authorGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-22 01:41:47 +0100
committerGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-22 01:41:47 +0100
commit48d39ff63e2bfa2bdb7759bc4a99f69778d5ee22 (patch)
treebd006f42a8cfe578decf237f318952869137d707
parent4ea8953f745a08d13c8966588b81f667f2339103 (diff)
Reorganized the ACL.
-rw-r--r--ldap/acl.ldif190
-rw-r--r--ldap/base.ldif5
-rwxr-xr-xldap/test-user-acl.sh60
3 files changed, 130 insertions, 125 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 3cbbd24..eef10a9 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -24,147 +24,112 @@ dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
#
-# Services have read access to the attribute they need. We put this ACL
-# first as it's likely to be the most used.
-# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
-# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
-# TODO: IMAP, SASLauth, Amavis
-# TODO: if possible, make use GSSAPI/EXTERNAL for the services.
+########################################################################
+# Most common services: Postfix, Amavis, SASLauth, Dovecot
+# (Most used ACLs are cheaper when written first.)
+#
+# Everyone can search the objectclass
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
- filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
- by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
- by users =0 break
+ attrs=objectClass
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =s
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
#
+# Postfix have read access to the attribute they need.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=objectClass,fripostPendingToken,fripostIsStatusActive
- filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
- by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd
+ attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
+ filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(fripostIsStatusActive=FALSE))(!(fripostPendingToken=*)))
+ by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
by users =0 break
#
-#olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
-# attrs=entry,objectClass,fripostIsStatusActive,fripostPendingToken,fvu,@amavisAccount
-# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostPendingToken=FALSE))
-# by dn.exact="gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth" =rsd
-# by users =0 break
-#
# Anonymous can authenticate into the services. (But not read or write the password.)
olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
by realanonymous =xd
#
# That's necessary for SASL proxy Authorize the web application.
-olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,objectClass,authzTo
by realanonymous =x
#
-# 1. Managers have read/write access to the "virtual" subtree.
-# 2. The list creator needs further access.
-# 3. Other services have no access other than the one above.
-# 4,5. Other users need further access.
-olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
- by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
- by anonymous =0 break
-#
-# 1. Users can change their password (but not read it).
-# 2. Anonymous users can bind.
-# 3. Else, we inspect the 2 following ACLs.
-olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- attrs=userPassword
- by realself =w
- by anonymous =xd
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =0 break
-#
-# The postmaster of a domain can change (replace) his/her users' password (but not read it).
+# 1. Anonymous users can bind.
+# 2. Users can change their password (but not read it).
+# 3. The postmaster of a domain can change (replace) his/her users' password (but not read it).
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=userPassword
+ by realanonymous =xd
+ by realself =w
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w
+ by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
#
-# No permission on the userPassword attribute for other users.
-# (That's a catch-all, just to be sure that services, etc. cannot read the passwords).
-olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
- attrs=userPassword
- by * =0
#
-# 1. Users can search (e.g., to list the entries they have created).
-# 2. So can the list creator.
-olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=objectClass
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
- by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
+########################################################################
+# Virtual subtree, general access
#
-# 1. Users can search (e.g., to list the entries they have created).
-# 2. Additional permissions may be added later on.
+# 1,2. Services that need particular access on the tree.
+# 3. Other users need further access.
+# 4. Managers have read/write access to the "virtual" subtree.
+# 5. Other services have no access other than the one above.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
-#
-# Noone may create children under a pending entry. This is important
-# since otherwise we couldn't delete old pending entries
-# non-recursively.
-olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- filter=(fripostPendingToken=*)
- attrs=children
- by * =0
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
+ by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0
#
# Our service can list and delete (old) pending entries.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
filter=(fripostPendingToken=*)
attrs=entry
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.children="o=mailHosting,dc=fripost,dc=dev" =0 break
#
# Our service can search anywhere in the tree (for old pending entries).
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +s
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +s break
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" +s
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
#
# Our service needs to have 'z' access on the 'children' of the parent of the entry that is
# to be deleted. (And 'z' access of the 'entry' attribute of this entry.)
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=children
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.children="o=mailHosting,dc=fripost,dc=dev" =0 break
#
# Our service needs search access to list (old) pending entries.
-olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
filter=(fripostPendingToken=*)
attrs=createTimestamp,fripostPendingToken
- by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
+ by dn.children="o=mailHosting,dc=fripost,dc=dev" +0 break
+#
+# Users can search (e.g., to list the entries they have created).
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
+#
#
-# Everyone can create/delete domains. (Provided s/he has +a/+z access to the
+########################################################################
+# Virtual subtree, domains
+#
+# 1. Everyone can create/delete domains. (Provided s/he has +a/+z access to the
# "entry" attribute of the domains s/he wants to delete.)
+# 2. The relevant service can delete (old) pending entries.
olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=children
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z
#
-# Reserved local parts are reserved. /!\ The case must be insensitive
-# - postmaster: RFC 822, appendix C.6
-# - abuse: RFC 2142, section 4
-olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- by * =0
-#
-# Everyone can check for the non-presence of the 'pending' status.
+# Everyone can check for the absence of a 'pending' status.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*)))
attrs=fripostPendingToken
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
#
-# Only the domain Postmasters and Owners can search the unlock token and delete the
-# 'pending' status (but not read).
+# Only the domain Postmasters and Owners can search the unlock token and delete
+# the 'pending' status (but not read).
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
attrs=fripostPendingToken
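Review bot: The `attrs=objectClass` directive that now heads the list (`to dn.children="ou=virtual,…" attrs=objectClass`) has only two `by` clauses, services and virtual users, and no `break`, so every other requester hits the implicit `by * none` OpenLDAP appends to each directive and is denied objectClass for the whole subtree — including managers, who only reach their `=wrscd` in the `dn.subtree` directive further down, and since `replace: olcAccess` is the line before the first directive nothing earlier covers them. As an add requires write access to every attribute of the new entry, managers would no longer be able to search on objectClass or create entries under ou=virtual, and the comment `# Everyone can search the objectclass` overstates what the clauses grant. Mirror what this commit did for userPassword and add ` by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd` before the services clause, or end the directive with ` by * =0 break` so the subtree directive decides. Separately, removing the `to dn.subtree="o=mailHosting,…" attrs=userPassword by * =0` catch-all drops the explicit backstop its comment described; userPassword on entries outside the `fvu=…`/FripostVirtualUser regex (e.g. under ou=managers) is now governed by whatever directive matches later, which this hunk does not show.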
@@ -222,11 +187,13 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
by dnattr=fripostPostmaster =wrscd
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
-# Everyone can add or delete children, but we will be carefull with the
-# kid's "entry" attribute, which require +a and +z to add and delete
-# respectively.
+# Everyone can add or delete children, but we will be carefull with
+# the kid's "entry" attribute, which require +a and +z to add and delete
+# respectively. Note that it is forbidden add a child under a pending
+# entry; This is important since otherwise we couldn't delete pending
+# entry non-recursively.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=FripostVirtualDomain)
+ filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*)))
attrs=children
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
#
@@ -245,7 +212,17 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
-# Noone (but the managers) can change quotas.
+# Reserved local parts are reserved. /!\ The case must be insensitive
+# - postmaster: RFC 822, appendix C.6
+# - abuse: RFC 2142, section 4
+olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ by * =0
+#
+#
+########################################################################
+# Virtual subtree, users
+#
+# Users and their postmaster can read the quota (but not change it).
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=fripostUserQuota
@@ -260,14 +237,19 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by self =wrscd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
-# 1. Postmasters can create users (but not delete them).
+# 1. Users can read their entry (but not delete it).
+# 2. Postmasters can create users (but not delete them).
# (Provided that they have +a access to the parent's "children" attribute.)
-# 2. Users can read their entry (but not delete it).
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=entry
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
by self +rd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+#
+#
+########################################################################
+# Virtual subtree, aliases
#
# 1. The alias owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
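Review bot: The new ` by dn.onelevel="ou=services,…" =0 break` on users' `entry` attribute breaks through for every service DN, whereas the directive it appears to pair with (`to dn.subtree=… attrs=entry`, where only `cn=CreateList` gets `=0 break`) names the single service that needs to keep evaluating. Narrowing it to ` by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break` keeps the other services on the no-`break` path used elsewhere in the file. If another service is meant to reach the later list directives, the `# 1.`/`# 2.` list above the directive does not mention it; a comment naming that service would make the intent visible.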
@@ -304,6 +286,10 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
+#
+########################################################################
+# Virtual subtree, lists
+#
# 1. The list owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
# 3. So can the domain postmasters.
@@ -325,8 +311,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostOwner.expand="$1" =rscd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
#
-# 1,2,3. The list owner and the domain Owner and Postmaster can search
-# (but not read) the 'pending' token.
+# 1,2,3. The list owner and the domain Owner and Postmaster can search the 'pending' token.
# 4. The list creator can remove the "pending" flag.
# (We don't need to limit the search to presence only here, since when present the value is
# always 'TRUE')
@@ -364,9 +349,9 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
#
-# The List Creator can add list commands.
+# The List Creator can add list commands under non-pending lists.
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- filter=(objectClass=FripostVirtualList)
+ filter=(&(objectClass=FripostVirtualList)(!(fripostPendingToken=*)))
attrs=children
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
#
@@ -376,6 +361,9 @@ olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting
attrs=entry
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
#
-# Catch the "break" control above.
+#
+########################################################################
+# Catchall
+#
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
diff --git a/ldap/base.ldif b/ldap/base.ldif
index 525fca6..e1a14fd 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -22,7 +22,10 @@ fripostCanAddDomain: fvu=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripos
fripostCanAddDomain: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
description: Virtual mail hosting
-
+# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
+# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
+# TODO: IMAP, SASLauth, Amavis
+# TODO: if possible, make use GSSAPI/EXTERNAL for the services.
dn: ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalUnit
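Review bot: The blank line removed before the new `# TODO` comments was the LDIF record separator between the preceding entry (its `description: Virtual mail hosting` line is the hunk's leading context) and `dn: ou=services,…`; comment lines do not separate records (RFC 2849), so ldapadd/slapadd will read `dn: ou=services,…` as a continuation of the previous record and reject it. Keep an empty line between `description: Virtual mail hosting` and the first `# TODO` line. The blank line may be present beyond the visible tail of the hunk, but the comment block itself sits directly against the `dn:` line.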
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 648f9c6..3e53b48 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -1024,94 +1024,108 @@ done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry
###########################################################################
-SUFFIX0="${SUFFIX}"
SUFFIX="${SUFFIXS}"
echo
echo "Service SMTP"
+msg "Have =0 access on non-active or pending entries"
+for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
+ search -s base -b "${X},${SUFFIXV}" "(|(fripostIsStatusActive=TRUE)(fripostPendingToken=*))" | grep -q '^dn: ' && \
+ checkACL "cn=SMTP" "${D}"
+done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
+
msg "Can read and search the domain attributes it needs"
for D in ${DOMAINS}; do
+ search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
checkACL "cn=SMTP" "${D}" entry fvd fripostOptionalMaildrop
done | isOK '=rsd$' entry
[ $? -eq 0 ] || exit $?
msg "Can search the domain attributes it needs"
for D in ${DOMAINS}; do
- checkACL "cn=SMTP" "${D}" objectClass fripostPendingToken fripostIsStatusActive
-done | isOK '=sd$' objectClass
+ search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
+ checkACL "cn=SMTP" "${D}" objectClass
+done | isOK '=s$' objectClass
[ $? -eq 0 ] || exit $?
msg "Have =0 access on other domain attributes"
for D in ${DOMAINS}; do
- checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description
+ checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken fripostIsStatusActive
done | isOK '=0$' children
[ $? -eq 0 ] || exit $?
msg "Can read and search the user attributes it needs"
for U in ${USERS}; do
+ search -s base -b "${U},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
checkACL "cn=SMTP" "${U}" entry fvu fripostOptionalMaildrop
done | isOK '=rsd$' entry
[ $? -eq 0 ] || exit $?
msg "Can search the user attributes it needs"
for U in ${USERS}; do
- checkACL "cn=SMTP" "${U}" objectClass fripostIsStatusActive
-done | isOK '=sd$' objectClass
+ search -s base -b "${U},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
+ checkACL "cn=SMTP" "${U}" objectClass
+done | isOK '=s$' objectClass
[ $? -eq 0 ] || exit $?
msg "Have =0 access on other user attributes"
for U in ${USERS}; do
- checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description
+ checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description fripostIsStatusActive
done | isOK '=0$' children
[ $? -eq 0 ] || exit $?
msg "Can read and search the alias attributes it needs"
for A in ${ALIASES}; do
+ search -s base -b "${A},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
checkACL "cn=SMTP" "${A}" entry fva fripostMaildrop
done | isOK '=rsd$' entry
[ $? -eq 0 ] || exit $?
msg "Can search the alias attributes it needs"
for A in ${ALIASES}; do
- checkACL "cn=SMTP" "${A}" objectClass fripostIsStatusActive
-done | isOK '=sd$' objectClass
+ search -s base -b "${A},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
+ checkACL "cn=SMTP" "${A}" objectClass
+done | isOK '=s$' objectClass
[ $? -eq 0 ] || exit $?
msg "Have =0 access on other alias attributes"
for A in ${ALIASES}; do
- checkACL "cn=SMTP" "${A}" children ${OPERATTRS} fripostOwner description
+ checkACL "cn=SMTP" "${A}" children ${OPERATTRS} fripostOwner description fripostIsStatusActive
done | isOK '=0$' children
[ $? -eq 0 ] || exit $?
msg "Can read and search the list attributes it needs"
for L in ${LISTS}; do
+ search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
checkACL "cn=SMTP" "${L}" entry fvl fripostLocalAlias
done | isOK '=rsd$' entry
[ $? -eq 0 ] || exit $?
msg "Can search the list attributes it needs"
for L in ${LISTS}; do
- checkACL "cn=SMTP" "${L}" objectClass fripostIsStatusActive fripostPendingToken
-done | isOK '=sd$' objectClass
+ search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
+ checkACL "cn=SMTP" "${L}" objectClass
+done | isOK '=s$' objectClass
[ $? -eq 0 ] || exit $?
msg "Have =0 access on other list attributes"
for L in ${LISTS}; do
- checkACL "cn=SMTP" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description
+ checkACL "cn=SMTP" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description fripostIsStatusActive fripostPendingToken
done | isOK '=0$' children
[ $? -eq 0 ] || exit $?
msg "Can read and search the list command attributes it needs"
for LC in ${LISTSC}; do
- checkACL "cn=SMTP" "${LC}" entry fvlc
+ checkACL "cn=SMTP" "${LC}" entry fvlc fripostLocalAlias
done | isOK '=rsd$' entry
[ $? -eq 0 ] || exit $?
msg "Can search the list command attributes it needs"
for LC in ${LISTSC}; do
checkACL "cn=SMTP" "${LC}" objectClass
-done | isOK '=sd$' objectClass
+done | isOK '=s$' objectClass
[ $? -eq 0 ] || exit $?
msg "Have =0 access on other list command attributes"
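Review bot: In the new `Have =0 access on non-active or pending entries` loop the iteration variable is `X`, but the check calls `checkACL "cn=SMTP" "${D}"`, so it tests whatever `D` currently holds instead of each entry; it should read `checkACL "cn=SMTP" "${X}"`. The selecting filter on the line above, `(|(fripostIsStatusActive=TRUE)(fripostPendingToken=*))`, also looks inverted: every other new guard in this hunk treats `fripostIsStatusActive=FALSE` as the non-active case, so with `TRUE` active entries would be fed into the `=0` check and fail it. Given the `&&`, the intended form appears to be `search -s base -b "${X},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' && \`.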
@@ -1158,7 +1172,7 @@ done | isOK '=rsd$'
msg "Have =a access on lists' children attribute"
for L in ${LISTS}; do
- search -s base -b "${L},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+ search -s base -b "${L},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
checkACL "cn=CreateList" "${L}" children
done | isOK '=a$'
[ $? -eq 0 ] || exit $?
@@ -1190,14 +1204,14 @@ echo "Service DeletePendingEntries"
msg "Have =z access on the \"children\" attribute of non-pending entries"
(checkACL "cn=DeletePendingEntries" "" children
for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
- search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+ search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
checkACL "cn=DeletePendingEntries" "${X}" children
done) | isOK '=z$' children
[ $? -eq 0 ] || exit $?
msg "Have =zrsd access on the \"entry\" attribute of pending entries"
for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
- search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
+ search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
checkACL "cn=DeletePendingEntries" "${X}" entry
done | isOK '=zrsd$' entry
[ $? -eq 0 ] || exit $?
@@ -1205,21 +1219,21 @@ done | isOK '=zrsd$' entry
msg "Have =s access on the \"entry\" attribute of non-pending entries"
(checkACL "cn=DeletePendingEntries" "" entry
for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
- search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+ search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
checkACL "cn=DeletePendingEntries" "${X}" entry
done) | isOK '=s$' entry
[ $? -eq 0 ] || exit $?
-msg "Have =sd access on the attributes it needs on pending entries"
+msg "Have =s access on the attributes it needs on pending entries"
for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
- search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
+ search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken
-done | isOK '=sd$' fripostPendingToken
+done | isOK '=s$' fripostPendingToken
[ $? -eq 0 ] || exit $?
msg "Have =0 access these attributes for non-pending entries"
for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
- search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+ search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken
done | isOK '=0$' fripostPendingToken
[ $? -eq 0 ] || exit $?