Diffstat (limited to 'roles/common-LDAP/templates/etc/ldap')
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j24
1 files changed, 3 insertions, 1 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 1970a99..8333032 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -89,52 +89,54 @@ olcDbIndex: entryCSN,entryUUID eq
# /!\ WARN: All modification to the ACL should be reflected to the test
# /!\ suite as well!
#
# References:
# - http://www.openldap.org/doc/admin24/access-control.html
# - http://www.openldap.org/faq/data/cache/189.html
# - http://www.openldap.org/faq/data/cache/1140.html
# - http://www.openldap.org/faq/data/cache/1133.html
# - man 5 slapd.access
#
#
########################################################################
# Most common services: Postfix, Amavis, SASLauth, Dovecot
# (Most used ACLs are cheaper when written first.)
#
# Postfix have read access to the attribute they need.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,fvd,fvl,fripostMaildrop,fripostOptionalMaildrop,fripostLocalAlias
filter=(&(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)(objectClass=FripostVirtualListCommand))(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
+ by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
by users =0 break
+#
# Search lists and domain owners
olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry
- by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =s
by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =s
by users =0 break
#
# Search domain owners / postmasters
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,fvd,fvl,fripostPostmaster,fripostOwner
filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(fripostIsStatusActive=FALSE)))
+ by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =rsd
by dn.exact="username=postfix,cn=peercred,cn=external,cn=auth" =rsd
by users =0 break
#
# Anonymous can authenticate into the services. (But not read or write the password.)
olcAccess: to dn.one="ou=services,o=mailHosting,dc=fripost,dc=org"
attrs=userPassword
by realanonymous =xd
#
# That's necessary for SASL proxy Authorize the web application.
olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc=org"
attrs=entry,objectClass,authzTo
by realanonymous =x
#
# 1. The WebPanel itself cannot bind, read or write passwords. This
# guarantees that, if an attacker gains its priviledge, it will *not* be
# able to change user passwords (which would allow him/her to read every
# emails). This is a trick to tackle the absence of 'realgroup'.
# 2. Anonymous users can bind.
# 3. Users can change their password (but not read it).
# 4. The postmaster of a domain can change (replace) his/her users' password (but not read it).
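Review bot: The second ACL in this hunk (`to dn.exact="ou=virtual,..." attrs=entry`) now grants `=s` only to the peercred identity and drops the `cn=Postfix,ou=services` bind DN, whereas the first and third ACLs keep both identities side by side; a Postfix instance that still binds as `cn=Postfix` over the network therefore retains read on the virtual entries but loses search on the `ou=virtual` container itself, which looks like an inconsistency rather than a deliberate tightening. If the simple-bind path is still supported, restore `by dn.exact="cn=Postfix,ou=services,o=mailHosting,dc=fripost,dc=org" =s` in that ACL; if the removal is intentional, say so next to it, e.g. `# Only the local ldapi/peercred Postfix needs to search the container.`. The header comment at the top of the hunk requires ACL changes to be mirrored in the test suite; the diffstat shown is limited to this template path, so I cannot tell from here whether the new peercred grants are covered.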