From 0bed9611730fc434dd55175bc947dc09fc430710 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 9 Sep 2012 23:26:26 +0200 Subject: SASL proxy authorization. --- ldap/Makefile | 18 +++- ldap/acl.ldif | 103 ++++++++++++----------- ldap/authz.ldif | 24 ++++++ ldap/base.ldif | 30 +++++++ ldap/constraint.ldif | 28 +++++++ ldap/database.ldif | 2 +- ldap/fripost.ldif | 28 +++---- ldap/index.ldif | 2 +- ldap/populate.ldif | 143 +++++++++++++++++--------------- ldap/syncrepl.ldif | 4 +- ldap/test-user-acl.sh | 224 +++++++++++++++++++++++++++----------------------- 11 files changed, 365 insertions(+), 241 deletions(-) create mode 100644 ldap/authz.ldif create mode 100644 ldap/base.ldif create mode 100644 ldap/constraint.ldif diff --git a/ldap/Makefile b/ldap/Makefile index 8d6868f..01f20fd 100644 --- a/ldap/Makefile +++ b/ldap/Makefile @@ -4,6 +4,7 @@ TMPSLAPD := /tmp/$(shell mktemp -u slapd.d-XXXXXX) BACKUPDB := /tmp/$(shell mktemp -u db-XXXXXX.ldif) BACKUPCONFIG := /tmp/$(shell mktemp -u config-XXXXXX.ldif) NUM := $(shell ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=$(SUFFIX)" dn | sed -e '/^$$/d' -e 's/^dn: //') +NUM2 := $(shell echo "$(NUM)" | sed -re 's/(.*),(cn=config)$$/\2\/\1/') SCHEMA := $(shell grep -i '^dn: ' fripost.ldif | sed -re 's/^dn: cn=([^,]+),.*/\1/') all: @@ -29,6 +30,13 @@ install-mx: @rmdir "$(BACKUPSLAPD)" +install: + # ldapadd -Y EXTERNAL -H ldapi:/// -f fripost.ldif + # ldapadd -Y EXTERNAL -H ldapi:/// -f index.ldif + # ldapadd -Y EXTERNAL -H ldapi:/// -f constraint.ldif + # ldapadd -Y EXTERNAL -H ldapi:/// -f acl.ldif + # ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif + # ldapadd -Y EXTERNAL -H ldapi:/// -f populate.ldif install-schema: @ldapadd -Q -Y EXTERNAL -H ldapi:/// -f fripost.ldif 
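Review bot: `NUM2` is empty whenever `NUM` is empty (no database in cn=config carries `$(SUFFIX)`, or the ldapsearch fails). In that case the `find "$(TMPSLAPD)/$(NUM2)/" ... -delete` added in the later `uninstall` hunk starts at the root of the temporary config tree, so it would remove the constraint overlay files of every database, not just this one. A guard before that find would stop the recipe instead, for example `@test -n "$(NUM2)" || { echo "no database for suffix $(SUFFIX)" >&2; exit 1; }`. The sed expression is also hard to read, so a comment on the new line would help, e.g. `# NUM rewritten as a path below slapd.d: cn=config/olcDatabase={N}...`.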
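Review bot: Every line under the new `install:` target starts with `#`, so `make install` loads nothing and still exits 0. This assumes the lines are tab-indented recipe lines, which cannot be confirmed because whitespace is lost in this view. The list also leaves out `authz.ldif`, which this commit adds and which carries the `olcAuthzRegexp`/`olcAuthzPolicy` settings that proxy authorization depends on. It ends with `populate.ldif`, whose own header says it is for testing purposes and which contains literal `userPassword` values. If the block is meant as documentation, I would move it into a comment above the target, add the `authz.ldif` step, and mark the last step with `# test hosts only`.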
@@ -40,7 +48,7 @@ install-acl: uninstall: @echo "The database - suffix \"$(SUFFIX)\" - will be saved into \`$(BACKUPDB)' (if non-empty), and then *cleared* (but not deleted)." - @echo "Also, its ACLs and indexes will be cleared as well, if there are any." + @echo "Also, its ACLs, indexes and constraints will be cleared as well, if there are any." @echo "Global configuration will be saved into \`$(BACKUPCONFIG)'." @echo "slapd will be offline for a moment - at best." @/bin/echo -n "Are you sure you want to continue [y/N] " @@ -65,11 +73,13 @@ uninstall: ;else \ echo "No indexes to remove" \ ;fi - +# @echo "Making a new configuration directory at \`$(TMPSLAPD)'" @mkdir -m0700 "$(TMPSLAPD)" && slapcat -n0 | slapadd -F "$(TMPSLAPD)" -n0 && chown -R 'openldap:openldap' "$(TMPSLAPD)" - - @echo "Deleting schema \"cn=$(SCHEMA),cn=config\"" && find "$(TMPSLAPD)" -name "cn={*}$(SCHEMA).ldif" -delete +# + @echo "Deleting schema \"cn=$(SCHEMA),cn=config\"" && find "$(TMPSLAPD)/cn=config/cn=schema/" -type f -name "cn={*}$(SCHEMA).ldif" -delete +# + @echo "Deleting constraints" && find "$(TMPSLAPD)/$(NUM2)/" -type f -name "olcOverlay={*}constraint.ldif" -delete # @/etc/init.d/slapd stop # diff --git a/ldap/acl.ldif b/ldap/acl.ldif index 755697f..eb28872 100644 --- a/ldap/acl.ldif +++ b/ldap/acl.ldif @@ -39,7 +39,7 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" # # The postmaster of a domain can change (replace) his/her users' password. olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualMailbox) + filter=(objectClass=FripostVirtualMailbox) attrs=userPassword by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w # 
@@ -48,17 +48,27 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" attrs=userPassword by * none +# +# That's necessary for SASL proxy Authorize the web application. +olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev" + attrs=entry,objectClass,authzTo + by * =x ## ## Services can read the whole subtree (minus the userPassword attributes). #olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" -# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualML -# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=org" read -# by users * break +# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualList +# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" read +# by users none break +# +# Users can search (e.g., to list the entries they have created). +olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + attrs=objectClass + by users =s # # Users can search (e.g., to list the entries they have created). # Additional permissions may be added later on. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateML + attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateList by users =s break # # Everyone can delete domains. (Provided he has +d access to the "entry" 
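Review bot: The comment on the new `ou=services` rule ("That's necessary for SASL proxy Authorize the web application.") does not say what the rule grants or why `by * =x` is sufficient. I would replace it with `# Needed for SASL proxy authorization: slapd evaluates a service's authzTo with auth (=x) access only.` plus a second line, `# Write access to authzTo must stay with the managers, since it defines whom a service may act as.` The added `attrs=objectClass ... by users =s` rule has no `break`, so for authenticated users access to objectClass below `ou=virtual` appears to be decided there. Whether that is intended for owners and postmasters is not visible from this hunk and deserves a one-line comment.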
@@ -71,30 +81,29 @@ olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev" # aliases. # 2,3. People that can create aliases can list the members of the group. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - filter=(objectClass=fripostVirtualDomain) + filter=(objectClass=FripostVirtualDomain) attrs=fripostCanCreateAlias by dnattr=fripostPostmaster write by dnattr=fripostOwner read by set.exact="this/fripostCanCreateAlias & (user | user/-1)" read # -# 1. The postmaster of a domain can give (or take back) people the right to create -# mailing lists. -# 2,3. People that can create mailing lists can list the members of the group. +# 1. The postmaster of a domain can give (or take back) people the right to create lists. +# 2,3. People that can create lists can list the members of the group. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - filter=(objectClass=fripostVirtualDomain) - attrs=fripostCanCreateML + filter=(objectClass=FripostVirtualDomain) + attrs=fripostCanCreateList by dnattr=fripostPostmaster write by dnattr=fripostOwner read - by set.exact="this/fripostCanCreateML & (user | user/-1)" read + by set.exact="this/fripostCanCreateList & (user | user/-1)" read # # 1-3. Noone (but the managers) can appoint domain Owners or Postmasters. -# But people that can create aliases and mailing lists can list the members of their group. +# But people that can create aliases and lists can list the members of their group. 
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualDomain) + filter=(objectClass=FripostVirtualDomain) attrs=fripostOwner,fripostPostmaster by dnattr=fripostOwner read by dnattr=fripostPostmaster read - by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML)& (user | user/-1)" read + by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList)& (user | user/-1)" read by dn.onelevel,expand="$1" +d by users +0 # 
@@ -102,26 +111,26 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ # kid's "entry" attribute, which require +a and +z to add and delete # respectively. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - filter=(objectClass=fripostVirtualDomain) + filter=(objectClass=FripostVirtualDomain) attrs=children by users +w # # 1. Domain owners can edit their entry's attributes. # 2. So can domain postmasters. # 3. Domain users can read the public domain attributes. -# 4. So can users with "canCreateAlias" or "canCreateML" access. +# 4. So can users with "canCreateAlias" or "canCreateList" access. olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualDomain) + filter=(objectClass=FripostVirtualDomain) attrs=fvd,fripostIsStatusActive,description by dnattr=fripostOwner write by dnattr=fripostPostmaster write by dn.onelevel,expand="$1" read - by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" read + by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" read # # 1. Domain owners can edit their entry's attributes. # 2. So can domain postmasters. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - filter=(objectClass=fripostVirtualDomain) + filter=(objectClass=FripostVirtualDomain) attrs=@fripostVirtualDomain by dnattr=fripostOwner write by dnattr=fripostPostmaster write 
@@ -130,19 +139,19 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" # 1. Domain owners can delete the domain (and read the entry). # 2. So can domain postmasters. # 3. Domain users can read the domain entry (but not delete it). -# 4. So can users with "canCreateAlias" or "canCreateML" rights. +# 4. So can users with "canCreateAlias" or "canCreateList" rights. olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualDomain) + filter=(objectClass=FripostVirtualDomain) attrs=entry by dnattr=fripostOwner +zrd by dnattr=fripostPostmaster +zrd by dn.onelevel,expand="$1" +rd - by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" +rd + by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" +rd by users +0 # # Noone (but the managers) can change quotas. olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualMailbox) + filter=(objectClass=FripostVirtualMailbox) attrs=fripostMailboxQuota by self read by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read @@ -150,7 +159,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # 1. Users can modify their own entry. # 2. So can their postmasters. olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualMailbox) + filter=(objectClass=FripostVirtualMailbox) attrs=@FripostVirtualMailbox by self write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write 
@@ -159,7 +168,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # (Provided that they have +a access to the parent's "children" attribute.) # 2. Users can read their entry (but not delete it). olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualMailbox) + filter=(objectClass=FripostVirtualMailbox) attrs=entry by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard by self +rd @@ -167,7 +176,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # Reserved aliases cannot be deactivated. (But the alias definition may be changed by the # domain owner.) olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualAlias) + filter=(objectClass=FripostVirtualAlias) attrs=fripostIsStatusActive,fripostOwner,fva by group/fripostVirtualDomain/fripostOwner.expand="$2" read by group/fripostVirtualDomain/fripostPostmaster.expand="$2" read @@ -175,7 +184,7 @@ olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHost # # Reserved aliases cannot be deleted. olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualAlias) + filter=(objectClass=FripostVirtualAlias) attrs=entry by group/fripostVirtualDomain/fripostOwner.expand="$2" +ard by group/fripostVirtualDomain/fripostPostmaster.expand="$2" +ard 
@@ -186,7 +195,7 @@ olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHost # 2. The domain owner can add/delete/change the ownership of the entry. # 3. So can the domain postmasters. olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualAlias) + filter=(objectClass=FripostVirtualAlias) attrs=fripostOwner by dnattr=fripostOwner read continue by group/fripostVirtualDomain/fripostOwner.expand="$1" write @@ -197,7 +206,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # 2. So can the domain owners. # 3. So can the domain postmasters. olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualAlias) + filter=(objectClass=FripostVirtualAlias) attrs=@FripostVirtualAlias by dnattr=fripostOwner write by group/fripostVirtualDomain/fripostOwner.expand="$1" write @@ -209,7 +218,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # 4. Users with "canCreateAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain. # (But *not* delete them, unless also owner.) olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualAlias) + filter=(objectClass=FripostVirtualAlias) attrs=entry by dnattr=fripostOwner +zrd continue by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd 
@@ -217,49 +226,49 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a by users +0 # -# 1. The mailing list owner can list the ownership of the entry. +# 1. The list owner can list the ownership of the entry. # 2. The domain owner can add/delete/change the ownership of the entry. # 3. So can the domain postmasters. -olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualML) +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" + filter=(objectClass=FripostVirtualList) attrs=fripostOwner by dnattr=fripostOwner read continue by group/fripostVirtualDomain/fripostOwner.expand="$1" write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write by users +0 # -# 1. The mailing list owner read (but not edit) the transport-related attributes. +# 1. The list owner read (but not edit) the transport-related attributes. # 2. So can the domain ower. # 3. So can the domain postmaster. -olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualML) - attrs=fripostMLManager,fripostMLCommand +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" + filter=(objectClass=FripostVirtualList) + attrs=fripostListManager,fripostListCommand by dnattr=fripostOwner read by group/fripostVirtualDomain/fripostOwner.expand="$1" read by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read # -# 1. The mailing list owners can edit their entry's attributes. +# 1. The list owners can edit their entry's attributes. # 2. So can the domain owners. # 3. So can the domain postmasters. 
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualML) - attrs=@FripostVirtualML +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" + filter=(objectClass=FripostVirtualList) + attrs=@FripostVirtualList by dnattr=fripostOwner write by group/fripostVirtualDomain/fripostOwner.expand="$1" write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write # -# 1. The mailing list owners can read and delete the entry. +# 1. The list owners can read and delete the entry. # 2. So can the domain's Owner. # 3. So can the domain's Postmaster. -# 4. Users with "canCreateML" capability (either explicitely, or as a wildcard) for the domain can create mailing lists for that domain. +# 4. Users with "canCreateList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain. # (But *not* delete them, unless also owner.) -olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" - filter=(objectClass=fripostVirtualML) +olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" + filter=(objectClass=FripostVirtualList) attrs=entry by dnattr=fripostOwner +rzd continue by group/fripostVirtualDomain/fripostOwner.expand="$1" +rwd by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd - by set.exact="this/-1/fripostCanCreateML & (user | user/-1)" +a + by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a by users +0 # # Catch the "break" control above. diff --git a/ldap/authz.ldif b/ldap/authz.ldif new file mode 100644 index 0000000..8f88d80 --- /dev/null +++ b/ldap/authz.ldif 
@@ -0,0 +1,24 @@ +# Load this file with +# +# ldapadd -Y EXTERNAL -H ldapi:/// -f authz.ldif +# +# That will allow the SASL-authenticated user (service) to be +# reformatted into a proper DN under our services directory. +# +# SASL authentication can be checked with: +# +# ldapwhoami -W -Y PLAIN -U FPanel -H ldapi:// +# ldapwhoami -W -Y PLAIN -U FPanel -H ldapi:// -X "dn:fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev" +# +# References: +# - http://www.openldap.org/doc/admin24/sasl.html#Direct%20Mapping +# - man 5 slapd-config + + +dn: cn=config +changetype: modify +replace: olcAuthzRegexp +olcAuthzRegexp: uid=([^,]+),cn=[^,]+,cn=auth cn=$1,ou=services,o=mailHosting,dc=fripost,dc=dev +- +replace: olcAuthzPolicy +olcAuthzPolicy: to diff --git a/ldap/base.ldif b/ldap/base.ldif new file mode 100644 index 0000000..f91946b --- /dev/null +++ b/ldap/base.ldif @@ -0,0 +1,30 @@ +# Load this file with +# +# ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif +# +# It will create the base directory and add services needed to for our +# systems to work. +# If "o=mailHosting,dc=fripost,dc=dev" exists, you can delete it with +# +# ldapdelete -Y EXTERNAL -H ldapi:/// -r "o=mailHosting,dc=fripost,dc=dev" + + +dn: o=mailHosting,dc=fripost,dc=dev +objectClass: organization +description: Mail hosting + + +dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev +objectClass: organizationalUnit +description: Virtual mail hosting + + +dn: ou=services,o=mailHosting,dc=fripost,dc=dev +objectClass: organizationalUnit + +dn: cn=FPanel,ou=services,o=mailHosting,dc=fripost,dc=dev +objectClass: simpleSecurityObject +objectClass: organizationalRole +description: The adminstrator Web Panel +userPassword: panel +authzTo: dn.regex:^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$ diff --git a/ldap/constraint.ldif b/ldap/constraint.ldif new file mode 100644 index 0000000..555be85 --- /dev/null +++ b/ldap/constraint.ldif 
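Review bot: In `authz.ldif` the first change uses `replace: olcAuthzRegexp` on `cn=config`, so loading the file discards any identity mappings already configured on the server. Either the header comment should say so or the change should be `add: olcAuthzRegexp`. `olcAuthzPolicy: to` is a server-wide setting, meaning any entry that carries `authzTo` can then proxy, so it is worth confirming that no ACL outside `acl.ldif` lets a non-manager write that attribute. The mapping pattern `uid=([^,]+),cn=[^,]+,cn=auth` also does not pin the SASL mechanism, and a short comment stating that this is intended would help the next reader.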
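Review bot: `base.ldif` is described as creating the services "needed to for our systems to work", yet `cn=FPanel` is created with the literal `userPassword: panel`. Its `authzTo` regex lets it act as every `fvu=...,fvd=...` mailbox under `ou=virtual`, so loading the file as committed leaves a guessable credential with proxy rights over all users. Because `simpleSecurityObject` requires the attribute, I would keep the line but commit an obvious placeholder value and set the real password out of band after loading. A header line such as `# FPanel's userPassword below is a placeholder; set a real one (e.g. with ldappasswd) before the service is reachable.` would document that.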
@@ -0,0 +1,28 @@ +# Load this file with +# +# ldapadd -Y EXTERNAL -H ldapi:/// -f constraint.ldif +# +# It will load the "constraint" overlay configuration for the database #1. +# Ensure that it's indeed the database #1 that you want to configure: +# +# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn +# +# +# References: +# - http://www.openldap.org/doc/admin24/overlays.html#Constraints +# - man 5 slapo-constraint + + +dn: olcOverlay=constraint,olcDatabase={1}hdb,cn=config +objectClass: olcOverlayConfig +objectClass: olcConstraintConfig +olcOverlay: constraint +olcConstraintAttribute: fvd regex ^.+\..+$ +olcConstraintAttribute: fvu regex ^.+$ +olcConstraintAttribute: fva regex ^.+$ +olcConstraintAttribute: fvl regex ^.+$ +olcConstraintAttribute: fripostMaildrop regex ^.*@.+\..+$ +olcConstraintAttribute: fripostOptionalMaildrop regex ^.*@.+\..+$ +olcConstraintAttribute: fripostListCommand regex ^.+-.+$ +olcConstraintAttribute: fripostListManager regex ^(mailman|schleuder)$ +olcConstraintAttribute: userPassword count 1 diff --git a/ldap/database.ldif b/ldap/database.ldif index 300d933..526cc89 100644 --- a/ldap/database.ldif +++ b/ldap/database.ldif @@ -18,7 +18,7 @@ olcDbCheckpoint: 512 30 # Require LDAPv3 protocol and authentication prior to directory # operations. olcRequires: LDAPv3 authc -# We don't want to give "canCreate{Alias,ML}" write access to alias/ml +# We don't want to give "canCreate{Alias,List}" write access to alias/list # attributes. olcAddContentAcl: FALSE # The root user has all rights on the whole database (when SASL-binding diff --git a/ldap/fripost.ldif b/ldap/fripost.ldif index 81602d5..b110ee7 100644 --- a/ldap/fripost.ldif +++ b/ldap/fripost.ldif 
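Review bot: The `fvu`, `fva` and `fvl` constraints in `constraint.ldif` (`regex ^.+$`) accept any non-empty string, and the `fvd` and maildrop patterns accept whitespace, commas and extra `@` signs. The overlay therefore rejects very little of what an owner or postmaster can write. These values become RDNs that the `[^,]+` regexes in `acl.ldif` match against, and per `index.ldif` they feed Postfix lookups, so a stricter character class would be safer, for example `olcConstraintAttribute: fvd regex ^[A-Za-z0-9.-]+\.[A-Za-z0-9-]+$`. If the empty local part allowed by `^.*@` in `fripostMaildrop` is deliberate, a comment saying so would keep someone from tightening it by mistake.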
@@ -58,14 +58,14 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fva' SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fvml' - DESC 'The local part of a virtual mailing list' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fvl' + DESC 'The local part of a virtual list' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostMLCommand' - DESC 'The local part of a command associated with a mailing list' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostListCommand' + DESC 'The local part of a command associated with a list' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} ) @@ -99,8 +99,8 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.10 NAME 'fripostCanCreateAlias' DESC 'A user/domain that can create aliases for the parent domain' SUP distinguishedName ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostCanCreateML' - DESC 'A user/domain that can create mailing lists for the parent domain' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.11 NAME 'fripostCanCreateList' + DESC 'A user/domain that can create lists for the parent domain' SUP distinguishedName ) # olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.12 NAME 'fripostOwner' @@ -111,8 +111,8 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostPostmaster' DESC 'A user that is a postmaster of the parent domain' SUP distinguishedName ) # -olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostMLManager' - DESC 'A mailing list manager' +olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.14 NAME 'fripostListManager' + DESC 'The list manager' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE ) 
@@ -124,7 +124,7 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtualDomain' SUP top STRUCTURAL DESC 'Virtual domain' MUST ( fvd $ fripostIsStatusActive ) - MAY ( fripostCanCreateAlias $ fripostCanCreateML $ + MAY ( fripostCanCreateAlias $ fripostCanCreateList $ fripostOwner $ fripostPostmaster $ fripostOptionalMaildrop $ description ) ) # @@ -133,7 +133,7 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualMailbox' SUP top STRUCTURAL DESC 'Virtual mailbox' MUST ( fvu $ userPassword $ fripostIsStatusActive ) - MAY ( fripostMailboxQuota $ fripostOptionalMaildrop $ cn $ description) ) + MAY ( fripostMailboxQuota $ fripostOptionalMaildrop $ description) ) # olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAlias' SUP top STRUCTURAL @@ -141,9 +141,9 @@ olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAlias' MUST ( fva $ fripostMaildrop $ fripostIsStatusActive ) MAY ( fripostOwner $ description ) ) # -olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualML' +olcObjectclasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualList' SUP top STRUCTURAL - DESC 'Mailing List' - MUST ( fvml $ fripostMLManager $ fripostIsStatusActive ) - MAY ( fripostMLCommand $ fripostOwner $ description ) ) + DESC 'Virtual list' + MUST ( fvl $ fripostListManager $ fripostIsStatusActive ) + MAY ( fripostListCommand $ fripostOwner $ description ) ) diff --git a/ldap/index.ldif b/ldap/index.ldif index 6d7089a..f044ebe 100644 --- a/ldap/index.ldif +++ b/ldap/index.ldif @@ -28,7 +28,7 @@ olcDbIndex: objectClass eq - # Let us make Postfix's job easier. add: olcDbIndex -olcDbIndex: fripostIsStatusActive,fvd,fvu,fva,fvml,fripostMLCommand,fripostMLManager eq +olcDbIndex: fripostIsStatusActive,fvd,fvu,fva,fvl,fripostListCommand,fripostListManager eq - # Let us make Postfix's job easier. add: olcDbIndex diff --git a/ldap/populate.ldif b/ldap/populate.ldif index cd2b5f2..475975a 100644 --- a/ldap/populate.ldif +++ b/ldap/populate.ldif 
@@ -3,9 +3,6 @@ # ldapadd -Y EXTERNAL -H ldapi:/// -f populate.ldif # # It will populate the directory for testing purposes. -# If "o=mailHosting,dc=fripost,dc=dev" exists, you can delete it with -# -# ldapdelete -Y EXTERNAL -H ldapi:/// -r "o=mailHosting,dc=fripost,dc=dev" # ou=quotas,o=mailHosting,dc=fripost,dc=dev # |- fvd=fripost.org @@ -14,37 +11,29 @@ # |- -dn: o=mailHosting,dc=fripost,dc=dev -objectClass: organization -description: Mail hosting - - -dn: ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: organizationalUnit -description: Virtual mail hosting - - # An independent domain, not self managed dn: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualDomain +objectClass: FripostVirtualDomain fripostCanCreateAlias: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostCanCreateML: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanCreateList: fvu=fake,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostIsStatusActive: TRUE dn: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualMailbox +objectClass: FripostVirtualMailbox userPassword: user1 fripostIsStatusActive: TRUE fripostOptionalMaildrop: user1@external.org +fripostOptionalMaildrop: user1@external2.org +fripostOptionalMaildrop: user1@external3.org dn: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualMailbox +objectClass: FripostVirtualMailbox userPassword: user2 fripostIsStatusActive: TRUE # A owned alias dn: fva=alias1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualAlias +objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostMaildrop: user1@fripost.org 
@@ -54,23 +43,23 @@ fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # An independent alias dn: fva=alias2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualAlias +objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: user2@fripost.org -# A owned mailing list -dn: fvml=ml1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualML -fripostMLManager: mailman +# An owned list +dn: fvl=list1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +objectClass: FripostVirtualList +fripostListManager: mailman fripostIsStatusActive: TRUE -fripostMLCommand: ml1-request -fripostMLCommand: ml1-bounces +fripostListCommand: list1-request +fripostListCommand: list1-bounces fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -# An independent mailing list (for user1) -dn: fvml=ml2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualML -fripostMLManager: schleuder +# An independent list (for user1) +dn: fvl=list2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +objectClass: FripostVirtualList +fripostListManager: schleuder fripostIsStatusActive: TRUE fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # Buggy owner 
@@ -79,87 +68,102 @@ fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # An independent domain, with canCreateAlias options dn: fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualDomain +objectClass: FripostVirtualDomain fripostCanCreateAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostIsStatusActive: TRUE +fripostIsStatusActive: FALSE +description: Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod +description: tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim +description: veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea +description: commodo consequat. Duis aute irure dolor in reprehenderit in voluptate +description: velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint +description: occaecat cupidatat non proident, sunt in culpa qui officia deserunt +description: mollit anim id est laborum. # A owned alias dn: fva=alias1,fvd=example.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualAlias -fripostIsStatusActive: TRUE +objectClass: FripostVirtualAlias +fripostIsStatusActive: FALSE fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostMaildrop: user1@fripost.org -# An independent domain, with canCreateML options +# An independent domain, with canCreateList options dn: fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualDomain -fripostCanCreateML: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +objectClass: FripostVirtualDomain +fripostCanCreateList: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostIsStatusActive: TRUE -# A owned mailing list -dn: fvml=ml1,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualML +# An owned list +dn: fvl=list1,fvd=example2.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +objectClass: FripostVirtualList 
fripostIsStatusActive: TRUE -fripostMLManager: schleuder +fripostListManager: schleuder fripostOwner: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -# An independent domain, with both can createAlias and canCreateML options +# An independent domain, with both can createAlias and canCreateList options dn: fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualDomain +objectClass: FripostVirtualDomain fripostCanCreateAlias: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -fripostCanCreateML: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +fripostCanCreateList: fvu=user2,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostIsStatusActive: TRUE -# A owned mailing list -dn: fvml=ml,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualML +# An owned list +dn: fvl=list,fvd=example3.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +objectClass: FripostVirtualList fripostIsStatusActive: TRUE -fripostMLManager: mailman +fripostListManager: mailman fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # A owned domain dn: fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualDomain +objectClass: FripostVirtualDomain fripostIsStatusActive: TRUE fripostOwner: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # Buggy owner fripostOwner: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev dn: fva=alias,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualAlias +objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: user1@fripost.org dn: fva=abuse,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualAlias +objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: abuse@fripost.org dn: 
fva=postmaster,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualAlias +objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: postmaster@fripost.org +description: Lorem ipsum dolor sit amet, consectetur adipisicing elit, + sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut + enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut + aliquip ex ea commo do consequat. Duis aute irure dolor in reprehenderit + in voluptate velit esse cillum dolore eu fugiat nulla pariatur. + Excepteur sint occaecat cupidatat non proident, sunt in culpa qui + officia deserunt mollit anim id est laborum. -dn: fvml=ml,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualML -fripostMLManager: mailman +dn: fvl=list,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +objectClass: FripostVirtualList +fripostListManager: mailman fripostIsStatusActive: TRUE -fripostMLCommand: ml-request -fripostMLCommand: ml-bounces +fripostListCommand: list-request +fripostListCommand: list-bounces dn: fvu=user,fvd=owned.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualMailbox +objectClass: FripostVirtualMailbox userPassword: user fripostIsStatusActive: TRUE # A postmastered domain dn: fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualDomain +objectClass: FripostVirtualDomain fripostIsStatusActive: TRUE +fripostCanCreateAlias: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostPostmaster: fvu=user1,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostPostmaster: fvu=postmaster,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev # Buggy owner 
@@ -167,34 +171,37 @@ fripostPostmaster: fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev fripostCanCreateAlias: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev dn: fva=alias,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualAlias +objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: user1@fripost.org dn: fva=abuse,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualAlias +objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: abuse@fripost.org fripostOwner: fvu=postmaster,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev dn: fva=postmaster,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualAlias +objectClass: FripostVirtualAlias fripostIsStatusActive: TRUE fripostMaildrop: postmaster@fripost.org +description: test UTF8 +description: “All we are saying is: ‘give peace a chance!’” — Joe Cocker ☮ -dn: fvml=ml,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualML -fripostMLManager: mailman +dn: fvl=list,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev +objectClass: FripostVirtualList +fripostListManager: mailman fripostIsStatusActive: TRUE -fripostMLCommand: ml-request -fripostMLCommand: ml-bounces +fripostListCommand: list-request +fripostListCommand: list-bounces dn: fvu=user,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualMailbox +objectClass: FripostVirtualMailbox userPassword: user fripostIsStatusActive: TRUE +fripostMailboxQuota: 10MB dn: fvu=postmaster,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev -objectClass: fripostVirtualMailbox +objectClass: FripostVirtualMailbox userPassword: postmaster fripostIsStatusActive: TRUE diff --git a/ldap/syncrepl.ldif b/ldap/syncrepl.ldif index 9dbd30a..6fe0d06 100644 --- a/ldap/syncrepl.ldif 
+++ b/ldap/syncrepl.ldif @@ -26,8 +26,8 @@ credentials="xxxxxx" type=refreshAndPersist retry="5 5 300 +" searchbase="ou=virtual,o=mailHosting,dc=fripost,dc=org" -filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualML))(fripostIsStatusActive=TRUE))" -attrs="fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fvd,fvu,fva,fvml,fripostMLCommand,fripostMLManager" +filter="(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))(fripostIsStatusActive=TRUE))" +attrs="fripostIsStatusActive,fripostMaildrop,fripostOptionalMaildrop,fvd,fvu,fva,fvl,fripostListCommand,fripostListManager" scope=sub schemachecking=off diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh index 26298f9..6983706 100755 --- a/ldap/test-user-acl.sh +++ b/ldap/test-user-acl.sh @@ -72,8 +72,8 @@ USERS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualMailbox" dn | \ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvu=\1,fvd=\2/') ALIASES=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualAlias" dn | \ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fva=\1,fvd=\2/') -MLS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualML" dn | \ - grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvml=\1,fvd=\2/') +LISTS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualList" dn | \ + grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/') ######################################################################## @@ -104,9 +104,9 @@ done | isOK '=0' entry [ $? -eq 0 ] || exit $? -msg "Have =0 access to mailing lists entries" -for ML in ${MLS}; do - checkACL "" "${ML}" +msg "Have =0 access to list entries" +for L in ${LISTS}; do + checkACL "" "${L}" done | isOK '=0' entry [ $? -eq 0 ] || exit $? 
@@ -162,34 +162,36 @@ echo "Authenticated users, access to domain entries" # * entry: # =s-a for all -# +rd if children, canCreate{Alias,ML}, owner or postmaster +# +rd if children, canCreate{Alias,List}, owner or postmaster # +z if owner or postmaster # * children: # =w for all +# * objectClass: +# =s for all # * fvd: -# =rscd if children, canCreate{Alias,ML}, owner or postmaster +# =rscd if children, canCreate{Alias,List}, owner or postmaster # +w if owner or postmaster # * fripostIsStatusActive -# =rscd if children, canCreate{Alias,ML}, owner or postmaster +# =rscd if children, canCreate{Alias,List}, owner or postmaster # +w if owner or postmaster # * fripostCanCreateAlias # =rscd if canCreateAlias, owner or postmaster # +w if postmaster -# * fripostCanCreateML -# =rscd if canCreateML, owner or postmaster +# * fripostCanCreateList +# =rscd if canCreateList, owner or postmaster # +w if postmaster # * fripostOwner # =s for all # +d if children -# +rc if canCreate{Alias,ML}, owner or postmaster +# +rc if canCreate{Alias,List}, owner or postmaster # * fripostPostmaster # =s for all # +d if children -# +rc if canCreate{Alias,ML}, owner or postmaster +# +rc if canCreate{Alias,List}, owner or postmaster # * fripostOptionalMaildrop # =wrscd if owner or postmaster # * description -# =rscd if children, canCreate{Alias,ML}, owner or postmaster +# =rscd if children, canCreate{Alias,List}, owner or postmaster # +w if owner or postmaster usersD () { @@ -213,6 +215,10 @@ msg "Have =w access to \"children\"" usersD children | isOK '=w$' children [ $? -eq 0 ] || exit $? +msg "Have =s access to \"objectClass\"" +usersD objectClass | isOK '=s' objectClass +[ $? -eq 0 ] || exit $? + msg "Have >=s access on \"entry\", \"fripostOwner\" and \"fripostPostmaster\"" usersD entry/search fripostOwner/search fripostPostmaster/search | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? 
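Review bot: The pattern in the added `usersD objectClass | isOK '=s' objectClass` (hunk `@@ -213,6 +215,10 @@`) is not anchored, unlike the neighbouring `isOK '=w$' children`. Assuming isOK applies it as a regular expression to each result line (its definition is outside the hunk), a grant wider than search-only, for instance a result ending in `=scd`, would also pass. Since the header comment states `=s for all`, `usersD objectClass | isOK '=s$' objectClass` would pin the privilege exactly. The same unanchored pattern is used in the objectClass checks added at `@@ -475,6 +481,10 @@` and `@@ -574,6 +586,10 @@`.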
@@ -225,7 +231,7 @@ usersD structuralObjectClass entryUUID createTimestamp entryCSN modifiersName mo # We check the following permissions: # 0. Simple user # 1. canCreateAlias (exact,wildcard) -# 2. canCreateML (exact,wildcard) +# 2. canCreateList (exact,wildcard) # 3. Owner # 4. Postmaster 
@@ -271,26 +277,26 @@ done | isOK 'ALLOWED$' children # 2 -ATTRSML="fripostOwner/read fripostOwner/compare - fripostPostmaster/read fripostPostmaster/compare - fripostCanCreateML/read fripostCanCreateML/search fripostCanCreateML/compare fripostCanCreateML/disclose" -msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateML, exact)" +ATTRSL="fripostOwner/read fripostOwner/compare + fripostPostmaster/read fripostPostmaster/compare + fripostCanCreateList/read fripostCanCreateList/search fripostCanCreateList/compare fripostCanCreateList/disclose" +msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateList, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanCreateML=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSML} + search -s base -b "${D},${SUFFIX}" "fripostCanCreateList=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? # 2 -msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateML, wildcard)" +msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateList, wildcard)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanCreateML=${DU},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSML} + search -s base -b "${D},${SUFFIX}" "fripostCanCreateList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? 
@@ -298,7 +304,7 @@ done | isOK 'ALLOWED$' children # 3 # >=w to "children", =zrscd to "entry", >=rscd to "fripostCanCreateAlias" and -# "fripostCanCreateML", and =wrscd to the rest (other than "Owner" and +# "fripostCanCreateList", and =wrscd to the rest (other than "Owner" and # Postmaster") msg "Have =wrscd to the domain attributes (other than \"canCreate\"), and >=w to \"children\" (if Owner)" ATTRSO="entry/delete @@ -309,7 +315,7 @@ ATTRSO="entry/delete for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSML} ${ATTRSO} + checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? @@ -317,15 +323,15 @@ done | isOK 'ALLOWED$' children # 4 # >=w to "children", =zrscd to "entry", >=rscd to "fripostCanCreateAlias" and -# "fripostCanCreateML", and =wrscd to the rest (other than "Owner" and +# "fripostCanCreateList", and =wrscd to the rest (other than "Owner" and # Postmaster") msg "Have =wrscd to the domain attributes, and >=w to \"children\" (if Postmaster)" ATTRSP="fripostCanCreateAlias/add fripostCanCreateAlias/delete - fripostCanCreateML/add fripostCanCreateML/delete" + fripostCanCreateList/add fripostCanCreateList/delete" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSML} ${ATTRSO} ${ATTRSP} + checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} ${ATTRSP} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? 
@@ -339,8 +345,8 @@ for U in ${USERS}; do [ "x${DU}" = "x${D}" ] || \ search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX}) (fripostCanCreateAlias=${DU},${SUFFIX}) - (fripostCanCreateML=${U},${SUFFIX}) - (fripostCanCreateML=${DU},${SUFFIX}) + (fripostCanCreateList=${U},${SUFFIX}) + (fripostCanCreateList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${D}" ${ATTRS0} @@ -350,17 +356,17 @@ done | isOK 'DENIED$' entry read # not (1 or 2 or 3 or 4) -msg "Do not have >=rc access to \"canCreate{Alias,ML}\", \"Owner\", \"Postmaster\" (unless member)" +msg "Do not have >=rc access to \"canCreate{Alias,List}\", \"Owner\", \"Postmaster\" (unless member)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX}) (fripostCanCreateAlias=${DU},${SUFFIX}) - (fripostCanCreateML=${U},${SUFFIX}) - (fripostCanCreateML=${DU},${SUFFIX}) + (fripostCanCreateList=${U},${SUFFIX}) + (fripostCanCreateList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSML} entry/add + checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSL} entry/add done done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? 
@@ -382,15 +388,15 @@ done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to # not (2 or 3 or 4) -msg "Have =0 access to \"canCreateML\" (unless member, Owner, or Postmaster)" +msg "Have =0 access to \"canCreateList\" (unless member, Owner, or Postmaster)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateML=${U},${SUFFIX}) - (fripostCanCreateML=${DU},${SUFFIX}) + search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateList=${U},${SUFFIX}) + (fripostCanCreateList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" fripostCanCreateML entry/add + checkACL "${U}" "${D}" fripostCanCreateList entry/add done done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? @@ -409,7 +415,7 @@ done | isOK 'DENIED$' entry # not 4 -msg "Do not have >=w access to \"canCreate{Alias,ML}\" (unless Postmaster)" +msg "Do not have >=w access to \"canCreate{Alias,List}\" (unless Postmaster)" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' || \ @@ -431,6 +437,8 @@ echo "Authenticated users, access to user entries" # +a if domain postmaster # * children: # =0 for all +# * objectClass: +# =s for all # * fvu: # =wrscd if account owner or domain postmaster # * userPassword: @@ -441,8 +449,6 @@ echo "Authenticated users, access to user entries" # =rscd if account owner or domain postmaster # * fripostOptionalMaildrop: # =wrscd if account owner or domain postmaster -# * cn: -# =wrscd if account owner or domain postmaster # * description: # =wrscd if account owner or domain postmaster 
@@ -463,7 +469,7 @@ usersU userPassword | isOK '=w$' [ $? -eq 0 ] || exit $? msg "Have =wrscxd access to the other attributes of their own entry" -usersU fvu fripostIsStatusActive fripostOptionalMaildrop cn description | isOK 'write(=wrscxd)$' fvu +usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu [ $? -eq 0 ] || exit $? msg "Have >=rsd access to the \"entry\" attribute of their own entry" @@ -475,6 +481,10 @@ msg "Have =0 access to their \"children\" and operational attributes" usersU children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children [ $? -eq 0 ] || exit $? +msg "Have =s access to \"objectClass\"" +usersD objectClass | isOK '=s' objectClass +[ $? -eq 0 ] || exit $? + msg "Have =0 access to other user entries (unless Postmaster)" for U1 in ${USERS}; do for U2 in ${USERS}; do @@ -486,7 +496,7 @@ for U1 in ${USERS}; do fripostIsStatusActive \ fripostMailboxQuota \ fripostOptionalMaildrop \ - cn description + description done done | isOK '=0$' entry [ $? -eq 0 ] || exit $? @@ -512,7 +522,7 @@ usersP userPassword | isOK '=w$' [ $? -eq 0 ] || exit $? msg "Have =wrscxd access to the other attributes of their users' entry (if Postmaster)" -usersP fvu fripostIsStatusActive fripostOptionalMaildrop cn description | isOK 'write(=wrscxd)$' fvu +usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu [ $? -eq 0 ] || exit $? # "+a" is needed to create new accounts. "+z" would be required to @@ -540,6 +550,8 @@ echo "Authenticated users, access to alias entries" # +w (regular alias) if domain owner or domain postmaster # * children: # =0 for all +# * objectClass: +# =s for all # * fva: # =rscd (reserved alias) if domain owner or domain postmaster # =wrscd (regular alias) if alias owner, domain owner or domain postmaster 
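Review bot: The objectClass check added at `@@ -475,6 +481,10 @@` sits in the user-entry section but calls `usersD`, the helper used by the domain section, while the neighbouring checks here go through `usersU`. As written it appears to repeat the domain test and leave the objectClass ACL on mailbox entries unverified; the section's own helper would give `usersU objectClass | isOK '=s' objectClass`, or a loop over all user pairs if "for all" is meant to include other users' entries. The alias section has the same slip at `@@ -574,6 +586,10 @@`, where the surrounding checks use `usersA`. The helper bodies are outside these hunks, so this is inferred from their names and call sites.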
@@ -574,6 +586,10 @@ msg "Have =0 access to the \"children\" and operational attributes" usersA children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children [ $? -eq 0 ] || exit $? +msg "Have =s access to \"objectClass\"" +usersD objectClass | isOK '=s' objectClass +[ $? -eq 0 ] || exit $? + RESERVED_ATTRS="entry/delete fva/write fripostIsStatusActive/write" 
@@ -739,136 +755,136 @@ done | isOK 'DENIED$' entry delete echo -echo "Authenticated users, access to mailing list entries" +echo "Authenticated users, access to list entries" # * entry: # =s for all -# +a if canCreateML, domain owner or domain postmaster -# +zrd if mailing list owner, domain owner or domain postmaster +# +a if canCreateList, domain owner or domain postmaster +# +zrd if list owner, domain owner or domain postmaster # * children: # =0 for all -# * fvml: -# =wrscd if mailing list owner, domain owner or domain postmaster -# * fripostMLManager: -# =rscd if mailing list owner, domain owner or domain postmaster +# * fvl: +# =wrscd if list owner, domain owner or domain postmaster +# * fripostListManager: +# =rscd if list owner, domain owner or domain postmaster # * fripostIsStatusActive: -# =wrscd if mailing list owner, domain owner or domain postmaster -# * fripostMLCommand: -# =rscd if mailing list owner, domain owner or domain postmaster +# =wrscd if list owner, domain owner or domain postmaster +# * fripostListCommand: +# =rscd if list owner, domain owner or domain postmaster # * fripostOwner: # =d for all -# +rsc if mailing list owner, domain owner or domain postmaster +# +rsc if list owner, domain owner or domain postmaster # +w if domain owner or domain postmaster # * description: -# =wrscd if mailing list owner, domain owner or domain postmaster +# =wrscd if list owner, domain owner or domain postmaster -usersML () { +usersL () { for U in ${USERS}; do - for ML in ${MLS}; do - checkACL "${U}" "${ML}" "$@" + for L in ${LISTS}; do + checkACL "${U}" "${L}" "$@" done done } msg "Have >=s access on \"entry\" and \"fripostOwner\"" -usersML fripostOwner/search entry/search | isOK 'ALLOWED$' entry +usersL fripostOwner/search entry/search | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? 
msg "Have =0 access the \"children\" and operational attributes" -usersML children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children +usersL children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children [ $? -eq 0 ] || exit $? msg "Cannot change transport-related attributes" for U in ${USERS}; do - for ML in ${MLS}; do - checkACL "${U}" "${ML}" fripostMLCommand/add fripostMLCommand/delete \ - fripostMLManager/write + for L in ${LISTS}; do + checkACL "${U}" "${L}" fripostListCommand/add fripostListCommand/delete \ + fripostListManager/write done -done | isOK 'DENIED$' fripostMLManager +done | isOK 'DENIED$' fripostListManager [ $? -eq 0 ] || exit $? ATTRS="entry/read entry/disclose entry/delete - fvml/write fvml/read fvml/search fvml/compare fvml/disclose - fripostMLManager/read fripostMLManager/search fripostMLManager/compare fripostMLManager/disclose + fvl/write fvl/read fvl/search fvl/compare fvl/disclose + fripostListManager/read fripostListManager/search fripostListManager/compare fripostListManager/disclose fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose - fripostMLCommand/read fripostMLCommand/search fripostMLCommand/compare fripostMLCommand/disclose + fripostListCommand/read fripostListCommand/search fripostListCommand/compare fripostListCommand/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose description/add description/delete description/read description/compare description/disclose" ATTRS2="fripostOwner/add fripostOwner/delete" -msg "Can edit/delete mailing list (if mailing list Owner)" +msg "Can edit/delete list (if list Owner)" for U in ${USERS}; do - for ML in ${MLS}; do - search -s base -b "${ML},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${ML}" ${ATTRS} + for L in ${LISTS}; do + 
search -s base -b "${L},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" ${ATTRS} done done | isOK 'ALLOWED$' entry delete [ $? -eq 0 ] || exit $? -msg "Can edit/create/delete mailing list (if domain Owner)" +msg "Can edit/create/delete list (if domain Owner)" [ $? -eq 0 ] || exit $? for U in ${USERS}; do - for ML in ${MLS}; do - DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DML},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${ML}" ${ATTRS} ${ATTRS2} entry/add + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? -msg "Can edit/create/delete mailing list (if domain Postmaster)" +msg "Can edit/create/delete list (if domain Postmaster)" [ $? -eq 0 ] || exit $? for U in ${USERS}; do - for ML in ${MLS}; do - DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DML},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${ML}" ${ATTRS} ${ATTRS2} entry/add + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? # Needed to create new entries. ("+z" is required to delete, btw.) 
-msg "Have >=a access to \"entry\" (if CanCreateML, exact)" +msg "Have >=a access to \"entry\" (if CanCreateList, exact)" for U in ${USERS}; do - for ML in ${MLS}; do - DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DML},${SUFFIX}" "fripostCanCreateML=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${ML}" entry/add + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${DL},${SUFFIX}" "fripostCanCreateList=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" entry/add done done | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? # Needed to create new entries. ("+z" is required to delete, btw.) -msg "Have >=a access to \"entry\" (if CanCreateML, wildcard)" +msg "Have >=a access to \"entry\" (if CanCreateList, wildcard)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - for ML in ${MLS}; do - DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DML},${SUFFIX}" "fripostCanCreateML=${DU},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${ML}" entry/add + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${DL},${SUFFIX}" "fripostCanCreateList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" entry/add done done | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? 
-msg "Do not have >=a access to \"entry\" (unless canCreateML)" +msg "Do not have >=a access to \"entry\" (unless canCreateList)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - for ML in ${MLS}; do - DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DML},${SUFFIX}" "(|(fripostCanCreateML=${U},${SUFFIX}) - (fripostCanCreateML=${DU},${SUFFIX}) + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${DL},${SUFFIX}" "(|(fripostCanCreateList=${U},${SUFFIX}) + (fripostCanCreateList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${ML}" entry/add + checkACL "${U}" "${L}" entry/add done done | isOK 'DENIED$' entry [ $? -eq 0 ] || exit $? @@ -886,14 +902,14 @@ done | isOK 'DENIED$' fripostOwner add [ $? -eq 0 ] || exit $? -msg "Have no access to mailing list entries (unless mailing list owner/domain owner/domain postmaster)" +msg "Have no access to list entries (unless list owner/domain owner/domain postmaster)" for U in ${USERS}; do - for ML in ${MLS}; do - DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${ML},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' || \ - search -s base -b "${DML},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${L},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' || \ + search -s base -b "${DL},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${ML}" ${ATTRS} entry/delete + checkACL "${U}" "${L}" ${ATTRS} entry/delete done done | isOK 'DENIED$' entry delete [ $? -eq 0 ] || exit $? -- cgit v1.2.3
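Review bot: The list section rewritten in `@@ -739,136 +755,136 @@` gains neither the `# * objectClass: =s for all` entry in its header comment nor a matching check, although this commit adds both for domain, user and alias entries. If the objectClass rule is meant to cover list entries too, document it and add `msg "Have =s access to \"objectClass\""`, `usersL objectClass | isOK '=s' objectClass` and the usual `[ $? -eq 0 ] || exit $?` after the operational-attributes check. If lists are deliberately excluded, a one-line comment saying so would keep the four sections comparable. Whether acl.ldif grants this privilege on list entries is not visible here.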