Diffstat (limited to 'ldap/acl.ldif')
-rw-r--r--ldap/acl.ldif90
1 files changed, 59 insertions, 31 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index e52e4d5..ac2e19d 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -29,9 +29,10 @@ replace: olcAccess
# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
# TODO: IMAP & SASLauth
+# TODO: if possible, make use GSSAPI for the services.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostOptionalMaildrop,fvu,fripostOptionalMaildrop,fva,fripostMaildrop,fvl,fripostListCommand
- filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
+ attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostIsStatusPending,fripostOptionalMaildrop,fvu,fva,fripostMaildrop,fvl,fvlc,fripostLocalAlias
+ filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
by users none break
#
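Review bot: The new TODO on the line after "IMAP & SASLauth" is missing a word and reads oddly next to the other two TODOs; `# TODO: if possible, make use of GSSAPI for the services.` says what was meant. The attribute list on the SMTP line now also exposes fripostIsStatusPending, fvlc and fripostLocalAlias to the SMTP service with =rsd, which is presumably so the mailer can tell pending lists apart; a one-line comment stating that would spare the next reader from having to infer it.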
@@ -45,23 +46,28 @@ olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,objectClass,authzTo
by * =x
#
-# 1. Services have no access other than the one above.
-# 2. Managers have read/write access to the "virtual" subtree.
+# 1. Managers have read/write access to the "virtual" subtree.
+# 2. The list creator needs further access.
+# 3. Other services have no access other than the one above.
+# 4,5. Other users need further access.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" write
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" none break
by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none
- by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
- by * none break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" none break
+ by anonymous none break
#
# 1. Users can change their password (but not read it).
-# 2. Anonymous users/services/managers can bind.
+# 2. Anonymous users can bind.
# 3. Else, we inspect the 2 following ACLs.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
by self =w
by anonymous auth
- by users none break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" none break
#
-# The postmaster of a domain can change (replace) his/her users' password.
+# The postmaster of a domain can change (replace) his/her users'
+# password (but not see it).
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualMailbox)
attrs=userPassword
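Review bot: The managers' `write` on the whole "ou=virtual" subtree (the clause added right after the `dn.subtree` line) carries no `attrs=` restriction and is evaluated before the `attrs=userPassword` rule below it, so managers can now read (disclose) password hashes as well as replace them; previously that clause never matched because it was spelled `dc=org`. If reading hashes is not intended, a dedicated rule placed before the subtree rule, `olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=userPassword by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =w by * none break`, keeps replace-only for managers while letting everyone else fall through to the existing userPassword rules. The corrected comment "1. Users can change their password (but not read it)" would then also hold for managers. The hunk starts inside the `dn.one="ou=services"` rule whose beginning is outside this view.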
@@ -73,22 +79,25 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
attrs=userPassword
by * none
#
-# Users can search (e.g., to list the entries they have created).
+# 1. Users can search (e.g., to list the entries they have created).
+# 2. So can the list creator.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=objectClass
- by users =s
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
#
# Users can search (e.g., to list the entries they have created).
# Additional permissions may be added later on.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateList
- by users =s break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break
#
# Everyone can delete domains. (Provided s/he has +d access to the "entry"
# attribute of the domains s/he wants to delete.)
olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=children
- by users =z
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =z
#
# Reserved local parts are reserved.
olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
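Review bot: The `none break` added after the `=s break` clause on the entry/creatorsName rule matches every DN under "ou=services", whereas the equivalent pass-through earlier in this commit and the `=s` grant two rules above single out `cn=ListCreator` by `dn.exact`. In practice only the list creator reaches this rule, because the other services are stopped by the `none` (no break) clause in the subtree rule, but the broader match means a future service entry would silently inherit the fall-through; `by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" none break` is the least-privilege form and keeps the three rules consistent. The comment "Everyone can delete domains" is no longer accurate now that the `by users` subject has been narrowed; `# Users under "ou=virtual" can delete domains.` reflects the new clause.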
@@ -122,7 +131,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dnattr=fripostPostmaster read
by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList)& (user | user/-1)" read
by dn.onelevel,expand="$1" +d
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# Every one can add or delete children, but we will be carefull with the
# kid's "entry" attribute, which require +a and +z to add and delete
@@ -130,7 +139,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(objectClass=FripostVirtualDomain)
attrs=children
- by users +w
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
@@ -151,7 +160,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
attrs=@fripostVirtualDomain
by dnattr=fripostOwner write
by dnattr=fripostPostmaster write
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. Domain owners can delete the domain (and read the entry).
# 2. So can domain postmasters.
@@ -164,7 +173,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dnattr=fripostPostmaster +zrd
by dn.onelevel,expand="$1" +rd
by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" +rd
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# Noone (but the managers) can change quotas.
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
@@ -199,7 +208,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dnattr=fripostOwner read continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. The alias owners can edit the rest of their entry's attributes.
# 2. So can the domain owners.
@@ -223,7 +232,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. The list owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
@@ -234,18 +243,27 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dnattr=fripostOwner read continue
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
# 1. The list owner read (but not edit) the transport-related attributes.
# 2. So can the domain ower.
# 3. So can the domain postmaster.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
- attrs=fripostListManager,fripostListCommand
+ attrs=fripostListManager
by dnattr=fripostOwner read
by group/fripostVirtualDomain/fripostOwner.expand="$1" read
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
#
+# Only the list creator can remove the "pending" flag
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
+ attrs=fripostIsStatusPending
+ by dnattr=fripostOwner read
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" read
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd
+#
# 1. The list owners can edit their entry's attributes.
# 2. So can the domain owners.
# 3. So can the domain postmasters.
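Review bot: The comment heading the new fripostIsStatusPending rule says only the list creator can remove the flag, but the managers' unrestricted `write` on the "ou=virtual" subtree earlier in this commit is evaluated first and stops, so they can remove (and set) it too; `# Only the list creator (besides the managers) can remove the "pending" flag.` keeps the comment exact. The `=zrd` privilege is a good fit here, since it lets the creator delete the value without being able to add one, and that is worth stating in the comment so nobody later "fixes" it to `write`.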
@@ -256,24 +274,34 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/fripostVirtualDomain/fripostOwner.expand="$1" write
by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
#
-# 1. The list owners can read and delete the entry.
+# 1. The list owners can read the entry.
# 2. So can the domain's Owner.
# 3. So can the domain's Postmaster.
# 4. Users with "canCreateList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain.
# (But *not* delete them, unless also owner.)
+# 6. The list creator can read the entry.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
attrs=entry
- by dnattr=fripostOwner +rzd continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" +rwd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
+ by dnattr=fripostOwner +rd continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad
by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a
- by users +0
-#TODO
-#olcAccess: to dn.regex="^fvl=([^,]+)-request,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
-# filter=(objectClass=FripostVirtualListCommand)
-# by users read
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
+#
+# The List Creator can add list commands.
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(objectClass=FripostVirtualList)
+ attrs=children
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
+#
+# The List Creator can add list commands.
+olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(objectClass=FripostVirtualListCommand)
+ attrs=entry
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
#
# Catch the "break" control above.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
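Review bot: The two new `dn.regex` targets for the list `children` attribute and for the list-command `entry` attribute are not anchored at the end, unlike every other regex in this file (which ends in `dc=dev$`); `dn.regex` matches anywhere in the DN, so the `$` should be restored on both, `olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"` and `olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"`. The numbered comment on the list `entry` rule jumps from 4 to 6; the added line should read `# 5. The list creator can read the entry.`. The two rules granting the list creator `=a` carry the same comment "The List Creator can add list commands." although the first covers the list's `children` attribute and the second the command's `entry` attribute; naming which side each grants would make the pair easier to audit.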