From 4697625becadbd2d3eea9feb3eaacd2bf91ecdd4 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 21 Jan 2013 02:15:29 +0100
Subject: Adapted the test suite to domain creation.

---
 ldap/acl.ldif | 178 ++++++++++++++++++++++++++++++----------------------------
 1 file changed, 93 insertions(+), 85 deletions(-)

(limited to 'ldap/acl.ldif')

diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index c090925..ce2aa4c 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -31,49 +31,54 @@ replace: olcAccess
 # TODO: IMAP, SASLauth, Amavis
 # TODO: if possible, make use GSSAPI/EXTERNAL for the services.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostIsStatusPending,fripostOptionalMaildrop,fvu,fva,fripostMaildrop,fvl,fvlc,fripostLocalAlias
+ attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
  filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
  by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
- by users none break
+ by users =0 break
+#
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=objectClass,fripostPendingToken,fripostIsStatusActive
+ filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
+ by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd
+ by users =0 break
 #
 #olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
-# attrs=entry,objectClass,fripostIsStatusActive,fripostIsStatusPending,fvu,@amavisAccount
-# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostIsStatusPending=FALSE))
+# attrs=entry,objectClass,fripostIsStatusActive,fripostPendingToken,fvu,@amavisAccount
+# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostPendingToken=FALSE))
 # by dn.exact="gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth" =rsd
-# by users none break
+# by users =0 break
 #
 # Anonymous can authenticate into the services. (But not read or write the password.)
 olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
  attrs=userPassword
- by anonymous auth
+ by realanonymous =xd
 #
 # That's necessary for SASL proxy Authorize the web application.
 olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
  attrs=entry,objectClass,authzTo
- by * =x
+ by realanonymous =x
 #
 # 1. Managers have read/write access to the "virtual" subtree.
 # 2. The list creator needs further access.
 # 3. Other services have no access other than the one above.
 # 4,5. Other users need further access.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" write
- by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" none break
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" none break
- by anonymous none break
+ by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
+ by anonymous =0 break
 #
 # 1. Users can change their password (but not read it).
 # 2. Anonymous users can bind.
 # 3. Else, we inspect the 2 following ACLs.
 olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  attrs=userPassword
- by self =w
- by anonymous auth
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" none break
+ by realself =w
+ by anonymous =xd
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
 #
-# The postmaster of a domain can change (replace) his/her users'
-# password (but not see it).
+# The postmaster of a domain can change (replace) his/her users' password (but not read it).
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualUser)
  attrs=userPassword
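Review bot: The new second rule gives `cn=SMTP` `=sd` on `fripostPendingToken`, and in slapd search access lets a principal evaluate that attribute in filters, so the service can test candidate token values rather than only whether a token is present; if the token is the secret that Postmasters and Owners later search to unlock an entry, that is wider than a deliverability check needs, and how far a filter can narrow it depends on the attribute's matching rules, which this patch does not show. A one-line comment on the rule stating why the SMTP service needs the token would make the trade-off explicit, e.g. `# SMTP only needs to tell pending entries apart (presence test on the token).` The commented-out amavis rule inherits a mechanical rename: `(fripostPendingToken=FALSE)` still reads as a boolean test although the attribute now holds a token, so if that rule is ever re-enabled the intended condition is presumably the token's absence, `(!(fripostPendingToken=*))`.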
@@ -83,41 +88,41 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 # (That's a catch-all, just to be sure that services, etc. cannot read the passwords).
 olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
  attrs=userPassword
- by * none
+ by * =0
 #
 # 1. Users can search (e.g., to list the entries they have created).
 # 2. So can the list creator.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=objectClass
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
  by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
 #
-# Users can search (e.g., to list the entries they have created).
-# Additional permissions may be added later on.
+# 1. Users can search (e.g., to list the entries they have created).
+# 2. Additional permissions may be added later on.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
- by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
 #
 # Everyone can create/delete domains. (Provided s/he has +a/+z access to the
 # "entry" attribute of the domains s/he wants to delete.)
 olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =w
 #
-# Reserved local parts are reserved. /!\ The case be insensitive
-# postmaster # RFC 822, appendix C.6
-# abuse # RFC 2142, section 4
+# Reserved local parts are reserved. /!\ The case must be insensitive
+# - postmaster: RFC 822, appendix C.6
+# - abuse: RFC 2142, section 4
 olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
- by * none
+ by * =0
 #
-# Only the domain postmaster can read and search the unlock token and delete the
-# 'pending' status.
+# Only the domain Postmasters and Owners can read and search the unlock token and
+# delete the 'pending' status.
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  filter=(objectClass=FripostVirtualDomain)
- attrs=fripostIsStatusPending
- by dnattr=fripostPostmaster =zrsd
- by dnattr=fripostOwner =zrsd
+ attrs=fripostPendingToken
+ by dnattr=fripostPostmaster =zscd
+ by dnattr=fripostOwner =zscd
 #
 # 1. The postmaster of a domain can give (or take back) people the right to create
 # aliases.
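Review bot: The rewritten comment above the `fripostPendingToken` rule still says Postmasters and Owners "can read and search the unlock token", but the clauses right below it go from `=zrsd` to `=zscd`, dropping `r`, so the text now over-states the grant; the matching list rule in a later hunk says "search (but not read)", which is what these privileges actually give. If dropping read is intended, align the comment: `# Only the domain Postmasters and Owners can search (but not read) the unlock token` and `# and delete the 'pending' status.`; otherwise restore `r` in the two clauses.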
@@ -125,29 +130,29 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  filter=(objectClass=FripostVirtualDomain)
  attrs=fripostCanAddAlias
- by dnattr=fripostPostmaster write
- by dnattr=fripostOwner read
- by set.exact="this/fripostCanAddAlias & (user | user/-1)" read
+ by dnattr=fripostPostmaster =wrscd
+ by dnattr=fripostOwner =rscd
+ by set.exact="this/fripostCanAddAlias & (user | user/-1)" =rscd
 #
 # 1. The postmaster of a domain can give (or take back) people the right to create lists.
 # 2,3. People that can create lists can list the members of the group.
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  filter=(objectClass=FripostVirtualDomain)
  attrs=fripostCanAddList
- by dnattr=fripostPostmaster write
- by dnattr=fripostOwner read
- by set.exact="this/fripostCanAddList & (user | user/-1)" read
+ by dnattr=fripostPostmaster =wrscd
+ by dnattr=fripostOwner =rscd
+ by set.exact="this/fripostCanAddList & (user | user/-1)" =rscd
 #
 # 1-3. Noone (but the managers) can appoint domain Owners or Postmasters.
 # But people that can create aliases and lists can list the members of their group.
 olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualDomain)
  attrs=fripostOwner,fripostPostmaster
- by dnattr=fripostOwner read
- by dnattr=fripostPostmaster read
- by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" read
+ by dnattr=fripostOwner =rscd
+ by dnattr=fripostPostmaster =rscd
+ by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd
  by dn.onelevel,expand="$1" +d
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
 #
 # 1. Domain owners can edit their entry's attributes.
 # 2. So can domain postmasters.
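Review bot: Replacing the `read`/`write` levels with explicit `=rscd`/`=wrscd` sets on the `fripostCanAddAlias`, `fripostCanAddList` and `fripostOwner,fripostPostmaster` rules is not a pure notation change: the named levels include the auth privilege (`read` is `rscxd`, `write` is `wrscxd`), which the explicit sets leave out. Nothing binds against these attributes, so the difference is harmless here, and the same substitution is made in the managers clause of the first hunk and in the domain, user, alias and list rules of the later hunks. A short comment near the top of the file stating that `x` is deliberately granted only by the userPassword rules (which spell out `=xd`) would stop a later reader from taking the omission for an oversight.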
@@ -156,19 +161,19 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
 olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualDomain)
  attrs=fvd,fripostIsStatusActive,description
- by dnattr=fripostOwner write
- by dnattr=fripostPostmaster write
- by dn.onelevel,expand="$1" read
- by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" read
+ by dnattr=fripostOwner =wrscd
+ by dnattr=fripostPostmaster =wrscd
+ by dn.onelevel,expand="$1" =rscd
+ by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd
 #
 # 1. Domain owners can edit their entry's attributes.
 # 2. So can domain postmasters.
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  filter=(objectClass=FripostVirtualDomain)
  attrs=@fripostVirtualDomain
- by dnattr=fripostOwner write
- by dnattr=fripostPostmaster write
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dnattr=fripostOwner =wrscd
+ by dnattr=fripostPostmaster =wrscd
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
 #
 # Every one can add or delete children, but we will be carefull with the
 # kid's "entry" attribute, which require +a and +z to add and delete
@@ -176,12 +181,13 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  filter=(objectClass=FripostVirtualDomain)
  attrs=children
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +w
 #
-# 1. Domain owners can delete the domain (and read the entry).
-# 2. So can domain postmasters.
-# 3. Domain users can read the domain entry (but not delete it).
-# 4. So can users with "canAddAlias" or "canAddList" rights.
+# 1. Users with "addDomain" access can create new entries.
+# 2. Domain owners can delete their domain (and read the entry).
+# 3. So can domain postmasters.
+# 4. Domain users can read the domain entry (but not delete it).
+# 5. So can users with "canAddAlias" or "canAddList" rights.
 olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualDomain)
  attrs=entry
@@ -190,22 +196,22 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
  by dnattr=fripostPostmaster +zrd
  by dn.onelevel,expand="$1" +rd
  by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
 #
 # Noone (but the managers) can change quotas.
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualUser)
  attrs=fripostUserQuota
- by self read
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+ by self =rscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
 #
 # 1. Users can modify their own entry.
 # 2. So can their postmasters.
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualUser)
  attrs=@FripostVirtualUser
- by self write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by self =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
 #
 # 1. Postmasters can create users (but not delete them).
 # (Provided that they have +a access to the parent's "children" attribute.)
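Review bot: The `attrs=@FripostVirtualUser` rule grants `by self =wrscd` with no preceding user-side rule that singles out `fripostPendingToken` or `fripostIsStatusActive`, unlike domains and lists, which each get a dedicated `fripostPendingToken` rule ahead of their `@objectClass` rule; the only earlier rule covering those attributes for users (first hunk) ends in `by users =0 break`, so evaluation falls through to this one. If those two attributes belong to the FripostVirtualUser class (the filter of the commented-out amavis rule suggests they do), a still-pending user can clear their own token or set their own active flag. That behaviour predates this commit, but the move to a token makes it worth confirming against the schema, either by adding an `attrs=fripostPendingToken,fripostIsStatusActive` rule for users before this one or by a comment recording why self-write on them is acceptable.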
@@ -222,10 +228,10 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualAlias)
  attrs=fripostOwner
- by dnattr=fripostOwner read continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dnattr=fripostOwner =rscd continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
 #
 # 1. The alias owners can edit the rest of their entry's attributes.
 # 2. So can the domain owners.
@@ -233,9 +239,9 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualAlias)
  attrs=@FripostVirtualAlias
- by dnattr=fripostOwner write
- by group/fripostVirtualDomain/fripostOwner.expand="$1" write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by dnattr=fripostOwner =wrscd
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
 #
 # 1. The alias owners can read and delete the entry.
 # 2. So can the domain owner.
@@ -249,7 +255,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
  by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
  by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
 #
 # 1. The list owner can list the ownership of the entry.
 # 2. The domain owner can add/delete/change the ownership of the entry.
@@ -257,10 +263,10 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualList)
  attrs=fripostOwner
- by dnattr=fripostOwner read continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dnattr=fripostOwner =rscd continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
 #
 # 1. The list owner read (but not edit) the transport-related attributes.
 # 2. So can the domain ower.
@@ -268,17 +274,19 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualList)
  attrs=fripostListManager
- by dnattr=fripostOwner read
- by group/fripostVirtualDomain/fripostOwner.expand="$1" read
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+ by dnattr=fripostOwner =rscd
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =rscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd
 #
-# Only the list creator can remove the "pending" flag
+# 1,2,3. The list owner and the domain Owner and Postmaster can search
+# (but not read) the 'pending' token.
+# 4. The list creator can remove the "pending" flag.
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualList)
- attrs=fripostIsStatusPending
- by dnattr=fripostOwner read
- by group/fripostVirtualDomain/fripostOwner.expand="$1" read
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+ attrs=fripostPendingToken
+ by dnattr=fripostOwner =scd
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =scd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =scd
  by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zsd
 #
 # 1. The list owners can edit their entry's attributes.
@@ -287,9 +295,9 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualList)
  attrs=@FripostVirtualList
- by dnattr=fripostOwner write
- by group/fripostVirtualDomain/fripostOwner.expand="$1" write
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by dnattr=fripostOwner =wrscd
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
 #
 # 1. The list owners can read the entry.
 # 2. So can the domain's Owner.
@@ -304,7 +312,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
  by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad
  by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
  by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
 #
 # The List Creator can add list commands.
@@ -321,4 +329,4 @@ olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting
 #
 # Catch the "break" control above.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
--
cgit v1.2.3
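Review bot: The final catch-all rule now matches only user DNs (`dn.regex="^fvu=…"`), so a principal that reaches it through an earlier `break` without being a user — anonymous, via `by anonymous =0 break` in the first hunk — matches no `by` clause at all; slapd denies when no clause of a matching rule applies, so the effective result is unchanged, but the rule no longer does what its comment "Catch the "break" control above" says. `by * +0` would keep the catch explicit for every principal that falls through, and keeps the comment accurate without relying on the implicit default.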