| author | Guilhem Moulin <guilhem.moulin@fripost.org> | 2013-01-21 18:11:27 +0100 | 
|---|---|---|
| committer | Guilhem Moulin <guilhem.moulin@fripost.org> | 2013-01-21 18:11:27 +0100 | 
| commit | 192be467f1d05e5e148481c5497444ffc97603eb (patch) | |
| tree | d0362e606569f7b699c10f64313ea15b1f6da4cc /ldap | |
| parent | 4697625becadbd2d3eea9feb3eaacd2bf91ecdd4 (diff) | |
Everyone can check for the absence of the 'pending' status.
Diffstat (limited to 'ldap')
| -rw-r--r-- | ldap/acl.ldif | 12 | ||||
| -rw-r--r-- | ldap/populate.ldif | 11 | ||||
| -rwxr-xr-x | ldap/test-user-acl.sh | 25 | 
3 files changed, 38 insertions, 10 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index ce2aa4c..4cf7e10 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -116,8 +116,14 @@ olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
     by * =0
 #
-# Only the domain Postmasters and Owners can read and search the unlock token and
-# delete the 'pending' status.
+# Everyone can check for the non-presence of the 'pending' status.
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+        filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*)))
+        attrs=fripostPendingToken
+    by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
+#
+# Only the domain Postmasters and Owners can search the unlock token and delete the
+# 'pending' status (but not read).
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
         filter=(objectClass=FripostVirtualDomain)
         attrs=fripostPendingToken
@@ -175,7 +181,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
     by dnattr=fripostPostmaster =wrscd
     by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
 #
-# Every one can add or delete children, but we will be carefull with the
+# Everyone can add or delete children, but we will be carefull with the
 # kid's "entry" attribute, which require +a and +z to add and delete
 # respectively.
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index 3401259..b93816d 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
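Review bot: The new `(!(fripostPendingToken=*))` directive sits before the Postmaster/Owner directive that follows it, and slapd stops at the first `to` clause that matches, so for a domain with no pending token this directive is final and its single `by dn.regex=...fvu...` line is the only grant on `fripostPendingToken`; as far as I recall an unmatched `by` list denies, so any identity the later directive's `by` lines (outside this hunk) cover gets nothing on that attribute for token-less domains. That looks intended for ordinary users, but the ordering dependency deserves a comment on the new directive, e.g. `# First match wins: for domains without a pending token this directive is final and the Postmaster/Owner directive below is never reached.` Granting `=s` only when the token is absent also lets any virtual user infer presence as well as absence (a presence filter on a token-less domain is evaluable, on a pending domain it is not), which the comment could state explicitly if that disclosure is acceptable. The retouched comment in the second hunk still spells `carefull`; `careful` would fix it while the line is being changed anyway.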
@@ -84,7 +84,6 @@ dn: fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: FripostVirtualDomain
 fripostCanAddAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 fripostIsStatusActive: FALSE
-fripostPendingToken: pending
 objectClass: SimpleSecurityObject
 userPassword: bogus
 description: Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
@@ -102,6 +101,11 @@ fripostIsStatusActive: FALSE
 fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 fripostMaildrop: user1@fripost.org
+dn: fvd=example0.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualDomain
+fripostIsStatusActive: TRUE
+fripostPendingToken: pending
+fripostPostmaster: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 # An independent domain, with canAddList options
 dn: fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
@@ -117,6 +121,11 @@ fripostListManager: schleuder
 fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 fripostLocalAlias: list1#example2.org
+dn: fva=alias1,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualAlias
+fripostIsStatusActive: FALSE
+fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostMaildrop: user1@fripost.org
 # An independent domain, with both can createAlias and canAddList options
 dn: fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 1dda3dc..7046716 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -238,6 +238,7 @@ echo "Authenticated users, access to domain entries"
 #       +w if owner or postmaster
 # * fripostPendingToken
 #       =zscd if owner or postmaster
+#       =s for all if there is no pending token
 # * fripostCanAddAlias
 #       =rscd if canAddAlias, owner or postmaster
 #       +w if postmaster
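Review bot: With `fripostPendingToken` removed from example.org, the new example0.org entry in the second hunk is the only fixture that still carries a pending token, and it has a `fripostPostmaster` but no `fripostOwner`, so the owner side of the "owner or postmaster" ACL cases is no longer exercised against a pending domain at all, and the postmaster side depends on `fvu=bigbrother,fvd=postmastered.org` existing and being among the test's USERS (neither is visible in this hunk). The entry also combines `fripostIsStatusActive: TRUE` with a pending token, whereas the fixture it replaces was inactive; if an active-yet-pending domain is a state the application never produces, the fixture tests a combination that cannot occur. A one-line comment above the entry would make the intent checkable, e.g. `# Pending domain (active, postmaster only) used by the fripostPendingToken ACL tests`, or add a `fripostOwner` so both roles are covered.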
@@ -274,22 +275,34 @@ usersD fripostOwner/add fripostOwner/delete \
 [ $? -eq 0 ] || exit $?
-msg "Have =0 rights on the \"pending\" status (unless owner or postmaster)"
+msg "Have =s rights on the \"pending\" status if absent"
 for U in ${USERS}; do
     for D in ${DOMAINS}; do
-        search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
-                                              (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+        search -s base -b "${D},${SUFFIX}" "(!(fripostPendingToken=*))" | grep -q '^dn: ' && \
+        checkACL "${U}" "${D}" fripostPendingToken
+    done
+done | isOK '=s$'
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =0 rights on the \"pending\" status if present (unless owner or postmaster)"
+for U in ${USERS}; do
+    for D in ${DOMAINS}; do
+        search -s base -b "${D},${SUFFIX}" "(&(!(|(fripostOwner=${U},${SUFFIX})
+                                                  (fripostPostmaster=${U},${SUFFIX})))
+                                              (fripostPendingToken=*))" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" fripostPendingToken
     done
 done | isOK '=0$'
 [ $? -eq 0 ] || exit $?
-msg "Have =zscd access on the \"pending\" status (if owner or postmaster)"
+msg "Have =zscd access on the \"pending\" status if present (if owner or postmaster)"
 for U in ${USERS}; do
     for D in ${DOMAINS}; do
-        search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
-                                              (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+        search -s base -b "${D},${SUFFIX}" "(&(|(fripostOwner=${U},${SUFFIX})
+                                                (fripostPostmaster=${U},${SUFFIX}))
+                                              (fripostPendingToken=*))" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" fripostPendingToken
     done
 done | isOK '=zscd$'  |
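Review bot: The `=zscd` loop at the end of the hunk, and the `=0`-if-present loop above it, now only reach `checkACL` for domains that carry a `fripostPendingToken`, which in this commit's fixtures is a single domain with one postmaster and no owner; if that postmaster is not among USERS the loop writes nothing and `isOK '=zscd$'` judges an empty stream, and whether that passes or fails depends on isOK, which is defined outside the hunk. The `=s`-if-absent loop at the top has the mirror problem and passes vacuously if every fixture domain were pending. If isOK does not already reject empty input, collect each loop's output first and fail explicitly when no (user, domain) pair was exercised, as sketched below for the `=zscd` case; the same shape applies to the other two loops. The `search` that gates each check presumably runs with privileged credentials rather than as `${U}` — if it ran as the user, the gating filter would itself be subject to the ACL under test.
```shell
msg "Have =zscd access on the \"pending\" status if present (if owner or postmaster)"
out=$(for U in ${USERS}; do
    for D in ${DOMAINS}; do
        # … unchanged: search … | grep -q '^dn: ' && checkACL "${U}" "${D}" fripostPendingToken …
    done
done)
[ -n "${out}" ] || { echo "no owner/postmaster of a pending domain among USERS; nothing checked" >&2; exit 1; }
printf '%s\n' "${out}" | isOK '=zscd$'
[ $? -eq 0 ] || exit $?
```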
