Diffstat (limited to 'roles/common-LDAP/templates/etc')
-rw-r--r-- | roles/common-LDAP/templates/etc/ldap/database.ldif.j2 | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 6e5961b..33ef108 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 
@@ -272,52 +272,52 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry)) attrs=fripostPendingToken by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +z by * +0 # # The cleaning service can list the (expired) pending entries and delete them. olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostPendingEntry) attrs=entry by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =zrd break by * =0 break # # One can search search everywhere in the virtual tree. olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org" attrs=entry by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" +s by * =s break # # We're giving away create/delete access on the children attributes, but we will be carefull # with the 'entry' permissions. -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtual) attrs=children by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtualDomain) attrs=children by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z by * break olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org" - filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))) + filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(objectClass=FripostVirtualAliasDomain))) attrs=children by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w # # The cleaning service needs to know when entries have been created. 
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostPendingEntry) attrs=createTimestamp by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =s # # Users can use these in filters (e.g., to list the entries they have created). olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList)) attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =s break # # ######################################################################## # Virtual subtree, domains # # 1. The postmaster of a domain can give (or take back) people the right to create 
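Review bot: The new `(!(objectClass=FripostVirtualAliasDomain))` term on the second `dn.one` rule narrows which domains ordinary users may create children under, but neither that rule nor the comment above it (`We're giving away create/delete access on the children attributes...`) says so; I would add `# Alias domains are excluded: nothing is meant to be created below them.` directly above the rule, adjusted if the intent differs. The exclusion only takes effect if alias-domain entries also carry objectClass FripostVirtualDomain, which this hunk does not show — worth confirming against the schema, since otherwise the previous filter never matched them and the change is a no-op. Once the rule stops matching an alias domain, the request falls through to later `to` clauses, so the effective outcome for users depends on the catch-all rules further down the file (the second hunk's `by dn.children ... +0`), which deserves a line in the same comment. The `dn.base` to `dn.exact` rename is a slapd.access(5) synonym and changes nothing by itself.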
@@ -517,32 +517,32 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +rd by * +0 break # # 1. The list owners can read the entry. # 2. So can the domain's Owner. # 3. So can the domain's Postmaster. olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$" filter=(objectClass=FripostVirtualList) attrs=entry by dnattr=fripostOwner +rd by group/FripostVirtualDomain/fripostOwner.expand="$1" +rd by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +rd by * +0 # # ######################################################################## # Catchall # # Users with "canAddDomain" access can see that they have the right # to create domains. -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtual) attrs=entry by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +rd -olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org" +olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org" filter=(objectClass=FripostVirtual) attrs=fripostCanAddDomain by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd # Catch the break above olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org" by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +0 # vim: set filetype=ldif : |