authorGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-30 03:20:08 +0100
committerGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-30 03:20:08 +0100
commit73c7ba4d856553706528bf2a3ae91a82fa121c10 (patch)
tree5b2e61019f198bd9290d69cb9298ac78840801ce /ldap/acl.ldif
parent76b3e15f27cb2c3710e06f8cc74f95809d2a45ad (diff)
Prevent the WebApp from modifying the user passwords.
Diffstat (limited to 'ldap/acl.ldif')
-rw-r--r--ldap/acl.ldif11
1 files changed, 8 insertions, 3 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 5cc0ef0..970799a 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -45,12 +45,17 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
attrs=entry,objectClass,authzTo
by realanonymous =x
#
-# 1. Anonymous users can bind.
-# 2. Users can change their password (but not read it).
-# 3. The postmaster of a domain can change (replace) his/her users' password (but not read it).
+# 1. The WebPanel itself cannot bind, read or write passwords. This
+# guarantees that, if an attacker gains its priviledge, it will *not* be
+# able to change user passwords (which would allow him/her to read every
+# emails). This is a trick to tackle the absence of 'realgroup'.
+# 2. Anonymous users can bind.
+# 3. Users can change their password (but not read it).
+# 4. The postmaster of a domain can change (replace) his/her users' password (but not read it).
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=userPassword
+ by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0
by realanonymous =xd
by realself =w
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w
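Review bot: The new deny clause `by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0` keys on the raw SASL-style identity, but realdn is the authentication DN after any olcAuthzRegexp mapping; if the panel's SASL name is rewritten to the entry the preceding clause protects (cn=AdminWebPanel,ou=services,...), this deny never matches and the postmaster `group` clause below can still grant =w when the panel proxies as a postmaster. Whether such a mapping exists is not visible in this hunk, so it should be confirmed; if it does, add a second deny for the mapped DN, `by realdn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev" =0`, or cover both forms with one realdn.regex. Because slapd applies the first `by` clause whose subject matches, the deny is only effective while it stays ahead of the realself and group clauses, so a comment such as `# keep this deny first: the first matching 'by' clause wins` would protect that ordering against future edits. The new comment block also misspells `priviledge` (should be `privilege`).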