From 0bed9611730fc434dd55175bc947dc09fc430710 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sun, 9 Sep 2012 23:26:26 +0200
Subject: SASL proxy authorization.
---
 ldap/acl.ldif | 103 +++++++++++++++++++++++++++++++---------------------------
 1 file changed, 56 insertions(+), 47 deletions(-)
(limited to 'ldap/acl.ldif')
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 755697f..eb28872 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -39,7 +39,7 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
 #
 # The postmaster of a domain can change (replace) his/her users' password.
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualMailbox)
 attrs=userPassword
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w
 #
@@ -48,17 +48,27 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
 attrs=userPassword
 by * none
+#
+# That's necessary for SASL proxy Authorize the web application.
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry,objectClass,authzTo
+ by * =x
 ##
 ## Services can read the whole subtree (minus the userPassword attributes).
 #olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
-# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualML
-# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=org" read
-# by users * break
+# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualList
+# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" read
+# by users none break
+#
+# Users can search (e.g., to list the entries they have created).
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=objectClass
+ by users =s
 #
 # Users can search (e.g., to list the entries they have created).
 # Additional permissions may be added later on.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateML
+ attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateList
 by users =s break
 #
 # Everyone can delete domains. (Provided he has +d access to the "entry"
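Review bot: The new rule `olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev" attrs=entry,objectClass,authzTo by * =x` grants auth-level access to every identity, anonymous binds included, rather than only to the service accounts that will be proxy-authorized through. `=x` permits only the bind-time authorization check and not reading the `authzTo` values, so the exposure is small, but if slapd evaluates the `authzTo` check as the already-authenticated service DN (I believe it does; verify against slapd.access(5) before relying on it), `by self =x` or at least `by users =x` would express the intent more tightly. The comment introducing the rule, `# That's necessary for SASL proxy Authorize the web application.`, is ungrammatical and does not say what the rule protects; suggest `# Services need auth access to their own authzTo so that the web application can SASL proxy-authorize as them.` Note also that the added `dn.children="ou=virtual,..." attrs=objectClass by users =s` rule carries no `break` or `continue`, so for authenticated identities no later rule can widen access to objectClass under ou=virtual; that may be intended, but the commented-out services rule above would have to stay ahead of it if it is ever re-enabled and covers objectClass.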
@@ -71,30 +81,29 @@ olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 # aliases.
 # 2,3. People that can create aliases can list the members of the group.
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
 attrs=fripostCanCreateAlias
 by dnattr=fripostPostmaster write
 by dnattr=fripostOwner read
 by set.exact="this/fripostCanCreateAlias & (user | user/-1)" read
 #
-# 1. The postmaster of a domain can give (or take back) people the right to create
-# mailing lists.
-# 2,3. People that can create mailing lists can list the members of the group.
+# 1. The postmaster of a domain can give (or take back) people the right to create lists.
+# 2,3. People that can create lists can list the members of the group.
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=fripostVirtualDomain)
- attrs=fripostCanCreateML
+ filter=(objectClass=FripostVirtualDomain)
+ attrs=fripostCanCreateList
 by dnattr=fripostPostmaster write
 by dnattr=fripostOwner read
- by set.exact="this/fripostCanCreateML & (user | user/-1)" read
+ by set.exact="this/fripostCanCreateList & (user | user/-1)" read
 #
 # 1-3. Noone (but the managers) can appoint domain Owners or Postmasters.
-# But people that can create aliases and mailing lists can list the members of their group.
+# But people that can create aliases and lists can list the members of their group.
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
 attrs=fripostOwner,fripostPostmaster
 by dnattr=fripostOwner read
 by dnattr=fripostPostmaster read
- by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML)& (user | user/-1)" read
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList)& (user | user/-1)" read
 by dn.onelevel,expand="$1" +d
 by users +0
 #
@@ -102,26 +111,26 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
 # kid's "entry" attribute, which require +a and +z to add and delete
 # respectively.
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
 attrs=children
 by users +w
 #
 # 1. Domain owners can edit their entry's attributes.
 # 2. So can domain postmasters.
 # 3. Domain users can read the public domain attributes.
-# 4. So can users with "canCreateAlias" or "canCreateML" access.
+# 4. So can users with "canCreateAlias" or "canCreateList" access.
 olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
 attrs=fvd,fripostIsStatusActive,description
 by dnattr=fripostOwner write
 by dnattr=fripostPostmaster write
 by dn.onelevel,expand="$1" read
- by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" read
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" read
 #
 # 1. Domain owners can edit their entry's attributes.
 # 2. So can domain postmasters.
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
 attrs=@fripostVirtualDomain
 by dnattr=fripostOwner write
 by dnattr=fripostPostmaster write
@@ -130,19 +139,19 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
 # 1. Domain owners can delete the domain (and read the entry).
 # 2. So can domain postmasters.
 # 3. Domain users can read the domain entry (but not delete it).
-# 4. So can users with "canCreateAlias" or "canCreateML" rights.
+# 4. So can users with "canCreateAlias" or "canCreateList" rights.
 olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualDomain)
+ filter=(objectClass=FripostVirtualDomain)
 attrs=entry
 by dnattr=fripostOwner +zrd
 by dnattr=fripostPostmaster +zrd
 by dn.onelevel,expand="$1" +rd
- by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" +rd
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" +rd
 by users +0
 #
 # Noone (but the managers) can change quotas.
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualMailbox)
 attrs=fripostMailboxQuota
 by self read
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
@@ -150,7 +159,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 # 1. Users can modify their own entry.
 # 2. So can their postmasters.
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualMailbox)
 attrs=@FripostVirtualMailbox
 by self write
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
@@ -159,7 +168,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 # (Provided that they have +a access to the parent's "children" attribute.)
 # 2. Users can read their entry (but not delete it).
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualMailbox)
+ filter=(objectClass=FripostVirtualMailbox)
 attrs=entry
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
 by self +rd
@@ -167,7 +176,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 # Reserved aliases cannot be deactivated. (But the alias definition may be changed by the
 # domain owner.)
 olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
 attrs=fripostIsStatusActive,fripostOwner,fva
 by group/fripostVirtualDomain/fripostOwner.expand="$2" read
 by group/fripostVirtualDomain/fripostPostmaster.expand="$2" read
@@ -175,7 +184,7 @@ olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHost
 #
 # Reserved aliases cannot be deleted.
 olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
 attrs=entry
 by group/fripostVirtualDomain/fripostOwner.expand="$2" +ard
 by group/fripostVirtualDomain/fripostPostmaster.expand="$2" +ard
@@ -186,7 +195,7 @@ olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHost
 # 2. The domain owner can add/delete/change the ownership of the entry.
 # 3. So can the domain postmasters.
 olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
 attrs=fripostOwner
 by dnattr=fripostOwner read continue
 by group/fripostVirtualDomain/fripostOwner.expand="$1" write
@@ -197,7 +206,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 # 2. So can the domain owners.
 # 3. So can the domain postmasters.
 olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
 attrs=@FripostVirtualAlias
 by dnattr=fripostOwner write
 by group/fripostVirtualDomain/fripostOwner.expand="$1" write
@@ -209,7 +218,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 # 4. Users with "canCreateAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain.
 # (But *not* delete them, unless also owner.)
 olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualAlias)
+ filter=(objectClass=FripostVirtualAlias)
 attrs=entry
 by dnattr=fripostOwner +zrd continue
 by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
@@ -217,49 +226,49 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
 by users +0
 #
-# 1. The mailing list owner can list the ownership of the entry.
+# 1. The list owner can list the ownership of the entry.
 # 2. The domain owner can add/delete/change the ownership of the entry.
 # 3. So can the domain postmasters.
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualML)
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
 attrs=fripostOwner
 by dnattr=fripostOwner read continue
 by group/fripostVirtualDomain/fripostOwner.expand="$1" write
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
 by users +0
 #
-# 1. The mailing list owner read (but not edit) the transport-related attributes.
+# 1. The list owner read (but not edit) the transport-related attributes.
 # 2. So can the domain ower.
 # 3. So can the domain postmaster.
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualML)
- attrs=fripostMLManager,fripostMLCommand
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
+ attrs=fripostListManager,fripostListCommand
 by dnattr=fripostOwner read
 by group/fripostVirtualDomain/fripostOwner.expand="$1" read
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
 #
-# 1. The mailing list owners can edit their entry's attributes.
+# 1. The list owners can edit their entry's attributes.
 # 2. So can the domain owners.
 # 3. So can the domain postmasters.
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualML)
- attrs=@FripostVirtualML
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
+ attrs=@FripostVirtualList
 by dnattr=fripostOwner write
 by group/fripostVirtualDomain/fripostOwner.expand="$1" write
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
 #
-# 1. The mailing list owners can read and delete the entry.
+# 1. The list owners can read and delete the entry.
 # 2. So can the domain's Owner.
 # 3. So can the domain's Postmaster.
-# 4. Users with "canCreateML" capability (either explicitely, or as a wildcard) for the domain can create mailing lists for that domain.
+# 4. Users with "canCreateList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain.
 # (But *not* delete them, unless also owner.)
-olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
- filter=(objectClass=fripostVirtualML)
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
 attrs=entry
 by dnattr=fripostOwner +rzd continue
 by group/fripostVirtualDomain/fripostOwner.expand="$1" +rwd
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
- by set.exact="this/-1/fripostCanCreateML & (user | user/-1)" +a
+ by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a
 by users +0
 #
 # Catch the "break" control above.
-- 
cgit v1.2.3