authorGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-19 02:21:23 +0100
committerGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-19 02:21:23 +0100
commit03415210a74739563a54c1b3a9ae786027a0d8be (patch)
treea974e1ba48b4870723544cb404416326023c8cbc /ldap
parent6239e3f8a77a32333350d7c744db289ec9e4f6e0 (diff)
CanCreate → CanAdd
Diffstat (limited to 'ldap')
-rw-r--r--ldap/Makefile2
-rw-r--r--ldap/acl.ldif28
-rw-r--r--ldap/database.ldif2
-rw-r--r--ldap/fripost.ldif12
-rw-r--r--ldap/populate.ldif22
-rwxr-xr-xldap/test-user-acl.sh134
6 files changed, 100 insertions, 100 deletions
diff --git a/ldap/Makefile b/ldap/Makefile
index 4dd0faa..e771a72 100644
--- a/ldap/Makefile
+++ b/ldap/Makefile
@@ -80,7 +80,7 @@ uninstall:
@echo "Deleting schema \"cn=$(SCHEMA),cn=config\"" && find "$(TMPSLAPD)/cn=config/cn=schema/" -type f -name "cn={*}$(SCHEMA).ldif" -delete
#
@if test -d "$(TMPSLAPD)/$(NUM2)"; then \
- @echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete \
+ echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete \
;fi
#
@/etc/init.d/slapd stop
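Review bot: The `@if test -d "$(TMPSLAPD)/$(NUM2)"` guard above the corrected line does not cover `$(NUM2)` being empty or unset: `"$(TMPSLAPD)/"` is then still a directory, and the `find … -delete` walks the whole config tree and removes every `olcOverlay={*}constraint.ldif` it meets, not only the one under the intended database. Since this is an `uninstall` recipe acting on the live slapd configuration, the empty case should be rejected explicitly, e.g. `@if test -n "$(NUM2)" && test -d "$(TMPSLAPD)/$(NUM2)"; then \`. The schema deletion on the line above has the same shape: an empty `$(SCHEMA)` turns its pattern into `cn={*}.ldif`, matching every schema file. How `NUM2` and `SCHEMA` are derived is not visible here, and the `uninstall` recipe starts before this hunk.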
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index c84d328..0528545 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -89,7 +89,7 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
# Users can search (e.g., to list the entries they have created).
# Additional permissions may be added later on.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateList
+ attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break
#
@@ -108,19 +108,19 @@ olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o
# 2,3. People that can create aliases can list the members of the group.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
- attrs=fripostCanCreateAlias
+ attrs=fripostCanAddAlias
by dnattr=fripostPostmaster write
by dnattr=fripostOwner read
- by set.exact="this/fripostCanCreateAlias & (user | user/-1)" read
+ by set.exact="this/fripostCanAddAlias & (user | user/-1)" read
#
# 1. The postmaster of a domain can give (or take back) people the right to create lists.
# 2,3. People that can create lists can list the members of the group.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
- attrs=fripostCanCreateList
+ attrs=fripostCanAddList
by dnattr=fripostPostmaster write
by dnattr=fripostOwner read
- by set.exact="this/fripostCanCreateList & (user | user/-1)" read
+ by set.exact="this/fripostCanAddList & (user | user/-1)" read
#
# 1-3. Noone (but the managers) can appoint domain Owners or Postmasters.
# But people that can create aliases and lists can list the members of their group.
@@ -129,7 +129,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
attrs=fripostOwner,fripostPostmaster
by dnattr=fripostOwner read
by dnattr=fripostPostmaster read
- by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList)& (user | user/-1)" read
+ by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" read
by dn.onelevel,expand="$1" +d
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
@@ -144,14 +144,14 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
# 3. Domain users can read the public domain attributes.
-# 4. So can users with "canCreateAlias" or "canCreateList" access.
+# 4. So can users with "canAddAlias" or "canAddList" access.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualDomain)
attrs=fvd,fripostIsStatusActive,description
by dnattr=fripostOwner write
by dnattr=fripostPostmaster write
by dn.onelevel,expand="$1" read
- by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" read
+ by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" read
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
@@ -165,14 +165,14 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
# 1. Domain owners can delete the domain (and read the entry).
# 2. So can domain postmasters.
# 3. Domain users can read the domain entry (but not delete it).
-# 4. So can users with "canCreateAlias" or "canCreateList" rights.
+# 4. So can users with "canAddAlias" or "canAddList" rights.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualDomain)
attrs=entry
by dnattr=fripostOwner +zrd
by dnattr=fripostPostmaster +zrd
by dn.onelevel,expand="$1" +rd
- by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" +rd
+ by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# Noone (but the managers) can change quotas.
@@ -223,7 +223,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 1. The alias owners can read and delete the entry.
# 2. So can the domain owner.
# 3. So can the domain postmaster.
-# 4. Users with "canCreateAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain.
+# 4. Users with "canAddAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain.
# (But *not* delete them, unless also owner.)
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualAlias)
@@ -231,7 +231,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dnattr=fripostOwner +zrd continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
- by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
+ by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. The list owner can list the ownership of the entry.
@@ -277,7 +277,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 1. The list owners can read the entry.
# 2. So can the domain's Owner.
# 3. So can the domain's Postmaster.
-# 4. Users with "canCreateList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain.
+# 4. Users with "canAddList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain.
# (But *not* delete them, unless also owner.)
# 6. The list creator can read the entry.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
@@ -286,7 +286,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dnattr=fripostOwner +rd continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad
- by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a
+ by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
#
diff --git a/ldap/database.ldif b/ldap/database.ldif
index 526cc89..ada28c7 100644
--- a/ldap/database.ldif
+++ b/ldap/database.ldif
@@ -18,7 +18,7 @@ olcDbCheckpoint: 512 30
# Require LDAPv3 protocol and authentication prior to directory
# operations.
olcRequires: LDAPv3 authc
-# We don't want to give "canCreate{Alias,List}" write access to alias/list
+# We don't want to give "canAdd{Alias,List}" write access to alias/list
# attributes.
olcAddContentAcl: FALSE
# The root user has all rights on the whole database (when SASL-binding
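Review bot: The comment on the changed line gives the motivation for `olcAddContentAcl: FALSE` but not its consequence, which is the security-relevant part: with content ACLs off, an ADD is checked only for `add` access on the new entry and on the parent's `children`, and the attribute values supplied in the new entry are not checked against the per-attribute ACLs at all. A principal holding `+a` on alias or list entries can thus presumably populate any attribute of the entry it creates, so whatever restricts those values (the constraint overlay the Makefile installs, it seems) is carrying that load and should be named here and covered by the ACL test script. Suggested wording for the comment: `# olcAddContentAcl FALSE: an ADD checks only entry/children access, not the values supplied; what a canAdd{Alias,List} user may set must be restricted elsewhere (constraint overlay).`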
diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif
index 970f924..2409b26 100644
--- a/ldap/fripost.ldif
+++ b/ldap/fripost.ldif
@@ -106,16 +106,16 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostUserQuota'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostCanCreateAlias'
- DESC 'A user/domain that can create aliases for the parent domain'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostCanAddAlias'
+ DESC 'A user/domain that can create aliases under the parent domain'
SUP distinguishedName )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostCanCreateList'
- DESC 'A user/domain that can create lists for the parent domain'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostCanAddList'
+ DESC 'A user/domain that can create lists under the parent domain'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostOwner'
- DESC 'A user that owns the parent domain'
+ DESC 'A user that owns under parent domain'
SUP distinguishedName )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.15 NAME 'fripostPostmaster'
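Review bot: The DESC of `fripostOwner` is changed from `'A user that owns the parent domain'` to `'A user that owns under parent domain'`, which is ungrammatical and looks like a stray search-and-replace; that attribute is not renamed, so the line should stay `DESC 'A user that owns the parent domain'`. The two renamed attribute types keep their OIDs (….1.2.1.12 and ….1.2.1.13) but change NAME, so any existing directory data or external configuration still using `fripostCanCreateAlias`/`fripostCanCreateList` is not migrated by this commit; if deployed databases exist, either a conversion note or a transitional alias such as `NAME ( 'fripostCanAddAlias' 'fripostCanCreateAlias' )` would be worth adding. The schema definitions continue past this hunk.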
@@ -135,7 +135,7 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtualDomain'
SUP top STRUCTURAL
DESC 'Virtual domain'
MUST ( fvd $ fripostIsStatusActive )
- MAY ( fripostCanCreateAlias $ fripostCanCreateList $
+ MAY ( fripostCanAddAlias $ fripostCanAddList $
fripostOwner $ fripostPostmaster $
fripostOptionalMaildrop $ description ) )
#
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index 4e0f9b6..9844275 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -14,8 +14,8 @@
# An independent domain, not self managed
dn: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualDomain
-fripostCanCreateAlias: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostCanCreateList: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddAlias: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddList: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostIsStatusActive: TRUE
dn: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
@@ -75,10 +75,10 @@ fripostLocalAlias: test-mailman#fripost.org
fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-# An independent domain, with canCreateAlias options
+# An independent domain, with canAddAlias options
dn: fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualDomain
-fripostCanCreateAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostIsStatusActive: FALSE
description: Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
description: tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim
@@ -96,10 +96,10 @@ fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=d
fripostMaildrop: user1@fripost.org
-# An independent domain, with canCreateList options
+# An independent domain, with canAddList options
dn: fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualDomain
-fripostCanCreateList: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddList: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostIsStatusActive: TRUE
# An owned list
@@ -111,11 +111,11 @@ fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=d
fripostLocalAlias: list1#example2.org
-# An independent domain, with both can createAlias and canCreateList options
+# An independent domain, with both can createAlias and canAddList options
dn: fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualDomain
-fripostCanCreateAlias: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostCanCreateList: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddAlias: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddList: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostIsStatusActive: TRUE
# An owned list
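Review bot: The changed comment still reads `with both can createAlias and canAddList options`, so the rename missed its first half; it should be `# An independent domain, with both canAddAlias and canAddList options`, matching the two attribute lines directly below it. As this file is the fixture the ACL test script searches by attribute name, the comment is the only leftover of the old spelling in this hunk.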
@@ -159,13 +159,13 @@ fripostIsStatusActive: TRUE
dn: fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualDomain
fripostIsStatusActive: TRUE
-fripostCanCreateAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostPostmaster: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostPostmaster: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# Buggy owner
fripostPostmaster: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostCanCreateAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostOptionalMaildrop: catch-all@example.org
fripostOptionalMaildrop: @example2.org
fripostOptionalMaildrop: @xn--v4h.net
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index c55916e..9b954c7 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -168,36 +168,36 @@ echo "Authenticated users, access to domain entries"
# * entry:
# =s-a for all
-# +rd if children, canCreate{Alias,List}, owner or postmaster
+# +rd if children, canAdd{Alias,List}, owner or postmaster
# +z if owner or postmaster
# * children:
# =w for all
# * objectClass:
# =s for all
# * fvd:
-# =rscd if children, canCreate{Alias,List}, owner or postmaster
+# =rscd if children, canAdd{Alias,List}, owner or postmaster
# +w if owner or postmaster
# * fripostIsStatusActive
-# =rscd if children, canCreate{Alias,List}, owner or postmaster
+# =rscd if children, canAdd{Alias,List}, owner or postmaster
# +w if owner or postmaster
-# * fripostCanCreateAlias
-# =rscd if canCreateAlias, owner or postmaster
+# * fripostCanAddAlias
+# =rscd if canAddAlias, owner or postmaster
# +w if postmaster
-# * fripostCanCreateList
-# =rscd if canCreateList, owner or postmaster
+# * fripostCanAddList
+# =rscd if canAddList, owner or postmaster
# +w if postmaster
# * fripostOwner
# =s for all
# +d if children
-# +rc if canCreate{Alias,List}, owner or postmaster
+# +rc if canAdd{Alias,List}, owner or postmaster
# * fripostPostmaster
# =s for all
# +d if children
-# +rc if canCreate{Alias,List}, owner or postmaster
+# +rc if canAdd{Alias,List}, owner or postmaster
# * fripostOptionalMaildrop
# =wrscd if owner or postmaster
# * description
-# =rscd if children, canCreate{Alias,List}, owner or postmaster
+# =rscd if children, canAdd{Alias,List}, owner or postmaster
# +w if owner or postmaster
usersD () {
@@ -236,8 +236,8 @@ usersD ${OPERATTRS} | isOK '=0$' entryUUID
# We check the following permissions:
# 0. Simple user
-# 1. canCreateAlias (exact,wildcard)
-# 2. canCreateList (exact,wildcard)
+# 1. canAddAlias (exact,wildcard)
+# 2. canAddList (exact,wildcard)
# 3. Owner
# 4. Postmaster
@@ -259,11 +259,11 @@ done | isOK 'ALLOWED$' entry read
# 1
ATTRSA="fripostOwner/read fripostOwner/compare
fripostPostmaster/read fripostPostmaster/compare
- fripostCanCreateAlias/read fripostCanCreateAlias/search fripostCanCreateAlias/compare fripostCanCreateAlias/disclose"
-msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateAlias, exact)"
+ fripostCanAddAlias/read fripostCanAddAlias/search fripostCanAddAlias/compare fripostCanAddAlias/disclose"
+msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddAlias, exact)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "fripostCanCreateAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "fripostCanAddAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA}
done
done | isOK 'ALLOWED$' children
@@ -271,11 +271,11 @@ done | isOK 'ALLOWED$' children
# 1
-msg "Have >=rscd to the public attributes and >=a to \"children\" (if CanCreateAlias, wildcard)"
+msg "Have >=rscd to the public attributes and >=a to \"children\" (if CanAddAlias, wildcard)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "fripostCanCreateAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "fripostCanAddAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA}
done
done | isOK 'ALLOWED$' children
@@ -285,11 +285,11 @@ done | isOK 'ALLOWED$' children
# 2
ATTRSL="fripostOwner/read fripostOwner/compare
fripostPostmaster/read fripostPostmaster/compare
- fripostCanCreateList/read fripostCanCreateList/search fripostCanCreateList/compare fripostCanCreateList/disclose"
-msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateList, exact)"
+ fripostCanAddList/read fripostCanAddList/search fripostCanAddList/compare fripostCanAddList/disclose"
+msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddList, exact)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "fripostCanCreateList=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL}
done
done | isOK 'ALLOWED$' children
@@ -297,11 +297,11 @@ done | isOK 'ALLOWED$' children
# 2
-msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateList, wildcard)"
+msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddList, wildcard)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "fripostCanCreateList=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL}
done
done | isOK 'ALLOWED$' children
@@ -309,10 +309,10 @@ done | isOK 'ALLOWED$' children
# 3
-# >=w to "children", =zrscd to "entry", >=rscd to "fripostCanCreateAlias" and
-# "fripostCanCreateList", and =wrscd to the rest (other than "Owner" and
+# >=w to "children", =zrscd to "entry", >=rscd to "fripostCanAddAlias" and
+# "fripostCanAddList", and =wrscd to the rest (other than "Owner" and
# Postmaster")
-msg "Have =wrscd to the domain attributes (other than \"canCreate\"), and >=w to \"children\" (if Owner)"
+msg "Have =wrscd to the domain attributes (other than \"canAdd\"), and >=w to \"children\" (if Owner)"
ATTRSO="entry/delete
fvd/write
fripostIsStatusActive/write
@@ -328,12 +328,12 @@ done | isOK 'ALLOWED$' children
# 4
-# >=w to "children", =zrscd to "entry", >=rscd to "fripostCanCreateAlias" and
-# "fripostCanCreateList", and =wrscd to the rest (other than "Owner" and
+# >=w to "children", =zrscd to "entry", >=rscd to "fripostCanAddAlias" and
+# "fripostCanAddList", and =wrscd to the rest (other than "Owner" and
# Postmaster")
msg "Have =wrscd to the domain attributes, and >=w to \"children\" (if Postmaster)"
-ATTRSP="fripostCanCreateAlias/add fripostCanCreateAlias/delete
- fripostCanCreateList/add fripostCanCreateList/delete"
+ATTRSP="fripostCanAddAlias/add fripostCanAddAlias/delete
+ fripostCanAddList/add fripostCanAddList/delete"
for U in ${USERS}; do
for D in ${DOMAINS}; do
search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
@@ -349,10 +349,10 @@ for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
[ "x${DU}" = "x${D}" ] || \
- search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX})
- (fripostCanCreateAlias=${DU},${SUFFIX})
- (fripostCanCreateList=${U},${SUFFIX})
- (fripostCanCreateList=${DU},${SUFFIX})
+ search -s base -b "${D},${SUFFIX}" "(|(fripostCanAddAlias=${U},${SUFFIX})
+ (fripostCanAddAlias=${DU},${SUFFIX})
+ (fripostCanAddList=${U},${SUFFIX})
+ (fripostCanAddList=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
checkACL "${U}" "${D}" ${ATTRS0}
@@ -362,14 +362,14 @@ done | isOK 'DENIED$' entry read
# not (1 or 2 or 3 or 4)
-msg "Do not have >=rc access to \"canCreate{Alias,List}\", \"Owner\", \"Postmaster\" (unless member)"
+msg "Do not have >=rc access to \"canAdd{Alias,List}\", \"Owner\", \"Postmaster\" (unless member)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX})
- (fripostCanCreateAlias=${DU},${SUFFIX})
- (fripostCanCreateList=${U},${SUFFIX})
- (fripostCanCreateList=${DU},${SUFFIX})
+ search -s base -b "${D},${SUFFIX}" "(|(fripostCanAddAlias=${U},${SUFFIX})
+ (fripostCanAddAlias=${DU},${SUFFIX})
+ (fripostCanAddList=${U},${SUFFIX})
+ (fripostCanAddList=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSL} entry/add
@@ -379,30 +379,30 @@ done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the
# not (1 or 3 or 4)
-msg "Have =0 access to \"canCreateAlias\" (unless member, Owner, or Postmaster)"
+msg "Have =0 access to \"canAddAlias\" (unless member, Owner, or Postmaster)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX})
- (fripostCanCreateAlias=${DU},${SUFFIX})
+ search -s base -b "${D},${SUFFIX}" "(|(fripostCanAddAlias=${U},${SUFFIX})
+ (fripostCanAddAlias=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${D}" fripostCanCreateAlias entry/add
+ checkACL "${U}" "${D}" fripostCanAddAlias entry/add
done
done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count
[ $? -eq 0 ] || exit $?
# not (2 or 3 or 4)
-msg "Have =0 access to \"canCreateList\" (unless member, Owner, or Postmaster)"
+msg "Have =0 access to \"canAddList\" (unless member, Owner, or Postmaster)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateList=${U},${SUFFIX})
- (fripostCanCreateList=${DU},${SUFFIX})
+ search -s base -b "${D},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
+ (fripostCanAddList=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${D}" fripostCanCreateList entry/add
+ checkACL "${U}" "${D}" fripostCanAddList entry/add
done
done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count
[ $? -eq 0 ] || exit $?
@@ -421,7 +421,7 @@ done | isOK 'DENIED$' entry
# not 4
-msg "Do not have >=w access to \"canCreate{Alias,List}\" (unless Postmaster)"
+msg "Do not have >=w access to \"canAdd{Alias,List}\" (unless Postmaster)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' || \
@@ -550,7 +550,7 @@ echo "Authenticated users, access to alias entries"
# * entry:
# =s for all
-# +a if canCreateAlias
+# +a if canAddAlias
# +zrd if alias owner, domain owner or domain postmaster
# * children:
# =0 for all
@@ -633,11 +633,11 @@ done | isOK 'ALLOWED$' entry add
# Needed to create new entries. ("+z" is required to delete, btw.)
-msg "Have >=a access to \"entry\" (if CanCreateAlias, exact)"
+msg "Have >=a access to \"entry\" (if CanAddAlias, exact)"
for U in ${USERS}; do
for A in ${ALIASES}; do
DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DA},${SUFFIX}" "fripostCanCreateAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${DA},${SUFFIX}" "fripostCanAddAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \
checkACL "${U}" "${A}" entry/add
done
done | isOK 'ALLOWED$' entry add
@@ -645,25 +645,25 @@ done | isOK 'ALLOWED$' entry add
# Needed to create new entries. ("+z" is required to delete, btw.)
-msg "Have >=a access to \"entry\" (if CanCreateAlias, wildcard)"
+msg "Have >=a access to \"entry\" (if CanAddAlias, wildcard)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for A in ${ALIASES}; do
DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DA},${SUFFIX}" "fripostCanCreateAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${DA},${SUFFIX}" "fripostCanAddAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \
checkACL "${U}" "${A}" entry/add
done
done | isOK 'ALLOWED$' entry add
[ $? -eq 0 ] || exit $?
-msg "Do not have >=a access to \"entry\" (unless canCreateAlias)"
+msg "Do not have >=a access to \"entry\" (unless canAddAlias)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for A in ${ALIASES}; do
DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DA},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX})
- (fripostCanCreateAlias=${DU},${SUFFIX})
+ search -s base -b "${DA},${SUFFIX}" "(|(fripostCanAddAlias=${U},${SUFFIX})
+ (fripostCanAddAlias=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
checkACL "${U}" "${A}" entry/add
@@ -706,7 +706,7 @@ echo "Authenticated users, access to list entries"
# * entry:
# =s for all
-# +a if canCreateList, domain owner or domain postmaster
+# +a if canAddList, domain owner or domain postmaster
# +rd if list owner, domain owner or domain postmaster
# * children:
# =0 for all
@@ -806,11 +806,11 @@ done | isOK 'ALLOWED$' entry add
# Needed to create new entries. ("+z" is required to delete, btw.)
-msg "Have >=a access to \"entry\" (if CanCreateList, exact)"
+msg "Have >=a access to \"entry\" (if CanAddList, exact)"
for U in ${USERS}; do
for L in ${LISTS}; do
DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DL},${SUFFIX}" "fripostCanCreateList=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \
checkACL "${U}" "${L}" entry/add
done
done | isOK 'ALLOWED$' entry
@@ -818,25 +818,25 @@ done | isOK 'ALLOWED$' entry
# Needed to create new entries. ("+z" is required to delete, btw.)
-msg "Have >=a access to \"entry\" (if CanCreateList, wildcard)"
+msg "Have >=a access to \"entry\" (if CanAddList, wildcard)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for L in ${LISTS}; do
DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DL},${SUFFIX}" "fripostCanCreateList=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \
checkACL "${U}" "${L}" entry/add
done
done | isOK 'ALLOWED$' entry
[ $? -eq 0 ] || exit $?
-msg "Do not have >=a access to \"entry\" (unless canCreateList)"
+msg "Do not have >=a access to \"entry\" (unless canAddList)"
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for L in ${LISTS}; do
DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DL},${SUFFIX}" "(|(fripostCanCreateList=${U},${SUFFIX})
- (fripostCanCreateList=${DU},${SUFFIX})
+ search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
+ (fripostCanAddList=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
checkACL "${U}" "${L}" entry/add
@@ -893,7 +893,7 @@ done | isOK '=rsd$' entry
msg "Have =0 access on other domain attributes"
for D in ${DOMAINS}; do
- checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
+ checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description
done | isOK 'none(=0)$' children
msg "Can read and search the user attributes it needs"
@@ -944,7 +944,7 @@ echo "Service ListCreator"
msg "Have =0 access on domain attributes"
for D in ${DOMAINS}; do
- checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
+ checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description
done | isOK '=0$' entry
msg "Have =0 access on user attributes"
@@ -995,7 +995,7 @@ echo "Service AdminWebPanel"
msg "Have =0 access on domain attributes"
for D in ${DOMAINS}; do
- checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
+ checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description
done | isOK 'none(=0)$' entry
msg "Have =0 access on user attributes"
@@ -1018,7 +1018,7 @@ for LC in ${LISTSC}; do
checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias
done | isOK 'none(=0)$' entry
-if sudo -u fpanel klist >/dev/null; then
+if test -x /usr/bin/sudo && sudo -u fpanel klist >/dev/null; then
msg "Can SASL authenticate (GSSAPI)"
DN=$(echo "dn:cn=AdminWebPanel,${SUFFIXS}" | tr [A-Z] [a-z])
DN2=$(sudo -u fpanel ldapwhoami -Q | tr [A-Z] [a-z])
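Review bot: The new guard `test -x /usr/bin/sudo` hard-codes the binary's location, so on a host where sudo is installed elsewhere the GSSAPI check is silently skipped even though the `sudo -u fpanel` calls that follow would work; `command -v sudo >/dev/null 2>&1 && sudo -u fpanel klist >/dev/null 2>&1` tests what the script actually invokes and also silences klist's stderr, so a missing ticket does not print noise while the branch is skipped. On the unchanged lines below, `tr [A-Z] [a-z]` leaves the bracket expressions unquoted, so a file named e.g. `A` in the working directory would be globbed into the argument; `tr '[:upper:]' '[:lower:]'` avoids that. The body of this `if` continues past the hunk.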