Diffstat (limited to 'ldap/acl.ldif')
-rw-r--r-- | ldap/acl.ldif | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 5cc0ef0..970799a 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -45,12 +45,17 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
  attrs=entry,objectClass,authzTo
  by realanonymous =x
 #
-# 1. Anonymous users can bind.
-# 2. Users can change their password (but not read it).
-# 3. The postmaster of a domain can change (replace) his/her users' password (but not read it).
+# 1. The WebPanel itself cannot bind, read or write passwords. This
+# guarantees that, if an attacker gains its priviledge, it will *not* be
+# able to change user passwords (which would allow him/her to read every
+# emails). This is a trick to tackle the absence of 'realgroup'.
+# 2. Anonymous users can bind.
+# 3. Users can change their password (but not read it).
+# 4. The postmaster of a domain can change (replace) his/her users' password (but not read it).
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualUser)
  attrs=userPassword
+ by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0
  by realanonymous =xd
  by realself =w
  by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w
|
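Review bot: The new `by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0` clause only denies when the panel's real (authenticating) identity is literally that SASL-derived DN; if the server maps that identity onto the `cn=AdminWebPanel,ou=services,...` entry named in the hunk header (e.g. through `olcAuthzRegexp`), the exact match never fires and the guarantee the new comment promises is silently lost. That is worth confirming with the authz mapping in cn=config and a test bind as the panel, or covering with a second deny clause for the mapped DN, and a comment recording why `realdn` rather than `dn` is used would make the intent explicit: `# realdn: the deny still applies when the panel proxy-authorizes (authzTo) as the user`. Minor wording in the added comment: `priviledge` → `privilege`, `every emails` → `every email`. The `olcAccess` entry's `by` list may continue past the hunk's last line, so the clause order after `=w` is not visible here.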