From f0f87bd9b13cb0bd5c37472e5a9b4e0d36d1384d Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 21 Jan 2013 23:17:41 +0100 Subject: Added a service to delete expired pending entries. --- ldap/README | 4 +- ldap/acl.ldif | 71 +++++++++++++++++++++------ ldap/base.ldif | 6 +++ ldap/database.ldif | 6 +-- ldap/index.ldif | 2 +- ldap/modules.ldif | 2 +- ldap/syncprov.ldif | 2 +- ldap/syncrepl.ldif | 2 +- ldap/test-user-acl.sh | 130 +++++++++++++++++++++++++++++++++++++++++++------- todo.org | 2 +- 10 files changed, 186 insertions(+), 41 deletions(-) diff --git a/ldap/README b/ldap/README index 037ae65..7fdc088 100644 --- a/ldap/README +++ b/ldap/README @@ -18,11 +18,11 @@ single situation we may encounter in our directory. Usage: * Load the ACLs: - + ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif * Repopulate the database (will clear it out first!): - + ldapdelete -Y EXTERNAL -H ldapi:/// -r "ou=virtual,o=mailHosting,dc=fripost,dc=dev" ; ldapadd -Y EXTERNAL -H ldapi:/// -f populate.ldif * Running the test suite: diff --git a/ldap/acl.ldif b/ldap/acl.ldif index 4cf7e10..153470f 100644 --- a/ldap/acl.ldif +++ b/ldap/acl.ldif @@ -65,6 +65,7 @@ olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev" olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break by anonymous =0 break 
@@ -76,7 +77,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost attrs=userPassword by realself =w by anonymous =xd - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =0 break # # The postmaster of a domain can change (replace) his/her users' password (but not read it). olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" 
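Review bot: Replacing `dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,…$"` with `dn.children="ou=virtual,…"` in this `by` clause widens the matched identities from user entries exactly two levels below `ou=virtual` to every DN below it, including domain, alias, list and list-command entries. Here the grant is only `=0 break`, but the same substitution is applied to clauses granting `=s`, `=w` and `+w` in the hunks at -94, -120 and -187, so the ACL now depends on no non-`fvu` entry ever being able to bind. If that invariant holds (presumably only user entries carry `userPassword`), it should be stated next to the first use, e.g. `# dn.children replaces the fvu= regex; this is only safe while user entries are the only ones below ou=virtual that can authenticate.`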
@@ -94,21 +95,61 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" # 2. So can the list creator. olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=objectClass - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =s + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s # # 1. Users can search (e.g., to list the entries they have created). # 2. Additional permissions may be added later on. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s break + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break # +# Noone may create children under a pending entry. This is important +# since otherwise we couldn't delete old pending entries +# non-recursively. +olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + filter=(fripostPendingToken=*) + attrs=children + by * =0 +# +# Our service can list and delete (old) pending entries. +olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + filter=(fripostPendingToken=*) + attrs=entry + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break + by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break +# +# Our service can search anywhere in the tree (for old pending entries). 
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + attrs=entry + by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break + by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +s + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break +# +# Our service needs to have 'z' access on the 'children' of the parent of the entry that is +# to be deleted. (And 'z' access of the 'entry' attribute of this entry.) +olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + attrs=children + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z + by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break +# +# Our service needs search access to list (old) pending entries. +olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + filter=(fripostPendingToken=*) + attrs=createTimestamp,fripostPendingToken + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd + by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break +# # Everyone can create/delete domains. (Provided s/he has +a/+z access to the # "entry" attribute of the domains s/he wants to delete.) olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=children - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =w + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w # # Reserved local parts are reserved. /!\ The case must be insensitive # - postmaster: RFC 822, appendix C.6 
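Review bot: The rule commented "Our service can search anywhere in the tree" grants `+s` on `entry` to `dn.onelevel="ou=services,…"`, which is every service account and not only DeletePendingEntries. As far as the visible rules show, other services are stopped earlier by the `=0` clause without `break` in the first `ou=virtual` rule, so the grant is only reached by the services that break through, but that coupling is easy to lose when rules are reordered. Naming the identity keeps the grant self-contained: `by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" +s`. Nothing in these rules limits deletion to old entries either, since the filter is `(fripostPendingToken=*)` only; the age check rests entirely on the client, and the comment should say so.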
@@ -120,7 +161,7 @@ olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*))) attrs=fripostPendingToken - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s # # Only the domain Postmasters and Owners can search the unlock token and delete the # 'pending' status (but not read). @@ -158,7 +199,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ by dnattr=fripostPostmaster =rscd by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd by dn.onelevel,expand="$1" +d - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # # 1. Domain owners can edit their entry's attributes. # 2. So can domain postmasters. @@ -179,7 +220,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" attrs=@fripostVirtualDomain by dnattr=fripostOwner =wrscd by dnattr=fripostPostmaster =wrscd - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # # Everyone can add or delete children, but we will be carefull with the # kid's "entry" attribute, which require +a and +z to add and delete 
@@ -187,7 +228,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=FripostVirtualDomain) attrs=children - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +w + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w # # 1. Users with "addDomain" access can create new entries. # 2. Domain owners can delete their domain (and read the entry). @@ -202,7 +243,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ by dnattr=fripostPostmaster +zrd by dn.onelevel,expand="$1" +rd by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # # Noone (but the managers) can change quotas. olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" @@ -237,7 +278,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by dnattr=fripostOwner =rscd continue by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # # 1. The alias owners can edit the rest of their entry's attributes. # 2. So can the domain owners. 
@@ -261,7 +302,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # # 1. The list owner can list the ownership of the entry. # 2. The domain owner can add/delete/change the ownership of the entry. @@ -272,7 +313,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by dnattr=fripostOwner =rscd continue by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # # 1. The list owner read (but not edit) the transport-related attributes. # 2. So can the domain ower. @@ -287,6 +328,8 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos # 1,2,3. The list owner and the domain Owner and Postmaster can search # (but not read) the 'pending' token. # 4. The list creator can remove the "pending" flag. +# (We don't need to limit the search to presence only here, since when present the value is +# always 'TRUE') olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualList) attrs=fripostPendingToken 
@@ -318,7 +361,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd # # The List Creator can add list commands. @@ -335,4 +378,4 @@ olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting # # Catch the "break" control above. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0 + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 diff --git a/ldap/base.ldif b/ldap/base.ldif index ff48497..4a40d3c 100644 --- a/ldap/base.ldif +++ b/ldap/base.ldif @@ -38,6 +38,12 @@ objectClass: organizationalRole description: The entity that is authorized to add list commands userPassword: listcreator +dn: cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev +objectClass: simpleSecurityObject +objectClass: organizationalRole +description: Delete expired pending entries +userPassword: deletependingentries + dn: cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev objectClass: simpleSecurityObject objectClass: organizationalRole diff --git a/ldap/database.ldif b/ldap/database.ldif index ada28c7..eb94b87 100644 --- a/ldap/database.ldif +++ b/ldap/database.ldif 
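Review bot: The new `cn=DeletePendingEntries` entry in base.ldif is committed with a cleartext `userPassword` that is the account name in lower case, and per the acl.ldif changes in this commit that account holds `z` (delete) on every pending entry under `ou=virtual`. Even for a `dc=dev` tree such a value tends to survive into real deployments, so the entry should carry a comment such as `# Development-only credential: replace with a hashed, randomly generated value before loading outside a test instance.` Storing a hash produced by `slappasswd` instead of the plain string would also keep the secret out of the repository history.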
@@ -44,15 +44,15 @@ olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth # # # 2. It may be a good idea to modify DB_CONFIG, depending on the output -# of -# +# of +# # db4.8_stat -m -h /var/lib/ldap/ | head -16 # # (For optimal performance, the Requested pages found in the cache # should be above 95%, and the pages forced from the cache should be 0.) # # and -# +# # db4.8_stat -m -h /var/lib/ldap/ | head -16 # # (For optimal performance, usage should be within 85% of the configured diff --git a/ldap/index.ldif b/ldap/index.ldif index 77b0e5a..3a4f548 100644 --- a/ldap/index.ldif +++ b/ldap/index.ldif @@ -6,7 +6,7 @@ # that it's indeed the database #1 that you want to amend: # # ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn -# +# # # To reindex an existing database, you have to # * Stop slapd /etc/init.d/slapd stop diff --git a/ldap/modules.ldif b/ldap/modules.ldif index cc4da57..46b9ca2 100644 --- a/ldap/modules.ldif +++ b/ldap/modules.ldif @@ -4,7 +4,7 @@ # # It will load the "syncprov" and "constraint" modules. # -# +# # References: # - http://www.openldap.org/doc/admin24/replication.html#Syncrepl # - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap diff --git a/ldap/syncprov.ldif b/ldap/syncprov.ldif index 66ce154..b0de08d 100644 --- a/ldap/syncprov.ldif +++ b/ldap/syncprov.ldif @@ -7,7 +7,7 @@ # # ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn # -# +# # References: # - http://www.openldap.org/doc/admin24/replication.html#Syncrepl # - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap diff --git a/ldap/syncrepl.ldif b/ldap/syncrepl.ldif index 2f40472..d579e5c 100644 --- a/ldap/syncrepl.ldif +++ b/ldap/syncrepl.ldif 
@@ -7,7 +7,7 @@ # # ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn # -# +# # References: # - http://www.openldap.org/doc/admin24/replication.html#Syncrepl # - http://www.zytrax.com/books/ldap/ch7/#ol-syncrepl-rap diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh index 7046716..3023152 100755 --- a/ldap/test-user-acl.sh +++ b/ldap/test-user-acl.sh @@ -215,6 +215,16 @@ usersB ${OPERATTRS} | isOK '=0$' entryUUID [ $? -eq 0 ] || exit $? +msg "Cannot create children under a pending entry" +for U in ${USERS}; do + for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \ + checkACL "${U}" "${X}" children + done +done | isOK '=0$' children +[ $? -eq 0 ] || exit $? + + ########################################################################### @@ -227,7 +237,7 @@ echo "Authenticated users, access to domain entries" # +rd if children, canAdd{Alias,List}, owner or postmaster # +z if owner or postmaster # * children: -# =w for all +# =w for all (non-pending entries) # * objectClass: # =s for all # * fvd: @@ -345,8 +355,13 @@ done | isOK 'DENIED$' entry add # We ensure not to give +a/+z access to the \"entry\" attribute of the # children, unless justified (required to add/delete a child). -msg "Have =w access to \"children\"" -usersD children | isOK '=w$' children +msg "Have =w access to \"children\" (for non-pending attributes)" +for U in ${USERS}; do + for D in ${DOMAINS}; do + search -s base -b "${D},${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + checkACL "${U}" "${D}" children + done +done | isOK '=w$' children [ $? -eq 0 ] || exit $? msg "Have =s access to \"objectClass\"" 
@@ -391,7 +406,7 @@ ATTRSA="fripostOwner/read fripostOwner/compare msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddAlias, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanAddAlias=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA} done done | isOK 'ALLOWED$' children @@ -403,7 +418,7 @@ msg "Have >=rscd to the public attributes and >=a to \"children\" (if CanAddAlia for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanAddAlias=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${DU},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA} done done | isOK 'ALLOWED$' children @@ -417,7 +432,7 @@ ATTRSL="fripostOwner/read fripostOwner/compare msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddList, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children 
@@ -429,7 +444,7 @@ msg "Have >=rscd access to the public attributes and >=a to \"children\" (if Can for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${DU},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children @@ -448,7 +463,7 @@ ATTRSO="entry/delete description/add description/delete" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostOwner=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} done done | isOK 'ALLOWED$' children @@ -464,7 +479,7 @@ ATTRSP="fripostCanAddAlias/add fripostCanAddAlias/delete fripostCanAddList/add fripostCanAddList/delete" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ + search -s base -b "${D},${SUFFIX}" "(&(fripostPostmaster=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \ checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} ${ATTRSP} done done | isOK 'ALLOWED$' children 
@@ -720,8 +735,8 @@ usersD objectClass | isOK '=s' objectClass [ $? -eq 0 ] || exit $? -ATTRS="entry/delete entry/read entry/disclose - fva/write fva/read fva/search fva/compare fva/disclose +ATTRS="entry/delete entry/read entry/disclose + fva/write fva/read fva/search fva/compare fva/disclose fripostMaildrop/add fripostMaildrop/delete fripostMaildrop/read fripostMaildrop/search fripostMaildrop/compare fripostMaildrop/disclose fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose @@ -845,7 +860,7 @@ echo "Authenticated users, access to list entries" # * fripostIsStatusActive: # =wrscd if list owner, domain owner or domain postmaster # * fripostPendingToken: -# =rscd if list owner, domain owner or domain postmaster +# =scd if list owner, domain owner or domain postmaster # * fripostOwner: # =d for all # +rsc if list owner, domain owner or domain postmaster @@ -1000,7 +1015,7 @@ done | isOK 'DENIED$' entry delete msg "Have =0 access to the list command entries" for U in ${USERS}; do for LC in ${LISTSC}; do - checkACL "${U}" "${LC}" + checkACL "${U}" "${LC}" done done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry [ $? -eq 0 ] || exit $? @@ -1009,6 +1024,7 @@ done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry ########################################################################### +SUFFIX0="${SUFFIX}" SUFFIX="${SUFFIXS}" echo @@ -1100,7 +1116,7 @@ done | isOK '=sd$' objectClass msg "Have =0 access on other list command attributes" for LC in ${LISTSC}; do - checkACL "cn=SMTP" "${LC}" children ${OPERATTRS} + checkACL "cn=SMTP" "${LC}" children ${OPERATTRS} done | isOK '=0$' children [ $? -eq 0 ] || exit $? 
@@ -1112,7 +1128,7 @@ echo "Service ListCreator" msg "Have =0 access on domain attributes" for D in ${DOMAINS}; do - checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description + checkACL "cn=ListCreator" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken done | isOK '=0$' entry [ $? -eq 0 ] || exit $? @@ -1142,6 +1158,7 @@ done | isOK '=rsd$' msg "Have =a access on lists' children attribute" for L in ${LISTS}; do + search -s base -b "${L},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ checkACL "cn=ListCreator" "${L}" children done | isOK '=a$' [ $? -eq 0 ] || exit $? 
@@ -1165,6 +1182,85 @@ done | isOK '=0$' children [ $? -eq 0 ] || exit $? +########################################################################### + +echo +echo "Service DeletePendingEntries" + +msg "Have =z access on the \"children\" attribute of non-pending entries" +(checkACL "cn=DeletePendingEntries" "" children +for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + checkACL "cn=DeletePendingEntries" "${X}" children +done) | isOK '=z$' children +[ $? -eq 0 ] || exit $? + +msg "Have =zrsd access on the \"entry\" attribute of pending entries" +for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \ + checkACL "cn=DeletePendingEntries" "${X}" entry +done | isOK '=zrsd$' entry +[ $? -eq 0 ] || exit $? + +msg "Have =s access on the \"entry\" attribute of non-pending entries" +(checkACL "cn=DeletePendingEntries" "" entry +for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + checkACL "cn=DeletePendingEntries" "${X}" entry +done) | isOK '=s$' entry +[ $? -eq 0 ] || exit $? + +msg "Have =sd access on the attributes it needs on pending entries" +for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \ + checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken +done | isOK '=sd$' fripostPendingToken +[ $? -eq 0 ] || exit $? + +msg "Have =0 access these attributes for non-pending entries" +for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken +done | isOK '=0$' fripostPendingToken +[ $? 
-eq 0 ] || exit $? + +msg "Have =s access on the object class" +for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + checkACL "cn=DeletePendingEntries" "${X}" objectClass +done | isOK '=s$' objectClass +[ $? -eq 0 ] || exit $? + +msg "Have =0 access on other domain attributes" +for D in ${DOMAINS}; do + checkACL "cn=DeletePendingEntries" "${D}" fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description +done | isOK '=0$' fvd +[ $? -eq 0 ] || exit $? + +msg "Have =0 access on other user attributes" +for U in ${USERS}; do + checkACL "cn=DeletePendingEntries" "${U}" fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description +done | isOK '=0$' fvu +[ $? -eq 0 ] || exit $? + +msg "Have =0 access on other alias attributes" +for A in ${ALIASES}; do + checkACL "cn=DeletePendingEntries" "${A}" fva fripostMaildrop fripostIsStatusActive fripostOwner description +done | isOK '=0$' fva +[ $? -eq 0 ] || exit $? + +msg "Have =0 access on other list attributes" +for L in ${LISTS}; do + checkACL "cn=DeletePendingEntries" "${L}" fvl fripostListManager fripostIsStatusActive fripostLocalAlias fripostOwner description +done | isOK '=0$' fvl +[ $? -eq 0 ] || exit $? + +msg "Have =0 access on other list command attributes" +for LC in ${LISTSC}; do + checkACL "cn=AdminWebPanel" "${LC}" fvlc fripostLocalAlias +done | isOK '=0$' fvlc +[ $? -eq 0 ] || exit $? + + ########################################################################### echo 
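Review bot: The last check of the new DeletePendingEntries section, "Have =0 access on other list command attributes", calls `checkACL "cn=AdminWebPanel" …`, so the new service's access to `fvlc` and `fripostLocalAlias` is never tested. It looks like a copy from the AdminWebPanel section that follows; the line should read `checkACL "cn=DeletePendingEntries" "${LC}" fvlc fripostLocalAlias`.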
@@ -1172,7 +1268,7 @@ echo "Service AdminWebPanel" msg "Have =0 access on domain attributes" for D in ${DOMAINS}; do - checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description + checkACL "cn=AdminWebPanel" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken done | isOK '=0$' entry [ $? -eq 0 ] || exit $? @@ -1194,7 +1290,7 @@ for L in ${LISTS}; do done | isOK '=0$' entry [ $? -eq 0 ] || exit $? -msg "Have =0 access on other list command attributes" +msg "Have =0 access on list command attributes" for LC in ${LISTSC}; do checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias done | isOK '=0$' entry diff --git a/todo.org b/todo.org index 1df7713..a67f7c9 100644 --- a/todo.org +++ b/todo.org @@ -191,7 +191,7 @@ Reason for discarding: Not feasible at this point, too much overhead, not always ** Create a mail gateway to change settings ** Set up an Asterisk server (VoIP) ** Evaluate SSH-tunnels vs VPN -** Evaluating changing Apache to nginx +** Evaluating changing Apache to nginx * Discarded ideas ** Improve logcheck rules (increase signal to noise ratio) Reason for discarding: not very concrete -- cgit v1.2.3