Diffstat (limited to 'ldap')
-rw-r--r-- | ldap/acl.ldif | 51 | ||||
-rw-r--r-- | ldap/base.ldif | 3 | ||||
-rw-r--r-- | ldap/fripost.ldif | 39 | ||||
-rw-r--r-- | ldap/index.ldif | 2 |
4 files changed, 62 insertions, 33 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 0528545..c090925 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -28,14 +28,20 @@ replace: olcAccess
 # first as it's likely to be the most used.
 # TODO: for postfix, it'd be more efficient and more secure to SASL-bind
 # on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
-# TODO: IMAP & SASLauth
-# TODO: if possible, make use GSSAPI for the services.
+# TODO: IMAP, SASLauth, Amavis
+# TODO: if possible, make use GSSAPI/EXTERNAL for the services.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostIsStatusPending,fripostOptionalMaildrop,fvu,fva,fripostMaildrop,fvl,fvlc,fripostLocalAlias
  filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
  by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
  by users none break
 #
+#olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+# attrs=entry,objectClass,fripostIsStatusActive,fripostIsStatusPending,fvu,@amavisAccount
+# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostIsStatusPending=FALSE))
+# by dn.exact="gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth" =rsd
+# by users none break
+#
 # Anonymous can authenticate into the services. (But not read or write the password.)
 olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
  attrs=userPassword
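Review bot: The commented-out Amavis ACL is already stale within this same commit: its filter `(fripostIsStatusPending=FALSE)` assumes a boolean, while fripost.ldif below redefines fripostIsStatusPending as a caseExactMatch string that holds a token and is deleted to clear the pending state, so FALSE will never match. The clause also pins the peer to `gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth`, numeric ids that vary per host; if it is ever enabled, a comment such as `# peercred of the <amavis system account — TODO confirm uid/gid on the target host>` keeps it auditable. Since the attribute is now a token rather than a flag, the service would presumably only need search access on it, not `=rsd`.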
@@ -60,7 +66,7 @@ olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 # 1. Users can change their password (but not read it).
 # 2. Anonymous users can bind.
 # 3. Else, we inspect the 2 following ACLs.
-olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  attrs=userPassword
  by self =w
  by anonymous auth
@@ -89,20 +95,30 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 # Users can search (e.g., to list the entries they have created).
 # Additional permissions may be added later on.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
+ attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
  by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
  by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break
 #
-# Everyone can delete domains. (Provided s/he has +d access to the "entry"
-# attribute of the domains s/he wants to delete.)
+# Everyone can create/delete domains. (Provided s/he has +a/+z access to the
+# "entry" attribute of the domains s/he wants to delete.)
 olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =z
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
 #
-# Reserved local parts are reserved.
+# Reserved local parts are reserved. /!\ The case be insensitive
+# postmaster # RFC 822, appendix C.6
+# abuse # RFC 2142, section 4
 olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  by * none
 #
+# Only the domain postmaster can read and search the unlock token and delete the
+# 'pending' status.
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=FripostVirtualDomain)
+ attrs=fripostIsStatusPending
+ by dnattr=fripostPostmaster =zrsd
+ by dnattr=fripostOwner =zrsd
+#
 # 1. The postmaster of a domain can give (or take back) people the right to create
 # aliases.
 # 2,3. People that can create aliases can list the members of the group.
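Review bot: The new pending-token ACL's comment says only the domain postmaster can read the unlock token, but the clause `by dnattr=fripostOwner =zrsd` grants the owner the same rights; either drop that clause or reword the comment to `# Only the domain postmaster and owner can read/search the unlock token and delete the 'pending' status.` Now that fripostIsStatusPending carries a token instead of a boolean (fripost.ldif in this commit), the first ACL of this file (the `cn=SMTP` clause in the first hunk, where the attribute is in the attrs list with `=rsd`) lets the SMTP service read every domain's token, so a compromised mail service could unlock domains; if Postfix only filters on the attribute, `=s` there would suffice. The reserved-local-parts regex `(postmaster|abuse)` is itself case-sensitive, and whether `Postmaster` is caught depends on how fvu/fva/fvl values are normalized in the DN (their matching rules are not in this diff), so the `/!\ The case be insensitive` remark should say which it is, e.g. `# Matched against the normalized DN, so case-insensitive — TODO confirm fvu/fva/fvl use caseIgnoreMatch`.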
@@ -133,14 +149,6 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
  by dn.onelevel,expand="$1" +d
  by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
-# Every one can add or delete children, but we will be carefull with the
-# kid's "entry" attribute, which require +a and +z to add and delete
-# respectively.
-olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=FripostVirtualDomain)
- attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
-#
 # 1. Domain owners can edit their entry's attributes.
 # 2. So can domain postmasters.
 # 3. Domain users can read the public domain attributes.
@@ -162,6 +170,14 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  by dnattr=fripostPostmaster write
  by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
+# Every one can add or delete children, but we will be carefull with the
+# kid's "entry" attribute, which require +a and +z to add and delete
+# respectively.
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=FripostVirtualDomain)
+ attrs=children
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
+#
 # 1. Domain owners can delete the domain (and read the entry).
 # 2. So can domain postmasters.
 # 3. Domain users can read the domain entry (but not delete it).
@@ -169,6 +185,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
 olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualDomain)
  attrs=entry
+ by set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a continue
  by dnattr=fripostOwner +zrd
  by dnattr=fripostPostmaster +zrd
  by dn.onelevel,expand="$1" +rd
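Review bot: The new clause `by set.exact="this/-1/fripostCanAddDomain & (user | user/-1)" +a continue` in the @@ -169 hunk is dense enough to deserve a comment, e.g. `# +a if the bind DN, or the domain it lives under (user/-1), is listed in fripostCanAddDomain of ou=virtual (this/-1).` Note that `user/-1` turns every user of a listed domain into a domain creator, not only the listed DN; that is presumably the intent of allowing a domain value, but the comment should say so. As far as I recall slapd.access(5) still marks set-based ACLs as experimental, which is worth a line next to the clause. The `attrs=children +w` ACL moved by the @@ -133 and @@ -162 hunks is textually unchanged, and since the ACL it now follows appears to target entry attributes rather than `children` the reordering looks cosmetic, but that neighbouring ACL's `attrs` line is outside these hunks, so please confirm.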
@@ -262,7 +279,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
  by dnattr=fripostOwner read
  by group/fripostVirtualDomain/fripostOwner.expand="$1" read
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
- by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd
 #
 # 1. The list owners can edit their entry's attributes.
 # 2. So can the domain owners.
diff --git a/ldap/base.ldif b/ldap/base.ldif
index 0f414f1..bdc9896 100644
--- a/ldap/base.ldif
+++ b/ldap/base.ldif
@@ -16,6 +16,9 @@ description: Mail hosting
 dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev
 objectClass: organizationalUnit
+objectClass: fripostVirtual
+fripostCanAddDomain: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
+fripostCanAddDomain: fvu=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev
 description: Virtual mail hosting
diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif
index 2409b26..71abdf4 100644
--- a/ldap/fripost.ldif
+++ b/ldap/fripost.ldif
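Review bot: base.ldif now grants domain-creation rights to `fvu=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev`, which reads like a development fixture; together with the `+a` set clause added to acl.ldif, any directory seeded from this file lets that account create domains. If it is only for testing, keep it in a test-only LDIF or mark it `# DEV ONLY: remove before deployment`. The `fvd=fripost.org,...` value already covers every user of that domain via `user/-1` in the ACL, so the user-level value looks redundant in any case.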
@@ -98,31 +98,35 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.9 NAME 'fripostIsStatusActive'
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostIsStatusPending'
  DESC 'Is the entry pending?'
- EQUALITY booleanMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostUserQuota'
  DESC 'The quota on a user e.g., "50MB"'
  EQUALITY caseExactMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostCanAddAlias'
- DESC 'A user/domain that can create aliases under the parent domain'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostCanAddDomain'
+ DESC 'A user/domain that can add domains'
  SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostCanAddList'
- DESC 'A user/domain that can create lists under the parent domain'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostCanAddAlias'
+ DESC 'A user/domain that can add aliases under the parent domain'
  SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostOwner'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostCanAddList'
+ DESC 'A user/domain that can add lists under the parent domain'
+ SUP distinguishedName )
+#
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.15 NAME 'fripostOwner'
  DESC 'A user that owns under parent domain'
  SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.15 NAME 'fripostPostmaster'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.16 NAME 'fripostPostmaster'
  DESC 'A user that is a postmaster of the parent domain'
  SUP distinguishedName )
 #
-olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.16 NAME 'fripostListManager'
+olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.17 NAME 'fripostListManager'
  DESC 'The list manager'
  EQUALITY caseIgnoreMatch
  SUBSTR
caseIgnoreSubstringsMatch
@@ -131,34 +135,39 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.16 NAME 'fripostListManager'
 #
 # Objects: 1.3.6.1.4.1.40011.1.2
 #
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtualDomain'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtual'
+ AUXILIARY
+ DESC 'Virtual mail hosting'
+ MAY ( fripostCanAddDomain ) )
+#
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain'
  SUP top STRUCTURAL
  DESC 'Virtual domain'
  MUST ( fvd $ fripostIsStatusActive )
  MAY ( fripostCanAddAlias $ fripostCanAddList $ fripostOwner $ fripostPostmaster $
- fripostOptionalMaildrop $ description ) )
+ fripostOptionalMaildrop $ fripostIsStatusPending $ description ) )
 #
 # | TODO: add limits here
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualUser'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser'
  SUP top STRUCTURAL
  DESC 'Virtual user'
  MUST ( fvu $ userPassword $ fripostIsStatusActive )
  MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) )
 #
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAlias'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualAlias'
  SUP top STRUCTURAL
  DESC 'Virtual alias'
  MUST ( fva $ fripostMaildrop $ fripostIsStatusActive )
  MAY ( fripostOwner $ description ) )
 #
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualList'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList'
  SUP top STRUCTURAL
  DESC 'Virtual list'
  MUST ( fvl $ fripostListManager $ fripostIsStatusActive $ fripostLocalAlias )
  MAY ( fripostOwner $ description $ fripostIsStatusPending ) )
 #
-olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualListCommand'
+olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualListCommand'
  SUP top STRUCTURAL
  DESC 'Virtual list command'
  MUST ( fvlc $ fripostLocalAlias ) )
diff --git a/ldap/index.ldif b/ldap/index.ldif
index 6d720bd..7db5288 100644
--- a/ldap/index.ldif
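Review bot: The @@ -98 hunk reassigns OIDs that were already bound to other definitions: 1.3.6.1.4.1.40011.1.2.1.12 moves from fripostCanAddAlias to fripostCanAddDomain and .13/.14/.15/.16 shift along, and the @@ -131 hunk does the same for every object class (1.3.6.1.4.1.40011.1.2.1 goes from FripostVirtualDomain to FripostVirtual, .2 from User to Domain, and so on). OIDs are meant to be permanent identifiers; a slapd or client that has already loaded the previous schema will see an existing name under a new OID and a new name under an existing OID, and a cn=config modify may well be refused or mis-applied. Appending the new definitions at the next free numbers (.17 for the attribute type, .7 for the object class) keeps every existing OID stable. Independently, 1.3.6.1.4.1.40011.1.2.1 is now both the OID of FripostVirtual and the parent arc of all attribute types (1.3.6.1.4.1.40011.1.2.1.N); that overlap predates this commit, but a renumbering would have been the moment to give object classes and attribute types separate arcs.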
+++ b/ldap/index.ldif
@@ -31,7 +31,7 @@ add: olcDbIndex
 olcDbIndex: fripostIsStatusActive,fvd,fvu,fva,fvl,fvlc eq
 -
 add: olcDbIndex
-olcDbIndex: fripostIsStatusPending pres,eq
+olcDbIndex: fripostIsStatusPending pres
 -
 add: olcDbIndex
 olcDbIndex: fripostOptionalMaildrop pres
|
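Review bot: Dropping `eq` from the fripostIsStatusPending index changes only how slapd evaluates filters, not who may evaluate them; an equality filter on the token still succeeds (unindexed) for any identity with `s` access, which acl.ldif in this commit grants to the postmaster, the owner and the SMTP service. If the intent is to stop the token being probed by value, that has to come from the ACL, and a short comment stating why `eq` was removed would keep someone from re-adding it, e.g. `# pres only: the attribute now holds a per-domain unlock token that is never looked up by value`.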