aboutsummaryrefslogtreecommitdiffstats
path: root/ldap
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-20 03:39:35 +0100
committerGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-20 03:42:31 +0100
commit6295612701cb5b7cab131a8c0fcfa69846d11207 (patch)
tree49f755b4f07c56854f69a4f2d5db6af9ab5b891b /ldap
parent03415210a74739563a54c1b3a9ae786027a0d8be (diff)
Adding new domains.
Diffstat (limited to 'ldap')
-rw-r--r--ldap/acl.ldif51
-rw-r--r--ldap/base.ldif3
-rw-r--r--ldap/fripost.ldif39
-rw-r--r--ldap/index.ldif2
4 files changed, 62 insertions, 33 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 0528545..c090925 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -28,14 +28,20 @@ replace: olcAccess
# first as it's likely to be the most used.
# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
-# TODO: IMAP & SASLauth
-# TODO: if possible, make use GSSAPI for the services.
+# TODO: IMAP, SASLauth, Amavis
+# TODO: if possible, make use GSSAPI/EXTERNAL for the services.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostIsStatusPending,fripostOptionalMaildrop,fvu,fva,fripostMaildrop,fvl,fvlc,fripostLocalAlias
filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
by users none break
#
+#olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+# attrs=entry,objectClass,fripostIsStatusActive,fripostIsStatusPending,fvu,@amavisAccount
+# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostIsStatusPending=FALSE))
+# by dn.exact="gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth" =rsd
+# by users none break
+#
# Anonymous can authenticate into the services. (But not read or write the password.)
olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
@@ -60,7 +66,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
# 1. Users can change their password (but not read it).
# 2. Anonymous users can bind.
# 3. Else, we inspect the 2 following ACLs.
-olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
attrs=userPassword
by self =w
by anonymous auth
@@ -89,20 +95,30 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
# Users can search (e.g., to list the entries they have created).
# Additional permissions may be added later on.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
+ attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break
#
-# Everyone can delete domains. (Provided s/he has +d access to the "entry"
-# attribute of the domains s/he wants to delete.)
+# Everyone can create/delete domains. (Provided s/he has +a/+z access to the
+# "entry" attribute of the domains s/he wants to delete.)
olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =z
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
#
-# Reserved local parts are reserved.
+# Reserved local parts are reserved. /!\ The case be insensitive
+# postmaster # RFC 822, appendix C.6
+# abuse # RFC 2142, section 4
olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
by * none
#
+# Only the domain postmaster can read and search the unlock token and delete the
+# 'pending' status.
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=FripostVirtualDomain)
+ attrs=fripostIsStatusPending
+ by dnattr=fripostPostmaster =zrsd
+ by dnattr=fripostOwner =zrsd
+#
# 1. The postmaster of a domain can give (or take back) people the right to create
# aliases.
# 2,3. People that can create aliases can list the members of the group.
@@ -133,14 +149,6 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dn.onelevel,expand="$1" +d
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
-# Every one can add or delete children, but we will be carefull with the
-# kid's "entry" attribute, which require +a and +z to add and delete
-# respectively.
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=FripostVirtualDomain)
- attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
-#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
# 3. Domain users can read the public domain attributes.
@@ -162,6 +170,14 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
by dnattr=fripostPostmaster write
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
+# Every one can add or delete children, but we will be carefull with the
+# kid's "entry" attribute, which require +a and +z to add and delete
+# respectively.
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=FripostVirtualDomain)
+ attrs=children
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
+#
# 1. Domain owners can delete the domain (and read the entry).
# 2. So can domain postmasters.
# 3. Domain users can read the domain entry (but not delete it).
@@ -169,6 +185,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualDomain)
attrs=entry
+ by set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a continue
by dnattr=fripostOwner +zrd
by dnattr=fripostPostmaster +zrd
by dn.onelevel,expand="$1" +rd
@@ -262,7 +279,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dnattr=fripostOwner read
by group/fripostVirtualDomain/fripostOwner.expand="$1" read
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
- by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd
#
# 1. The list owners can edit their entry's attributes.
# 2. So can the domain owners.
diff --git a/ldap/base.ldif b/ldap/base.ldif
index 0f414f1..bdc9896 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -16,6 +16,9 @@ description: Mail hosting
dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalUnit
+objectClass: fripostVirtual
+fripostCanAddDomain: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddDomain: fvu=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
description: Virtual mail hosting
diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif
index 2409b26..71abdf4 100644
--- a/ldap/fripost.ldif
+++ b/ldap/fripost.ldif
@@ -98,31 +98,35 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostIsStatusActive'
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostIsStatusPending'
DESC 'Is the entry pending?'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostUserQuota'
DESC 'The quota on a user e.g., "50MB"'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostCanAddAlias'
- DESC 'A user/domain that can create aliases under the parent domain'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostCanAddDomain'
+ DESC 'A user/domain that can add domains'
SUP distinguishedName )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostCanAddList'
- DESC 'A user/domain that can create lists under the parent domain'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostCanAddAlias'
+ DESC 'A user/domain that can add aliases under the parent domain'
SUP distinguishedName )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostOwner'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostCanAddList'
+ DESC 'A user/domain that can add lists under the parent domain'
+ SUP distinguishedName )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.15 NAME 'fripostOwner'
DESC 'A user that owns under parent domain'
SUP distinguishedName )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.15 NAME 'fripostPostmaster'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.16 NAME 'fripostPostmaster'
DESC 'A user that is a postmaster of the parent domain'
SUP distinguishedName )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.16 NAME 'fripostListManager'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.17 NAME 'fripostListManager'
DESC 'The list manager'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
@@ -131,34 +135,39 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.16 NAME 'fripostListManager'
#
# Objects: 1.3.6.1.4.1.40011.1.2
#
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtualDomain'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtual'
+ AUXILIARY
+ DESC 'Virtual mail hosting'
+ MAY ( fripostCanAddDomain ) )
+#
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain'
SUP top STRUCTURAL
DESC 'Virtual domain'
MUST ( fvd $ fripostIsStatusActive )
MAY ( fripostCanAddAlias $ fripostCanAddList $
fripostOwner $ fripostPostmaster $
- fripostOptionalMaildrop $ description ) )
+ fripostOptionalMaildrop $ fripostIsStatusPending $ description ) )
#
# | TODO: add limits here
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualUser'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser'
SUP top STRUCTURAL
DESC 'Virtual user'
MUST ( fvu $ userPassword $ fripostIsStatusActive )
MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) )
#
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAlias'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualAlias'
SUP top STRUCTURAL
DESC 'Virtual alias'
MUST ( fva $ fripostMaildrop $ fripostIsStatusActive )
MAY ( fripostOwner $ description ) )
#
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualList'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList'
SUP top STRUCTURAL
DESC 'Virtual list'
MUST ( fvl $ fripostListManager $ fripostIsStatusActive $ fripostLocalAlias )
MAY ( fripostOwner $ description $ fripostIsStatusPending ) )
#
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualListCommand'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualListCommand'
SUP top STRUCTURAL
DESC 'Virtual list command'
MUST ( fvlc $ fripostLocalAlias ) )
diff --git a/ldap/index.ldif b/ldap/index.ldif
index 6d720bd..7db5288 100644
--- a/ldap/index.ldif
+++ b/ldap/index.ldif
@@ -31,7 +31,7 @@ add: olcDbIndex
olcDbIndex: fripostIsStatusActive,fvd,fvu,fva,fvl,fvlc eq
-
add: olcDbIndex
-olcDbIndex: fripostIsStatusPending pres,eq
+olcDbIndex: fripostIsStatusPending pres
-
add: olcDbIndex
olcDbIndex: fripostOptionalMaildrop pres