authorGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-20 03:39:35 +0100
committerGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-20 03:42:31 +0100
commit6295612701cb5b7cab131a8c0fcfa69846d11207 (patch)
tree49f755b4f07c56854f69a4f2d5db6af9ab5b891b /ldap/acl.ldif
parent03415210a74739563a54c1b3a9ae786027a0d8be (diff)
Adding new domains.
Diffstat (limited to 'ldap/acl.ldif')
-rw-r--r--ldap/acl.ldif51
1 files changed, 34 insertions, 17 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 0528545..c090925 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -28,14 +28,20 @@ replace: olcAccess
# first as it's likely to be the most used.
# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
-# TODO: IMAP & SASLauth
-# TODO: if possible, make use GSSAPI for the services.
+# TODO: IMAP, SASLauth, Amavis
+# TODO: if possible, make use GSSAPI/EXTERNAL for the services.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostIsStatusPending,fripostOptionalMaildrop,fvu,fva,fripostMaildrop,fvl,fvlc,fripostLocalAlias
filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
by users none break
#
+#olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+# attrs=entry,objectClass,fripostIsStatusActive,fripostIsStatusPending,fvu,@amavisAccount
+# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostIsStatusPending=FALSE))
+# by dn.exact="gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth" =rsd
+# by users none break
+#
# Anonymous can authenticate into the services. (But not read or write the password.)
olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
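Review bot: The commented-out Amavis rule pins the peer-credential identity to `gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth`, numeric IDs that are host-specific; if amavis ever runs under a different uid the bind simply falls through `by users none break` with nothing pointing at the cause. If this rule is enabled, either map the peercred DN to a service entry (consistent with the `cn=SMTP,ou=services,...` style used just above and with the GSSAPI/EXTERNAL TODO) or document the dependency next to it: `# uid/gid of the amavis unix account on this host -- keep in sync with /etc/passwd`. Also, `@amavisAccount` exposes every attribute of that objectClass to the service; listing the attributes it actually needs would be the least-privilege form.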
@@ -60,7 +66,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
# 1. Users can change their password (but not read it).
# 2. Anonymous users can bind.
# 3. Else, we inspect the 2 following ACLs.
-olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
attrs=userPassword
by self =w
by anonymous auth
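Review bot: Narrowing the userPassword rule from `dn.children` to `dn.regex="^fvu=[^,]+,fvd=[^,]+,...$"` means userPassword on any other entry under ou=virtual (domains, aliases, lists) no longer hits `by self =w` / `by anonymous auth` and instead falls through to the later entry-level rules; confirm none of those grant `write` on an unlisted attribute set that would then include userPassword. The `[^,]+` components also do not match an RDN whose value contains an escaped comma (`\,`), so such a user entry would be governed by the fall-through rules rather than this one. A one-line comment stating the intent would help: `# Only user entries (fvu) may bind; userPassword on other entries is not covered here.`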
@@ -89,20 +95,30 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
# Users can search (e.g., to list the entries they have created).
# Additional permissions may be added later on.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
+ attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break
#
-# Everyone can delete domains. (Provided s/he has +d access to the "entry"
-# attribute of the domains s/he wants to delete.)
+# Everyone can create/delete domains. (Provided s/he has +a/+z access to the
+# "entry" attribute of the domains s/he wants to delete.)
olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =z
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
#
-# Reserved local parts are reserved.
+# Reserved local parts are reserved. /!\ The case be insensitive
+# postmaster # RFC 822, appendix C.6
+# abuse # RFC 2142, section 4
olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
by * none
#
+# Only the domain postmaster can read and search the unlock token and delete the
+# 'pending' status.
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=FripostVirtualDomain)
+ attrs=fripostIsStatusPending
+ by dnattr=fripostPostmaster =zrsd
+ by dnattr=fripostOwner =zrsd
+#
# 1. The postmaster of a domain can give (or take back) people the right to create
# aliases.
# 2,3. People that can create aliases can list the members of the group.
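Review bot: The reserved-local-parts rule matches only the lowercase alternatives `(postmaster|abuse)`, and the comment `/!\ The case be insensitive` records the concern without resolving it: whether `fvu=Postmaster` is caught depends on the DN being normalised to lowercase before the regex is applied, i.e. on the equality matching rule of fvu/fva/fvl in the schema, which is not visible here. If those attributes are not caseIgnore-matched, spell the alternatives with character classes (`[pP][oO][sS][tT][mM][aA][sS][tT][eE][rR]`), or otherwise state the assumption so it is checkable: `# fvu/fva/fvl are caseIgnore-matched, so the normalised DN is lowercase here.` Separately, the comment on the `attrs=children` rule for ou=virtual still says "+a/+z access ... of the domains s/he wants to delete" although the grant is now `=w` (create or delete); it should read "wants to create or delete".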
@@ -133,14 +149,6 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dn.onelevel,expand="$1" +d
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
-# Every one can add or delete children, but we will be carefull with the
-# kid's "entry" attribute, which require +a and +z to add and delete
-# respectively.
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=FripostVirtualDomain)
- attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
-#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
# 3. Domain users can read the public domain attributes.
@@ -162,6 +170,14 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
by dnattr=fripostPostmaster write
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
+# Every one can add or delete children, but we will be carefull with the
+# kid's "entry" attribute, which require +a and +z to add and delete
+# respectively.
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=FripostVirtualDomain)
+ attrs=children
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
+#
# 1. Domain owners can delete the domain (and read the entry).
# 2. So can domain postmasters.
# 3. Domain users can read the domain entry (but not delete it).
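Review bot: The relocated `attrs=children` rule now sits after the domain-attribute rule ending in `by dnattr=fripostPostmaster write` / `by dn.children=... +0`, and slapd stops at the first `to` clause whose dn and attrs match the target; that earlier rule's `attrs` line is outside this hunk, so if it is unlisted (all attributes, `children` included) the moved rule is unreachable and only owners/postmasters can add or delete entries under a domain. Please confirm the earlier rule names explicit attributes that exclude `children`, and record the ordering dependency in the comment, e.g. `# Must stay after the domain-attribute rules, whose attrs must not cover "children".` Also `carefull` should be `careful`.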
@@ -169,6 +185,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualDomain)
attrs=entry
+ by set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a continue
by dnattr=fripostOwner +zrd
by dnattr=fripostPostmaster +zrd
by dn.onelevel,expand="$1" +rd
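Review bot: The new `set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a continue` grants domain creation not only to DNs listed in ou=virtual's fripostCanAddDomain but, via `user/-1`, to every entry whose parent is listed -- listing a domain DN delegates creation to all of that domain's bindable children, which nothing in the hunk says, so state it next to the rule: `# fripostCanAddDomain on ou=virtual may list a user DN or a whole domain DN (user/-1 = the binder's parent).` Because the clause uses `continue`, a creator who also matches `dnattr=fripostOwner` on the entry being added accumulates `+zrd`; that is presumably intended so the creator can manage the new domain, and a short note confirming it would help the next reader.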
@@ -262,7 +279,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dnattr=fripostOwner read
by group/fripostVirtualDomain/fripostOwner.expand="$1" read
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
- by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd
#
# 1. The list owners can edit their entry's attributes.
# 2. So can the domain owners.
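Review bot: Replacing `=zrd` with `=zsd` drops read (`r`) for cn=ListCreator on the matched fvl entries while adding search (`s`); the rule's `to ... attrs=` line starts outside this hunk, so it is not visible which attribute values the service thereby loses access to. If the service only needs to locate and delete list entries this is a sound least-privilege tightening, but it should be checked against what ListCreator actually reads, and a comment recording the intent would keep it from being reverted: `# ListCreator only locates and deletes lists; it never needs the attribute values.`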