# Load this file with # # ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif # # It will remove existing ACLs, and add the following instead. # The order of the olcAccess values below matters: slapd uses the first "to" clause that matches the request, # unless a "break" or "continue" control passes it on to the next one. Ensure # that it's indeed the database #1 that you want to amend: # # ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" "olcSuffix=o=mailHosting,dc=fripost,dc=dev" dn # # # /!\ ATTENTION! Every modification made to this file should be # /!\ implemented in the test suite as well! # # # References: # - http://www.openldap.org/doc/admin24/access-control.html # - http://www.openldap.org/faq/data/cache/189.html # - http://www.openldap.org/faq/data/cache/1140.html # - http://www.openldap.org/faq/data/cache/1133.html # - man 5 slapd.access dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcAccess ## Managers have read/write access to the "virtual" subtree. #olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" # by dn.onelevel="ou=managers,o=mailHosting,dc=fripost,dc=org" write # by * break #- ## 1. Users/Services/Managers can change their password (but not read it). ## 2. Anonymous users/services/managers can bind. ## 3. Else, we inspect the 2 following ACLs. olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" attrs=userPassword by self =w by anonymous auth by users none break # # The postmaster of a domain can change (replace) his/her users' password. olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualMailbox) attrs=userPassword by group/fripostVirtualDomain/fripostPostmaster.expand="$1" =w # # No permission on the userPassword attribute for other users. # (That's a catch-all, to make sure that services and other users cannot read the passwords.) olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" attrs=userPassword by * none ## ## Services can read the whole subtree (minus the userPassword attributes). 
#olcAccess: to dn.subtree="o=mailHosting,dc=fripost,dc=dev" # attrs=entry,creatorsName,@fripostVirtualDomain,@fripostVirtualMailbox,@fripostVirtualAlias,@fripostVirtualML # by dn.onelevel="ou=services,o=mailHosting,dc=fripost,dc=org" read # by users * break # # Users can search (e.g., to list the entries they have created). # Additional permissions may be added later on. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=entry,creatorsName,fripostOwner,fripostPostmaster,fripostCanCreateAlias,fripostCanCreateML by users =s break # # Everyone can delete domains. (Provided they have +d access to the "entry" # attribute of the domains they want to delete.) olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=dev" attrs=children by users =z # # 1. The postmaster of a domain can give (or take back) people the right to create # aliases. # 2,3. People that can create aliases can list the members of the group. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=fripostVirtualDomain) attrs=fripostCanCreateAlias by dnattr=fripostPostmaster write by dnattr=fripostOwner read by set.exact="this/fripostCanCreateAlias & (user | user/-1)" read # # 1. The postmaster of a domain can give (or take back) people the right to create # mailing lists. # 2,3. People that can create mailing lists can list the members of the group. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=fripostVirtualDomain) attrs=fripostCanCreateML by dnattr=fripostPostmaster write by dnattr=fripostOwner read by set.exact="this/fripostCanCreateML & (user | user/-1)" read # # 1-3. No one (but the managers) can appoint domain Owners or Postmasters. # But people that can create aliases and mailing lists can list the members of their group. 
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualDomain) attrs=fripostOwner,fripostPostmaster by dnattr=fripostOwner read by dnattr=fripostPostmaster read by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML)& (user | user/-1)" read by dn.onelevel,expand="$1" +d by users +0 # # Everyone can add or delete children, but we will be careful with the # child's "entry" attribute, which requires +a and +z to add and delete # respectively. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=fripostVirtualDomain) attrs=children by users +w # # 1. Domain owners can edit their entry's attributes. # 2. So can domain postmasters. # 3. Domain users can read the public domain attributes. # 4. So can users with "canCreateAlias" or "canCreateML" access. olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualDomain) attrs=fvd,fripostIsStatusActive,description by dnattr=fripostOwner write by dnattr=fripostPostmaster write by dn.onelevel,expand="$1" read by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" read # # 1. Domain owners can edit their entry's attributes. # 2. So can domain postmasters. olcAccess: to dn.regex="^fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev$" filter=(objectClass=fripostVirtualDomain) attrs=@fripostVirtualDomain by dnattr=fripostOwner write by dnattr=fripostPostmaster write by users +0 # # 1. Domain owners can delete the domain (and read the entry). # 2. So can domain postmasters. # 3. Domain users can read the domain entry (but not delete it). # 4. So can users with "canCreateAlias" or "canCreateML" rights. 
olcAccess: to dn.regex="^(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualDomain) attrs=entry by dnattr=fripostOwner +zrd by dnattr=fripostPostmaster +zrd by dn.onelevel,expand="$1" +rd by set.exact="(this/fripostCanCreateAlias | this/fripostCanCreateML) & (user | user/-1)" +rd by users +0 # # No one (but the managers) can change quotas; users and their postmasters can only read them. olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualMailbox) attrs=fripostMailboxQuota by self read by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read # # 1. Users can modify their own entry. # 2. So can their postmasters. olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualMailbox) attrs=@FripostVirtualMailbox by self write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write # # 1. Postmasters can create mailboxes (but not delete them). # (Provided that they have +a access to the parent's "children" attribute.) # 2. Users can read their entry (but not delete it). olcAccess: to dn.regex="^fvu=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualMailbox) attrs=entry by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +ard by self +rd # # Reserved aliases cannot be deactivated. (But the alias definition may be changed by the # domain owner.) olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualAlias) attrs=fripostIsStatusActive,fripostOwner,fva by group/fripostVirtualDomain/fripostOwner.expand="$2" read by group/fripostVirtualDomain/fripostPostmaster.expand="$2" read by users +0 # # Reserved aliases cannot be deleted. 
olcAccess: to dn.regex="^fva=(abuse|postmaster),(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualAlias) attrs=entry by group/fripostVirtualDomain/fripostOwner.expand="$2" +ard by group/fripostVirtualDomain/fripostPostmaster.expand="$2" +ard by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a by users +0 # # 1. The alias owner can list the ownership of the entry. # 2. The domain owner can add/delete/change the ownership of the entry. # 3. So can the domain postmasters. olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualAlias) attrs=fripostOwner by dnattr=fripostOwner read continue by group/fripostVirtualDomain/fripostOwner.expand="$1" write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write by users +0 # # 1. The alias owners can edit the rest of their entry's attributes. # 2. So can the domain owners. # 3. So can the domain postmasters. olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualAlias) attrs=@FripostVirtualAlias by dnattr=fripostOwner write by group/fripostVirtualDomain/fripostOwner.expand="$1" write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write # # 1. The alias owners can read and delete the entry. # 2. So can the domain owner. # 3. So can the domain postmaster. # 4. Users with "canCreateAlias" access (either explicitly, or as a wildcard) for the domain can create aliases for that domain. # (But *not* delete them, unless also owner.) 
olcAccess: to dn.regex="^fva=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualAlias) attrs=entry by dnattr=fripostOwner +zrd continue by group/fripostVirtualDomain/fripostOwner.expand="$1" +wrd by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +wrd by set.exact="this/-1/fripostCanCreateAlias & (user | user/-1)" +a by users +0 # # 1. The mailing list owner can list the ownership of the entry. # 2. The domain owner can add/delete/change the ownership of the entry. # 3. So can the domain postmasters. olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualML) attrs=fripostOwner by dnattr=fripostOwner read continue by group/fripostVirtualDomain/fripostOwner.expand="$1" write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write by users +0 # # 1. The mailing list owner can read (but not edit) the transport-related attributes. # 2. So can the domain owner. # 3. So can the domain postmaster. olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualML) attrs=fripostMLManager,fripostMLCommand by dnattr=fripostOwner read by group/fripostVirtualDomain/fripostOwner.expand="$1" read by group/fripostVirtualDomain/fripostPostmaster.expand="$1" read # # 1. The mailing list owners can edit their entry's attributes. # 2. So can the domain owners. # 3. So can the domain postmasters. olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualML) attrs=@FripostVirtualML by dnattr=fripostOwner write by group/fripostVirtualDomain/fripostOwner.expand="$1" write by group/fripostVirtualDomain/fripostPostmaster.expand="$1" write # # 1. The mailing list owners can read and delete the entry. # 2. So can the domain's Owner. # 3. So can the domain's Postmaster. # 4. 
Users with "canCreateML" capability (either explicitly, or as a wildcard) for the domain can create mailing lists for that domain. # (But *not* delete them, unless also owner.) olcAccess: to dn.regex="^fvml=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=fripostVirtualML) attrs=entry by dnattr=fripostOwner +rzd continue by group/fripostVirtualDomain/fripostOwner.expand="$1" +rwd by group/fripostVirtualDomain/fripostPostmaster.expand="$1" +rwd by set.exact="this/-1/fripostCanCreateML & (user | user/-1)" +a by users +0 # # Catch the "break" controls above: any request that fell through the ACLs ends here with no access. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=dev" by users +0