From 0bed9611730fc434dd55175bc947dc09fc430710 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 9 Sep 2012 23:26:26 +0200 Subject: SASL proxy authorization. --- ldap/test-user-acl.sh | 224 +++++++++++++++++++++++++++----------------------- 1 file changed, 120 insertions(+), 104 deletions(-) (limited to 'ldap/test-user-acl.sh') diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh index 26298f9..6983706 100755 --- a/ldap/test-user-acl.sh +++ b/ldap/test-user-acl.sh @@ -72,8 +72,8 @@ USERS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualMailbox" dn | \ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvu=\1,fvd=\2/') ALIASES=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualAlias" dn | \ grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fva=\1,fvd=\2/') -MLS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualML" dn | \ - grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvml=\1,fvd=\2/') +LISTS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualList" dn | \ + grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/') ######################################################################## @@ -104,9 +104,9 @@ done | isOK '=0' entry [ $? -eq 0 ] || exit $? -msg "Have =0 access to mailing lists entries" -for ML in ${MLS}; do - checkACL "" "${ML}" +msg "Have =0 access to list entries" +for L in ${LISTS}; do + checkACL "" "${L}" done | isOK '=0' entry [ $? -eq 0 ] || exit $? 
@@ -162,34 +162,36 @@ echo "Authenticated users, access to domain entries" # * entry: # =s-a for all -# +rd if children, canCreate{Alias,ML}, owner or postmaster +# +rd if children, canCreate{Alias,List}, owner or postmaster # +z if owner or postmaster # * children: # =w for all +# * objectClass: +# =s for all # * fvd: -# =rscd if children, canCreate{Alias,ML}, owner or postmaster +# =rscd if children, canCreate{Alias,List}, owner or postmaster # +w if owner or postmaster # * fripostIsStatusActive -# =rscd if children, canCreate{Alias,ML}, owner or postmaster +# =rscd if children, canCreate{Alias,List}, owner or postmaster # +w if owner or postmaster # * fripostCanCreateAlias # =rscd if canCreateAlias, owner or postmaster # +w if postmaster -# * fripostCanCreateML -# =rscd if canCreateML, owner or postmaster +# * fripostCanCreateList +# =rscd if canCreateList, owner or postmaster # +w if postmaster # * fripostOwner # =s for all # +d if children -# +rc if canCreate{Alias,ML}, owner or postmaster +# +rc if canCreate{Alias,List}, owner or postmaster # * fripostPostmaster # =s for all # +d if children -# +rc if canCreate{Alias,ML}, owner or postmaster +# +rc if canCreate{Alias,List}, owner or postmaster # * fripostOptionalMaildrop # =wrscd if owner or postmaster # * description -# =rscd if children, canCreate{Alias,ML}, owner or postmaster +# =rscd if children, canCreate{Alias,List}, owner or postmaster # +w if owner or postmaster usersD () { @@ -213,6 +215,10 @@ msg "Have =w access to \"children\"" usersD children | isOK '=w$' children [ $? -eq 0 ] || exit $? +msg "Have =s access to \"objectClass\"" +usersD objectClass | isOK '=s' objectClass +[ $? -eq 0 ] || exit $? + msg "Have >=s access on \"entry\", \"fripostOwner\" and \"fripostPostmaster\"" usersD entry/search fripostOwner/search fripostPostmaster/search | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? 
@@ -225,7 +231,7 @@ usersD structuralObjectClass entryUUID createTimestamp entryCSN modifiersName mo # We check the following permissions: # 0. Simple user # 1. canCreateAlias (exact,wildcard) -# 2. canCreateML (exact,wildcard) +# 2. canCreateList (exact,wildcard) # 3. Owner # 4. Postmaster 
@@ -271,26 +277,26 @@ done | isOK 'ALLOWED$' children # 2 -ATTRSML="fripostOwner/read fripostOwner/compare - fripostPostmaster/read fripostPostmaster/compare - fripostCanCreateML/read fripostCanCreateML/search fripostCanCreateML/compare fripostCanCreateML/disclose" -msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateML, exact)" +ATTRSL="fripostOwner/read fripostOwner/compare + fripostPostmaster/read fripostPostmaster/compare + fripostCanCreateList/read fripostCanCreateList/search fripostCanCreateList/compare fripostCanCreateList/disclose" +msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateList, exact)" for U in ${USERS}; do for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanCreateML=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSML} + search -s base -b "${D},${SUFFIX}" "fripostCanCreateList=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? # 2 -msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateML, wildcard)" +msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanCreateList, wildcard)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "fripostCanCreateML=${DU},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSML} + search -s base -b "${D},${SUFFIX}" "fripostCanCreateList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? 
@@ -298,7 +304,7 @@ done | isOK 'ALLOWED$' children # 3 # >=w to "children", =zrscd to "entry", >=rscd to "fripostCanCreateAlias" and -# "fripostCanCreateML", and =wrscd to the rest (other than "Owner" and +# "fripostCanCreateList", and =wrscd to the rest (other than "Owner" and # Postmaster") msg "Have =wrscd to the domain attributes (other than \"canCreate\"), and >=w to \"children\" (if Owner)" ATTRSO="entry/delete @@ -309,7 +315,7 @@ ATTRSO="entry/delete for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSML} ${ATTRSO} + checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? @@ -317,15 +323,15 @@ done | isOK 'ALLOWED$' children # 4 # >=w to "children", =zrscd to "entry", >=rscd to "fripostCanCreateAlias" and -# "fripostCanCreateML", and =wrscd to the rest (other than "Owner" and +# "fripostCanCreateList", and =wrscd to the rest (other than "Owner" and # Postmaster") msg "Have =wrscd to the domain attributes, and >=w to \"children\" (if Postmaster)" ATTRSP="fripostCanCreateAlias/add fripostCanCreateAlias/delete - fripostCanCreateML/add fripostCanCreateML/delete" + fripostCanCreateList/add fripostCanCreateList/delete" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSML} ${ATTRSO} ${ATTRSP} + checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} ${ATTRSP} done done | isOK 'ALLOWED$' children [ $? -eq 0 ] || exit $? 
@@ -339,8 +345,8 @@ for U in ${USERS}; do [ "x${DU}" = "x${D}" ] || \ search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX}) (fripostCanCreateAlias=${DU},${SUFFIX}) - (fripostCanCreateML=${U},${SUFFIX}) - (fripostCanCreateML=${DU},${SUFFIX}) + (fripostCanCreateList=${U},${SUFFIX}) + (fripostCanCreateList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ checkACL "${U}" "${D}" ${ATTRS0} @@ -350,17 +356,17 @@ done | isOK 'DENIED$' entry read # not (1 or 2 or 3 or 4) -msg "Do not have >=rc access to \"canCreate{Alias,ML}\", \"Owner\", \"Postmaster\" (unless member)" +msg "Do not have >=rc access to \"canCreate{Alias,List}\", \"Owner\", \"Postmaster\" (unless member)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateAlias=${U},${SUFFIX}) (fripostCanCreateAlias=${DU},${SUFFIX}) - (fripostCanCreateML=${U},${SUFFIX}) - (fripostCanCreateML=${DU},${SUFFIX}) + (fripostCanCreateList=${U},${SUFFIX}) + (fripostCanCreateList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSML} entry/add + checkACL "${U}" "${D}" ${ATTRSA} ${ATTRSL} entry/add done done | isOK 'DENIED$' entry # "entry" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? 
@@ -382,15 +388,15 @@ done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to # not (2 or 3 or 4) -msg "Have =0 access to \"canCreateML\" (unless member, Owner, or Postmaster)" +msg "Have =0 access to \"canCreateList\" (unless member, Owner, or Postmaster)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" for D in ${DOMAINS}; do - search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateML=${U},${SUFFIX}) - (fripostCanCreateML=${DU},${SUFFIX}) + search -s base -b "${D},${SUFFIX}" "(|(fripostCanCreateList=${U},${SUFFIX}) + (fripostCanCreateList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${D}" fripostCanCreateML entry/add + checkACL "${U}" "${D}" fripostCanCreateList entry/add done done | isOK '\(=0\|DENIED\)$' entry # "entry" here is useless, but it's just to get the count [ $? -eq 0 ] || exit $? @@ -409,7 +415,7 @@ done | isOK 'DENIED$' entry # not 4 -msg "Do not have >=w access to \"canCreate{Alias,ML}\" (unless Postmaster)" +msg "Do not have >=w access to \"canCreate{Alias,List}\" (unless Postmaster)" for U in ${USERS}; do for D in ${DOMAINS}; do search -s base -b "${D},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' || \ @@ -431,6 +437,8 @@ echo "Authenticated users, access to user entries" # +a if domain postmaster # * children: # =0 for all +# * objectClass: +# =s for all # * fvu: # =wrscd if account owner or domain postmaster # * userPassword: @@ -441,8 +449,6 @@ echo "Authenticated users, access to user entries" # =rscd if account owner or domain postmaster # * fripostOptionalMaildrop: # =wrscd if account owner or domain postmaster -# * cn: -# =wrscd if account owner or domain postmaster # * description: # =wrscd if account owner or domain postmaster 
@@ -463,7 +469,7 @@ usersU userPassword | isOK '=w$' [ $? -eq 0 ] || exit $? msg "Have =wrscxd access to the other attributes of their own entry" -usersU fvu fripostIsStatusActive fripostOptionalMaildrop cn description | isOK 'write(=wrscxd)$' fvu +usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu [ $? -eq 0 ] || exit $? msg "Have >=rsd access to the \"entry\" attribute of their own entry" @@ -475,6 +481,10 @@ msg "Have =0 access to their \"children\" and operational attributes" usersU children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children [ $? -eq 0 ] || exit $? +msg "Have =s access to \"objectClass\"" +usersD objectClass | isOK '=s' objectClass +[ $? -eq 0 ] || exit $? + msg "Have =0 access to other user entries (unless Postmaster)" for U1 in ${USERS}; do for U2 in ${USERS}; do @@ -486,7 +496,7 @@ for U1 in ${USERS}; do fripostIsStatusActive \ fripostMailboxQuota \ fripostOptionalMaildrop \ - cn description + description done done | isOK '=0$' entry [ $? -eq 0 ] || exit $? @@ -512,7 +522,7 @@ usersP userPassword | isOK '=w$' [ $? -eq 0 ] || exit $? msg "Have =wrscxd access to the other attributes of their users' entry (if Postmaster)" -usersP fvu fripostIsStatusActive fripostOptionalMaildrop cn description | isOK 'write(=wrscxd)$' fvu +usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK 'write(=wrscxd)$' fvu [ $? -eq 0 ] || exit $? # "+a" is needed to create new accounts. "+z" would be required to @@ -540,6 +550,8 @@ echo "Authenticated users, access to alias entries" # +w (regular alias) if domain owner or domain postmaster # * children: # =0 for all +# * objectClass: +# =s for all # * fva: # =rscd (reserved alias) if domain owner or domain postmaster # =wrscd (regular alias) if alias owner, domain owner or domain postmaster 
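Review bot: The objectClass check added in the @@ -475 hunk calls `usersD objectClass`, but that section tests user entries (the neighbouring `usersU children ...` and `usersU fvu ...` lines), so the new assertion re-runs the domain-entry check and never exercises objectClass on a user entry; the line should read `usersU objectClass | isOK '=s' objectClass`. The same copy-paste appears in the @@ -574 hunk of the alias section, where it should be `usersA objectClass | isOK '=s' objectClass`. As written, both new checks would pass on the domain ACL alone, so a regression in the user- or alias-entry rule for objectClass would go unnoticed.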
@@ -574,6 +586,10 @@ msg "Have =0 access to the \"children\" and operational attributes" usersA children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children [ $? -eq 0 ] || exit $? +msg "Have =s access to \"objectClass\"" +usersD objectClass | isOK '=s' objectClass +[ $? -eq 0 ] || exit $? + RESERVED_ATTRS="entry/delete fva/write fripostIsStatusActive/write" 
@@ -739,136 +755,136 @@ done | isOK 'DENIED$' entry delete echo -echo "Authenticated users, access to mailing list entries" +echo "Authenticated users, access to list entries" # * entry: # =s for all -# +a if canCreateML, domain owner or domain postmaster -# +zrd if mailing list owner, domain owner or domain postmaster +# +a if canCreateList, domain owner or domain postmaster +# +zrd if list owner, domain owner or domain postmaster # * children: # =0 for all -# * fvml: -# =wrscd if mailing list owner, domain owner or domain postmaster -# * fripostMLManager: -# =rscd if mailing list owner, domain owner or domain postmaster +# * fvl: +# =wrscd if list owner, domain owner or domain postmaster +# * fripostListManager: +# =rscd if list owner, domain owner or domain postmaster # * fripostIsStatusActive: -# =wrscd if mailing list owner, domain owner or domain postmaster -# * fripostMLCommand: -# =rscd if mailing list owner, domain owner or domain postmaster +# =wrscd if list owner, domain owner or domain postmaster +# * fripostListCommand: +# =rscd if list owner, domain owner or domain postmaster # * fripostOwner: # =d for all -# +rsc if mailing list owner, domain owner or domain postmaster +# +rsc if list owner, domain owner or domain postmaster # +w if domain owner or domain postmaster # * description: -# =wrscd if mailing list owner, domain owner or domain postmaster +# =wrscd if list owner, domain owner or domain postmaster -usersML () { +usersL () { for U in ${USERS}; do - for ML in ${MLS}; do - checkACL "${U}" "${ML}" "$@" + for L in ${LISTS}; do + checkACL "${U}" "${L}" "$@" done done } msg "Have >=s access on \"entry\" and \"fripostOwner\"" -usersML fripostOwner/search entry/search | isOK 'ALLOWED$' entry +usersL fripostOwner/search entry/search | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? 
msg "Have =0 access the \"children\" and operational attributes" -usersML children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children +usersL children structuralObjectClass entryUUID createTimestamp entryCSN modifiersName modifyTimestamp | isOK '=0$' children [ $? -eq 0 ] || exit $? msg "Cannot change transport-related attributes" for U in ${USERS}; do - for ML in ${MLS}; do - checkACL "${U}" "${ML}" fripostMLCommand/add fripostMLCommand/delete \ - fripostMLManager/write + for L in ${LISTS}; do + checkACL "${U}" "${L}" fripostListCommand/add fripostListCommand/delete \ + fripostListManager/write done -done | isOK 'DENIED$' fripostMLManager +done | isOK 'DENIED$' fripostListManager [ $? -eq 0 ] || exit $? ATTRS="entry/read entry/disclose entry/delete - fvml/write fvml/read fvml/search fvml/compare fvml/disclose - fripostMLManager/read fripostMLManager/search fripostMLManager/compare fripostMLManager/disclose + fvl/write fvl/read fvl/search fvl/compare fvl/disclose + fripostListManager/read fripostListManager/search fripostListManager/compare fripostListManager/disclose fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose - fripostMLCommand/read fripostMLCommand/search fripostMLCommand/compare fripostMLCommand/disclose + fripostListCommand/read fripostListCommand/search fripostListCommand/compare fripostListCommand/disclose fripostOwner/read fripostOwner/compare fripostOwner/disclose description/add description/delete description/read description/compare description/disclose" ATTRS2="fripostOwner/add fripostOwner/delete" -msg "Can edit/delete mailing list (if mailing list Owner)" +msg "Can edit/delete list (if list Owner)" for U in ${USERS}; do - for ML in ${MLS}; do - search -s base -b "${ML},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${ML}" ${ATTRS} + for L in ${LISTS}; do + 
search -s base -b "${L},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" ${ATTRS} done done | isOK 'ALLOWED$' entry delete [ $? -eq 0 ] || exit $? -msg "Can edit/create/delete mailing list (if domain Owner)" +msg "Can edit/create/delete list (if domain Owner)" [ $? -eq 0 ] || exit $? for U in ${USERS}; do - for ML in ${MLS}; do - DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DML},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${ML}" ${ATTRS} ${ATTRS2} entry/add + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? -msg "Can edit/create/delete mailing list (if domain Postmaster)" +msg "Can edit/create/delete list (if domain Postmaster)" [ $? -eq 0 ] || exit $? for U in ${USERS}; do - for ML in ${MLS}; do - DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DML},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${ML}" ${ATTRS} ${ATTRS2} entry/add + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add done done | isOK 'ALLOWED$' entry add [ $? -eq 0 ] || exit $? # Needed to create new entries. ("+z" is required to delete, btw.) 
-msg "Have >=a access to \"entry\" (if CanCreateML, exact)" +msg "Have >=a access to \"entry\" (if CanCreateList, exact)" for U in ${USERS}; do - for ML in ${MLS}; do - DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DML},${SUFFIX}" "fripostCanCreateML=${U},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${ML}" entry/add + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${DL},${SUFFIX}" "fripostCanCreateList=${U},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" entry/add done done | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? # Needed to create new entries. ("+z" is required to delete, btw.) -msg "Have >=a access to \"entry\" (if CanCreateML, wildcard)" +msg "Have >=a access to \"entry\" (if CanCreateList, wildcard)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - for ML in ${MLS}; do - DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DML},${SUFFIX}" "fripostCanCreateML=${DU},${SUFFIX}" | grep -q '^dn: ' && \ - checkACL "${U}" "${ML}" entry/add + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${DL},${SUFFIX}" "fripostCanCreateList=${DU},${SUFFIX}" | grep -q '^dn: ' && \ + checkACL "${U}" "${L}" entry/add done done | isOK 'ALLOWED$' entry [ $? -eq 0 ] || exit $? 
-msg "Do not have >=a access to \"entry\" (unless canCreateML)" +msg "Do not have >=a access to \"entry\" (unless canCreateList)" for U in ${USERS}; do DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - for ML in ${MLS}; do - DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${DML},${SUFFIX}" "(|(fripostCanCreateML=${U},${SUFFIX}) - (fripostCanCreateML=${DU},${SUFFIX}) + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${DL},${SUFFIX}" "(|(fripostCanCreateList=${U},${SUFFIX}) + (fripostCanCreateList=${DU},${SUFFIX}) (fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${ML}" entry/add + checkACL "${U}" "${L}" entry/add done done | isOK 'DENIED$' entry [ $? -eq 0 ] || exit $? @@ -886,14 +902,14 @@ done | isOK 'DENIED$' fripostOwner add [ $? -eq 0 ] || exit $? -msg "Have no access to mailing list entries (unless mailing list owner/domain owner/domain postmaster)" +msg "Have no access to list entries (unless list owner/domain owner/domain postmaster)" for U in ${USERS}; do - for ML in ${MLS}; do - DML="$(echo "${ML}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" - search -s base -b "${ML},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' || \ - search -s base -b "${DML},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) + for L in ${LISTS}; do + DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')" + search -s base -b "${L},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' || \ + search -s base -b "${DL},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX}) (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \ - checkACL "${U}" "${ML}" ${ATTRS} entry/delete + checkACL "${U}" "${L}" ${ATTRS} entry/delete done done | isOK 'DENIED$' entry delete [ $? -eq 0 ] || exit $? -- cgit v1.2.3
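Review bot: The renamed `usersL` helper in the @@ -739 hunk has no header comment, although every surrounding section documents its expected ACL in detail; a short comment above it would make the loop self-explanatory, e.g. `# usersL ATTR[/PRIV]...: run checkACL for every (user, list) pair, passing the arguments through`. The `[ $? -eq 0 ] || exit $?` that directly follows the changed `msg "Can edit/create/delete list (if domain Owner)"` line, and again after the `(if domain Postmaster)` one, tests the exit status of msg rather than of any ACL check; it looks like a leftover and could be dropped, since the loop below each msg already ends in its own check. Purely stylistic, as it does not affect which ACL cases are exercised.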