From 6689ea9829fd2957ff1c1589b0731eedb5fc8817 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 26 Sep 2012 02:36:45 +0200
Subject: Updated the LDAP schema to suit the list creation script, and the acl to suit the SASL authentication.
---
ldap/acl.ldif | 90 +++++++++++++++++++++++++++++++++++++++--------------------
1 file changed, 59 insertions(+), 31 deletions(-)
(limited to 'ldap/acl.ldif')
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index e52e4d5..ac2e19d 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -29,9 +29,10 @@ replace: olcAccess
 # TODO: for postfix, it'd be more efficient and more secure to SASL-bind
 # on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
 # TODO: IMAP & SASLauth
+# TODO: if possible, make use GSSAPI for the services.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostOptionalMaildrop,fvu,fripostOptionalMaildrop,fva,fripostMaildrop,fvl,fripostListCommand
- filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
+ attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostIsStatusPending,fripostOptionalMaildrop,fvu,fva,fripostMaildrop,fvl,fvlc,fripostLocalAlias
+ filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))
  by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
  by users none break
 #
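Review bot: The added comment `# TODO: if possible, make use GSSAPI for the services.` is missing a word and should read `# TODO: if possible, make use of GSSAPI for the services.`. The SMTP rule in the same hunk is also the only place in this diff where a service is granted read (`=rsd`) on `fripostIsStatusPending`; whether the SMTP side is expected to treat a pending list as undeliverable cannot be told from the ACL alone, so a one-line comment above the rule stating the intended meaning of that attribute for the service would help the next reader.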
@@ -45,23 +46,28 @@ olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
  attrs=entry,objectClass,authzTo
  by * =x
 #
-# 1. Services have no access other than the one above.
-# 2. Managers have read/write access to the "virtual" subtree.
+# 1. Managers have read/write access to the "virtual" subtree.
+# 2. The list creator needs further access.
+# 3. Other services have no access other than the one above.
+# 4,5. Other users need further access.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" write
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" none break
  by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none
- by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
- by * none break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" none break
+ by anonymous none break
 #
 # 1. Users can change their password (but not read it).
-# 2. Anonymous users/services/managers can bind.
+# 2. Anonymous users can bind.
 # 3. Else, we inspect the 2 following ACLs.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=userPassword
  by self =w
  by anonymous auth
- by users none break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" none break
 #
-# The postmaster of a domain can change (replace) his/her users' password.
+# The postmaster of a domain can change (replace) his/her users'
+# password (but not see it).
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualMailbox)
  attrs=userPassword
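Review bot: Clause 5 of the rewritten subtree rule, `by anonymous none break`, is what keeps the unchanged `by anonymous auth` clause on the userPassword rule further down reachable; with slapd's first-match evaluation, dropping the `break` would stop anonymous at the implicit `by * none` and simple binds for entries under ou=virtual would fail. The comment block hides this behind `# 4,5. Other users need further access.`, which does not tell a maintainer that the clause is load-bearing for authentication rather than an incidental fall-through. Suggest replacing that line with two: `# 4. Users (entries under ou=virtual) need further access.` and `# 5. Anonymous must fall through so the "auth" clause on userPassword below stays reachable.`.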
@@ -73,22 +79,25 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
  attrs=userPassword
  by * none
 #
-# Users can search (e.g., to list the entries they have created).
+# 1. Users can search (e.g., to list the entries they have created).
+# 2. So can the list creator.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=objectClass
- by users =s
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
 #
 # Users can search (e.g., to list the entries they have created).
 # Additional permissions may be added later on.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateList
- by users =s break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break
 #
 # Everyone can delete domains. (Provided s/he has +d access to the "entry"
 # attribute of the domains s/he wants to delete.)
 olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=children
- by users =z
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =z
 #
 # Reserved local parts are reserved.
 olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
@@ -122,7 +131,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
  by dnattr=fripostPostmaster read
  by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList)& (user | user/-1)" read
  by dn.onelevel,expand="$1" +d
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
 # Every one can add or delete children, but we will be carefull with the
 # kid's "entry" attribute, which require +a and +z to add and delete
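Review bot: The second rule in the hunk opens its fall-through to the whole service container with `by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none break`, whereas the objectClass rule just above it names the list creator exactly (`by dn.exact="cn=ListCreator,..." =s`). Today the two are probably equivalent, because every other service is stopped by the `none` clause on the ou=virtual subtree rule earlier in the file, but the wider subject means any service later given a `break` there would silently inherit this fall-through onto entry, creatorsName and the ownership attributes. Suggest narrowing it to `by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" none break`. The comment on that rule still reads only `# Users can search (e.g., to list the entries they have created).`; it should mention the list creator the way the objectClass rule's comment now does.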
@@ -130,7 +139,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  filter=(objectClass=FripostVirtualDomain)
  attrs=children
- by users +w
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
 #
 # 1. Domain owners can edit their entry's attributes.
 # 2. So can domain postmasters.
@@ -151,7 +160,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
  attrs=@fripostVirtualDomain
  by dnattr=fripostOwner write
  by dnattr=fripostPostmaster write
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
 # 1. Domain owners can delete the domain (and read the entry).
 # 2. So can domain postmasters.
@@ -164,7 +173,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
  by dnattr=fripostPostmaster +zrd
  by dn.onelevel,expand="$1" +rd
  by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateList) & (user | user/-1)" +rd
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
 # Noone (but the managers) can change quotas.
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
@@ -199,7 +208,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
  by dnattr=fripostOwner read continue
  by group/fripostVirtualDomain/fripostOwner.expand="$1" write
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
 # 1. The alias owners can edit the rest of their entry's attributes.
 # 2. So can the domain owners.
@@ -223,7 +232,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
  by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
  by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
 # 1. The list owner can list the ownership of the entry.
 # 2. The domain owner can add/delete/change the ownership of the entry.
@@ -234,18 +243,27 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
  by dnattr=fripostOwner read continue
  by group/fripostVirtualDomain/fripostOwner.expand="$1" write
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
 # 1. The list owner read (but not edit) the transport-related attributes.
 # 2. So can the domain ower.
 # 3. So can the domain postmaster.
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualList)
- attrs=fripostListManager,fripostListCommand
+ attrs=fripostListManager
  by dnattr=fripostOwner read
  by group/fripostVirtualDomain/fripostOwner.expand="$1" read
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
 #
+# Only the list creator can remove the "pending" flag
+olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=FripostVirtualList)
+ attrs=fripostIsStatusPending
+ by dnattr=fripostOwner read
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" read
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd
+#
 # 1. The list owners can edit their entry's attributes.
 # 2. So can the domain owners.
 # 3. So can the domain postmasters.
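Review bot: In the new `fripostIsStatusPending` rule nothing below manager level is granted add access on the attribute: owner, domain owner and postmaster get `read`, the list creator gets `=zrd` (delete, read, disclose), and the implicit `by * none` stops everyone else. Since this rule precedes the `@fripostVirtualList` write rule for owners, a user creating a list through the `+a` grant on `entry` in the following hunk cannot include `fripostIsStatusPending` in the add, and as far as this diff shows nobody but a manager can set the flag afterwards; if the flag is meant to be present from creation, the creating user needs an add grant here, and if it is set by some other path that should be stated in the comment. The comment also leaves the privilege semantics implicit; suggest `# Only the list creator can clear the "pending" flag (=zrd: delete, read, disclose; no one here may set it).`.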
@@ -256,24 +274,34 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
  by group/fripostVirtualDomain/fripostOwner.expand="$1" write
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
 #
-# 1. The list owners can read and delete the entry.
+# 1. The list owners can read the entry.
 # 2. So can the domain's Owner.
 # 3. So can the domain's Postmaster.
 # 4. Users with "canCreateList" capability (either explicitely, or as a wildcard) for the domain can create lists for that domain.
 # (But *not* delete them, unless also owner.)
+# 6. The list creator can read the entry.
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualList)
  attrs=entry
- by dnattr=fripostOwner +rzd continue
- by group/fripostVirtualDomain/fripostOwner.expand="$1" +rwd
- by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
+ by dnattr=fripostOwner +rd continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad
  by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a
- by users +0
-#TODO
-#olcAccess: to dn.regex="^fvl=([^,]+)-request,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
-# filter=(objectClass=FripostVirtualListCommand)
-# by users read
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
+#
+# The List Creator can add list commands.
+olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(objectClass=FripostVirtualList)
+ attrs=children
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
+#
+# The List Creator can add list commands.
+olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(objectClass=FripostVirtualListCommand)
+ attrs=entry
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =a
 #
 # Catch the "break" control above.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- by users +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
-- 
cgit v1.2.3
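Review bot: The two new list-command rules use `dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev"` and `dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev"` without the trailing `$` anchor that every other `dn.regex` in this file carries; the database suffix makes a longer match unlikely today, but an unanchored pattern is exactly what widens silently if the tree is ever reorganised, so both should end in `dc=dev$"`. Two comments in the same hunk are now inaccurate: the list-entry block numbers its points `# 4.` then `# 6. The list creator can read the entry.` with no 5, and `# (But *not* delete them, unless also owner.)` is stale because the owner clause changed from `+rzd` to `+rd`, so owners can no longer delete lists either. The second `# The List Creator can add list commands.` sits on the rule for the command's own `entry` pseudo-attribute and would be clearer as `# The List Creator can add list commands ("entry" half of the add; "children" on the list is granted above).`.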