-rw-r--r-- | ldap/acl.ldif | 2 | ||||
-rw-r--r-- | ldap/base.ldif | 8 | ||||
-rw-r--r-- | ldap/syncrepl.ldif | 2 | ||||
-rwxr-xr-x | ldap/test-user-acl.sh | 34 |
4 files changed, 23 insertions, 23 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index eef10a9..382c402 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -38,7 +38,7 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
  filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(fripostIsStatusActive=FALSE))(!(fripostPendingToken=*)))
- by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
+ by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
  by users =0 break
 #
 # Anonymous can authenticate into the services. (But not read or write the password.)
diff --git a/ldap/base.ldif b/ldap/base.ldif
index e1a14fd..c31e109 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -25,15 +25,15 @@ description: Virtual mail hosting
 # TODO: for postfix, it'd be more efficient and more secure to SASL-bind
 # on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
 # TODO: IMAP, SASLauth, Amavis
-# TODO: if possible, make use GSSAPI/EXTERNAL for the services.
+# TODO: if possible, make use GSSAPI/EXTERNAL for the services and the replication.
 dn: ou=services,o=mailHosting,dc=fripost,dc=dev
 objectClass: organizationalUnit
 
-dn: cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev
+dn: cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=dev
 objectClass: simpleSecurityObject
 objectClass: organizationalRole
-userPassword: smtp
-description: Where Postfix bind to for LDAP lookups.
+userPassword: postfix
+description: Where Postfix binds to for its LDAP lookups.
 
 dn: cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev
 objectClass: simpleSecurityObject
diff --git a/ldap/syncrepl.ldif b/ldap/syncrepl.ldif
index d579e5c..441974b 100644
--- a/ldap/syncrepl.ldif
+++ b/ldap/syncrepl.ldif
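Review bot: `userPassword: postfix` on the new `cn=Postfix` entry is a cleartext credential equal to the account's own name, committed to the repository for the identity Postfix binds with and, per ldap/syncrepl.ldif in this commit, for the replication consumer as well. Even under the dc=fripost,dc=dev suffix, a hashed value such as `userPassword: {SSHA}<hash-generated-at-deploy-time>` (placeholder) or a value substituted at deployment time avoids seeding every instance built from this file with a guessable service password. The TODO comment just above already records that simple binds are a stopgap until SASL/EXTERNAL is used; a short note there that the literal value is a development fixture and must be replaced before any non-dev import would make that explicit.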
@@ -21,7 +21,7 @@ replace: olcSyncRepl
 olcSyncRepl: rid=000
  provider=ldap://127.0.0.1:3890
  bindmethod=simple
- binddn="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=org"
+ binddn="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org"
  credentials="xxxxxx"
  type=refreshAndPersist
  retry="5 5 300 +"
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 3e53b48..221415c 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
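Review bot: The new `binddn` places the service under `dc=fripost,dc=org`, while ldap/acl.ldif and ldap/base.ldif in the same commit define `cn=Postfix` under `dc=fripost,dc=dev`; unless the consumer deliberately targets a different suffix, it would bind as a DN this commit's base.ldif does not create, so the suffix should be checked. Reusing the Postfix lookup identity for replication also ties the consumer to the `=rsd` grant in acl.ldif, which (as far as the visible rule shows) is filtered to active, non-pending virtual entries, so inactive and pending entries would presumably not be replicated, and rotating the Postfix credential would break replication. A dedicated replication identity with its own `olcAccess` grant would keep the two roles and their credentials separate. The enclosing `replace: olcSyncRepl` modification starts before the hunk.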
@@ -1027,110 +1027,110 @@ done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry
 
 SUFFIX="${SUFFIXS}"
 echo
-echo "Service SMTP"
+echo "Service Postfix"
 
 msg "Have =0 access on non-active or pending entries"
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
  search -s base -b "${X},${SUFFIXV}" "(|(fripostIsStatusActive=TRUE)(fripostPendingToken=*))" | grep -q '^dn: ' && \
- checkACL "cn=SMTP" "${D}"
+ checkACL "cn=Postfix" "${D}"
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Can read and search the domain attributes it needs"
 for D in ${DOMAINS}; do
  search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
- checkACL "cn=SMTP" "${D}" entry fvd fripostOptionalMaildrop
+ checkACL "cn=Postfix" "${D}" entry fvd fripostOptionalMaildrop
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Can search the domain attributes it needs"
 for D in ${DOMAINS}; do
  search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
- checkACL "cn=SMTP" "${D}" objectClass
+ checkACL "cn=Postfix" "${D}" objectClass
 done | isOK '=s$' objectClass
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other domain attributes"
 for D in ${DOMAINS}; do
- checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken fripostIsStatusActive
+ checkACL "cn=Postfix" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken fripostIsStatusActive
 done | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 
 msg "Can read and search the user attributes it needs"
 for U in ${USERS}; do
  search -s base -b "${U},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
- checkACL "cn=SMTP" "${U}" entry fvu fripostOptionalMaildrop
+ checkACL "cn=Postfix" "${U}" entry fvu fripostOptionalMaildrop
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Can search the user attributes it needs"
 for U in ${USERS}; do
  search -s base -b "${U},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
- checkACL "cn=SMTP" "${U}" objectClass
+ checkACL "cn=Postfix" "${U}" objectClass
 done | isOK '=s$' objectClass
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other user attributes"
 for U in ${USERS}; do
- checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description fripostIsStatusActive
+ checkACL "cn=Postfix" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description fripostIsStatusActive
 done | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 
 msg "Can read and search the alias attributes it needs"
 for A in ${ALIASES}; do
  search -s base -b "${A},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
- checkACL "cn=SMTP" "${A}" entry fva fripostMaildrop
+ checkACL "cn=Postfix" "${A}" entry fva fripostMaildrop
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Can search the alias attributes it needs"
 for A in ${ALIASES}; do
  search -s base -b "${A},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
- checkACL "cn=SMTP" "${A}" objectClass
+ checkACL "cn=Postfix" "${A}" objectClass
 done | isOK '=s$' objectClass
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other alias attributes"
 for A in ${ALIASES}; do
- checkACL "cn=SMTP" "${A}" children ${OPERATTRS} fripostOwner description fripostIsStatusActive
+ checkACL "cn=Postfix" "${A}" children ${OPERATTRS} fripostOwner description fripostIsStatusActive
 done | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 
 msg "Can read and search the list attributes it needs"
 for L in ${LISTS}; do
  search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
- checkACL "cn=SMTP" "${L}" entry fvl fripostLocalAlias
+ checkACL "cn=Postfix" "${L}" entry fvl fripostLocalAlias
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Can search the list attributes it needs"
 for L in ${LISTS}; do
  search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
- checkACL "cn=SMTP" "${L}" objectClass
+ checkACL "cn=Postfix" "${L}" objectClass
 done | isOK '=s$' objectClass
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other list attributes"
 for L in ${LISTS}; do
- checkACL "cn=SMTP" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description fripostIsStatusActive fripostPendingToken
+ checkACL "cn=Postfix" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description fripostIsStatusActive fripostPendingToken
 done | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 
 msg "Can read and search the list command attributes it needs"
 for LC in ${LISTSC}; do
- checkACL "cn=SMTP" "${LC}" entry fvlc fripostLocalAlias
+ checkACL "cn=Postfix" "${LC}" entry fvlc fripostLocalAlias
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Can search the list command attributes it needs"
 for LC in ${LISTSC}; do
- checkACL "cn=SMTP" "${LC}" objectClass
+ checkACL "cn=Postfix" "${LC}" objectClass
 done | isOK '=s$' objectClass
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other list command attributes"
 for LC in ${LISTSC}; do
- checkACL "cn=SMTP" "${LC}" children ${OPERATTRS}
+ checkACL "cn=Postfix" "${LC}" children ${OPERATTRS}
 done | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 
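Review bot: In the first loop of the hunk, `for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do`, the new line `checkACL "cn=Postfix" "${D}"` passes `${D}` although the loop variable is `X`, so the =0 check runs against whatever `D` last held (presumably a stale value from an earlier loop, or nothing) instead of the entry the search just matched; it should read `checkACL "cn=Postfix" "${X}"`. The filter on that search, `fripostIsStatusActive=TRUE`, also looks inverted relative to the message "non-active or pending entries" and to the `fripostIsStatusActive=FALSE` filters used by the other loops, so it is worth confirming which entries this test is meant to select. Separately, every `[ $? -eq 0 ] || exit $?` in the hunk exits with the status of the failed `[` test rather than the status of the `isOK` pipeline, because `$?` is re-evaluated after the test; `rc=$?; [ "$rc" -eq 0 ] || exit "$rc"` would propagate it, and the same pattern repeats in all sixteen blocks of the hunk.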