From 73c7ba4d856553706528bf2a3ae91a82fa121c10 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 30 Jan 2013 03:20:08 +0100 Subject: Prevent the WebApp from modifying the user passwords. --- ldap/acl.ldif | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'ldap/acl.ldif') diff --git a/ldap/acl.ldif b/ldap/acl.ldif index 5cc0ef0..970799a 100644 --- a/ldap/acl.ldif +++ b/ldap/acl.ldif @@ -45,12 +45,17 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc attrs=entry,objectClass,authzTo by realanonymous =x # -# 1. Anonymous users can bind. -# 2. Users can change their password (but not read it). -# 3. The postmaster of a domain can change (replace) his/her users' password (but not read it). +# 1. The WebPanel itself cannot bind, read or write passwords. This +# guarantees that, if an attacker gains its priviledge, it will *not* be +# able to change user passwords (which would allow him/her to read every +# emails). This is a trick to tackle the absence of 'realgroup'. +# 2. Anonymous users can bind. +# 3. Users can change their password (but not read it). +# 4. The postmaster of a domain can change (replace) his/her users' password (but not read it). olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=userPassword + by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0 by realanonymous =xd by realself =w by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w -- cgit v1.2.3
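Review bot: The new `by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0` clause only works because it is listed first: OpenLDAP stops at the first `by` clause whose subject matches, so if this line were ever moved below `by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w`, a WebPanel identity that happened to be a member of a postmaster group would regain write access to `userPassword`. A short comment on the clause itself ("must stay first") would document that ordering dependency for future edits. Using `realdn` rather than `dn` is the right choice here, since the WebPanel is granted `authzTo` earlier in the file and a `dn`-based deny could be sidestepped by proxy authorization; the comment block could say so explicitly instead of only calling it "a trick to tackle the absence of 'realgroup'". Minor: "priviledge" should be "privilege" and "every emails" should be "every email" in the added comment.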