authorGuilhem Moulin <guilhem.moulin@fripost.org>2012-08-20 19:33:21 +0200
committerGuilhem Moulin <guilhem.moulin@fripost.org>2012-08-20 19:33:21 +0200
commitf440b191204f129408b9f068e8f436f59493c482 (patch)
tree5476506d5ff2bc00e7d7423f6789783513089ed0
parent392970b125000b5b467afd43406b05d90ec1d06e (diff)
Constraint overlay
-rw-r--r--ldap/acl.ldif76
-rw-r--r--ldap/modules.ldif5
-rw-r--r--ldap/populate.ldif2
3 files changed, 30 insertions, 53 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 5af52aa..755697f 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -31,73 +31,64 @@ replace: olcAccess
## 1. Users/Services/Managers can change their password (but not read it).
## 2. Anonymous users/services/managers can bind.
## 3. Else, we inspect the 2 following ACLs.
-#add: olcAccess
olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
by self =w
by anonymous auth
by users none break
--
+#
# The postmaster of a domain can change (replace) his/her users' password.
-add: olcAccess
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualMailbox)
attrs=userPassword
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w
--
+#
# No permission on the userPassword attribute for other users.
# (That's a catch-all, just to be sure that services, etc. cannot read the passwords).
-add: olcAccess
olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
by * none
-#-
+##
## Services can read the whole subtree (minus the userPassword attributes).
-#add: olcAccess
#olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualML
# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=org" read
# by users * break
--
+#
# Users can search (e.g., to list the entries they have created).
# Additional permissions may be added later on.
-add: olcAccess
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateML
by users =s break
--
+#
# Everyone can delete domains. (Provided he has +d access to the "entry"
# attribute of the domains he wants to delete.)
-add: olcAccess
olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=children
by users =z
--
+#
# 1. The postmaster of a domain can give (or take back) people the right to create
# aliases.
# 2,3. People that can create aliases can list the members of the group.
-add: olcAccess
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=fripostVirtualDomain)
attrs=fripostCanCreateAlias
by dnattr=fripostPostmaster write
by dnattr=fripostOwner read
by set.exact="this/fripostCanCreateAlias & (user | user/-1)" read
--
+#
# 1. The postmaster of a domain can give (or take back) people the right to create
# mailing lists.
# 2,3. People that can create mailing lists can list the members of the group.
-add: olcAccess
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=fripostVirtualDomain)
attrs=fripostCanCreateML
by dnattr=fripostPostmaster write
by dnattr=fripostOwner read
by set.exact="this/fripostCanCreateML & (user | user/-1)" read
--
+#
# 1-3. Noone (but the managers) can appoint domain Owners or Postmasters.
# But people that can create aliases and mailing lists can list the members of their group.
-add: olcAccess
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualDomain)
attrs=fripostOwner,fripostPostmaster
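Review bot: The dormant services rule kept in this hunk (`#olcAccess: to dn.subtree=... by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=org" read`) names the `dc=org` suffix while every live rule in the file uses `dc=fripost,dc=dev`, and its last clause `by users * break` is not the `by <who> [<access>] [<control>]` shape the other rules use; uncommented as-is it would grant the services nothing and the `*` would presumably be rejected at load time. Fixing it now to `by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" read` and `by users break` keeps it aligned with the suffix this `replace: olcAccess` list targets. Since the commit folds every rule into a single `replace:` value list, value order is evaluation order, and the `attrs=userPassword ... by * none` catch-all near the top is what keeps the later `@FripostVirtualMailbox` write grants away from the password; a comment on that catch-all saying it must stay ahead of the per-objectClass rules would save the next editor from reordering it.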
@@ -106,21 +97,19 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML)& (user | user/-1)" read
by dn.onelevel,expand="$1" +d
by users +0
--
+#
# Every one can add or delete children, but we will be carefull with the
# kid's "entry" attribute, which require +a and +z to add and delete
# respectively.
-add: olcAccess
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=fripostVirtualDomain)
attrs=children
by users +w
--
+#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
# 3. Domain users can read the public domain attributes.
# 4. So can users with "canCreateAlias" or "canCreateML" access.
-add: olcAccess
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualDomain)
attrs=fvd,fripostIsStatusActive,description
@@ -128,22 +117,20 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dnattr=fripostPostmaster write
by dn.onelevel,expand="$1" read
by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" read
--
+#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
-add: olcAccess
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=fripostVirtualDomain)
attrs=@fripostVirtualDomain
by dnattr=fripostOwner write
by dnattr=fripostPostmaster write
by users +0
--
+#
# 1. Domain owners can delete the domain (and read the entry).
# 2. So can domain postmasters.
# 3. Domain users can read the domain entry (but not delete it).
# 4. So can users with "canCreateAlias" or "canCreateML" rights.
-add: olcAccess
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualDomain)
attrs=entry
@@ -152,46 +139,41 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dn.onelevel,expand="$1" +rd
by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" +rd
by users +0
--
+#
# Noone (but the managers) can change quotas.
-add: olcAccess
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualMailbox)
attrs=fripostMailboxQuota
by self read
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
--
+#
# 1. Users can modify their own entry.
# 2. So can their postmasters.
-add: olcAccess
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualMailbox)
attrs=@FripostVirtualMailbox
by self write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
--
+#
# 1. Postmasters can create mailboxes (but not delete them).
# (Provided that they have +a access to the parent's "children" attribute.)
# 2. Users can read their entry (but not delete it).
-add: olcAccess
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualMailbox)
attrs=entry
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
by self +rd
--
+#
# Reserved aliases cannot be deactivated. (But the alias definition may be changed by the
# domain owner.)
-add: olcAccess
olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualAlias)
attrs=fripostIsStatusActive,fripostOwner,fva
by group/fripostVirtualDomain/fripostOwner.expand="$2" read
by group/fripostVirtualDomain/fripostPostmaster.expand="$2" read
by users +0
--
+#
# Reserved aliases cannot be deleted.
-add: olcAccess
olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualAlias)
attrs=entry
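Review bot: The mailbox rules in this hunk select entries with `dn.regex="^fvu=[^,]+,(fvd=[^,]+,...)$"`, and a naming value containing an escaped comma (`fvu=a\,b`) is not matched by `[^,]+`, so such an entry skips every mailbox-specific rule and lands on the final `by users +0` catch-all, i.e. it is denied rather than over-granted, which is the safe direction. That fail-closed outcome is worth recording next to the first regex rule, e.g. `# NB: [^,]+ does not match values with escaped commas; such entries fall through to the final deny`, and a populate.ldif entry with an escaped comma would pin it. The `attrs=@FripostVirtualMailbox ... by self write` rule also relies on the earlier `userPassword` and `fripostMailboxQuota` rules winning first (if those attributes belong to that objectClass); a one-line comment stating that dependency on the rule would help whoever later reorders this list.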
@@ -199,11 +181,10 @@ olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHost
by group/fripostVirtualDomain/fripostPostmaster.expand="$2" +ard
by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
by users +0
--
+#
# 1. The alias owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
# 3. So can the domain postmasters.
-add: olcAccess
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualAlias)
attrs=fripostOwner
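Review bot: In the reserved-alias `attrs=entry` rule, which begins in the previous hunk, the clause `by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a` grants add on the `abuse`/`postmaster` alias entries to any user with canCreateAlias on the domain, although the header comment only says reserved aliases cannot be deleted. The preceding rule gives those users only `+0` on `fva`, `fripostOwner` and `fripostIsStatusActive`, so the add should in practice be refused when slapd checks write access on the new entry's attributes, but that protection is indirect and depends on rule order. Either drop the `+a` clause for reserved names or document it, e.g. `# +a here is neutralised by the +0 on fva/fripostOwner above: only owners/postmasters can (re)create reserved aliases`, and add a test that a canCreateAlias-only user cannot add postmaster@ to a domain that lacks it.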
@@ -211,24 +192,22 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
by users +0
--
+#
# 1. The alias owners can edit the rest of their entry's attributes.
# 2. So can the domain owners.
# 3. So can the domain postmasters.
-add: olcAccess
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualAlias)
attrs=@FripostVirtualAlias
by dnattr=fripostOwner write
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
--
+#
# 1. The alias owners can read and delete the entry.
# 2. So can the domain owner.
# 3. So can the domain postmaster.
# 4. Users with "canCreateAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain.
# (But *not* delete them, unless also owner.)
-add: olcAccess
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualAlias)
attrs=entry
@@ -237,11 +216,10 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
by users +0
--
+#
# 1. The mailing list owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
# 3. So can the domain postmasters.
-add: olcAccess
olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualML)
attrs=fripostOwner
@@ -249,35 +227,32 @@ olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripo
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
by users +0
--
+#
# 1. The mailing list owner read (but not edit) the transport-related attributes.
# 2. So can the domain ower.
# 3. So can the domain postmaster.
-add: olcAccess
olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualML)
attrs=fripostMLManager,fripostMLCommand
by dnattr=fripostOwner read
by group/fripostVirtualDomain/fripostOwner.expand="$1" read
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
--
+#
# 1. The mailing list owners can edit their entry's attributes.
# 2. So can the domain owners.
# 3. So can the domain postmasters.
-add: olcAccess
olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualML)
attrs=@FripostVirtualML
by dnattr=fripostOwner write
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
--
+#
# 1. The mailing list owners can read and delete the entry.
# 2. So can the domain's Owner.
# 3. So can the domain's Postmaster.
# 4. Users with "canCreateML" capability (either explicitely, or as a wildcard) for the domain can create mailing lists for that domain.
# (But *not* delete them, unless also owner.)
-add: olcAccess
olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=fripostVirtualML)
attrs=entry
@@ -286,8 +261,7 @@ olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripo
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
by set.exact="this/-1/fripostCanCreateML & (user | user/-1)" +a
by users +0
--
+#
# Catch the "break" control above.
-add: olcAccess
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
by users +0
diff --git a/ldap/modules.ldif b/ldap/modules.ldif
index 0e63819..cc4da57 100644
--- a/ldap/modules.ldif
+++ b/ldap/modules.ldif
@@ -2,7 +2,7 @@
#
# ldapmodify -Y EXTERNAL -H ldapi:/// -f modules.ldif
#
-# It will load the "syncprov" module.
+# It will load the "syncprov" and "constraint" modules.
#
#
# References:
@@ -14,3 +14,6 @@ dn: cn=module{0}, cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov.la
+-
+add: olcModuleLoad
+olcModuleLoad: constraint.la
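Review bot: `olcModuleLoad: constraint.la` loads the constraint overlay, but none of the three files in this commit instantiates it; slapd enforces constraints only once an `olcOverlay=constraint` entry (objectClass `olcConstraintConfig`) carrying `olcConstraintAttribute` rules exists under the database, so the "Constraint overlay" of the title is not active unless that entry is added elsewhere. The header comment should name the LDIF that creates the overlay instance and which attributes it is meant to constrain, so a reader does not assume the module load alone adds any checks. Also, this `ldapmodify` against `cn=module{0}` assumes the module entry is index 0 and that the file is applied only once; re-running it will presumably fail with an attribute-or-value-exists error on the duplicate `olcModuleLoad` value, which is worth stating next to the invocation line at the top.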
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index 57681b5..cd2b5f2 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -5,7 +5,7 @@
# It will populate the directory for testing purposes.
# If "o=mailHosting,dc=fripost,dc=dev" exists, you can delete it with
#
-# ldapdelete -Y EXTERNAL -H ldapi:/// -r "ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+# ldapdelete -Y EXTERNAL -H ldapi:/// -r "o=mailHosting,dc=fripost,dc=dev"
# ou=quotas,o=mailHosting,dc=fripost,dc=dev
# |- fvd=fripost.org