Diffstat (limited to 'ldap/acl.ldif')
-rw-r--r--ldap/acl.ldif277
1 files changed, 148 insertions, 129 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 69b8c30..e7272f0 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -28,16 +28,10 @@ replace: olcAccess
# Most common services: Postfix, Amavis, SASLauth, Dovecot
# (Most used ACLs are cheaper when written first.)
#
-# Everyone can search the objectclass
-olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=objectClass
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =s
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
-#
# Postfix have read access to the attribute they need.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
- filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(fripostIsStatusActive=FALSE))(!(fripostPendingToken=*)))
+ attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
+ filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
by users =0 break
#
@@ -54,58 +48,116 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
# 1. Anonymous users can bind.
# 2. Users can change their password (but not read it).
# 3. The postmaster of a domain can change (replace) his/her users' password (but not read it).
-olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=userPassword
by realanonymous =xd
by realself =w
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w
- by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w
+ by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =w
+#
+# A catch-all, to be sure that noone else have access to the passwords.
+olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+ attrs=userPassword
+ by * =0
#
#
########################################################################
-# Virtual subtree, general access
+# Virtual subtree, pending token and general access
#
-# 1,2. Services that need particular access on the tree.
-# 3. Other users need further access.
+# 1. Users need further access. We use a set to deny all access to non-users without
+# having a need for an expensive LDAP search (URL) in the AuthzTo.
+# /!\ The objectClass "FripostVirtualUser" is case-sensitive in this case!
+# 2,3. Services that need particular access on the tree.
# 4. Managers have read/write access to the "virtual" subtree.
-# 5. Other services have no access other than the one above.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ by set.exact="user/objectClass & [FripostVirtualUser]" =0 break
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0
#
-# Our service can list and delete (old) pending entries.
+# Only the domain Postmasters and Owners can delete the 'pending' status on domains.
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry))
+ attrs=objectClass val=FripostPendingEntry
+ by dnattr=fripostPostmaster =z break
+ by dnattr=fripostOwner =z break
+ by * =0 break
+#
+# The list creation service can delete the 'pending' status on lists.
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
+ attrs=objectClass val=FripostPendingEntry
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =z break
+ by * +0 break
+#
+# ObjectClass is a public attribute: everyone can read and search it.
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=objectClass
+ by * +rscd
+#
+# The pending token is not public, but domain owner and postmasters can check their and
+# delete it (upon success, but it's done on the library side).
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry))
+ attrs=fripostPendingToken
+ by dnattr=fripostPostmaster =zcd break
+ by dnattr=fripostOwner =zcd break
+ by * +0 break
+#
+# The list creation service can delete the 'pending' status on lists.
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
+ attrs=fripostPendingToken
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +z
+ by * +0
+#
+# The cleaning service can list the (expired) pending entries and delete them.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- filter=(fripostPendingToken=*)
+ filter=(objectClass=FripostPendingEntry)
attrs=entry
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break
- by dn.children="o=mailHosting,dc=fripost,dc=dev" =0 break
+ by * =0 break
#
-# Our service can search anywhere in the tree (for old pending entries).
+# Only the list creation service may add list commands. (It seems unsafe since it can create
+# arbitrary commands, but as other services it run in safe environments only.)
+# (Listcommands are not concerned by the cleaning service.)
+olcAccess: to dn.regex="^fvl=[^,]+-[^,-]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=FripostVirtualListCommand)
+ attrs=entry
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
+#
+# One can search search everywhere in the virtual tree.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=entry
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +s break
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" +s
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by * =s break
#
-# Our service needs to have 'z' access on the 'children' of the parent of the entry that is
-# to be deleted. (And 'z' access of the 'entry' attribute of this entry.)
-olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+# We're giving away create/delete access on the children attributes, but we will be carefull
+# with the 'entry' permissions.
+olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(objectClass=FripostVirtual)
+ attrs=children
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z
+olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(objectClass=FripostVirtualDomain)
attrs=children
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z
- by dn.children="o=mailHosting,dc=fripost,dc=dev" =0 break
+ by * break
+olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
+ attrs=children
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
#
-# Our service needs search access to list (old) pending entries.
+# The cleaning service needs to know when entries have been created.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- filter=(fripostPendingToken=*)
- attrs=createTimestamp,fripostPendingToken
+ filter=(objectClass=FripostPendingEntry)
+ attrs=createTimestamp
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
- by dn.children="o=mailHosting,dc=fripost,dc=dev" +0 break
#
-# Users can search (e.g., to list the entries they have created).
+# Users can use these in filters (e.g., to list the entries they have created).
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
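Review bot: The comment above the second fripostPendingToken ACL for lists (`# The list creation service can delete the 'pending' status on lists.`) is a copy of the one above the `attrs=objectClass val=FripostPendingEntry` ACL, but this ACL grants `+z` on `fripostPendingToken`, so it should read `# The list creation service can delete the 'pending' token on lists.`. The general-access ACL on `ou=virtual` now relies on slapd's implicit deny for every subject that matches none of its `by` clauses (anonymous, the other services), which is what the comment's "deny all access to non-users" actually rests on; an explicit trailing `by * =0` would make that stop condition visible to the next reader. The two `val=FripostPendingEntry` ACLs also end differently, `by * =0 break` for domains and `by * +0 break` for lists; since every subject reaching them has already been reset to 0 by the general-access ACL the effect appears identical, but writing `=0 break` in both removes the question.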
@@ -114,28 +166,6 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
########################################################################
# Virtual subtree, domains
#
-# 1. Everyone can create/delete domains. (Provided s/he has +a/+z access to the
-# "entry" attribute of the domains s/he wants to delete.)
-# 2. The relevant service can delete (old) pending entries.
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
- by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z
-#
-# Everyone can check for the absence of a 'pending' status.
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*)))
- attrs=fripostPendingToken
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
-#
-# Only the domain Postmasters and Owners can search the unlock token and delete
-# the 'pending' status (but not read).
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=FripostVirtualDomain)
- attrs=fripostPendingToken
- by dnattr=fripostPostmaster =zscd
- by dnattr=fripostOwner =zscd
-#
# 1. The postmaster of a domain can give (or take back) people the right to create
# aliases.
# 2,3. People that can create aliases can list the members of the group.
@@ -164,7 +194,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
by dnattr=fripostPostmaster =rscd
by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd
by dn.onelevel,expand="$1" +d
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by * +0
#
# 1. Domain owners can edit their entry's attributes.
# 2. So can domain postmasters.
@@ -185,27 +215,23 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
attrs=@fripostVirtualDomain
by dnattr=fripostOwner =wrscd
by dnattr=fripostPostmaster =wrscd
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by * +0
#
-# Everyone can add or delete children, but we will be carefull with
-# the kid's "entry" attribute, which require +a and +z to add and delete
-# respectively. Note that it is forbidden add a child under a pending
-# entry; This is important since otherwise we couldn't delete pending
-# entry non-recursively.
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*)))
- attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
+# Users with "addDomain" access can create new entries, but only if
+# there is a pending token.
+olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry)(fripostPendingToken=*))
+ attrs=entry
+ by set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a break
+ by * +0 break
#
-# 1. Users with "addDomain" access can create new entries.
-# 2. Domain owners can delete their domain (and read the entry).
-# 3. So can domain postmasters.
-# 4. Domain users can read the domain entry (but not delete it).
-# 5. So can users with "canAddAlias" or "canAddList" rights.
+# 1. Domain owners can delete their domain (and read the entry).
+# 2. So can domain postmasters.
+# 3. Domain users can read the domain entry (but not delete it).
+# 4. So can users with "canAddAlias" or "canAddList" rights.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualDomain)
attrs=entry
- by set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a continue
by dnattr=fripostOwner +zrd
by dnattr=fripostPostmaster +zrd
by dn.onelevel,expand="$1" +rd
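Review bot: The new create-domain ACL's comment speaks of `Users with "addDomain" access`, while the set it evaluates is `this/-1/fripostCanAddDomain` and the catch-all section calls the same right "canAddDomain", so a reader searching for the attribute name will not find this comment. Suggest `# Users with "canAddDomain" access can create new domains, but only with a 'pending' status and a pending token.`, which also names both conditions the filter `(&(objectClass=FripostVirtualDomain)(objectClass=FripostPendingEntry)(fripostPendingToken=*))` enforces.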
@@ -215,7 +241,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
# Reserved local parts are reserved. /!\ The case must be insensitive
# - postmaster: RFC 822, appendix C.6
# - abuse: RFC 2142, section 4
-olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+olcAccess: to dn.regex="^fvl=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
by * =0
#
#
@@ -223,29 +249,28 @@ olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o
# Virtual subtree, users
#
# Users and their postmaster can read the quota (but not change it).
-olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=fripostUserQuota
by self =rscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
#
# 1. Users can modify their own entry.
# 2. So can their postmasters.
-olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=@FripostVirtualUser
by self =wrscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
# 1. Users can read their entry (but not delete it).
# 2. Postmasters can create users (but not delete them).
# (Provided that they have +a access to the parent's "children" attribute.)
-olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=entry
by self +rd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +ard
#
#
########################################################################
@@ -254,35 +279,35 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
# 1. The alias owner can list the ownership of the entry.
# 2. The domain owner can add/delete/change the ownership of the entry.
# 3. So can the domain postmasters.
-olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualAlias)
attrs=fripostOwner
by dnattr=fripostOwner =rscd continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by * +0
#
# 1. The alias owners can edit the rest of their entry's attributes.
# 2. So can the domain owners.
# 3. So can the domain postmasters.
-olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualAlias)
attrs=@FripostVirtualAlias
by dnattr=fripostOwner =wrscd
- by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
#
# 1. The alias owners can read and delete the entry.
# 2. So can the domain owner.
# 3. So can the domain postmaster.
# 4. Users with "canAddAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain.
# (But *not* delete them, unless also owner.)
-olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualAlias)
attrs=entry
by dnattr=fripostOwner +zrd continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" +wrd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
#
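Review bot: The alias `entry` ACL still ends with `by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0`, while the sibling clauses in this hunk and in the domain and list ACLs were changed to `by * +0`. Subjects outside the virtual subtree that reach this ACL fall to slapd's implicit deny either way, so the behaviour is presumably unchanged, but the leftover reads as if aliases were deliberately treated differently; change the last line to `by * +0` for consistency.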
@@ -297,9 +322,9 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
filter=(objectClass=FripostVirtualList)
attrs=fripostOwner
by dnattr=fripostOwner =rscd continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by * +0
#
# 1. The list owner read (but not edit) the transport-related attributes.
# 2. So can the domain ower.
@@ -308,20 +333,8 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
filter=(objectClass=FripostVirtualList)
attrs=fripostListManager
by dnattr=fripostOwner =rscd
- by group/fripostVirtualDomain/fripostOwner.expand="$1" =rscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
-#
-# 1,2,3. The list owner and the domain Owner and Postmaster can search the 'pending' token.
-# 4. The list creator can remove the "pending" flag.
-# (We don't need to limit the search to presence only here, since when present the value is
-# always 'TRUE')
-olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualList)
- attrs=fripostPendingToken
- by dnattr=fripostOwner =scd
- by group/fripostVirtualDomain/fripostOwner.expand="$1" =scd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =scd
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" =rscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
#
# 1. The list owners can edit their entry's attributes.
# 2. So can the domain owners.
@@ -330,40 +343,46 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
filter=(objectClass=FripostVirtualList)
attrs=@FripostVirtualList
by dnattr=fripostOwner =wrscd
- by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+#
+# 1-3. People with "canAddList" access can create lists, but only with a
+# 'pending' status.
+# 4. The list creation service can search and browse the entry.
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
+ attrs=entry
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" +a break
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +a break
+ by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a break
+ by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +rd
+ by * +0 break
#
# 1. The list owners can read the entry.
# 2. So can the domain's Owner.
# 3. So can the domain's Postmaster.
-# 4. Users with "canAddList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain.
-# (But *not* delete them, unless also owner.)
-# 6. The list creator can read the entry.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualList)
attrs=entry
- by dnattr=fripostOwner +rd continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad
- by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
-#
-# The List Creator can add list commands under non-pending lists.
-olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(&(objectClass=FripostVirtualList)(!(fripostPendingToken=*)))
- attrs=children
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
-#
-# The List Creator can add list commands.
-olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=FripostVirtualListCommand)
- attrs=entry
- by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
+ by dnattr=fripostOwner +rd
+ by group/FripostVirtualDomain/fripostOwner.expand="$1" +rd
+ by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +rd
+ by * +0
#
#
########################################################################
# Catchall
#
+# Users with "canAddDomain" access can see that they have the right
+# to create domains.
+olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(objectClass=FripostVirtual)
+ attrs=entry
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +rd
+olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(objectClass=FripostVirtual)
+ attrs=fripostCanAddDomain
+ by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd
+# Catch the break above
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
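Review bot: The list creation service appears to lose read access to non-pending list entries: the removed ACL granted `cn=CreateList` `=rsd` on every `FripostVirtualList` entry, whereas the new pending-list ACL grants it `+rd` only under the `(objectClass=FripostPendingEntry)` filter and the following general list `entry` ACL has no clause for it, so on a list whose pending status has been removed it falls through `by * +0` with only the `=s` accumulated earlier in the file, as far as the visible hunks show. If the service only touches lists while they are pending this is an intended tightening and deserves a line in the comment, e.g. `# 4. The list creation service can search and read the entry (pending lists only).`; otherwise add `by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +rd` to the second ACL. The `1-3.`/`4.` numbering in that comment also skips the final `by * +0 break` clause.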