authorGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-21 23:17:41 +0100
committerGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-21 23:17:41 +0100
commitf0f87bd9b13cb0bd5c37472e5a9b4e0d36d1384d (patch)
tree37c7f14acce7c993bc9c5d227d84ffdd36b82d68 /ldap/acl.ldif
parent192be467f1d05e5e148481c5497444ffc97603eb (diff)
Added a service to delete expired pending entries.
Diffstat (limited to 'ldap/acl.ldif')
-rw-r--r--ldap/acl.ldif71
1 files changed, 57 insertions, 14 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 4cf7e10..153470f 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -65,6 +65,7 @@ olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0
by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
by anonymous =0 break
@@ -76,7 +77,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
attrs=userPassword
by realself =w
by anonymous =xd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =0 break
#
# The postmaster of a domain can change (replace) his/her users' password (but not read it).
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
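Review bot: The replacement clause `by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =0 break` widens the matched identity from user entries (fvu=…,fvd=…) to every entry below ou=virtual, including domains, aliases, lists and list commands, and the same substitution is repeated in every later hunk of this file. Here and in most of those hunks the clause only yields `=0 break` or `+0`, so nothing is gained by a non-user entry, but in the hunk at @@ -94,21 +95,61 @@ the same identity now receives `=s` on objectClass, `=s break` on the entry/ownership attributes and `=w` on the children of ou=virtual (domain creation/deletion), and in @@ -120,7 +161,7 @@ and @@ -187,7 +228,7 @@ it receives `=s` on fripostPendingToken and `+w` on a domain's children. If only fvu entries can bind (the userPassword rule in this very hunk is scoped to fvu DNs, which suggests so) the change is equivalent to the old regex, but that invariant is now enforced by the schema rather than by the ACL. A comment at the first widened clause stating the assumption, e.g. `# dn.children also matches domain/alias/list entries; relies on only users (fvu) being able to bind -- confirm`, would make it explicit for the next reader.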
@@ -94,21 +95,61 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
# 2. So can the list creator.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=objectClass
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
#
# 1. Users can search (e.g., to list the entries they have created).
# 2. Additional permissions may be added later on.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
#
+# Noone may create children under a pending entry. This is important
+# since otherwise we couldn't delete old pending entries
+# non-recursively.
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(fripostPendingToken=*)
+ attrs=children
+ by * =0
+#
+# Our service can list and delete (old) pending entries.
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(fripostPendingToken=*)
+ attrs=entry
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+#
+# Our service can search anywhere in the tree (for old pending entries).
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +s
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+#
+# Our service needs to have 'z' access on the 'children' of the parent of the entry that is
+# to be deleted. (And 'z' access of the 'entry' attribute of this entry.)
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=children
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+#
+# Our service needs search access to list (old) pending entries.
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(fripostPendingToken=*)
+ attrs=createTimestamp,fripostPendingToken
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+#
# Everyone can create/delete domains. (Provided s/he has +a/+z access to the
# "entry" attribute of the domains s/he wants to delete.)
olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=children
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =w
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
#
# Reserved local parts are reserved. /!\ The case must be insensitive
# - postmaster: RFC 822, appendix C.6
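Review bot: In the rule under "# Our service can search anywhere in the tree", the clause `by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +s` grants search on the entry attribute of the whole ou=virtual subtree to every account under ou=services, whereas the comment says only the new service needs it. ListCreator is excluded by the preceding `+0 break`, but any other or future service account will inherit the grant silently, which is at odds with the other new rules in this hunk that name cn=DeletePendingEntries explicitly. Unless another service relies on this, narrowing it to `by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" +s` followed by `by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break` keeps the privilege as tight as the comment describes.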
@@ -120,7 +161,7 @@ olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*)))
attrs=fripostPendingToken
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
#
# Only the domain Postmasters and Owners can search the unlock token and delete the
# 'pending' status (but not read).
@@ -158,7 +199,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dnattr=fripostPostmaster =rscd
by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd
by dn.onelevel,expand="$1" +d
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
@@ -179,7 +220,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
attrs=@fripostVirtualDomain
by dnattr=fripostOwner =wrscd
by dnattr=fripostPostmaster =wrscd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# Everyone can add or delete children, but we will be carefull with the
# kid's "entry" attribute, which require +a and +z to add and delete
@@ -187,7 +228,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
attrs=children
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +w
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
#
# 1. Users with "addDomain" access can create new entries.
# 2. Domain owners can delete their domain (and read the entry).
@@ -202,7 +243,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dnattr=fripostPostmaster +zrd
by dn.onelevel,expand="$1" +rd
by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# Noone (but the managers) can change quotas.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
@@ -237,7 +278,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dnattr=fripostOwner =rscd continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. The alias owners can edit the rest of their entry's attributes.
# 2. So can the domain owners.
@@ -261,7 +302,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. The list owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
@@ -272,7 +313,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dnattr=fripostOwner =rscd continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. The list owner read (but not edit) the transport-related attributes.
# 2. So can the domain ower.
@@ -287,6 +328,8 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 1,2,3. The list owner and the domain Owner and Postmaster can search
# (but not read) the 'pending' token.
# 4. The list creator can remove the "pending" flag.
+# (We don't need to limit the search to presence only here, since when present the value is
+# always 'TRUE')
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
attrs=fripostPendingToken
@@ -318,7 +361,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad
by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
#
# The List Creator can add list commands.
@@ -335,4 +378,4 @@ olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting
#
# Catch the "break" control above.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0