authorGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-21 02:15:29 +0100
committerGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-21 02:23:48 +0100
commit4697625becadbd2d3eea9feb3eaacd2bf91ecdd4 (patch)
tree67e03adbf52c17536b2a67029287ec281b32a23f /ldap/acl.ldif
parent6295612701cb5b7cab131a8c0fcfa69846d11207 (diff)
Adapted the test suite to domain creation.
Diffstat (limited to 'ldap/acl.ldif')
-rw-r--r--ldap/acl.ldif178
1 files changed, 93 insertions, 85 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index c090925..ce2aa4c 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -31,49 +31,54 @@ replace: olcAccess
# TODO: IMAP, SASLauth, Amavis
# TODO: if possible, make use GSSAPI/EXTERNAL for the services.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostIsStatusPending,fripostOptionalMaildrop,fvu,fva,fripostMaildrop,fvl,fvlc,fripostLocalAlias
+ attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
- by users none break
+ by users =0 break
+#
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=objectClass,fripostPendingToken,fripostIsStatusActive
+ filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
+ by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd
+ by users =0 break
#
#olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
-# attrs=entry,objectClass,fripostIsStatusActive,fripostIsStatusPending,fvu,@amavisAccount
-# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostIsStatusPending=FALSE))
+# attrs=entry,objectClass,fripostIsStatusActive,fripostPendingToken,fvu,@amavisAccount
+# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostPendingToken=FALSE))
# by dn.exact="gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth" =rsd
-# by users none break
+# by users =0 break
#
# Anonymous can authenticate into the services. (But not read or write the password.)
olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
- by anonymous auth
+ by realanonymous =xd
#
# That's necessary for SASL proxy Authorize the web application.
olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,objectClass,authzTo
- by * =x
+ by realanonymous =x
#
# 1. Managers have read/write access to the "virtual" subtree.
# 2. The list creator needs further access.
# 3. Other services have no access other than the one above.
# 4,5. Other users need further access.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" write
- by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" none break
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" none break
- by anonymous none break
+ by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
+ by anonymous =0 break
#
# 1. Users can change their password (but not read it).
# 2. Anonymous users can bind.
# 3. Else, we inspect the 2 following ACLs.
olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
attrs=userPassword
- by self =w
- by anonymous auth
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" none break
+ by realself =w
+ by anonymous =xd
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
#
-# The postmaster of a domain can change (replace) his/her users'
-# password (but not see it).
+# The postmaster of a domain can change (replace) his/her users' password (but not read it).
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=userPassword
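Review bot: The two bind rules in this hunk now select different identity views: the service password rule (`+ by realanonymous =xd`) was switched from `anonymous` to `realanonymous`, while the user password rule further down (`+ by anonymous =xd`) keeps `anonymous`, so one clause answers to the authenticated identity and the other to the authorized one even though both were `auth` before (`auth` is exactly `=xd` per slapd.access(5), so the user line is otherwise a no-op rewrite). Since the same hunk also moves the user's own password rule from `self` to `realself`, the user bind rule presumably was meant to follow suit as `by realanonymous =xd`; if the difference is deliberate, a one-line comment saying why would help. Separately, the explicit privilege strings used throughout this commit are one bit short of the named levels they replace (`read` is `=rscdx`, `write` is `=wrscdx`; see the managers `=wrscd` line here and the `=rscd`/`=wrscd` lines in every later hunk): that only withholds the `x` (auth) bit, which is irrelevant for non-credential attributes, but a comment near the top of the olcAccess list stating that `x` is intentionally withheld would save the next reader from checking each line against the table.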
@@ -83,41 +88,41 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# (That's a catch-all, just to be sure that services, etc. cannot read the passwords).
olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
- by * none
+ by * =0
#
# 1. Users can search (e.g., to list the entries they have created).
# 2. So can the list creator.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=objectClass
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
#
-# Users can search (e.g., to list the entries they have created).
-# Additional permissions may be added later on.
+# 1. Users can search (e.g., to list the entries they have created).
+# 2. Additional permissions may be added later on.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
#
# Everyone can create/delete domains. (Provided s/he has +a/+z access to the
# "entry" attribute of the domains s/he wants to delete.)
olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =w
#
-# Reserved local parts are reserved. /!\ The case be insensitive
-# postmaster # RFC 822, appendix C.6
-# abuse # RFC 2142, section 4
+# Reserved local parts are reserved. /!\ The case must be insensitive
+# - postmaster: RFC 822, appendix C.6
+# - abuse: RFC 2142, section 4
olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- by * none
+ by * =0
#
-# Only the domain postmaster can read and search the unlock token and delete the
-# 'pending' status.
+# Only the domain Postmasters and Owners can read and search the unlock token and
+# delete the 'pending' status.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
- attrs=fripostIsStatusPending
- by dnattr=fripostPostmaster =zrsd
- by dnattr=fripostOwner =zrsd
+ attrs=fripostPendingToken
+ by dnattr=fripostPostmaster =zscd
+ by dnattr=fripostOwner =zscd
#
# 1. The postmaster of a domain can give (or take back) people the right to create
# aliases.
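Review bot: The rewritten comment above the fripostPendingToken rule says the domain Postmasters and Owners can "read and search" the unlock token, but the new privilege string `=zscd` grants delete, search, compare and disclose with no `r`, so the comment contradicts the rule it documents (the matching list rule in the later hunk correctly says "search (but not read)"). Suggest `# Only the domain Postmasters and Owners can search (but not read) the unlock token and delete the 'pending' status.`. Note also that search and compare on a secret attribute still let the grantee test candidate values through a filter or a compare request; that is only harmless if fripostPendingToken has no substring matching rule in the schema and is merely tested for presence, so this is worth confirming against the schema file, and if only presence and deletion are needed the `c` bit can go, i.e. `=zsd` as the ListCreator rule in the later hunk already uses.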
@@ -125,29 +130,29 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
attrs=fripostCanAddAlias
- by dnattr=fripostPostmaster write
- by dnattr=fripostOwner read
- by set.exact="this/fripostCanAddAlias & (user | user/-1)" read
+ by dnattr=fripostPostmaster =wrscd
+ by dnattr=fripostOwner =rscd
+ by set.exact="this/fripostCanAddAlias & (user | user/-1)" =rscd
#
# 1. The postmaster of a domain can give (or take back) people the right to create lists.
# 2,3. People that can create lists can list the members of the group.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
attrs=fripostCanAddList
- by dnattr=fripostPostmaster write
- by dnattr=fripostOwner read
- by set.exact="this/fripostCanAddList & (user | user/-1)" read
+ by dnattr=fripostPostmaster =wrscd
+ by dnattr=fripostOwner =rscd
+ by set.exact="this/fripostCanAddList & (user | user/-1)" =rscd
#
# 1-3. Noone (but the managers) can appoint domain Owners or Postmasters.
# But people that can create aliases and lists can list the members of their group.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualDomain)
attrs=fripostOwner,fripostPostmaster
- by dnattr=fripostOwner read
- by dnattr=fripostPostmaster read
- by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" read
+ by dnattr=fripostOwner =rscd
+ by dnattr=fripostPostmaster =rscd
+ by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd
by dn.onelevel,expand="$1" +d
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
@@ -156,19 +161,19 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualDomain)
attrs=fvd,fripostIsStatusActive,description
- by dnattr=fripostOwner write
- by dnattr=fripostPostmaster write
- by dn.onelevel,expand="$1" read
- by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" read
+ by dnattr=fripostOwner =wrscd
+ by dnattr=fripostPostmaster =wrscd
+ by dn.onelevel,expand="$1" =rscd
+ by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
attrs=@fripostVirtualDomain
- by dnattr=fripostOwner write
- by dnattr=fripostPostmaster write
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dnattr=fripostOwner =wrscd
+ by dnattr=fripostPostmaster =wrscd
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
#
# Every one can add or delete children, but we will be carefull with the
# kid's "entry" attribute, which require +a and +z to add and delete
@@ -176,12 +181,13 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +w
#
-# 1. Domain owners can delete the domain (and read the entry).
-# 2. So can domain postmasters.
-# 3. Domain users can read the domain entry (but not delete it).
-# 4. So can users with "canAddAlias" or "canAddList" rights.
+# 1. Users with "addDomain" access can create new entries.
+# 2. Domain owners can delete their domain (and read the entry).
+# 3. So can domain postmasters.
+# 4. Domain users can read the domain entry (but not delete it).
+# 5. So can users with "canAddAlias" or "canAddList" rights.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualDomain)
attrs=entry
@@ -190,22 +196,22 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dnattr=fripostPostmaster +zrd
by dn.onelevel,expand="$1" +rd
by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
#
# Noone (but the managers) can change quotas.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=fripostUserQuota
- by self read
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+ by self =rscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
#
# 1. Users can modify their own entry.
# 2. So can their postmasters.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=@FripostVirtualUser
- by self write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by self =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
# 1. Postmasters can create users (but not delete them).
# (Provided that they have +a access to the parent's "children" attribute.)
@@ -222,10 +228,10 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualAlias)
attrs=fripostOwner
- by dnattr=fripostOwner read continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dnattr=fripostOwner =rscd continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
#
# 1. The alias owners can edit the rest of their entry's attributes.
# 2. So can the domain owners.
@@ -233,9 +239,9 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualAlias)
attrs=@FripostVirtualAlias
- by dnattr=fripostOwner write
- by group/fripostVirtualDomain/fripostOwner.expand="$1" write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by dnattr=fripostOwner =wrscd
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
# 1. The alias owners can read and delete the entry.
# 2. So can the domain owner.
@@ -249,7 +255,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
#
# 1. The list owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
@@ -257,10 +263,10 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
attrs=fripostOwner
- by dnattr=fripostOwner read continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dnattr=fripostOwner =rscd continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
#
# 1. The list owner read (but not edit) the transport-related attributes.
# 2. So can the domain ower.
@@ -268,17 +274,19 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
attrs=fripostListManager
- by dnattr=fripostOwner read
- by group/fripostVirtualDomain/fripostOwner.expand="$1" read
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+ by dnattr=fripostOwner =rscd
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =rscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
#
-# Only the list creator can remove the "pending" flag
+# 1,2,3. The list owner and the domain Owner and Postmaster can search
+# (but not read) the 'pending' token.
+# 4. The list creator can remove the "pending" flag.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
- attrs=fripostIsStatusPending
- by dnattr=fripostOwner read
- by group/fripostVirtualDomain/fripostOwner.expand="$1" read
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+ attrs=fripostPendingToken
+ by dnattr=fripostOwner =scd
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =scd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =scd
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd
#
# 1. The list owners can edit their entry's attributes.
@@ -287,9 +295,9 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
attrs=@FripostVirtualList
- by dnattr=fripostOwner write
- by group/fripostVirtualDomain/fripostOwner.expand="$1" write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by dnattr=fripostOwner =wrscd
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
# 1. The list owners can read the entry.
# 2. So can the domain's Owner.
@@ -304,7 +312,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad
by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
#
# The List Creator can add list commands.
@@ -321,4 +329,4 @@ olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting
#
# Catch the "break" control above.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0