Diffstat (limited to 'ldap')
| -rw-r--r-- | ldap/acl.ldif | 16 | ||||
| -rw-r--r-- | ldap/authz.ldif | 2 | ||||
| -rw-r--r-- | ldap/base.ldif | 4 | ||||
| -rwxr-xr-x | ldap/test-user-acl.sh | 20 | 
4 files changed, 21 insertions, 21 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 153470f..3cbbd24 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -64,7 +64,7 @@ olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
 # 4,5. Other users need further access.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
     by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
-    by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+    by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
     by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
     by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0
     by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
@@ -96,7 +96,7 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         attrs=objectClass
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
-    by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
+    by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
     by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
 #
 # 1. Users can search (e.g., to list the entries they have created).
@@ -125,7 +125,7 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 # Our service can search anywhere in the tree (for old pending entries).
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         attrs=entry
-    by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
+    by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
     by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +s
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
 #
@@ -134,7 +134,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         attrs=children
     by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z
-    by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+    by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
 #
 # Our service needs search access to list (old) pending entries.
@@ -336,7 +336,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
     by dnattr=fripostOwner =scd
     by group/fripostVirtualDomain/fripostOwner.expand="$1" =scd
     by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =scd
-    by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd
+    by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd
 #
 # 1. The list owners can edit their entry's attributes.
 # 2. So can the domain owners.
@@ -362,19 +362,19 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
     by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad
     by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
-    by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
+    by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
 #
 # The List Creator can add list commands.
 olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         filter=(objectClass=FripostVirtualList)
         attrs=children
-    by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
+    by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
 #
 # The List Creator can add list commands.
 olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev"
         filter=(objectClass=FripostVirtualListCommand)
         attrs=entry
-    by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
+    by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
 #
 # Catch the "break" control above.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
diff --git a/ldap/authz.ldif b/ldap/authz.ldif
index 34a02df..85a13e0 100644
--- a/ldap/authz.ldif
+++ b/ldap/authz.ldif
@@ -4,7 +4,7 @@
 #
 # That will allow the SASL-authenticated user (service) to be
 # reformatted into a proper DN under our services directory.
-# 
+#
 # SASL authentication can be checked with:
 #
 #   ldapwhoami -U 'AdminWebPanel'
diff --git a/ldap/base.ldif b/ldap/base.ldif
index 4a40d3c..525fca6 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
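Review bot: The two comments in this hunk, `# The List Creator can add list commands.`, still name the service by its old CN although the `by dn.exact` lines directly under them now bind to `cn=CreateList`; the rename should reach the prose as well, e.g. `# The CreateList service can add list commands.`. The first of those comments sits above the rule granting `=a` on `attrs=children` of a FripostVirtualList entry, so it would be more precise as `# The CreateList service can add entries (list commands) below a list.`, leaving the second comment for the `attrs=entry` rule on the FripostVirtualListCommand objects themselves. The same wording also appears at the top of the -125 and -134 hunks ("Our service") and is fine there since it does not name the old CN.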
@@ -32,11 +32,11 @@ objectClass: organizationalRole
 userPassword: smtp
 description: Where Postfix bind to for LDAP lookups.
 
-dn: cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev
+dn: cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev
 objectClass: simpleSecurityObject
 objectClass: organizationalRole
 description: The entity that is authorized to add list commands
-userPassword: listcreator
+userPassword: createlist
 
 dn: cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev
 objectClass: simpleSecurityObject
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 3023152..648f9c6 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
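Review bot: `+userPassword: createlist` stores the bind credential of the new `cn=CreateList` service in cleartext and equal to the account's own name, so the value is recoverable by anyone who can read this file and, if an ACL ever grants read on `userPassword`, by anyone who can read the entry; the neighbouring `userPassword: smtp` context line has the same shape. The `dc=fripost,dc=dev` suffix suggests a development fixture, but if this LDIF also seeds any shared or production directory the attribute should hold a salted hash generated with `slappasswd -h '{SSHA}'` and the secret itself should live outside the repository. At minimum a comment above the entry, `# dev-only fixture: set a real, hashed userPassword before deploying`, would make the intent explicit for the next person who copies it.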
@@ -1124,60 +1124,60 @@ done | isOK '=0$' children
 ###########################################################################
 
 echo
-echo "Service ListCreator"
+echo "Service CreateList"
 
 msg "Have =0 access on domain attributes"
 for D in ${DOMAINS}; do
-    checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken
+    checkACL "cn=CreateList" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on user attributes"
 for U in ${USERS}; do
-    checkACL "cn=ListCreator" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
+    checkACL "cn=CreateList" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on alias attributes"
 for A in ${ALIASES}; do
-    checkACL "cn=ListCreator" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
+    checkACL "cn=CreateList" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Have =zsd access on lists' pending status"
 for L in ${LISTS}; do
-    checkACL "cn=ListCreator" "${L}" fripostPendingToken
+    checkACL "cn=CreateList" "${L}" fripostPendingToken
 done | isOK '=zsd$'
 [ $? -eq 0 ] || exit $?
 
 msg "Have =rsd access on lists' entry attribute"
 for L in ${LISTS}; do
-    checkACL "cn=ListCreator" "${L}" entry
+    checkACL "cn=CreateList" "${L}" entry
 done | isOK '=rsd$'
 [ $? -eq 0 ] || exit $?
 
 msg "Have =a access on lists' children attribute"
 for L in ${LISTS}; do
     search -s base -b "${L},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
-    checkACL "cn=ListCreator" "${L}" children
+    checkACL "cn=CreateList" "${L}" children
 done | isOK '=a$'
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other list attributes"
 for L in ${LISTS}; do
-    checkACL "cn=ListCreator" "${L}" ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description
+    checkACL "cn=CreateList" "${L}" ${OPERATTRS} fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description
 done | isOK '=0$' fvl
 [ $? -eq 0 ] || exit $?
 
 msg "Have =a access on list commands' entry attribute"
 for LC in ${LISTSC}; do
-    checkACL "cn=ListCreator" "${LC}" entry
+    checkACL "cn=CreateList" "${LC}" entry
 done | isOK '=a$'
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other list command attributes"
 for LC in ${LISTSC}; do
-    checkACL "cn=ListCreator" "${LC}" children ${OPERATTRS} fvlc fripostLocalAlias
+    checkACL "cn=CreateList" "${LC}" children ${OPERATTRS} fvlc fripostLocalAlias
 done | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 
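Review bot: The service RDN is repeated as the literal `"cn=CreateList"` in nine `checkACL` calls in this hunk, which is exactly why the rename had to touch every one of them and why a future drift between this script and the DN in `base.ldif` would go unnoticed until a test fails; hoisting it once next to the section header, `SERVICE='cn=CreateList'`, and calling `checkACL "${SERVICE}" "${D}" …` leaves one line to change next time. The header could then be derived from the same variable, `echo "Service ${SERVICE#cn=}"`. Independently of the rename, each `[ $? -eq 0 ] || exit $?` after a `done | isOK …` pipeline exits with the status of the failed `[` test (always 1) rather than the status `isOK` returned, so if the caller distinguishes exit codes, `rv=$?; [ "$rv" -eq 0 ] || exit "$rv"` preserves it; the pattern predates this commit and only the renamed lines are new here.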
