-rw-r--r--ldap/README4
-rw-r--r--ldap/acl.ldif71
-rw-r--r--ldap/base.ldif6
-rw-r--r--ldap/database.ldif6
-rw-r--r--ldap/index.ldif2
-rw-r--r--ldap/modules.ldif2
-rw-r--r--ldap/syncprov.ldif2
-rw-r--r--ldap/syncrepl.ldif2
-rwxr-xr-xldap/test-user-acl.sh130
-rw-r--r--todo.org2
10 files changed, 186 insertions, 41 deletions
diff --git a/ldap/README b/ldap/README
index 037ae65..7fdc088 100644
--- a/ldap/README
+++ b/ldap/README
@@ -18,11 +18,11 @@ single situation we may encounter in our directory.
Usage:
* Load the ACLs:
-
+
ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
* Repopulate the database (will clear it out first!):
-
+
ldapdelete -Y EXTERNAL -H ldapi:/// -r "ou=virtual,o=mailHosting,dc=fripost,dc=dev" ; ldapadd -Y EXTERNAL -H ldapi:/// -f populate.ldif
* Running the test suite:
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 4cf7e10..153470f 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -65,6 +65,7 @@ olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0
by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
by anonymous =0 break
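Review bot: The `dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,…$" =0 break` clause kept unchanged here is what makes the later rewrite to `dn.children="ou=virtual,…"` safe: every following hunk (L48/L49, L57/L58, L66/L67, L113/L114, L122/L123, L131/L132, L140/L141, L149/L150, L158/L159, L167/L168, L176/L177, L185/L186, L203/L204, L212/L213) widens the `by` subject from user entries to any descendant of ou=virtual, including domain, alias, list and list-command entries, and only this first rule's fvu regex followed by the implicit `by * none` stops a non-user DN from reaching them. That dependency is not written down, so a later "harmonisation" of this line to dn.children would silently grant user-level rights to any bindable non-user entry. Suggest a comment above this clause such as `# Keep the fvu regex here: it is the gate that limits the dn.children clauses below to user entries.`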
@@ -76,7 +77,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
attrs=userPassword
by realself =w
by anonymous =xd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =0 break
#
# The postmaster of a domain can change (replace) his/her users' password (but not read it).
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
@@ -94,21 +95,61 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
# 2. So can the list creator.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=objectClass
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
#
# 1. Users can search (e.g., to list the entries they have created).
# 2. Additional permissions may be added later on.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
#
+# Noone may create children under a pending entry. This is important
+# since otherwise we couldn't delete old pending entries
+# non-recursively.
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(fripostPendingToken=*)
+ attrs=children
+ by * =0
+#
+# Our service can list and delete (old) pending entries.
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(fripostPendingToken=*)
+ attrs=entry
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+#
+# Our service can search anywhere in the tree (for old pending entries).
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +s
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+#
+# Our service needs to have 'z' access on the 'children' of the parent of the entry that is
+# to be deleted. (And 'z' access of the 'entry' attribute of this entry.)
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=children
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+#
+# Our service needs search access to list (old) pending entries.
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(fripostPendingToken=*)
+ attrs=createTimestamp,fripostPendingToken
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+#
# Everyone can create/delete domains. (Provided s/he has +a/+z access to the
# "entry" attribute of the domains s/he wants to delete.)
olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=children
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =w
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
#
# Reserved local parts are reserved. /!\ The case must be insensitive
# - postmaster: RFC 822, appendix C.6
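Review bot: The comment "Noone may create children under a pending entry" above the `attrs=children ... by * =0` rule overstates the guarantee the rule gives: managers match the terminal `=wrscd` clause of the first rule on this subtree and so never reach it, and the rootdn bypasses ACLs altogether, so the "delete non-recursively" invariant the next rules rely on holds only if those actors are trusted not to add children under pending entries. Suggest `# No ordinary user or service may create children under a pending entry (managers and the rootdn are not bound by this rule), so old pending entries can be deleted non-recursively.` The `+s` granted to `dn.onelevel="ou=services,…"` on `entry` is reached only by ListCreator (which `+0 break`s just before) and DeletePendingEntries, since every other service is stopped by the first rule's `=0`; a short comment saying that the set is closed by the first rule would save the next reader the same trace.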
@@ -120,7 +161,7 @@ olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*)))
attrs=fripostPendingToken
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
#
# Only the domain Postmasters and Owners can search the unlock token and delete the
# 'pending' status (but not read).
@@ -158,7 +199,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dnattr=fripostPostmaster =rscd
by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd
by dn.onelevel,expand="$1" +d
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
@@ -179,7 +220,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
attrs=@fripostVirtualDomain
by dnattr=fripostOwner =wrscd
by dnattr=fripostPostmaster =wrscd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# Everyone can add or delete children, but we will be carefull with the
# kid's "entry" attribute, which require +a and +z to add and delete
@@ -187,7 +228,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
attrs=children
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +w
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
#
# 1. Users with "addDomain" access can create new entries.
# 2. Domain owners can delete their domain (and read the entry).
@@ -202,7 +243,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dnattr=fripostPostmaster +zrd
by dn.onelevel,expand="$1" +rd
by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# Noone (but the managers) can change quotas.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
@@ -237,7 +278,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dnattr=fripostOwner =rscd continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. The alias owners can edit the rest of their entry's attributes.
# 2. So can the domain owners.
@@ -261,7 +302,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. The list owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
@@ -272,7 +313,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dnattr=fripostOwner =rscd continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. The list owner read (but not edit) the transport-related attributes.
# 2. So can the domain ower.
@@ -287,6 +328,8 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 1,2,3. The list owner and the domain Owner and Postmaster can search
# (but not read) the 'pending' token.
# 4. The list creator can remove the "pending" flag.
+# (We don't need to limit the search to presence only here, since when present the value is
+# always 'TRUE')
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
attrs=fripostPendingToken
@@ -318,7 +361,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad
by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
#
# The List Creator can add list commands.
@@ -335,4 +378,4 @@ olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting
#
# Catch the "break" control above.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
diff --git a/ldap/base.ldif b/ldap/base.ldif
index ff48497..4a40d3c 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -38,6 +38,12 @@ objectClass: organizationalRole
description: The entity that is authorized to add list commands
userPassword: listcreator
+dn: cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+description: Delete expired pending entries
+userPassword: deletependingentries
+
dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev
objectClass: simpleSecurityObject
objectClass: organizationalRole
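Review bot: The new service entry stores `userPassword: deletependingentries`, a cleartext value derived from its own cn, in the same style as the ListCreator entry just above it. If this base.ldif is only ever loaded into the dc=fripost,dc=dev fixture that is fine, but nothing in the file marks it as such; suggest either a `# Development fixture; replace with a slappasswd hash before use elsewhere.` comment on the entry or storing a hashed value from the start so the LDIF cannot be loaded as-is into a real directory.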
diff --git a/ldap/database.ldif b/ldap/database.ldif
index ada28c7..eb94b87 100644
--- a/ldap/database.ldif
+++ b/ldap/database.ldif
@@ -44,15 +44,15 @@ olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
#
#
# 2. It may be a good idea to modify DB_CONFIG, depending on the output
-# of
-#
+# of
+#
# db4.8_stat -m -h /var/lib/ldap/ | head -16
#
# (For optimal performance, the Requested pages found in the cache
# should be above 95%, and the pages forced from the cache should be 0.)
#
# and
-#
+#
# db4.8_stat -m -h /var/lib/ldap/ | head -16
#
# (For optimal performance, usage should be within 85% of the configured
diff --git a/ldap/index.ldif b/ldap/index.ldif
index 77b0e5a..3a4f548 100644
--- a/ldap/index.ldif
+++ b/ldap/index.ldif
@@ -6,7 +6,7 @@
# that it's indeed the database #1 that you want to amend:
#
# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn
-#
+#
#
# To reindex an existing database, you have to
# * Stop slapd /etc/init.d/slapd stop
diff --git a/ldap/modules.ldif b/ldap/modules.ldif
index cc4da57..46b9ca2 100644
--- a/ldap/modules.ldif
+++ b/ldap/modules.ldif
@@ -4,7 +4,7 @@
#
# It will load the "syncprov" and "constraint" modules.
#
-#
+#
# References:
# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
diff --git a/ldap/syncprov.ldif b/ldap/syncprov.ldif
index 66ce154..b0de08d 100644
--- a/ldap/syncprov.ldif
+++ b/ldap/syncprov.ldif
@@ -7,7 +7,7 @@
#
# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn
#
-#
+#
# References:
# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
diff --git a/ldap/syncrepl.ldif b/ldap/syncrepl.ldif
index 2f40472..d579e5c 100644
--- a/ldap/syncrepl.ldif
+++ b/ldap/syncrepl.ldif
@@ -7,7 +7,7 @@
#
# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn
#
-#
+#
# References:
# - http://www.openldap.org/doc/admin24/replication.html#Syncrepl
# - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 7046716..3023152 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -215,6 +215,16 @@ usersB ${OPERATTRS} | isOK '=0$' entryUUID
[ $? -eq 0 ] || exit $?
+msg "Cannot create children under a pending entry"
+for U in ${USERS}; do
+ for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
+ search -s base -b "${X},${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
+ checkACL "${U}" "${X}" children
+ done
+done | isOK '=0$' children
+[ $? -eq 0 ] || exit $?
+
+
###########################################################################
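Review bot: The new check is vacuous if the fixture contains no pending entry: the `search ... | grep -q '^dn: ' && checkACL` chain emits nothing when no entry matches `(fripostPendingToken=*)`, so `isOK '=0$' children` is fed an empty stream and, as far as this hunk shows, would pass without testing anything. The same pattern is used in the DeletePendingEntries section (L467/L468 and L482/L483). Suggest counting the pending entries once and failing early, e.g. `search -b "${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' || { echo "no pending entry in fixture" >&2; exit 1; }` before these loops; `isOK`'s behaviour on empty input is defined outside the hunk, so confirm it does not already reject that case.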
@@ -227,7 +237,7 @@ echo "Authenticated users, access to domain entries"
# +rd if children, canAdd{Alias,List}, owner or postmaster
# +z if owner or postmaster
# * children:
-# =w for all
+# =w for all (non-pending entries)
# * objectClass:
# =s for all
# * fvd:
@@ -345,8 +355,13 @@ done | isOK 'DENIED$' entry add
# We ensure not to give +a/+z access to the \"entry\" attribute of the
# children, unless justified (required to add/delete a child).
-msg "Have =w access to \"children\""
-usersD children | isOK '=w$' children
+msg "Have =w access to \"children\" (for non-pending attributes)"
+for U in ${USERS}; do
+ for D in ${DOMAINS}; do
+ search -s base -b "${D},${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+ checkACL "${U}" "${D}" children
+ done
+done | isOK '=w$' children
[ $? -eq 0 ] || exit $?
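Review bot: The new message `msg "Have =w access to \"children\" (for non-pending attributes)"` mislabels what the loop filters on: the `search ... | grep -q '^dn: ' ||` guard skips pending entries, not attributes, and the header comment changed in the previous hunk says "=w for all (non-pending entries)". Suggest `msg "Have =w access to \"children\" (for non-pending entries)"` so the test output matches the documented rule.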
msg "Have =s access to \"objectClass\""
@@ -391,7 +406,7 @@ ATTRSA="fripostOwner/read fripostOwner/compare
msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddAlias, exact)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "fripostCanAddAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA}
done
done | isOK 'ALLOWED$' children
@@ -403,7 +418,7 @@ msg "Have >=rscd to the public attributes and >=a to \"children\" (if CanAddAlia
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "fripostCanAddAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${DU},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA}
done
done | isOK 'ALLOWED$' children
@@ -417,7 +432,7 @@ ATTRSL="fripostOwner/read fripostOwner/compare
msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddList, exact)"
for U in ${USERS}; do
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL}
done
done | isOK 'ALLOWED$' children
@@ -429,7 +444,7 @@ msg "Have >=rscd access to the public attributes and >=a to \"children\" (if Can
for U in ${USERS}; do
DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${DU},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL}
done
done | isOK 'ALLOWED$' children
@@ -448,7 +463,7 @@ ATTRSO="entry/delete
description/add description/delete"
for U in ${USERS}; do
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(fripostOwner=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO}
done
done | isOK 'ALLOWED$' children
@@ -464,7 +479,7 @@ ATTRSP="fripostCanAddAlias/add fripostCanAddAlias/delete
fripostCanAddList/add fripostCanAddList/delete"
for U in ${USERS}; do
for D in ${DOMAINS}; do
- search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
+ search -s base -b "${D},${SUFFIX}" "(&(fripostPostmaster=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} ${ATTRSP}
done
done | isOK 'ALLOWED$' children
@@ -720,8 +735,8 @@ usersD objectClass | isOK '=s' objectClass
[ $? -eq 0 ] || exit $?
-ATTRS="entry/delete entry/read entry/disclose
- fva/write fva/read fva/search fva/compare fva/disclose
+ATTRS="entry/delete entry/read entry/disclose
+ fva/write fva/read fva/search fva/compare fva/disclose
fripostMaildrop/add fripostMaildrop/delete fripostMaildrop/read fripostMaildrop/search fripostMaildrop/compare fripostMaildrop/disclose
fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose
fripostOwner/read fripostOwner/compare fripostOwner/disclose
@@ -845,7 +860,7 @@ echo "Authenticated users, access to list entries"
# * fripostIsStatusActive:
# =wrscd if list owner, domain owner or domain postmaster
# * fripostPendingToken:
-# =rscd if list owner, domain owner or domain postmaster
+# =scd if list owner, domain owner or domain postmaster
# * fripostOwner:
# =d for all
# +rsc if list owner, domain owner or domain postmaster
@@ -1000,7 +1015,7 @@ done | isOK 'DENIED$' entry delete
msg "Have =0 access to the list command entries"
for U in ${USERS}; do
for LC in ${LISTSC}; do
- checkACL "${U}" "${LC}"
+ checkACL "${U}" "${LC}"
done
done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
@@ -1009,6 +1024,7 @@ done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry
###########################################################################
+SUFFIX0="${SUFFIX}"
SUFFIX="${SUFFIXS}"
echo
@@ -1100,7 +1116,7 @@ done | isOK '=sd$' objectClass
msg "Have =0 access on other list command attributes"
for LC in ${LISTSC}; do
- checkACL "cn=SMTP" "${LC}" children ${OPERATTRS}
+ checkACL "cn=SMTP" "${LC}" children ${OPERATTRS}
done | isOK '=0$' children
[ $? -eq 0 ] || exit $?
@@ -1112,7 +1128,7 @@ echo "Service ListCreator"
msg "Have =0 access on domain attributes"
for D in ${DOMAINS}; do
- checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description
+ checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken
done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
@@ -1142,6 +1158,7 @@ done | isOK '=rsd$'
msg "Have =a access on lists' children attribute"
for L in ${LISTS}; do
+ search -s base -b "${L},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
checkACL "cn=ListCreator" "${L}" children
done | isOK '=a$'
[ $? -eq 0 ] || exit $?
@@ -1168,11 +1185,90 @@ done | isOK '=0$' children
###########################################################################
echo
+echo "Service DeletePendingEntries"
+
+msg "Have =z access on the \"children\" attribute of non-pending entries"
+(checkACL "cn=DeletePendingEntries" "" children
+for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
+ search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+ checkACL "cn=DeletePendingEntries" "${X}" children
+done) | isOK '=z$' children
+[ $? -eq 0 ] || exit $?
+
+msg "Have =zrsd access on the \"entry\" attribute of pending entries"
+for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
+ search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
+ checkACL "cn=DeletePendingEntries" "${X}" entry
+done | isOK '=zrsd$' entry
+[ $? -eq 0 ] || exit $?
+
+msg "Have =s access on the \"entry\" attribute of non-pending entries"
+(checkACL "cn=DeletePendingEntries" "" entry
+for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
+ search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+ checkACL "cn=DeletePendingEntries" "${X}" entry
+done) | isOK '=s$' entry
+[ $? -eq 0 ] || exit $?
+
+msg "Have =sd access on the attributes it needs on pending entries"
+for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
+ search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
+ checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken
+done | isOK '=sd$' fripostPendingToken
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access these attributes for non-pending entries"
+for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
+ search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+ checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken
+done | isOK '=0$' fripostPendingToken
+[ $? -eq 0 ] || exit $?
+
+msg "Have =s access on the object class"
+for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
+ checkACL "cn=DeletePendingEntries" "${X}" objectClass
+done | isOK '=s$' objectClass
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on other domain attributes"
+for D in ${DOMAINS}; do
+ checkACL "cn=DeletePendingEntries" "${D}" fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description
+done | isOK '=0$' fvd
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on other user attributes"
+for U in ${USERS}; do
+ checkACL "cn=DeletePendingEntries" "${U}" fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
+done | isOK '=0$' fvu
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on other alias attributes"
+for A in ${ALIASES}; do
+ checkACL "cn=DeletePendingEntries" "${A}" fva fripostMaildrop fripostIsStatusActive fripostOwner description
+done | isOK '=0$' fva
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on other list attributes"
+for L in ${LISTS}; do
+ checkACL "cn=DeletePendingEntries" "${L}" fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description
+done | isOK '=0$' fvl
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on other list command attributes"
+for LC in ${LISTSC}; do
+ checkACL "cn=AdminWebPanel" "${LC}" fvlc fripostLocalAlias
+done | isOK '=0$' fvlc
+[ $? -eq 0 ] || exit $?
+
+
+###########################################################################
+
+echo
echo "Service AdminWebPanel"
msg "Have =0 access on domain attributes"
for D in ${DOMAINS}; do
- checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description
+ checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken
done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
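Review bot: The last check of the new "Service DeletePendingEntries" section binds as the wrong principal: `checkACL "cn=AdminWebPanel" "${LC}" fvlc fripostLocalAlias` under `msg "Have =0 access on other list command attributes"` tests AdminWebPanel (which is covered again in the section that follows), so DeletePendingEntries' access to `fvlc` and `fripostLocalAlias` is never asserted. The line should read `checkACL "cn=DeletePendingEntries" "${LC}" fvlc fripostLocalAlias`. Separately, `msg "Have =0 access these attributes for non-pending entries"` is missing a word; `msg "Have =0 access on these attributes for non-pending entries"` matches the other messages in the section.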
@@ -1194,7 +1290,7 @@ for L in ${LISTS}; do
done | isOK '=0$' entry
[ $? -eq 0 ] || exit $?
-msg "Have =0 access on other list command attributes"
+msg "Have =0 access on list command attributes"
for LC in ${LISTSC}; do
checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias
done | isOK '=0$' entry
diff --git a/todo.org b/todo.org
index 1df7713..a67f7c9 100644
--- a/todo.org
+++ b/todo.org
@@ -191,7 +191,7 @@ Reason for discarding: Not feasible at this point, too much overhead, not always
** Create a mail gateway to change settings
** Set up an Asterisk server (VoIP)
** Evaluate SSH-tunnels vs VPN
-** Evaluating changing Apache to nginx
+** Evaluating changing Apache to nginx
* Discarded ideas
** Improve logcheck rules (increase signal to noise ratio)
Reason for discarding: not very concrete