Diffstat (limited to 'ldap')
-rw-r--r-- | ldap/Makefile | 16 | ||||
-rw-r--r-- | ldap/acl.ldif | 178 | ||||
-rw-r--r-- | ldap/base.ldif | 3 | ||||
-rw-r--r-- | ldap/fripost.ldif | 8 | ||||
-rw-r--r-- | ldap/index.ldif | 2 | ||||
-rw-r--r-- | ldap/populate.ldif | 19 | ||||
-rwxr-xr-x | ldap/test-user-acl.sh | 300 |
7 files changed, 366 insertions, 160 deletions
diff --git a/ldap/Makefile b/ldap/Makefile
index e771a72..5efa7e7 100644
--- a/ldap/Makefile
+++ b/ldap/Makefile
@@ -31,12 +31,16 @@ install-mx:
 	@rmdir "$(BACKUPSLAPD)"
 
 install:
-	# ldapadd -Y EXTERNAL -H ldapi:/// -f fripost.ldif
-	# ldapadd -Y EXTERNAL -H ldapi:/// -f index.ldif
-	# ldapadd -Y EXTERNAL -H ldapi:/// -f constraint.ldif
-	# ldapadd -Y EXTERNAL -H ldapi:/// -f acl.ldif
-	# ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
-	# ldapadd -Y EXTERNAL -H ldapi:/// -f populate.ldif
+	# WARN!
+	ldapadd -Y EXTERNAL -H ldapi:/// -f fripost.ldif
+	ldapadd -Y EXTERNAL -H ldapi:/// -f index.ldif
+	ldapadd -Y EXTERNAL -H ldapi:/// -f constraint.ldif
+	ldapadd -Y EXTERNAL -H ldapi:/// -f acl.ldif
+	ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
+	ldapadd -Y EXTERNAL -H ldapi:/// -f populate.ldif
+
+test:
+	sh ./test-user-acl.sh
 
 install-schema:
 	@ldapadd -Q -Y EXTERNAL -H ldapi:/// -f fripost.ldif
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index c090925..ce2aa4c 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
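Review bot: The `# WARN!` comment at the top of the new `install` recipe warns about nothing in particular, while the recipe it heads now runs six `ldapadd -Y EXTERNAL -H ldapi:///` commands against the running slapd's cn=config with no confirmation; say what the warning is, e.g. `# WARN! Modifies the live slapd configuration and data in place; adds are unlikely to be re-runnable once the entries exist.` The new `test` target is not declared phony in this hunk; unless the top of the Makefile already does so, a file named `test` in ldap/ would silently turn `make test` into a no-op, so add `.PHONY: install test`. The diffstat shows test-user-acl.sh is mode 0755, so `./test-user-acl.sh` would honour its shebang instead of forcing `sh`.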
@@ -31,49 +31,54 @@ replace: olcAccess # TODO: IMAP, SASLauth, Amavis # TODO: if possible, make use GSSAPI/EXTERNAL for the services. olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostIsStatusPending,fripostOptionalMaildrop,fvu,fva,fripostMaildrop,fvl,fvlc,fripostLocalAlias + attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand)) by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd - by users none break + by users =0 break +# +olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + attrs=objectClass,fripostPendingToken,fripostIsStatusActive + filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand)) + by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd + by users =0 break # #olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" -# attrs=entry,objectClass,fripostIsStatusActive,fripostIsStatusPending,fvu,@amavisAccount -# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostIsStatusPending=FALSE)) +# attrs=entry,objectClass,fripostIsStatusActive,fripostPendingToken,fvu,@amavisAccount +# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostPendingToken=FALSE)) # by dn.exact="gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth" =rsd -# by users none break +# by users =0 break # # Anonymous can authenticate into the services. (But not read or write the password.) 
olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev" attrs=userPassword - by anonymous auth + by realanonymous =xd # # That's necessary for SASL proxy Authorize the web application. olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev" attrs=entry,objectClass,authzTo - by * =x + by realanonymous =x # # 1. Managers have read/write access to the "virtual" subtree. # 2. The list creator needs further access. # 3. Other services have no access other than the one above. # 4,5. Other users need further access. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" write - by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" none break - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" none break - by anonymous none break + by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd + by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break + by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break + by anonymous =0 break # # 1. Users can change their password (but not read it). # 2. Anonymous users can bind. # 3. Else, we inspect the 2 following ACLs. olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" attrs=userPassword - by self =w - by anonymous auth - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" none break + by realself =w + by anonymous =xd + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break # -# The postmaster of a domain can change (replace) his/her users' -# password (but not see it). +# The postmaster of a domain can change (replace) his/her users' password (but not read it). 
olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=userPassword 
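Review bot: The commented-out amavis rule now filters on `(fripostPendingToken=FALSE)`, but the same commit makes fripostPendingToken a caseExactMatch string in fripost.ldif, indexes it for presence only in index.ldif and sets it to `pending` in populate.ldif, so a "not pending" test should read `(!(fripostPendingToken=*))`; as written the template will never match once it is uncommented. The two near-identical SMTP rules above it differ only in `=rsd` versus `=sd`; a comment such as `# objectClass/status attributes: search+disclose only, so SMTP can filter on them without reading the token value` would keep a later editor from merging them back. The `by users =0 break` lines hand evaluation over to the per-user rules later in the file, which are outside this hunk.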
@@ -83,41 +88,41 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # (That's a catch-all, just to be sure that services, etc. cannot read the passwords). olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" attrs=userPassword - by * none + by * =0 # # 1. Users can search (e.g., to list the entries they have created). # 2. So can the list creator. olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=objectClass - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =s # -# Users can search (e.g., to list the entries they have created). -# Additional permissions may be added later on. +# 1. Users can search (e.g., to list the entries they have created). +# 2. Additional permissions may be added later on. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s break + by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break # # Everyone can create/delete domains. (Provided s/he has +a/+z access to the # "entry" attribute of the domains s/he wants to delete.) olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=children - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =w # -# Reserved local parts are reserved. /!\ The case be insensitive -# postmaster # RFC 822, appendix C.6 -# abuse # RFC 2142, section 4 +# Reserved local parts are reserved. 
/!\ The case must be insensitive +# - postmaster: RFC 822, appendix C.6 +# - abuse: RFC 2142, section 4 olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - by * none + by * =0 # -# Only the domain postmaster can read and search the unlock token and delete the -# 'pending' status. +# Only the domain Postmasters and Owners can read and search the unlock token and +# delete the 'pending' status. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=FripostVirtualDomain) - attrs=fripostIsStatusPending - by dnattr=fripostPostmaster =zrsd - by dnattr=fripostOwner =zrsd + attrs=fripostPendingToken + by dnattr=fripostPostmaster =zscd + by dnattr=fripostOwner =zscd # # 1. The postmaster of a domain can give (or take back) people the right to create # aliases. 
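Review bot: The comment above the domain `fripostPendingToken` rule still says Postmasters and Owners "can read and search the unlock token", but the grant was changed from `=zrsd` to `=zscd`, which carries no `r`; the list rule further down describes the same `=scd` level as "search (but not read)". Change the comment to `# Only the domain Postmasters and Owners can search (but not read) the unlock token and delete the 'pending' status.` so the text and the privilege agree. The "Reserved local parts" comment states the match must be case-insensitive, yet nothing in the `dn.regex` itself makes it so; whether `Postmaster` is caught depends on how slapd normalizes the fvu/fva/fvl values (their EQUALITY rules live in fripost.ldif, outside this hunk), so either state that in the comment or add a mixed-case case to test-user-acl.sh.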
@@ -125,29 +130,29 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=FripostVirtualDomain) attrs=fripostCanAddAlias - by dnattr=fripostPostmaster write - by dnattr=fripostOwner read - by set.exact="this/fripostCanAddAlias & (user | user/-1)" read + by dnattr=fripostPostmaster =wrscd + by dnattr=fripostOwner =rscd + by set.exact="this/fripostCanAddAlias & (user | user/-1)" =rscd # # 1. The postmaster of a domain can give (or take back) people the right to create lists. # 2,3. People that can create lists can list the members of the group. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=FripostVirtualDomain) attrs=fripostCanAddList - by dnattr=fripostPostmaster write - by dnattr=fripostOwner read - by set.exact="this/fripostCanAddList & (user | user/-1)" read + by dnattr=fripostPostmaster =wrscd + by dnattr=fripostOwner =rscd + by set.exact="this/fripostCanAddList & (user | user/-1)" =rscd # # 1-3. Noone (but the managers) can appoint domain Owners or Postmasters. # But people that can create aliases and lists can list the members of their group. olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualDomain) attrs=fripostOwner,fripostPostmaster - by dnattr=fripostOwner read - by dnattr=fripostPostmaster read - by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" read + by dnattr=fripostOwner =rscd + by dnattr=fripostPostmaster =rscd + by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd by dn.onelevel,expand="$1" +d - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 # # 1. Domain owners can edit their entry's attributes. # 2. So can domain postmasters. 
@@ -156,19 +161,19 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualDomain) attrs=fvd,fripostIsStatusActive,description - by dnattr=fripostOwner write - by dnattr=fripostPostmaster write - by dn.onelevel,expand="$1" read - by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" read + by dnattr=fripostOwner =wrscd + by dnattr=fripostPostmaster =wrscd + by dn.onelevel,expand="$1" =rscd + by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd # # 1. Domain owners can edit their entry's attributes. # 2. So can domain postmasters. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=FripostVirtualDomain) attrs=@fripostVirtualDomain - by dnattr=fripostOwner write - by dnattr=fripostPostmaster write - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 + by dnattr=fripostOwner =wrscd + by dnattr=fripostPostmaster =wrscd + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 # # Every one can add or delete children, but we will be carefull with the # kid's "entry" attribute, which require +a and +z to add and delete 
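Review bot: The `attrs=@fripostVirtualDomain` rule grants owners and postmasters `=wrscd` on every attribute of the object class, which per fripost.ldif includes fripostOwner, fripostPostmaster and fripostPendingToken that the rules above limit to `=rscd` or `=zscd`; this is only safe because slapd uses the first `to` clause that matches, so those narrower rules must stay above this one. Record the dependency next to the rule, e.g. `# Keep below the fripostOwner/fripostPostmaster/fripostPendingToken rules: @fripostVirtualDomain covers them too and the first matching "to" clause wins.`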
@@ -176,12 +181,13 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=FripostVirtualDomain) attrs=children - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +w # -# 1. Domain owners can delete the domain (and read the entry). -# 2. So can domain postmasters. -# 3. Domain users can read the domain entry (but not delete it). -# 4. So can users with "canAddAlias" or "canAddList" rights. +# 1. Users with "addDomain" access can create new entries. +# 2. Domain owners can delete their domain (and read the entry). +# 3. So can domain postmasters. +# 4. Domain users can read the domain entry (but not delete it). +# 5. So can users with "canAddAlias" or "canAddList" rights. olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualDomain) attrs=entry 
@@ -190,22 +196,22 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ by dnattr=fripostPostmaster +zrd by dn.onelevel,expand="$1" +rd by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 # # Noone (but the managers) can change quotas. olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=fripostUserQuota - by self read - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read + by self =rscd + by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd # # 1. Users can modify their own entry. # 2. So can their postmasters. olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=@FripostVirtualUser - by self write - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write + by self =wrscd + by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd # # 1. Postmasters can create users (but not delete them). # (Provided that they have +a access to the parent's "children" attribute.) 
@@ -222,10 +228,10 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualAlias) attrs=fripostOwner - by dnattr=fripostOwner read continue - by group/fripostVirtualDomain/fripostOwner.expand="$1" write - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 + by dnattr=fripostOwner =rscd continue + by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd + by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 # # 1. The alias owners can edit the rest of their entry's attributes. # 2. So can the domain owners. @@ -233,9 +239,9 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualAlias) attrs=@FripostVirtualAlias - by dnattr=fripostOwner write - by group/fripostVirtualDomain/fripostOwner.expand="$1" write - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write + by dnattr=fripostOwner =wrscd + by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd + by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd # # 1. The alias owners can read and delete the entry. # 2. So can the domain owner. 
@@ -249,7 +255,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 # # 1. The list owner can list the ownership of the entry. # 2. The domain owner can add/delete/change the ownership of the entry. @@ -257,10 +263,10 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualList) attrs=fripostOwner - by dnattr=fripostOwner read continue - by group/fripostVirtualDomain/fripostOwner.expand="$1" write - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 + by dnattr=fripostOwner =rscd continue + by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd + by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 # # 1. The list owner read (but not edit) the transport-related attributes. # 2. So can the domain ower. 
@@ -268,17 +274,19 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualList) attrs=fripostListManager - by dnattr=fripostOwner read - by group/fripostVirtualDomain/fripostOwner.expand="$1" read - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read + by dnattr=fripostOwner =rscd + by group/fripostVirtualDomain/fripostOwner.expand="$1" =rscd + by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd # -# Only the list creator can remove the "pending" flag +# 1,2,3. The list owner and the domain Owner and Postmaster can search +# (but not read) the 'pending' token. +# 4. The list creator can remove the "pending" flag. olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualList) - attrs=fripostIsStatusPending - by dnattr=fripostOwner read - by group/fripostVirtualDomain/fripostOwner.expand="$1" read - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read + attrs=fripostPendingToken + by dnattr=fripostOwner =scd + by group/fripostVirtualDomain/fripostOwner.expand="$1" =scd + by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =scd by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd # # 1. The list owners can edit their entry's attributes. 
@@ -287,9 +295,9 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualList) attrs=@FripostVirtualList - by dnattr=fripostOwner write - by group/fripostVirtualDomain/fripostOwner.expand="$1" write - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write + by dnattr=fripostOwner =wrscd + by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd + by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd # # 1. The list owners can read the entry. # 2. So can the domain's Owner. @@ -304,7 +312,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd # # The List Creator can add list commands. @@ -321,4 +329,4 @@ olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting # # Catch the "break" control above. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 diff --git a/ldap/base.ldif b/ldap/base.ldif index bdc9896..ff48497 100644 --- a/ldap/base.ldif +++ b/ldap/base.ldif 
@@ -19,6 +19,7 @@ objectClass: organizationalUnit objectClass: fripostVirtual fripostCanAddDomain: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostCanAddDomain: fvu=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddDomain: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev description: Virtual mail hosting @@ -38,6 +39,8 @@ description: The entity that is authorized to add list commands userPassword: listcreator dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev +objectClass: simpleSecurityObject objectClass: organizationalRole description: The adminstrator Web Panel +userPassword: panel authzTo: dn.regex:^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$ diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif index 71abdf4..862d480 100644 --- a/ldap/fripost.ldif +++ b/ldap/fripost.ldif @@ -92,11 +92,11 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostOptionalMaildrop' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} ) # olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostIsStatusActive' - DESC 'Is the entry active?' + DESC 'When present, a token locking the entry in an inactive state' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostIsStatusPending' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostPendingToken' DESC 'Is the entry pending?' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE ) @@ -146,7 +146,7 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain' MUST ( fvd $ fripostIsStatusActive ) MAY ( fripostCanAddAlias $ fripostCanAddList $ fripostOwner $ fripostPostmaster $ - fripostOptionalMaildrop $ fripostIsStatusPending $ description ) ) + fripostOptionalMaildrop $ fripostPendingToken $ description ) ) # # | TODO: add limits here olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser' 
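Review bot: `userPassword: panel` is added in clear text to the AdminWebPanel entry, and the `install` target in this commit now loads base.ldif straight into the running slapd; together with the `authzTo` rule on the next context line, which lets this identity proxy-authorize as any `fvu=...` user, a short static password becomes the one secret guarding every virtual account. Even for a dc=fripost,dc=dev fixture, store a hash (`slappasswd` output) or mark it, e.g. `# TEST ONLY: replace before loading into a non-dev directory.`; the `userPassword: listcreator` context line above has the same issue.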
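Review bot: The new DESC 'When present, a token locking the entry in an inactive state' is attached to fripostIsStatusActive, which stays a SINGLE-VALUE booleanMatch attribute, is MUST in the object classes below and is set to TRUE/FALSE in populate.ldif, while the renamed fripostPendingToken (caseExactMatch, presence-indexed in index.ldif, valued `pending` in populate.ldif) keeps the old 'Is the entry pending?'. The two descriptions look swapped; restore `DESC 'Is the entry active?'` on fripostIsStatusActive and move the token wording to fripostPendingToken, e.g. `DESC 'When present, a token locking the entry in a pending state'`.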
@@ -165,7 +165,7 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList' SUP top STRUCTURAL DESC 'Virtual list' MUST ( fvl $ fripostListManager $ fripostIsStatusActive $ fripostLocalAlias ) - MAY ( fripostOwner $ description $ fripostIsStatusPending ) ) + MAY ( fripostOwner $ description $ fripostPendingToken ) ) # olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualListCommand' SUP top STRUCTURAL diff --git a/ldap/index.ldif b/ldap/index.ldif index 7db5288..77b0e5a 100644 --- a/ldap/index.ldif +++ b/ldap/index.ldif @@ -31,7 +31,7 @@ add: olcDbIndex olcDbIndex: fripostIsStatusActive,fvd,fvu,fva,fvl,fvlc eq - add: olcDbIndex -olcDbIndex: fripostIsStatusPending pres +olcDbIndex: fripostPendingToken pres - add: olcDbIndex olcDbIndex: fripostOptionalMaildrop pres diff --git a/ldap/populate.ldif b/ldap/populate.ldif index 9844275..3401259 100644 --- a/ldap/populate.ldif +++ b/ldap/populate.ldif @@ -39,7 +39,7 @@ fripostIsStatusActive: TRUE fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostMaildrop: user1@fripost.org fripostMaildrop: user1@example.org -# Buggy owner +# Bogus owner fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # An independent alias @@ -47,6 +47,8 @@ dn: fva=alias2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: user2@fripost.org +objectClass: SimpleSecurityObject +userPassword: bogus # An owned list dn: fvl=list1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev 
@@ -62,15 +64,17 @@ objectClass: FripostVirtualList fripostListManager: schleuder fripostIsStatusActive: TRUE fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -# Buggy owner +# Bogus owner fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostLocalAlias: list2#fripost.org dn: fvl=test-mailman,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualList +objectClass: SimpleSecurityObject +userPassword: bogus fripostListManager: mailman fripostIsStatusActive: TRUE -fripostIsStatusPending: TRUE +fripostPendingToken: TRUE fripostLocalAlias: test-mailman#fripost.org fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev @@ -80,6 +84,9 @@ dn: fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualDomain fripostCanAddAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostIsStatusActive: FALSE +fripostPendingToken: pending +objectClass: SimpleSecurityObject +userPassword: bogus description: Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod description: tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim description: veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea @@ -132,7 +139,7 @@ dn: fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualDomain fripostIsStatusActive: TRUE fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -# Buggy owner +# Bogus owner fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostOptionalMaildrop: catch-all@example.org fripostOptionalMaildrop: @example2.org 
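Review bot: test-mailman gets `fripostPendingToken: TRUE` while example.org in the next hunk gets `fripostPendingToken: pending`; now that the attribute is an opaque caseExactMatch string whose presence is what matters, the boolean-looking `TRUE` reads as if the old fripostIsStatusPending semantics survived. Use the same token style in both places, or note the intent above the line, e.g. `# any value will do: presence alone marks the entry as pending`. The `objectClass: SimpleSecurityObject` / `userPassword: bogus` pairs added to list, alias and domain entries exist so the "Authenticated non-users" section of test-user-acl.sh can bind as them; a one-line comment saying so would stop a later cleanup from dropping them as junk.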
@@ -163,7 +170,7 @@ fripostCanAddAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostPostmaster: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostPostmaster: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev -# Buggy owner +# Bogus postmaster fripostPostmaster: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostCanAddAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostOptionalMaildrop: catch-all@example.org @@ -184,6 +191,8 @@ FripostLocalAlias: list#postmastered.org dn: fvlc=list-request,fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualListCommand FripostLocalAlias: list-request#postmastered.org +objectClass: SimpleSecurityObject +userPassword: bogus dn: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualUser diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh index 9b954c7..1dda3dc 100755 --- a/ldap/test-user-acl.sh +++ b/ldap/test-user-acl.sh @@ -19,7 +19,7 @@ RES=$(tempfile) || exit 1 checkACL () { CMD=${SLAPACL} - BIND="${1},${SUFFIX}" + if [ x"${1}" = x"''" ]; then BIND=${SUFFIX}; else BIND="${1},${SUFFIX}"; fi if [ -n "${1}" ]; then CMD="${CMD} -D ${BIND}"; fi if [ -n "${2}" ]; then BASE="${2},${SUFFIXV}"; else BASE="${SUFFIXV}"; fi shift; shift 
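Review bot: checkACL now treats the literal two-character argument `''` as "bind as the suffix itself", which is easy to misread as an empty string and is only produced by the `NU="'' ..."` list elsewhere in the script; a comment on the new line, e.g. `# the literal word '' (two quote characters) means bind as ${SUFFIX}; an empty first argument means anonymous`, would make the sentinel visible. `[ x"${1}" = x"''" ]` can be written `[ "${1}" = "''" ]` in POSIX sh, the `x` prefix being a workaround for test implementations that misparse leading dashes. The body of checkACL continues past the end of the hunk.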
@@ -79,7 +79,7 @@ LISTS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualList" dn | \ LISTSC=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualListCommand" dn | \ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+), *([^,]+),.*/fvlc=\1,fvl=\2,fvd=\3/') -OPERATTRS="structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp" +OPERATTRS="structuralObjectClass creatorsName entryUUID createTimestamp entryCSN modifiersName modifyTimestamp" ######################################################################## 
@@ -92,40 +92,96 @@ echo "Anonymous users:" msg "Have =xd access to \"userPassword\" attributes" for U in ${USERS}; do checkACL "" "${U}" userPassword -done | isOK 'auth(=xd)$' +done | isOK '=xd$' [ $? -eq 0 ] || exit $? msg "Have =0 access to the rest of user entries" for U in ${USERS}; do checkACL "" "${U}" -done | grep -v '^userPassword=.*: auth(=xd)$' | isOK '=0$' entry +done | grep -v '^userPassword=.*: =xd$' | isOK '=0$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to alias entries" for A in ${ALIASES}; do checkACL "" "${A}" -done | isOK '=0' entry +done | isOK '=0$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to list entries" for L in ${LISTS}; do checkACL "" "${L}" -done | isOK '=0' entry +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + + +msg "Have =0 access to list commands entries" +for LC in ${LISTSC}; do + checkACL "" "${LC}" +done | isOK '=0$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to domain entries" for D in ${DOMAINS}; do checkACL "" "${D}" -done | isOK '=0' entry +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + + +msg "Have =0 access to the base" +checkACL "" "" | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + + +########################################################################### + +echo +echo "Authenticated non-users" +NU="'' ${DOMAINS} ${ALIASES} ${LISTS} ${LISTSC}" + +msg "Have =0 access to alias entries" +for X in ${NU}; do + for A in ${ALIASES}; do + checkACL "${X}" "${A}" + done +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + + +msg "Have =0 access to list entries" +for X in ${NU}; do + for L in ${LISTS}; do + checkACL "${X}" "${L}" + done +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + + +msg "Have =0 access to list commands entries" +for X in ${NU}; do + for LC in ${LISTSC}; do + checkACL "${X}" "${LC}" + done +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? 
+ + +msg "Have =0 access to domain entries" +for X in ${NU}; do + for D in ${DOMAINS}; do + checkACL "${X}" "${D}" + done +done | isOK '=0$' entry [ $? -eq 0 ] || exit $? msg "Have =0 access to the base" -checkACL "" "" | isOK '=0' entry +for X in ${NU}; do + checkACL "${X}" "" +done | isOK '=0$' entry [ $? -eq 0 ] || exit $? @@ -148,10 +204,9 @@ usersB entry | isOK '=s' entry [ $? -eq 0 ] || exit $? -# Needed to delete domains. They cannot create domains though, as they -# would need =a on the "children" attribute. -msg "Have =z access on the base's \"children\" attribute" -usersB children | isOK '=z$' children +# Needed to create/delete domains. +msg "Have =w access on the base's \"children\" attribute" +usersB children | isOK '=w$' children [ $? -eq 0 ] || exit $? @@ -167,7 +222,8 @@ echo echo "Authenticated users, access to domain entries" # * entry: -# =s-a for all +# =s for all +# +a if canAddDomain # +rd if children, canAdd{Alias,List}, owner or postmaster # +z if owner or postmaster # * children: @@ -180,6 +236,8 @@ echo "Authenticated users, access to domain entries" # * fripostIsStatusActive # =rscd if children, canAdd{Alias,List}, owner or postmaster # +w if owner or postmaster +# * fripostPendingToken +# =zscd if owner or postmaster # * fripostCanAddAlias # =rscd if canAddAlias, owner or postmaster # +w if postmaster 
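Review bot: Every new section ends with `[ $? -eq 0 ] || exit $?`, but inside the `||` branch `$?` is already the status of the failed `[ ... ]` test, i.e. 1, so the pipeline's real exit code is never propagated; use `|| exit 1`, or capture it first: `rc=$?; [ $rc -eq 0 ] || exit $rc`. The pattern is inherited from the older checks, but this hunk adds eight more copies and the @@ -208 hunk adds several others. The "Authenticated non-users" list `NU` depends on the word `''` being understood by checkACL as the suffix-bind sentinel, a contract that lives in the @@ -19 hunk above.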
@@ -208,11 +266,68 @@ usersD () { done } -msg "Cannot appoint domain Owners or Postmasters; Cannot add a domain" +msg "Cannot appoint domain Owners or Postmasters" usersD fripostOwner/add fripostOwner/delete \ fripostPostmaster/add fripostPostmaster/delete \ - entry/add \ - | isOK 'DENIED$' entry + entryUUID/add \ + | isOK 'DENIED$' entryUUID +[ $? -eq 0 ] || exit $? + + +msg "Have =0 rights on the \"pending\" status (unless owner or postmaster)" +for U in ${USERS}; do + for D in ${DOMAINS}; do + search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) + (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ + checkACL "${U}" "${D}" fripostPendingToken + done +done | isOK '=0$' +[ $? -eq 0 ] || exit $? + + +msg "Have =zscd access on the \"pending\" status (if owner or postmaster)" +for U in ${USERS}; do + for D in ${DOMAINS}; do + search -s base -b "${D},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) + (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' && \ + checkACL "${U}" "${D}" fripostPendingToken + done +done | isOK '=zscd$' +[ $? -eq 0 ] || exit $? + + +# Needed to create new entries. ("+z" is required to delete, btw.) +msg "Have >=a access to \"entry\" (if CanAddDomain, exact)" +for U in ${USERS}; do + for D in ${DOMAINS}; do + search -s base -b "${SUFFIX}" "fripostCanAddDomain=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${D}" entry/add + done +done | isOK 'ALLOWED$' entry add +[ $? -eq 0 ] || exit $? + + +# Needed to create new entries. ("+z" is required to delete, btw.) +msg "Have >=a access to \"entry\" (if CanAddDomain, wildcard)" +for U in ${USERS}; do + DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + for D in ${DOMAINS}; do + search -s base -b "${SUFFIX}" "fripostCanAddDomain=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${D}" entry/add + done +done | isOK 'ALLOWED$' entry add +[ $? -eq 0 ] || exit $? 
+ + +msg "Do not have >=a access to \"entry\" (unless canAddDomain)" +for U in ${USERS}; do + DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + for D in ${DOMAINS}; do + search -s base -b "${SUFFIX}" "(|(fripostCanAddDomain=${U},${SUFFIX}) + (fripostCanAddDomain=${DU},${SUFFIX}))" | grep -q '^dn: ' || \ + checkACL "${U}" "${D}" entry/add + done +done | isOK 'DENIED$' entry add [ $? -eq 0 ] || exit $? # We ensure not to give +a/+z access to the \"entry\" attribute of the @@ -372,9 +487,9 @@ for U in ${USERS}; do (fripostCanAddList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSL} entry/add + checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSL} entryUUID/add done -done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the count +done | isOK 'DENIED$' entryUUID # "entryUUID" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? @@ -387,9 +502,9 @@ for U in ${USERS}; do (fripostCanAddAlias=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" fripostCanAddAlias entry/add + checkACL "${U}" "${D}" fripostCanAddAlias entryUUID/add done -done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count +done | isOK '\(=0\|DENIED\)$' entryUUID # "entryUUID" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? @@ -402,9 +517,9 @@ for U in ${USERS}; do (fripostCanAddList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" fripostCanAddList entry/add + checkACL "${U}" "${D}" fripostCanAddList entryUUID/add done -done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count +done | isOK '\(=0\|DENIED\)$' entryUUID # "entryUUID" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? 
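Review bot: The new positive checks (`... | grep -q '^dn: ' && checkACL ...` for the `=zscd` pending-token case and both CanAddDomain `entry/add` cases) silently shrink to nothing when `search` fails or the filter matches no entry, so an unreachable slapd or a populate.ldif with no owner/CanAddDomain grant leaves isOK with empty input; whether that is treated as a pass depends on isOK, which is outside the hunk, so make it fail on zero matched lines or assert a non-zero count here. The `entryUUID/add` substituted for `entry/add` in the "Cannot appoint domain Owners or Postmasters" check is only there to pad the match count, as the later hunks say in their trailing comment; add the same `# "entryUUID" here is useless, but it's just to get the count` on this line too so nobody reads it as a real operational-attribute test. The `# Needed to create new entries. ("+z" is required to delete, btw.)` comment is duplicated verbatim above the exact and wildcard CanAddDomain checks; the second copy could instead say what the wildcard form (`DU` extracted with sed from the user's `fvd=` RDN) is testing.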
@@ -425,9 +540,9 @@ msg "Do not have >=w access to \"canAdd{Alias,List}\" (unless Postmaster)" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" ${ATTRSP} entry/add + checkACL "${U}" "${D}" ${ATTRSP} entryUUID/add done -done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the count +done | isOK 'DENIED$' entryUUID # "entryUUID" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? @@ -466,16 +581,16 @@ usersU () { # They would need write access to their fripostUserQuota. # In practice they can't write fvu either, since it's single valued. -msg "Have =rscxd access to their \"fripostUserQuota\"" -usersU fripostUserQuota | isOK 'read(=rscxd)$' +msg "Have =rscd access to their \"fripostUserQuota\"" +usersU fripostUserQuota | isOK '=rscd$' [ $? -eq 0 ] || exit $? -msg "Have =wd access to their own \"userPassword\"" +msg "Have =w access to their own \"userPassword\"" usersU userPassword | isOK '=w$' [ $? -eq 0 ] || exit $? -msg "Have =wrscxd access to the other attributes of their own entry" -usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu +msg "Have =wrscd access to the other attributes of their own entry" +usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu [ $? -eq 0 ] || exit $? msg "Have >=rsd access to the \"entry\" attribute of their own entry" 
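Review bot: `usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu` asserts that every user has write access to their own `fripostIsStatusActive`, bundled with harmless self-service attributes; if deactivation is meant to be a postmaster-only sanction, this is the assertion that lets a suspended account re-enable itself, and the suite would never flag it. Unless that is intended, give the attribute its own line so the privilege is visible, e.g. `msg "Have =wrscd access to their own \"fripostIsStatusActive\""` followed by `usersU fripostIsStatusActive | isOK '=wrscd$'`, or tighten it to `=rscd` if acl.ldif is changed. The ACL and usersU are outside this hunk, so this is a question to confirm rather than a verified defect.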
@@ -519,16 +634,16 @@ usersP () { done } -msg "Have =rscxd access to their user's \"fripostUserQuota\" (if Postmaster)" -usersP fripostUserQuota | isOK 'read(=rscxd)$' +msg "Have =rscd access to their user's \"fripostUserQuota\" (if Postmaster)" +usersP fripostUserQuota | isOK '=rscd$' [ $? -eq 0 ] || exit $? msg "Have =wd access to their user's \"userPassword\" (if Postmaster)" usersP userPassword | isOK '=w$' [ $? -eq 0 ] || exit $? -msg "Have =wrscxd access to the other attributes of their users' entry (if Postmaster)" -usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu +msg "Have =wrscd access to the other attributes of their users' entry (if Postmaster)" +usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu [ $? -eq 0 ] || exit $? # "+a" is needed to create new accounts. "+z" would be required to @@ -716,7 +831,7 @@ echo "Authenticated users, access to list entries" # =rscd if list owner, domain owner or domain postmaster # * fripostIsStatusActive: # =wrscd if list owner, domain owner or domain postmaster -# * fripostIsStatusPending: +# * fripostPendingToken: # =rscd if list owner, domain owner or domain postmaster # * fripostOwner: # =d for all @@ -753,12 +868,12 @@ done | isOK 'DENIED$' fripostListManager [ $? -eq 0 ] || exit $? -msg "Cannot edit pending status; Cannot delete entry" +msg "Cannot read or delete the pending status; Cannot delete entry" for U in ${USERS}; do for L in ${LISTS}; do - checkACL "${U}" "${L}" fripostIsStatusPending/write entry/delete + checkACL "${U}" "${L}" fripostPendingToken/read fripostPendingToken/add fripostPendingToken/delete entry/delete done -done | isOK 'DENIED$' fripostIsStatusPending +done | isOK 'DENIED$' entry [ $? -eq 0 ] || exit $? 
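Review bot: `msg "Have =wd access to their user's \"userPassword\" (if Postmaster)"` still announces `=wd` while the assertion right after it is `isOK '=w$'`, which would reject a `=wd` result; the parallel self-service check in the previous hunk was corrected to `=w`, so this label should read `msg "Have =w access to their user's \"userPassword\" (if Postmaster)"`. Write-only (no read, no disclose) on a password attribute is the right shape for an admin-reset privilege, so the assertion, not the message, is the one to keep.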
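Review bot: The header comment now reads `# * fripostPendingToken:` / `# =rscd if list owner, domain owner or domain postmaster`, but the check in the following hunk asserts `fripostPendingToken/read` is DENIED for every user and the ATTRS list in the next hunk drops `fripostPendingToken/read`, keeping only search/compare/disclose; the comment should say `=scd`. Presumably the token is a secret consumed by the ListCreator service (which the later hunk gives `=zsd`), so the stale `r` would mislead anyone tuning acl.ldif from this comment block. The comment block starts before the hunk.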
@@ -766,7 +881,7 @@ ATTRS="entry/read entry/disclose fvl/write fvl/read fvl/search fvl/compare fvl/disclose fripostListManager/read fripostListManager/search fripostListManager/compare fripostListManager/disclose fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose - fripostIsStatusPending/read fripostIsStatusPending/search fripostIsStatusPending/compare fripostIsStatusPending/disclose + fripostPendingToken/search fripostPendingToken/compare fripostPendingToken/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose description/add description/delete description/read description/compare description/disclose" ATTRS2="fripostOwner/add fripostOwner/delete" 
@@ -888,53 +1003,93 @@ echo "Service SMTP" msg "Can read and search the domain attributes it needs" for D in ${DOMAINS}; do - checkACL "cn=SMTP" "${D}" entry objectClass fvd fripostIsStatusActive fripostOptionalMaildrop + checkACL "cn=SMTP" "${D}" entry fvd fripostOptionalMaildrop done | isOK '=rsd$' entry +[ $? -eq 0 ] || exit $? + +msg "Can search the domain attributes it needs" +for D in ${DOMAINS}; do + checkACL "cn=SMTP" "${D}" objectClass fripostPendingToken fripostIsStatusActive +done | isOK '=sd$' objectClass +[ $? -eq 0 ] || exit $? msg "Have =0 access on other domain attributes" for D in ${DOMAINS}; do checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description -done | isOK 'none(=0)$' children +done | isOK '=0$' children +[ $? -eq 0 ] || exit $? msg "Can read and search the user attributes it needs" for U in ${USERS}; do - checkACL "cn=SMTP" "${U}" entry objectClass fvu fripostIsStatusActive fripostOptionalMaildrop + checkACL "cn=SMTP" "${U}" entry fvu fripostOptionalMaildrop done | isOK '=rsd$' entry +[ $? -eq 0 ] || exit $? + +msg "Can search the user attributes it needs" +for U in ${USERS}; do + checkACL "cn=SMTP" "${U}" objectClass fripostIsStatusActive +done | isOK '=sd$' objectClass +[ $? -eq 0 ] || exit $? msg "Have =0 access on other user attributes" for U in ${USERS}; do - checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUser description -done | isOK 'none(=0)$' children + checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description +done | isOK '=0$' children +[ $? -eq 0 ] || exit $? msg "Can read and search the alias attributes it needs" for A in ${ALIASES}; do - checkACL "cn=SMTP" "${A}" entry objectClass fva fripostMaildrop fripostIsStatusActive + checkACL "cn=SMTP" "${A}" entry fva fripostMaildrop done | isOK '=rsd$' entry +[ $? -eq 0 ] || exit $? 
+ +msg "Can search the alias attributes it needs" +for A in ${ALIASES}; do + checkACL "cn=SMTP" "${A}" objectClass fripostIsStatusActive +done | isOK '=sd$' objectClass +[ $? -eq 0 ] || exit $? msg "Have =0 access on other alias attributes" for A in ${ALIASES}; do checkACL "cn=SMTP" "${A}" children ${OPERATTRS} fripostOwner description -done | isOK 'none(=0)$' children +done | isOK '=0$' children +[ $? -eq 0 ] || exit $? msg "Can read and search the list attributes it needs" for L in ${LISTS}; do - checkACL "cn=SMTP" "${L}" entry objectClass fvl fripostIsStatusActive fripostLocalAlias fripostIsStatusPending + checkACL "cn=SMTP" "${L}" entry fvl fripostLocalAlias done | isOK '=rsd$' entry +[ $? -eq 0 ] || exit $? + +msg "Can search the list attributes it needs" +for L in ${LISTS}; do + checkACL "cn=SMTP" "${L}" objectClass fripostIsStatusActive fripostPendingToken +done | isOK '=sd$' objectClass +[ $? -eq 0 ] || exit $? msg "Have =0 access on other list attributes" for L in ${LISTS}; do checkACL "cn=SMTP" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description -done | isOK 'none(=0)$' children +done | isOK '=0$' children +[ $? -eq 0 ] || exit $? msg "Can read and search the list command attributes it needs" for LC in ${LISTSC}; do - checkACL "cn=SMTP" "${LC}" entry objectClass fvlc fripostIsStatusActive fripostLocalAlias + checkACL "cn=SMTP" "${LC}" entry fvlc done | isOK '=rsd$' entry +[ $? -eq 0 ] || exit $? + +msg "Can search the list command attributes it needs" +for LC in ${LISTSC}; do + checkACL "cn=SMTP" "${LC}" objectClass +done | isOK '=sd$' objectClass +[ $? -eq 0 ] || exit $? msg "Have =0 access on other list command attributes" for LC in ${LISTSC}; do checkACL "cn=SMTP" "${LC}" children ${OPERATTRS} -done | isOK 'none(=0)$' children +done | isOK '=0$' children +[ $? -eq 0 ] || exit $? ########################################################################### 
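Review bot: The list-command checks no longer cover `fripostIsStatusActive` and `fripostLocalAlias`: the removed line tested `entry objectClass fvlc fripostIsStatusActive fripostLocalAlias` for `=rsd`, while the new trio tests only `entry fvlc` (`=rsd`), `objectClass` (`=sd`) and `children ${OPERATTRS}` (`=0`), so an acl.ldif change granting or revoking SMTP on those two attributes for list-command entries would pass this suite unnoticed. Every other object type in this hunk enumerates its attributes exhaustively across the three buckets; add the two to whichever bucket reflects the intended ACL, e.g. `checkACL "cn=SMTP" "${LC}" entry fvlc fripostLocalAlias` and `checkACL "cn=SMTP" "${LC}" objectClass fripostIsStatusActive`, or to the `=0` line if SMTP is not supposed to see them on list commands. The `=rsd` versus `=sd` split is a good least-privilege tightening; complete negative lists are what make it enforceable.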
@@ -946,46 +1101,55 @@ msg "Have =0 access on domain attributes" for D in ${DOMAINS}; do checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? msg "Have =0 access on user attributes" for U in ${USERS}; do checkACL "cn=ListCreator" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? msg "Have =0 access on alias attributes" for A in ${ALIASES}; do checkACL "cn=ListCreator" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? -msg "Have =zrd access on lists' pending status" +msg "Have =zsd access on lists' pending status" for L in ${LISTS}; do - checkACL "cn=ListCreator" "${L}" fripostIsStatusPending -done | isOK '=zrd$' + checkACL "cn=ListCreator" "${L}" fripostPendingToken +done | isOK '=zsd$' +[ $? -eq 0 ] || exit $? msg "Have =rsd access on lists' entry attribute" for L in ${LISTS}; do checkACL "cn=ListCreator" "${L}" entry done | isOK '=rsd$' +[ $? -eq 0 ] || exit $? msg "Have =a access on lists' children attribute" for L in ${LISTS}; do checkACL "cn=ListCreator" "${L}" children done | isOK '=a$' +[ $? -eq 0 ] || exit $? msg "Have =0 access on other list attributes" for L in ${LISTS}; do checkACL "cn=ListCreator" "${L}" ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description done | isOK '=0$' fvl +[ $? -eq 0 ] || exit $? msg "Have =a access on list commands' entry attribute" for LC in ${LISTSC}; do checkACL "cn=ListCreator" "${LC}" entry done | isOK '=a$' +[ $? -eq 0 ] || exit $? 
msg "Have =0 access on other list command attributes" for LC in ${LISTSC}; do checkACL "cn=ListCreator" "${LC}" children ${OPERATTRS} fvlc fripostLocalAlias done | isOK '=0$' children +[ $? -eq 0 ] || exit $? ########################################################################### 
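Review bot: The ListCreator `=0` checks do not mention `fripostPendingToken` on domain entries nor `fripostIsStatusActive` on list-command entries, although this commit introduces `fripostPendingToken` as a domain attribute (see the domain-entry comment block earlier in the diff) and the previous SMTP check listed `fripostIsStatusActive` on list commands. The only grant asserted for this service on the pending token is the `=zsd` on lists; to keep it that narrow, append `fripostPendingToken` to the domain line `checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd ...` and `fripostIsStatusActive` to the list-command `=0` line, provided that attribute applies to list commands in the schema (fripost.ldif is not in view here).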
@@ -996,28 +1160,46 @@ echo "Service AdminWebPanel" msg "Have =0 access on domain attributes" for D in ${DOMAINS}; do checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description -done | isOK 'none(=0)$' entry +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? msg "Have =0 access on user attributes" for U in ${USERS}; do checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description -done | isOK 'none(=0)$' entry +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? msg "Have =0 access on alias attributes" for A in ${ALIASES}; do checkACL "cn=AdminWebPanel" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description -done | isOK 'none(=0)$' entry +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? msg "Have =0 access on list attributes" for L in ${LISTS}; do - checkACL "cn=AdminWebPanel" "${L}" entry children ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description fripostIsStatusPending -done | isOK 'none(=0)$' entry + checkACL "cn=AdminWebPanel" "${L}" entry children ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description fripostPendingToken +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? msg "Have =0 access on other list command attributes" for LC in ${LISTSC}; do checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias -done | isOK 'none(=0)$' entry +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + +MECH='DIGEST-MD5' +PANEL='AdminWebPanel@fripost.org' +msg "Check authcID" +slapauth -U "${PANEL}" 2>&1 | grep '^ID: ' | isOK 'check succeeded$' +[ $? -eq 0 ] || exit $? 
+ +msg "Can proxy authorize (${MECH})" +for U in ${USERS}; do + DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z]) + slapauth -U "${PANEL}" -X "${DN}" 2>&1 | grep '^authorization ' +done | isOK '^authorization failed$' +# TODO: is that needed? if test -x /usr/bin/sudo && sudo -u fpanel klist >/dev/null; then msg "Can SASL authenticate (GSSAPI)" DN=$(echo "dn:cn=AdminWebPanel,${SUFFIXS}" | tr [A-Z] [a-z]) @@ -1031,7 +1213,7 @@ if test -x /usr/bin/sudo && sudo -u fpanel klist >/dev/null; then if [ "${DN}" = "${DN2}" ]; then echo ok; else echo fail; fi done | isOK '^ok$' else - echo "WARN: No valid ticket found. Didn't check SSAL authentication" + echo "WARN: No valid ticket found. Didn't check SASL GSSAPI authentication" fi rm "${RES}" |
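Review bot: The new proxy-authorization check is the only one in this hunk without a `[ $? -eq 0 ] || exit $?` after it, so `done | isOK '^authorization failed$'` can fail without failing the run, and the test contradicts itself as written: `msg "Can proxy authorize (${MECH})"` announces a capability while the expected slapauth output is `authorization failed`. Decide which way it should go and make it enforceable: if the panel must not be able to impersonate users, rename it `msg "Cannot proxy authorize as users"` and add the exit guard; if it must, change the expectation to whatever slapauth prints on success for this version and also pass the mechanism, since `MECH='DIGEST-MD5'` is only interpolated into the message and never given to slapauth as `-M "${MECH}"`. The `# TODO: is that needed?` left above the GSSAPI block should be resolved rather than committed. The AdminWebPanel `=0` lines for domains and users also omit `fripostPendingToken`, which this commit adds as a domain attribute, while the list line includes it.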