authorGuilhem Moulin <guilhem.moulin@fripost.org>2012-09-15 19:24:24 +0200
committerGuilhem Moulin <guilhem.moulin@fripost.org>2012-09-15 19:24:24 +0200
commit695e6662e46545d08213d3eec0c4f9956333a28e (patch)
treedd7bfb8e5d44932ad51e5f525fa018c8e4866806 /ldap/acl.ldif
parentcb9479f3ecd194e70f75422cd2f1511e0d772058 (diff)
SMTP service.
Diffstat (limited to 'ldap/acl.ldif')
-rw-r--r--ldap/acl.ldif57
1 files changed, 37 insertions, 20 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index eb28872..212d4d9 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -23,15 +23,39 @@
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
-## Managers have read/write access to the "virtual" subtree.
-#olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
-# by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
-# by * break
-#-
-## 1. Users/Services/Managers can change their password (but not read it).
-## 2. Anonymous users/services/managers can bind.
-## 3. Else, we inspect the 2 following ACLs.
-olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+#
+# Services have read access to the attribute they need. We put this ACL
+# first as it's likely to be the most used.
+# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
+# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
+# TODO: IMAP & SASLauth
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostOptionalMaildrop,fvu,fripostOptionalMaildrop,fva,fripostMaildrop,fvl,fripostListCommand
+ filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
+ by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
+ by users none break
+#
+# Anonymous can authenticate into the services. (But not read or write the password.)
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+ attrs=userPassword
+ by anonymous auth
+#
+# That's necessary for SASL proxy Authorize the web application.
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry,objectClass,authzTo
+ by * =x
+#
+# 1. Services have no access other than the one above.
+# 2. Managers have read/write access to the "virtual" subtree.
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none
+ by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
+ by * none break
+#
+# 1. Users can change their password (but not read it).
+# 2. Anonymous users/services/managers can bind.
+# 3. Else, we inspect the 2 following ACLs.
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
by self =w
by anonymous auth
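Review bot: The manager clause of the new `to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"` rule grants write to `dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org"`, while every other DN in this hunk, including that rule's own target, is under `dc=fripost,dc=dev`; a manager bound in the dev tree therefore never matches that clause, gets nothing from this rule and continues under `by * none break`, so the rule as written grants no manager access at all. Unless the dev instance really keeps its managers under `dc=org`, the line should read ` by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" write`; the `dc=org` suffix was already in the commented-out rule this commit replaces, so it looks carried over rather than chosen. Separately, the `attrs=` list of the SMTP rule names `fripostOptionalMaildrop` twice; the duplicate is harmless to slapd but should be dropped so the list matches the attribute set the comment describes. The `olcAccess` record that begins at `dn: olcDatabase={1}hdb,cn=config` continues past the end of this hunk.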
@@ -49,17 +73,6 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
by * none
#
-# That's necessary for SASL proxy Authorize the web application.
-olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,objectClass,authzTo
- by * =x
-##
-## Services can read the whole subtree (minus the userPassword attributes).
-#olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
-# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualList
-# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" read
-# by users none break
-#
# Users can search (e.g., to list the entries they have created).
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=objectClass
@@ -270,6 +283,10 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a
by users +0
+#TODO
+#olcAccess: to dn.regex="^fvl=([^,]+)-request,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+# filter=(objectClass=FripostVirtualListCommand)
+# by users read
#
# Catch the "break" control above.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"