authorGuilhem Moulin <guilhem.moulin@fripost.org>2012-09-09 23:26:26 +0200
committerGuilhem Moulin <guilhem.moulin@fripost.org>2012-09-09 23:26:26 +0200
commit0bed9611730fc434dd55175bc947dc09fc430710 (patch)
tree0f9dfd3e77f56ffc2ce1a1df413cd8b2fa8034c6 /ldap/acl.ldif
parent09ca4fea45f2548d429a59a742593ebb5ebcbfab (diff)
SASL proxy authorization.
Diffstat (limited to 'ldap/acl.ldif')
-rw-r--r--ldap/acl.ldif103
1 files changed, 56 insertions, 47 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 755697f..eb28872 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -39,7 +39,7 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
#
# The postmaster of a domain can change (replace) his/her users' password.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualMailbox)
attrs=userPassword
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w
#
@@ -48,17 +48,27 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
by * none
+#
+# That's necessary for SASL proxy Authorize the web application.
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry,objectClass,authzTo
+ by * =x
##
## Services can read the whole subtree (minus the userPassword attributes).
#olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
-# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualML
-# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=org" read
-# by users * break
+# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualList
+# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" read
+# by users none break
+#
+# Users can search (e.g., to list the entries they have created).
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=objectClass
+ by users =s
#
# Users can search (e.g., to list the entries they have created).
# Additional permissions may be added later on.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateML
+ attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateList
by users =s break
#
# Everyone can delete domains. (Provided he has +d access to the "entry"
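Review bot: The comment introduced with the new ou=services rule, `# That's necessary for SASL proxy Authorize the web application.`, is ungrammatical and does not say what the rule actually grants; since `=x` is exact auth-level access (no disclose, compare, search or read), a clearer comment would be `# Needed for SASL proxy authorization (authzTo) of the web application: auth access only, these attributes cannot be read or disclosed.` The `by * =x` form is, as far as I recall, what the authzTo check requires, and because the rule has no `break` it is also the final word on entry/objectClass/authzTo under ou=services for every identity other than rootdn, which is worth confirming is intended. Likewise the new `to dn.children="ou=virtual,..." attrs=objectClass by users =s` rule has no `break`, so later rules such as `attrs=@FripostVirtualMailbox by self write` (which presumably expand to include objectClass through the MUST list inherited from top) can no longer grant read or write on objectClass under ou=virtual; if that ceiling is deliberate it deserves a comment saying so, otherwise the line should read `by users =s break`. Note also that authzTo is only honoured when the server's authz-policy permits the `to` direction, a setting that lives outside acl.ldif and is not visible in this commit.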
@@ -71,30 +81,29 @@ olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
# aliases.
# 2,3. People that can create aliases can list the members of the group.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
attrs=fripostCanCreateAlias
by dnattr=fripostPostmaster write
by dnattr=fripostOwner read
by set.exact="this/fripostCanCreateAlias & (user | user/-1)" read
#
-# 1. The postmaster of a domain can give (or take back) people the right to create
-# mailing lists.
-# 2,3. People that can create mailing lists can list the members of the group.
+# 1. The postmaster of a domain can give (or take back) people the right to create lists.
+# 2,3. People that can create lists can list the members of the group.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=fripostVirtualDomain)
- attrs=fripostCanCreateML
+ filter=(objectClass=FripostVirtualDomain)
+ attrs=fripostCanCreateList
by dnattr=fripostPostmaster write
by dnattr=fripostOwner read
- by set.exact="this/fripostCanCreateML & (user | user/-1)" read
+ by set.exact="this/fripostCanCreateList & (user | user/-1)" read
#
# 1-3. Noone (but the managers) can appoint domain Owners or Postmasters.
-# But people that can create aliases and mailing lists can list the members of their group.
+# But people that can create aliases and lists can list the members of their group.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
attrs=fripostOwner,fripostPostmaster
by dnattr=fripostOwner read
by dnattr=fripostPostmaster read
- by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML)& (user | user/-1)" read
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList)& (user | user/-1)" read
by dn.onelevel,expand="$1" +d
by users +0
#
@@ -102,26 +111,26 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
# kid's "entry" attribute, which require +a and +z to add and delete
# respectively.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
attrs=children
by users +w
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
# 3. Domain users can read the public domain attributes.
-# 4. So can users with "canCreateAlias" or "canCreateML" access.
+# 4. So can users with "canCreateAlias" or "canCreateList" access.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
attrs=fvd,fripostIsStatusActive,description
by dnattr=fripostOwner write
by dnattr=fripostPostmaster write
by dn.onelevel,expand="$1" read
- by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" read
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" read
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
attrs=@fripostVirtualDomain
by dnattr=fripostOwner write
by dnattr=fripostPostmaster write
@@ -130,19 +139,19 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
# 1. Domain owners can delete the domain (and read the entry).
# 2. So can domain postmasters.
# 3. Domain users can read the domain entry (but not delete it).
-# 4. So can users with "canCreateAlias" or "canCreateML" rights.
+# 4. So can users with "canCreateAlias" or "canCreateList" rights.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
attrs=entry
by dnattr=fripostOwner +zrd
by dnattr=fripostPostmaster +zrd
by dn.onelevel,expand="$1" +rd
- by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" +rd
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" +rd
by users +0
#
# Noone (but the managers) can change quotas.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualMailbox)
attrs=fripostMailboxQuota
by self read
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
@@ -150,7 +159,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 1. Users can modify their own entry.
# 2. So can their postmasters.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualMailbox)
attrs=@FripostVirtualMailbox
by self write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
@@ -159,7 +168,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# (Provided that they have +a access to the parent's "children" attribute.)
# 2. Users can read their entry (but not delete it).
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualMailbox)
attrs=entry
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
by self +rd
@@ -167,7 +176,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# Reserved aliases cannot be deactivated. (But the alias definition may be changed by the
# domain owner.)
olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
attrs=fripostIsStatusActive,fripostOwner,fva
by group/fripostVirtualDomain/fripostOwner.expand="$2" read
by group/fripostVirtualDomain/fripostPostmaster.expand="$2" read
@@ -175,7 +184,7 @@ olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHost
#
# Reserved aliases cannot be deleted.
olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
attrs=entry
by group/fripostVirtualDomain/fripostOwner.expand="$2" +ard
by group/fripostVirtualDomain/fripostPostmaster.expand="$2" +ard
@@ -186,7 +195,7 @@ olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHost
# 2. The domain owner can add/delete/change the ownership of the entry.
# 3. So can the domain postmasters.
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
attrs=fripostOwner
by dnattr=fripostOwner read continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
@@ -197,7 +206,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 2. So can the domain owners.
# 3. So can the domain postmasters.
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
attrs=@FripostVirtualAlias
by dnattr=fripostOwner write
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
@@ -209,7 +218,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 4. Users with "canCreateAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain.
# (But *not* delete them, unless also owner.)
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
attrs=entry
by dnattr=fripostOwner +zrd continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
@@ -217,49 +226,49 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
by users +0
#
-# 1. The mailing list owner can list the ownership of the entry.
+# 1. The list owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
# 3. So can the domain postmasters.
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualML)
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
attrs=fripostOwner
by dnattr=fripostOwner read continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
by users +0
#
-# 1. The mailing list owner read (but not edit) the transport-related attributes.
+# 1. The list owner read (but not edit) the transport-related attributes.
# 2. So can the domain ower.
# 3. So can the domain postmaster.
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualML)
- attrs=fripostMLManager,fripostMLCommand
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
+ attrs=fripostListManager,fripostListCommand
by dnattr=fripostOwner read
by group/fripostVirtualDomain/fripostOwner.expand="$1" read
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
#
-# 1. The mailing list owners can edit their entry's attributes.
+# 1. The list owners can edit their entry's attributes.
# 2. So can the domain owners.
# 3. So can the domain postmasters.
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualML)
- attrs=@FripostVirtualML
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
+ attrs=@FripostVirtualList
by dnattr=fripostOwner write
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
#
-# 1. The mailing list owners can read and delete the entry.
+# 1. The list owners can read and delete the entry.
# 2. So can the domain's Owner.
# 3. So can the domain's Postmaster.
-# 4. Users with "canCreateML" capability (either explicitely, or as a wildcard) for the domain can create mailing lists for that domain.
+# 4. Users with "canCreateList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain.
# (But *not* delete them, unless also owner.)
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualML)
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
attrs=entry
by dnattr=fripostOwner +rzd continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" +rwd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
- by set.exact="this/-1/fripostCanCreateML & (user | user/-1)" +a
+ by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a
by users +0
#
# Catch the "break" control above.