From 9c01ed08ac100cfc8a0f5ba3ed197969fafaf6e5 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem.moulin@fripost.org>
Date: Wed, 23 Jan 2013 01:10:30 +0100
Subject: Merged the attributes representing the localpart.

---
 ldap/test-user-acl.sh | 347 +++++++++++++++++++++++++++++---------------------
 1 file changed, 200 insertions(+), 147 deletions(-)

(limited to 'ldap/test-user-acl.sh')

diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 221415c..ee09fc9 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -71,13 +71,13 @@ search () {
 DOMAINS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualDomain" dn | \
           grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+),.*/fvd=\1/')
 USERS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualUser" dn | \
-        grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvu=\1,fvd=\2/')
+        grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/')
 ALIASES=$(search -u  -b "${SUFFIX}" "objectClass=FripostVirtualAlias" dn | \
-          grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fva=\1,fvd=\2/')
+          grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/')
 LISTS=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualList" dn | \
       grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+),.*/fvl=\1,fvd=\2/')
 LISTSC=$(search -u -b "${SUFFIX}" "objectClass=FripostVirtualListCommand" dn | \
-       grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), *([^,]+), *([^,]+),.*/fvlc=\1,fvl=\2,fvd=\3/')
+       grep -i '^ufn: ' | sed -re 's/^ufn: ([^,]+), **([^,]+),.*/fvl=\1,fvd=\2/')
 
 OPERATTRS="structuralObjectClass creatorsName entryUUID createTimestamp entryCSN modifiersName modifyTimestamp"
 
@@ -88,8 +88,9 @@ OPERATTRS="structuralObjectClass creatorsName entryUUID createTimestamp entryCSN
 echo "Anonymous users:"
 
 
-# Anonymous need to bind to any fvu
-msg "Have =xd access to \"userPassword\" attributes"
+# Anonymous need to bind to any user, but shouldn't be able to bind to
+# anything else.
+msg "Have =xd access to \"userPassword\" attributes of users"
 for U in ${USERS}; do
     checkACL "" "${U}" userPassword
 done | isOK '=xd$'
@@ -187,7 +188,6 @@ done | isOK '=0$' entry
 
 ###########################################################################
 
-
 echo
 echo "Authenticated users, access to the base"
 
@@ -199,10 +199,37 @@ usersB () {
 }
 
 
-msg "Have =s access on the base's \"entry\" attribute"
-usersB entry | isOK '=s' entry
+msg "Have =rsd access on the base's \"entry\" attribute"
+usersB entry | isOK '=rsd' entry
+[ $? -eq 0 ] || exit $?
+
+msg "Have =rscd access on the base's \"objectClass\" attribute"
+usersB objectClass | isOK '=rscd' objectClass
 [ $? -eq 0 ] || exit $?
 
+msg "Have =rscd access on the base's \"canAddDomain\" attribute (if member, exact)"
+for U in ${USERS}; do
+    search -s base -b "${SUFFIX}" "(fripostCanAddDomain=${U},${SUFFIX})" | grep -q '^dn: ' && \
+    checkACL "${U}" "" fripostCanAddDomain
+done | isOK '=rscd' fripostCanAddDomain
+[ $? -eq 0 ] || exit $?
+
+msg "Have =rscd access on the base's \"canAddDomain\" attribute (if member, wildcard)"
+for U in ${USERS}; do
+    DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+    search -s base -b "${SUFFIX}" "(fripostCanAddDomain=${DU},${SUFFIX})" | grep -q '^dn: ' && \
+    checkACL "${U}" "" fripostCanAddDomain
+done | isOK '=rscd' fripostCanAddDomain
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access to the base's \"canAddDomain\" attribute (unless member)"
+for U in ${USERS}; do
+    DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+    search -s base -b "${SUFFIX}" "(|(fripostCanAddDomain=${U},${SUFFIX})
+                                     (fripostCanAddDomain=${DU},${SUFFIX}))" | grep -q '^dn: ' || \
+    checkACL "${U}" "" fripostCanAddDomain
+done | isOK '=0' fripostCanAddDomain
+[ $? -eq 0 ] || exit $?
 
 # Needed to create/delete domains.
 msg "Have =w access on the base's \"children\" attribute"
@@ -218,13 +245,22 @@ usersB ${OPERATTRS} | isOK '=0$' entryUUID
 msg "Cannot create children under a pending entry"
 for U in ${USERS}; do
     for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-        search -s base -b "${X},${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
+        search -s base -b "${X},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
         checkACL "${U}" "${X}" children
     done
 done | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 
 
+msg "Cannot add, read or search the pending token"
+for U in ${USERS}; do
+    for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
+        checkACL "${U}" "${X}" fripostPendingToken/add fripostPendingToken/read fripostPendingToken/search
+    done
+done | isOK 'DENIED$' fripostPendingToken add
+[ $? -eq 0 ] || exit $?
+
+
 ###########################################################################
 
 
@@ -239,7 +275,8 @@ echo "Authenticated users, access to domain entries"
 # * children:
 #       =w for all (non-pending entries)
 # * objectClass:
-#       =s for all
+#       =rscd for all
+#       +z for FripostPendingEntry, if owner or postmaster
 # * fvd:
 #       =rscd if children, canAdd{Alias,List}, owner or postmaster
 #       +w if owner or postmaster
@@ -247,8 +284,7 @@ echo "Authenticated users, access to domain entries"
 #       =rscd if children, canAdd{Alias,List}, owner or postmaster
 #       +w if owner or postmaster
 # * fripostPendingToken
-#       =zscd if owner or postmaster
-#       =s for all if there is no pending token
+#       =z if owner or postmaster
 # * fripostCanAddAlias
 #       =rscd if canAddAlias, owner or postmaster
 #       +w if postmaster
@@ -285,37 +321,27 @@ usersD fripostOwner/add fripostOwner/delete \
 [ $? -eq 0 ] || exit $?
 
 
-msg "Have =s rights on the \"pending\" status if absent"
-for U in ${USERS}; do
-    for D in ${DOMAINS}; do
-        search -s base -b "${D},${SUFFIX}" "(!(fripostPendingToken=*))" | grep -q '^dn: ' && \
-        checkACL "${U}" "${D}" fripostPendingToken
-    done
-done | isOK '=s$'
-[ $? -eq 0 ] || exit $?
-
-
 msg "Have =0 rights on the \"pending\" status if present (unless owner or postmaster)"
 for U in ${USERS}; do
     for D in ${DOMAINS}; do
         search -s base -b "${D},${SUFFIX}" "(&(!(|(fripostOwner=${U},${SUFFIX})
                                                   (fripostPostmaster=${U},${SUFFIX})))
-                                              (fripostPendingToken=*))" | grep -q '^dn: ' && \
+                                              (objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" fripostPendingToken
     done
 done | isOK '=0$'
 [ $? -eq 0 ] || exit $?
 
 
-msg "Have =zscd access on the \"pending\" status if present (if owner or postmaster)"
+msg "Have =zcd access on the \"pending\" status if present (if owner or postmaster)"
 for U in ${USERS}; do
     for D in ${DOMAINS}; do
         search -s base -b "${D},${SUFFIX}" "(&(|(fripostOwner=${U},${SUFFIX})
                                                 (fripostPostmaster=${U},${SUFFIX}))
-                                              (fripostPendingToken=*))" | grep -q '^dn: ' && \
+                                              (objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" fripostPendingToken
     done
-done | isOK '=zscd$'
+done | isOK '=zcd$'
 [ $? -eq 0 ] || exit $?
 
 
@@ -324,6 +350,7 @@ msg "Have >=a access to \"entry\" (if CanAddDomain, exact)"
 for U in ${USERS}; do
     for D in ${DOMAINS}; do
         search -s base -b "${SUFFIX}" "fripostCanAddDomain=${U},${SUFFIX}" | grep -q '^dn: ' && \
+        search -s base -b "${D},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" entry/add
     done
 done | isOK 'ALLOWED$' entry add
@@ -336,6 +363,7 @@ for U in ${USERS}; do
     DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
     for D in ${DOMAINS}; do
         search -s base -b "${SUFFIX}" "fripostCanAddDomain=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+        search -s base -b "${D},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" entry/add
     done
 done | isOK 'ALLOWED$' entry add
@@ -358,16 +386,32 @@ done | isOK 'DENIED$' entry add
 msg "Have =w access to \"children\" (for non-pending attributes)"
 for U in ${USERS}; do
     for D in ${DOMAINS}; do
-        search -s base -b "${D},${SUFFIX}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+        search -s base -b "${D},${SUFFIX}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
         checkACL "${U}" "${D}" children
     done
 done | isOK '=w$' children
 [ $? -eq 0 ] || exit $?
 
-msg "Have =s access to \"objectClass\""
-usersD objectClass | isOK '=s' objectClass
+msg "Have =zrscd access to \"objectClass:FripostPendingEntry\" (if owner,postmaster)"
+for U in ${USERS}; do
+    for D in ${DOMAINS}; do
+        search -s base -b "${D},${SUFFIX}" "(&(|(fripostOwner=${U},${SUFFIX})
+                                                (fripostPostmaster=${U},${SUFFIX}))
+                                              (objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
+        checkACL "${U}" "${D}" objectClass:FripostPendingEntry
+    done
+done | isOK '=zrscd$'
+[ $? -eq 0 ] || exit $?
+
+msg "Have =rscd access to \"objectClass\" otherwise"
+for U in ${USERS}; do
+    for D in ${DOMAINS}; do
+        checkACL "${U}" "${D}" objectClass
+    done
+done | isOK '=rscd$'
 [ $? -eq 0 ] || exit $?
 
+
 msg "Have >=s access on \"entry\", \"fripostOwner\" and \"fripostPostmaster\""
 usersD entry/search fripostOwner/search fripostPostmaster/search | isOK 'ALLOWED$' entry
 [ $? -eq 0 ] || exit $?
@@ -406,7 +450,7 @@ ATTRSA="fripostOwner/read fripostOwner/compare
 msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddAlias, exact)"
 for U in ${USERS}; do
     for D in ${DOMAINS}; do
-        search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
+        search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${U},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA}
     done
 done | isOK 'ALLOWED$' children
@@ -418,7 +462,7 @@ msg "Have >=rscd to the public attributes and >=a to \"children\" (if CanAddAlia
 for U in ${USERS}; do
     DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
     for D in ${DOMAINS}; do
-        search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${DU},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
+        search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddAlias=${DU},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSA}
     done
 done | isOK 'ALLOWED$' children
@@ -432,7 +476,7 @@ ATTRSL="fripostOwner/read fripostOwner/compare
 msg "Have >=rscd access to the public attributes and >=a to \"children\" (if CanAddList, exact)"
 for U in ${USERS}; do
     for D in ${DOMAINS}; do
-        search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
+        search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${U},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL}
     done
 done | isOK 'ALLOWED$' children
@@ -444,7 +488,7 @@ msg "Have >=rscd access to the public attributes and >=a to \"children\" (if Can
 for U in ${USERS}; do
     DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
     for D in ${DOMAINS}; do
-        search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${DU},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
+        search -s base -b "${D},${SUFFIX}" "(&(fripostCanAddList=${DU},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" children/add ${ATTRS0} ${ATTRSL}
     done
 done | isOK 'ALLOWED$' children
@@ -463,7 +507,7 @@ ATTRSO="entry/delete
         description/add description/delete"
 for U in ${USERS}; do
     for D in ${DOMAINS}; do
-        search -s base -b "${D},${SUFFIX}" "(&(fripostOwner=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
+        search -s base -b "${D},${SUFFIX}" "(&(fripostOwner=${U},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO}
     done
 done | isOK 'ALLOWED$' children
@@ -479,7 +523,7 @@ ATTRSP="fripostCanAddAlias/add fripostCanAddAlias/delete
         fripostCanAddList/add fripostCanAddList/delete"
 for U in ${USERS}; do
     for D in ${DOMAINS}; do
-        search -s base -b "${D},${SUFFIX}" "(&(fripostPostmaster=${U},${SUFFIX})(!(fripostPendingToken=*)))" | grep -q '^dn: ' && \
+        search -s base -b "${D},${SUFFIX}" "(&(fripostPostmaster=${U},${SUFFIX})(!(objectClass=FripostPendingEntry)))" | grep -q '^dn: ' && \
         checkACL "${U}" "${D}" children/write ${ATTRS0} ${ATTRSA} ${ATTRSL} ${ATTRSO} ${ATTRSP}
     done
 done | isOK 'ALLOWED$' children
@@ -587,8 +631,8 @@ echo "Authenticated users, access to user entries"
 # * children:
 #       =0 for all
 # * objectClass:
-#       =s for all
-# * fvu:
+#       =rscd for all
+# * fvl:
 #       =wrscd if account owner or domain postmaster
 # * userPassword:
 #       =w if account owner or domain postmaster
@@ -608,7 +652,7 @@ usersU () {
 }
 
 # They would need write access to their fripostUserQuota.
-# In practice they can't write fvu either, since it's single valued.
+# In practice they can't write fvl either, since it's single valued.
 msg "Have =rscd access to their \"fripostUserQuota\""
 usersU fripostUserQuota | isOK '=rscd$'
 [ $? -eq 0 ] || exit $?
@@ -618,20 +662,20 @@ usersU userPassword | isOK '=w$'
 [ $? -eq 0 ] || exit $?
 
 msg "Have =wrscd access to the other attributes of their own entry"
-usersU fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu
+usersU fvl fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvl
 [ $? -eq 0 ] || exit $?
 
 msg "Have >=rsd access to the \"entry\" attribute of their own entry"
-usersU entry/read entry/search entry/disclose fvu/read \
-    | isOK 'ALLOWED$' fvu # fvu is useless here, but it's just to get the count
+usersU entry/read entry/search entry/disclose fvl/read \
+    | isOK 'ALLOWED$' fvl # fvl is useless here, but it's just to get the count
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access to their \"children\" and operational attributes"
 usersU children ${OPERATTRS} | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 
-msg "Have =s access to \"objectClass\""
-usersD objectClass | isOK '=s' objectClass
+msg "Have =rscd access to \"objectClass\""
+usersD objectClass | isOK '=rscd' objectClass
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access to other user entries (unless Postmaster)"
@@ -641,7 +685,7 @@ for U1 in ${USERS}; do
         [ "x${U1}" = "x${U2}" ] || \
         search -s base -b "${D2},${SUFFIX}" "(fripostPostmaster=${U1},${SUFFIX})" | grep -q '^dn: ' || \
         checkACL "${U1}" "${U2}" entry children \
-                                 fvu userPassword \
+                                 fvl userPassword \
                                  fripostIsStatusActive \
                                  fripostUserQuota \
                                  fripostOptionalMaildrop \
@@ -671,7 +715,7 @@ usersP userPassword | isOK '=w$'
 [ $? -eq 0 ] || exit $?
 
 msg "Have =wrscd access to the other attributes of their users' entry (if Postmaster)"
-usersP fvu fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvu
+usersP fvl fripostIsStatusActive fripostOptionalMaildrop description | isOK '=wrscd$' fvl
 [ $? -eq 0 ] || exit $?
 
 # "+a" is needed to create new accounts. "+z" would be required to
@@ -698,8 +742,8 @@ echo "Authenticated users, access to alias entries"
 # * children:
 #       =0 for all
 # * objectClass:
-#       =s for all
-# * fva:
+#       =rscd for all
+# * fvl:
 #       =wrscd if alias owner, domain owner or domain postmaster
 # * fripostMaildrop:
 #       =wrscd if alias owner, domain owner or domain postmaster
@@ -730,13 +774,13 @@ msg "Have =0 access to the \"children\" and operational attributes"
 usersA children ${OPERATTRS} | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 
-msg "Have =s access to \"objectClass\""
-usersD objectClass | isOK '=s' objectClass
+msg "Have =rscd access to \"objectClass\""
+usersD objectClass | isOK '=rscd' objectClass
 [ $? -eq 0 ] || exit $?
 
 
 ATTRS="entry/delete entry/read entry/disclose
-       fva/write fva/read fva/search fva/compare fva/disclose
+       fvl/write fvl/read fvl/search fvl/compare fvl/disclose
        fripostMaildrop/add fripostMaildrop/delete fripostMaildrop/read fripostMaildrop/search fripostMaildrop/compare fripostMaildrop/disclose
        fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose
        fripostOwner/read fripostOwner/compare fripostOwner/disclose
@@ -853,14 +897,14 @@ echo "Authenticated users, access to list entries"
 #       +rd if list owner, domain owner or domain postmaster
 # * children:
 #       =0 for all
+# * objectClass
+#       =rscd for all
 # * fvl:
 #       =wrscd if list owner, domain owner or domain postmaster
 # * fripostListManager:
 #       =rscd if list owner, domain owner or domain postmaster
 # * fripostIsStatusActive:
 #       =wrscd if list owner, domain owner or domain postmaster
-# * fripostPendingToken:
-#       =scd if list owner, domain owner or domain postmaster
 # * fripostOwner:
 #       =d for all
 #       +rsc if list owner, domain owner or domain postmaster
@@ -896,10 +940,10 @@ done | isOK 'DENIED$' fripostListManager
 [ $? -eq 0 ] || exit $?
 
 
-msg "Cannot read or delete the pending status; Cannot delete entry"
+msg "Cannot delete entry or the pending status"
 for U in ${USERS}; do
     for L in ${LISTS}; do
-        checkACL "${U}" "${L}" fripostPendingToken/read fripostPendingToken/add fripostPendingToken/delete entry/delete
+        checkACL "${U}" "${L}" objectClass/delete:FripostPendingEntry entry/delete
     done
 done | isOK 'DENIED$' entry
 [ $? -eq 0 ] || exit $?
@@ -909,7 +953,6 @@ ATTRS="entry/read entry/disclose
        fvl/write fvl/read fvl/search fvl/compare fvl/disclose
        fripostListManager/read fripostListManager/search fripostListManager/compare fripostListManager/disclose
        fripostIsStatusActive/write fripostIsStatusActive/read fripostIsStatusActive/search fripostIsStatusActive/compare fripostIsStatusActive/disclose
-       fripostPendingToken/search fripostPendingToken/compare fripostPendingToken/disclose
        fripostOwner/read fripostOwner/compare fripostOwner/disclose
        description/add description/delete description/read description/compare description/disclose"
 ATTRS2="fripostOwner/add fripostOwner/delete"
@@ -924,25 +967,51 @@ done | isOK 'ALLOWED$' entry read
 [ $? -eq 0 ] || exit $?
 
 
-msg "Can edit/create list (if domain Owner)"
+msg "Can edit list (if domain Owner)"
+[ $? -eq 0 ] || exit $?
+for U in ${USERS}; do
+    for L in ${LISTS}; do
+        DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+        search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
+        checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2}
+    done
+done | isOK 'ALLOWED$' entry read
+[ $? -eq 0 ] || exit $?
+
+
+msg "Can edit list (if domain Postmaster)"
+[ $? -eq 0 ] || exit $?
+for U in ${USERS}; do
+    for L in ${LISTS}; do
+        DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+        search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
+        checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2}
+    done
+done | isOK 'ALLOWED$' entry read
+[ $? -eq 0 ] || exit $?
+
+
+msg "Can create list (if domain Owner)"
 [ $? -eq 0 ] || exit $?
 for U in ${USERS}; do
     for L in ${LISTS}; do
         DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
         search -s base -b "${DL},${SUFFIX}" "fripostOwner=${U},${SUFFIX}" | grep -q '^dn: ' && \
-        checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add
+        search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+        checkACL "${U}" "${L}" entry/add
     done
 done | isOK 'ALLOWED$' entry add
 [ $? -eq 0 ] || exit $?
 
 
-msg "Can edit/create list (if domain Postmaster)"
+msg "Can create list (if domain Postmaster)"
 [ $? -eq 0 ] || exit $?
 for U in ${USERS}; do
     for L in ${LISTS}; do
         DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
         search -s base -b "${DL},${SUFFIX}" "fripostPostmaster=${U},${SUFFIX}" | grep -q '^dn: ' && \
-        checkACL "${U}" "${L}" ${ATTRS} ${ATTRS2} entry/add
+        search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
+        checkACL "${U}" "${L}" entry/add
     done
 done | isOK 'ALLOWED$' entry add
 [ $? -eq 0 ] || exit $?
@@ -954,6 +1023,7 @@ for U in ${USERS}; do
     for L in ${LISTS}; do
         DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
         search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${U},${SUFFIX}" | grep -q '^dn: ' && \
+        search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
         checkACL "${U}" "${L}" entry/add
     done
 done | isOK 'ALLOWED$' entry
@@ -967,6 +1037,7 @@ for U in ${USERS}; do
     for L in ${LISTS}; do
         DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
         search -s base -b "${DL},${SUFFIX}" "fripostCanAddList=${DU},${SUFFIX}" | grep -q '^dn: ' && \
+        search -s base -b "${L},${SUFFIX}" "objectClass=FripostPendingEntry" | grep -q '^dn: ' && \
         checkACL "${U}" "${L}" entry/add
     done
 done | isOK 'ALLOWED$' entry
@@ -978,10 +1049,11 @@ for U in ${USERS}; do
     DU="$(echo "${U}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
     for L in ${LISTS}; do
         DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
-        search -s base -b "${DL},${SUFFIX}" "(|(fripostCanAddList=${U},${SUFFIX})
-                                                (fripostCanAddList=${DU},${SUFFIX})
-                                                (fripostOwner=${U},${SUFFIX})
-                                                (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
+        search -s base -b "${DL},${SUFFIX}" "(!(|(fripostCanAddList=${U},${SUFFIX})
+                                                 (fripostCanAddList=${DU},${SUFFIX})
+                                                 (fripostOwner=${U},${SUFFIX})
+                                                 (fripostPostmaster=${U},${SUFFIX})))" | grep -q '^dn: ' || \
+        search -s base -b "${L},${SUFFIX}" "(!(objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
         checkACL "${U}" "${L}" entry/add
     done
 done | isOK 'DENIED$' entry
@@ -990,11 +1062,11 @@ done | isOK 'DENIED$' entry
 
 msg "Cannot manage ownership (unless domain owner/domain postmaster)"
 for U in ${USERS}; do
-    for A in ${ALIASES}; do
-        DA="$(echo "${A}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
-        search -s base -b "${DA},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
+    for L in ${LISTS}; do
+        DL="$(echo "${L}" | sed -re 's/.*,(fvd=[^,]+)$/\1/')"
+        search -s base -b "${DL},${SUFFIX}" "(|(fripostOwner=${U},${SUFFIX})
                                                (fripostPostmaster=${U},${SUFFIX}))" | grep -q '^dn: ' || \
-        checkACL "${U}" "${A}" ${ATTRS2}
+        checkACL "${U}" "${L}" ${ATTRS2}
     done
 done | isOK 'DENIED$' fripostOwner add
 [ $? -eq 0 ] || exit $?
@@ -1017,7 +1089,7 @@ for U in ${USERS}; do
     for LC in ${LISTSC}; do
         checkACL "${U}" "${LC}"
     done
-done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry
+done | grep -Ev '^objectClass=' | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 
@@ -1031,25 +1103,18 @@ echo "Service Postfix"
 
 msg "Have =0 access on non-active or pending entries"
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-    search -s base -b "${X},${SUFFIXV}" "(|(fripostIsStatusActive=TRUE)(fripostPendingToken=*))" | grep -q '^dn: ' && \
+    search -s base -b "${X},${SUFFIXV}" "(|(fripostIsStatusActive=TRUE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' && \
     checkACL "cn=Postfix" "${D}"
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Can read and search the domain attributes it needs"
 for D in ${DOMAINS}; do
-    search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${D}" entry fvd fripostOptionalMaildrop
+    search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+    checkACL "cn=Postfix" "${D}" entry objectClass fvd fripostOptionalMaildrop
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Can search the domain attributes it needs"
-for D in ${DOMAINS}; do
-    search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${D}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
 msg "Have =0 access on other domain attributes"
 for D in ${DOMAINS}; do
     checkACL "cn=Postfix" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken fripostIsStatusActive
@@ -1058,18 +1123,11 @@ done | isOK '=0$' children
 
 msg "Can read and search the user attributes it needs"
 for U in ${USERS}; do
-    search -s base -b "${U},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${U}" entry fvu fripostOptionalMaildrop
+    search -s base -b "${U},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+    checkACL "cn=Postfix" "${U}" entry objectClass fvl fripostOptionalMaildrop
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Can search the user attributes it needs"
-for U in ${USERS}; do
-    search -s base -b "${U},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${U}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
 msg "Have =0 access on other user attributes"
 for U in ${USERS}; do
     checkACL "cn=Postfix" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description fripostIsStatusActive
@@ -1078,18 +1136,11 @@ done | isOK '=0$' children
 
 msg "Can read and search the alias attributes it needs"
 for A in ${ALIASES}; do
-    search -s base -b "${A},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${A}" entry fva fripostMaildrop
+    search -s base -b "${A},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+    checkACL "cn=Postfix" "${A}" entry objectClass fvl fripostMaildrop
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Can search the alias attributes it needs"
-for A in ${ALIASES}; do
-    search -s base -b "${A},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${A}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
 msg "Have =0 access on other alias attributes"
 for A in ${ALIASES}; do
     checkACL "cn=Postfix" "${A}" children ${OPERATTRS} fripostOwner description fripostIsStatusActive
@@ -1098,18 +1149,11 @@ done | isOK '=0$' children
 
 msg "Can read and search the list attributes it needs"
 for L in ${LISTS}; do
-    search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${L}" entry fvl fripostLocalAlias
+    search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+    checkACL "cn=Postfix" "${L}" entry objectClass fvl fripostLocalAlias
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Can search the list attributes it needs"
-for L in ${LISTS}; do
-    search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \
-    checkACL "cn=Postfix" "${L}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
 msg "Have =0 access on other list attributes"
 for L in ${LISTS}; do
     checkACL "cn=Postfix" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description fripostIsStatusActive fripostPendingToken
@@ -1118,16 +1162,11 @@ done | isOK '=0$' children
 
 msg "Can read and search the list command attributes it needs"
 for LC in ${LISTSC}; do
-    checkACL "cn=Postfix" "${LC}" entry fvlc fripostLocalAlias
+    search -s base -b "${LC},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
+    checkACL "cn=Postfix" "${LC}" entry objectClass fvl fripostLocalAlias
 done | isOK '=rsd$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Can search the list command attributes it needs"
-for LC in ${LISTSC}; do
-    checkACL "cn=Postfix" "${LC}" objectClass
-done | isOK '=s$' objectClass
-[ $? -eq 0 ] || exit $?
-
 msg "Have =0 access on other list command attributes"
 for LC in ${LISTSC}; do
     checkACL "cn=Postfix" "${LC}" children ${OPERATTRS}
@@ -1142,38 +1181,53 @@ echo "Service CreateList"
 
 msg "Have =0 access on domain attributes"
 for D in ${DOMAINS}; do
-    checkACL "cn=CreateList" "${D}" entry children ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken
+    checkACL "cn=CreateList" "${D}" entry ${OPERATTRS} fvd fripostIsStatusActive fripostOptionalMaildrop fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on user attributes"
 for U in ${USERS}; do
-    checkACL "cn=CreateList" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
+    checkACL "cn=CreateList" "${U}" entry children ${OPERATTRS} fvl userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on alias attributes"
 for A in ${ALIASES}; do
-    checkACL "cn=CreateList" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
+    checkACL "cn=CreateList" "${A}" entry children ${OPERATTRS} fvl fripostMaildrop fripostIsStatusActive fripostOwner description
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
-msg "Have =zsd access on lists' pending status"
+msg "Can remove the 'pending' status on lists"
+for L in ${LISTS}; do
+    search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
+    checkACL "cn=CreateList" "${L}" objectClass/delete:FripostPendingEntry fripostPendingToken/delete
+done | isOK 'ALLOWED$'
+[ $? -eq 0 ] || exit $?
+
+msg "Cannot create a 'pending' satus"
 for L in ${LISTS}; do
-    checkACL "cn=CreateList" "${L}" fripostPendingToken
-done | isOK '=zsd$'
+    search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+    checkACL "cn=CreateList" "${L}" objectClass/delete:FripostPendingEntry fripostPendingToken/delete
+done | isOK 'DENIED$'
 [ $? -eq 0 ] || exit $?
 
+msg "Have =rscd access on objectClass"
+for L in ${LISTS}; do
+    search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
+    checkACL "cn=CreateList" "${L}" objectClass
+done | isOK '=rscd$'
+
 msg "Have =rsd access on lists' entry attribute"
 for L in ${LISTS}; do
+    search -s base -b "${L},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
     checkACL "cn=CreateList" "${L}" entry
 done | isOK '=rsd$'
 [ $? -eq 0 ] || exit $?
 
-msg "Have =a access on lists' children attribute"
-for L in ${LISTS}; do
-    search -s base -b "${L},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
-    checkACL "cn=CreateList" "${L}" children
+msg "Have =a access on domains' children attribute"
+for D in ${DOMAINS}; do
+    search -s base -b "${D},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+    checkACL "cn=CreateList" "${D}" children
 done | isOK '=a$'
 [ $? -eq 0 ] || exit $?
 
@@ -1191,7 +1245,7 @@ done | isOK '=a$'
 
 msg "Have =0 access on other list command attributes"
 for LC in ${LISTSC}; do
-    checkACL "cn=CreateList" "${LC}" children ${OPERATTRS} fvlc fripostLocalAlias
+    checkACL "cn=CreateList" "${LC}" children ${OPERATTRS} fvl fripostLocalAlias
 done | isOK '=0$' children
 [ $? -eq 0 ] || exit $?
 
@@ -1201,17 +1255,16 @@ done | isOK '=0$' children
 echo
 echo "Service DeletePendingEntries"
 
-msg "Have =z access on the \"children\" attribute of non-pending entries"
+msg "Have =z access on the \"children\" attribute"
 (checkACL "cn=DeletePendingEntries" "" children
-for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-    search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
-    checkACL "cn=DeletePendingEntries" "${X}" children
-done) | isOK '=z$' children
+ for D in ${DOMAINS}; do
+    checkACL "cn=DeletePendingEntries" "${D}" children
+ done) | isOK '=z$' children
 [ $? -eq 0 ] || exit $?
 
 msg "Have =zrsd access on the \"entry\" attribute of pending entries"
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-    search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
+    search -s base -b "${X},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
     checkACL "cn=DeletePendingEntries" "${X}" entry
 done | isOK '=zrsd$' entry
 [ $? -eq 0 ] || exit $?
@@ -1219,29 +1272,29 @@ done | isOK '=zrsd$' entry
 msg "Have =s access on the \"entry\" attribute of non-pending entries"
 (checkACL "cn=DeletePendingEntries" "" entry
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-    search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
+    search -s base -b "${X},${SUFFIXV}" "(|(objectClass=FripostVirtualListCommand)(objectClass=FripostPendingEntry))" | grep -q '^dn: ' || \
     checkACL "cn=DeletePendingEntries" "${X}" entry
 done) | isOK '=s$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Have =s access on the attributes it needs on pending entries"
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-    search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \
-    checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken
-done | isOK '=s$' fripostPendingToken
+    search -s base -b "${X},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' && \
+    checkACL "cn=DeletePendingEntries" "${X}" createTimestamp
+done | isOK '=s$' createTimestamp
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access these attributes for non-pending entries"
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
-    search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \
-    checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken
-done | isOK '=0$' fripostPendingToken
+    search -s base -b "${X},${SUFFIXV}" "(objectClass=FripostPendingEntry)" | grep -q '^dn: ' || \
+    checkACL "cn=DeletePendingEntries" "${X}" createTimestamp
+done | isOK '=0$' createTimestamp
 [ $? -eq 0 ] || exit $?
 
-msg "Have =s access on the object class"
+msg "Have =rscd access on objectClass"
 for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do
     checkACL "cn=DeletePendingEntries" "${X}" objectClass
-done | isOK '=s$' objectClass
+done | isOK '=rscd$' objectClass
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other domain attributes"
@@ -1252,14 +1305,14 @@ done | isOK '=0$' fvd
 
 msg "Have =0 access on other user attributes"
 for U in ${USERS}; do
-    checkACL "cn=DeletePendingEntries" "${U}" fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
-done | isOK '=0$' fvu
+    checkACL "cn=DeletePendingEntries" "${U}" fvl userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
+done | isOK '=0$' fvl
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other alias attributes"
 for A in ${ALIASES}; do
-    checkACL "cn=DeletePendingEntries" "${A}" fva fripostMaildrop fripostIsStatusActive fripostOwner description
-done | isOK '=0$' fva
+    checkACL "cn=DeletePendingEntries" "${A}" fvl fripostMaildrop fripostIsStatusActive fripostOwner description
+done | isOK '=0$' fvl
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on other list attributes"
@@ -1270,8 +1323,8 @@ done | isOK '=0$' fvl
 
 msg "Have =0 access on other list command attributes"
 for LC in ${LISTSC}; do
-    checkACL "cn=AdminWebPanel" "${LC}" fvlc fripostLocalAlias
-done | isOK '=0$' fvlc
+    checkACL "cn=AdminWebPanel" "${LC}" fvl fripostLocalAlias
+done | isOK '=0$' fvl
 [ $? -eq 0 ] || exit $?
 
 
@@ -1288,13 +1341,13 @@ done | isOK '=0$' entry
 
 msg "Have =0 access on user attributes"
 for U in ${USERS}; do
-    checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvu userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
+    checkACL "cn=AdminWebPanel" "${U}" entry children ${OPERATTRS} fvl userPassword fripostIsStatusActive fripostUserQuota fripostOptionalMaildrop description
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
 msg "Have =0 access on alias attributes"
 for A in ${ALIASES}; do
-    checkACL "cn=AdminWebPanel" "${A}" entry children ${OPERATTRS} fva fripostMaildrop fripostIsStatusActive fripostOwner description
+    checkACL "cn=AdminWebPanel" "${A}" entry children ${OPERATTRS} fvl fripostMaildrop fripostIsStatusActive fripostOwner description
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
@@ -1306,7 +1359,7 @@ done | isOK '=0$' entry
 
 msg "Have =0 access on list command attributes"
 for LC in ${LISTSC}; do
-    checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvlc fripostLocalAlias
+    checkACL "cn=AdminWebPanel" "${LC}" entry children ${OPERATTRS} fvl fripostLocalAlias
 done | isOK '=0$' entry
 [ $? -eq 0 ] || exit $?
 
-- 
cgit v1.2.3