summaryrefslogtreecommitdiffstats
path: root/roles/common-LDAP/templates
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common-LDAP/templates')
-rw-r--r--roles/common-LDAP/templates/etc/ldap/database.ldif.j28
1 files changed, 4 insertions, 4 deletions
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 6e5961b..33ef108 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -272,52 +272,52 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
attrs=fripostPendingToken
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +z
by * +0
#
# The cleaning service can list the (expired) pending entries and delete them.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostPendingEntry)
attrs=entry
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =zrd break
by * =0 break
#
# One can search search everywhere in the virtual tree.
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
attrs=entry
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" +s
by * =s break
#
# We're giving away create/delete access on the children attributes, but we will be carefull
# with the 'entry' permissions.
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostVirtual)
attrs=children
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z
olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostVirtualDomain)
attrs=children
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z
by * break
olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org"
- filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
+ filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(objectClass=FripostVirtualAliasDomain)))
attrs=children
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w
#
# The cleaning service needs to know when entries have been created.
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostPendingEntry)
attrs=createTimestamp
by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =s
#
# Users can use these in filters (e.g., to list the entries they have created).
olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =s break
#
#
########################################################################
# Virtual subtree, domains
#
# 1. The postmaster of a domain can give (or take back) people the right to create
@@ -517,32 +517,32 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +rd
by * +0 break
#
# 1. The list owners can read the entry.
# 2. So can the domain's Owner.
# 3. So can the domain's Postmaster.
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
filter=(objectClass=FripostVirtualList)
attrs=entry
by dnattr=fripostOwner +rd
by group/FripostVirtualDomain/fripostOwner.expand="$1" +rd
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +rd
by * +0
#
#
########################################################################
# Catchall
#
# Users with "canAddDomain" access can see that they have the right
# to create domains.
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostVirtual)
attrs=entry
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +rd
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
filter=(objectClass=FripostVirtual)
attrs=fripostCanAddDomain
by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd
# Catch the break above
olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +0
# vim: set filetype=ldif :
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-18 10:04:53 +0000