From ded29bf9eb3fa40c56eb9ace365d13e6348e215c Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 20 Aug 2012 01:53:16 +0200
Subject: A little test suite for LDAP ACLs.
---
ldap/acl.ldif | 293 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 293 insertions(+)
create mode 100644 ldap/acl.ldif
(limited to 'ldap/acl.ldif')
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
new file mode 100644
index 0000000..5af52aa
--- /dev/null
+++ b/ldap/acl.ldif
@@ -0,0 +1,293 @@
+# Load this file with
+#
+# ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
+#
+# It will remove existing ACLs, and add the following instead. Ensure
+# that it's indeed the database #1 that you want to amend:
+#
+# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn
+#
+#
+# /!\ ATTENTION! Every modification made to this file should be
+# /!\ implemented in the test suite as well!
+#
+#
+# References:
+# - http://www.openldap.org/doc/admin24/access-control.html
+# - http://www.openldap.org/faq/data/cache/189.html
+# - http://www.openldap.org/faq/data/cache/1140.html
+# - http://www.openldap.org/faq/data/cache/1133.html
+# - man 5 slapd.access
+
+
+dn: olcDatabase={1}hdb,cn=config
+changetype: modify
+replace: olcAccess
+## Managers have read/write access to the "virtual" subtree.
+#olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+# by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write
+# by * break
+#-
+## 1. Users/Services/Managers can change their password (but not read it).
+## 2. Anonymous users/services/managers can bind.
+## 3. Else, we inspect the 2 following ACLs.
+#add: olcAccess
+olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+ attrs=userPassword
+ by self =w
+ by anonymous auth
+ by users none break
+-
+# The postmaster of a domain can change (replace) his/her users' password.
+add: olcAccess
+olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualMailbox)
+ attrs=userPassword
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w
+-
+# No permission on the userPassword attribute for other users.
+# (That's a catch-all, just to be sure that services, etc. cannot read the passwords).
+add: olcAccess
+olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+ attrs=userPassword
+ by * none
+#-
+## Services can read the whole subtree (minus the userPassword attributes).
+#add: olcAccess
+#olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
+# attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualML
+# by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=org" read
+# by users * break
+-
+# Users can search (e.g., to list the entries they have created).
+# Additional permissions may be added later on.
+add: olcAccess
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateML
+ by users =s break
+-
+# Everyone can delete domains. (Provided he has +d access to the "entry"
+# attribute of the domains he wants to delete.)
+add: olcAccess
+olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=children
+ by users =z
+-
+# 1. The postmaster of a domain can give (or take back) people the right to create
+# aliases.
+# 2,3. People that can create aliases can list the members of the group.
+add: olcAccess
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=fripostCanCreateAlias
+ by dnattr=fripostPostmaster write
+ by dnattr=fripostOwner read
+ by set.exact="this/fripostCanCreateAlias & (user | user/-1)" read
+-
+# 1. The postmaster of a domain can give (or take back) people the right to create
+# mailing lists.
+# 2,3. People that can create mailing lists can list the members of the group.
+add: olcAccess
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=fripostCanCreateML
+ by dnattr=fripostPostmaster write
+ by dnattr=fripostOwner read
+ by set.exact="this/fripostCanCreateML & (user | user/-1)" read
+-
+# 1-3. Noone (but the managers) can appoint domain Owners or Postmasters.
+# But people that can create aliases and mailing lists can list the members of their group.
+add: olcAccess
+olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=fripostOwner,fripostPostmaster
+ by dnattr=fripostOwner read
+ by dnattr=fripostPostmaster read
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML)& (user | user/-1)" read
+ by dn.onelevel,expand="$1" +d
+ by users +0
+-
+# Every one can add or delete children, but we will be carefull with the
+# kid's "entry" attribute, which require +a and +z to add and delete
+# respectively.
+add: olcAccess
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=children
+ by users +w
+-
+# 1. Domain owners can edit their entry's attributes.
+# 2. So can domain postmasters.
+# 3. Domain users can read the public domain attributes.
+# 4. So can users with "canCreateAlias" or "canCreateML" access.
+add: olcAccess
+olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=fvd,fripostIsStatusActive,description
+ by dnattr=fripostOwner write
+ by dnattr=fripostPostmaster write
+ by dn.onelevel,expand="$1" read
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" read
+-
+# 1. Domain owners can edit their entry's attributes.
+# 2. So can domain postmasters.
+add: olcAccess
+olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=@fripostVirtualDomain
+ by dnattr=fripostOwner write
+ by dnattr=fripostPostmaster write
+ by users +0
+-
+# 1. Domain owners can delete the domain (and read the entry).
+# 2. So can domain postmasters.
+# 3. Domain users can read the domain entry (but not delete it).
+# 4. So can users with "canCreateAlias" or "canCreateML" rights.
+add: olcAccess
+olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualDomain)
+ attrs=entry
+ by dnattr=fripostOwner +zrd
+ by dnattr=fripostPostmaster +zrd
+ by dn.onelevel,expand="$1" +rd
+ by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" +rd
+ by users +0
+-
+# Noone (but the managers) can change quotas.
+add: olcAccess
+olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualMailbox)
+ attrs=fripostMailboxQuota
+ by self read
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+-
+# 1. Users can modify their own entry.
+# 2. So can their postmasters.
+add: olcAccess
+olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualMailbox)
+ attrs=@FripostVirtualMailbox
+ by self write
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+-
+# 1. Postmasters can create mailboxes (but not delete them).
+# (Provided that they have +a access to the parent's "children" attribute.)
+# 2. Users can read their entry (but not delete it).
+add: olcAccess
+olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualMailbox)
+ attrs=entry
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard
+ by self +rd
+-
+# Reserved aliases cannot be deactivated. (But the alias definition may be changed by the
+# domain owner.)
+add: olcAccess
+olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualAlias)
+ attrs=fripostIsStatusActive,fripostOwner,fva
+ by group/fripostVirtualDomain/fripostOwner.expand="$2" read
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$2" read
+ by users +0
+-
+# Reserved aliases cannot be deleted.
+add: olcAccess
+olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualAlias)
+ attrs=entry
+ by group/fripostVirtualDomain/fripostOwner.expand="$2" +ard
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$2" +ard
+ by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
+ by users +0
+-
+# 1. The alias owner can list the ownership of the entry.
+# 2. The domain owner can add/delete/change the ownership of the entry.
+# 3. So can the domain postmasters.
+add: olcAccess
+olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualAlias)
+ attrs=fripostOwner
+ by dnattr=fripostOwner read continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" write
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by users +0
+-
+# 1. The alias owners can edit the rest of their entry's attributes.
+# 2. So can the domain owners.
+# 3. So can the domain postmasters.
+add: olcAccess
+olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualAlias)
+ attrs=@FripostVirtualAlias
+ by dnattr=fripostOwner write
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" write
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+-
+# 1. The alias owners can read and delete the entry.
+# 2. So can the domain owner.
+# 3. So can the domain postmaster.
+# 4. Users with "canCreateAlias" access (either explicitely, or as a wildcard) for the domain can create aliases for that domain.
+# (But *not* delete them, unless also owner.)
+add: olcAccess
+olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualAlias)
+ attrs=entry
+ by dnattr=fripostOwner +zrd continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
+ by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a
+ by users +0
+-
+# 1. The mailing list owner can list the ownership of the entry.
+# 2. The domain owner can add/delete/change the ownership of the entry.
+# 3. So can the domain postmasters.
+add: olcAccess
+olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualML)
+ attrs=fripostOwner
+ by dnattr=fripostOwner read continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" write
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+ by users +0
+-
+# 1. The mailing list owner read (but not edit) the transport-related attributes.
+# 2. So can the domain ower.
+# 3. So can the domain postmaster.
+add: olcAccess
+olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualML)
+ attrs=fripostMLManager,fripostMLCommand
+ by dnattr=fripostOwner read
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" read
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read
+-
+# 1. The mailing list owners can edit their entry's attributes.
+# 2. So can the domain owners.
+# 3. So can the domain postmasters.
+add: olcAccess
+olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualML)
+ attrs=@FripostVirtualML
+ by dnattr=fripostOwner write
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" write
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write
+-
+# 1. The mailing list owners can read and delete the entry.
+# 2. So can the domain's Owner.
+# 3. So can the domain's Postmaster.
+# 4. Users with "canCreateML" capability (either explicitely, or as a wildcard) for the domain can create mailing lists for that domain.
+# (But *not* delete them, unless also owner.)
+add: olcAccess
+olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
+ filter=(objectClass=fripostVirtualML)
+ attrs=entry
+ by dnattr=fripostOwner +rzd continue
+ by group/fripostVirtualDomain/fripostOwner.expand="$1" +rwd
+ by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd
+ by set.exact="this/-1/fripostCanCreateML & (user | user/-1)" +a
+ by users +0
+-
+# Catch the "break" control above.
+add: olcAccess
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ by users +0
-- cgit v1.2.3
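Review bot: The comment above the `to dn.base="ou=virtual,…" attrs=children by users =z` rule says a domain can be deleted "provided he has +d access to the entry attribute", but disclose (`d`) is not the privilege a delete is checked against; the domain `entry` rule further down grants `+zrd` and the later children comment correctly names `+z`, so this should read `# Everyone can delete domains. (Provided he has +z access to the "entry"`. The two commented-out manager and services rules reference `ou=managers,o=mailHosting,dc=fripost,dc=org` and `ou=services,o=mailHosting,dc=fripost,dc=org`, while the header's `olcSuffix` check and every active rule use `dc=fripost,dc=dev`; if those lines are ever re-enabled as written they would match no DN in this database, so either align the suffix now or mark them as stale. One thing the test suite should pin down explicitly: holders of `fripostCanCreateAlias`/`fripostCanCreateML` only get `+a` on the new entry's `entry` attribute while `fripostOwner` on the same entry falls through to `by users +0`, so, if I read it right, creation by those users works only while the database keeps `olcAddContentAcl` at its default of not checking added content. A test that flips that setting would catch a silent regression in the intended "can create but not own" model.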