From 695e6662e46545d08213d3eec0c4f9956333a28e Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sat, 15 Sep 2012 19:24:24 +0200
Subject: SMTP service.

---
 ldap/acl.ldif | 57 +++++++++++++++++++++++++++++++++++++--------------------
 1 file changed, 37 insertions(+), 20 deletions(-)

(limited to 'ldap/acl.ldif')

diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index eb28872..212d4d9 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -23,15 +23,39 @@ dn: olcDatabase={1}hdb,cn=config
 changetype: modify
 replace: olcAccess
-## Managers have read/write access to the "virtual" subtree.
-#olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
-# by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
-# by * break
-#-
-## 1. Users/Services/Managers can change their password (but not read it).
-## 2. Anonymous users/services/managers can bind.
-## 3. Else, we inspect the 2 following ACLs.
-olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+#
+# Services have read access to the attribute they need. We put this ACL
+# first as it's likely to be the most used.
+# TODO: for postfix, it'd be more efficient and more secure to SASL-bind
+# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8.
+# TODO: IMAP & SASLauth
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry,objectClass,fvd,fripostIsStatusActive,fripostOptionalMaildrop,fvu,fripostOptionalMaildrop,fva,fripostMaildrop,fvl,fripostListCommand
+ filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualMailbox)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
+ by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
+ by users none break
+#
+# Anonymous can authenticate into the services. (But not read or write the password.)
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+ attrs=userPassword
+ by anonymous auth
+#
+# That's necessary for SASL proxy Authorize the web application.
+olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry,objectClass,authzTo
+ by * =x
+#
+# 1. Services have no access other than the one above.
+# 2. Managers have read/write access to the "virtual" subtree.
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" none
+ by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
+ by * none break
+#
+# 1. Users can change their password (but not read it).
+# 2. Anonymous users/services/managers can bind.
+# 3. Else, we inspect the 2 following ACLs.
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=userPassword
  by self =w
  by anonymous auth
@@ -49,17 +73,6 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
  attrs=userPassword
  by * none
 #
-# That's necessary for SASL proxy Authorize the web application.
-olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
- attrs=entry,objectClass,authzTo
- by * =x
-##
-## Services can read the whole subtree (minus the userPassword attributes).
-#olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
-# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualList
-# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" read
-# by users none break
-#
 # Users can search (e.g., to list the entries they have created).
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
  attrs=objectClass
@@ -270,6 +283,10 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
  by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
  by set.exact="this/-1/fripostCanCreateList & (user | user/-1)" +a
  by users +0
+#TODO
+#olcAccess: to dn.regex="^fvl=([^,]+)-request,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+# filter=(objectClass=FripostVirtualListCommand)
+# by users read
 #
 # Catch the "break" control above.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
-- 
cgit v1.2.3
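Review bot: The managers clause on the newly enabled `ou=virtual` subtree ACL uses a different naming context from every other DN in this file: `by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write`, whereas the database, the `ou=services` DNs and the `cn=SMTP` service DN are all under `dc=fripost,dc=dev`. The `dc=org` suffix was carried over from the previously commented-out rule; as written the clause cannot match any DN bound in this database, so managers silently fall through to `by * none break` and get no write access instead of a visible failure, and the line should read `by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" write` (or the suffix made consistent across the file). Separately, the SMTP service's `attrs=` list names `fripostOptionalMaildrop` twice; the duplicate is harmless to slapd but the grant would be easier to audit with one attribute per objectClass group, e.g. a comment `# domain: fvd,fripostIsStatusActive,fripostOptionalMaildrop; mailbox: fvu; alias: fva,fripostMaildrop; list: fvl,fripostListCommand` above it. The services' `userPassword` rule ends at `by anonymous auth` and relies on OpenLDAP's implicit trailing deny, while the users' `userPassword` rule spells out `by * none`; adding the explicit `by * none` here keeps the two rules parallel and the intent obvious.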
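Review bot: The commented-out `-request` ACL in the last hunk captures `([^,]+)` in its regex but never references `$1`, and its single clause `by users read` has no `attrs=` restriction, so once the TODO is enabled every authenticated user could read the entire list-command entry. Before enabling it, drop the unused capture group and narrow the grant to what the consumer actually needs, e.g. `attrs=entry,objectClass,fvl` plus the command attribute (which one that is cannot be confirmed from this hunk); `userPassword` is not at risk because the earlier `dn.children="ou=virtual"` rule already ends in `by * none`. The `olcAccess` entry whose `+rwd`/`+a`/`+0` clauses serve as context here starts above the hunk.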