to the other attributes of their users' entry (if Postmaster)"
-usersP fvu fripostIsStatusActive fripostOptionalMaildrop cn description | isOK 'write(=wrscxd)$' fvu
+usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu
[ $? -eq 0 ] || exit $?
# "+a" is needed to create new accounts. "+z" would be required to
@@ -540,6 +550,8 @@ echo "Authenticated users, access to alias entries"
# +w (regular alias) if domain owner or domain postmaster
# * children:
# =0 for all
+# * objectClass:
+# =s for all
# * fva:
# =rscd (reserved alias) if domain owner or domain postmaster
# =wrscd (regular alias) if alias owner, domain owner or domain postmaster
@@ -574,6 +586,10 @@ msg "Have =0 access to the \"children\" and operational attributes"
usersA children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children
[ $? -eq 0 ] || exit $?
+msg "Have =s access to \"objectClass\""
+usersD objectClass | isOK '=s' objectClass
+[ $? -eq 0 ] || exit $?
+
RESERVED_ATTRS="entry/delete
fva/write
fripostIsStatusActive/write"
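Review bot: The added objectClass check in the alias-entries section calls `usersD` (domain entries) instead of `usersA` used by the check just above it, so alias entries' objectClass access is not actually tested here. It should read `usersA objectClass | isOK '=s$' objectClass`; the `$` anchor matches the sibling `'=0$'` pattern and keeps a broader mask such as `=scd` from passing as `=s`. `usersA` and `isOK` are defined outside this hunk.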
@@ -739,136 +755,136 @@ done | isOK 'DENIED$' entry delete
echo
-echo "Authenticated users, access to mailing list entries"
+echo "Authenticated users, access to list entries"
# * entry:
# =s for all
-# +a if canCreateML, domain owner or domain postmaster
-# +zrd if mailing list owner, domain owner or domain postmaster
+# +a if canCreateList, domain owner or domain postmaster
+# +zrd if list owner, domain owner or domain postmaster
# * children:
# =0 for all
-# * fvml:
-# =wrscd if mailing list owner, domain owner or domain postmaster
-# * fripostMLManager:
-# =rscd if mailing list owner, domain owner or domain postmaster
+# * fvl:
+# =wrscd if list owner, domain owner or domain postmaster
+# * fripostListManager:
+# =rscd if list owner, domain owner or domain postmaster
# * fripostIsStatusActive:
-# =wrscd if mailing list owner, domain owner or domain postmaster
-# * fripostMLCommand:
-# =rscd if mailing list owner, domain owner or domain postmaster
+# =wrscd if list owner, domain owner or domain postmaster
+# * fripostListCommand:
+# =rscd if list owner, domain owner or domain postmaster
# * fripostOwner:
# =d for all
-# +rsc if mailing list owner, domain owner or domain postmaster
+# +rsc if list owner, domain owner or domain postmaster
# +w if domain owner or domain postmaster
# * description:
-# =wrscd if mailing list owner, domain owner or domain postmaster
+# =wrscd if list owner, domain owner or domain postmaster
-usersML () {
+usersL () {
for U in ${USERS}; do
- for ML in ${MLS}; do
- checkACL "${U}" "${ML}" "$@"
+ for L in ${LISTS}; do
+ checkACL "${U}" "${L}" "$@"
done
done
}
msg "Have >=s access on \"entry\" and \"fripostOwner\""
-usersML fripostOwner/search entry/search | isOK 'ALLOWED$' entry
+usersL fripostOwner/search entry/search | isOK 'ALLOWED$' entry
[ $? -eq 0 ] || exit $?
msg "Have =0 access the \"children\" and operational attributes"
-usersML children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children
+usersL children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children
[ $? -eq 0 ] || exit $?
msg "Cannot change transport-related attributes"
for U in ${USERS}; do
- for ML in ${MLS}; do
- checkACL "${U}" "${ML}" fripostMLCommand/add fripostMLCommand/delete \
- fripostMLManager/write
+ for L in ${LISTS}; do
+ checkACL "${U}" "${L}" fripostListCommand/add fripostListCommand/delete \
+ fripostListManager/write
done
-done | isOK 'DENIED$' fripostMLManager
+done | isOK 'DENIED$' fripostListManager
[ $? -eq 0 ] || exit $?
ATTRS="entry/read entry/disclose entry/delete
- fvml/write fvml/read fvml/search fvml/compare fvml/disclose
- fripostMLManager/read fripostMLManager/search fripostMLManager/compare fripostMLManager/disclose
+ fvl/write fvl/read fvl/search fvl/compare fvl/disclose
+ fripostListManager/read fripostListManager/search fripostListManager/compare fripostListManager/disclose
fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose
- fripostMLCommand/read fripostMLCommand/search fripostMLCommand/compare fripostMLCommand/disclose
+ fripostListCommand/read fripostListCommand/search fripostListCommand/compare fripostListCommand/disclose
fripostOwner/read fripostOwner/compare fripostOwner/disclose
description/add description/delete description/read description/compare description/disclose"
ATTRS2="fripostOwner/add fripostOwner/delete"
-msg "Can edit/delete mailing list (if mailing list Owner)"
+msg "Can edit/delete list (if list Owner)"
for U in ${USERS}; do
- for ML in ${MLS}; do
- search -s base -b "${ML},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${ML}" ${ATTRS}
+ for L in ${LISTS}; do
+ search -s base -b "${L},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" ${ATTRS}
done
done | isOK 'ALLOWED$' entry delete
[ $? -eq 0 ] || exit $?
-msg "Can edit/create/delete mailing list (if domain Owner)"
+msg "Can edit/create/delete list (if domain Owner)"
[ $? -eq 0 ] || exit $?
for U in ${USERS}; do
- for ML in ${MLS}; do
- DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DML},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${ML}" ${ATTRS} ${ATTRS2} entry/add
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add
done
done | isOK 'ALLOWED$' entry add
[ $? -eq 0 ] || exit $?
-msg "Can edit/create/delete mailing list (if domain Postmaster)"
+msg "Can edit/create/delete list (if domain Postmaster)"
[ $? -eq 0 ] || exit $?
for U in ${USERS}; do
- for ML in ${MLS}; do
- DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DML},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${ML}" ${ATTRS} ${ATTRS2} entry/add
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add
done
done | isOK 'ALLOWED$' entry add
[ $? -eq 0 ] || exit $?
# Needed to create new entries. ("+z" is required to delete, btw.)
-msg "Have >=a access to \"entry\" (if CanCreateML, exact)"
+msg "Have >=a access to \"entry\" (if CanCreateList, exact)"
for U in ${USERS}; do
- for ML in ${MLS}; do
- DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DML},${SUFFIX}" "fripostCanCreateML=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${ML}" entry/add
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostCanCreateList=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" entry/add
done
done | isOK 'ALLOWED$' entry
[ $? -eq 0 ] || exit $?
# Needed to create new entries. ("+z" is required to delete, btw.)
-msg "Have >=a access to \"entry\" (if CanCreateML, wildcard)"
+msg "Have >=a access to \"entry\" (if CanCreateList, wildcard)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- for ML in ${MLS}; do
- DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DML},${SUFFIX}" "fripostCanCreateML=${DU},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${ML}" entry/add
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostCanCreateList=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" entry/add
done
done | isOK 'ALLOWED$' entry
[ $? -eq 0 ] || exit $?
-msg "Do not have >=a access to \"entry\" (unless canCreateML)"
+msg "Do not have >=a access to \"entry\" (unless canCreateList)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- for ML in ${MLS}; do
- DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DML},${SUFFIX}" "(|(fripostCanCreateML=${U},${SUFFIX})
- (fripostCanCreateML=${DU},${SUFFIX})
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "(|(fripostCanCreateList=${U},${SUFFIX})
+ (fripostCanCreateList=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${ML}" entry/add
+ checkACL "${U}" "${L}" entry/add
done
done | isOK 'DENIED$' entry
[ $? -eq 0 ] || exit $?
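Review bot: The `[ $? -eq 0 ] || exit $?` placed directly after `msg "Can edit/create/delete list (if domain Owner)"`, and the matching one after the domain-Postmaster `msg`, test the exit status of `msg` rather than of any check, so they are no-ops; the effective checks are the ones after each `done | isOK 'ALLOWED$' entry add`. Both lines predate this commit but were carried into the renamed block, and dropping them would stop a reader from assuming a check happens there. More broadly, probes such as `"fripostOwner=${U},${SUFFIX}"` interpolate DNs into LDAP filters unescaped; since `${USERS}` and `${LISTS}` are read from the directory itself this is not an injection surface, but an RDN containing `(`, `)`, `*` or `\` would silently turn a membership probe into a non-match and make the DENIED branches run against members, so escaping filter values per RFC 4515 would make the negative tests trustworthy. `search`, `checkACL` and `isOK` are defined outside this hunk.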
@@ -886,14 +902,14 @@ done | isOK 'DENIED$' fripostOwner add
[ $? -eq 0 ] || exit $?
-msg "Have no access to mailing list entries (unless mailing list owner/domain owner/domain postmaster)"
+msg "Have no access to list entries (unless list owner/domain owner/domain postmaster)"
for U in ${USERS}; do
- for ML in ${MLS}; do
- DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${ML},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' || \
- search -s base -b "${DML},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${L},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' || \
+ search -s base -b "${DL},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${ML}" ${ATTRS} entry/delete
+ checkACL "${U}" "${L}" ${ATTRS} entry/delete
done
done | isOK 'DENIED$' entry delete
[ $? -eq 0 ] || exit $?