-rw-r--r--ldap/Makefile16
-rw-r--r--ldap/acl.ldif178
-rw-r--r--ldap/base.ldif3
-rw-r--r--ldap/fripost.ldif8
-rw-r--r--ldap/index.ldif2
-rw-r--r--ldap/populate.ldif19
-rwxr-xr-xldap/test-user-acl.sh300
7 files changed, 366 insertions, 160 deletions
diff --git a/ldap/Makefile b/ldap/Makefile
index e771a72..5efa7e7 100644
--- a/ldap/Makefile
+++ b/ldap/Makefile
@@ -31,12 +31,16 @@ install-mx:
@rmdir "$(BACKUPSLAPD)"
install:
- # ldapadd -Y EXTERNAL -H ldapi:/// -f fripost.ldif
- # ldapadd -Y EXTERNAL -H ldapi:/// -f index.ldif
- # ldapadd -Y EXTERNAL -H ldapi:/// -f constraint.ldif
- # ldapadd -Y EXTERNAL -H ldapi:/// -f acl.ldif
- # ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
- # ldapadd -Y EXTERNAL -H ldapi:/// -f populate.ldif
+ # WARN!
+ ldapadd -Y EXTERNAL -H ldapi:/// -f fripost.ldif
+ ldapadd -Y EXTERNAL -H ldapi:/// -f index.ldif
+ ldapadd -Y EXTERNAL -H ldapi:/// -f constraint.ldif
+ ldapadd -Y EXTERNAL -H ldapi:/// -f acl.ldif
+ ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
+ ldapadd -Y EXTERNAL -H ldapi:/// -f populate.ldif
+
+test:
+ sh ./test-user-acl.sh
install-schema:
@ldapadd -Q -Y EXTERNAL -H ldapi:/// -f fripost.ldif
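Review bot: `# WARN!` at the head of the install recipe is a tab-indented recipe line, so it is handed to the shell rather than read as a Make comment, and it does not say what the warning is about. Move it above the rule as a real comment naming the hazard, e.g. `# WARNING: loads the full schema, ACLs and test data (base.ldif/populate.ldif carry cleartext test passwords) into the running slapd over ldapi:///; re-running it on a populated directory fails on existing entries, so this is for a development instance.` — the cleartext credentials are visible in the base.ldif and populate.ldif hunks of this commit. The new `test` target is a command, not a file, so it belongs in `.PHONY` together with `install` if that declaration exists outside this hunk; since test-user-acl.sh is mode 100755 the recipe could also run `./test-user-acl.sh` directly instead of `sh ./test-user-acl.sh`, which bypasses the script's own shebang. The lines preceding the install rule are outside the hunk.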
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index c090925..ce2aa4c 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -31,49 +31,54 @@ replace: olcAccess
# TODO: IMAP, SASLauth, Amavis
# TODO: if possible, make use GSSAPI/EXTERNAL for the services.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostIsStatusPending,fripostOptionalMaildrop,fvu,fva,fripostMaildrop,fvl,fvlc,fripostLocalAlias
+ attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
- by users none break
+ by users =0 break
+#
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=objectClass,fripostPendingToken,fripostIsStatusActive
+ filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
+ by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd
+ by users =0 break
#
#olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
-# attrs=entry,objectClass,fripostIsStatusActive,fripostIsStatusPending,fvu,@amavisAccount
-# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostIsStatusPending=FALSE))
+# attrs=entry,objectClass,fripostIsStatusActive,fripostPendingToken,fvu,@amavisAccount
+# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostPendingToken=FALSE))
# by dn.exact="gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth" =rsd
-# by users none break
+# by users =0 break
#
# Anonymous can authenticate into the services. (But not read or write the password.)
olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
- by anonymous auth
+ by realanonymous =xd
#
# That's necessary for SASL proxy Authorize the web application.
olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,objectClass,authzTo
- by * =x
+ by realanonymous =x
#
# 1. Managers have read/write access to the "virtual" subtree.
# 2. The list creator needs further access.
# 3. Other services have no access other than the one above.
# 4,5. Other users need further access.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" write
- by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" none break
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" none break
- by anonymous none break
+ by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
+ by anonymous =0 break
#
# 1. Users can change their password (but not read it).
# 2. Anonymous users can bind.
# 3. Else, we inspect the 2 following ACLs.
olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
attrs=userPassword
- by self =w
- by anonymous auth
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" none break
+ by realself =w
+ by anonymous =xd
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
#
-# The postmaster of a domain can change (replace) his/her users'
-# password (but not see it).
+# The postmaster of a domain can change (replace) his/her users' password (but not read it).
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=userPassword
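Review bot: The comment on the ou=services `userPassword` rule still says "Anonymous can authenticate", but the clause is now `by realanonymous =xd`, which matches on the real (authentication) identity rather than the effective one, whereas the users' equivalent further down in this hunk keeps `by anonymous =xd`. If the asymmetry is intended (service entries may only be bound to directly, never through a proxy-authorized identity), say so, e.g. `# Only a real anonymous bind (not a proxy-authorized one) may authenticate as a service.`; if it is not intended, the two rules should use the same subject. The same `*` → `realanonymous` change applies to the `authzTo` rule just below it, whose comment also still reads as if every identity matched.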
@@ -83,41 +88,41 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# (That's a catch-all, just to be sure that services, etc. cannot read the passwords).
olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
- by * none
+ by * =0
#
# 1. Users can search (e.g., to list the entries they have created).
# 2. So can the list creator.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=objectClass
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
#
-# Users can search (e.g., to list the entries they have created).
-# Additional permissions may be added later on.
+# 1. Users can search (e.g., to list the entries they have created).
+# 2. Additional permissions may be added later on.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
#
# Everyone can create/delete domains. (Provided s/he has +a/+z access to the
# "entry" attribute of the domains s/he wants to delete.)
olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =w
#
-# Reserved local parts are reserved. /!\ The case be insensitive
-# postmaster # RFC 822, appendix C.6
-# abuse # RFC 2142, section 4
+# Reserved local parts are reserved. /!\ The case must be insensitive
+# - postmaster: RFC 822, appendix C.6
+# - abuse: RFC 2142, section 4
olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- by * none
+ by * =0
#
-# Only the domain postmaster can read and search the unlock token and delete the
-# 'pending' status.
+# Only the domain Postmasters and Owners can read and search the unlock token and
+# delete the 'pending' status.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
- attrs=fripostIsStatusPending
- by dnattr=fripostPostmaster =zrsd
- by dnattr=fripostOwner =zrsd
+ attrs=fripostPendingToken
+ by dnattr=fripostPostmaster =zscd
+ by dnattr=fripostOwner =zscd
#
# 1. The postmaster of a domain can give (or take back) people the right to create
# aliases.
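Review bot: The rewritten comment on the `fripostPendingToken` rule says Postmasters and Owners "can read and search the unlock token", but the grant was changed from `=zrsd` to `=zscd`, which drops `r`: they may search, compare and delete the value, not read it. Either the comment or the privilege is wrong; the list rule later in this file ("search (but not read)") and the test script's new expectation (`=zscd if owner or postmaster`) suggest the comment should read `# Only the domain Postmasters and Owners can search/compare (but not read) the unlock token and delete the 'pending' status.`. The attribute's DESC in fripost.ldif still says "Is the entry pending?", so its meaning is now described in three places that disagree.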
@@ -125,29 +130,29 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
attrs=fripostCanAddAlias
- by dnattr=fripostPostmaster write
- by dnattr=fripostOwner read
- by set.exact="this/fripostCanAddAlias & (user | user/-1)" read
+ by dnattr=fripostPostmaster =wrscd
+ by dnattr=fripostOwner =rscd
+ by set.exact="this/fripostCanAddAlias & (user | user/-1)" =rscd
#
# 1. The postmaster of a domain can give (or take back) people the right to create lists.
# 2,3. People that can create lists can list the members of the group.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
attrs=fripostCanAddList
- by dnattr=fripostPostmaster write
- by dnattr=fripostOwner read
- by set.exact="this/fripostCanAddList & (user | user/-1)" read
+ by dnattr=fripostPostmaster =wrscd
+ by dnattr=fripostOwner =rscd
+ by set.exact="this/fripostCanAddList & (user | user/-1)" =rscd
#
# 1-3. Noone (but the managers) can appoint domain Owners or Postmasters.
# But people that can create aliases and lists can list the members of their group.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualDomain)
attrs=fripostOwner,fripostPostmaster
- by dnattr=fripostOwner read
- by dnattr=fripostPostmaster read
- by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" read
+ by dnattr=fripostOwner =rscd
+ by dnattr=fripostPostmaster =rscd
+ by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd
by dn.onelevel,expand="$1" +d
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
@@ -156,19 +161,19 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualDomain)
attrs=fvd,fripostIsStatusActive,description
- by dnattr=fripostOwner write
- by dnattr=fripostPostmaster write
- by dn.onelevel,expand="$1" read
- by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" read
+ by dnattr=fripostOwner =wrscd
+ by dnattr=fripostPostmaster =wrscd
+ by dn.onelevel,expand="$1" =rscd
+ by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
attrs=@fripostVirtualDomain
- by dnattr=fripostOwner write
- by dnattr=fripostPostmaster write
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dnattr=fripostOwner =wrscd
+ by dnattr=fripostPostmaster =wrscd
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
#
# Every one can add or delete children, but we will be carefull with the
# kid's "entry" attribute, which require +a and +z to add and delete
@@ -176,12 +181,13 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +w
#
-# 1. Domain owners can delete the domain (and read the entry).
-# 2. So can domain postmasters.
-# 3. Domain users can read the domain entry (but not delete it).
-# 4. So can users with "canAddAlias" or "canAddList" rights.
+# 1. Users with "addDomain" access can create new entries.
+# 2. Domain owners can delete their domain (and read the entry).
+# 3. So can domain postmasters.
+# 4. Domain users can read the domain entry (but not delete it).
+# 5. So can users with "canAddAlias" or "canAddList" rights.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualDomain)
attrs=entry
@@ -190,22 +196,22 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dnattr=fripostPostmaster +zrd
by dn.onelevel,expand="$1" +rd
by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
#
# Noone (but the managers) can change quotas.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=fripostUserQuota
- by self read
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+ by self =rscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
#
# 1. Users can modify their own entry.
# 2. So can their postmasters.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=@FripostVirtualUser
- by self write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by self =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
# 1. Postmasters can create users (but not delete them).
# (Provided that they have +a access to the parent's "children" attribute.)
@@ -222,10 +228,10 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualAlias)
attrs=fripostOwner
- by dnattr=fripostOwner read continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dnattr=fripostOwner =rscd continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
#
# 1. The alias owners can edit the rest of their entry's attributes.
# 2. So can the domain owners.
@@ -233,9 +239,9 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualAlias)
attrs=@FripostVirtualAlias
- by dnattr=fripostOwner write
- by group/fripostVirtualDomain/fripostOwner.expand="$1" write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by dnattr=fripostOwner =wrscd
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
# 1. The alias owners can read and delete the entry.
# 2. So can the domain owner.
@@ -249,7 +255,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
#
# 1. The list owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
@@ -257,10 +263,10 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
attrs=fripostOwner
- by dnattr=fripostOwner read continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dnattr=fripostOwner =rscd continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
#
# 1. The list owner read (but not edit) the transport-related attributes.
# 2. So can the domain ower.
@@ -268,17 +274,19 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
attrs=fripostListManager
- by dnattr=fripostOwner read
- by group/fripostVirtualDomain/fripostOwner.expand="$1" read
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+ by dnattr=fripostOwner =rscd
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =rscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
#
-# Only the list creator can remove the "pending" flag
+# 1,2,3. The list owner and the domain Owner and Postmaster can search
+# (but not read) the 'pending' token.
+# 4. The list creator can remove the "pending" flag.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
- attrs=fripostIsStatusPending
- by dnattr=fripostOwner read
- by group/fripostVirtualDomain/fripostOwner.expand="$1" read
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+ attrs=fripostPendingToken
+ by dnattr=fripostOwner =scd
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =scd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =scd
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd
#
# 1. The list owners can edit their entry's attributes.
@@ -287,9 +295,9 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
attrs=@FripostVirtualList
- by dnattr=fripostOwner write
- by group/fripostVirtualDomain/fripostOwner.expand="$1" write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by dnattr=fripostOwner =wrscd
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
# 1. The list owners can read the entry.
# 2. So can the domain's Owner.
@@ -304,7 +312,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad
by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
#
# The List Creator can add list commands.
@@ -321,4 +329,4 @@ olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting
#
# Catch the "break" control above.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
diff --git a/ldap/base.ldif b/ldap/base.ldif
index bdc9896..ff48497 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -19,6 +19,7 @@ objectClass: organizationalUnit
objectClass: fripostVirtual
fripostCanAddDomain: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostCanAddDomain: fvu=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddDomain: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
description: Virtual mail hosting
@@ -38,6 +39,8 @@ description: The entity that is authorized to add list commands
userPassword: listcreator
dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
+objectClass: simpleSecurityObject
objectClass: organizationalRole
description: The adminstrator Web Panel
+userPassword: panel
authzTo: dn.regex:^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
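Review bot: `userPassword: panel` is a cleartext credential committed to the repository for the AdminWebPanel service entry, beside the existing `userPassword: listcreator`. Since this file is what the Makefile's `install` target loads, anyone reusing it beyond a development instance inherits guessable service passwords; a comment stating that these are development-only values to be replaced (hashed, provisioned out of band) would help, e.g. `# Development credential only — replace before loading into a real instance.`. The new `objectClass: simpleSecurityObject` is spelled with a lowercase initial here but `SimpleSecurityObject` in populate.ldif; objectClass names are case-insensitive, but one spelling avoids a misleading grep.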
diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif
index 71abdf4..862d480 100644
--- a/ldap/fripost.ldif
+++ b/ldap/fripost.ldif
@@ -92,11 +92,11 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostOptionalMaildrop'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
#
olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostIsStatusActive'
- DESC 'Is the entry active?'
+ DESC 'When present, a token locking the entry in an inactive state'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostIsStatusPending'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostPendingToken'
DESC 'Is the entry pending?'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
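Review bot: The new DESC on `fripostIsStatusActive`, "When present, a token locking the entry in an inactive state", contradicts the attribute's own definition directly below it (`EQUALITY booleanMatch`, Boolean syntax, `SINGLE-VALUE`) and its `MUST` placement in FripostVirtualDomain and FripostVirtualList in the later hunks, which describe a mandatory boolean flag, not an optional token. That description looks as if it was meant for the renamed `fripostPendingToken` (caseExactMatch, 64-character string, `MAY`), whose DESC still says "Is the entry pending?"; presumably the two edits were swapped. Restoring `DESC 'Is the entry active?'` on fripostIsStatusActive and giving fripostPendingToken something like `DESC 'When present, a token locking the entry in a pending state'` would make the schema self-describing again.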
@@ -146,7 +146,7 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain'
MUST ( fvd $ fripostIsStatusActive )
MAY ( fripostCanAddAlias $ fripostCanAddList $
fripostOwner $ fripostPostmaster $
- fripostOptionalMaildrop $ fripostIsStatusPending $ description ) )
+ fripostOptionalMaildrop $ fripostPendingToken $ description ) )
#
# | TODO: add limits here
olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser'
@@ -165,7 +165,7 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList'
SUP top STRUCTURAL
DESC 'Virtual list'
MUST ( fvl $ fripostListManager $ fripostIsStatusActive $ fripostLocalAlias )
- MAY ( fripostOwner $ description $ fripostIsStatusPending ) )
+ MAY ( fripostOwner $ description $ fripostPendingToken ) )
#
olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualListCommand'
SUP top STRUCTURAL
diff --git a/ldap/index.ldif b/ldap/index.ldif
index 7db5288..77b0e5a 100644
--- a/ldap/index.ldif
+++ b/ldap/index.ldif
@@ -31,7 +31,7 @@ add: olcDbIndex
olcDbIndex: fripostIsStatusActive,fvd,fvu,fva,fvl,fvlc eq
-
add: olcDbIndex
-olcDbIndex: fripostIsStatusPending pres
+olcDbIndex: fripostPendingToken pres
-
add: olcDbIndex
olcDbIndex: fripostOptionalMaildrop pres
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index 9844275..3401259 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -39,7 +39,7 @@ fripostIsStatusActive: TRUE
fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostMaildrop: user1@fripost.org
fripostMaildrop: user1@example.org
-# Buggy owner
+# Bogus owner
fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# An independent alias
@@ -47,6 +47,8 @@ dn: fva=alias2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: user2@fripost.org
+objectClass: SimpleSecurityObject
+userPassword: bogus
# An owned list
dn: fvl=list1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
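Review bot: `objectClass: SimpleSecurityObject` and `userPassword: bogus` are added to alias, list, list-command and domain entries, which are not accounts; the only visible consumer is the test script's new "Authenticated non-users" section, which binds as these entries to verify they get `=0`. A comment above the first such addition would stop a later reader from "cleaning them up", e.g. `# Test fixture: lets test-user-acl.sh bind as a non-user entry to check it gets no access.`. The same additions appear in the three later populate.ldif hunks.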
@@ -62,15 +64,17 @@ objectClass: FripostVirtualList
fripostListManager: schleuder
fripostIsStatusActive: TRUE
fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-# Buggy owner
+# Bogus owner
fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostLocalAlias: list2#fripost.org
dn: fvl=test-mailman,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualList
+objectClass: SimpleSecurityObject
+userPassword: bogus
fripostListManager: mailman
fripostIsStatusActive: TRUE
-fripostIsStatusPending: TRUE
+fripostPendingToken: TRUE
fripostLocalAlias: test-mailman#fripost.org
fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
@@ -80,6 +84,9 @@ dn: fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualDomain
fripostCanAddAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostIsStatusActive: FALSE
+fripostPendingToken: pending
+objectClass: SimpleSecurityObject
+userPassword: bogus
description: Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
description: tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim
description: veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea
@@ -132,7 +139,7 @@ dn: fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualDomain
fripostIsStatusActive: TRUE
fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-# Buggy owner
+# Bogus owner
fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostOptionalMaildrop: catch-all@example.org
fripostOptionalMaildrop: @example2.org
@@ -163,7 +170,7 @@ fripostCanAddAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostPostmaster: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostPostmaster: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-# Buggy owner
+# Bogus postmaster
fripostPostmaster: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostCanAddAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostOptionalMaildrop: catch-all@example.org
@@ -184,6 +191,8 @@ FripostLocalAlias: list#postmastered.org
dn: fvlc=list-request,fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualListCommand
FripostLocalAlias: list-request#postmastered.org
+objectClass: SimpleSecurityObject
+userPassword: bogus
dn: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualUser
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 9b954c7..1dda3dc 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -19,7 +19,7 @@ RES=$(tempfile) || exit 1
checkACL () {
CMD=${SLAPACL}
- BIND="${1},${SUFFIX}"
+ if [ x"${1}" = x"''" ]; then BIND=${SUFFIX}; else BIND="${1},${SUFFIX}"; fi
if [ -n "${1}" ]; then CMD="${CMD} -D ${BIND}"; fi
if [ -n "${2}" ]; then BASE="${2},${SUFFIXV}"; else BASE="${SUFFIXV}"; fi
shift; shift
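Review bot: `if [ x"${1}" = x"''" ]` compares the first argument with the literal two-character string `''`, a sentinel that only makes sense together with `NU="'' ${DOMAINS} …"` much further down, where the unquoted expansion of `${NU}` produces that word; nothing here explains it. Add a comment on the new line, e.g. `# A literal '' (two quote characters) means: bind as the suffix entry itself; "" means anonymous.`, or replace the sentinel with a self-explanatory keyword such as `base`. checkACL continues past the end of this hunk.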
@@ -79,7 +79,7 @@ LISTS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualList" dn | \
LISTSC=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualListCommand" dn | \
grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+), *([^,]+),.*/fvlc=\1,fvl=\2,fvd=\3/')
-OPERATTRS="structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp"
+OPERATTRS="structuralObjectClass creatorsName entryUUID createTimestamp entryCSN modifiersName modifyTimestamp"
########################################################################
@@ -92,40 +92,96 @@ echo "Anonymous users:"
msg "Have =xd access to \"userPassword\" attributes"
for U in ${USERS}; do
checkACL "" "${U}" userPassword
-done | isOK 'auth(=xd)$'
+done | isOK '=xd$'
[ $? -eq 0 ] || exit $?
msg "Have =0 access to the rest of user entries"
for U in ${USERS}; do
checkACL "" "${U}"
-done | grep -v '^userPassword=.*: auth(=xd)$' | isOK '=0$' entry
+done | grep -v '^userPassword=.*: =xd$' | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
msg "Have =0 access to alias entries"
for A in ${ALIASES}; do
checkACL "" "${A}"
-done | isOK '=0' entry
+done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
msg "Have =0 access to list entries"
for L in ${LISTS}; do
checkACL "" "${L}"
-done | isOK '=0' entry
+done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =0 access to list commands entries"
+for LC in ${LISTSC}; do
+ checkACL "" "${LC}"
+done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
msg "Have =0 access to domain entries"
for D in ${DOMAINS}; do
checkACL "" "${D}"
-done | isOK '=0' entry
+done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =0 access to the base"
+checkACL "" "" | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
+
+
+###########################################################################
+
+echo
+echo "Authenticated non-users"
+NU="'' ${DOMAINS} ${ALIASES} ${LISTS} ${LISTSC}"
+
+msg "Have =0 access to alias entries"
+for X in ${NU}; do
+ for A in ${ALIASES}; do
+ checkACL "${X}" "${A}"
+ done
+done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =0 access to list entries"
+for X in ${NU}; do
+ for L in ${LISTS}; do
+ checkACL "${X}" "${L}"
+ done
+done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =0 access to list commands entries"
+for X in ${NU}; do
+ for LC in ${LISTSC}; do
+ checkACL "${X}" "${LC}"
+ done
+done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =0 access to domain entries"
+for X in ${NU}; do
+ for D in ${DOMAINS}; do
+ checkACL "${X}" "${D}"
+ done
+done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
msg "Have =0 access to the base"
-checkACL "" "" | isOK '=0' entry
+for X in ${NU}; do
+ checkACL "${X}" ""
+done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
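Review bot: Each new check ends with `[ $? -eq 0 ] || exit $?`, which exits with the status of the failed `[` test (1), not with whatever `isOK` returned, so the new Makefile `test` target always sees exit code 1 regardless of which check failed. The file already uses this idiom, so this is a request not to extend it further: `rc=$?; [ $rc -eq 0 ] || exit $rc` keeps isOK's code, if isOK distinguishes codes at all (not visible here). The heading `echo "Authenticated non-users"` also lacks the trailing colon the other section headings use.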
@@ -148,10 +204,9 @@ usersB entry | isOK '=s' entry
[ $? -eq 0 ] || exit $?
-# Needed to delete domains. They cannot create domains though, as they
-# would need =a on the "children" attribute.
-msg "Have =z access on the base's \"children\" attribute"
-usersB children | isOK '=z$' children
+# Needed to create/delete domains.
+msg "Have =w access on the base's \"children\" attribute"
+usersB children | isOK '=w$' children
[ $? -eq 0 ] || exit $?
@@ -167,7 +222,8 @@ echo
echo "Authenticated users, access to domain entries"
# * entry:
-# =s-a for all
+# =s for all
+# +a if canAddDomain
# +rd if children, canAdd{Alias,List}, owner or postmaster
# +z if owner or postmaster
# * children:
@@ -180,6 +236,8 @@ echo "Authenticated users, access to domain entries"
# * fripostIsStatusActive
# =rscd if children, canAdd{Alias,List}, owner or postmaster
# +w if owner or postmaster
+# * fripostPendingToken
+# =zscd if owner or postmaster
# * fripostCanAddAlias
# =rscd if canAddAlias, owner or postmaster
# +w if postmaster
@@ -208,11 +266,68 @@ usersD () {
done
}
-msg "Cannot appoint domain Owners or Postmasters; Cannot add a domain"
+msg "Cannot appoint domain Owners or Postmasters"
usersD fripostOwner/add fripostOwner/delete \
fripostPostmaster/add fripostPostmaster/delete \
- entry/add \
- | isOK 'DENIED$' entry
+ entryUUID/add \
+ | isOK 'DENIED$' entryUUID
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =0 rights on the \"pending\" status (unless owner or postmaster)"
+for U in ${USERS}; do
+ for D in ${DOMAINS}; do
+ search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+ checkACL "${U}" "${D}" fripostPendingToken
+ done
+done | isOK '=0$'
+[ $? -eq 0 ] || exit $?
+
+
+msg "Have =zscd access on the \"pending\" status (if owner or postmaster)"
+for U in ${USERS}; do
+ for D in ${DOMAINS}; do
+ search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' && \
+ checkACL "${U}" "${D}" fripostPendingToken
+ done
+done | isOK '=zscd$'
+[ $? -eq 0 ] || exit $?
+
+
+# Needed to create new entries. ("+z" is required to delete, btw.)
+msg "Have >=a access to \"entry\" (if CanAddDomain, exact)"
+for U in ${USERS}; do
+ for D in ${DOMAINS}; do
+ search -s base -b "${SUFFIX}" "fripostCanAddDomain=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ checkACL "${U}" "${D}" entry/add
+ done
+done | isOK 'ALLOWED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+# Needed to create new entries. ("+z" is required to delete, btw.)
+msg "Have >=a access to \"entry\" (if CanAddDomain, wildcard)"
+for U in ${USERS}; do
+ DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ for D in ${DOMAINS}; do
+ search -s base -b "${SUFFIX}" "fripostCanAddDomain=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ checkACL "${U}" "${D}" entry/add
+ done
+done | isOK 'ALLOWED$' entry add
+[ $? -eq 0 ] || exit $?
+
+
+msg "Do not have >=a access to \"entry\" (unless canAddDomain)"
+for U in ${USERS}; do
+ DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ for D in ${DOMAINS}; do
+ search -s base -b "${SUFFIX}" "(|(fripostCanAddDomain=${U},${SUFFIX})
+ (fripostCanAddDomain=${DU},${SUFFIX}))" | grep -q '^dn: ' || \
+ checkACL "${U}" "${D}" entry/add
+ done
+done | isOK 'DENIED$' entry add
[ $? -eq 0 ] || exit $?
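Review bot: `entryUUID/add` replaces `entry/add` as the "just to get the count" probe here and in the three later hunks of this file, presumably because users with CanAddDomain now legitimately hold `+a` on `entry`, so `entry/add` is no longer guaranteed DENIED; nothing says so. A comment at the first use, e.g. `# entryUUID is an operational attribute no user may add, so it is a safe always-DENIED probe (entry/add is now ALLOWED for CanAddDomain users).`, would explain the switch. In the two "Have >=a access to entry (if CanAddDomain …)" loops every (U, D) pair whose search finds nothing is skipped, so if no fixture granted the right the pipeline would feed isOK no lines and — unless isOK fails on empty input, which is not visible here — pass vacuously; the base.ldif hunk shows the grants expected to exercise it, and naming them in a comment would make the coverage explicit. The comment `# Needed to create new entries. ("+z" is required to delete, btw.)` is duplicated verbatim above both loops.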
# We ensure not to give +a/+z access to the \"entry\" attribute of the
@@ -372,9 +487,9 @@ for U in ${USERS}; do
(fripostCanAddList=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSL} entry/add
+ checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSL} entryUUID/add
done
-done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the count
+done | isOK 'DENIED$' entryUUID # "entryUUID" here is useless, but it's just to get the count
[ $? -eq 0 ] || exit $?
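Review bot: The substitution of `entryUUID/add` for `entry/add` at L748 is not explained anywhere; the trailing comment at L751 only says the isOK attribute is used for the count, so a reader cannot tell why the access under test changed. Presumably `entry/add` can now be legitimately ALLOWED for principals holding fripostCanAddDomain (the checks at L710-740), so a loop that expects DENIED needed an attribute nobody may add — confirm that is the reason and record it, e.g. `# entryUUID/add stands in for entry/add here: it must be DENIED for everyone, whereas entry/add can be granted via fripostCanAddDomain`. The same uncommented substitution is at L758, L768 and L778. The enclosing for loop and the search filter start outside the hunk.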
@@ -387,9 +502,9 @@ for U in ${USERS}; do
(fripostCanAddAlias=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${D}" fripostCanAddAlias entry/add
+ checkACL "${U}" "${D}" fripostCanAddAlias entryUUID/add
done
-done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count
+done | isOK '\(=0\|DENIED\)$' entryUUID # "entryUUID" here is useless, but it's just to get the count
[ $? -eq 0 ] || exit $?
@@ -402,9 +517,9 @@ for U in ${USERS}; do
(fripostCanAddList=${DU},${SUFFIX})
(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${D}" fripostCanAddList entry/add
+ checkACL "${U}" "${D}" fripostCanAddList entryUUID/add
done
-done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count
+done | isOK '\(=0\|DENIED\)$' entryUUID # "entryUUID" here is useless, but it's just to get the count
[ $? -eq 0 ] || exit $?
@@ -425,9 +540,9 @@ msg "Do not have >=w access to \"canAdd{Alias,List}\" (unless Postmaster)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' || \
- checkACL "${U}" "${D}" ${ATTRSP} entry/add
+ checkACL "${U}" "${D}" ${ATTRSP} entryUUID/add
done
-done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the count
+done | isOK 'DENIED$' entryUUID # "entryUUID" here is useless, but it's just to get the count
[ $? -eq 0 ] || exit $?
@@ -466,16 +581,16 @@ usersU () {
# They would need write access to their fripostUserQuota.
# In practice they can't write fvu either, since it's single valued.
-msg "Have =rscxd access to their \"fripostUserQuota\""
-usersU fripostUserQuota | isOK 'read(=rscxd)$'
+msg "Have =rscd access to their \"fripostUserQuota\""
+usersU fripostUserQuota | isOK '=rscd$'
[ $? -eq 0 ] || exit $?
-msg "Have =wd access to their own \"userPassword\""
+msg "Have =w access to their own \"userPassword\""
usersU userPassword | isOK '=w$'
[ $? -eq 0 ] || exit $?
-msg "Have =wrscxd access to the other attributes of their own entry"
-usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu
+msg "Have =wrscd access to the other attributes of their own entry"
+usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu
[ $? -eq 0 ] || exit $?
msg "Have >=rsd access to the \"entry\" attribute of their own entry"
@@ -519,16 +634,16 @@ usersP () {
done
}
-msg "Have =rscxd access to their user's \"fripostUserQuota\" (if Postmaster)"
-usersP fripostUserQuota | isOK 'read(=rscxd)$'
+msg "Have =rscd access to their user's \"fripostUserQuota\" (if Postmaster)"
+usersP fripostUserQuota | isOK '=rscd$'
[ $? -eq 0 ] || exit $?
msg "Have =wd access to their user's \"userPassword\" (if Postmaster)"
usersP userPassword | isOK '=w$'
[ $? -eq 0 ] || exit $?
-msg "Have =wrscxd access to the other attributes of their users' entry (if Postmaster)"
-usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu
+msg "Have =wrscd access to the other attributes of their users' entry (if Postmaster)"
+usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu
[ $? -eq 0 ] || exit $?
# "+a" is needed to create new accounts. "+z" would be required to
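Review bot: The message at L809 still announces `=wd` access to userPassword while the assertion on L810 checks `'=w$'`, which is exactly the mismatch this commit fixes for the user's own entry at L792; change L809 to `msg "Have =w access to their user's \"userPassword\" (if Postmaster)"`. usersP is defined above the hunk.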
@@ -716,7 +831,7 @@ echo "Authenticated users, access to list entries"
# =rscd if list owner, domain owner or domain postmaster
# * fripostIsStatusActive:
# =wrscd if list owner, domain owner or domain postmaster
-# * fripostIsStatusPending:
+# * fripostPendingToken:
# =rscd if list owner, domain owner or domain postmaster
# * fripostOwner:
# =d for all
@@ -753,12 +868,12 @@ done | isOK 'DENIED$' fripostListManager
[ $? -eq 0 ] || exit $?
-msg "Cannot edit pending status; Cannot delete entry"
+msg "Cannot read or delete the pending status; Cannot delete entry"
for U in ${USERS}; do
for L in ${LISTS}; do
- checkACL "${U}" "${L}" fripostIsStatusPending/write entry/delete
+ checkACL "${U}" "${L}" fripostPendingToken/read fripostPendingToken/add fripostPendingToken/delete entry/delete
done
-done | isOK 'DENIED$' fripostIsStatusPending
+done | isOK 'DENIED$' entry
[ $? -eq 0 ] || exit $?
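Review bot: The renamed comment at L823-824 still documents fripostPendingToken as `=rscd` for list owners, domain owners and postmasters, but the new check at L830-838 asserts `fripostPendingToken/read` is DENIED for every user on every list and L844 drops `fripostPendingToken/read` from the allowed set, so one of the two is stale. If withholding read is intentional (a token that gates a pending list should not be disclosed to the people it gates), update the comment to `# =scd if list owner, domain owner or domain postmaster`. Keeping `s` and `c` means an authenticated principal can still confirm a candidate value through an equality filter or a compare, which is acceptable only if the token is unguessable; that assumption is worth a comment where the ACL is defined.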
@@ -766,7 +881,7 @@ ATTRS="entry/read entry/disclose
fvl/write fvl/read fvl/search fvl/compare fvl/disclose
fripostListManager/read fripostListManager/search fripostListManager/compare fripostListManager/disclose
fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose
- fripostIsStatusPending/read fripostIsStatusPending/search fripostIsStatusPending/compare fripostIsStatusPending/disclose
+ fripostPendingToken/search fripostPendingToken/compare fripostPendingToken/disclose
fripostOwner/read fripostOwner/compare fripostOwner/disclose
description/add description/delete description/read description/compare description/disclose"
ATTRS2="fripostOwner/add fripostOwner/delete"
@@ -888,53 +1003,93 @@ echo "Service SMTP"
msg "Can read and search the domain attributes it needs"
for D in ${DOMAINS}; do
- checkACL "cn=SMTP" "${D}" entry objectClass fvd fripostIsStatusActive fripostOptionalMaildrop
+ checkACL "cn=SMTP" "${D}" entry fvd fripostOptionalMaildrop
done | isOK '=rsd$' entry
+[ $? -eq 0 ] || exit $?
+
+msg "Can search the domain attributes it needs"
+for D in ${DOMAINS}; do
+ checkACL "cn=SMTP" "${D}" objectClass fripostPendingToken fripostIsStatusActive
+done | isOK '=sd$' objectClass
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on other domain attributes"
for D in ${DOMAINS}; do
checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description
-done | isOK 'none(=0)$' children
+done | isOK '=0$' children
+[ $? -eq 0 ] || exit $?
msg "Can read and search the user attributes it needs"
for U in ${USERS}; do
- checkACL "cn=SMTP" "${U}" entry objectClass fvu fripostIsStatusActive fripostOptionalMaildrop
+ checkACL "cn=SMTP" "${U}" entry fvu fripostOptionalMaildrop
done | isOK '=rsd$' entry
+[ $? -eq 0 ] || exit $?
+
+msg "Can search the user attributes it needs"
+for U in ${USERS}; do
+ checkACL "cn=SMTP" "${U}" objectClass fripostIsStatusActive
+done | isOK '=sd$' objectClass
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on other user attributes"
for U in ${USERS}; do
- checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUser description
-done | isOK 'none(=0)$' children
+ checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description
+done | isOK '=0$' children
+[ $? -eq 0 ] || exit $?
msg "Can read and search the alias attributes it needs"
for A in ${ALIASES}; do
- checkACL "cn=SMTP" "${A}" entry objectClass fva fripostMaildrop fripostIsStatusActive
+ checkACL "cn=SMTP" "${A}" entry fva fripostMaildrop
done | isOK '=rsd$' entry
+[ $? -eq 0 ] || exit $?
+
+msg "Can search the alias attributes it needs"
+for A in ${ALIASES}; do
+ checkACL "cn=SMTP" "${A}" objectClass fripostIsStatusActive
+done | isOK '=sd$' objectClass
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on other alias attributes"
for A in ${ALIASES}; do
checkACL "cn=SMTP" "${A}" children ${OPERATTRS} fripostOwner description
-done | isOK 'none(=0)$' children
+done | isOK '=0$' children
+[ $? -eq 0 ] || exit $?
msg "Can read and search the list attributes it needs"
for L in ${LISTS}; do
- checkACL "cn=SMTP" "${L}" entry objectClass fvl fripostIsStatusActive fripostLocalAlias fripostIsStatusPending
+ checkACL "cn=SMTP" "${L}" entry fvl fripostLocalAlias
done | isOK '=rsd$' entry
+[ $? -eq 0 ] || exit $?
+
+msg "Can search the list attributes it needs"
+for L in ${LISTS}; do
+ checkACL "cn=SMTP" "${L}" objectClass fripostIsStatusActive fripostPendingToken
+done | isOK '=sd$' objectClass
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on other list attributes"
for L in ${LISTS}; do
checkACL "cn=SMTP" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description
-done | isOK 'none(=0)$' children
+done | isOK '=0$' children
+[ $? -eq 0 ] || exit $?
msg "Can read and search the list command attributes it needs"
for LC in ${LISTSC}; do
- checkACL "cn=SMTP" "${LC}" entry objectClass fvlc fripostIsStatusActive fripostLocalAlias
+ checkACL "cn=SMTP" "${LC}" entry fvlc
done | isOK '=rsd$' entry
+[ $? -eq 0 ] || exit $?
+
+msg "Can search the list command attributes it needs"
+for LC in ${LISTSC}; do
+ checkACL "cn=SMTP" "${LC}" objectClass
+done | isOK '=sd$' objectClass
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on other list command attributes"
for LC in ${LISTSC}; do
checkACL "cn=SMTP" "${LC}" children ${OPERATTRS}
-done | isOK 'none(=0)$' children
+done | isOK '=0$' children
+[ $? -eq 0 ] || exit $?
###########################################################################
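Review bot: Every guard added in this hunk (L854, L860, L866, …) has the form `[ $? -eq 0 ] || exit $?`, but when `exit $?` is expanded `$?` already holds the status of the failed `[` test, i.e. always 1, so isOK's own exit status never reaches the caller. `done | isOK '=rsd$' entry || exit 1` says the same thing in one line without the misleading `$?`, or capture the status first (`rc=$?; [ $rc -eq 0 ] || exit $rc`) if isOK's code carries meaning. The same idiom is introduced at L945-988 and L996-1021. Separately, the twelve msg/for/checkACL/isOK blocks for cn=SMTP differ only in the list variable and the attribute set; a small helper in the style of the usersU/usersP functions used for authenticated users would keep each object type's expected rights next to each other.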
@@ -946,46 +1101,55 @@ msg "Have =0 access on domain attributes"
for D in ${DOMAINS}; do
checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description
done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on user attributes"
for U in ${USERS}; do
checkACL "cn=ListCreator" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on alias attributes"
for A in ${ALIASES}; do
checkACL "cn=ListCreator" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
-msg "Have =zrd access on lists' pending status"
+msg "Have =zsd access on lists' pending status"
for L in ${LISTS}; do
- checkACL "cn=ListCreator" "${L}" fripostIsStatusPending
-done | isOK '=zrd$'
+ checkACL "cn=ListCreator" "${L}" fripostPendingToken
+done | isOK '=zsd$'
+[ $? -eq 0 ] || exit $?
msg "Have =rsd access on lists' entry attribute"
for L in ${LISTS}; do
checkACL "cn=ListCreator" "${L}" entry
done | isOK '=rsd$'
+[ $? -eq 0 ] || exit $?
msg "Have =a access on lists' children attribute"
for L in ${LISTS}; do
checkACL "cn=ListCreator" "${L}" children
done | isOK '=a$'
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on other list attributes"
for L in ${LISTS}; do
checkACL "cn=ListCreator" "${L}" ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description
done | isOK '=0$' fvl
+[ $? -eq 0 ] || exit $?
msg "Have =a access on list commands' entry attribute"
for LC in ${LISTSC}; do
checkACL "cn=ListCreator" "${LC}" entry
done | isOK '=a$'
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on other list command attributes"
for LC in ${LISTSC}; do
checkACL "cn=ListCreator" "${LC}" children ${OPERATTRS} fvlc fripostLocalAlias
done | isOK '=0$' children
+[ $? -eq 0 ] || exit $?
###########################################################################
@@ -996,28 +1160,46 @@ echo "Service AdminWebPanel"
msg "Have =0 access on domain attributes"
for D in ${DOMAINS}; do
checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description
-done | isOK 'none(=0)$' entry
+done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on user attributes"
for U in ${USERS}; do
checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
-done | isOK 'none(=0)$' entry
+done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on alias attributes"
for A in ${ALIASES}; do
checkACL "cn=AdminWebPanel" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
-done | isOK 'none(=0)$' entry
+done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on list attributes"
for L in ${LISTS}; do
- checkACL "cn=AdminWebPanel" "${L}" entry children ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description fripostIsStatusPending
-done | isOK 'none(=0)$' entry
+ checkACL "cn=AdminWebPanel" "${L}" entry children ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description fripostPendingToken
+done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
msg "Have =0 access on other list command attributes"
for LC in ${LISTSC}; do
checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias
-done | isOK 'none(=0)$' entry
+done | isOK '=0$' entry
+[ $? -eq 0 ] || exit $?
+
+MECH='DIGEST-MD5'
+PANEL='AdminWebPanel@fripost.org'
+msg "Check authcID"
+slapauth -U "${PANEL}" 2>&1 | grep '^ID: ' | isOK 'check succeeded$'
+[ $? -eq 0 ] || exit $?
+
+msg "Can proxy authorize (${MECH})"
+for U in ${USERS}; do
+ DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z])
+ slapauth -U "${PANEL}" -X "${DN}" 2>&1 | grep '^authorization '
+done | isOK '^authorization failed$'
+# TODO: is that needed?
if test -x /usr/bin/sudo && sudo -u fpanel klist >/dev/null; then
msg "Can SASL authenticate (GSSAPI)"
DN=$(echo "dn:cn=AdminWebPanel,${SUFFIXS}" | tr [A-Z] [a-z])
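Review bot: The proxy-authorization check at L1029-1033 announces `Can proxy authorize` yet isOK is given `'^authorization failed$'`, so the test passes only when slapauth reports a failure for every user; either the message or the expected pattern is wrong, and unlike every other check in this commit the block has no `[ $? -eq 0 ] || exit $?` after L1033, so a mismatch would not stop the script. MECH at L1023 is only interpolated into the message; if DIGEST-MD5 (itself obsoleted by RFC 6331) is meant to be exercised, pass it to slapauth as `-M "${MECH}"`, otherwise drop the variable so the output does not imply a mechanism that is not tested. Minor: `tr [A-Z] [a-z]` on L1031 leaves the brackets exposed to shell glob expansion; `tr '[:upper:]' '[:lower:]'` is safe. The `if` block opened at L1035 continues outside the hunk.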
@@ -1031,7 +1213,7 @@ if test -x /usr/bin/sudo && sudo -u fpanel klist >/dev/null; then
if [ "${DN}" = "${DN2}" ]; then echo ok; else echo fail; fi
done | isOK '^ok$'
else
- echo "WARN: No valid ticket found. Didn't check SSAL authentication"
+ echo "WARN: No valid ticket found. Didn't check SASL GSSAPI authentication"
fi
rm "${RES}"