From 48d39ff63e2bfa2bdb7759bc4a99f69778d5ee22 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Tue, 22 Jan 2013 01:41:47 +0100 Subject: Reorganized the ACL. --- ldap/acl.ldif | 190 +++++++++++++++++++++++--------------------------- ldap/base.ldif | 5 +- ldap/test-user-acl.sh | 60 ++++++++++------ 3 files changed, 130 insertions(+), 125 deletions(-) (limited to 'ldap') diff --git a/ldap/acl.ldif b/ldap/acl.ldif index 3cbbd24..eef10a9 100644 --- a/ldap/acl.ldif +++ b/ldap/acl.ldif @@ -24,147 +24,112 @@ dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcAccess # -# Services have read access to the attribute they need. We put this ACL -# first as it's likely to be the most used. -# TODO: for postfix, it'd be more efficient and more secure to SASL-bind -# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8. -# TODO: IMAP, SASLauth, Amavis -# TODO: if possible, make use GSSAPI/EXTERNAL for the services. +######################################################################## +# Most common services: Postfix, Amavis, SASLauth, Dovecot +# (Most used ACLs are cheaper when written first.) +# +# Everyone can search the objectclass olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias - filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand)) - by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd - by users =0 break + attrs=objectClass + by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =s + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =s # +# Postfix have read access to the attribute they need. olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=objectClass,fripostPendingToken,fripostIsStatusActive - filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand)) - by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd + attrs=entry,fvd,fvu,fva,fvl,fvlc,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias + filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(fripostIsStatusActive=FALSE))(!(fripostPendingToken=*))) + by dn.exact="cn=SMTP,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd by users =0 break # -#olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" -# attrs=entry,objectClass,fripostIsStatusActive,fripostPendingToken,fvu,@amavisAccount -# filter=(&(objectClass=FripostVirtualUser)(objectClass=amavisAccount)(fripostIsStatusActive=TRUE)(fripostPendingToken=FALSE)) -# by dn.exact="gidNumber=113+uidNumber=116,cn=peercred,cn=external,cn=auth" =rsd -# by users =0 break -# # Anonymous can authenticate into the services. (But not read or write the password.) olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev" attrs=userPassword by realanonymous =xd # # That's necessary for SASL proxy Authorize the web application. -olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=dev" +olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=dev" attrs=entry,objectClass,authzTo by realanonymous =x # -# 1. Managers have read/write access to the "virtual" subtree. -# 2. The list creator needs further access. -# 3. Other services have no access other than the one above. -# 4,5. Other users need further access. -olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break - by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 - by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break - by anonymous =0 break -# -# 1. Users can change their password (but not read it). -# 2. Anonymous users can bind. -# 3. Else, we inspect the 2 following ACLs. -olcAccess: to dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - attrs=userPassword - by realself =w - by anonymous =xd - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =0 break -# -# The postmaster of a domain can change (replace) his/her users' password (but not read it). +# 1. Anonymous users can bind. +# 2. Users can change their password (but not read it). +# 3. The postmaster of a domain can change (replace) his/her users' password (but not read it). olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=userPassword + by realanonymous =xd + by realself =w by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w + by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd # -# No permission on the userPassword attribute for other users. -# (That's a catch-all, just to be sure that services, etc. cannot read the passwords). -olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" - attrs=userPassword - by * =0 # -# 1. Users can search (e.g., to list the entries they have created). -# 2. So can the list creator. -olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=objectClass - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =s - by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s +######################################################################## +# Virtual subtree, general access # -# 1. Users can search (e.g., to list the entries they have created). -# 2. Additional permissions may be added later on. +# 1,2. Services that need particular access on the tree. +# 3. Other users need further access. +# 4. Managers have read/write access to the "virtual" subtree. +# 5. Other services have no access other than the one above. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - attrs=entry,fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break -# -# Noone may create children under a pending entry. This is important -# since otherwise we couldn't delete old pending entries -# non-recursively. -olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" - filter=(fripostPendingToken=*) - attrs=children - by * =0 + by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break + by dn.regex="^fvu=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" =0 break + by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=dev" =wrscd + by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 # # Our service can list and delete (old) pending entries. olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" filter=(fripostPendingToken=*) attrs=entry by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =zrd break - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break + by dn.children="o=mailHosting,dc=fripost,dc=dev" =0 break # # Our service can search anywhere in the tree (for old pending entries). olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=entry - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +s - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +s break + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" +s + by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break # # Our service needs to have 'z' access on the 'children' of the parent of the entry that is # to be deleted. (And 'z' access of the 'entry' attribute of this entry.) olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=children by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z - by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break + by dn.children="o=mailHosting,dc=fripost,dc=dev" =0 break # # Our service needs search access to list (old) pending entries. -olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" filter=(fripostPendingToken=*) attrs=createTimestamp,fripostPendingToken - by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =sd - by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" +0 break - by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 break + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =s + by dn.children="o=mailHosting,dc=fripost,dc=dev" +0 break +# +# Users can search (e.g., to list the entries they have created). +olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" + attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList + by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s break +# # -# Everyone can create/delete domains. (Provided s/he has +a/+z access to the +######################################################################## +# Virtual subtree, domains +# +# 1. Everyone can create/delete domains. (Provided s/he has +a/+z access to the # "entry" attribute of the domains s/he wants to delete.) +# 2. The relevant service can delete (old) pending entries. olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=children by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =w + by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=dev" =z # -# Reserved local parts are reserved. /!\ The case must be insensitive -# - postmaster: RFC 822, appendix C.6 -# - abuse: RFC 2142, section 4 -olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - by * =0 -# -# Everyone can check for the non-presence of the 'pending' status. +# Everyone can check for the absence of a 'pending' status. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*))) attrs=fripostPendingToken by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" =s # -# Only the domain Postmasters and Owners can search the unlock token and delete the -# 'pending' status (but not read). +# Only the domain Postmasters and Owners can search the unlock token and delete +# the 'pending' status (but not read). olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=FripostVirtualDomain) attrs=fripostPendingToken @@ -222,11 +187,13 @@ olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" by dnattr=fripostPostmaster =wrscd by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # -# Everyone can add or delete children, but we will be carefull with the -# kid's "entry" attribute, which require +a and +z to add and delete -# respectively. +# Everyone can add or delete children, but we will be carefull with +# the kid's "entry" attribute, which require +a and +z to add and delete +# respectively. Note that it is forbidden add a child under a pending +# entry; This is important since otherwise we couldn't delete pending +# entry non-recursively. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" - filter=(objectClass=FripostVirtualDomain) + filter=(&(objectClass=FripostVirtualDomain)(!(fripostPendingToken=*))) attrs=children by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +w # @@ -245,7 +212,17 @@ olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$ by set.exact="(this/fripostCanAddAlias | this/fripostCanAddList) & (user | user/-1)" +rd by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # -# Noone (but the managers) can change quotas. +# Reserved local parts are reserved. /!\ The case must be insensitive +# - postmaster: RFC 822, appendix C.6 +# - abuse: RFC 2142, section 4 +olcAccess: to dn.regex="^(fvu|fva|fvl)=(postmaster|abuse),fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" + by * =0 +# +# +######################################################################## +# Virtual subtree, users +# +# Users and their postmaster can read the quota (but not change it). olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=fripostUserQuota @@ -260,14 +237,19 @@ olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by self =wrscd by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =wrscd # -# 1. Postmasters can create users (but not delete them). +# 1. Users can read their entry (but not delete it). +# 2. Postmasters can create users (but not delete them). # (Provided that they have +a access to the parent's "children" attribute.) -# 2. Users can read their entry (but not delete it). olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=entry - by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard by self +rd + by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard + by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=dev" =0 break +# +# +######################################################################## +# Virtual subtree, aliases # # 1. The alias owner can list the ownership of the entry. # 2. The domain owner can add/delete/change the ownership of the entry. @@ -304,6 +286,10 @@ olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by set.exact="this/-1/fripostCanAddAlias & (user | user/-1)" +a by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 # +# +######################################################################## +# Virtual subtree, lists +# # 1. The list owner can list the ownership of the entry. # 2. The domain owner can add/delete/change the ownership of the entry. # 3. So can the domain postmasters. @@ -325,8 +311,7 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by group/fripostVirtualDomain/fripostOwner.expand="$1" =rscd by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =rscd # -# 1,2,3. The list owner and the domain Owner and Postmaster can search -# (but not read) the 'pending' token. +# 1,2,3. The list owner and the domain Owner and Postmaster can search the 'pending' token. # 4. The list creator can remove the "pending" flag. # (We don't need to limit the search to presence only here, since when present the value is # always 'TRUE') @@ -364,9 +349,9 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =rsd # -# The List Creator can add list commands. +# The List Creator can add list commands under non-pending lists. olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev" - filter=(objectClass=FripostVirtualList) + filter=(&(objectClass=FripostVirtualList)(!(fripostPendingToken=*))) attrs=children by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a # @@ -376,6 +361,9 @@ olcAccess: to dn.regex="^fvlc=[^,]+,fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting attrs=entry by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=dev" =a # -# Catch the "break" control above. +# +######################################################################## +# Catchall +# olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=dev" +0 diff --git a/ldap/base.ldif b/ldap/base.ldif index 525fca6..e1a14fd 100644 --- a/ldap/base.ldif +++ b/ldap/base.ldif @@ -22,7 +22,10 @@ fripostCanAddDomain: fvu=test,fvd=fripost.org,ou=virtual,o=mailHosting,dc=fripos fripostCanAddDomain: fvu=bigbrother,fvd=postmastered.org,ou=virtual,o=mailHosting,dc=fripost,dc=dev description: Virtual mail hosting - +# TODO: for postfix, it'd be more efficient and more secure to SASL-bind +# on a UNIX socket (EXTERNAL mechanism); wait for Postfix 2.8. +# TODO: IMAP, SASLauth, Amavis +# TODO: if possible, make use GSSAPI/EXTERNAL for the services. dn: ou=services,o=mailHosting,dc=fripost,dc=dev objectClass: organizationalUnit diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh index 648f9c6..3e53b48 100755 --- a/ldap/test-user-acl.sh +++ b/ldap/test-user-acl.sh @@ -1024,94 +1024,108 @@ done | grep -Ev '^(objectClass|creatorsName)=' | isOK '=0$' entry ########################################################################### -SUFFIX0="${SUFFIX}" SUFFIX="${SUFFIXS}" echo echo "Service SMTP" +msg "Have =0 access on non-active or pending entries" +for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do + search -s base -b "${X},${SUFFIXV}" "(|(fripostIsStatusActive=TRUE)(fripostPendingToken=*))" | grep -q '^dn: ' && \ + checkACL "cn=SMTP" "${D}" +done | isOK '=0$' entry +[ $? -eq 0 ] || exit $? + msg "Can read and search the domain attributes it needs" for D in ${DOMAINS}; do + search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \ checkACL "cn=SMTP" "${D}" entry fvd fripostOptionalMaildrop done | isOK '=rsd$' entry [ $? -eq 0 ] || exit $? msg "Can search the domain attributes it needs" for D in ${DOMAINS}; do - checkACL "cn=SMTP" "${D}" objectClass fripostPendingToken fripostIsStatusActive -done | isOK '=sd$' objectClass + search -s base -b "${D},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \ + checkACL "cn=SMTP" "${D}" objectClass +done | isOK '=s$' objectClass [ $? -eq 0 ] || exit $? msg "Have =0 access on other domain attributes" for D in ${DOMAINS}; do - checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description + checkACL "cn=SMTP" "${D}" children ${OPERATTRS} fripostCanAddAlias fripostCanAddList fripostOwner fripostPostmaster description fripostPendingToken fripostIsStatusActive done | isOK '=0$' children [ $? -eq 0 ] || exit $? msg "Can read and search the user attributes it needs" for U in ${USERS}; do + search -s base -b "${U},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \ checkACL "cn=SMTP" "${U}" entry fvu fripostOptionalMaildrop done | isOK '=rsd$' entry [ $? -eq 0 ] || exit $? msg "Can search the user attributes it needs" for U in ${USERS}; do - checkACL "cn=SMTP" "${U}" objectClass fripostIsStatusActive -done | isOK '=sd$' objectClass + search -s base -b "${U},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \ + checkACL "cn=SMTP" "${U}" objectClass +done | isOK '=s$' objectClass [ $? -eq 0 ] || exit $? msg "Have =0 access on other user attributes" for U in ${USERS}; do - checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description + checkACL "cn=SMTP" "${U}" children ${OPERATTRS} userPassword fripostUserQuota description fripostIsStatusActive done | isOK '=0$' children [ $? -eq 0 ] || exit $? msg "Can read and search the alias attributes it needs" for A in ${ALIASES}; do + search -s base -b "${A},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \ checkACL "cn=SMTP" "${A}" entry fva fripostMaildrop done | isOK '=rsd$' entry [ $? -eq 0 ] || exit $? msg "Can search the alias attributes it needs" for A in ${ALIASES}; do - checkACL "cn=SMTP" "${A}" objectClass fripostIsStatusActive -done | isOK '=sd$' objectClass + search -s base -b "${A},${SUFFIXV}" "(fripostIsStatusActive=FALSE)" | grep -q '^dn: ' || \ + checkACL "cn=SMTP" "${A}" objectClass +done | isOK '=s$' objectClass [ $? -eq 0 ] || exit $? msg "Have =0 access on other alias attributes" for A in ${ALIASES}; do - checkACL "cn=SMTP" "${A}" children ${OPERATTRS} fripostOwner description + checkACL "cn=SMTP" "${A}" children ${OPERATTRS} fripostOwner description fripostIsStatusActive done | isOK '=0$' children [ $? -eq 0 ] || exit $? msg "Can read and search the list attributes it needs" for L in ${LISTS}; do + search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \ checkACL "cn=SMTP" "${L}" entry fvl fripostLocalAlias done | isOK '=rsd$' entry [ $? -eq 0 ] || exit $? msg "Can search the list attributes it needs" for L in ${LISTS}; do - checkACL "cn=SMTP" "${L}" objectClass fripostIsStatusActive fripostPendingToken -done | isOK '=sd$' objectClass + search -s base -b "${L},${SUFFIXV}" "(|(fripostIsStatusActive=FALSE)(fripostPendingToken=*))" | grep -q '^dn: ' || \ + checkACL "cn=SMTP" "${L}" objectClass +done | isOK '=s$' objectClass [ $? -eq 0 ] || exit $? msg "Have =0 access on other list attributes" for L in ${LISTS}; do - checkACL "cn=SMTP" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description + checkACL "cn=SMTP" "${L}" children ${OPERATTRS} fripostListManager fripostOwner description fripostIsStatusActive fripostPendingToken done | isOK '=0$' children [ $? -eq 0 ] || exit $? msg "Can read and search the list command attributes it needs" for LC in ${LISTSC}; do - checkACL "cn=SMTP" "${LC}" entry fvlc + checkACL "cn=SMTP" "${LC}" entry fvlc fripostLocalAlias done | isOK '=rsd$' entry [ $? -eq 0 ] || exit $? msg "Can search the list command attributes it needs" for LC in ${LISTSC}; do checkACL "cn=SMTP" "${LC}" objectClass -done | isOK '=sd$' objectClass +done | isOK '=s$' objectClass [ $? -eq 0 ] || exit $? msg "Have =0 access on other list command attributes" @@ -1158,7 +1172,7 @@ done | isOK '=rsd$' msg "Have =a access on lists' children attribute" for L in ${LISTS}; do - search -s base -b "${L},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + search -s base -b "${L},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ checkACL "cn=CreateList" "${L}" children done | isOK '=a$' [ $? -eq 0 ] || exit $? @@ -1190,14 +1204,14 @@ echo "Service DeletePendingEntries" msg "Have =z access on the \"children\" attribute of non-pending entries" (checkACL "cn=DeletePendingEntries" "" children for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do - search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ checkACL "cn=DeletePendingEntries" "${X}" children done) | isOK '=z$' children [ $? -eq 0 ] || exit $? msg "Have =zrsd access on the \"entry\" attribute of pending entries" for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do - search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \ + search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \ checkACL "cn=DeletePendingEntries" "${X}" entry done | isOK '=zrsd$' entry [ $? -eq 0 ] || exit $? @@ -1205,21 +1219,21 @@ done | isOK '=zrsd$' entry msg "Have =s access on the \"entry\" attribute of non-pending entries" (checkACL "cn=DeletePendingEntries" "" entry for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do - search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ checkACL "cn=DeletePendingEntries" "${X}" entry done) | isOK '=s$' entry [ $? -eq 0 ] || exit $? -msg "Have =sd access on the attributes it needs on pending entries" +msg "Have =s access on the attributes it needs on pending entries" for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do - search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \ + search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' && \ checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken -done | isOK '=sd$' fripostPendingToken +done | isOK '=s$' fripostPendingToken [ $? -eq 0 ] || exit $? msg "Have =0 access these attributes for non-pending entries" for X in ${DOMAINS} ${USERS} ${ALIASES} ${LISTS} ${LISTSC}; do - search -s base -b "${X},${SUFFIX0}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ + search -s base -b "${X},${SUFFIXV}" "(fripostPendingToken=*)" | grep -q '^dn: ' || \ checkACL "cn=DeletePendingEntries" "${X}" createTimestamp fripostPendingToken done | isOK '=0$' fripostPendingToken [ $? -eq 0 ] || exit $? -- cgit v1.2.3