-rw-r--r-- | ldap/acl.ldif | 57 | ||||
-rw-r--r-- | ldap/authz.ldif | 13 | ||||
-rw-r--r-- | ldap/base.ldif | 9 | ||||
-rw-r--r-- | ldap/populate.ldif | 14 |
4 files changed, 64 insertions, 29 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index eb28872..212d4d9 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -23,15 +23,39 @@ dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcAccess -## Managers have read/write access to the "virtual" subtree. -#olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" -# by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write -# by * break -#- -## 1. Users/Services/Managers can change their password (but not read it). -## 2. Anonymous users/services/managers can bind. -## 3. Else, we inspect the 2 following ACLs. -olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" +# +# Services have read access to the attribute they need. We put this ACL +# first as it's likely to be the most used. +# TODO: for postfix, it'd be more efficient and more secure to SASL-bind +# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8. +# TODO: IMAP & SASLauth +olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostOptionalMaildrop,fvu,fripostOptionalMaildrop,fva,fripostMaildrop,fvl,fripostListCommand + filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)) + by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd + by users none break +# +# Anonymous can authenticate into the services. (But not read or write the password.) +olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev" + attrs=userPassword + by anonymous auth +# +# That's necessary for SASL proxy Authorize the web application. +olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev" + attrs=entry,objectClass,authzTo + by * =x +# +# 1. Services have no access other than the one above. +# 2. Managers have read/write access to the "virtual" subtree. 
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none + by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write + by * none break +# +# 1. Users can change their password (but not read it). +# 2. Anonymous users/services/managers can bind. +# 3. Else, we inspect the 2 following ACLs. +olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=userPassword by self =w by anonymous auth @@ -49,17 +73,6 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" attrs=userPassword by * none # -# That's necessary for SASL proxy Authorize the web application. -olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev" - attrs=entry,objectClass,authzTo - by * =x -## -## Services can read the whole subtree (minus the userPassword attributes). -#olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" -# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualList -# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" read -# by users none break -# # Users can search (e.g., to list the entries they have created). olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=objectClass @@ -270,6 +283,10 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a by users +0 +#TODO +#olcAccess: to dn.regex="^fvl=([^,]+)-request,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +# filter=(objectClass=FripostVirtualListCommand) +# by users read # # Catch the "break" control above. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" diff --git a/ldap/authz.ldif b/ldap/authz.ldif index 8f88d80..657d718 100644 --- a/ldap/authz.ldif +++ b/ldap/authz.ldif 
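Review bot: The managers clause of the new `ou=virtual` subtree ACL names `ou=managers,o=mailHosting,dc=fripost,dc=org`, while every other DN in this file, including the target of that same ACL and the services clause right above it, sits under `dc=fripost,dc=dev`; `dn.onelevel` is an exact-parent match, so no manager entry under the `dc=dev` suffix can ever match and the clause fails closed, granting nothing (the commented-out version it replaces carried the same suffix). Unless the managers really live in a second suffix, the line should read ` by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" write`; if they do, a comment saying so belongs above it, because otherwise the next reader will assume a typo. The attrs list of the first (SMTP) ACL names `fripostOptionalMaildrop` twice; that is harmless to slapd, but dropping the duplicate keeps the set of attributes the service may read easy to audit. The `by users none break` clause there lets other authenticated identities fall through to the later ACLs while anonymous hits the implicit deny, which looks intended but deserves a one-line comment next to it.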
@@ -1,14 +1,18 @@ # Load this file with # -# ldapadd -Y EXTERNAL -H ldapi:/// -f authz.ldif +# ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif # # That will allow the SASL-authenticated user (service) to be # reformatted into a proper DN under our services directory. # # SASL authentication can be checked with: # -# ldapwhoami -W -Y PLAIN -U FPanel -H ldapi:// -# ldapwhoami -W -Y PLAIN -U FPanel -H ldapi:// -X "dn:fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev" +# ldapwhoami -W -Y PLAIN -U AdminWebPanel@fripost.org -H ldapi:// +# ldapwhoami -W -Y PLAIN -U AdminWebPanel@fripost.org -H ldapi:// -X "dn:fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev" +# +# WARNING: Beware that will also delete existing AuthzRegexp and +# AuthzPolicy. +# Note: you may have to restart slapd to flush the cache. # # References: # - http://www.openldap.org/doc/admin24/sasl.html#Direct%20Mapping @@ -18,7 +22,8 @@ dn: cn=config changetype: modify replace: olcAuthzRegexp -olcAuthzRegexp: uid=([^,]+),cn=[^,]+,cn=auth cn=$1,ou=services,o=mailHosting,dc=fripost,dc=dev +# TODO: force the mechanism here (GSSAPI) +olcAuthzRegexp: uid=(AdminWebPanel)@fripost\.org,cn=[^,]+,cn=auth cn=$1,ou=services,o=mailHosting,dc=fripost,dc=dev - replace: olcAuthzPolicy olcAuthzPolicy: to diff --git a/ldap/base.ldif b/ldap/base.ldif index f91946b..8acbe10 100644 --- a/ldap/base.ldif +++ b/ldap/base.ldif 
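Review bot: The new `olcAuthzRegexp` only matches the realm-less authcid form `uid=<authcid>,cn=<mech>,cn=auth` and requires the literal `AdminWebPanel@fripost\.org` in the `uid=` part; once the `TODO` above it is acted on and the mechanism is pinned to GSSAPI, the authcid slapd derives from a Kerberos principal is, as far as I recall, `uid=<primary>,cn=<REALM>,cn=gssapi,cn=auth` — no `@realm` inside the uid and an extra `cn=` component — so the mapping would stop matching at the very moment it is tightened. Recording the expected form next to the TODO, e.g. `# GSSAPI authcid form (constructed example): uid=AdminWebPanel,cn=EXAMPLE.REALM,cn=gssapi,cn=auth`, would save the next editor a debugging session. Until then the `cn=[^,]+` wildcard means the mapping also applies to PLAIN, which the `ldapwhoami` lines in the header rely on; that is acceptable on `ldapi://` but should be remembered if the server is ever reached over TCP. The `dn: cn=config` modify record this hunk belongs to starts before the hunk.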
@@ -22,9 +22,16 @@ description: Virtual mail hosting
 dn: ou=services,o=mailHosting,dc=fripost,dc=dev
 objectClass: organizationalUnit
 
-dn: cn=FPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
+dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
 objectClass: simpleSecurityObject
 objectClass: organizationalRole
 description: The adminstrator Web Panel
 userPassword: panel
 authzTo: dn.regex:^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
+
+dn: cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+userPassword: smtp
+description: The entry the replicates bind to when fetching the LDAP
+ directory. Right now it is also used by Postfix for LDAP lookups.
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index 87c0a4b..70dcc3e 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -123,6 +123,9 @@ fripostIsStatusActive: TRUE
 fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 # Buggy owner
 fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOptionalMaildrop: catch-all@example.org
+fripostOptionalMaildrop: @example2.org
+fripostOptionalMaildrop: @xn--v4h.net
 
 dn: fva=alias,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: FripostVirtualAlias
@@ -170,6 +173,9 @@ fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,
 # Buggy owner
 fripostPostmaster: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 fripostCanCreateAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOptionalMaildrop: catch-all@example.org
+fripostOptionalMaildrop: @example2.org
+fripostOptionalMaildrop: @xn--v4h.net
 
 dn: fva=alias,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: FripostVirtualAlias
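Review bot: The description of the new `cn=SMTP` entry has a typo — `description: The entry the replicates bind to when fetching the LDAP` should read `description: The entry the replicas bind to when fetching the LDAP` — and, more importantly, it documents one credential being shared by replicas and by Postfix lookups. In `ldap/acl.ldif` of this same commit `cn=SMTP` is given `=rsd` on a fixed attribute list under `ou=virtual` and `none` on the rest of that subtree, so a syncrepl consumer binding as this entry would, as far as the ACL shows, replicate only that slice, while widening the ACL for replication would hand Postfix more than it needs. A separate service entry per role, each with its own ACL, keeps the Postfix identity least-privileged; if the dual use is deliberate for now, say so in the description instead of leaving the reader to reconcile it with the ACL. The cleartext `userPassword: smtp` follows the existing `panel` entry and is fine for a `dc=dev` fixture, but neither value should travel into a tree that is not test data.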
@@ -195,11 +201,11 @@ fripostListManager: mailman
 fripostIsStatusActive: TRUE
 fripostListCommand: list-request
 fripostListCommand: list-bounces
-FripostLocalAlias: postmastered.org#list-request
+#FripostLocalAlias: postmastered.org#list-request
 
-dn: fvlc=list-request,fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualListCommand
-FripostLocalAlias: postmastered.org#list-request
+#dn: fvlc=list-request,fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+#objectClass: FripostVirtualListCommand
+#FripostLocalAlias: postmastered.org#list-request
 
 dn: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: FripostVirtualMailbox |