From 48d39ff63e2bfa2bdb7759bc4a99f69778d5ee22 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 22 Jan 2013 01:41:47 +0100 Subject: Reorganized the ACL. --- ldap/acl.ldif | 190 +++++++++++++++++++++++++++------------------------------- 1 file changed, 89 insertions(+), 101 deletions(-) (limited to 'ldap/acl.ldif') diff --git a/ldap/acl.ldif b/ldap/acl.ldif index 3cbbd24..eef10a9 100644 --- a/ldap/acl.ldif +++ b/ldap/acl.ldif @@ -24,147 +24,112 @@ dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcAccess # -# Services have read access to the attribute they need. We put this ACL -# first as it's likely to be the most used. -# TODO: for postfix, it'd be more efficient and more secure to SASL-bind -# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8. -# TODO: IMAP, SASLauth, Amavis -# TODO: if possible, make use GSSAPI/EXTERNAL for the services. +######################################################################## +# Most common services: Postfix, Amavis, SASLauth, Dovecot +# (Most used ACLs are cheaper when written first.) +# +# Everyone can search the objectclass olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias - filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand)) - by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd - by users =0 break + attrs=objectClass + by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =s + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s # +# Postfix have read access to the attribute they need. olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=objectClass,fripostPendingToken,fripostIsStatusActive - filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand)) - by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd + attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias + filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(fripostIsStatusActive=FALSE))(!(fripostPendingToken=*))) + by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd by users =0 break # -#olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" -# attrs=entry,objectClass,fripostIsStatusActive,fripostPendingToken,fvu,@amavisAccount -# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostPendingToken=FALSE)) -# by dn.exact="gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth" =rsd -# by users =0 break -# # Anonymous can authenticate into the services. (But not read or write the password.) olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev" attrs=userPassword by realanonymous =xd # # That's necessary for SASL proxy Authorize the web application. -olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev" +olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev" attrs=entry,objectClass,authzTo by realanonymous =x # -# 1. Managers have read/write access to the "virtual" subtree. -# 2. The list creator needs further access. -# 3. Other services have no access other than the one above. -# 4,5. Other users need further access. -olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break - by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break - by anonymous =0 break -# -# 1. Users can change their password (but not read it). -# 2. Anonymous users can bind. -# 3. Else, we inspect the 2 following ACLs. -olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - attrs=userPassword - by realself =w - by anonymous =xd - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =0 break -# -# The postmaster of a domain can change (replace) his/her users' password (but not read it). +# 1. Anonymous users can bind. +# 2. Users can change their password (but not read it). +# 3. The postmaster of a domain can change (replace) his/her users' password (but not read it). olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=userPassword + by realanonymous =xd + by realself =w by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w + by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd # -# No permission on the userPassword attribute for other users. -# (That's a catch-all, just to be sure that services, etc. cannot read the passwords). -olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" - attrs=userPassword - by * =0 # -# 1. Users can search (e.g., to list the entries they have created). -# 2. So can the list creator. -olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=objectClass - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =s - by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s +######################################################################## +# Virtual subtree, general access # -# 1. Users can search (e.g., to list the entries they have created). -# 2. Additional permissions may be added later on. +# 1,2. Services that need particular access on the tree. +# 3. Other users need further access. +# 4. Managers have read/write access to the "virtual" subtree. +# 5. Other services have no access other than the one above. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break -# -# Noone may create children under a pending entry. This is important -# since otherwise we couldn't delete old pending entries -# non-recursively. -olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - filter=(fripostPendingToken=*) - attrs=children - by * =0 + by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break + by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd + by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 # # Our service can list and delete (old) pending entries. olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" filter=(fripostPendingToken=*) attrs=entry by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break + by dn.children="o=mailHosting,dc=fripost,dc=dev" =0 break # # Our service can search anywhere in the tree (for old pending entries). olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=entry - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +s - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +s break + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" +s + by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break # # Our service needs to have 'z' access on the 'children' of the parent of the entry that is # to be deleted. (And 'z' access of the 'entry' attribute of this entry.) olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=children by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break + by dn.children="o=mailHosting,dc=fripost,dc=dev" =0 break # # Our service needs search access to list (old) pending entries. -olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" filter=(fripostPendingToken=*) attrs=createTimestamp,fripostPendingToken - by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s + by dn.children="o=mailHosting,dc=fripost,dc=dev" +0 break +# +# Users can search (e.g., to list the entries they have created). +olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break +# # -# Everyone can create/delete domains. (Provided s/he has +a/+z access to the +######################################################################## +# Virtual subtree, domains +# +# 1. Everyone can create/delete domains. (Provided s/he has +a/+z access to the # "entry" attribute of the domains s/he wants to delete.) +# 2. The relevant service can delete (old) pending entries. olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=children by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z # -# Reserved local parts are reserved. /!\ The case must be insensitive -# - postmaster: RFC 822, appendix C.6 -# - abuse: RFC 2142, section 4 -olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - by * =0 -# -# Everyone can check for the non-presence of the 'pending' status. +# Everyone can check for the absence of a 'pending' status. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*))) attrs=fripostPendingToken by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s # -# Only the domain Postmasters and Owners can search the unlock token and delete the -# 'pending' status (but not read). +# Only the domain Postmasters and Owners can search the unlock token and delete +# the 'pending' status (but not read). olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=FripostVirtualDomain) attrs=fripostPendingToken @@ -222,11 +187,13 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" by dnattr=fripostPostmaster =wrscd by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # -# Everyone can add or delete children, but we will be carefull with the -# kid's "entry" attribute, which require +a and +z to add and delete -# respectively. +# Everyone can add or delete children, but we will be carefull with +# the kid's "entry" attribute, which require +a and +z to add and delete +# respectively. Note that it is forbidden add a child under a pending +# entry; This is important since otherwise we couldn't delete pending +# entry non-recursively. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - filter=(objectClass=FripostVirtualDomain) + filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*))) attrs=children by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w # @@ -245,7 +212,17 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # -# Noone (but the managers) can change quotas. +# Reserved local parts are reserved. /!\ The case must be insensitive +# - postmaster: RFC 822, appendix C.6 +# - abuse: RFC 2142, section 4 +olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" + by * =0 +# +# +######################################################################## +# Virtual subtree, users +# +# Users and their postmaster can read the quota (but not change it). olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=fripostUserQuota @@ -260,14 +237,19 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by self =wrscd by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd # -# 1. Postmasters can create users (but not delete them). +# 1. Users can read their entry (but not delete it). +# 2. Postmasters can create users (but not delete them). # (Provided that they have +a access to the parent's "children" attribute.) -# 2. Users can read their entry (but not delete it). olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=entry - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard by self +rd + by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard + by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break +# +# +######################################################################## +# Virtual subtree, aliases # # 1. The alias owner can list the ownership of the entry. # 2. The domain owner can add/delete/change the ownership of the entry. @@ -304,6 +286,10 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # +# +######################################################################## +# Virtual subtree, lists +# # 1. The list owner can list the ownership of the entry. # 2. The domain owner can add/delete/change the ownership of the entry. # 3. So can the domain postmasters. @@ -325,8 +311,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by group/fripostVirtualDomain/fripostOwner.expand="$1" =rscd by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd # -# 1,2,3. The list owner and the domain Owner and Postmaster can search -# (but not read) the 'pending' token. +# 1,2,3. The list owner and the domain Owner and Postmaster can search the 'pending' token. # 4. The list creator can remove the "pending" flag. # (We don't need to limit the search to presence only here, since when present the value is # always 'TRUE') @@ -364,9 +349,9 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd # -# The List Creator can add list commands. +# The List Creator can add list commands under non-pending lists. olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev" - filter=(objectClass=FripostVirtualList) + filter=(&(objectClass=FripostVirtualList)(!(fripostPendingToken=*))) attrs=children by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a # @@ -376,6 +361,9 @@ olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting attrs=entry by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a # -# Catch the "break" control above. +# +######################################################################## +# Catchall +# olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 -- cgit v1.2.3