From 03415210a74739563a54c1b3a9ae786027a0d8be Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sat, 19 Jan 2013 02:21:23 +0100 Subject: =?UTF-8?q?CanCreate=20=E2=86=92=20CanAdd?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ldap/Makefile | 2 +- ldap/acl.ldif | 28 +++++------ ldap/database.ldif | 2 +- ldap/fripost.ldif | 12 ++--- ldap/populate.ldif | 22 ++++----- ldap/test-user-acl.sh | 134 +++++++++++++++++++++++++------------------------- 6 files changed, 100 insertions(+), 100 deletions(-) diff --git a/ldap/Makefile b/ldap/Makefile index 4dd0faa..e771a72 100644 --- a/ldap/Makefile +++ b/ldap/Makefile @@ -80,7 +80,7 @@ uninstall: @echo "Deleting schema \"cn=$(SCHEMA),cn=config\"" && find "$(TMPSLAPD)/cn=config/cn=schema/" -type f -name "cn={*}$(SCHEMA).ldif" -delete # @if test -d "$(TMPSLAPD)/$(NUM2)"; then \ - @echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete \ + echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete \ ;fi # @/etc/init.d/slapd stop diff --git a/ldap/acl.ldif b/ldap/acl.ldif index c84d328..0528545 100644 --- a/ldap/acl.ldif +++ b/ldap/acl.ldif @@ -89,7 +89,7 @@ olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" # Users can search (e.g., to list the entries they have created). # Additional permissions may be added later on. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateList + attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break # @@ -108,19 +108,19 @@ olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o # 2,3. People that can create aliases can list the members of the group. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=FripostVirtualDomain) - attrs=fripostCanCreateAlias + attrs=fripostCanAddAlias by dnattr=fripostPostmaster write by dnattr=fripostOwner read - by set.exact="this/fripostCanCreateAlias & (user | user/-1)" read + by set.exact="this/fripostCanAddAlias & (user | user/-1)" read # # 1. The postmaster of a domain can give (or take back) people the right to create lists. # 2,3. People that can create lists can list the members of the group. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=FripostVirtualDomain) - attrs=fripostCanCreateList + attrs=fripostCanAddList by dnattr=fripostPostmaster write by dnattr=fripostOwner read - by set.exact="this/fripostCanCreateList & (user | user/-1)" read + by set.exact="this/fripostCanAddList & (user | user/-1)" read # # 1-3. Noone (but the managers) can appoint domain Owners or Postmasters. # But people that can create aliases and lists can list the members of their group. @@ -129,7 +129,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ attrs=fripostOwner,fripostPostmaster by dnattr=fripostOwner read by dnattr=fripostPostmaster read - by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList)& (user | user/-1)" read + by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" read by dn.onelevel,expand="$1" +d by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # @@ -144,14 +144,14 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" # 1. Domain owners can edit their entry's attributes. # 2. So can domain postmasters. # 3. Domain users can read the public domain attributes. -# 4. So can users with "canCreateAlias" or "canCreateList" access. +# 4. So can users with "canAddAlias" or "canAddList" access. olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualDomain) attrs=fvd,fripostIsStatusActive,description by dnattr=fripostOwner write by dnattr=fripostPostmaster write by dn.onelevel,expand="$1" read - by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" read + by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" read # # 1. Domain owners can edit their entry's attributes. # 2. So can domain postmasters. @@ -165,14 +165,14 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" # 1. Domain owners can delete the domain (and read the entry). # 2. So can domain postmasters. # 3. Domain users can read the domain entry (but not delete it). -# 4. So can users with "canCreateAlias" or "canCreateList" rights. +# 4. So can users with "canAddAlias" or "canAddList" rights. olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualDomain) attrs=entry by dnattr=fripostOwner +zrd by dnattr=fripostPostmaster +zrd by dn.onelevel,expand="$1" +rd - by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" +rd + by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # # Noone (but the managers) can change quotas. @@ -223,7 +223,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # 1. The alias owners can read and delete the entry. # 2. So can the domain owner. # 3. So can the domain postmaster. -# 4. Users with "canCreateAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain. +# 4. Users with "canAddAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain. # (But *not* delete them, unless also owner.) olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualAlias) @@ -231,7 +231,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by dnattr=fripostOwner +zrd continue by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd - by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a + by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # # 1. The list owner can list the ownership of the entry. @@ -277,7 +277,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # 1. The list owners can read the entry. # 2. So can the domain's Owner. # 3. So can the domain's Postmaster. -# 4. Users with "canCreateList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain. +# 4. Users with "canAddList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain. # (But *not* delete them, unless also owner.) # 6. The list creator can read the entry. olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" @@ -286,7 +286,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by dnattr=fripostOwner +rd continue by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad - by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a + by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd # diff --git a/ldap/database.ldif b/ldap/database.ldif index 526cc89..ada28c7 100644 --- a/ldap/database.ldif +++ b/ldap/database.ldif @@ -18,7 +18,7 @@ olcDbCheckpoint: 512 30 # Require LDAPv3 protocol and authentication prior to directory # operations. olcRequires: LDAPv3 authc -# We don't want to give "canCreate{Alias,List}" write access to alias/list +# We don't want to give "canAdd{Alias,List}" write access to alias/list # attributes. olcAddContentAcl: FALSE # The root user has all rights on the whole database (when SASL-binding diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif index 970f924..2409b26 100644 --- a/ldap/fripost.ldif +++ b/ldap/fripost.ldif @@ -106,16 +106,16 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostUserQuota' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostCanCreateAlias' - DESC 'A user/domain that can create aliases for the parent domain' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostCanAddAlias' + DESC 'A user/domain that can create aliases under the parent domain' SUP distinguishedName ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostCanCreateList' - DESC 'A user/domain that can create lists for the parent domain' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostCanAddList' + DESC 'A user/domain that can create lists under the parent domain' SUP distinguishedName ) # olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostOwner' - DESC 'A user that owns the parent domain' + DESC 'A user that owns under parent domain' SUP distinguishedName ) # olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.15 NAME 'fripostPostmaster' @@ -135,7 +135,7 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtualDomain' SUP top STRUCTURAL DESC 'Virtual domain' MUST ( fvd $ fripostIsStatusActive ) - MAY ( fripostCanCreateAlias $ fripostCanCreateList $ + MAY ( fripostCanAddAlias $ fripostCanAddList $ fripostOwner $ fripostPostmaster $ fripostOptionalMaildrop $ description ) ) # diff --git a/ldap/populate.ldif b/ldap/populate.ldif index 4e0f9b6..9844275 100644 --- a/ldap/populate.ldif +++ b/ldap/populate.ldif @@ -14,8 +14,8 @@ # An independent domain, not self managed dn: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualDomain -fripostCanCreateAlias: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostCanCreateList: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddAlias: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddList: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostIsStatusActive: TRUE dn: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev @@ -75,10 +75,10 @@ fripostLocalAlias: test-mailman#fripost.org fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -# An independent domain, with canCreateAlias options +# An independent domain, with canAddAlias options dn: fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualDomain -fripostCanCreateAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostIsStatusActive: FALSE description: Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod description: tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim @@ -96,10 +96,10 @@ fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=d fripostMaildrop: user1@fripost.org -# An independent domain, with canCreateList options +# An independent domain, with canAddList options dn: fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualDomain -fripostCanCreateList: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddList: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostIsStatusActive: TRUE # An owned list @@ -111,11 +111,11 @@ fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=d fripostLocalAlias: list1#example2.org -# An independent domain, with both can createAlias and canCreateList options +# An independent domain, with both can createAlias and canAddList options dn: fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualDomain -fripostCanCreateAlias: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostCanCreateList: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddAlias: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddList: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostIsStatusActive: TRUE # An owned list @@ -159,13 +159,13 @@ fripostIsStatusActive: TRUE dn: fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev objectClass: FripostVirtualDomain fripostIsStatusActive: TRUE -fripostCanCreateAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostPostmaster: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostPostmaster: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostPostmaster: fvu=user,fvd=xn--v4h.net,ou=virtual,o=mailHosting,dc=fripost,dc=dev # Buggy owner fripostPostmaster: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostCanCreateAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanAddAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostOptionalMaildrop: catch-all@example.org fripostOptionalMaildrop: @example2.org fripostOptionalMaildrop: @xn--v4h.net diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh index c55916e..9b954c7 100755 --- a/ldap/test-user-acl.sh +++ b/ldap/test-user-acl.sh @@ -168,36 +168,36 @@ echo "Authenticated users, access to domain entries" # * entry: # =s-a for all -# +rd if children, canCreate{Alias,List}, owner or postmaster +# +rd if children, canAdd{Alias,List}, owner or postmaster # +z if owner or postmaster # * children: # =w for all # * objectClass: # =s for all # * fvd: -# =rscd if children, canCreate{Alias,List}, owner or postmaster +# =rscd if children, canAdd{Alias,List}, owner or postmaster # +w if owner or postmaster # * fripostIsStatusActive -# =rscd if children, canCreate{Alias,List}, owner or postmaster +# =rscd if children, canAdd{Alias,List}, owner or postmaster # +w if owner or postmaster -# * fripostCanCreateAlias -# =rscd if canCreateAlias, owner or postmaster +# * fripostCanAddAlias +# =rscd if canAddAlias, owner or postmaster # +w if postmaster -# * fripostCanCreateList -# =rscd if canCreateList, owner or postmaster +# * fripostCanAddList +# =rscd if canAddList, owner or postmaster # +w if postmaster # * fripostOwner # =s for all # +d if children -# +rc if canCreate{Alias,List}, owner or postmaster +# +rc if canAdd{Alias,List}, owner or postmaster # * fripostPostmaster # =s for all # +d if children -# +rc if canCreate{Alias,List}, owner or postmaster +# +rc if canAdd{Alias,List}, owner or postmaster # * fripostOptionalMaildrop # =wrscd if owner or postmaster # * description -# =rscd if children, canCreate{Alias,List}, owner or postmaster +# =rscd if children, canAdd{Alias,List}, owner or postmaster # +w if owner or postmaster usersD () { @@ -236,8 +236,8 @@ usersD ${OPERATTRS} | isOK '=0$' entryUUID # We check the following permissions: # 0. Simple user -# 1. canCreateAlias (exact,wildcard) -# 2. canCreateList (exact,wildcard) +# 1. canAddAlias (exact,wildcard) +# 2. canAddList (exact,wildcard) # 3. Owner # 4. Postmaster @@ -259,11 +259,11 @@ done | isOK 'ALLOWED$' entry read # 1 ATTRSA="fripostOwner/read fripostOwner/compare fripostPostmaster/read fripostPostmaster/compare - fripostCanCreateAlias/read fripostCanCreateAlias/search fripostCanCreateAlias/compare fripostCanCreateAlias/disclose" -msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateAlias, exact)" + fripostCanAddAlias/read fripostCanAddAlias/search fripostCanAddAlias/compare fripostCanAddAlias/disclose" +msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddAlias, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanCreateAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "fripostCanAddAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA} done done | isOK 'ALLOWED$' children @@ -271,11 +271,11 @@ done | isOK 'ALLOWED$' children # 1 -msg "Have >=rscd to the public attributes and >=a to \"children\" (if CanCreateAlias, wildcard)" +msg "Have >=rscd to the public attributes and >=a to \"children\" (if CanAddAlias, wildcard)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanCreateAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "fripostCanAddAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA} done done | isOK 'ALLOWED$' children @@ -285,11 +285,11 @@ done | isOK 'ALLOWED$' children # 2 ATTRSL="fripostOwner/read fripostOwner/compare fripostPostmaster/read fripostPostmaster/compare - fripostCanCreateList/read fripostCanCreateList/search fripostCanCreateList/compare fripostCanCreateList/disclose" -msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateList, exact)" + fripostCanAddList/read fripostCanAddList/search fripostCanAddList/compare fripostCanAddList/disclose" +msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddList, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanCreateList=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children @@ -297,11 +297,11 @@ done | isOK 'ALLOWED$' children # 2 -msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateList, wildcard)" +msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddList, wildcard)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanCreateList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children @@ -309,10 +309,10 @@ done | isOK 'ALLOWED$' children # 3 -# >=w to "children", =zrscd to "entry", >=rscd to "fripostCanCreateAlias" and -# "fripostCanCreateList", and =wrscd to the rest (other than "Owner" and +# >=w to "children", =zrscd to "entry", >=rscd to "fripostCanAddAlias" and +# "fripostCanAddList", and =wrscd to the rest (other than "Owner" and # Postmaster") -msg "Have =wrscd to the domain attributes (other than \"canCreate\"), and >=w to \"children\" (if Owner)" +msg "Have =wrscd to the domain attributes (other than \"canAdd\"), and >=w to \"children\" (if Owner)" ATTRSO="entry/delete fvd/write fripostIsStatusActive/write @@ -328,12 +328,12 @@ done | isOK 'ALLOWED$' children # 4 -# >=w to "children", =zrscd to "entry", >=rscd to "fripostCanCreateAlias" and -# "fripostCanCreateList", and =wrscd to the rest (other than "Owner" and +# >=w to "children", =zrscd to "entry", >=rscd to "fripostCanAddAlias" and +# "fripostCanAddList", and =wrscd to the rest (other than "Owner" and # Postmaster") msg "Have =wrscd to the domain attributes, and >=w to \"children\" (if Postmaster)" -ATTRSP="fripostCanCreateAlias/add fripostCanCreateAlias/delete - fripostCanCreateList/add fripostCanCreateList/delete" +ATTRSP="fripostCanAddAlias/add fripostCanAddAlias/delete + fripostCanAddList/add fripostCanAddList/delete" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ @@ -349,10 +349,10 @@ for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do [ "x${DU}" = "x${D}" ] || \ - search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX}) - (fripostCanCreateAlias=${DU},${SUFFIX}) - (fripostCanCreateList=${U},${SUFFIX}) - (fripostCanCreateList=${DU},${SUFFIX}) + search -s base -b "${D},${SUFFIX}" "(|(fripostCanAddAlias=${U},${SUFFIX}) + (fripostCanAddAlias=${DU},${SUFFIX}) + (fripostCanAddList=${U},${SUFFIX}) + (fripostCanAddList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${D}" ${ATTRS0} @@ -362,14 +362,14 @@ done | isOK 'DENIED$' entry read # not (1 or 2 or 3 or 4) -msg "Do not have >=rc access to \"canCreate{Alias,List}\", \"Owner\", \"Postmaster\" (unless member)" +msg "Do not have >=rc access to \"canAdd{Alias,List}\", \"Owner\", \"Postmaster\" (unless member)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX}) - (fripostCanCreateAlias=${DU},${SUFFIX}) - (fripostCanCreateList=${U},${SUFFIX}) - (fripostCanCreateList=${DU},${SUFFIX}) + search -s base -b "${D},${SUFFIX}" "(|(fripostCanAddAlias=${U},${SUFFIX}) + (fripostCanAddAlias=${DU},${SUFFIX}) + (fripostCanAddList=${U},${SUFFIX}) + (fripostCanAddList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSL} entry/add @@ -379,30 +379,30 @@ done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the # not (1 or 3 or 4) -msg "Have =0 access to \"canCreateAlias\" (unless member, Owner, or Postmaster)" +msg "Have =0 access to \"canAddAlias\" (unless member, Owner, or Postmaster)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX}) - (fripostCanCreateAlias=${DU},${SUFFIX}) + search -s base -b "${D},${SUFFIX}" "(|(fripostCanAddAlias=${U},${SUFFIX}) + (fripostCanAddAlias=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" fripostCanCreateAlias entry/add + checkACL "${U}" "${D}" fripostCanAddAlias entry/add done done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? # not (2 or 3 or 4) -msg "Have =0 access to \"canCreateList\" (unless member, Owner, or Postmaster)" +msg "Have =0 access to \"canAddList\" (unless member, Owner, or Postmaster)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateList=${U},${SUFFIX}) - (fripostCanCreateList=${DU},${SUFFIX}) + search -s base -b "${D},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX}) + (fripostCanAddList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" fripostCanCreateList entry/add + checkACL "${U}" "${D}" fripostCanAddList entry/add done done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? @@ -421,7 +421,7 @@ done | isOK 'DENIED$' entry # not 4 -msg "Do not have >=w access to \"canCreate{Alias,List}\" (unless Postmaster)" +msg "Do not have >=w access to \"canAdd{Alias,List}\" (unless Postmaster)" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' || \ @@ -550,7 +550,7 @@ echo "Authenticated users, access to alias entries" # * entry: # =s for all -# +a if canCreateAlias +# +a if canAddAlias # +zrd if alias owner, domain owner or domain postmaster # * children: # =0 for all @@ -633,11 +633,11 @@ done | isOK 'ALLOWED$' entry add # Needed to create new entries. ("+z" is required to delete, btw.) -msg "Have >=a access to \"entry\" (if CanCreateAlias, exact)" +msg "Have >=a access to \"entry\" (if CanAddAlias, exact)" for U in ${USERS}; do for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DA},${SUFFIX}" "fripostCanCreateAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${DA},${SUFFIX}" "fripostCanAddAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${A}" entry/add done done | isOK 'ALLOWED$' entry add @@ -645,25 +645,25 @@ done | isOK 'ALLOWED$' entry add # Needed to create new entries. ("+z" is required to delete, btw.) -msg "Have >=a access to \"entry\" (if CanCreateAlias, wildcard)" +msg "Have >=a access to \"entry\" (if CanAddAlias, wildcard)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DA},${SUFFIX}" "fripostCanCreateAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${DA},${SUFFIX}" "fripostCanAddAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${A}" entry/add done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? -msg "Do not have >=a access to \"entry\" (unless canCreateAlias)" +msg "Do not have >=a access to \"entry\" (unless canAddAlias)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for A in ${ALIASES}; do DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DA},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX}) - (fripostCanCreateAlias=${DU},${SUFFIX}) + search -s base -b "${DA},${SUFFIX}" "(|(fripostCanAddAlias=${U},${SUFFIX}) + (fripostCanAddAlias=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${A}" entry/add @@ -706,7 +706,7 @@ echo "Authenticated users, access to list entries" # * entry: # =s for all -# +a if canCreateList, domain owner or domain postmaster +# +a if canAddList, domain owner or domain postmaster # +rd if list owner, domain owner or domain postmaster # * children: # =0 for all @@ -806,11 +806,11 @@ done | isOK 'ALLOWED$' entry add # Needed to create new entries. ("+z" is required to delete, btw.) -msg "Have >=a access to \"entry\" (if CanCreateList, exact)" +msg "Have >=a access to \"entry\" (if CanAddList, exact)" for U in ${USERS}; do for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DL},${SUFFIX}" "fripostCanCreateList=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${L}" entry/add done done | isOK 'ALLOWED$' entry @@ -818,25 +818,25 @@ done | isOK 'ALLOWED$' entry # Needed to create new entries. ("+z" is required to delete, btw.) -msg "Have >=a access to \"entry\" (if CanCreateList, wildcard)" +msg "Have >=a access to \"entry\" (if CanAddList, wildcard)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DL},${SUFFIX}" "fripostCanCreateList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ checkACL "${U}" "${L}" entry/add done done | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? -msg "Do not have >=a access to \"entry\" (unless canCreateList)" +msg "Do not have >=a access to \"entry\" (unless canAddList)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for L in ${LISTS}; do DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DL},${SUFFIX}" "(|(fripostCanCreateList=${U},${SUFFIX}) - (fripostCanCreateList=${DU},${SUFFIX}) + search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX}) + (fripostCanAddList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${L}" entry/add @@ -893,7 +893,7 @@ done | isOK '=rsd$' entry msg "Have =0 access on other domain attributes" for D in ${DOMAINS}; do - checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description + checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description done | isOK 'none(=0)$' children msg "Can read and search the user attributes it needs" @@ -944,7 +944,7 @@ echo "Service ListCreator" msg "Have =0 access on domain attributes" for D in ${DOMAINS}; do - checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description + checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description done | isOK '=0$' entry msg "Have =0 access on user attributes" @@ -995,7 +995,7 @@ echo "Service AdminWebPanel" msg "Have =0 access on domain attributes" for D in ${DOMAINS}; do - checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanCreateAlias fripostCanCreateList fripostOwner fripostPostmaster description + checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description done | isOK 'none(=0)$' entry msg "Have =0 access on user attributes" @@ -1018,7 +1018,7 @@ for LC in ${LISTSC}; do checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias done | isOK 'none(=0)$' entry -if sudo -u fpanel klist >/dev/null; then +if test -x /usr/bin/sudo && sudo -u fpanel klist >/dev/null; then msg "Can SASL authenticate (GSSAPI)" DN=$(echo "dn:cn=AdminWebPanel,${SUFFIXS}" | tr [A-Z] [a-z]) DN2=$(sudo -u fpanel ldapwhoami -Q | tr [A-Z] [a-z]) -- cgit v1.2.3