-rw-r--r--ldap/acl.ldif277
-rw-r--r--ldap/base.ldif8
-rw-r--r--ldap/fripost.ldif62
-rw-r--r--ldap/index.ldif5
-rw-r--r--ldap/populate.ldif99
-rw-r--r--ldap/syncrepl.ldif4
-rwxr-xr-xldap/test-user-acl.sh347
7 files changed, 445 insertions, 357 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 69b8c30..e7272f0 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -28,16 +28,10 @@ replace: olcAccess
# Most common services: Postfix, Amavis, SASLauth, Dovecot
# (Most used ACLs are cheaper when written first.)
#
-# Everyone can search the objectclass
-olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=objectClass
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =s
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
-#
# Postfix have read access to the attribute they need.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
- filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(fripostIsStatusActive=FALSE))(!(fripostPendingToken=*)))
+ attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
+ filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
by users =0 break
#
@@ -54,58 +48,116 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
# 1. Anonymous users can bind.
# 2. Users can change their password (but not read it).
# 3. The postmaster of a domain can change (replace) his/her users' password (but not read it).
-olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=userPassword
by realanonymous =xd
by realself =w
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w
- by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w
+ by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =w
+#
+# A catch-all, to be sure that noone else have access to the passwords.
+olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+ attrs=userPassword
+ by * =0
#
#
########################################################################
-# Virtual subtree, general access
+# Virtual subtree, pending token and general access
#
-# 1,2. Services that need particular access on the tree.
-# 3. Other users need further access.
+# 1. Users need further access. We use a set to deny all access to non-users without
+# having a need for an expensive LDAP search (URL) in the AuthzTo.
+# /!\ The objectClass "FripostVirtualUser" is case-sensitive in this case!
+# 2,3. Services that need particular access on the tree.
# 4. Managers have read/write access to the "virtual" subtree.
-# 5. Other services have no access other than the one above.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ by set.exact="user/objectClass & [FripostVirtualUser]" =0 break
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0
#
-# Our service can list and delete (old) pending entries.
+# Only the domain Postmasters and Owners can delete the 'pending' status on domains.
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry))
+ attrs=objectClass val=FripostPendingEntry
+ by dnattr=fripostPostmaster =z break
+ by dnattr=fripostOwner =z break
+ by * =0 break
+#
+# The list creation service can delete the 'pending' status on lists.
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
+ attrs=objectClass val=FripostPendingEntry
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =z break
+ by * +0 break
+#
+# ObjectClass is a public attribute: everyone can read and search it.
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=objectClass
+ by * +rscd
+#
+# The pending token is not public, but domain owner and postmasters can check their and
+# delete it (upon success, but it's done on the library side).
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry))
+ attrs=fripostPendingToken
+ by dnattr=fripostPostmaster =zcd break
+ by dnattr=fripostOwner =zcd break
+ by * +0 break
+#
+# The list creation service can delete the 'pending' status on lists.
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
+ attrs=fripostPendingToken
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +z
+ by * +0
+#
+# The cleaning service can list the (expired) pending entries and delete them.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- filter=(fripostPendingToken=*)
+ filter=(objectClass=FripostPendingEntry)
attrs=entry
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break
- by dn.children="o=mailHosting,dc=fripost,dc=dev" =0 break
+ by * =0 break
#
-# Our service can search anywhere in the tree (for old pending entries).
+# Only the list creation service may add list commands. (It seems unsafe since it can create
+# arbitrary commands, but as other services it run in safe environments only.)
+# (Listcommands are not concerned by the cleaning service.)
+olcAccess: to dn.regex="^fvl=[^,]+-[^,-]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=FripostVirtualListCommand)
+ attrs=entry
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
+#
+# One can search search everywhere in the virtual tree.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +s break
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" +s
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by * =s break
#
-# Our service needs to have 'z' access on the 'children' of the parent of the entry that is
-# to be deleted. (And 'z' access of the 'entry' attribute of this entry.)
-olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+# We're giving away create/delete access on the children attributes, but we will be carefull
+# with the 'entry' permissions.
+olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(objectClass=FripostVirtual)
+ attrs=children
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z
+olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(objectClass=FripostVirtualDomain)
attrs=children
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z
- by dn.children="o=mailHosting,dc=fripost,dc=dev" =0 break
+ by * break
+olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
+ attrs=children
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
#
-# Our service needs search access to list (old) pending entries.
+# The cleaning service needs to know when entries have been created.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- filter=(fripostPendingToken=*)
- attrs=createTimestamp,fripostPendingToken
+ filter=(objectClass=FripostPendingEntry)
+ attrs=createTimestamp
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
- by dn.children="o=mailHosting,dc=fripost,dc=dev" +0 break
#
-# Users can search (e.g., to list the entries they have created).
+# Users can use these in filters (e.g., to list the entries they have created).
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
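Review bot: The three parallel 'pending' directives are not written alike: the domain objectClass one closes with `by * =0 break`, while the list objectClass one and the domain fripostPendingToken one close with `by * +0 break`. Under slapd's privilege accumulation `=0` resets whatever earlier `break` clauses granted and `+0` preserves it; because the first subtree directive leaves users and the two services at zero, the result is presumably identical today, but the mixed forms read as if a difference were intended, so either use `=0 break` in all three or say in the comment why `+0` is wanted. Similarly, the comment on that first subtree directive says the set clause denies all access to non-users, yet the directive has no closing clause after the managers line and relies on slapd's implicit deny when no `by` clause matches; an explicit ` by * =0` would make the stated intent visible. The `=zcd` grants on fripostPendingToken allow owners and postmasters to run compare operations against the stored token, so the comment above them should record that the token must be unguessable for that to be acceptable. The final directive in this hunk may continue beyond it.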
@@ -114,28 +166,6 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
########################################################################
# Virtual subtree, domains
#
-# 1. Everyone can create/delete domains. (Provided s/he has +a/+z access to the
-# "entry" attribute of the domains s/he wants to delete.)
-# 2. The relevant service can delete (old) pending entries.
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
- by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z
-#
-# Everyone can check for the absence of a 'pending' status.
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*)))
- attrs=fripostPendingToken
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
-#
-# Only the domain Postmasters and Owners can search the unlock token and delete
-# the 'pending' status (but not read).
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=FripostVirtualDomain)
- attrs=fripostPendingToken
- by dnattr=fripostPostmaster =zscd
- by dnattr=fripostOwner =zscd
-#
# 1. The postmaster of a domain can give (or take back) people the right to create
# aliases.
# 2,3. People that can create aliases can list the members of the group.
@@ -164,7 +194,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dnattr=fripostPostmaster =rscd
by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd
by dn.onelevel,expand="$1" +d
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by * +0
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
@@ -185,27 +215,23 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
attrs=@fripostVirtualDomain
by dnattr=fripostOwner =wrscd
by dnattr=fripostPostmaster =wrscd
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by * +0
#
-# Everyone can add or delete children, but we will be carefull with
-# the kid's "entry" attribute, which require +a and +z to add and delete
-# respectively. Note that it is forbidden add a child under a pending
-# entry; This is important since otherwise we couldn't delete pending
-# entry non-recursively.
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*)))
- attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
+# Users with "addDomain" access can create new entries, but only if
+# there is a pending token.
+olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry)(fripostPendingToken=*))
+ attrs=entry
+ by set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a break
+ by * +0 break
#
-# 1. Users with "addDomain" access can create new entries.
-# 2. Domain owners can delete their domain (and read the entry).
-# 3. So can domain postmasters.
-# 4. Domain users can read the domain entry (but not delete it).
-# 5. So can users with "canAddAlias" or "canAddList" rights.
+# 1. Domain owners can delete their domain (and read the entry).
+# 2. So can domain postmasters.
+# 3. Domain users can read the domain entry (but not delete it).
+# 4. So can users with "canAddAlias" or "canAddList" rights.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualDomain)
attrs=entry
- by set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a continue
by dnattr=fripostOwner +zrd
by dnattr=fripostPostmaster +zrd
by dn.onelevel,expand="$1" +rd
@@ -215,7 +241,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
# Reserved local parts are reserved. /!\ The case must be insensitive
# - postmaster: RFC 822, appendix C.6
# - abuse: RFC 2142, section 4
-olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+olcAccess: to dn.regex="^fvl=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
by * =0
#
#
@@ -223,29 +249,28 @@ olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o
# Virtual subtree, users
#
# Users and their postmaster can read the quota (but not change it).
-olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=fripostUserQuota
by self =rscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
#
# 1. Users can modify their own entry.
# 2. So can their postmasters.
-olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=@FripostVirtualUser
by self =wrscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
# 1. Users can read their entry (but not delete it).
# 2. Postmasters can create users (but not delete them).
# (Provided that they have +a access to the parent's "children" attribute.)
-olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=entry
by self +rd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +ard
#
#
########################################################################
@@ -254,35 +279,35 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 1. The alias owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
# 3. So can the domain postmasters.
-olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualAlias)
attrs=fripostOwner
by dnattr=fripostOwner =rscd continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by * +0
#
# 1. The alias owners can edit the rest of their entry's attributes.
# 2. So can the domain owners.
# 3. So can the domain postmasters.
-olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualAlias)
attrs=@FripostVirtualAlias
by dnattr=fripostOwner =wrscd
- by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
# 1. The alias owners can read and delete the entry.
# 2. So can the domain owner.
# 3. So can the domain postmaster.
# 4. Users with "canAddAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain.
# (But *not* delete them, unless also owner.)
-olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualAlias)
attrs=entry
by dnattr=fripostOwner +zrd continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" +wrd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
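Review bot: The alias `entry` directive at the end of this hunk still closes with `by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0`, while the fripostOwner directive earlier in the same hunk and the corresponding list directives elsewhere in this commit were changed to `by * +0`. Identities outside ou=virtual fall through to slapd's implicit deny in either form, so the effect is presumably the same, but the leftover clause looks like an oversight in an otherwise systematic rewrite; changing it to ` by * +0` keeps the file uniform.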
@@ -297,9 +322,9 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
filter=(objectClass=FripostVirtualList)
attrs=fripostOwner
by dnattr=fripostOwner =rscd continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by * +0
#
# 1. The list owner read (but not edit) the transport-related attributes.
# 2. So can the domain ower.
@@ -308,20 +333,8 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
filter=(objectClass=FripostVirtualList)
attrs=fripostListManager
by dnattr=fripostOwner =rscd
- by group/fripostVirtualDomain/fripostOwner.expand="$1" =rscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
-#
-# 1,2,3. The list owner and the domain Owner and Postmaster can search the 'pending' token.
-# 4. The list creator can remove the "pending" flag.
-# (We don't need to limit the search to presence only here, since when present the value is
-# always 'TRUE')
-olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualList)
- attrs=fripostPendingToken
- by dnattr=fripostOwner =scd
- by group/fripostVirtualDomain/fripostOwner.expand="$1" =scd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =scd
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" =rscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
#
# 1. The list owners can edit their entry's attributes.
# 2. So can the domain owners.
@@ -330,40 +343,46 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
filter=(objectClass=FripostVirtualList)
attrs=@FripostVirtualList
by dnattr=fripostOwner =wrscd
- by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+#
+# 1-3. People with "canAddList" access can create lists, but only with a
+# 'pending' status.
+# 4. The list creation service can search and browse the entry.
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
+ attrs=entry
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" +a break
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +a break
+ by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a break
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +rd
+ by * +0 break
#
# 1. The list owners can read the entry.
# 2. So can the domain's Owner.
# 3. So can the domain's Postmaster.
-# 4. Users with "canAddList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain.
-# (But *not* delete them, unless also owner.)
-# 6. The list creator can read the entry.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
attrs=entry
- by dnattr=fripostOwner +rd continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad
- by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
-#
-# The List Creator can add list commands under non-pending lists.
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(&(objectClass=FripostVirtualList)(!(fripostPendingToken=*)))
- attrs=children
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
-#
-# The List Creator can add list commands.
-olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=FripostVirtualListCommand)
- attrs=entry
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
+ by dnattr=fripostOwner +rd
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" +rd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +rd
+ by * +0
#
#
########################################################################
# Catchall
#
+# Users with "canAddDomain" access can see that they have the right
+# to create domains.
+olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(objectClass=FripostVirtual)
+ attrs=entry
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +rd
+olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(objectClass=FripostVirtual)
+ attrs=fripostCanAddDomain
+ by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd
+# Catch the break above
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
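Review bot: The new catch-all directive on the ou=virtual base grants `=rscd` on fripostCanAddDomain to any user named in it (directly or via their domain), which lets such a user read every DN holding the add-domain right, whereas the comment above it only says they should be able to see that they themselves have it. If the comment states the full intent, `=scd` (search and compare, no read) suffices for a self-check and avoids enumerating the other grantees; if listing them is wanted, the comment should say so. Also, the comment on the pending-list directive says the list creation service can "search and browse" the entry, but its clause grants only `+rd`; the `s` comes from the much earlier `by * =s break` on the subtree, which is worth noting in the comment since the two directives are far apart.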
diff --git a/ldap/base.ldif b/ldap/base.ldif
index c31e109..c102beb 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -18,8 +18,8 @@ dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: organizationalUnit
objectClass: fripostVirtual
fripostCanAddDomain: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostCanAddDomain: fvu=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostCanAddDomain: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddDomain: fvl=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddDomain: fvl=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
description: Virtual mail hosting
# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
@@ -52,4 +52,6 @@ objectClass: simpleSecurityObject
objectClass: organizationalRole
description: The adminstrator Web Panel
userPassword: panel
-authzTo: dn.regex:^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
+authzTo: dn.regex:^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$
+#authzTo: ldap:///ou=virtual,o=mailHosting,dc=fripost,dc=dev??sub?(objectClass=FripostVirtualUser)
+# NOTE: ^ This is an expensive operation, and requires search perms for the service.
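Review bot: Widening the AdminWebPanel authzTo regex from `fvu=` to `fvl=` lets the panel authorize as any `fvl=` child of a domain, which after this commit includes aliases, lists and list commands rather than only users. The ACLs in acl.ldif gate most of the virtual subtree on the bound identity's objectClass, so the practical exposure is presumably limited, but that dependency is not visible from this file. Since the precise LDAP-URL form is already kept as a comment for cost reasons, add a line beside it such as `# NOTE: fvl= also names aliases, lists and list commands; the acl.ldif set clauses on user/objectClass are what restrict those identities.`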
diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif
index 862d480..2aa7bd0 100644
--- a/ldap/fripost.ldif
+++ b/ldap/fripost.ldif
@@ -46,37 +46,19 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.1 NAME 'fvd'
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvu'
- DESC 'The local part of a virtual user'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvl'
+ DESC 'The local part of a virtual user, alias, list or list command'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fva'
- DESC 'The local part of a virtual mail alias'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
-#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fvl'
- DESC 'The local part of a virtual list'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
-#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fvlc'
- DESC 'The local part of a virtual list command'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
-#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.6 NAME 'fripostLocalAlias'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fripostLocalAlias'
DESC 'A local alias, typically localpart#domainpart.tld'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostMaildrop'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostMaildrop'
DESC 'An email address the virtual alias should be mapped to'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
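Review bot: The attribute-type OIDs under 1.3.6.1.4.1.40011.1.2.1 are renumbered: `.3` (formerly 'fva') now names fripostLocalAlias and `.4` (formerly 'fvl', an IA5 local part) now names fripostMaildrop, while the surviving 'fvl' name moves to `.2`; the same shifting continues in the following hunk for fripostOptionalMaildrop through fripostListManager. OIDs are meant to be permanent identifiers, and reassigning one to a different attribute can make two servers disagree on what an OID denotes, which matters for syncrepl consumers still holding the old schema and for any LDIF or index that refers to OIDs. Keeping each surviving attribute on its original number and leaving the removed types' numbers unused avoids that, and a comment such as `# OIDs of the removed fvu/fva/fvlc types are retired; do not reuse.` would record why the gaps exist.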
@@ -85,48 +67,48 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostMaildrop'
# We are creating a new attribute, optional in virtual domains and
# users, because the presence index should *not* apply to the
# mandatory attribute above.
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostOptionalMaildrop'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostOptionalMaildrop'
DESC 'An optional email address for catch-all aliases on domains and users'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostIsStatusActive'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.6 NAME 'fripostIsStatusActive'
DESC 'When present, a token locking the entry in an inactive state'
EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostPendingToken'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostPendingToken'
DESC 'Is the entry pending?'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostUserQuota'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostUserQuota'
DESC 'The quota on a user e.g., "50MB"'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostCanAddDomain'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostCanAddDomain'
DESC 'A user/domain that can add domains'
SUP distinguishedName )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostCanAddAlias'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostCanAddAlias'
DESC 'A user/domain that can add aliases under the parent domain'
SUP distinguishedName )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostCanAddList'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostCanAddList'
DESC 'A user/domain that can add lists under the parent domain'
SUP distinguishedName )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.15 NAME 'fripostOwner'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostOwner'
DESC 'A user that owns under parent domain'
SUP distinguishedName )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.16 NAME 'fripostPostmaster'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostPostmaster'
DESC 'A user that is a postmaster of the parent domain'
SUP distinguishedName )
#
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.17 NAME 'fripostListManager'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostListManager'
DESC 'The list manager'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
@@ -146,29 +128,33 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain'
MUST ( fvd $ fripostIsStatusActive )
MAY ( fripostCanAddAlias $ fripostCanAddList $
fripostOwner $ fripostPostmaster $
- fripostOptionalMaildrop $ fripostPendingToken $ description ) )
+ fripostOptionalMaildrop $ description ) )
#
# | TODO: add limits here
olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser'
SUP top STRUCTURAL
DESC 'Virtual user'
- MUST ( fvu $ userPassword $ fripostIsStatusActive )
+ MUST ( fvl $ userPassword $ fripostIsStatusActive )
MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) )
#
olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualAlias'
SUP top STRUCTURAL
DESC 'Virtual alias'
- MUST ( fva $ fripostMaildrop $ fripostIsStatusActive )
+ MUST ( fvl $ fripostMaildrop $ fripostIsStatusActive )
MAY ( fripostOwner $ description ) )
#
olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList'
SUP top STRUCTURAL
DESC 'Virtual list'
MUST ( fvl $ fripostListManager $ fripostIsStatusActive $ fripostLocalAlias )
- MAY ( fripostOwner $ description $ fripostPendingToken ) )
+ MAY ( fripostOwner $ description ) )
#
olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualListCommand'
SUP top STRUCTURAL
DESC 'Virtual list command'
- MUST ( fvlc $ fripostLocalAlias ) )
-
+ MUST ( fvl $ fripostLocalAlias ) )
+#
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostPendingEntry'
+ SUP top AUXILIARY
+ DESC 'Virtual pending entry'
+ MAY ( fripostPendingToken ) )
diff --git a/ldap/index.ldif b/ldap/index.ldif
index 3a4f548..6ddd754 100644
--- a/ldap/index.ldif
+++ b/ldap/index.ldif
@@ -28,10 +28,7 @@ olcDbIndex: objectClass eq
-
# Let us make Postfix's life easier.
add: olcDbIndex
-olcDbIndex: fripostIsStatusActive,fvd,fvu,fva,fvl,fvlc eq
--
-add: olcDbIndex
-olcDbIndex: fripostPendingToken pres
+olcDbIndex: fripostIsStatusActive,fvd,fvl eq
-
add: olcDbIndex
olcDbIndex: fripostOptionalMaildrop pres
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index b93816d..edd5d73 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
@@ -14,11 +14,11 @@
# An independent domain, not self managed
dn: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualDomain
-fripostCanAddAlias: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostCanAddList: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddAlias: fvl=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddList: fvl=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostIsStatusActive: TRUE
-dn: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualUser
userPassword: user1
fripostIsStatusActive: TRUE
@@ -27,23 +27,23 @@ fripostOptionalMaildrop: user1@external.org
fripostOptionalMaildrop: user1@external2.org
fripostOptionalMaildrop: user1@external3.org
-dn: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualUser
userPassword: user2
fripostIsStatusActive: TRUE
# A owned alias
-dn: fva=alias1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=alias1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
-fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostMaildrop: user1@fripost.org
fripostMaildrop: user1@example.org
# Bogus owner
fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# An independent alias
-dn: fva=alias2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=alias2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: user2@fripost.org
@@ -56,14 +56,14 @@ objectClass: FripostVirtualList
fripostListManager: mailman
fripostIsStatusActive: TRUE
fripostLocalAlias: list1#fripost.org
-fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# An independent list (for user1)
dn: fvl=list2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualList
fripostListManager: schleuder
fripostIsStatusActive: TRUE
-fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOwner: fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# Bogus owner
fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostLocalAlias: list2#fripost.org
@@ -71,12 +71,12 @@ fripostLocalAlias: list2#fripost.org
dn: fvl=test-mailman,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualList
objectClass: SimpleSecurityObject
+objectClass: FripostPendingEntry
userPassword: bogus
fripostListManager: mailman
fripostIsStatusActive: TRUE
-fripostPendingToken: TRUE
fripostLocalAlias: test-mailman#fripost.org
-fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# An independent domain, with canAddAlias options
@@ -95,17 +95,18 @@ description: occaecat cupidatat non proident, sunt in culpa qui officia deserunt
description: mollit anim id est laborum.
# A owned alias
-dn: fva=alias1,fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=alias1,fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualAlias
fripostIsStatusActive: FALSE
-fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostMaildrop: user1@fripost.org
dn: fvd=example0.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualDomain
fripostIsStatusActive: TRUE
+objectClass: FripostPendingEntry
fripostPendingToken: pending
-fripostPostmaster: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostPostmaster: fvl=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# An independent domain, with canAddList options
dn: fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
@@ -118,20 +119,28 @@ dn: fvl=list1,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualList
fripostIsStatusActive: TRUE
fripostListManager: schleuder
-fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOwner: fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostLocalAlias: list1#example2.org
-dn: fva=alias1,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=list2,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
+objectClass: FripostPendingEntry
+fripostIsStatusActive: TRUE
+fripostListManager: schleuder
+fripostOwner: fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostLocalAlias: list1#example2.org
+
+dn: fvl=alias1,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualAlias
fripostIsStatusActive: FALSE
-fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostMaildrop: user1@fripost.org
# An independent domain, with both can createAlias and canAddList options
dn: fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualDomain
-fripostCanAddAlias: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostCanAddList: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddAlias: fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddList: fvl=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostIsStatusActive: TRUE
# An owned list
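Review bot: `fripostLocalAlias: list1#example2.org` on the new list2 entry under example2.org duplicates the value the list1 entry two lines above already carries; the pending list2 entries added to owned.org and postmastered.org in the last hunk each use their own name, so this reads as a copy-paste slip and should be `fripostLocalAlias: list2#example2.org`. The list2 entry added under example3.org in the next hunk has the same problem, repeating `list#example3.org` from the `list` entry above it. Two entries claiming one local alias make the fixture ambiguous for any check that maps a local alias back to a single entry, so the collision is more likely to hide a defect than to exercise one.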
@@ -139,7 +148,15 @@ dn: fvl=list,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualList
fripostIsStatusActive: TRUE
fripostListManager: mailman
-fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostLocalAlias: list#example3.org
+
+dn: fvl=list2,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
+objectClass: FripostPendingEntry
+fripostIsStatusActive: TRUE
+fripostListManager: schleuder
+fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostLocalAlias: list#example3.org
@@ -147,14 +164,14 @@ fripostLocalAlias: list#example3.org
dn: fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualDomain
fripostIsStatusActive: TRUE
-fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostOwner: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# Bogus owner
fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostOptionalMaildrop: catch-all@example.org
fripostOptionalMaildrop: @example2.org
fripostOptionalMaildrop: @xn--v4h.net
-dn: fva=alias,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=alias,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: user1@fripost.org
@@ -165,7 +182,7 @@ fripostListManager: mailman
fripostIsStatusActive: TRUE
fripostLocalAlias: list#owned.org
-dn: fvu=user,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=user,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualUser
userPassword: user
fripostIsStatusActive: TRUE
@@ -176,17 +193,17 @@ dn: fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualDomain
fripostIsStatusActive: TRUE
fripostCanAddAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostPostmaster: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostPostmaster: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostPostmaster: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostPostmaster: fvl=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostPostmaster: fvl=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev
# Bogus postmaster
fripostPostmaster: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostCanAddAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddAlias: fvl=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
fripostOptionalMaildrop: catch-all@example.org
fripostOptionalMaildrop: @example2.org
fripostOptionalMaildrop: @xn--v4h.net
-dn: fva=alias,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=alias,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualAlias
fripostIsStatusActive: TRUE
fripostMaildrop: user1@fripost.org
@@ -197,19 +214,19 @@ fripostListManager: mailman
fripostIsStatusActive: TRUE
FripostLocalAlias: list#postmastered.org
-dn: fvlc=list-request,fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=list-request,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualListCommand
FripostLocalAlias: list-request#postmastered.org
objectClass: SimpleSecurityObject
userPassword: bogus
-dn: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualUser
userPassword: user
fripostIsStatusActive: TRUE
fripostUserQuota: 10MB
-dn: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualUser
userPassword: bigbrother
fripostIsStatusActive: TRUE
@@ -219,12 +236,26 @@ objectClass: FripostVirtualDomain
fripostIsStatusActive: TRUE
description: Test domain internalization (☮.net)
description: Net::TLD doesn't work with international TLDs.
-fripostPostmaster: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostPostmaster: fvl=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostPostmaster: fvl=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-dn: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+dn: fvl=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev
objectClass: FripostVirtualUser
fripostIsStatusActive: TRUE
userPassword: user
description: Test domain internalization (user@☮.net).
description: Unicode is not allowed in the local part.
+
+dn: fvl=list2,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
+objectClass: FripostPendingEntry
+fripostIsStatusActive: TRUE
+fripostListManager: mailman
+fripostLocalAlias: list2#owned.org
+
+dn: fvl=list2,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+objectClass: FripostVirtualList
+objectClass: FripostPendingEntry
+fripostIsStatusActive: TRUE
+fripostListManager: mailman
+fripostLocalAlias: list2#postmastered.org
diff --git a/ldap/syncrepl.ldif b/ldap/syncrepl.ldif
index 441974b..7cded17 100644
--- a/ldap/syncrepl.ldif
+++ b/ldap/syncrepl.ldif
@@ -26,8 +26,8 @@ credentials="xxxxxx"
type=refreshAndPersist
retry="5 5 300 +"
searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
-filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))(fripostIsStatusActive=TRUE))"
-attrs="fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fvd,fvu,fva,fvl,fripostListCommand,fripostListManager"
+filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualListCommand)(objectClass=FripostVirtualList))(fripostIsStatusActive=TRUE))"
+attrs="fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fvd,fvl"
scope=sub
schemachecking=off
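Review bot: Adding `(objectClass=FripostVirtualListCommand)` to the filter has no effect while the conjunction keeps `(fripostIsStatusActive=TRUE)`: the FripostVirtualListCommand class in fripost.ldif declares only `fvl` and `fripostLocalAlias`, and the list-request entry in populate.ldif carries no fripostIsStatusActive, so no list command can match and none will be replicated. If commands are meant to follow their list, the active check must admit entries that lack the attribute, e.g. `(!(fripostIsStatusActive=FALSE))`. The filter also still replicates pending entries (the new pending lists are `fripostIsStatusActive: TRUE`), so the consumer receives entries that the Postfix ACL test below expects Postfix to have no access to; whether that matters depends on what reads the replica. The `attrs=` list drops fripostListManager, which is only safe if nothing on the consumer side needs it.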
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 221415c..ee09fc9 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -71,13 +71,13 @@ search () {
DOMAINS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualDomain" dn | \
grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+),.*/fvd=\1/')
USERS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualUser" dn | \
- grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvu=\1,fvd=\2/')
+ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/')
ALIASES=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualAlias" dn | \
- grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fva=\1,fvd=\2/')
+ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/')
LISTS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualList" dn | \
grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/')
LISTSC=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualListCommand" dn | \
- grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+), *([^,]+),.*/fvlc=\1,fvl=\2,fvd=\3/')
+ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), **([^,]+),.*/fvl=\1,fvd=\2/')
OPERATTRS="structuralObjectClass creatorsName entryUUID createTimestamp entryCSN modifiersName modifyTimestamp"
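Review bot: The LISTSC expression has a stray asterisk, `, **([^,]+)`, where the three extractions above it use `, *([^,]+)`; `**` is undefined in POSIX ERE (GNU sed happens to treat it like a single `*`), so it should be `'s/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/'` like the others. With users, aliases, lists and list commands now all reduced to the same `fvl=…,fvd=…` shape, the four pipelines differ only in the object class and could share one helper, e.g. `rdns () { search -u -b "${SUFFIX}" "objectClass=$1" dn | grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/'; }` with `LISTSC=$(rdns FripostVirtualListCommand)`.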
@@ -88,8 +88,9 @@ OPERATTRS="structuralObjectClass creatorsName entryUUID createTimestamp entryCSN
echo "Anonymous users:"
-# Anonymous need to bind to any fvu
-msg "Have =xd access to \"userPassword\" attributes"
+# Anonymous need to bind to any user, but shouldn't be able to bind to
+# anything else.
+msg "Have =xd access to \"userPassword\" attributes of users"
for U in ${USERS}; do
checkACL "" "${U}" userPassword
done | isOK '=xd$'
@@ -187,7 +188,6 @@ done | isOK '=0$' entry
###########################################################################
-
echo
echo "Authenticated users, access to the base"
@@ -199,10 +199,37 @@ usersB () {
}
-msg "Have =s access on the base's \"entry\" attribute"
-usersB entry | isOK '=s' entry
+msg "Have =rsd access on the base's \"entry\" attribute"
+usersB entry | isOK '=rsd' entry
+[ $? -eq 0 ] || exit $?
+
+msg "Have =rscd access on the base's \"objectClass\" attribute"
+usersB objectClass | isOK '=rscd' objectClass
[ $? -eq 0 ] || exit $?
+msg "Have =rscd access on the base's \"canAddDomain\" attribute (if member, exact)"
+for U in ${USERS}; do
+ search -s base -b "${SUFFIX}" "(fripostCanAddDomain=${U},${SUFFIX})" | grep -q '^dn: ' && \
+ checkACL "${U}" "" fripostCanAddDomain
+done | isOK '=rscd' fripostCanAddDomain
+[ $? -eq 0 ] || exit $?
+
+msg "Have =rscd access on the base's \"canAddDomain\" attribute (if member, wildcard)"
+for U in ${USERS}; do
+ DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${SUFFIX}" "(fripostCanAddDomain=${DU},${SUFFIX})" | grep -q '^dn: ' && \
+ checkACL "${U}" "" fripostCanAddDomain
+done | isOK '=rscd' fripostCanAddDomain
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access to the base's \"canAddDomain\" attribute (unless member)"
+for U in ${USERS}; do
+ DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${SUFFIX}" "(|(fripostCanAddDomain=${U},${SUFFIX})
+ (fripostCanAddDomain=${DU},${SUFFIX}))" | grep -q '^dn: ' || \
+ checkACL "${U}" "" fripostCanAddDomain
+done | isOK '=0' fripostCanAddDomain
+[ $? -eq 0 ] || exit $?
# Needed to create/delete domains.
msg "Have =w access on the base's \"children\" attribute"
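Review bot: Each new `[ $? -eq 0 ] || exit $?` (after the isOK calls for entry, objectClass and the three canAddDomain checks) exits with the status of the `[` test, which is always 1, not with isOK's status; `… | isOK '=rsd$' entry || exit $?` on the pipeline's own line, or `rc=$?; [ "$rc" -eq 0 ] || exit "$rc"`, preserves the real code. The patterns `'=rsd'` and `'=rscd'` on the entry and objectClass checks are also unanchored, unlike `'=zrscd$'` and the other anchored expectations later in the file; `'=rsd$'` and `'=rscd$'` make the expectation exact. The exit-status pattern is the one the rest of the script already uses, so a file-wide fix may be better as a follow-up.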
@@ -218,13 +245,22 @@ usersB ${OPERATTRS} | isOK '=0$' entryUUID
msg "Cannot create children under a pending entry"
for U in ${USERS}; do
for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
- search -s base -b "${X},${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
+ search -s base -b "${X},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
checkACL "${U}" "${X}" children
done
done | isOK '=0$' children
[ $? -eq 0 ] || exit $?
+msg "Cannot add, read or search the pending token"
+for U in ${USERS}; do
+ for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
+ checkACL "${U}" "${X}" fripostPendingToken/add fripostPendingToken/read fripostPendingToken/search
+ done
+done | isOK 'DENIED$' fripostPendingToken add
+[ $? -eq 0 ] || exit $?
+
+
###########################################################################
@@ -239,7 +275,8 @@ echo "Authenticated users, access to domain entries"
# * children:
# =w for all (non-pending entries)
# * objectClass:
-# =s for all
+# =rscd for all
+# +z for FripostPendingEntry, if owner or postmaster
# * fvd:
# =rscd if children, canAdd{Alias,List}, owner or postmaster
# +w if owner or postmaster
@@ -247,8 +284,7 @@ echo "Authenticated users, access to domain entries"
# =rscd if children, canAdd{Alias,List}, owner or postmaster
# +w if owner or postmaster
# * fripostPendingToken
-# =zscd if owner or postmaster
-# =s for all if there is no pending token
+# =z if owner or postmaster
# * fripostCanAddAlias
# =rscd if canAddAlias, owner or postmaster
# +w if postmaster
@@ -285,37 +321,27 @@ usersD fripostOwner/add fripostOwner/delete \
[ $? -eq 0 ] || exit $?
-msg "Have =s rights on the \"pending\" status if absent"
-for U in ${USERS}; do
- for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(!(fripostPendingToken=*))" | grep -q '^dn: ' && \
- checkACL "${U}" "${D}" fripostPendingToken
- done
-done | isOK '=s$'
-[ $? -eq 0 ] || exit $?
-
-
msg "Have =0 rights on the \"pending\" status if present (unless owner or postmaster)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
search -s base -b "${D},${SUFFIX}" "(&(!(|(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX})))
- (fripostPendingToken=*))" | grep -q '^dn: ' && \
+ (objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" fripostPendingToken
done
done | isOK '=0$'
[ $? -eq 0 ] || exit $?
-msg "Have =zscd access on the \"pending\" status if present (if owner or postmaster)"
+msg "Have =zcd access on the \"pending\" status if present (if owner or postmaster)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
search -s base -b "${D},${SUFFIX}" "(&(|(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))
- (fripostPendingToken=*))" | grep -q '^dn: ' && \
+ (objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" fripostPendingToken
done
-done | isOK '=zscd$'
+done | isOK '=zcd$'
[ $? -eq 0 ] || exit $?
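Review bot: The expectation `isOK '=zcd$'` for owners and postmasters disagrees with the section header changed in the hunk above, which now reads `# =z if owner or postmaster` under `# * fripostPendingToken`; if the test is the authority the header should say `# =zcd if owner or postmaster`. Dropping the `=s`-if-absent check also leaves owners and postmasters of a non-pending domain with no stated expectation for fripostPendingToken; if the ACL grants them `=zcd` regardless of pending status, removing the `(objectClass=FripostPendingEntry)` clause from this check's filter covers that case, otherwise a separate `=0` check for non-pending domains is worth keeping.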
@@ -324,6 +350,7 @@ msg "Have >=a access to \"entry\" (if CanAddDomain, exact)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
search -s base -b "${SUFFIX}" "fripostCanAddDomain=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" entry/add
done
done | isOK 'ALLOWED$' entry add
@@ -336,6 +363,7 @@ for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
search -s base -b "${SUFFIX}" "fripostCanAddDomain=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" entry/add
done
done | isOK 'ALLOWED$' entry add
@@ -358,16 +386,32 @@ done | isOK 'DENIED$' entry add
msg "Have =w access to \"children\" (for non-pending attributes)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+ search -s base -b "${D},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
checkACL "${U}" "${D}" children
done
done | isOK '=w$' children
[ $? -eq 0 ] || exit $?
-msg "Have =s access to \"objectClass\""
-usersD objectClass | isOK '=s' objectClass
+msg "Have =zrscd access to \"objectClass:FripostPendingEntry\" (if owner,postmaster)"
+for U in ${USERS}; do
+ for D in ${DOMAINS}; do
+ search -s base -b "${D},${SUFFIX}" "(&(|(fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX}))
+ (objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
+ checkACL "${U}" "${D}" objectClass:FripostPendingEntry
+ done
+done | isOK '=zrscd$'
+[ $? -eq 0 ] || exit $?
+
+msg "Have =rscd access to \"objectClass\" otherwise"
+for U in ${USERS}; do
+ for D in ${DOMAINS}; do
+ checkACL "${U}" "${D}" objectClass
+ done
+done | isOK '=rscd$'
[ $? -eq 0 ] || exit $?
+
msg "Have >=s access on \"entry\", \"fripostOwner\" and \"fripostPostmaster\""
usersD entry/search fripostOwner/search fripostPostmaster/search | isOK 'ALLOWED$' entry
[ $? -eq 0 ] || exit $?
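Review bot: The `=rscd` objectClass check re-implements the users×domains loop inline, while the line it replaces used the existing `usersD objectClass | isOK …` helper for exactly that iteration; unless usersD does something not visible here, `usersD objectClass | isOK '=rscd$' objectClass` keeps the section uniform. The loop also covers owners and postmasters of pending domains, whose value-specific `=zrscd` was just asserted above, so the check relies on slapacl reporting the value-less `objectClass` query as `=rscd` for them; a short comment such as `# value-less query: the +z on objectClass:FripostPendingEntry does not show here` would make that intent clear.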
@@ -406,7 +450,7 @@ ATTRSA="fripostOwner/read fripostOwner/compare
msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddAlias, exact)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${U},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA}
done
done | isOK 'ALLOWED$' children
@@ -418,7 +462,7 @@ msg "Have >=rscd to the public attributes and >=a to \"children\" (if CanAddAlia
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${DU},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${DU},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA}
done
done | isOK 'ALLOWED$' children
@@ -432,7 +476,7 @@ ATTRSL="fripostOwner/read fripostOwner/compare
msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddList, exact)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${U},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL}
done
done | isOK 'ALLOWED$' children
@@ -444,7 +488,7 @@ msg "Have >=rscd access to the public attributes and >=a to \"children\" (if Can
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${DU},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${DU},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL}
done
done | isOK 'ALLOWED$' children
@@ -463,7 +507,7 @@ ATTRSO="entry/delete
description/add description/delete"
for U in ${USERS}; do
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(&(fripostOwner=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(fripostOwner=${U},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO}
done
done | isOK 'ALLOWED$' children
@@ -479,7 +523,7 @@ ATTRSP="fripostCanAddAlias/add fripostCanAddAlias/delete
fripostCanAddList/add fripostCanAddList/delete"
for U in ${USERS}; do
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "(&(fripostPostmaster=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(fripostPostmaster=${U},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} ${ATTRSP}
done
done | isOK 'ALLOWED$' children
@@ -587,8 +631,8 @@ echo "Authenticated users, access to user entries"
# * children:
# =0 for all
# * objectClass:
-# =s for all
-# * fvu:
+# =rscd for all
+# * fvl:
# =wrscd if account owner or domain postmaster
# * userPassword:
# =w if account owner or domain postmaster
@@ -608,7 +652,7 @@ usersU () {
}
# They would need write access to their fripostUserQuota.
-# In practice they can't write fvu either, since it's single valued.
+# In practice they can't write fvl either, since it's single valued.
msg "Have =rscd access to their \"fripostUserQuota\""
usersU fripostUserQuota | isOK '=rscd$'
[ $? -eq 0 ] || exit $?
@@ -618,20 +662,20 @@ usersU userPassword | isOK '=w$'
[ $? -eq 0 ] || exit $?
msg "Have =wrscd access to the other attributes of their own entry"
-usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu
+usersU fvl fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvl
[ $? -eq 0 ] || exit $?
msg "Have >=rsd access to the \"entry\" attribute of their own entry"
-usersU entry/read entry/search entry/disclose fvu/read \
- | isOK 'ALLOWED$' fvu # fvu is useless here, but it's just to get the count
+usersU entry/read entry/search entry/disclose fvl/read \
+ | isOK 'ALLOWED$' fvl # fvl is useless here, but it's just to get the count
[ $? -eq 0 ] || exit $?
msg "Have =0 access to their \"children\" and operational attributes"
usersU children ${OPERATTRS} | isOK '=0$' children
[ $? -eq 0 ] || exit $?
-msg "Have =s access to \"objectClass\""
-usersD objectClass | isOK '=s' objectClass
+msg "Have =rscd access to \"objectClass\""
+usersD objectClass | isOK '=rscd' objectClass
[ $? -eq 0 ] || exit $?
msg "Have =0 access to other user entries (unless Postmaster)"
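Review bot: In this user-entries section the objectClass check still pipes `usersD objectClass`, the domain-entry helper, although every other check around it uses `usersU`; the alias section below does the same with `usersD` where `usersA` is used around it. As written these two checks re-test domain entries and never assert objectClass access on user or alias entries; if usersU and usersA iterate users and aliases as the neighbouring checks suggest, they should read `usersU objectClass | isOK '=rscd' objectClass` and `usersA objectClass | isOK '=rscd' objectClass`. The change touched both lines to turn `=s` into `=rscd` without touching the helper, so the mismatch is likely pre-existing rather than intended.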
@@ -641,7 +685,7 @@ for U1 in ${USERS}; do
[ "x${U1}" = "x${U2}" ] || \
search -s base -b "${D2},${SUFFIX}" "(fripostPostmaster=${U1},${SUFFIX})" | grep -q '^dn: ' || \
checkACL "${U1}" "${U2}" entry children \
- fvu userPassword \
+ fvl userPassword \
fripostIsStatusActive \
fripostUserQuota \
fripostOptionalMaildrop \
@@ -671,7 +715,7 @@ usersP userPassword | isOK '=w$'
[ $? -eq 0 ] || exit $?
msg "Have =wrscd access to the other attributes of their users' entry (if Postmaster)"
-usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu
+usersP fvl fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvl
[ $? -eq 0 ] || exit $?
# "+a" is needed to create new accounts. "+z" would be required to
@@ -698,8 +742,8 @@ echo "Authenticated users, access to alias entries"
# * children:
# =0 for all
# * objectClass:
-# =s for all
-# * fva:
+# =rscd for all
+# * fvl:
# =wrscd if alias owner, domain owner or domain postmaster
# * fripostMaildrop:
# =wrscd if alias owner, domain owner or domain postmaster
@@ -730,13 +774,13 @@ msg "Have =0 access to the \"children\" and operational attributes"
usersA children ${OPERATTRS} | isOK '=0$' children
[ $? -eq 0 ] || exit $?
-msg "Have =s access to \"objectClass\""
-usersD objectClass | isOK '=s' objectClass
+msg "Have =rscd access to \"objectClass\""
+usersD objectClass | isOK '=rscd' objectClass
[ $? -eq 0 ] || exit $?
ATTRS="entry/delete entry/read entry/disclose
- fva/write fva/read fva/search fva/compare fva/disclose
+ fvl/write fvl/read fvl/search fvl/compare fvl/disclose
fripostMaildrop/add fripostMaildrop/delete fripostMaildrop/read fripostMaildrop/search fripostMaildrop/compare fripostMaildrop/disclose
fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose
fripostOwner/read fripostOwner/compare fripostOwner/disclose
@@ -853,14 +897,14 @@ echo "Authenticated users, access to list entries"
# +rd if list owner, domain owner or domain postmaster
# * children:
# =0 for all
+# * objectClass
+# =rscd for all
# * fvl:
# =wrscd if list owner, domain owner or domain postmaster
# * fripostListManager:
# =rscd if list owner, domain owner or domain postmaster
# * fripostIsStatusActive:
# =wrscd if list owner, domain owner or domain postmaster
-# * fripostPendingToken:
-# =scd if list owner, domain owner or domain postmaster
# * fripostOwner:
# =d for all
# +rsc if list owner, domain owner or domain postmaster
@@ -896,10 +940,10 @@ done | isOK 'DENIED$' fripostListManager
[ $? -eq 0 ] || exit $?
-msg "Cannot read or delete the pending status; Cannot delete entry"
+msg "Cannot delete entry or the pending status"
for U in ${USERS}; do
for L in ${LISTS}; do
- checkACL "${U}" "${L}" fripostPendingToken/read fripostPendingToken/add fripostPendingToken/delete entry/delete
+ checkACL "${U}" "${L}" objectClass/delete:FripostPendingEntry entry/delete
done
done | isOK 'DENIED$' entry
[ $? -eq 0 ] || exit $?
@@ -909,7 +953,6 @@ ATTRS="entry/read entry/disclose
fvl/write fvl/read fvl/search fvl/compare fvl/disclose
fripostListManager/read fripostListManager/search fripostListManager/compare fripostListManager/disclose
fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose
- fripostPendingToken/search fripostPendingToken/compare fripostPendingToken/disclose
fripostOwner/read fripostOwner/compare fripostOwner/disclose
description/add description/delete description/read description/compare description/disclose"
ATTRS2="fripostOwner/add fripostOwner/delete"
@@ -924,25 +967,51 @@ done | isOK 'ALLOWED$' entry read
[ $? -eq 0 ] || exit $?
-msg "Can edit/create list (if domain Owner)"
+msg "Can edit list (if domain Owner)"
+[ $? -eq 0 ] || exit $?
+for U in ${USERS}; do
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2}
+ done
+done | isOK 'ALLOWED$' entry read
+[ $? -eq 0 ] || exit $?
+
+
+msg "Can edit list (if domain Postmaster)"
+[ $? -eq 0 ] || exit $?
+for U in ${USERS}; do
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2}
+ done
+done | isOK 'ALLOWED$' entry read
+[ $? -eq 0 ] || exit $?
+
+
+msg "Can create list (if domain Owner)"
[ $? -eq 0 ] || exit $?
for U in ${USERS}; do
for L in ${LISTS}; do
DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add
+ search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" entry/add
done
done | isOK 'ALLOWED$' entry add
[ $? -eq 0 ] || exit $?
-msg "Can edit/create list (if domain Postmaster)"
+msg "Can create list (if domain Postmaster)"
[ $? -eq 0 ] || exit $?
for U in ${USERS}; do
for L in ${LISTS}; do
DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
- checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add
+ search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+ checkACL "${U}" "${L}" entry/add
done
done | isOK 'ALLOWED$' entry add
[ $? -eq 0 ] || exit $?
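Review bot: The `[ $? -eq 0 ] || exit $?` placed directly after `msg "Can edit list (if domain Owner)"` and `msg "Can edit list (if domain Postmaster)"` checks msg's exit status, not any ACL result, and can only be a no-op or a spurious abort; it should be dropped (the same stray line follows the two `Can create list` messages, which this change keeps). The owner and postmaster edit loops are otherwise identical apart from the attribute in the filter; if separate counts are not needed, one check with `(|(fripostOwner=${U},${SUFFIX})(fripostPostmaster=${U},${SUFFIX}))`, as the ownership check further down uses, halves the duplication.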
@@ -954,6 +1023,7 @@ for U in ${USERS}; do
for L in ${LISTS}; do
DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
checkACL "${U}" "${L}" entry/add
done
done | isOK 'ALLOWED$' entry
@@ -967,6 +1037,7 @@ for U in ${USERS}; do
for L in ${LISTS}; do
DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
checkACL "${U}" "${L}" entry/add
done
done | isOK 'ALLOWED$' entry
@@ -978,10 +1049,11 @@ for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for L in ${LISTS}; do
DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
- (fripostCanAddList=${DU},${SUFFIX})
- (fripostOwner=${U},${SUFFIX})
- (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+ search -s base -b "${DL},${SUFFIX}" "(!(|(fripostCanAddList=${U},${SUFFIX})
+ (fripostCanAddList=${DU},${SUFFIX})
+ (fripostOwner=${U},${SUFFIX})
+ (fripostPostmaster=${U},${SUFFIX})))" | grep -q '^dn: ' || \
+ search -s base -b "${L},${SUFFIX}" "(!(objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
checkACL "${U}" "${L}" entry/add
done
done | isOK 'DENIED$' entry
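Review bot: The rewritten guard above this line relies on shell precedence: `A || B && C` is parsed left-to-right as `(A || B) && C`, so checkACL runs when the user holds no grant on the domain or the list is not pending — which is what the DENIED expectation wants — but nothing in the code says so. Make the grouping explicit, e.g. `{ search … | grep -q '^dn: ' || search … | grep -q '^dn: '; } && checkACL "${U}" "${L}" entry/add`, or add `# expect DENIED when the user holds no grant on the domain, or the list is not a pending entry` above the searches. Note that the first search now uses a negated filter `(!(|…))`, so a domain entry the search cannot return (missing or unreadable) counts as "has grant" and falls through to the pending test instead of being reported.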
@@ -990,11 +1062,11 @@ done | isOK 'DENIED$' entry
msg "Cannot manage ownership (unless domain owner/domain postmaster)"
for U in ${USERS}; do
- for A in ${ALIASES}; do
- DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
- search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
+ for L in ${LISTS}; do
+ DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+ search -s base -b "${DL},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
(fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
- checkACL "${U}" "${A}" ${ATTRS2}
+ checkACL "${U}" "${L}" ${ATTRS2}
done
done | isOK 'DENIED$' fripostOwner add
[ $? -eq 0 ] || exit $?
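Review bot: This hunk retargets the ownership test from ALIASES to LISTS instead of adding a list case beside the alias one, so the assertion that users who are neither owner nor postmaster are DENIED on ${ATTRS2} of aliases disappears. Aliases still carry fripostOwner (the Postfix =0 check for aliases later in this file lists it), so unless that coverage exists elsewhere, keep both loops: duplicate the block with `for A in ${ALIASES}; do`, `DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"` and `checkACL "${U}" "${A}" ${ATTRS2}`. If the alias case was dropped on purpose, a one-line comment saying why would help the next reader.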
@@ -1017,7 +1089,7 @@ for U in ${USERS}; do
for LC in ${LISTSC}; do
checkACL "${U}" "${LC}"
done
-done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry
+done | grep -Ev '^objectClass=' | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
@@ -1031,25 +1103,18 @@ echo "Service Postfix"
msg "Have =0 access on non-active or pending entries"
for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
- search -s base -b "${X},${SUFFIXV}" "(|(fripostIsStatusActive=TRUE)(fripostPendingToken=*))" | grep -q '^dn: ' && \
+ search -s base -b "${X},${SUFFIXV}" "(|(fripostIsStatusActive=TRUE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
checkACL "cn=Postfix" "${D}"
done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
msg "Can read and search the domain attributes it needs"
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
- checkACL "cn=Postfix" "${D}" entry fvd fripostOptionalMaildrop
+ search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+ checkACL "cn=Postfix" "${D}" entry objectClass fvd fripostOptionalMaildrop
done | isOK '=rsd$' entry
[ $? -eq 0 ] || exit $?
-msg "Can search the domain attributes it needs"
-for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
- checkACL "cn=Postfix" "${D}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
msg "Have =0 access on other domain attributes"
for D in ${DOMAINS}; do
checkACL "cn=Postfix" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken fripostIsStatusActive
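Review bot: The "=0 access on non-active or pending entries" loop at the top of this hunk iterates over ${X} but calls `checkACL "cn=Postfix" "${D}"`, so every iteration tests whatever ${D} was left at by an earlier loop rather than the entry just filtered; and the rewritten filter selects `fripostIsStatusActive=TRUE`, i.e. active entries, which contradicts the message and the =rsd expectation a few lines below. The loop should read `search -s base -b "${X},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \` followed by `checkACL "cn=Postfix" "${X}"`, the exact complement of the condition the positive tests use. As written, the property the new `(!(objectClass=FripostPendingEntry))` ACL filter is meant to enforce — Postfix cannot see disabled or pending entries — is not actually exercised.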
@@ -1058,18 +1123,11 @@ done | isOK '=0$' children
msg "Can read and search the user attributes it needs"
for U in ${USERS}; do
- search -s base -b "${U},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
- checkACL "cn=Postfix" "${U}" entry fvu fripostOptionalMaildrop
+ search -s base -b "${U},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+ checkACL "cn=Postfix" "${U}" entry objectClass fvl fripostOptionalMaildrop
done | isOK '=rsd$' entry
[ $? -eq 0 ] || exit $?
-msg "Can search the user attributes it needs"
-for U in ${USERS}; do
- search -s base -b "${U},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
- checkACL "cn=Postfix" "${U}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
msg "Have =0 access on other user attributes"
for U in ${USERS}; do
checkACL "cn=Postfix" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description fripostIsStatusActive
@@ -1078,18 +1136,11 @@ done | isOK '=0$' children
msg "Can read and search the alias attributes it needs"
for A in ${ALIASES}; do
- search -s base -b "${A},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
- checkACL "cn=Postfix" "${A}" entry fva fripostMaildrop
+ search -s base -b "${A},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+ checkACL "cn=Postfix" "${A}" entry objectClass fvl fripostMaildrop
done | isOK '=rsd$' entry
[ $? -eq 0 ] || exit $?
-msg "Can search the alias attributes it needs"
-for A in ${ALIASES}; do
- search -s base -b "${A},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
- checkACL "cn=Postfix" "${A}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
msg "Have =0 access on other alias attributes"
for A in ${ALIASES}; do
checkACL "cn=Postfix" "${A}" children ${OPERATTRS} fripostOwner description fripostIsStatusActive
@@ -1098,18 +1149,11 @@ done | isOK '=0$' children
msg "Can read and search the list attributes it needs"
for L in ${LISTS}; do
- search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
- checkACL "cn=Postfix" "${L}" entry fvl fripostLocalAlias
+ search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+ checkACL "cn=Postfix" "${L}" entry objectClass fvl fripostLocalAlias
done | isOK '=rsd$' entry
[ $? -eq 0 ] || exit $?
-msg "Can search the list attributes it needs"
-for L in ${LISTS}; do
- search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
- checkACL "cn=Postfix" "${L}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
msg "Have =0 access on other list attributes"
for L in ${LISTS}; do
checkACL "cn=Postfix" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description fripostIsStatusActive fripostPendingToken
@@ -1118,16 +1162,11 @@ done | isOK '=0$' children
msg "Can read and search the list command attributes it needs"
for LC in ${LISTSC}; do
- checkACL "cn=Postfix" "${LC}" entry fvlc fripostLocalAlias
+ search -s base -b "${LC},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+ checkACL "cn=Postfix" "${LC}" entry objectClass fvl fripostLocalAlias
done | isOK '=rsd$' entry
[ $? -eq 0 ] || exit $?
-msg "Can search the list command attributes it needs"
-for LC in ${LISTSC}; do
- checkACL "cn=Postfix" "${LC}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
msg "Have =0 access on other list command attributes"
for LC in ${LISTSC}; do
checkACL "cn=Postfix" "${LC}" children ${OPERATTRS}
@@ -1142,38 +1181,53 @@ echo "Service CreateList"
msg "Have =0 access on domain attributes"
for D in ${DOMAINS}; do
- checkACL "cn=CreateList" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken
+ checkACL "cn=CreateList" "${D}" entry ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken
done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
msg "Have =0 access on user attributes"
for U in ${USERS}; do
- checkACL "cn=CreateList" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
+ checkACL "cn=CreateList" "${U}" entry children ${OPERATTRS} fvl userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
msg "Have =0 access on alias attributes"
for A in ${ALIASES}; do
- checkACL "cn=CreateList" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
+ checkACL "cn=CreateList" "${A}" entry children ${OPERATTRS} fvl fripostMaildrop fripostIsStatusActive fripostOwner description
done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
-msg "Have =zsd access on lists' pending status"
+msg "Can remove the 'pending' status on lists"
+for L in ${LISTS}; do
+ search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
+ checkACL "cn=CreateList" "${L}" objectClass/delete:FripostPendingEntry fripostPendingToken/delete
+done | isOK 'ALLOWED$'
+[ $? -eq 0 ] || exit $?
+
+msg "Cannot create a 'pending' satus"
for L in ${LISTS}; do
- checkACL "cn=CreateList" "${L}" fripostPendingToken
-done | isOK '=zsd$'
+ search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+ checkACL "cn=CreateList" "${L}" objectClass/delete:FripostPendingEntry fripostPendingToken/delete
+done | isOK 'DENIED$'
[ $? -eq 0 ] || exit $?
+msg "Have =rscd access on objectClass"
+for L in ${LISTS}; do
+ search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
+ checkACL "cn=CreateList" "${L}" objectClass
+done | isOK '=rscd$'
+
msg "Have =rsd access on lists' entry attribute"
for L in ${LISTS}; do
+ search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
checkACL "cn=CreateList" "${L}" entry
done | isOK '=rsd$'
[ $? -eq 0 ] || exit $?
-msg "Have =a access on lists' children attribute"
-for L in ${LISTS}; do
- search -s base -b "${L},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
- checkACL "cn=CreateList" "${L}" children
+msg "Have =a access on domains' children attribute"
+for D in ${DOMAINS}; do
+ search -s base -b "${D},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+ checkACL "cn=CreateList" "${D}" children
done | isOK '=a$'
[ $? -eq 0 ] || exit $?
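Review bot: The new "Have =rscd access on objectClass" loop ending in `done | isOK '=rscd$'` is the only check in this section not followed by `[ $? -eq 0 ] || exit $?`, so a failure there is silently ignored — add the line after it. The "Cannot create a 'pending' satus" test (typo: `status`) runs `objectClass/delete:FripostPendingEntry fripostPendingToken/delete` against entries that are not pending, which exercises deleting a value the entry does not carry rather than creating one; to test what the message claims, use `objectClass/add:FripostPendingEntry fripostPendingToken/add` and keep the DENIED expectation. Dropping `children` from the domain =0 list at the top is consistent with the new =a test at the bottom, but that test only runs for domains that are not pending; a pending domain should get an explicit =0 assertion on `children` so the gap is covered.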
@@ -1191,7 +1245,7 @@ done | isOK '=a$'
msg "Have =0 access on other list command attributes"
for LC in ${LISTSC}; do
- checkACL "cn=CreateList" "${LC}" children ${OPERATTRS} fvlc fripostLocalAlias
+ checkACL "cn=CreateList" "${LC}" children ${OPERATTRS} fvl fripostLocalAlias
done | isOK '=0$' children
[ $? -eq 0 ] || exit $?
@@ -1201,17 +1255,16 @@ done | isOK '=0$' children
echo
echo "Service DeletePendingEntries"
-msg "Have =z access on the \"children\" attribute of non-pending entries"
+msg "Have =z access on the \"children\" attribute"
(checkACL "cn=DeletePendingEntries" "" children
-for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
- search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
- checkACL "cn=DeletePendingEntries" "${X}" children
-done) | isOK '=z$' children
+ for D in ${DOMAINS}; do
+ checkACL "cn=DeletePendingEntries" "${D}" children
+ done) | isOK '=z$' children
[ $? -eq 0 ] || exit $?
msg "Have =zrsd access on the \"entry\" attribute of pending entries"
for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
- search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
+ search -s base -b "${X},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
checkACL "cn=DeletePendingEntries" "${X}" entry
done | isOK '=zrsd$' entry
[ $? -eq 0 ] || exit $?
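Review bot: The =z check on `children` now covers only the domain entries plus the virtual root, where it previously ran over every non-pending domain, user, alias and list; lists are no longer asserted at all, yet list commands live beneath lists, so removing a pending list that still has command children would need `z` on the list's children. If that is the intended flow, add `for L in ${LISTS}; do checkACL "cn=DeletePendingEntries" "${L}" children; done` inside the subshell; if the ACL deliberately denies it, assert =0 there instead so the decision is pinned. The relation between pending lists and their command children is not visible in this hunk, so confirm against acl.ldif before choosing.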
@@ -1219,29 +1272,29 @@ done | isOK '=zrsd$' entry
msg "Have =s access on the \"entry\" attribute of non-pending entries"
(checkACL "cn=DeletePendingEntries" "" entry
for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
- search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+ search -s base -b "${X},${SUFFIXV}" "(|(objectClass=FripostVirtualListCommand)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
checkACL "cn=DeletePendingEntries" "${X}" entry
done) | isOK '=s$' entry
[ $? -eq 0 ] || exit $?
msg "Have =s access on the attributes it needs on pending entries"
for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
- search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
- checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken
-done | isOK '=s$' fripostPendingToken
+ search -s base -b "${X},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
+ checkACL "cn=DeletePendingEntries" "${X}" createTimestamp
+done | isOK '=s$' createTimestamp
[ $? -eq 0 ] || exit $?
msg "Have =0 access these attributes for non-pending entries"
for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
- search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
- checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken
-done | isOK '=0$' fripostPendingToken
+ search -s base -b "${X},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+ checkACL "cn=DeletePendingEntries" "${X}" createTimestamp
+done | isOK '=0$' createTimestamp
[ $? -eq 0 ] || exit $?
-msg "Have =s access on the object class"
+msg "Have =rscd access on objectClass"
for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
checkACL "cn=DeletePendingEntries" "${X}" objectClass
-done | isOK '=s$' objectClass
+done | isOK '=rscd$' objectClass
[ $? -eq 0 ] || exit $?
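Review bot: Excluding FripostVirtualListCommand entries from the "=s on entry of non-pending entries" loop removes an assertion without replacing it: no test in this hunk states what DeletePendingEntries may do on a list command's `entry`, so an over-permissive rule there would go unnoticed. Add a matching loop, e.g. `for LC in ${LISTSC}; do checkACL "cn=DeletePendingEntries" "${LC}" entry; done | isOK '=<expected>$' entry`, with whatever acl.ldif actually grants. The objectClass expectation was also widened from `=s` to `=rscd` for every entry type; matching `(objectClass=FripostPendingEntry)` only needs `s`, so either tighten the ACL or leave a comment in the test explaining why read, compare and disclose are required for this service.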
msg "Have =0 access on other domain attributes"
@@ -1252,14 +1305,14 @@ done | isOK '=0$' fvd
msg "Have =0 access on other user attributes"
for U in ${USERS}; do
- checkACL "cn=DeletePendingEntries" "${U}" fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
-done | isOK '=0$' fvu
+ checkACL "cn=DeletePendingEntries" "${U}" fvl userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
+done | isOK '=0$' fvl
[ $? -eq 0 ] || exit $?
msg "Have =0 access on other alias attributes"
for A in ${ALIASES}; do
- checkACL "cn=DeletePendingEntries" "${A}" fva fripostMaildrop fripostIsStatusActive fripostOwner description
-done | isOK '=0$' fva
+ checkACL "cn=DeletePendingEntries" "${A}" fvl fripostMaildrop fripostIsStatusActive fripostOwner description
+done | isOK '=0$' fvl
[ $? -eq 0 ] || exit $?
msg "Have =0 access on other list attributes"
@@ -1270,8 +1323,8 @@ done | isOK '=0$' fvl
msg "Have =0 access on other list command attributes"
for LC in ${LISTSC}; do
- checkACL "cn=AdminWebPanel" "${LC}" fvlc fripostLocalAlias
-done | isOK '=0$' fvlc
+ checkACL "cn=AdminWebPanel" "${LC}" fvl fripostLocalAlias
+done | isOK '=0$' fvl
[ $? -eq 0 ] || exit $?
@@ -1288,13 +1341,13 @@ done | isOK '=0$' entry
msg "Have =0 access on user attributes"
for U in ${USERS}; do
- checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
+ checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvl userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
msg "Have =0 access on alias attributes"
for A in ${ALIASES}; do
- checkACL "cn=AdminWebPanel" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
+ checkACL "cn=AdminWebPanel" "${A}" entry children ${OPERATTRS} fvl fripostMaildrop fripostIsStatusActive fripostOwner description
done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
@@ -1306,7 +1359,7 @@ done | isOK '=0$' entry
msg "Have =0 access on list command attributes"
for LC in ${LISTSC}; do
- checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias
+ checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvl fripostLocalAlias
done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?