From f0f87bd9b13cb0bd5c37472e5a9b4e0d36d1384d Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 21 Jan 2013 23:17:41 +0100
Subject: Added a service to delete expired pending entries.

---
 ldap/acl.ldif | 71 +++++++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 57 insertions(+), 14 deletions(-)

(limited to 'ldap/acl.ldif')

diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 4cf7e10..153470f 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -65,6 +65,7 @@ olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev"
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd
 by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
 by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0
 by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
 by anonymous =0 break
@@ -76,7 +77,7 @@ olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
 attrs=userPassword
 by realself =w
 by anonymous =xd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =0 break
 #
 # The postmaster of a domain can change (replace) his/her users' password (but not read it).
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
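Review bot: The substituted clause `by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =0 break` in the userPassword rule of hunk -76 matches any bind DN below ou=virtual — domain, alias, list and list-command entries as well as `fvu=…,fvd=…` users — so it is only equivalent to the removed `dn.regex` if users are the only entries under ou=virtual that can authenticate. The same substitution is made in the hunks at -94, -120, -158, -179, -187, -202, -237, -261, -272, -318 and -335, several of which grant a positive privilege (`=s`, `=w`, `+w`) rather than `+0`. That assumption looks intended, since userPassword is only governed for the fvu target of this rule, but the ACL itself does not prevent another entry type from acquiring a userPassword (ou=managers has =wrscd on the whole subtree). Recording it once at this first occurrence would help future readers, e.g. `# NB: dn.children matches every entry under ou=virtual; only users (fvu=...) are expected to bind.`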
@@ -94,21 +95,61 @@ olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev"
 # 2. So can the list creator.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 attrs=objectClass
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
 by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s
 #
 # 1. Users can search (e.g., to list the entries they have created).
 # 2. Additional permissions may be added later on.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break
 by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
 #
+# Noone may create children under a pending entry. This is important
+# since otherwise we couldn't delete old pending entries
+# non-recursively.
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(fripostPendingToken=*)
+ attrs=children
+ by * =0
+#
+# Our service can list and delete (old) pending entries.
+olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(fripostPendingToken=*)
+ attrs=entry
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+#
+# Our service can search anywhere in the tree (for old pending entries).
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=entry
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +s
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+#
+# Our service needs to have 'z' access on the 'children' of the parent of the entry that is
+# to be deleted. (And 'z' access of the 'entry' attribute of this entry.)
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ attrs=children
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z
+ by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+#
+# Our service needs search access to list (old) pending entries.
+olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
+ filter=(fripostPendingToken=*)
+ attrs=createTimestamp,fripostPendingToken
+ by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd
+ by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break
+#
 # Everyone can create/delete domains. (Provided s/he has +a/+z access to the
 # "entry" attribute of the domains s/he wants to delete.)
 olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
 attrs=children
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =w
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w
 #
 # Reserved local parts are reserved. /!\ The case must be insensitive
 # - postmaster: RFC 822, appendix C.6
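Review bot: The rule commented "Our service can search anywhere in the tree" grants `by dn.onelevel="ou=services,…" +s` on the entry attribute of the whole ou=virtual subtree, i.e. to every account under ou=services rather than only to DeletePendingEntries; the ListCreator is kept out solely by the preceding `+0 break`, and any service account added later inherits subtree search silently. To match the comment and the least-privilege pattern of the neighbouring rules, change the `+s` line to `by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" +s` and keep `by dn.onelevel="ou=services,…" +0 break` below it. Separately, the new `by * =0` on `children` of any entry with fripostPendingToken also covers pending lists (the -287 hunk notes the token is always 'TRUE' on those), so if the ListCreator adds list commands under a list before clearing its pending flag that add will now be refused — harmless if the flag is removed first, but that ordering is not visible in this patch and deserves a comment on the rule.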
@@ -120,7 +161,7 @@ olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
 filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*)))
 attrs=fripostPendingToken
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s
 #
 # Only the domain Postmasters and Owners can search the unlock token and delete the
 # 'pending' status (but not read).
@@ -158,7 +199,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
 by dnattr=fripostPostmaster =rscd
 by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" =rscd
 by dn.onelevel,expand="$1" +d
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
 # 1. Domain owners can edit their entry's attributes.
 # 2. So can domain postmasters.
@@ -179,7 +220,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
 attrs=@fripostVirtualDomain
 by dnattr=fripostOwner =wrscd
 by dnattr=fripostPostmaster =wrscd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
 # Everyone can add or delete children, but we will be carefull with the
 # kid's "entry" attribute, which require +a and +z to add and delete
@@ -187,7 +228,7 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
 olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$"
 filter=(objectClass=FripostVirtualDomain)
 attrs=children
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +w
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w
 #
 # 1. Users with "addDomain" access can create new entries.
 # 2. Domain owners can delete their domain (and read the entry).
@@ -202,7 +243,7 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$
 by dnattr=fripostPostmaster +zrd
 by dn.onelevel,expand="$1" +rd
 by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
 # Noone (but the managers) can change quotas.
 olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
@@ -237,7 +278,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 by dnattr=fripostOwner =rscd continue
 by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
 # 1. The alias owners can edit the rest of their entry's attributes.
 # 2. So can the domain owners.
@@ -261,7 +302,7 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd
 by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
 # 1. The list owner can list the ownership of the entry.
 # 2. The domain owner can add/delete/change the ownership of the entry.
@@ -272,7 +313,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 by dnattr=fripostOwner =rscd continue
 by group/fripostVirtualDomain/fripostOwner.expand="$1" =wrscd
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 #
 # 1. The list owner read (but not edit) the transport-related attributes.
 # 2. So can the domain ower.
@@ -287,6 +328,8 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 # 1,2,3. The list owner and the domain Owner and Postmaster can search
 # (but not read) the 'pending' token.
 # 4. The list creator can remove the "pending" flag.
+# (We don't need to limit the search to presence only here, since when present the value is
+# always 'TRUE')
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
 filter=(objectClass=FripostVirtualList)
 attrs=fripostPendingToken
@@ -318,7 +361,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
 by group/fripostVirtualDomain/fripostOwner.expand="$1" +rad
 by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rad
 by set.exact="this/-1/fripostCanAddList & (user | user/-1)" +a
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
 by dn.exact="cn=ListCreator,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd
 #
 # The List Creator can add list commands.
@@ -335,4 +378,4 @@ olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting
 #
 # Catch the "break" control above.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev"
- by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" +0
+ by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0
--
cgit v1.2.3