Diffstat (limited to 'ldap/acl.ldif')
-rw-r--r--ldap/acl.ldif293
1 files changed, 293 insertions, 0 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
new file mode 100644
index 0000000..5af52aa
--- /dev/null
+++ b/ldap/acl.ldif
@@ -0,0 +1,293 @@
+# Load this file with
+#
+# ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
+#
+# It will remove existing ACLs, and add the following instead. Ensure
+# that it's indeed the database #1 that you want to amend:
+#
+# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn
+#
+#
+# /!\ ATTENTION! Every modification made to this file should be
+# /!\ implemented in the test suite as well!
+#
+#
+# References:
+# - http://www.openldap.org/doc/admin24/access-control.html
+# - http://www.openldap.org/faq/data/cache/189.html
+# - http://www.openldap.org/faq/data/cache/1140.html
+# - http://www.openldap.org/faq/data/cache/1133.html
+# - man 5 slapd.access
+
+
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+replace: olcAccess
+## Managers have read/write access to the "virtual" subtree.
+#olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+# by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
+# by * break
+#-
+## 1. Users/Services/Managers can change their password (but not read it).
+## 2. Anonymous users/services/managers can bind.
+## 3. Else, we inspect the 2 following ACLs.
+#add: olcAccess
+olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+ attrs=userPassword
+ by self =w
+ by anonymous auth
+ by users none break
+-
+# The postmaster of a domain can change (replace) his/her users' password.
+add: olcAccess
+olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualMailbox)
+ attrs=userPassword
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w
+-
+# No permission on the userPassword attribute for other users.
+# (That's a catch-all, just to be sure that services, etc. cannot read the passwords).
+add: olcAccess
+olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+ attrs=userPassword
+ by * none
+#-
+## Services can read the whole subtree (minus the userPassword attributes).
+#add: olcAccess
+#olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualML
+# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=org" read
+# by users * break
+-
+# Users can search (e.g., to list the entries they have created).
+# Additional permissions may be added later on.
+add: olcAccess
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateML
+ by users =s break
+-
+# Everyone can delete domains. (Provided he has +d access to the "entry"
+# attribute of the domains he wants to delete.)
+add: olcAccess
+olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=children
+ by users =z
+-
+# 1. The postmaster of a domain can give (or take back) people the right to create
+# aliases.
+# 2,3. People that can create aliases can list the members of the group.
+add: olcAccess
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=fripostCanCreateAlias
+ by dnattr=fripostPostmaster write
+ by dnattr=fripostOwner read
+ by set.exact="this/fripostCanCreateAlias & (user | user/-1)" read
+-
+# 1. The postmaster of a domain can give (or take back) people the right to create
+# mailing lists.
+# 2,3. People that can create mailing lists can list the members of the group.
+add: olcAccess
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=fripostCanCreateML
+ by dnattr=fripostPostmaster write
+ by dnattr=fripostOwner read
+ by set.exact="this/fripostCanCreateML & (user | user/-1)" read
+-
+# 1-3. Noone (but the managers) can appoint domain Owners or Postmasters.
+# But people that can create aliases and mailing lists can list the members of their group.
+add: olcAccess
+olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=fripostOwner,fripostPostmaster
+ by dnattr=fripostOwner read
+ by dnattr=fripostPostmaster read
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML)& (user | user/-1)" read
+ by dn.onelevel,expand="$1" +d
+ by users +0
+-
+# Every one can add or delete children, but we will be carefull with the
+# kid's "entry" attribute, which require +a and +z to add and delete
+# respectively.
+add: olcAccess
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=children
+ by users +w
+-
+# 1. Domain owners can edit their entry's attributes.
+# 2. So can domain postmasters.
+# 3. Domain users can read the public domain attributes.
+# 4. So can users with "canCreateAlias" or "canCreateML" access.
+add: olcAccess
+olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=fvd,fripostIsStatusActive,description
+ by dnattr=fripostOwner write
+ by dnattr=fripostPostmaster write
+ by dn.onelevel,expand="$1" read
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" read
+-
+# 1. Domain owners can edit their entry's attributes.
+# 2. So can domain postmasters.
+add: olcAccess
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=@fripostVirtualDomain
+ by dnattr=fripostOwner write
+ by dnattr=fripostPostmaster write
+ by users +0
+-
+# 1. Domain owners can delete the domain (and read the entry).
+# 2. So can domain postmasters.
+# 3. Domain users can read the domain entry (but not delete it).
+# 4. So can users with "canCreateAlias" or "canCreateML" rights.
+add: olcAccess
+olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=entry
+ by dnattr=fripostOwner +zrd
+ by dnattr=fripostPostmaster +zrd
+ by dn.onelevel,expand="$1" +rd
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" +rd
+ by users +0
+-
+# Noone (but the managers) can change quotas.
+add: olcAccess
+olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualMailbox)
+ attrs=fripostMailboxQuota
+ by self read
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+-
+# 1. Users can modify their own entry.
+# 2. So can their postmasters.
+add: olcAccess
+olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualMailbox)
+ attrs=@FripostVirtualMailbox
+ by self write
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+-
+# 1. Postmasters can create mailboxes (but not delete them).
+# (Provided that they have +a access to the parent's "children" attribute.)
+# 2. Users can read their entry (but not delete it).
+add: olcAccess
+olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualMailbox)
+ attrs=entry
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
+ by self +rd
+-
+# Reserved aliases cannot be deactivated. (But the alias definition may be changed by the
+# domain owner.)
+add: olcAccess
+olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualAlias)
+ attrs=fripostIsStatusActive,fripostOwner,fva
+ by group/fripostVirtualDomain/fripostOwner.expand="$2" read
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$2" read
+ by users +0
+-
+# Reserved aliases cannot be deleted.
+add: olcAccess
+olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualAlias)
+ attrs=entry
+ by group/fripostVirtualDomain/fripostOwner.expand="$2" +ard
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$2" +ard
+ by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
+ by users +0
+-
+# 1. The alias owner can list the ownership of the entry.
+# 2. The domain owner can add/delete/change the ownership of the entry.
+# 3. So can the domain postmasters.
+add: olcAccess
+olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualAlias)
+ attrs=fripostOwner
+ by dnattr=fripostOwner read continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" write
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by users +0
+-
+# 1. The alias owners can edit the rest of their entry's attributes.
+# 2. So can the domain owners.
+# 3. So can the domain postmasters.
+add: olcAccess
+olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualAlias)
+ attrs=@FripostVirtualAlias
+ by dnattr=fripostOwner write
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" write
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+-
+# 1. The alias owners can read and delete the entry.
+# 2. So can the domain owner.
+# 3. So can the domain postmaster.
+# 4. Users with "canCreateAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain.
+# (But *not* delete them, unless also owner.)
+add: olcAccess
+olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualAlias)
+ attrs=entry
+ by dnattr=fripostOwner +zrd continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
+ by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
+ by users +0
+-
+# 1. The mailing list owner can list the ownership of the entry.
+# 2. The domain owner can add/delete/change the ownership of the entry.
+# 3. So can the domain postmasters.
+add: olcAccess
+olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualML)
+ attrs=fripostOwner
+ by dnattr=fripostOwner read continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" write
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by users +0
+-
+# 1. The mailing list owner read (but not edit) the transport-related attributes.
+# 2. So can the domain ower.
+# 3. So can the domain postmaster.
+add: olcAccess
+olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualML)
+ attrs=fripostMLManager,fripostMLCommand
+ by dnattr=fripostOwner read
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" read
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+-
+# 1. The mailing list owners can edit their entry's attributes.
+# 2. So can the domain owners.
+# 3. So can the domain postmasters.
+add: olcAccess
+olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualML)
+ attrs=@FripostVirtualML
+ by dnattr=fripostOwner write
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" write
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+-
+# 1. The mailing list owners can read and delete the entry.
+# 2. So can the domain's Owner.
+# 3. So can the domain's Postmaster.
+# 4. Users with "canCreateML" capability (either explicitely, or as a wildcard) for the domain can create mailing lists for that domain.
+# (But *not* delete them, unless also owner.)
+add: olcAccess
+olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualML)
+ attrs=entry
+ by dnattr=fripostOwner +rzd continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" +rwd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
+ by set.exact="this/-1/fripostCanCreateML & (user | user/-1)" +a
+ by users +0
+-
+# Catch the "break" control above.
+add: olcAccess
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ by users +0
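Review bot: Several rule comments ("Noone (but the managers) can appoint domain Owners or Postmasters", "Noone (but the managers) can change quotas") assume a manager rule, but the only manager clause in this olcAccess list is the commented-out one at the top, and its DN uses the suffix `ou=managers,o=mailHosting,dc=fripost,dc=org` while every live rule targets `dc=fripost,dc=dev`; if it is ever uncommented as written it matches nobody and silently grants nothing. The commented services rule has the same suffix mismatch plus a malformed who-clause, `by users * break`, that slapd would reject on load, so these stale lines (and the orphaned `#-` / `#add: olcAccess` separators) are better deleted or corrected than left as a future copy-paste trap; presumably manager access is meant to come from the rootdn or a later commit, which is worth saying in the header comment. Two smaller points: the comment above the `attrs=children` rule on `ou=virtual` says "Everyone can delete domains" while the clause is `by users =z`, so `# Any authenticated user (by users) can delete domains` is the accurate wording, and the privilege letters are ordered `+zrd`/`+wrd` in the alias entry rule but `+rzd`/`+rwd` in the mailing-list entry rule, which are equivalent but read as if they differed.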