Diffstat (limited to 'ldap')
-rw-r--r-- | ldap/Makefile | 6 | ||||
-rw-r--r-- | ldap/acl.ldif | 16 | ||||
-rw-r--r-- | ldap/fripost.ldif | 14 | ||||
-rw-r--r-- | ldap/populate.ldif | 14 | ||||
-rw-r--r-- | ldap/syncrepl.ldif | 2 | ||||
-rwxr-xr-x | ldap/test-user-acl.sh | 30 |
6 files changed, 42 insertions, 40 deletions
diff --git a/ldap/Makefile b/ldap/Makefile
index 01f20fd..4dd0faa 100644
--- a/ldap/Makefile
+++ b/ldap/Makefile
@@ -75,11 +75,13 @@ uninstall:
 	;fi
 	#
 	@echo "Making a new configuration directory at \`$(TMPSLAPD)'"
-	@mkdir -m0700 "$(TMPSLAPD)" && slapcat -n0 | slapadd -F "$(TMPSLAPD)" -n0 && chown -R 'openldap:openldap' "$(TMPSLAPD)"
+	@mkdir -m 0700 "$(TMPSLAPD)" && slapcat -n0 | slapadd -F "$(TMPSLAPD)" -n0 && chown -R 'openldap:openldap' "$(TMPSLAPD)"
 	#
 	@echo "Deleting schema \"cn=$(SCHEMA),cn=config\"" && find "$(TMPSLAPD)/cn=config/cn=schema/" -type f -name "cn={*}$(SCHEMA).ldif" -delete
 	#
-	@echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete
+	@if test -d "$(TMPSLAPD)/$(NUM2)"; then \
+	@echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete \
+	;fi
 	#
 	@/etc/init.d/slapd stop
 	#
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index ac2e19d..c84d328 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -32,7 +32,7 @@ replace: olcAccess
 # TODO: if possible, make use GSSAPI for the services.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostIsStatusPending,fripostOptionalMaildrop,fvu,fva,fripostMaildrop,fvl,fvlc,fripostLocalAlias
- filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
+ filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
  by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
  by users none break
 #
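Review bot: In the new `@if test -d "$(TMPSLAPD)/$(NUM2)"; then \` block the `@` on the continued line `@echo "Deleting constraints" && find ...` reaches the shell rather than make, because make strips the `@`/`-`/`+` prefix only from the start of a recipe and a backslash-newline keeps the next line inside the same recipe; the shell will look for a command named `@echo`, the `&&` chain never runs `find`, and the uninstall step fails. Drop the prefix on the continuation: `echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete \`. Since this recipe appears to run with privileges (it chowns the directory to openldap), it is also worth guarding `NUM2`: with it unset the path collapses to `$(TMPSLAPD)/`, the new `test -d` check passes, and `find -delete` removes matching overlay files under every database rather than one; a `$(if $(strip $(NUM2)),,$(error NUM2 is empty))` at the top of the target prevents that. The `uninstall` recipe continues outside the hunk on both sides.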
@@ -69,7 +69,7 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 # The postmaster of a domain can change (replace) his/her users'
 # password (but not see it).
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualUser)
  attrs=userPassword
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w
 #
@@ -177,24 +177,24 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
 #
 # Noone (but the managers) can change quotas.
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualMailbox)
- attrs=fripostMailboxQuota
+ filter=(objectClass=FripostVirtualUser)
+ attrs=fripostUserQuota
  by self read
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
 #
 # 1. Users can modify their own entry.
 # 2. So can their postmasters.
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualMailbox)
- attrs=@FripostVirtualMailbox
+ filter=(objectClass=FripostVirtualUser)
+ attrs=@FripostVirtualUser
  by self write
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
 #
-# 1. Postmasters can create mailboxes (but not delete them).
+# 1. Postmasters can create users (but not delete them).
 # (Provided that they have +a access to the parent's "children" attribute.)
 # 2. Users can read their entry (but not delete it).
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=FripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualUser)
  attrs=entry
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
  by self +rd
diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif
index e0c226d..970f924 100644
--- a/ldap/fripost.ldif
+++ b/ldap/fripost.ldif
@@ -83,10 +83,10 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostMaildrop'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
 #
 # We are creating a new attribute, optional in virtual domains and
-# mailboxes, because the presence index should *not* apply to the
+# users, because the presence index should *not* apply to the
 # mandatory attribute above.
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostOptionalMaildrop'
- DESC 'An optional email address for catch-all aliases on domains and mailboxes'
+ DESC 'An optional email address for catch-all aliases on domains and users'
  EQUALITY caseIgnoreIA5Match
  SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
@@ -101,8 +101,8 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostIsStatusPending'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostMailboxQuota'
- DESC 'The quota on a mailbox e.g., "50MB"'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostUserQuota'
+ DESC 'The quota on a user e.g., "50MB"'
  EQUALITY caseExactMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
 #
@@ -140,11 +140,11 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtualDomain'
  fripostOptionalMaildrop $ description ) )
 #
 # | TODO: add limits here
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualMailbox'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualUser'
  SUP top STRUCTURAL
- DESC 'Virtual mailbox'
+ DESC 'Virtual user'
  MUST ( fvu $ userPassword $ fripostIsStatusActive )
- MAY ( fripostMailboxQuota $ fripostOptionalMaildrop $ description) )
+ MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) )
 #
 olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAlias'
  SUP top STRUCTURAL
diff --git a/ldap/populate.ldif b/ldap/populate.ldif
index d0f6c0b..4e0f9b6 100644
--- a/ldap/populate.ldif
+++ b/ldap/populate.ldif
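Review bot: The attribute at OID 1.3.6.1.4.1.40011.1.2.1.11 and the object class at OID 1.3.6.1.4.1.40011.1.2.2 keep their OIDs but lose their old NAMEs in the `@@ -101` and `@@ -140` hunks, so any entry still stored as `objectClass: FripostVirtualMailbox` or carrying `fripostMailboxQuota` (an existing database or an LDIF export) is rejected by schema checking once this schema is loaded, and the acl.ldif filters that now read `objectClass=FripostVirtualUser` stop matching such entries until they are re-classed. If the rename has to be rolled out against live data, keeping the old name as an alias during the transition lets both forms load: `NAME ( 'fripostUserQuota' 'fripostMailboxQuota' )` and `NAME ( 'FripostVirtualUser' 'FripostVirtualMailbox' )`, with the alias dropped once migration is done. This assumes there is deployed data beyond populate.ldif; if the directory is only ever rebuilt from that file the point is moot.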
@@ -19,7 +19,7 @@ fripostCanCreateList: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripo
 fripostIsStatusActive: TRUE
 
 dn: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualMailbox
+objectClass: FripostVirtualUser
 userPassword: user1
 fripostIsStatusActive: TRUE
 fripostOptionalMaildrop: user1@fripost.org
@@ -28,7 +28,7 @@ fripostOptionalMaildrop: user1@external2.org
 fripostOptionalMaildrop: user1@external3.org
 
 dn: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualMailbox
+objectClass: FripostVirtualUser
 userPassword: user2
 fripostIsStatusActive: TRUE
 
@@ -150,7 +150,7 @@ fripostIsStatusActive: TRUE
 fripostLocalAlias: list#owned.org
 
 dn: fvu=user,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualMailbox
+objectClass: FripostVirtualUser
 userPassword: user
 fripostIsStatusActive: TRUE
 
@@ -186,13 +186,13 @@ objectClass: FripostVirtualListCommand
 FripostLocalAlias: list-request#postmastered.org
 
 dn: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualMailbox
+objectClass: FripostVirtualUser
 userPassword: user
 fripostIsStatusActive: TRUE
-fripostMailboxQuota: 10MB
+fripostUserQuota: 10MB
 
 dn: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualMailbox
+objectClass: FripostVirtualUser
 userPassword: bigbrother
 fripostIsStatusActive: TRUE
 
@@ -205,7 +205,7 @@ fripostPostmaster: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost
 fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 
 dn: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev
-objectClass: FripostVirtualMailbox
+objectClass: FripostVirtualUser
 fripostIsStatusActive: TRUE
 userPassword: user
 description: Test domain internalization (user@☮.net).
diff --git a/ldap/syncrepl.ldif b/ldap/syncrepl.ldif
index 6fe0d06..2f40472 100644
--- a/ldap/syncrepl.ldif
+++ b/ldap/syncrepl.ldif
@@ -26,7 +26,7 @@ credentials="xxxxxx"
 type=refreshAndPersist
 retry="5 5 300 +"
 searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org"
-filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))(fripostIsStatusActive=TRUE))"
+filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))(fripostIsStatusActive=TRUE))"
 attrs="fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fvd,fvu,fva,fvl,fripostListCommand,fripostListManager"
 scope=sub
 schemachecking=off
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 12f3d14..c55916e 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -70,7 +70,7 @@ search () {
 
 DOMAINS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualDomain" dn | \
     grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+),.*/fvd=\1/')
-USERS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualMailbox" dn | \
+USERS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualUser" dn | \
     grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvu=\1,fvd=\2/')
 ALIASES=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualAlias" dn | \
     grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fva=\1,fvd=\2/')
@@ -451,7 +451,7 @@ echo "Authenticated users, access to user entries"
 # =w if account owner or domain postmaster
 # * fripostIsStatusActive:
 # =wrscd if account owner or domain postmaster
-# * fripostMailboxQuota:
+# * fripostUserQuota:
 # =rscd if account owner or domain postmaster
 # * fripostOptionalMaildrop:
 # =wrscd if account owner or domain postmaster
@@ -464,10 +464,10 @@ usersU () {
 done
 }
 
-# They would need write access to their fripostMailboxQuota.
+# They would need write access to their fripostUserQuota.
 # In practice they can't write fvu either, since it's single valued.
-msg "Have =rscxd access to their \"fripostMailboxQuota\""
-usersU fripostMailboxQuota | isOK 'read(=rscxd)$'
+msg "Have =rscxd access to their \"fripostUserQuota\""
+usersU fripostUserQuota | isOK 'read(=rscxd)$'
 [ $? -eq 0 ] || exit $?
 
 msg "Have =wd access to their own \"userPassword\""
@@ -500,7 +500,7 @@ for U1 in ${USERS}; do
     checkACL "${U1}" "${U2}" entry children \
         fvu userPassword \
         fripostIsStatusActive \
-        fripostMailboxQuota \
+        fripostUserQuota \
         fripostOptionalMaildrop \
         description
 done
@@ -519,8 +519,8 @@ usersP () {
 done
 }
 
-msg "Have =rscxd access to their user's \"fripostMailboxQuota\" (if Postmaster)"
-usersP fripostMailboxQuota | isOK 'read(=rscxd)$'
+msg "Have =rscxd access to their user's \"fripostUserQuota\" (if Postmaster)"
+usersP fripostUserQuota | isOK 'read(=rscxd)$'
 [ $? -eq 0 ] || exit $?
 
 msg "Have =wd access to their user's \"userPassword\" (if Postmaster)"
@@ -896,14 +896,14 @@ for D in ${DOMAINS}; do
     checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
 done | isOK 'none(=0)$' children
 
-msg "Can read and search the mailbox attributes it needs"
+msg "Can read and search the user attributes it needs"
 for U in ${USERS}; do
     checkACL "cn=SMTP" "${U}" entry objectClass fvu fripostIsStatusActive fripostOptionalMaildrop
 done | isOK '=rsd$' entry
 
-msg "Have =0 access on other mailbox attributes"
+msg "Have =0 access on other user attributes"
 for U in ${USERS}; do
-    checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostMailboxQuota description
+    checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUser description
 done | isOK 'none(=0)$' children
 
 msg "Can read and search the alias attributes it needs"
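Review bot: The renamed attribute in the SMTP negative check, `checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUser description` in the `@@ -896` hunk, is `fripostUser`, a name this commit's schema does not define (fripost.ldif renames the attribute to `fripostUserQuota`, and the other three hunks of this file use that name). As written the suite no longer verifies that the SMTP service has `=0` on the quota attribute, so a later ACL change granting SMTP access to `fripostUserQuota` would pass; depending on how `checkACL` treats an unknown attribute it may also emit a spurious result for that argument. Change the line to `checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description`. The enclosing `for U in ${USERS}` loop is entirely inside the hunk; `checkACL` and `isOK` are defined outside it.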
@@ -947,9 +947,9 @@ for D in ${DOMAINS}; do
     checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
 done | isOK '=0$' entry
 
-msg "Have =0 access on mailbox attributes"
+msg "Have =0 access on user attributes"
 for U in ${USERS}; do
-    checkACL "cn=ListCreator" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostMailboxQuota fripostOptionalMaildrop description
+    checkACL "cn=ListCreator" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
 done | isOK '=0$' entry
 
 msg "Have =0 access on alias attributes"
@@ -998,9 +998,9 @@ for D in ${DOMAINS}; do
     checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description
 done | isOK 'none(=0)$' entry
 
-msg "Have =0 access on mailbox attributes"
+msg "Have =0 access on user attributes"
 for U in ${USERS}; do
-    checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostMailboxQuota fripostOptionalMaildrop description
+    checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
 done | isOK 'none(=0)$' entry
 
 msg "Have =0 access on alias attributes"
|