authorGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-17 20:38:37 +0100
committerGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-17 20:38:37 +0100
commit6239e3f8a77a32333350d7c744db289ec9e4f6e0 (patch)
tree6bb549c646249073000ff21b410f85cc3974ec5d /ldap
parentc6e15e5272a094f37c79c48bb92f8ff9a5e60081 (diff)
Mailbox → User.
Diffstat (limited to 'ldap')
-rw-r--r--ldap/Makefile6
-rw-r--r--ldap/acl.ldif16
-rw-r--r--ldap/fripost.ldif14
-rw-r--r--ldap/populate.ldif14
-rw-r--r--ldap/syncrepl.ldif2
-rwxr-xr-xldap/test-user-acl.sh30
6 files changed, 42 insertions, 40 deletions
diff --git a/ldap/Makefile b/ldap/Makefile
index 01f20fd..4dd0faa 100644
--- a/ldap/Makefile
+++ b/ldap/Makefile
@@ -75,11 +75,13 @@ uninstall:
;fi
#
@echo "Making a new configuration directory at \`$(TMPSLAPD)'"
- @mkdir -m0700 "$(TMPSLAPD)" && slapcat -n0 | slapadd -F "$(TMPSLAPD)" -n0 && chown -R 'openldap:openldap' "$(TMPSLAPD)"
+ @mkdir -m 0700 "$(TMPSLAPD)" && slapcat -n0 | slapadd -F "$(TMPSLAPD)" -n0 && chown -R 'openldap:openldap' "$(TMPSLAPD)"
#
@echo "Deleting schema \"cn=$(SCHEMA),cn=config\"" && find "$(TMPSLAPD)/cn=config/cn=schema/" -type f -name "cn={*}$(SCHEMA).ldif" -delete
#
- @echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete
+ @if test -d "$(TMPSLAPD)/$(NUM2)"; then \
+ @echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete \
+ ;fi
#
@/etc/init.d/slapd stop
#
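Review bot: The `@` on the continued line `@echo "Deleting constraints" && find …` is no longer a recipe prefix: the preceding line ends in a backslash, so make passes the text through to the shell and the shell receives `@echo` as a command name, which fails with "command not found" and short-circuits the `&&` before `find` runs, so the constraint overlay is never deleted and the `if` body exits non-zero. Only the first line of a recipe may carry `@`; the continuation should read `echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete \`. This assumes the page renders the line as committed; if the `@` was a rendering artefact the concern does not apply. The `uninstall` recipe begins and ends outside the hunk.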
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index ac2e19d..c84d328 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -32,7 +32,7 @@ replace: olcAccess
# TODO: if possible, make use GSSAPI for the services.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostIsStatusPending,fripostOptionalMaildrop,fvu,fva,fripostMaildrop,fvl,fvlc,fripostLocalAlias
- filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
+ filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
by users none break
#
@@ -69,7 +69,7 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
# The postmaster of a domain can change (replace) his/her users'
# password (but not see it).
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualUser)
attrs=userPassword
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w
#
@@ -177,24 +177,24 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
#
# Noone (but the managers) can change quotas.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualMailbox)
- attrs=fripostMailboxQuota
+ filter=(objectClass=FripostVirtualUser)
+ attrs=fripostUserQuota
by self read
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
#
# 1. Users can modify their own entry.
# 2. So can their postmasters.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualMailbox)
- attrs=@FripostVirtualMailbox
+ filter=(objectClass=FripostVirtualUser)
+ attrs=@FripostVirtualUser
by self write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
#
-# 1. Postmasters can create mailboxes (but not delete them).
+# 1. Postmasters can create users (but not delete them).
# (Provided that they have +a access to the parent's "children" attribute.)
# 2. Users can read their entry (but not delete it).
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualUser)
attrs=entry
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
by self +rd
diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif
index e0c226d..970f924 100644
--- a/ldap/fripost.ldif
+++ b/ldap/fripost.ldif
@@ -83,10 +83,10 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostMaildrop'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
#
# We are creating a new attribute, optional in virtual domains and
-# mailboxes, because the presence index should *not* apply to the
+# users, because the presence index should *not* apply to the
# mandatory attribute above.
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostOptionalMaildrop'
- DESC 'An optional email address for catch-all aliases on domains and mailboxes'
+ DESC 'An optional email address for catch-all aliases on domains and users'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
@@ -101,8 +101,8 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostIsStatusPending'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostMailboxQuota'
- DESC 'The quota on a mailbox e.g., "50MB"'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostUserQuota'
+ DESC 'The quota on a user e.g., "50MB"'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
#
@@ -140,11 +140,11 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtualDomain'
fripostOptionalMaildrop $ description ) )
#
# | TODO: add limits here
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualMailbox'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualUser'
SUP top STRUCTURAL
- DESC 'Virtual mailbox'
+ DESC 'Virtual user'
MUST ( fvu $ userPassword $ fripostIsStatusActive )
- MAY ( fripostMailboxQuota $ fripostOptionalMaildrop $ description) )
+ MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) )
#
olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAlias'
SUP top STRUCTURAL
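Review bot: The object class at OID 1.3.6.1.4.1.40011.1.2.2 and the attribute at 1.3.6.1.4.1.40011.1.2.1.11 keep their OIDs but change NAME, and nothing in the commit converts data already stored under the old names; entries carrying `objectClass: FripostVirtualMailbox` or `fripostMailboxQuota` would presumably stop matching the renamed ACL filters in acl.ldif and the syncrepl consumer filter once the new schema is loaded, so a migration step (or a note that existing databases must be repopulated) seems needed. A comment above the definition such as `# Renamed from FripostVirtualMailbox (same OID); existing entries must be converted before loading this schema` would record that for whoever upgrades a live directory. The same applies to the fripostUserQuota attribute in the hunk above.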
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index d0f6c0b..4e0f9b6 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -19,7 +19,7 @@ fripostCanCreateList: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripo
fripostIsStatusActive: TRUE
dn: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualMailbox
+objectClass: FripostVirtualUser
userPassword: user1
fripostIsStatusActive: TRUE
fripostOptionalMaildrop: user1@fripost.org
@@ -28,7 +28,7 @@ fripostOptionalMaildrop: user1@external2.org
fripostOptionalMaildrop: user1@external3.org
dn: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualMailbox
+objectClass: FripostVirtualUser
userPassword: user2
fripostIsStatusActive: TRUE
@@ -150,7 +150,7 @@ fripostIsStatusActive: TRUE
fripostLocalAlias: list#owned.org
dn: fvu=user,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualMailbox
+objectClass: FripostVirtualUser
userPassword: user
fripostIsStatusActive: TRUE
@@ -186,13 +186,13 @@ objectClass: FripostVirtualListCommand
FripostLocalAlias: list-request#postmastered.org
dn: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualMailbox
+objectClass: FripostVirtualUser
userPassword: user
fripostIsStatusActive: TRUE
-fripostMailboxQuota: 10MB
+fripostUserQuota: 10MB
dn: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualMailbox
+objectClass: FripostVirtualUser
userPassword: bigbrother
fripostIsStatusActive: TRUE
@@ -205,7 +205,7 @@ fripostPostmaster: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost
fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev
dn: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualMailbox
+objectClass: FripostVirtualUser
fripostIsStatusActive: TRUE
userPassword: user
description: Test domain internalization (user@☮.net).
diff --git a/ldap/syncrepl.ldif b/ldap/syncrepl.ldif
index 6fe0d06..2f40472 100644
--- a/ldap/syncrepl.ldif
+++ b/ldap/syncrepl.ldif
@@ -26,7 +26,7 @@ credentials="xxxxxx"
type=refreshAndPersist
retry="5 5 300 +"
searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
-filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))(fripostIsStatusActive=TRUE))"
+filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))(fripostIsStatusActive=TRUE))"
attrs="fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fvd,fvu,fva,fvl,fripostListCommand,fripostListManager"
scope=sub
schemachecking=off
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 12f3d14..c55916e 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -70,7 +70,7 @@ search () {
DOMAINS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualDomain" dn | \
grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+),.*/fvd=\1/')
-USERS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualMailbox" dn | \
+USERS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualUser" dn | \
grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvu=\1,fvd=\2/')
ALIASES=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualAlias" dn | \
grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fva=\1,fvd=\2/')
@@ -451,7 +451,7 @@ echo "Authenticated users, access to user entries"
# =w if account owner or domain postmaster
# * fripostIsStatusActive:
# =wrscd if account owner or domain postmaster
-# * fripostMailboxQuota:
+# * fripostUserQuota:
# =rscd if account owner or domain postmaster
# * fripostOptionalMaildrop:
# =wrscd if account owner or domain postmaster
@@ -464,10 +464,10 @@ usersU () {
done
}
-# They would need write access to their fripostMailboxQuota.
+# They would need write access to their fripostUserQuota.
# In practice they can't write fvu either, since it's single valued.
-msg "Have =rscxd access to their \"fripostMailboxQuota\""
-usersU fripostMailboxQuota | isOK 'read(=rscxd)$'
+msg "Have =rscxd access to their \"fripostUserQuota\""
+usersU fripostUserQuota | isOK 'read(=rscxd)$'
[ $? -eq 0 ] || exit $?
msg "Have =wd access to their own \"userPassword\""
@@ -500,7 +500,7 @@ for U1 in ${USERS}; do
checkACL "${U1}" "${U2}" entry children \
fvu userPassword \
fripostIsStatusActive \
- fripostMailboxQuota \
+ fripostUserQuota \
fripostOptionalMaildrop \
description
done
@@ -519,8 +519,8 @@ usersP () {
done
}
-msg "Have =rscxd access to their user's \"fripostMailboxQuota\" (if Postmaster)"
-usersP fripostMailboxQuota | isOK 'read(=rscxd)$'
+msg "Have =rscxd access to their user's \"fripostUserQuota\" (if Postmaster)"
+usersP fripostUserQuota | isOK 'read(=rscxd)$'
[ $? -eq 0 ] || exit $?
msg "Have =wd access to their user's \"userPassword\" (if Postmaster)"
@@ -896,14 +896,14 @@ for D in ${DOMAINS}; do
checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
done | isOK 'none(=0)$' children
-msg "Can read and search the mailbox attributes it needs"
+msg "Can read and search the user attributes it needs"
for U in ${USERS}; do
checkACL "cn=SMTP" "${U}" entry objectClass fvu fripostIsStatusActive fripostOptionalMaildrop
done | isOK '=rsd$' entry
-msg "Have =0 access on other mailbox attributes"
+msg "Have =0 access on other user attributes"
for U in ${USERS}; do
- checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostMailboxQuota description
+ checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUser description
done | isOK 'none(=0)$' children
msg "Can read and search the alias attributes it needs"
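Review bot: The attribute list passed to `checkACL "cn=SMTP" "${U}" children …` now names `fripostUser`, which is not an attribute in the schema; every other site in this commit uses `fripostUserQuota` (the hunks at lines 500, 947 and 998 of this file). As written, the "=0 access on other user attributes" check no longer exercises the quota attribute at all, so a regression granting the SMTP service access to `fripostUserQuota` would go unnoticed; the line should be `checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description`. `checkACL` and `isOK` are defined outside the hunk.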
@@ -947,9 +947,9 @@ for D in ${DOMAINS}; do
checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
done | isOK '=0$' entry
-msg "Have =0 access on mailbox attributes"
+msg "Have =0 access on user attributes"
for U in ${USERS}; do
- checkACL "cn=ListCreator" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostMailboxQuota fripostOptionalMaildrop description
+ checkACL "cn=ListCreator" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
done | isOK '=0$' entry
msg "Have =0 access on alias attributes"
@@ -998,9 +998,9 @@ for D in ${DOMAINS}; do
checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
done | isOK 'none(=0)$' entry
-msg "Have =0 access on mailbox attributes"
+msg "Have =0 access on user attributes"
for U in ${USERS}; do
- checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostMailboxQuota fripostOptionalMaildrop description
+ checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
done | isOK 'none(=0)$' entry
msg "Have =0 access on alias attributes"