Diffstat (limited to 'ldap/acl.ldif')
-rw-r--r--ldap/acl.ldif26
1 files changed, 6 insertions, 20 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 212d4d9..e52e4d5 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -84,12 +84,16 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateList
by users =s break
#
-# Everyone can delete domains. (Provided he has +d access to the "entry"
-# attribute of the domains he wants to delete.)
+# Everyone can delete domains. (Provided s/he has +d access to the "entry"
+# attribute of the domains s/he wants to delete.)
olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=children
by users =z
#
+# Reserved local parts are reserved.
+olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ by * none
+#
# 1. The postmaster of a domain can give (or take back) people the right to create
# aliases.
# 2,3. People that can create aliases can list the members of the group.
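Review bot: The comment `# Reserved local parts are reserved.` on the new `olcAccess` rule does not say what the rule enforces or why its position in the file matters. `by * none` denies every access level, read and search included, to all identities subject to ACLs, for any `fvu`/`fva`/`fvl` entry named `postmaster` or `abuse`. The rules this commit removes further down gave domain owners and postmasters read access to those aliases, so please confirm that hiding any existing reserved entries from them, and from any service that binds to look up aliases, is intended. The rule presumably also relies on staying ahead of the per-entry `fvu`/`fva`/`fvl` rules, since slapd stops at the first matching `to` clause that does not `break`. Suggested comment: `# Reserved local parts (postmaster, abuse) may not be created, read or modified as user, alias or list entries; this rule must stay before the per-entry rules below.`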
@@ -186,24 +190,6 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
by self +rd
#
-# Reserved aliases cannot be deactivated. (But the alias definition may be changed by the
-# domain owner.)
-olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualAlias)
- attrs=fripostIsStatusActive,fripostOwner,fva
- by group/fripostVirtualDomain/fripostOwner.expand="$2" read
- by group/fripostVirtualDomain/fripostPostmaster.expand="$2" read
- by users +0
-#
-# Reserved aliases cannot be deleted.
-olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualAlias)
- attrs=entry
- by group/fripostVirtualDomain/fripostOwner.expand="$2" +ard
- by group/fripostVirtualDomain/fripostPostmaster.expand="$2" +ard
- by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
- by users +0
-#
# 1. The alias owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
# 3. So can the domain postmasters.