2 files changed, 16 insertions, 10 deletions

diff --git a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
index 72695ab..54f3037 100644
--- a/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
+++ b/roles/common-LDAP/files/etc/ldap/schema/fripost.ldif
@@ -66,41 +66,41 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.1 NAME 'fvd'
     EQUALITY caseIgnoreIA5Match
     SUBSTR caseIgnoreIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.2 NAME 'fvl'
     DESC 'The local part of a virtual user, alias, list or list command'
     EQUALITY caseIgnoreIA5Match
     SUBSTR caseIgnoreIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.3 NAME 'fripostMaildrop'
     DESC 'An email address the virtual alias should be mapped to'
     EQUALITY caseIgnoreIA5Match
     SUBSTR caseIgnoreIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
 #
 # We are creating a new attribute, optional in virtual domains and
 # users, because the presence index should *not* apply to the
 # mandatory attribute above.
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.4 NAME 'fripostOptionalMaildrop'
-    DESC 'An optional email address for catch-all aliases on domains and users'
+    DESC 'An optional email address for catch-all or domain aliases'
     EQUALITY caseIgnoreIA5Match
     SUBSTR caseIgnoreIA5SubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.5 NAME 'fripostIsStatusActive'
     DESC 'When present, a token locking the entry in an inactive state'
     EQUALITY booleanMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.6 NAME 'fripostPendingToken'
     DESC 'Is the entry pending?'
     EQUALITY caseExactMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.7 NAME 'fripostUserQuota'
     DESC 'The quota on a user e.g., "50MB"'
     EQUALITY caseExactMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32} SINGLE-VALUE )
 #
 olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.8 NAME 'fripostCanAddDomain'
@@ -128,43 +128,49 @@ olcAttributeTypes: ( 1.3.6.1.4.1.40011.1.2.1.13 NAME 'fripostListManager'
     EQUALITY caseIgnoreMatch
     SUBSTR caseIgnoreSubstringsMatch
     SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{64} SINGLE-VALUE )
 #
 #
 # Objects: 1.3.6.1.4.1.40011.1.2
 #
 olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.1 NAME 'FripostVirtual'
     AUXILIARY
     DESC 'Virtual mail hosting'
     MAY ( fripostCanAddDomain ) )
 #
 olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.2 NAME 'FripostVirtualDomain'
     SUP top STRUCTURAL
     DESC 'Virtual domain'
     MUST ( fvd $ fripostIsStatusActive )
     MAY ( fripostCanAddAlias $ fripostCanAddList $
           fripostOwner $ fripostPostmaster $
           fripostOptionalMaildrop $ description ) )
 #
+# Domain alias (for the domain given by fripostMaildrop). Children are ignored.
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualAliasDomain'
+    SUP FripostVirtualDomain STRUCTURAL
+    DESC 'Virtual alias domain'
+    MUST ( fripostMaildrop ) )
+#
 # | TODO: add limits here
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.3 NAME 'FripostVirtualUser'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualUser'
     SUP top STRUCTURAL
     DESC 'Virtual user'
     MUST ( fvl $ userPassword $ fripostIsStatusActive )
-    MAY ( fripostUserQuota $ fripostOptionalMaildrop $ description) )
+    MAY ( fripostUserQuota $ description) )
 #
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.4 NAME 'FripostVirtualAlias'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualAlias'
     SUP top STRUCTURAL
     DESC 'Virtual alias'
     MUST ( fvl $ fripostMaildrop $ fripostIsStatusActive )
     MAY ( fripostOwner $ description ) )
 #
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.5 NAME 'FripostVirtualList'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostVirtualList'
     SUP top STRUCTURAL
     DESC 'Virtual list'
     MUST ( fvl $ fripostListManager $ fripostIsStatusActive )
     MAY ( fripostOwner $ description ) )
 #
-olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.6 NAME 'FripostPendingEntry'
+olcObjectClasses: ( 1.3.6.1.4.1.40011.1.2.7 NAME 'FripostPendingEntry'
     SUP top AUXILIARY
     DESC 'Virtual pending entry'
     MAY ( fripostPendingToken ) )
diff --git a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2 b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
index 6e5961b..33ef108 100644
--- a/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
+++ b/roles/common-LDAP/templates/etc/ldap/database.ldif.j2
@@ -272,52 +272,52 @@ olcAccess: to dn.regex="^fvl=[^,]+,fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost
         filter=(&(objectClass=FripostVirtualList)(objectClass=FripostPendingEntry))
         attrs=fripostPendingToken
     by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +z
     by * +0
 #
 # The cleaning service can list the (expired) pending entries and delete them.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         filter=(objectClass=FripostPendingEntry)
         attrs=entry
     by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =zrd break
     by * =0 break
 #
 # One can search search everywhere in the virtual tree.
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         attrs=entry
     by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" +s
     by * =s break
 #
 # We're giving away create/delete access on the children attributes, but we will be carefull
 # with the 'entry' permissions.
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         filter=(objectClass=FripostVirtual)
         attrs=children
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w
     by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z
 olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         filter=(objectClass=FripostVirtualDomain)
         attrs=children
     by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =z
     by * break
 olcAccess: to dn.one="ou=virtual,o=mailHosting,dc=fripost,dc=org"
-        filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry)))
+        filter=(&(objectClass=FripostVirtualDomain)(!(objectClass=FripostPendingEntry))(!(objectClass=FripostVirtualAliasDomain)))
         attrs=children
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =w
 #
 # The cleaning service needs to know when entries have been created.
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         filter=(objectClass=FripostPendingEntry)
         attrs=createTimestamp
     by dn.exact="cn=DeletePendingEntries,ou=services,o=mailHosting,dc=fripost,dc=org" =s
 #
 # Users can use these in filters (e.g., to list the entries they have created).
 olcAccess: to dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         filter=(|(objectClass=FripostVirtualDomain)(objectClass=FripostVirtualUser)(objectClass=FripostVirtualAlias)(objectClass=FripostVirtualList))
         attrs=fripostOwner,fripostPostmaster,fripostCanAddAlias,fripostCanAddList
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" =s break
 #
 #
 ########################################################################
 # Virtual subtree, domains
 #
 # 1. The postmaster of a domain can give (or take back) people the right to create
@@ -517,32 +517,32 @@ olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripos
     by dn.exact="cn=CreateList,ou=services,o=mailHosting,dc=fripost,dc=org" +rd
     by * +0 break
 #
 # 1. The list owners can read the entry.
 # 2. So can the domain's Owner.
 # 3. So can the domain's Postmaster.
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=org)$"
         filter=(objectClass=FripostVirtualList)
         attrs=entry
     by dnattr=fripostOwner +rd
     by group/FripostVirtualDomain/fripostOwner.expand="$1" +rd
     by group/FripostVirtualDomain/fripostPostmaster.expand="$1" +rd
     by * +0
 #
 #
 ########################################################################
 # Catchall
 #
 # Users with "canAddDomain" access can see that they have the right
 # to create domains.
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         filter=(objectClass=FripostVirtual)
         attrs=entry
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +rd
-olcAccess: to dn.base="ou=virtual,o=mailHosting,dc=fripost,dc=org"
+olcAccess: to dn.exact="ou=virtual,o=mailHosting,dc=fripost,dc=org"
         filter=(objectClass=FripostVirtual)
         attrs=fripostCanAddDomain
     by set.exact="this/fripostCanAddDomain & (user | user/-1)" =rscd
 # Catch the break above
 olcAccess: to dn.subtree="ou=virtual,o=mailHosting,dc=fripost,dc=org"
     by dn.children="ou=virtual,o=mailHosting,dc=fripost,dc=org" +0
 # vim: set filetype=ldif :