aboutsummaryrefslogtreecommitdiffstats
path: root/ldap/acl.ldif
diff options
context:
space:
mode:
Diffstat (limited to 'ldap/acl.ldif')
-rw-r--r--ldap/acl.ldif50
1 files changed, 31 insertions, 19 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 7b19d5f..5cc0ef0 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -84,9 +84,9 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
by dnattr=fripostOwner =z break
by * =0 break
#
-# The list creation service can delete the 'pending' status on lists.
+# The list creation service can delete the 'pending' status on lists and list commands.
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
+ filter=(&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(objectClass=FripostPendingEntry))
attrs=objectClass val=FripostPendingEntry
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =z break
by * +0 break
@@ -97,7 +97,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
by * +rscd
#
# The pending token is not public, but domain owner and postmasters can check their and
-# delete it (upon success, but it's done on the library side).
+# delete it (if the token matches, but the check is done on the library side).
olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
filter=(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry))
attrs=fripostPendingToken
@@ -105,9 +105,9 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
by dnattr=fripostOwner =zcd break
by * +0 break
#
-# The list creation service can delete the 'pending' status on lists.
+# The list creation service can delete the 'pending' status on lists and list commands.
olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
+ filter=(&(|(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(objectClass=FripostPendingEntry))
attrs=fripostPendingToken
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +z
by * +0
@@ -119,14 +119,6 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break
by * =0 break
#
-# Only the list creation service may add list commands. (It seems unsafe since it can create
-# arbitrary commands, but as other services it run in safe environments only.)
-# (Listcommands are not concerned by the cleaning service.)
-olcAccess: to dn.regex="^fvl=[^,]+-[^,-]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=FripostVirtualListCommand)
- attrs=entry
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
-#
# One can search search everywhere in the virtual tree.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry
@@ -149,7 +141,6 @@ olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
attrs=children
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
#
# The cleaning service needs to know when entries have been created.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
@@ -159,6 +150,7 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
#
# Users can use these in filters (e.g., to list the entries they have created).
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
#
@@ -352,18 +344,38 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
-# 1-3. People with "canAddList" access can create lists, but only with a
-# 'pending' status.
-# 4. The list creation service can search and browse the entry.
+# 1. The domain owner can create and delete lists, but only those with a 'pending' status
+# 2. So can the domain postmaster.
+# 3. The list owner can delete pending lists.
+# 4. The entry creator can delete pending lists (needed to be able to rollback).
+# 5. People with "canAddList" access can create lists, but only with a 'pending' status.
+# 6. The list creation service can search and browse the entry.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
attrs=entry
- by group/FripostVirtualDomain/fripostOwner.expand="$1" +a break
- by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +a break
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" +w break
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +w break
+ by dnattr=fripostOwner +z continue
+ by dnattr=creatorsName +z continue
by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a break
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +rd
by * +0 break
#
+# 1. The domain owner can create and delete list commands, but only those with a 'pending' status
+# 2. So can the domain postmaster.
+# 3. The entry creator can delete pending list commands (needed to be able to rollback).
+# 4. People with "canAddList" access can create list commands, but only with a 'pending' status.
+# 5. The list creation service can search and browse the entry.
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(&(objectClass=FripostVirtualListCommand)(objectClass=FripostPendingEntry))
+ attrs=entry
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" +w
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +w
+ by dnattr=creatorsName +z continue
+ by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +rd
+ by * +0
+#
# 1. The list owners can read the entry.
# 2. So can the domain's Owner.
# 3. So can the domain's Postmaster.