-rw-r--r-- | ldap/acl.ldif | 277 | ||||
-rw-r--r-- | ldap/base.ldif | 8 | ||||
-rw-r--r-- | ldap/fripost.ldif | 62 | ||||
-rw-r--r-- | ldap/index.ldif | 5 | ||||
-rw-r--r-- | ldap/populate.ldif | 99 | ||||
-rw-r--r-- | ldap/syncrepl.ldif | 4 | ||||
-rwxr-xr-x | ldap/test-user-acl.sh | 347 |
7 files changed, 445 insertions, 357 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 69b8c30..e7272f0 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -28,16 +28,10 @@ replace: olcAccess # Most common services: Postfix, Amavis, SASLauth, Dovecot # (Most used ACLs are cheaper when written first.) # -# Everyone can search the objectclass -olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=objectClass by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =s by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s -# # Postfix have read access to the attribute they need. olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias - filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(fripostIsStatusActive=FALSE))(!(fripostPendingToken=*))) + attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias + filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE))) by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd by users =0 break #
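Review bot: The removed rule was the only one in this hunk granting `=s` on objectClass to every entry under ou=services, and its replacement grants objectClass (`=rsd`) to cn=Postfix alone before `by users =0 break` sends authenticated identities on to the later rules; the Amavis, SASLauth and Dovecot rules named in the header comment sit outside this hunk (before line 54), so unless they grant objectClass themselves those services can no longer use objectClass in filters, because the general virtual-subtree rule later in this commit drops its `by dn.onelevel="ou=services,..."` clause and ends in the implicit deny. That is worth an explicit case in test-user-acl.sh before merging. The comment above the rule still reads `# Postfix have read access to the attribute they need.` although objectClass is now in the attribute list; `# Postfix has read access to the attributes it needs (objectClass included, so it can filter on it).` would describe the rule as it now stands.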
@@ -54,58 +48,116 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc # 1. Anonymous users can bind. # 2. Users can change their password (but not read it). # 3. The postmaster of a domain can change (replace) his/her users' password (but not read it). -olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=userPassword by realanonymous =xd by realself =w - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w - by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd + by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w + by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =w +# +# A catch-all, to be sure that noone else have access to the passwords. +olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" + attrs=userPassword + by * =0 # # ######################################################################## -# Virtual subtree, general access +# Virtual subtree, pending token and general access # -# 1,2. Services that need particular access on the tree. -# 3. Other users need further access. +# 1. Users need further access. We use a set to deny all access to non-users without +# having a need for an expensive LDAP search (URL) in the AuthzTo. +# /!\ The objectClass "FripostVirtualUser" is case-sensitive in this case! +# 2,3. Services that need particular access on the tree. # 4. Managers have read/write access to the "virtual" subtree. -# 5. Other services have no access other than the one above. 
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + by set.exact="user/objectClass & [FripostVirtualUser]" =0 break by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 # -# Our service can list and delete (old) pending entries. +# Only the domain Postmasters and Owners can delete the 'pending' status on domains. +olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" + filter=(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry)) + attrs=objectClass val=FripostPendingEntry + by dnattr=fripostPostmaster =z break + by dnattr=fripostOwner =z break + by * =0 break +# +# The list creation service can delete the 'pending' status on lists. +olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" + filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry)) + attrs=objectClass val=FripostPendingEntry + by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =z break + by * +0 break +# +# ObjectClass is a public attribute: everyone can read and search it. +olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + attrs=objectClass + by * +rscd +# +# The pending token is not public, but domain owner and postmasters can check their and +# delete it (upon success, but it's done on the library side). 
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" + filter=(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry)) + attrs=fripostPendingToken + by dnattr=fripostPostmaster =zcd break + by dnattr=fripostOwner =zcd break + by * +0 break +# +# The list creation service can delete the 'pending' status on lists. +olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" + filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry)) + attrs=fripostPendingToken + by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +z + by * +0 +# +# The cleaning service can list the (expired) pending entries and delete them. olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - filter=(fripostPendingToken=*) + filter=(objectClass=FripostPendingEntry) attrs=entry by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break - by dn.children="o=mailHosting,dc=fripost,dc=dev" =0 break + by * =0 break # -# Our service can search anywhere in the tree (for old pending entries). +# Only the list creation service may add list commands. (It seems unsafe since it can create +# arbitrary commands, but as other services it run in safe environments only.) +# (Listcommands are not concerned by the cleaning service.) +olcAccess: to dn.regex="^fvl=[^,]+-[^,-]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" + filter=(objectClass=FripostVirtualListCommand) + attrs=entry + by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a +# +# One can search search everywhere in the virtual tree. 
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=entry - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +s break by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" +s - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break + by * =s break # -# Our service needs to have 'z' access on the 'children' of the parent of the entry that is -# to be deleted. (And 'z' access of the 'entry' attribute of this entry.) -olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +# We're giving away create/delete access on the children attributes, but we will be carefull +# with the 'entry' permissions. +olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + filter=(objectClass=FripostVirtual) + attrs=children + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z +olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + filter=(objectClass=FripostVirtualDomain) attrs=children by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z - by dn.children="o=mailHosting,dc=fripost,dc=dev" =0 break + by * break +olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) + attrs=children + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w + by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a # -# Our service needs search access to list (old) pending entries. +# The cleaning service needs to know when entries have been created. 
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - filter=(fripostPendingToken=*) - attrs=createTimestamp,fripostPendingToken + filter=(objectClass=FripostPendingEntry) + attrs=createTimestamp by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s - by dn.children="o=mailHosting,dc=fripost,dc=dev" +0 break # -# Users can search (e.g., to list the entries they have created). +# Users can use these in filters (e.g., to list the entries they have created). olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break 
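Review bot: The new pending-status rules let a domain's fripostOwner and fripostPostmaster delete the `FripostPendingEntry` value of objectClass (`=z break`) and delete or compare the token (`=zcd break`) as two independent rights, so nothing on the server ties lifting the pending status to presenting the token; the comment itself says the check is "done on the library side", and a client bound with the owner's own credentials (the rule at the top of this hunk lets anonymous bind as users) can drop the objectClass value without ever knowing the token. The commit already uses the safer shape for lists, where only cn=CreateList holds `=z`/`+z`; routing the domain transition through a dedicated service identity in the same way, leaving owners `=cd` on the token, would make the server enforce the check. As long as `c` stays granted, the token's entropy is what protects the status against repeated compare attempts, so those compares deserve logging. Separately, the comment above the `attrs=fripostPendingToken` list rule is a copy of the one above the objectClass rule; `# The list creation service can delete the pending token of lists.` is what that rule actually grants.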
@@ -114,28 +166,6 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" ######################################################################## # Virtual subtree, domains # -# 1. Everyone can create/delete domains. (Provided s/he has +a/+z access to the -# "entry" attribute of the domains s/he wants to delete.) -# 2. The relevant service can delete (old) pending entries. -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=children - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w - by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z -# -# Everyone can check for the absence of a 'pending' status. -olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*))) - attrs=fripostPendingToken - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s -# -# Only the domain Postmasters and Owners can search the unlock token and delete -# the 'pending' status (but not read). -olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - filter=(objectClass=FripostVirtualDomain) - attrs=fripostPendingToken - by dnattr=fripostPostmaster =zscd - by dnattr=fripostOwner =zscd -# # 1. The postmaster of a domain can give (or take back) people the right to create # aliases. # 2,3. People that can create aliases can list the members of the group.
@@ -164,7 +194,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ by dnattr=fripostPostmaster =rscd by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd by dn.onelevel,expand="$1" +d - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 + by * +0 # # 1. Domain owners can edit their entry's attributes. # 2. So can domain postmasters.
@@ -185,27 +215,23 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" attrs=@fripostVirtualDomain by dnattr=fripostOwner =wrscd by dnattr=fripostPostmaster =wrscd - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 + by * +0 # -# Everyone can add or delete children, but we will be carefull with -# the kid's "entry" attribute, which require +a and +z to add and delete -# respectively. Note that it is forbidden add a child under a pending -# entry; This is important since otherwise we couldn't delete pending -# entry non-recursively. -olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*))) - attrs=children - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w +# Users with "addDomain" access can create new entries, but only if +# there is a pending token. +olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" + filter=(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry)(fripostPendingToken=*)) + attrs=entry + by set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a break + by * +0 break # -# 1. Users with "addDomain" access can create new entries. -# 2. Domain owners can delete their domain (and read the entry). -# 3. So can domain postmasters. -# 4. Domain users can read the domain entry (but not delete it). -# 5. So can users with "canAddAlias" or "canAddList" rights. +# 1. Domain owners can delete their domain (and read the entry). +# 2. So can domain postmasters. +# 3. Domain users can read the domain entry (but not delete it). +# 4. So can users with "canAddAlias" or "canAddList" rights. 
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualDomain) attrs=entry - by set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a continue by dnattr=fripostOwner +zrd by dnattr=fripostPostmaster +zrd by dn.onelevel,expand="$1" +rd
@@ -215,7 +241,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ # Reserved local parts are reserved. /!\ The case must be insensitive # - postmaster: RFC 822, appendix C.6 # - abuse: RFC 2142, section 4 -olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +olcAccess: to dn.regex="^fvl=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" by * =0 # #
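Review bot: The comment block deleted in this hunk was the only place explaining why no child may be added under a pending domain (so that pending entries can be deleted non-recursively by the cleaning service); the rule that now carries the restriction, `filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) attrs=children` in the earlier hunk, only talks about being careful with the `entry` permissions. A comment above that rule such as `# No children under a pending domain: the cleaning service must be able to delete pending entries non-recursively.` would keep the rationale with the code. Also, the new addDomain rule requires `(fripostPendingToken=*)`, so the creating user has to supply the token inside the Add while the token rule earlier in the file gives owners and postmasters only `=zcd`; I am not certain whether slapd checks attribute-level add access during an Add, so this path deserves an explicit case in test-user-acl.sh.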
@@ -223,29 +249,28 @@ olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o # Virtual subtree, users # # Users and their postmaster can read the quota (but not change it). -olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=fripostUserQuota by self =rscd - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd + by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =rscd # # 1. Users can modify their own entry. # 2. So can their postmasters. -olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=@FripostVirtualUser by self =wrscd - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd + by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd # # 1. Users can read their entry (but not delete it). # 2. Postmasters can create users (but not delete them). # (Provided that they have +a access to the parent's "children" attribute.) -olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=entry by self +rd - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break + by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +ard # # ######################################################################## 
@@ -254,35 +279,35 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # 1. The alias owner can list the ownership of the entry. # 2. The domain owner can add/delete/change the ownership of the entry. # 3. So can the domain postmasters. -olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualAlias) attrs=fripostOwner by dnattr=fripostOwner =rscd continue - by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 + by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd + by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd + by * +0 # # 1. The alias owners can edit the rest of their entry's attributes. # 2. So can the domain owners. # 3. So can the domain postmasters. -olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualAlias) attrs=@FripostVirtualAlias by dnattr=fripostOwner =wrscd - by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd + by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd + by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd # # 1. The alias owners can read and delete the entry. # 2. So can the domain owner. # 3. So can the domain postmaster. # 4. Users with "canAddAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain. # (But *not* delete them, unless also owner.) 
-olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualAlias) attrs=entry by dnattr=fripostOwner +zrd continue - by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd + by group/FripostVirtualDomain/fripostOwner.expand="$1" +wrd + by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +wrd by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 #
@@ -297,9 +322,9 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos filter=(objectClass=FripostVirtualList) attrs=fripostOwner by dnattr=fripostOwner =rscd continue - by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 + by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd + by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd + by * +0 # # 1. The list owner read (but not edit) the transport-related attributes. # 2. So can the domain ower.
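Review bot: The terminal clause of the alias `entry` rule is left as `by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0` while every other terminal clause this commit touches (the alias fripostOwner rule just above it, the list fripostOwner rule in the next hunk) is rewritten as `by * +0`. For the identities that reach this point the two forms should behave alike, but the mixed style makes a reader wonder whether the narrower form is deliberate. Either switch it to `by * +0` as well, or add a one-line comment saying why this rule differs.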
@@ -308,20 +333,8 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos filter=(objectClass=FripostVirtualList) attrs=fripostListManager by dnattr=fripostOwner =rscd - by group/fripostVirtualDomain/fripostOwner.expand="$1" =rscd - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd -# -# 1,2,3. The list owner and the domain Owner and Postmaster can search the 'pending' token. -# 4. The list creator can remove the "pending" flag. -# (We don't need to limit the search to presence only here, since when present the value is -# always 'TRUE') -olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=FripostVirtualList) - attrs=fripostPendingToken - by dnattr=fripostOwner =scd - by group/fripostVirtualDomain/fripostOwner.expand="$1" =scd - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =scd - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd + by group/FripostVirtualDomain/fripostOwner.expand="$1" =rscd + by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =rscd # # 1. The list owners can edit their entry's attributes. # 2. So can the domain owners. 
@@ -330,40 +343,46 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos filter=(objectClass=FripostVirtualList) attrs=@FripostVirtualList by dnattr=fripostOwner =wrscd - by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd + by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd + by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd +# +# 1-3. People with "canAddList" access can create lists, but only with a +# 'pending' status. +# 4. The list creation service can search and browse the entry. +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" + filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry)) + attrs=entry + by group/FripostVirtualDomain/fripostOwner.expand="$1" +a break + by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +a break + by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a break + by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +rd + by * +0 break # # 1. The list owners can read the entry. # 2. So can the domain's Owner. # 3. So can the domain's Postmaster. -# 4. Users with "canAddList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain. -# (But *not* delete them, unless also owner.) -# 6. The list creator can read the entry. 
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualList) attrs=entry - by dnattr=fripostOwner +rd continue - by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad - by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd -# -# The List Creator can add list commands under non-pending lists. -olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - filter=(&(objectClass=FripostVirtualList)(!(fripostPendingToken=*))) - attrs=children - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a -# -# The List Creator can add list commands. -olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - filter=(objectClass=FripostVirtualListCommand) - attrs=entry - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a + by dnattr=fripostOwner +rd + by group/FripostVirtualDomain/fripostOwner.expand="$1" +rd + by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +rd + by * +0 # # ######################################################################## # Catchall # +# Users with "canAddDomain" access can see that they have the right +# to create domains. 
+olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + filter=(objectClass=FripostVirtual) + attrs=entry + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +rd +olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + filter=(objectClass=FripostVirtual) + attrs=fripostCanAddDomain + by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd +# Catch the break above olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
diff --git a/ldap/base.ldif b/ldap/base.ldif
index c31e109..c102beb 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -18,8 +18,8 @@ dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: organizationalUnit objectClass: fripostVirtual fripostCanAddDomain: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostCanAddDomain: fvu=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostCanAddDomain: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddDomain: fvl=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddDomain: fvl=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev description: Virtual mail hosting # TODO: for postfix, it'd be more efficient and more secure to SASL-bind
@@ -52,4 +52,6 @@ objectClass: simpleSecurityObject objectClass: organizationalRole description: The adminstrator Web Panel userPassword: panel -authzTo: dn.regex:^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$ +authzTo: dn.regex:^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$ +#authzTo: ldap:///ou=virtual,o=mailHosting,dc=fripost,dc=dev??sub?(objectClass=FripostVirtualUser) +# NOTE: ^ This is an expensive operation, and requires search perms for the service.
diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif
index 862d480..2aa7bd0 100644
--- a/ldap/fripost.ldif
+++ b/ldap/fripost.ldif
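Review bot: `attrs=fripostCanAddDomain by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd` grants read on the whole multi-valued attribute, so any user (or member of a domain) listed in it can read every other DN that is allowed to create domains, which is more than the comment's "see that they have the right to create domains" calls for. If a yes/no answer is all the panel needs, `=cd` (compare) gives it without exposing the other values; if the panel really reads the attribute, a comment stating that the list is readable by everyone on it would at least make the disclosure a documented choice.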
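Review bot: Now that users, aliases, lists and list commands all use the `fvl` RDN, `authzTo: dn.regex:^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$` lets cn=AdminWebPanel proxy-authorize as any of them, not only as users as the old `fvu` pattern did; what keeps an alias or list identity harmless is solely the `set.exact="user/objectClass & [FripostVirtualUser]"` clause in acl.ldif. That dependency is invisible from this file, so a comment next to the authzTo line, e.g. `# fvl= also matches aliases/lists: acl.ldif denies everything to identities that are not FripostVirtualUser.`, would stop someone loosening that set rule without noticing the consequence here. The kept `#authzTo: ldap:///...` line with its NOTE documents the trade-off adequately.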
@@ -46,37 +46,19 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.1 NAME 'fvd' SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvu' - DESC 'The local part of a virtual user' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvl' + DESC 'The local part of a virtual user, alias, list or list command' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fva' - DESC 'The local part of a virtual mail alias' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) -# -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fvl' - DESC 'The local part of a virtual list' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) -# -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fvlc' - DESC 'The local part of a virtual list command' - EQUALITY caseIgnoreIA5Match - SUBSTR caseIgnoreIA5SubstringsMatch - SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) -# -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.6 NAME 'fripostLocalAlias' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fripostLocalAlias' DESC 'A local alias, typically localpart#domainpart.tld' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostMaildrop' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostMaildrop' DESC 'An email address the virtual alias should be mapped to' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch 
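Review bot: `fripostLocalAlias` moves from OID 1.3.6.1.4.1.40011.1.2.1.6 to 1.3.6.1.4.1.40011.1.2.1.3 and `fripostMaildrop` from .1.2.1.7 to .1.2.1.4, and the next two hunks shift every remaining attribute type down in the same way, so the OIDs that used to identify fva, fvl and fvlc are reassigned to unrelated attributes. OIDs are meant to be permanent identifiers: any replica, consumer or client that still holds the old definitions (syncrepl.ldif is in this diffstat, so replication is in play) will see the same OID naming a different attribute, and a cn=config instance already carrying the old olcAttributeTypes values may complicate the switch. Safer is to leave the surviving attributes on their existing OIDs, retire the deleted numbers, and allocate fresh ones only for new types, as the commit already does for FripostPendingEntry at 1.3.6.1.4.1.40011.1.2.2.7.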
@@ -85,48 +67,48 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostMaildrop' # We are creating a new attribute, optional in virtual domains and # users, because the presence index should *not* apply to the # mandatory attribute above. -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostOptionalMaildrop' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostOptionalMaildrop' DESC 'An optional email address for catch-all aliases on domains and users' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostIsStatusActive' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.6 NAME 'fripostIsStatusActive' DESC 'When present, a token locking the entry in an inactive state' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostPendingToken' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostPendingToken' DESC 'Is the entry pending?' 
EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostUserQuota' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostUserQuota' DESC 'The quota on a user e.g., "50MB"' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostCanAddDomain' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostCanAddDomain' DESC 'A user/domain that can add domains' SUP distinguishedName ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostCanAddAlias' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostCanAddAlias' DESC 'A user/domain that can add aliases under the parent domain' SUP distinguishedName ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostCanAddList' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostCanAddList' DESC 'A user/domain that can add lists under the parent domain' SUP distinguishedName ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.15 NAME 'fripostOwner' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostOwner' DESC 'A user that owns under parent domain' SUP distinguishedName ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.16 NAME 'fripostPostmaster' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostPostmaster' DESC 'A user that is a postmaster of the parent domain' SUP distinguishedName ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.17 NAME 'fripostListManager' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostListManager' DESC 'The list manager' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch 
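Review bot: `DESC 'Is the entry pending?'` on fripostPendingToken (a context line of this hunk) no longer describes the attribute: after this commit the pending state is carried by the FripostPendingEntry auxiliary class added in the next hunk, and this attribute only holds the token itself. `DESC 'Token attached to a pending entry'` would match its new role. The description of fripostIsStatusActive a few lines up also speaks of a token although the attribute is a boolean, which is worth correcting in the same pass.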
@@ -146,29 +128,33 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain' MUST ( fvd $ fripostIsStatusActive ) MAY ( fripostCanAddAlias $ fripostCanAddList $ fripostOwner $ fripostPostmaster $ - fripostOptionalMaildrop $ fripostPendingToken $ description ) ) + fripostOptionalMaildrop $ description ) ) # # | TODO: add limits here olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser' SUP top STRUCTURAL DESC 'Virtual user' - MUST ( fvu $ userPassword $ fripostIsStatusActive ) + MUST ( fvl $ userPassword $ fripostIsStatusActive ) MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) ) # olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualAlias' SUP top STRUCTURAL DESC 'Virtual alias' - MUST ( fva $ fripostMaildrop $ fripostIsStatusActive ) + MUST ( fvl $ fripostMaildrop $ fripostIsStatusActive ) MAY ( fripostOwner $ description ) ) # olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList' SUP top STRUCTURAL DESC 'Virtual list' MUST ( fvl $ fripostListManager $ fripostIsStatusActive $ fripostLocalAlias ) - MAY ( fripostOwner $ description $ fripostPendingToken ) ) + MAY ( fripostOwner $ description ) ) # olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualListCommand' SUP top STRUCTURAL DESC 'Virtual list command' - MUST ( fvlc $ fripostLocalAlias ) ) - + MUST ( fvl $ fripostLocalAlias ) ) +# +olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostPendingEntry' + SUP top AUXILIARY + DESC 'Virtual pending entry' + MAY ( fripostPendingToken ) )
diff --git a/ldap/index.ldif b/ldap/index.ldif
index 3a4f548..6ddd754 100644
--- a/ldap/index.ldif
+++ b/ldap/index.ldif
@@ -28,10 +28,7 @@ olcDbIndex: objectClass eq - # Let us make Postfix's life easier. add: olcDbIndex -olcDbIndex: fripostIsStatusActive,fvd,fvu,fva,fvl,fvlc eq -- -add: olcDbIndex -olcDbIndex: fripostPendingToken pres +olcDbIndex: fripostIsStatusActive,fvd,fvl eq - add: olcDbIndex olcDbIndex: fripostOptionalMaildrop pres
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index b93816d..edd5d73 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -14,11 +14,11 @@ # An independent domain, not self managed dn: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualDomain -fripostCanAddAlias: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostCanAddList: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddAlias: fvl=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddList: fvl=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostIsStatusActive: TRUE -dn: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualUser userPassword: user1 fripostIsStatusActive: TRUE
@@ -27,23 +27,23 @@ fripostOptionalMaildrop: user1@external.org fripostOptionalMaildrop: user1@external2.org fripostOptionalMaildrop: user1@external3.org -dn: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualUser userPassword: user2 fripostIsStatusActive: TRUE # A owned alias -dn: fva=alias1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=alias1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE -fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostMaildrop: user1@fripost.org fripostMaildrop: user1@example.org # Bogus owner fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # An independent alias -dn: fva=alias2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=alias2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: user2@fripost.org 
@@ -56,14 +56,14 @@ objectClass: FripostVirtualList fripostListManager: mailman fripostIsStatusActive: TRUE fripostLocalAlias: list1#fripost.org -fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # An independent list (for user1) dn: fvl=list2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualList fripostListManager: schleuder fripostIsStatusActive: TRUE -fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostOwner: fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # Bogus owner fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostLocalAlias: list2#fripost.org @@ -71,12 +71,12 @@ fripostLocalAlias: list2#fripost.org dn: fvl=test-mailman,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualList objectClass: SimpleSecurityObject +objectClass: FripostPendingEntry userPassword: bogus fripostListManager: mailman fripostIsStatusActive: TRUE -fripostPendingToken: TRUE fripostLocalAlias: test-mailman#fripost.org -fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # An independent domain, with canAddAlias options 
@@ -95,17 +95,18 @@ description: occaecat cupidatat non proident, sunt in culpa qui officia deserunt description: mollit anim id est laborum. # A owned alias -dn: fva=alias1,fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=alias1,fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualAlias fripostIsStatusActive: FALSE -fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostMaildrop: user1@fripost.org dn: fvd=example0.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualDomain fripostIsStatusActive: TRUE +objectClass: FripostPendingEntry fripostPendingToken: pending -fripostPostmaster: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostPostmaster: fvl=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # An independent domain, with canAddList options dn: fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev 
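Review bot: The added `objectClass: FripostPendingEntry` on `fvd=example0.org` is placed after `fripostIsStatusActive: TRUE` rather than next to the entry's other objectClass line, unlike the other pending fixtures in this file, which group the objectClass values at the top of the entry. LDIF does not care about attribute order, but keeping the classes together makes the pending entries easy to spot; move it directly under `objectClass: FripostVirtualDomain`. This is also the only pending fixture that sets a `fripostPendingToken`, so a short `# Pending domain, with a token` comment would tell a reader the others are deliberately token-less.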
@@ -118,20 +119,28 @@ dn: fvl=list1,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualList fripostIsStatusActive: TRUE fripostListManager: schleuder -fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostOwner: fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostLocalAlias: list1#example2.org -dn: fva=alias1,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=list2,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +objectClass: FripostVirtualList +objectClass: FripostPendingEntry +fripostIsStatusActive: TRUE +fripostListManager: schleuder +fripostOwner: fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostLocalAlias: list1#example2.org + +dn: fvl=alias1,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualAlias fripostIsStatusActive: FALSE -fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostMaildrop: user1@fripost.org # An independent domain, with both can createAlias and canAddList options dn: fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualDomain -fripostCanAddAlias: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostCanAddList: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddAlias: fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddList: fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostIsStatusActive: TRUE # An owned list 
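Review bot: The new `fvl=list2,fvd=example2.org` entry carries `fripostLocalAlias: list1#example2.org`, which is list1's value; it should read `fripostLocalAlias: list2#example2.org`. The same copy-paste occurs in the next hunk, where `fvl=list2,fvd=example3.org` keeps `list#example3.org`; the list2 fixtures added at the end of the file (`list2#owned.org`, `list2#postmastered.org`) have it right. Two entries in one domain claiming the same local alias is exactly the ambiguity fripostLocalAlias exists to avoid, even if pending entries are filtered out of Postfix's view today.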
@@ -139,7 +148,15 @@ dn: fvl=list,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualList fripostIsStatusActive: TRUE fripostListManager: mailman -fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostLocalAlias: list#example3.org + +dn: fvl=list2,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +objectClass: FripostVirtualList +objectClass: FripostPendingEntry +fripostIsStatusActive: TRUE +fripostListManager: schleuder +fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostLocalAlias: list#example3.org @@ -147,14 +164,14 @@ fripostLocalAlias: list#example3.org dn: fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualDomain fripostIsStatusActive: TRUE -fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # Bogus owner fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostOptionalMaildrop: catch-all@example.org fripostOptionalMaildrop: @example2.org fripostOptionalMaildrop: @xn--v4h.net -dn: fva=alias,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=alias,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: user1@fripost.org @@ -165,7 +182,7 @@ fripostListManager: mailman fripostIsStatusActive: TRUE fripostLocalAlias: list#owned.org -dn: fvu=user,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=user,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualUser userPassword: user fripostIsStatusActive: TRUE 
@@ -176,17 +193,17 @@ dn: fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualDomain fripostIsStatusActive: TRUE fripostCanAddAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostPostmaster: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostPostmaster: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostPostmaster: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostPostmaster: fvl=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostPostmaster: fvl=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev # Bogus postmaster fripostPostmaster: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostCanAddAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddAlias: fvl=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostOptionalMaildrop: catch-all@example.org fripostOptionalMaildrop: @example2.org fripostOptionalMaildrop: @xn--v4h.net -dn: fva=alias,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=alias,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: user1@fripost.org 
@@ -197,19 +214,19 @@ fripostListManager: mailman fripostIsStatusActive: TRUE FripostLocalAlias: list#postmastered.org -dn: fvlc=list-request,fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=list-request,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualListCommand FripostLocalAlias: list-request#postmastered.org objectClass: SimpleSecurityObject userPassword: bogus -dn: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualUser userPassword: user fripostIsStatusActive: TRUE fripostUserQuota: 10MB -dn: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualUser userPassword: bigbrother fripostIsStatusActive: TRUE 
@@ -219,12 +236,26 @@ objectClass: FripostVirtualDomain fripostIsStatusActive: TRUE description: Test domain internalization (☮.net) description: Net::TLD doesn't work with international TLDs. -fripostPostmaster: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostPostmaster: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostPostmaster: fvl=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev -dn: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev +dn: fvl=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualUser fripostIsStatusActive: TRUE userPassword: user description: Test domain internalization (user@☮.net). description: Unicode is not allowed in the local part. + +dn: fvl=list2,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +objectClass: FripostVirtualList +objectClass: FripostPendingEntry +fripostIsStatusActive: TRUE +fripostListManager: mailman +fripostLocalAlias: list2#owned.org + +dn: fvl=list2,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +objectClass: FripostVirtualList +objectClass: FripostPendingEntry +fripostIsStatusActive: TRUE +fripostListManager: mailman +fripostLocalAlias: list2#postmastered.org diff --git a/ldap/syncrepl.ldif b/ldap/syncrepl.ldif index 441974b..7cded17 100644 --- a/ldap/syncrepl.ldif +++ b/ldap/syncrepl.ldif 
@@ -26,8 +26,8 @@ credentials="xxxxxx" type=refreshAndPersist retry="5 5 300 +" searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org" -filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))(fripostIsStatusActive=TRUE))" -attrs="fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fvd,fvu,fva,fvl,fripostListCommand,fripostListManager" +filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualListCommand)(objectClass=FripostVirtualList))(fripostIsStatusActive=TRUE))" +attrs="fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fvd,fvl" scope=sub schemachecking=off diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh index 221415c..ee09fc9 100755 --- a/ldap/test-user-acl.sh +++ b/ldap/test-user-acl.sh 
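Review bot: Adding `(objectClass=FripostVirtualListCommand)` to the disjunction has no effect, because the filter still ANDs `(fripostIsStatusActive=TRUE)` and, per the schema hunk above, FripostVirtualListCommand allows only `fvl` and `fripostLocalAlias`, so such entries can never match and are never replicated. If list commands are meant to reach the consumer they need their own branch, e.g. `filter="(|(objectClass=FripostVirtualListCommand)(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))(fripostIsStatusActive=TRUE)))"`. The trimmed `attrs` list also omits `fripostLocalAlias`, the attribute the Postfix ACL in acl.ldif exposes for lists and list commands, so if this consumer serves Postfix those entries arrive without the value it routes on. Note too that, unlike the Postfix ACL, this filter does not exclude `(objectClass=FripostPendingEntry)`, so pending entries replicate; fine if intended, but worth a comment.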
@@ -71,13 +71,13 @@ search () { DOMAINS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualDomain" dn | \ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+),.*/fvd=\1/') USERS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualUser" dn | \ - grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvu=\1,fvd=\2/') + grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/') ALIASES=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualAlias" dn | \ - grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fva=\1,fvd=\2/') + grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/') LISTS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualList" dn | \ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/') LISTSC=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualListCommand" dn | \ - grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+), *([^,]+),.*/fvlc=\1,fvl=\2,fvd=\3/') + grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), **([^,]+),.*/fvl=\1,fvd=\2/') OPERATTRS="structuralObjectClass creatorsName entryUUID createTimestamp entryCSN modifiersName modifyTimestamp" @@ -88,8 +88,9 @@ OPERATTRS="structuralObjectClass creatorsName entryUUID createTimestamp entryCSN echo "Anonymous users:" -# Anonymous need to bind to any fvu -msg "Have =xd access to \"userPassword\" attributes" +# Anonymous need to bind to any user, but shouldn't be able to bind to +# anything else. +msg "Have =xd access to \"userPassword\" attributes of users" for U in ${USERS}; do checkACL "" "${U}" userPassword done | isOK '=xd$' @@ -187,7 +188,6 @@ done | isOK '=0$' entry ########################################################################### - echo echo "Authenticated users, access to the base" 
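Review bot: The LISTSC pipeline has a stray asterisk in its sed expression, `, **([^,]+)`, where the three lines above use `, *([^,]+)`; GNU sed tolerates the doubled `*`, but it is a typo and diverges from the pattern now shared by users, aliases and lists. Change it to `grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/')`. Since USERS, ALIASES, LISTS and LISTSC are now the same search/grep/sed chain differing only in the objectClass, a two-line helper taking the class name would stop this kind of drift.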
@@ -199,10 +199,37 @@ usersB () { } -msg "Have =s access on the base's \"entry\" attribute" -usersB entry | isOK '=s' entry +msg "Have =rsd access on the base's \"entry\" attribute" +usersB entry | isOK '=rsd' entry +[ $? -eq 0 ] || exit $? + +msg "Have =rscd access on the base's \"objectClass\" attribute" +usersB objectClass | isOK '=rscd' objectClass [ $? -eq 0 ] || exit $? +msg "Have =rscd access on the base's \"canAddDomain\" attribute (if member, exact)" +for U in ${USERS}; do + search -s base -b "${SUFFIX}" "(fripostCanAddDomain=${U},${SUFFIX})" | grep -q '^dn: ' && \ + checkACL "${U}" "" fripostCanAddDomain +done | isOK '=rscd' fripostCanAddDomain +[ $? -eq 0 ] || exit $? + +msg "Have =rscd access on the base's \"canAddDomain\" attribute (if member, wildcard)" +for U in ${USERS}; do + DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${SUFFIX}" "(fripostCanAddDomain=${DU},${SUFFIX})" | grep -q '^dn: ' && \ + checkACL "${U}" "" fripostCanAddDomain +done | isOK '=rscd' fripostCanAddDomain +[ $? -eq 0 ] || exit $? + +msg "Have =0 access to the base's \"canAddDomain\" attribute (unless member)" +for U in ${USERS}; do + DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${SUFFIX}" "(|(fripostCanAddDomain=${U},${SUFFIX}) + (fripostCanAddDomain=${DU},${SUFFIX}))" | grep -q '^dn: ' || \ + checkACL "${U}" "" fripostCanAddDomain +done | isOK '=0' fripostCanAddDomain +[ $? -eq 0 ] || exit $? # Needed to create/delete domains. msg "Have =w access on the base's \"children\" attribute" 
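Review bot: The two "(if member …)" loops only pass `checkACL` output to `isOK` for users that match the `fripostCanAddDomain` search, so if no fixture user (or user's domain) is listed on the base entry they run on empty input and pass vacuously, assuming `isOK`, defined outside this hunk, does not fail on zero lines. Either assert up front that at least one match exists, or rely on the trailing count argument the way the other checks do. Smaller points: the `isOK '=rsd'` and `'=rscd'` patterns here are unanchored while most checks in the file use a trailing `$`, and the "(unless member)" filter embeds a newline and indentation inside the quoted LDAP filter string, which the existing checks also do but which is fragile; keep the filter on one line.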
@@ -218,13 +245,22 @@ usersB ${OPERATTRS} | isOK '=0$' entryUUID msg "Cannot create children under a pending entry" for U in ${USERS}; do for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do - search -s base -b "${X},${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \ + search -s base -b "${X},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \ checkACL "${U}" "${X}" children done done | isOK '=0$' children [ $? -eq 0 ] || exit $? +msg "Cannot add, read or search the pending token" +for U in ${USERS}; do + for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + checkACL "${U}" "${X}" fripostPendingToken/add fripostPendingToken/read fripostPendingToken/search + done +done | isOK 'DENIED$' fripostPendingToken add +[ $? -eq 0 ] || exit $? + + ########################################################################### @@ -239,7 +275,8 @@ echo "Authenticated users, access to domain entries" # * children: # =w for all (non-pending entries) # * objectClass: -# =s for all +# =rscd for all +# +z for FripostPendingEntry, if owner or postmaster # * fvd: # =rscd if children, canAdd{Alias,List}, owner or postmaster # +w if owner or postmaster @@ -247,8 +284,7 @@ echo "Authenticated users, access to domain entries" # =rscd if children, canAdd{Alias,List}, owner or postmaster # +w if owner or postmaster # * fripostPendingToken -# =zscd if owner or postmaster -# =s for all if there is no pending token +# =z if owner or postmaster # * fripostCanAddAlias # =rscd if canAddAlias, owner or postmaster # +w if postmaster 
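Review bot: The domain-entries header comment now says `# =z if owner or postmaster` for fripostPendingToken, but the check later in the file (`isOK '=zcd$'` in the "Have =zcd access on the \"pending\" status" block) expects `=zcd`; one of the two is wrong, and unless the ACL is meant to withhold compare and disclose I would update the comment to `# =zcd if owner or postmaster`. In the first hunk the new "Cannot add, read or search the pending token" check reads fine, though the two blank lines added before the separator are more than the file uses elsewhere.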
@@ -285,37 +321,27 @@ usersD fripostOwner/add fripostOwner/delete \ [ $? -eq 0 ] || exit $? -msg "Have =s rights on the \"pending\" status if absent" -for U in ${USERS}; do - for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(!(fripostPendingToken=*))" | grep -q '^dn: ' && \ - checkACL "${U}" "${D}" fripostPendingToken - done -done | isOK '=s$' -[ $? -eq 0 ] || exit $? - - msg "Have =0 rights on the \"pending\" status if present (unless owner or postmaster)" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "(&(!(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))) - (fripostPendingToken=*))" | grep -q '^dn: ' && \ + (objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" fripostPendingToken done done | isOK '=0$' [ $? -eq 0 ] || exit $? -msg "Have =zscd access on the \"pending\" status if present (if owner or postmaster)" +msg "Have =zcd access on the \"pending\" status if present (if owner or postmaster)" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "(&(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX})) - (fripostPendingToken=*))" | grep -q '^dn: ' && \ + (objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" fripostPendingToken done -done | isOK '=zscd$' +done | isOK '=zcd$' [ $? -eq 0 ] || exit $? @@ -324,6 +350,7 @@ msg "Have >=a access to \"entry\" (if CanAddDomain, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${SUFFIX}" "fripostCanAddDomain=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" entry/add done done | isOK 'ALLOWED$' entry add 
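Review bot: With the added pending-entry guard, the "(if CanAddDomain, exact)" check only asserts `entry/add` on domains that carry FripostPendingEntry, but the message still reads as if it covered every domain; say so, `msg "Have >=a access to \"entry\" (if CanAddDomain, exact, and the entry is pending)"`, and likewise in the wildcard variant in the next hunk. The `DENIED` counterpart for this section starts outside these hunks, so I cannot see whether it was given the non-pending clause the list section receives further down; if it was not, creating a non-pending domain by a CanAddDomain member is now asserted in neither direction.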
@@ -336,6 +363,7 @@ for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do search -s base -b "${SUFFIX}" "fripostCanAddDomain=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" entry/add done done | isOK 'ALLOWED$' entry add @@ -358,16 +386,32 @@ done | isOK 'DENIED$' entry add msg "Have =w access to \"children\" (for non-pending attributes)" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + search -s base -b "${D},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \ checkACL "${U}" "${D}" children done done | isOK '=w$' children [ $? -eq 0 ] || exit $? -msg "Have =s access to \"objectClass\"" -usersD objectClass | isOK '=s' objectClass +msg "Have =zrscd access to \"objectClass:FripostPendingEntry\" (if owner,postmaster)" +for U in ${USERS}; do + for D in ${DOMAINS}; do + search -s base -b "${D},${SUFFIX}" "(&(|(fripostOwner=${U},${SUFFIX}) + (fripostPostmaster=${U},${SUFFIX})) + (objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \ + checkACL "${U}" "${D}" objectClass:FripostPendingEntry + done +done | isOK '=zrscd$' +[ $? -eq 0 ] || exit $? + +msg "Have =rscd access to \"objectClass\" otherwise" +for U in ${USERS}; do + for D in ${DOMAINS}; do + checkACL "${U}" "${D}" objectClass + done +done | isOK '=rscd$' [ $? -eq 0 ] || exit $? + msg "Have >=s access on \"entry\", \"fripostOwner\" and \"fripostPostmaster\"" usersD entry/search fripostOwner/search fripostPostmaster/search | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? 
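Review bot: The "Have =rscd access to \"objectClass\" otherwise" loop iterates every user/domain pair, including the owners and postmasters the previous block singles out, so "otherwise" misdescribes it; it presumably passes because plain `objectClass` is `=rscd` for everyone and only the `FripostPendingEntry` value gains `+z`. Say that in the message, `msg "Have =rscd access to \"objectClass\" (for all users)"`, and reuse the existing helper as the other sections do, `usersD objectClass | isOK '=rscd$' objectClass`, instead of re-rolling the two nested loops. usersD is defined outside this hunk, so confirm it iterates the same user and domain sets before substituting it.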
@@ -406,7 +450,7 @@ ATTRSA="fripostOwner/read fripostOwner/compare msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddAlias, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${U},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA} done done | isOK 'ALLOWED$' children @@ -418,7 +462,7 @@ msg "Have >=rscd to the public attributes and >=a to \"children\" (if CanAddAlia for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${DU},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${DU},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA} done done | isOK 'ALLOWED$' children @@ -432,7 +476,7 @@ ATTRSL="fripostOwner/read fripostOwner/compare msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddList, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${U},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children 
@@ -444,7 +488,7 @@ msg "Have >=rscd access to the public attributes and >=a to \"children\" (if Can for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${DU},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${DU},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children @@ -463,7 +507,7 @@ ATTRSO="entry/delete description/add description/delete" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(&(fripostOwner=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostOwner=${U},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} done done | isOK 'ALLOWED$' children @@ -479,7 +523,7 @@ ATTRSP="fripostCanAddAlias/add fripostCanAddAlias/delete fripostCanAddList/add fripostCanAddList/delete" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(&(fripostPostmaster=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostPostmaster=${U},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} ${ATTRSP} done done | isOK 'ALLOWED$' children @@ -587,8 +631,8 @@ echo "Authenticated users, access to user entries" # * children: # =0 for all # * objectClass: -# =s for all -# * fvu: +# =rscd for all +# * fvl: # =wrscd if account owner or domain postmaster # * userPassword: # =w if account owner or domain postmaster 
@@ -608,7 +652,7 @@ usersU () { } # They would need write access to their fripostUserQuota. -# In practice they can't write fvu either, since it's single valued. +# In practice they can't write fvl either, since it's single valued. msg "Have =rscd access to their \"fripostUserQuota\"" usersU fripostUserQuota | isOK '=rscd$' [ $? -eq 0 ] || exit $? @@ -618,20 +662,20 @@ usersU userPassword | isOK '=w$' [ $? -eq 0 ] || exit $? msg "Have =wrscd access to the other attributes of their own entry" -usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu +usersU fvl fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvl [ $? -eq 0 ] || exit $? msg "Have >=rsd access to the \"entry\" attribute of their own entry" -usersU entry/read entry/search entry/disclose fvu/read \ - | isOK 'ALLOWED$' fvu # fvu is useless here, but it's just to get the count +usersU entry/read entry/search entry/disclose fvl/read \ + | isOK 'ALLOWED$' fvl # fvl is useless here, but it's just to get the count [ $? -eq 0 ] || exit $? msg "Have =0 access to their \"children\" and operational attributes" usersU children ${OPERATTRS} | isOK '=0$' children [ $? -eq 0 ] || exit $? -msg "Have =s access to \"objectClass\"" -usersD objectClass | isOK '=s' objectClass +msg "Have =rscd access to \"objectClass\"" +usersD objectClass | isOK '=rscd' objectClass [ $? -eq 0 ] || exit $? msg "Have =0 access to other user entries (unless Postmaster)" @@ -641,7 +685,7 @@ for U1 in ${USERS}; do [ "x${U1}" = "x${U2}" ] || \ search -s base -b "${D2},${SUFFIX}" "(fripostPostmaster=${U1},${SUFFIX})" | grep -q '^dn: ' || \ checkACL "${U1}" "${U2}" entry children \ - fvu userPassword \ + fvl userPassword \ fripostIsStatusActive \ fripostUserQuota \ fripostOptionalMaildrop \ 
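Review bot: The "Have =rscd access to \"objectClass\"" check in the user-entries section still calls `usersD objectClass | isOK '=rscd' objectClass`, i.e. the domain-entries helper, so the objectClass expectation on user entries is never exercised; it should be `usersU objectClass | isOK '=rscd$' objectClass`. The alias-entries section in the next hunk has the same copy-paste (`usersD` where `usersA` is meant). The expected value on these lines was already changed by this commit, so redirecting the helper belongs in the same pass; `usersU ()` begins at this hunk's header context and its body is outside the hunk.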
@@ -671,7 +715,7 @@ usersP userPassword | isOK '=w$' [ $? -eq 0 ] || exit $? msg "Have =wrscd access to the other attributes of their users' entry (if Postmaster)" -usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu +usersP fvl fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvl [ $? -eq 0 ] || exit $? # "+a" is needed to create new accounts. "+z" would be required to @@ -698,8 +742,8 @@ echo "Authenticated users, access to alias entries" # * children: # =0 for all # * objectClass: -# =s for all -# * fva: +# =rscd for all +# * fvl: # =wrscd if alias owner, domain owner or domain postmaster # * fripostMaildrop: # =wrscd if alias owner, domain owner or domain postmaster @@ -730,13 +774,13 @@ msg "Have =0 access to the \"children\" and operational attributes" usersA children ${OPERATTRS} | isOK '=0$' children [ $? -eq 0 ] || exit $? -msg "Have =s access to \"objectClass\"" -usersD objectClass | isOK '=s' objectClass +msg "Have =rscd access to \"objectClass\"" +usersD objectClass | isOK '=rscd' objectClass [ $? -eq 0 ] || exit $? ATTRS="entry/delete entry/read entry/disclose - fva/write fva/read fva/search fva/compare fva/disclose + fvl/write fvl/read fvl/search fvl/compare fvl/disclose fripostMaildrop/add fripostMaildrop/delete fripostMaildrop/read fripostMaildrop/search fripostMaildrop/compare fripostMaildrop/disclose fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose 
@@ -853,14 +897,14 @@ echo "Authenticated users, access to list entries" # +rd if list owner, domain owner or domain postmaster # * children: # =0 for all +# * objectClass +# =rscd for all # * fvl: # =wrscd if list owner, domain owner or domain postmaster # * fripostListManager: # =rscd if list owner, domain owner or domain postmaster # * fripostIsStatusActive: # =wrscd if list owner, domain owner or domain postmaster -# * fripostPendingToken: -# =scd if list owner, domain owner or domain postmaster # * fripostOwner: # =d for all # +rsc if list owner, domain owner or domain postmaster @@ -896,10 +940,10 @@ done | isOK 'DENIED$' fripostListManager [ $? -eq 0 ] || exit $? -msg "Cannot read or delete the pending status; Cannot delete entry" +msg "Cannot delete entry or the pending status" for U in ${USERS}; do for L in ${LISTS}; do - checkACL "${U}" "${L}" fripostPendingToken/read fripostPendingToken/add fripostPendingToken/delete entry/delete + checkACL "${U}" "${L}" objectClass/delete:FripostPendingEntry entry/delete done done | isOK 'DENIED$' entry [ $? -eq 0 ] || exit $? @@ -909,7 +953,6 @@ ATTRS="entry/read entry/disclose fvl/write fvl/read fvl/search fvl/compare fvl/disclose fripostListManager/read fripostListManager/search fripostListManager/compare fripostListManager/disclose fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose - fripostPendingToken/search fripostPendingToken/compare fripostPendingToken/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose description/add description/delete description/read description/compare description/disclose" ATTRS2="fripostOwner/add fripostOwner/delete" 
@@ -924,25 +967,51 @@ done | isOK 'ALLOWED$' entry read [ $? -eq 0 ] || exit $? -msg "Can edit/create list (if domain Owner)" +msg "Can edit list (if domain Owner)" +[ $? -eq 0 ] || exit $? +for U in ${USERS}; do + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} + done +done | isOK 'ALLOWED$' entry read +[ $? -eq 0 ] || exit $? + + +msg "Can edit list (if domain Postmaster)" +[ $? -eq 0 ] || exit $? +for U in ${USERS}; do + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} + done +done | isOK 'ALLOWED$' entry read +[ $? -eq 0 ] || exit $? + + +msg "Can create list (if domain Owner)" [ $? -eq 0 ] || exit $? for U in ${USERS}; do for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add + search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" entry/add done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? -msg "Can edit/create list (if domain Postmaster)" +msg "Can create list (if domain Postmaster)" [ $? -eq 0 ] || exit $? for U in ${USERS}; do for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add + search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" entry/add done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? 
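Review bot: Each of the four `msg "Can … list (if domain …)"` lines is immediately followed by `[ $? -eq 0 ] || exit $?`, which tests the exit status of `msg` rather than of any check and so never fires; drop those four lines (the one after each `done | isOK …` is the real guard). The Owner and Postmaster blocks are now identical apart from the attribute in the search filter, `fripostOwner` versus `fripostPostmaster`, and the two "create" blocks additionally duplicate the canAddList blocks in the next hunk; a helper taking the domain attribute and the access list would halve this section.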
@@ -954,6 +1023,7 @@ for U in ${USERS}; do for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \ checkACL "${U}" "${L}" entry/add done done | isOK 'ALLOWED$' entry @@ -967,6 +1037,7 @@ for U in ${USERS}; do for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \ checkACL "${U}" "${L}" entry/add done done | isOK 'ALLOWED$' entry @@ -978,10 +1049,11 @@ for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX}) - (fripostCanAddList=${DU},${SUFFIX}) - (fripostOwner=${U},${SUFFIX}) - (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ + search -s base -b "${DL},${SUFFIX}" "(!(|(fripostCanAddList=${U},${SUFFIX}) + (fripostCanAddList=${DU},${SUFFIX}) + (fripostOwner=${U},${SUFFIX}) + (fripostPostmaster=${U},${SUFFIX})))" | grep -q '^dn: ' || \ + search -s base -b "${L},${SUFFIX}" "(!(objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \ checkACL "${U}" "${L}" entry/add done done | isOK 'DENIED$' entry 
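Review bot: In the last hunk the chain `search … "(!(|…)))" | grep -q … || search … "(!(objectClass=FripostPendingEntry))" | grep -q … && checkACL …` only expresses the intended rule ("expect DENIED when the user has no create right, or when the target is not pending") because the shell evaluates `||` and `&&` left to right with equal precedence; a reader used to C precedence will parse it as `A || (B && C)`. Make the grouping explicit, `{ search … | grep -q '^dn: ' || search … | grep -q '^dn: '; } && checkACL "${U}" "${L}" entry/add`, or add a one-line comment saying the two searches are alternatives. The inverted filter also changes the skip: previously a member was simply not checked, now a member is still expected to be denied when the list is not pending, which matches the new create rule but should be reflected in the `msg` above the block, which lies outside the hunk.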
@@ -990,11 +1062,11 @@ done | isOK 'DENIED$' entry
 
 msg "Cannot manage ownership (unless domain owner/domain postmaster)"
 for U in ${USERS}; do
-    for A in ${ALIASES}; do
-        DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
-        search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
+    for L in ${LISTS}; do
+        DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+        search -s base -b "${DL},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
                                               (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
-        checkACL "${U}" "${A}" ${ATTRS2}
+        checkACL "${U}" "${L}" ${ATTRS2}
     done
 done | isOK 'DENIED$' fripostOwner add
 [ $? -eq 0 ] || exit $?
@@ -1017,7 +1089,7 @@ for U in ${USERS}; do
     for LC in ${LISTSC}; do
         checkACL "${U}" "${LC}"
     done
-done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry
+done | grep -Ev '^objectClass=' | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 
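Review bot: The `@@ -990` hunk converts the negative ownership test from aliases to lists instead of adding a second loop, so within this chunk nothing now asserts that a user who is neither domain owner nor postmaster is DENIED `fripostOwner` add on an alias. If an alias variant of this test exists elsewhere in the file this is fine; if this loop was the only one, keep both the original `for A in ${ALIASES}` loop with `checkACL "${U}" "${A}" ${ATTRS2}` and the new `for L in ${LISTS}` loop, each ending in `done | isOK 'DENIED$' fripostOwner add`. Dropping a negative ACL case is the kind of change that deserves a sentence in the commit message.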
@@ -1031,25 +1103,18 @@ echo "Service Postfix"
 
 msg "Have =0 access on non-active or pending entries"
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-    search -s base -b "${X},${SUFFIXV}" "(|(fripostIsStatusActive=TRUE)(fripostPendingToken=*))" | grep -q '^dn: ' && \
+    search -s base -b "${X},${SUFFIXV}" "(|(fripostIsStatusActive=TRUE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
     checkACL "cn=Postfix" "${D}"
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Can read and search the domain attributes it needs"
 for D in ${DOMAINS}; do
-    search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${D}" entry fvd fripostOptionalMaildrop
+    search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+    checkACL "cn=Postfix" "${D}" entry objectClass fvd fripostOptionalMaildrop
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Can search the domain attributes it needs"
-for D in ${DOMAINS}; do
-    search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${D}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
 msg "Have =0 access on other domain attributes"
 for D in ${DOMAINS}; do
     checkACL "cn=Postfix" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken fripostIsStatusActive
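Review bot: The first test in the `@@ -1031` hunk ("Have =0 access on non-active or pending entries") still calls `checkACL "cn=Postfix" "${D}"` although the loop variable is `X`, and its filter selects `fripostIsStatusActive=TRUE` while the message and the `=0` expectation describe inactive entries; the commit edited this exact line to switch to `objectClass=FripostPendingEntry` but left both. As written every iteration checks whatever `D` held before the loop (possibly nothing), and the entries it selects are the active ones that the very next test expects to be `=rsd`, so the property that disabled or pending mailboxes and lists are invisible to Postfix is not actually verified. I would change the two lines to `search -s base -b "${X},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \` and `checkACL "cn=Postfix" "${X}"`. If `isOK` passes on empty input (it is defined outside this chunk), the current form may have been green only because no line was ever produced.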
@@ -1058,18 +1123,11 @@ done | isOK '=0$' children
 
 msg "Can read and search the user attributes it needs"
 for U in ${USERS}; do
-    search -s base -b "${U},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${U}" entry fvu fripostOptionalMaildrop
+    search -s base -b "${U},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+    checkACL "cn=Postfix" "${U}" entry objectClass fvl fripostOptionalMaildrop
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Can search the user attributes it needs"
-for U in ${USERS}; do
-    search -s base -b "${U},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${U}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
 msg "Have =0 access on other user attributes"
 for U in ${USERS}; do
     checkACL "cn=Postfix" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description fripostIsStatusActive
@@ -1078,18 +1136,11 @@ done | isOK '=0$' children
 
 msg "Can read and search the alias attributes it needs"
 for A in ${ALIASES}; do
-    search -s base -b "${A},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${A}" entry fva fripostMaildrop
+    search -s base -b "${A},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+    checkACL "cn=Postfix" "${A}" entry objectClass fvl fripostMaildrop
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Can search the alias attributes it needs"
-for A in ${ALIASES}; do
-    search -s base -b "${A},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${A}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
 msg "Have =0 access on other alias attributes"
 for A in ${ALIASES}; do
     checkACL "cn=Postfix" "${A}" children ${OPERATTRS} fripostOwner description fripostIsStatusActive
@@ -1098,18 +1149,11 @@ done | isOK '=0$' children
 
 msg "Can read and search the list attributes it needs"
 for L in ${LISTS}; do
-    search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${L}" entry fvl fripostLocalAlias
+    search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+    checkACL "cn=Postfix" "${L}" entry objectClass fvl fripostLocalAlias
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Can search the list attributes it needs"
-for L in ${LISTS}; do
-    search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${L}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
 msg "Have =0 access on other list attributes"
 for L in ${LISTS}; do
     checkACL "cn=Postfix" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description fripostIsStatusActive fripostPendingToken
@@ -1118,16 +1162,11 @@ done | isOK '=0$' children
 
 msg "Can read and search the list command attributes it needs"
 for LC in ${LISTSC}; do
-    checkACL "cn=Postfix" "${LC}" entry fvlc fripostLocalAlias
+    search -s base -b "${LC},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+    checkACL "cn=Postfix" "${LC}" entry objectClass fvl fripostLocalAlias
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Can search the list command attributes it needs"
-for LC in ${LISTSC}; do
-    checkACL "cn=Postfix" "${LC}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
 msg "Have =0 access on other list command attributes"
 for LC in ${LISTSC}; do
     checkACL "cn=Postfix" "${LC}" children ${OPERATTRS}
@@ -1142,38 +1181,53 @@ echo "Service CreateList"
 
 msg "Have =0 access on domain attributes"
 for D in ${DOMAINS}; do
-    checkACL "cn=CreateList" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken
+    checkACL "cn=CreateList" "${D}" entry ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on user attributes"
 for U in ${USERS}; do
-    checkACL "cn=CreateList" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
+    checkACL "cn=CreateList" "${U}" entry children ${OPERATTRS} fvl userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on alias attributes"
 for A in ${ALIASES}; do
-    checkACL "cn=CreateList" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
+    checkACL "cn=CreateList" "${A}" entry children ${OPERATTRS} fvl fripostMaildrop fripostIsStatusActive fripostOwner description
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Have =zsd access on lists' pending status"
+msg "Can remove the 'pending' status on lists"
+for L in ${LISTS}; do
+    search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
+    checkACL "cn=CreateList" "${L}" objectClass/delete:FripostPendingEntry fripostPendingToken/delete
+done | isOK 'ALLOWED$'
+[ $? -eq 0 ] || exit $?
+
+msg "Cannot create a 'pending' satus"
 for L in ${LISTS}; do
-    checkACL "cn=CreateList" "${L}" fripostPendingToken
-done | isOK '=zsd$'
+    search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+    checkACL "cn=CreateList" "${L}" objectClass/delete:FripostPendingEntry fripostPendingToken/delete
+done | isOK 'DENIED$'
 [ $? -eq 0 ] || exit $?
 
+msg "Have =rscd access on objectClass"
+for L in ${LISTS}; do
+    search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
+    checkACL "cn=CreateList" "${L}" objectClass
+done | isOK '=rscd$'
+
 msg "Have =rsd access on lists' entry attribute"
 for L in ${LISTS}; do
+    search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
     checkACL "cn=CreateList" "${L}" entry
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Have =a access on lists' children attribute"
-for L in ${LISTS}; do
-    search -s base -b "${L},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
-    checkACL "cn=CreateList" "${L}" children
+msg "Have =a access on domains' children attribute"
+for D in ${DOMAINS}; do
+    search -s base -b "${D},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+    checkACL "cn=CreateList" "${D}" children
 done | isOK '=a$'
 [ $? -eq 0 ] || exit $?
 
@@ -1191,7 +1245,7 @@ done | isOK '=a$'
 
 msg "Have =0 access on other list command attributes"
 for LC in ${LISTSC}; do
-    checkACL "cn=CreateList" "${LC}" children ${OPERATTRS} fvlc fripostLocalAlias
+    checkACL "cn=CreateList" "${LC}" children ${OPERATTRS} fvl fripostLocalAlias
 done | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 
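Review bot: The new "Have =rscd access on objectClass" block in the `@@ -1142` hunk (which starts on the previous line) is the only check in this section not followed by `[ $? -eq 0 ] || exit $?`, so a regression in CreateList's access to `objectClass` on pending lists would be reported by `isOK '=rscd$'` and then ignored, with the script still exiting 0; add `[ $? -eq 0 ] || exit $?` after `done | isOK '=rscd$'`. Separately, the test labelled "Cannot create a 'pending' satus" (typo: status) exercises `objectClass/delete:FripostPendingEntry fripostPendingToken/delete` on non-pending lists, which verifies that CreateList cannot delete a marker that is absent, not that it cannot mark an entry pending. If the ACL is meant to stop this service from re-pending (and so hiding) a live list, a DENIED check on `objectClass/add:FripostPendingEntry fripostPendingToken/add` over all lists would pin that; I cannot confirm from this chunk what the ACL grants on add.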
@@ -1201,17 +1255,16 @@ done | isOK '=0$' children
 
 echo
 echo "Service DeletePendingEntries"
-msg "Have =z access on the \"children\" attribute of non-pending entries"
+msg "Have =z access on the \"children\" attribute"
 (checkACL "cn=DeletePendingEntries" "" children
-for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-    search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
-    checkACL "cn=DeletePendingEntries" "${X}" children
-done) | isOK '=z$' children
+ for D in ${DOMAINS}; do
+     checkACL "cn=DeletePendingEntries" "${D}" children
+ done) | isOK '=z$' children
 [ $? -eq 0 ] || exit $?
 
 msg "Have =zrsd access on the \"entry\" attribute of pending entries"
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-    search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
+    search -s base -b "${X},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
     checkACL "cn=DeletePendingEntries" "${X}" entry
 done | isOK '=zrsd$' entry
 [ $? -eq 0 ] || exit $?
@@ -1219,29 +1272,29 @@ done | isOK '=zrsd$' entry
 msg "Have =s access on the \"entry\" attribute of non-pending entries"
 (checkACL "cn=DeletePendingEntries" "" entry
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-    search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+    search -s base -b "${X},${SUFFIXV}" "(|(objectClass=FripostVirtualListCommand)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
     checkACL "cn=DeletePendingEntries" "${X}" entry
 done) | isOK '=s$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Have =s access on the attributes it needs on pending entries"
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-    search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
-    checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken
-done | isOK '=s$' fripostPendingToken
+    search -s base -b "${X},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
+    checkACL "cn=DeletePendingEntries" "${X}" createTimestamp
+done | isOK '=s$' createTimestamp
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access these attributes for non-pending entries"
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-    search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
-    checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken
-done | isOK '=0$' fripostPendingToken
+    search -s base -b "${X},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+    checkACL "cn=DeletePendingEntries" "${X}" createTimestamp
+done | isOK '=0$' createTimestamp
 [ $? -eq 0 ] || exit $?
 
-msg "Have =s access on the object class"
+msg "Have =rscd access on objectClass"
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
     checkACL "cn=DeletePendingEntries" "${X}" objectClass
-done | isOK '=s$' objectClass
+done | isOK '=rscd$' objectClass
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other domain attributes"
@@ -1252,14 +1305,14 @@ done | isOK '=0$' fvd
 
 msg "Have =0 access on other user attributes"
 for U in ${USERS}; do
-    checkACL "cn=DeletePendingEntries" "${U}" fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
-done | isOK '=0$' fvu
+    checkACL "cn=DeletePendingEntries" "${U}" fvl userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
+done | isOK '=0$' fvl
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other alias attributes"
 for A in ${ALIASES}; do
-    checkACL "cn=DeletePendingEntries" "${A}" fva fripostMaildrop fripostIsStatusActive fripostOwner description
-done | isOK '=0$' fva
+    checkACL "cn=DeletePendingEntries" "${A}" fvl fripostMaildrop fripostIsStatusActive fripostOwner description
+done | isOK '=0$' fvl
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other list attributes"
@@ -1270,8 +1323,8 @@ done | isOK '=0$' fvl
 
 msg "Have =0 access on other list command attributes"
 for LC in ${LISTSC}; do
-    checkACL "cn=AdminWebPanel" "${LC}" fvlc fripostLocalAlias
-done | isOK '=0$' fvlc
+    checkACL "cn=AdminWebPanel" "${LC}" fvl fripostLocalAlias
+done | isOK '=0$' fvl
 [ $? -eq 0 ] || exit $?
 
 
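Review bot: The `@@ -1270` hunk renames `fvlc` to `fvl` but keeps `checkACL "cn=AdminWebPanel" "${LC}" fvl fripostLocalAlias` in a test that, judging by the neighbouring `@@ -1252` checks and the "other … attributes" wording used throughout the DeletePendingEntries section, belongs to DeletePendingEntries; the AdminWebPanel list-command case is already covered by the `@@ -1306` hunk. If that reading is right, DeletePendingEntries' access to `fvl`/`fripostLocalAlias` on list commands is never asserted, and the `@@ -1219` hunk in this same commit also stopped asserting its `entry` access on `FripostVirtualListCommand` entries, so that service's footprint on list commands is now untested. I would change the line to `checkACL "cn=DeletePendingEntries" "${LC}" fvl fripostLocalAlias` and add an explicit expectation (presumably `=0$ entry`) for `${LISTSC}` next to the `=s` test at `@@ -1219`. Whether a `Service AdminWebPanel` header sits between these hunks cannot be seen from this chunk.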
@@ -1288,13 +1341,13 @@ done | isOK '=0$' entry
 
 msg "Have =0 access on user attributes"
 for U in ${USERS}; do
-    checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
+    checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvl userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on alias attributes"
 for A in ${ALIASES}; do
-    checkACL "cn=AdminWebPanel" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
+    checkACL "cn=AdminWebPanel" "${A}" entry children ${OPERATTRS} fvl fripostMaildrop fripostIsStatusActive fripostOwner description
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
@@ -1306,7 +1359,7 @@ done | isOK '=0$' entry
 
 msg "Have =0 access on list command attributes"
 for LC in ${LISTSC}; do
-    checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias
+    checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvl fripostLocalAlias
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
|