| -rw-r--r-- | ldap/acl.ldif | 51 | ||||
| -rw-r--r-- | ldap/base.ldif | 3 | ||||
| -rw-r--r-- | ldap/fripost.ldif | 39 | ||||
| -rw-r--r-- | ldap/index.ldif | 2 | 
4 files changed, 62 insertions, 33 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 0528545..c090925 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -28,14 +28,20 @@ replace: olcAccess
 # first as it's likely to be the most used.
 # TODO: for postfix, it'd be more efficient and more secure to SASL-bind
 # on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
-# TODO: IMAP & SASLauth
-# TODO: if possible, make use GSSAPI for the services.
+# TODO: IMAP, SASLauth, Amavis
+# TODO: if possible, make use GSSAPI/EXTERNAL for the services.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostIsStatusPending,fripostOptionalMaildrop,fvu,fva,fripostMaildrop,fvl,fvlc,fripostLocalAlias
         filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
     by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
     by users none break
 #
+#olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+#    attrs=entry,objectClass,fripostIsStatusActive,fripostIsStatusPending,fvu,@amavisAccount
+#    filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostIsStatusPending=FALSE))
+#    by dn.exact="gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth" =rsd
+#    by users none break
+#
 # Anonymous can authenticate into the services. (But not read or write the password.)
 olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
         attrs=userPassword
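Review bot: The commented-out Amavis rule filters on `(fripostIsStatusPending=FALSE)`, but this same commit redefines fripostIsStatusPending in ldap/fripost.ldif from booleanMatch to a caseExactMatch string holding the unlock token, so once uncommented the filter would match no entry (and ldap/index.ldif drops the `eq` index it would need). Under the new definition "not pending" is a presence test, `(!(fripostIsStatusPending=*))`. The peercred DN also pins `gidNumber=113+uidNumber=116`, which are host-specific ids; a comment naming the service account they belong to would make the rule reviewable when it is enabled.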
@@ -60,7 +66,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 # 1. Users can change their password (but not read it).
 # 2. Anonymous users can bind.
 # 3. Else, we inspect the 2 following ACLs.
-olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
         attrs=userPassword
     by self =w
     by anonymous auth
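Review bot: Narrowing the userPassword rule from `dn.children="ou=virtual,..."` to `dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,...$"` means a userPassword on any other entry under ou=virtual (a domain entry, or anything nested deeper than one level) no longer reaches `by self =w` / `by anonymous auth` and falls through to whatever later rule or the global default applies. That is fine if only FripostVirtualUser entries carry userPassword, which ldap/fripost.ldif suggests (it is MUST only there), but the rule should say so: `# Only virtual users (fvu=...,fvd=...) carry a userPassword; other entries fall through.` For consistency with the rules above it, adding `filter=(objectClass=FripostVirtualUser)` would pin the intent instead of relying on the RDN shape alone.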
@@ -89,20 +95,30 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 # Users can search (e.g., to list the entries they have created).
 # Additional permissions may be added later on.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
-        attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
+        attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
     by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break
 #
-# Everyone can delete domains. (Provided s/he has +d access to the "entry"
-# attribute of the domains s/he wants to delete.)
+# Everyone can create/delete domains. (Provided s/he has +a/+z access to the
+# "entry" attribute of the domains s/he wants to delete.)
 olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         attrs=children
-    by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =z
+    by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
 #
-# Reserved local parts are reserved.
+# Reserved local parts are reserved. /!\ The case be insensitive
+#  postmaster # RFC 822, appendix C.6
+#  abuse      # RFC 2142, section 4
 olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
     by * none
 #
+# Only the domain postmaster can read and search the unlock token and delete the
+# 'pending' status.
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+        filter=(objectClass=FripostVirtualDomain)
+        attrs=fripostIsStatusPending
+    by dnattr=fripostPostmaster =zrsd
+    by dnattr=fripostOwner =zrsd
+#
 # 1. The postmaster of a domain can give (or take back) people the right to create
 # aliases.
 # 2,3. People that can create aliases can list the members of the group.
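Review bot: The new rule restricting fripostIsStatusPending on domain entries to the postmaster and owner (`=zrsd`) is not the first rule that matches that attribute: the service rule at the top of this file (visible in the first hunk) already grants `cn=SMTP,ou=services,...` `=rsd` on `fripostIsStatusPending` for FripostVirtualDomain entries and stops there, so the SMTP service can read every pending domain's unlock token, contrary to the comment `Only the domain postmaster can read and search the unlock token`. If the service only needs to tell pending from active domains, drop `fripostIsStatusPending` from that attrs list and add a dedicated rule granting it `=sd` (search and disclose, no read), so presence filters keep working without exposing the value. The owner/postmaster rule relies on slapd's implicit `by * none`; an explicit trailing `by * none` would make the intended stop visible. The comment `/!\ The case be insensitive` is also hard to parse: the `(postmaster|abuse)` regex is only case-insensitive if the fvu/fva/fvl values are case-folded in the normalized DN the ACL is matched against, which depends on their equality matching rule, so state it, e.g. `# dn.regex matches the normalized DN; fvu/fva/fvl must use a caseIgnore matching rule for this to catch PostMaster.`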
@@ -133,14 +149,6 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
     by dn.onelevel,expand="$1" +d
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
-# Every one can add or delete children, but we will be carefull with the
-# kid's "entry" attribute, which require +a and +z to add and delete
-# respectively.
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
-        filter=(objectClass=FripostVirtualDomain)
-        attrs=children
-    by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
-#
 # 1. Domain owners can edit their entry's attributes.
 # 2. So can domain postmasters.
 # 3. Domain users can read the public domain attributes.
@@ -162,6 +170,14 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
     by dnattr=fripostPostmaster write
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
+# Every one can add or delete children, but we will be carefull with the
+# kid's "entry" attribute, which require +a and +z to add and delete
+# respectively.
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+        filter=(objectClass=FripostVirtualDomain)
+        attrs=children
+    by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
+#
 # 1. Domain owners can delete the domain (and read the entry).
 # 2. So can domain postmasters.
 # 3. Domain users can read the domain entry (but not delete it).
@@ -169,6 +185,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
 olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
         filter=(objectClass=FripostVirtualDomain)
         attrs=entry
+    by set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a continue
     by dnattr=fripostOwner +zrd
     by dnattr=fripostPostmaster +zrd
     by dn.onelevel,expand="$1" +rd
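Review bot: The relocated `attrs=children ... +w` rule now sits behind the attribute-editing rule whose final clause `by dn.children="ou=virtual,..." +0` stops evaluation for every user under ou=virtual; if that rule's attrs selector (its `to` clause starts before this hunk) covers `children`, those users never reach the moved rule and lose the right to add or delete sub-entries, whereas if it only lists domain attributes the move is harmless. Either way the ordering dependency is invisible in the file; a one-line comment on the moved rule such as `# Must stay after the attribute rules above: their +0 clause stops evaluation.` would keep a later reshuffle from breaking it.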
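Review bot: The numbered comment above this rule (`# 1. Domain owners can delete the domain ...`, `# 2.`, `# 3.`) still describes only owner, postmaster and domain-user access, so the new `by set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a continue` clause is undocumented. Because of `user/-1`, listing a domain DN in fripostCanAddDomain grants domain creation to every user of that domain, not only to users listed individually; ldap/base.ldif relies on this and the comment should say so, e.g. `# 0. Users listed in ou=virtual's fripostCanAddDomain (directly, or via their domain) can add domains.` ACL sets are documented by slapd as experimental, so noting that here too would help whoever next upgrades the server.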
@@ -262,7 +279,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
     by dnattr=fripostOwner read
     by group/fripostVirtualDomain/fripostOwner.expand="$1" read
     by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
-    by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd
+    by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd
 #
 # 1. The list owners can edit their entry's attributes.
 # 2. So can the domain owners.
diff --git a/ldap/base.ldif b/ldap/base.ldif
index 0f414f1..bdc9896 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -16,6 +16,9 @@ description: Mail hosting
 dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: organizationalUnit
+objectClass: fripostVirtual
+fripostCanAddDomain: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddDomain: fvu=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 description: Virtual mail hosting
diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif
index 2409b26..71abdf4 100644
--- a/ldap/fripost.ldif
+++ b/ldap/fripost.ldif
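Review bot: The seed entry hands domain-creation rights to `fvu=test,fvd=fripost.org,...` and to the whole `fvd=fripost.org` domain; these read as development fixtures, yet nothing in the file marks them as such, so any directory seeded from ldap/base.ldif ends up with a `test` account able to create domains. Keep the fripostCanAddDomain values in a development-only LDIF, or at least annotate them: `# DEV ONLY: grants domain creation to the test account; drop before seeding a real directory.` slapd does not verify that DNs stored in a distinguishedName-syntax attribute exist, so the referenced domain and user must be added separately, and the grant silently outlives them if they are later removed.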
@@ -98,31 +98,35 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostIsStatusActive'
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostIsStatusPending'
     DESC 'Is the entry pending?'
-    EQUALITY booleanMatch
-    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+    EQUALITY caseExactMatch
+    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostUserQuota'
     DESC 'The quota on a user e.g., "50MB"'
     EQUALITY caseExactMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostCanAddAlias'
-    DESC 'A user/domain that can create aliases under the parent domain'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostCanAddDomain'
+    DESC 'A user/domain that can add domains'
     SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostCanAddList'
-    DESC 'A user/domain that can create lists under the parent domain'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostCanAddAlias'
+    DESC 'A user/domain that can add aliases under the parent domain'
     SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostOwner'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostCanAddList'
+    DESC 'A user/domain that can add lists under the parent domain'
+    SUP distinguishedName )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.15 NAME 'fripostOwner'
     DESC 'A user that owns under parent domain'
     SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.15 NAME 'fripostPostmaster'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.16 NAME 'fripostPostmaster'
     DESC 'A user that is a postmaster of the parent domain'
     SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.16 NAME 'fripostListManager'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.17 NAME 'fripostListManager'
     DESC 'The list manager'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
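Review bot: Existing OIDs are reassigned here: `1.3.6.1.4.1.40011.1.2.1.12` moves from fripostCanAddAlias to fripostCanAddDomain and `.13`–`.16` each shift to the next attribute, and the following hunk does the same to the objectClass OIDs (`1.3.6.1.4.1.40011.1.2.1`–`.5`). OIDs are meant to be permanent identifiers, so a server that already holds the old definitions in cn=config, or a client that cached the schema, would see the same OID describe a different attribute, and modifying the live olcAttributeTypes values may be refused or mismatch stored data. Keeping the old numbers and allocating the next free ones (`.17` for fripostCanAddDomain, `1.2.6` for FripostVirtual) avoids that. Redefining fripostIsStatusPending from Boolean to a 64-character caseExactMatch string also changes the meaning of any `TRUE`/`FALSE` values already stored on FripostVirtualList entries, which list it as MAY; a note on how those are migrated belongs next to the definition.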
@@ -131,34 +135,39 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.16 NAME 'fripostListManager'
 #
 # Objects: 1.3.6.1.4.1.40011.1.2
 #
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtualDomain'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtual'
+    AUXILIARY
+    DESC 'Virtual mail hosting'
+    MAY ( fripostCanAddDomain ) )
+#
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain'
     SUP top STRUCTURAL
     DESC 'Virtual domain'
     MUST ( fvd $ fripostIsStatusActive )
     MAY ( fripostCanAddAlias $ fripostCanAddList $
           fripostOwner $ fripostPostmaster $
-          fripostOptionalMaildrop $ description ) )
+          fripostOptionalMaildrop $ fripostIsStatusPending $ description ) )
 #
 # | TODO: add limits here
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualUser'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser'
     SUP top STRUCTURAL
     DESC 'Virtual user'
     MUST ( fvu $ userPassword $ fripostIsStatusActive )
     MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) )
 #
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAlias'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualAlias'
     SUP top STRUCTURAL
     DESC 'Virtual alias'
     MUST ( fva $ fripostMaildrop $ fripostIsStatusActive )
     MAY ( fripostOwner $ description ) )
 #
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualList'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList'
     SUP top STRUCTURAL
     DESC 'Virtual list'
     MUST ( fvl $ fripostListManager $ fripostIsStatusActive $ fripostLocalAlias )
     MAY ( fripostOwner $ description $ fripostIsStatusPending ) )
 #
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualListCommand'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualListCommand'
     SUP top STRUCTURAL
     DESC 'Virtual list command'
     MUST ( fvlc $ fripostLocalAlias ) )
diff --git a/ldap/index.ldif b/ldap/index.ldif
index 6d720bd..7db5288 100644
--- a/ldap/index.ldif
+++ b/ldap/index.ldif
@@ -31,7 +31,7 @@ add: olcDbIndex
 olcDbIndex: fripostIsStatusActive,fvd,fvu,fva,fvl,fvlc eq
 -
 add: olcDbIndex
-olcDbIndex: fripostIsStatusPending pres,eq
+olcDbIndex: fripostIsStatusPending pres
 -
 add: olcDbIndex
 olcDbIndex: fripostOptionalMaildrop pres  |
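Review bot: Dropping `eq` leaves only a presence index on fripostIsStatusPending, so if the unlock flow ever looks a domain up by token value (`(fripostIsStatusPending=<token>)`), that search runs unindexed over the whole database and slapd will log it as such. If the token is only ever read from a known domain entry and filters only test presence, `pres` alone is right, and a short comment stating that assumption would tie the index to the new ACL's intent.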
