1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
3
<!--Converted with LaTeX2HTML 2002-2-1 (1.70)
4
original version by: Nikos Drakos, CBLU, University of Leeds
5
* revised and updated by: Marcus Hennecke, Ross Moore, Herb Swan
6
* with significant contributions from:
7
Jens Lippmann, Marek Rouchal, Martin Wilck and others -->
10
<TITLE>13. Authorization scenarios</TITLE>
11
<META NAME="description" CONTENT="13. Authorization scenarios">
12
<META NAME="keywords" CONTENT="sympa">
13
<META NAME="resource-type" CONTENT="document">
14
<META NAME="distribution" CONTENT="global">
16
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
17
<META NAME="Generator" CONTENT="LaTeX2HTML v2002-2-1">
18
<META HTTP-EQUIV="Content-Style-Type" CONTENT="text/css">
20
<LINK REL="STYLESHEET" HREF="sympa.css">
22
<LINK REL="next" HREF="node15.html">
23
<LINK REL="previous" HREF="node13.html">
24
<LINK REL="up" HREF="sympa.html">
25
<LINK REL="next" HREF="node15.html">
28
<BODY TEXT="#000000" BGCOLOR="#ffffff">
29
<!--Navigation Panel-->
30
<A NAME="tex2html1159"
32
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A>
33
<A NAME="tex2html1153"
35
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A>
36
<A NAME="tex2html1147"
38
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A>
39
<A NAME="tex2html1155"
41
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>
42
<A NAME="tex2html1157"
44
<IMG WIDTH="43" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="index" SRC="index.png"></A>
46
<B> Next:</B> <A NAME="tex2html1160"
47
HREF="node15.html">14. virtual host</A>
48
<B> Up:</B> <A NAME="tex2html1154"
49
HREF="sympa.html">Sympa Mailing Lists Management Software version</A>
50
<B> Previous:</B> <A NAME="tex2html1148"
51
HREF="node13.html">12. Authentication</A>
52
<B> <A NAME="tex2html1156"
53
HREF="node1.html">Contents</A></B>
54
<B> <A NAME="tex2html1158"
55
HREF="node30.html">Index</A></B>
58
<!--End of Navigation Panel-->
59
<!--Table of Child-Links-->
60
<A NAME="CHILD_LINKS"><STRONG>Subsections</STRONG></A>
63
<LI><A NAME="tex2html1161"
64
HREF="node14.html#SECTION001410000000000000000">13.1 rules specifications</A>
65
<LI><A NAME="tex2html1162"
66
HREF="node14.html#SECTION001420000000000000000">13.2 LDAP Named Filters</A>
68
<LI><A NAME="tex2html1163"
69
HREF="node14.html#SECTION001421000000000000000">13.2.1 Definition</A>
70
<LI><A NAME="tex2html1164"
71
HREF="node14.html#SECTION001422000000000000000">13.2.2 Search Condition</A>
74
<LI><A NAME="tex2html1165"
75
HREF="node14.html#SECTION001430000000000000000">13.3 scenario inclusion</A>
76
<LI><A NAME="tex2html1166"
77
HREF="node14.html#SECTION001440000000000000000">13.4 Hidding scenario files</A>
79
<!--End of Table of Child-Links-->
82
<H1><A NAME="SECTION001400000000000000000"></A>
83
<A NAME="scenarios"></A><A NAME="1907"></A>
85
13. Authorization scenarios
89
List parameters controlling the behavior of commands are linked to different authorization scenarios.
90
For example : the <A NAME="9110"></A><TT>send private</TT> parameter is related to the send.private scenario.
91
There are four possible locations for a authorization scenario. When <I>Sympa</I> seeks to apply an authorization scenario, it
92
looks first in the related list directory <A NAME="9126"></A><TT>/home/sympa/expl/<TT><</TT>list<TT>></TT>/scenari</TT>. If it
93
does not find the file there, it scans the current robot configuration directory <A NAME="9135"></A><TT>/home/sympa/etc/my.domain.org/scenari</TT>, then the site's configuration directory <A NAME="9138"></A><TT>/home/sympa/etc/scenari</TT>,
94
and finally <A NAME="9141"></A><TT>/home/sympa/bin/etc/scenari</TT>, which is the directory installed by the Makefile.
97
An authorization scenario is a small configuration language to describe who
98
can perform an operation and which authentication method is requested for it.
99
An authorization scenario is an ordered set of rules. The goal is to provide a simple and
100
flexible way to configure authorization and required authentication method for each operation.
103
Each authorization scenario rule contains :
106
<LI>a condition : the condition is evaluated by <I>Sympa</I>. It can use
107
variables such as sender for the sender e-mail, list for the listname etc.
109
<LI>an authentication method. The authentication method can be <A NAME="9145"></A><TT>smtp</TT>,
110
<A NAME="9148"></A><TT>md5</TT> or <A NAME="9151"></A><TT>smime</TT>. The rule is applied by <I>Sympa</I> if both condition
111
and authentication method match the runtime context. <A NAME="9155"></A><TT>smtp</TT> is used if
112
<I>Sympa</I> use the SMTP <A NAME="9159"></A><TT>from:</TT> header , <A NAME="9162"></A><TT>md5</TT> is used if a unique
113
md5 key as been returned by the requestor to validate her message, <A NAME="9165"></A><TT>smime</TT>
114
is used for signed messages (see <A HREF="node27.html#smimeforsign">26.4.3</A>, page <A HREF="node27.html#smimeforsign"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>).
116
<LI>a returned atomic action that will be executed by <I>Sympa</I> if the rule matches
129
title.us deletion performed only by list owners, need authentication
130
title.fr suppression r�serv�e au propri�taire avec authentification
131
title.es eliminacin reservada slo para el propietario, necesita autentificacin
134
is_owner([listname],[sender]) smtp -> request_auth
135
is_listmaster([sender]) smtp -> request_auth
136
true() md5,smime -> do_it
141
<H1><A NAME="SECTION001410000000000000000"></A>
144
13.1 rules specifications
148
An authorization scenario consists of rules, evaluated in order beginning with the first.
149
Rules are defined as follows :<PRE>
150
<rule> ::= <condition> <auth_list> -> <action>
152
<condition> ::= [!] <condition
155
| equal (<var>, <var>)
156
| match (<var>, /perl_regexp/)
157
| search (<filter.ldap>,<var>)
158
| is_subscriber (<listname>, <var>)
159
| is_owner (<listname>, <var>)
160
| is_editor (<listname>, <var>)
161
| is_listmaster (<var>)
162
| older (<date>, <date>) # true if first date is anterior to the second date
163
| newer (<date>, <date>) # true if first date is posterior to the second date
164
<var> ::= [email] | [sender] | [user-><user_key_word>] | [previous_email]
165
| [remote_host] | [remote_addr] | [user_attributes-><user_attributes_keyword>]
166
| [subscriber-><subscriber_key_word>] | [list-><list_key_word>] | [env-><env_var>]
167
| [conf-><conf_key_word>] | [msg_header-><smtp_key_word>] | [msg_body]
168
| [msg_part->type] | [msg_part->body] | [msg_encrypted] | [is_bcc] | [current_date]
169
| [topic-auto] | [topic-sender,] | [topic-editor] | [topic] | [topic-needed]
172
[is_bcc] ::= set to 1 if the list is neither in To: nor Cc:
174
[sender] ::= email address of the current user (used on web or mail interface). Default value is 'nobody'
176
[previous_email] ::= old email when changing subscription email in preference page.
178
[msg_encrypted] ::= set to 'smime' if the message was S/MIME encrypted
180
[topic-auto] ::= topic of the message if it has been automatically tagged
182
[topic-sender] ::= topic of the message if it has been tagged by sender
184
[topic-editor] ::= topic of the message if it has been tagged by editor
186
[topic] ::= topic of the message
188
[topic-needed] ::= the message has not got any topic and message topic are required for the list
190
<date> ::= '<date_element> [ +|- <date_element>]'
192
<date_element> ::= <epoch_date> | <var> | <date_expr>
194
<epoch_date> ::= <integer>
196
<date_expr> ::= <integer>y<integer>m<integer>d<integer>h<integer>min<integer>sec
198
<listname> ::= [listname] | <listname_string>
200
<auth_list> ::= <auth>,<auth_list> | <auth>
202
<auth> ::= smtp|md5|smime
204
<action> ::= do_it [,notify]
206
| reject(reason=<reason_key>)
207
| reject(tt2=<tpl_name>)
214
<reason_key> ::= match a key in mail_tt2/authorization_reject.tt2 template corresponding to
215
an information message about the reason of the reject of the user
217
<tpl_name> ::= corresponding template (<tpl_name>.tt2) is send to the sender
219
<user_key_word> ::= email | gecos | lang | password | cookie_delay_user
220
| <additional_user_fields>
222
<user_attributes_key_word> ::= one of the user attributes provided by the SSO system via environment variables. The [user_attributes] structure is available only if user authenticated with a generic_sso.
224
<subscriber_key_word> ::= email | gecos | bounce | reception
225
| visibility | date | update_date
226
| <additional_subscriber_fields>
228
<list_key_word> ::= name | host | lang | max_size | priority | reply_to |
229
status | subject | account | total
231
<conf_key_word> ::= domain | email | listmaster | default_list_priority |
232
sympa_priority | request_priority | lang | max_size
236
(Refer to <A HREF="node17.html#tasks">16.8</A>, page <A HREF="node17.html#tasks"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A> for date format definition)
239
The function to evaluate scenario is described in section <A HREF="node29.html#list-scenario-evaluation">28.2.6</A>, page <A HREF="node29.html#list-scenario-evaluation"><IMG ALIGN="BOTTOM" BORDER="1" ALT="[*]" SRC="crossref.png"></A>.
242
perl_regexp can contain the string [host] (interpreted at run time as the list or robot domain).
243
The variable notation [msg_header-<TT>><</TT>smtp_key_word<TT>></TT>] is interpreted as the
244
SMTP header value only when evaluating the authorization scenario for sending messages.
245
It can be used, for example, to require editor validation for multipart messages.
246
[msg_part-<TT>></TT>type] and [msg_part-<TT>></TT>body] are the MIME parts content-types and bodies ; the body is available
247
for MIME parts in text/xxx format only.
250
The difference between <A NAME="9169"></A>editor and <A NAME="9170"></A>editorkey is, that with <A NAME="9171"></A>editor the message is simply forwarded to the moderaotr. He then can forward it to the list, if he wishes. <A NAME="9172"></A>editorkey assigns a key to the message and sends it to the moderator together with the message. So the moderator can just send back the key to distribute the message. Please note, that moderation from the webinterface is only possible when using <A NAME="9173"></A>editorkey, because otherwise there is no copy of the message saved on the server.
253
A bunch of authorization scenarios is provided with the <I>Sympa</I> distribution ; they provide
254
a large set of configuration that allow to create lists for most usage. But you will
255
probably create authorization scenarios for your own need. In this case, don't forget to restart <I>Sympa</I>
256
and wwsympa because authorization scenarios are not reloaded dynamicaly.
259
These standard authorization scenarios are located in the <A NAME="9176"></A><TT>/home/sympa/bin/etc/scenari/</TT>
260
directory. Default scenarios are named <TT><</TT>command<TT>></TT>.default.
263
You may also define and name your own authorization scenarios. Store them in the
264
<A NAME="9179"></A><TT>/home/sympa/etc/scenari</TT> directory. They will not be overwritten by Sympa release.
265
Scenarios can also be defined for a particular virtual host (using directory <A NAME="9194"></A><TT>/home/sympa/etc/<TT><</TT>robot<TT>></TT>/scenari</TT>) or for a list ( <A NAME="9221"></A><TT>/home/sympa/expl/<TT><</TT>robot<TT>></TT>/<TT><</TT>list<TT>></TT>/scenari</TT> ). <B>Sympa will not dynamically detect that a list config should be reloaded after a scenario has been changed on disk.</B>
271
Copy the previous scenario to <A NAME="9236"></A><TT>scenari/subscribe.rennes1</TT> :
274
equal([sender], 'userxxx@univ-rennes1.fr') smtp,smime -> reject
275
match([sender], /univ-rennes1\.fr$/) smtp,smime -> do_it
276
true() smtp,smime -> owner
280
You may now refer to this authorization scenario in any list configuration file, for example :
288
<H1><A NAME="SECTION001420000000000000000"></A>
289
<A NAME="named-filters"></A>
291
13.2 LDAP Named Filters
295
At the moment Named Filters are only used in authorization scenarios. They enable to select a category of people who will be authorized or not to realise some actions.
298
As a consequence, you can grant privileges in a list to people belonging to an <A NAME="9239"></A>LDAP directory thanks to an authorization scenario.
302
<H2><A NAME="SECTION001421000000000000000">
303
13.2.1 Definition</A>
307
People are selected through an <A NAME="9240"></A>LDAP filter defined in a configuration file. This file must have the extension '.ldap'.It is stored in <A NAME="9241"></A><TT>/home/sympa/etc/search_filters/</TT>.
310
You must give several informations in order to create a Named Filter:
315
A list of host:port LDAP directories (replicates) entries.
321
Defines the naming space covered by the search (optional, depending on the LDAP server).
327
Defines the LDAP search filter (RFC 2254 compliant).
328
But you must absolutely take into account the first part of the filter which is:
329
('mail_attribute' = [sender]) as shown in the example. you will have to replce 'mail_attribute' by the name
330
of the attribute for the email.
331
<I>Sympa</I> verifies if the user belongs to the category of people defined in the filter.
337
By default the search is performed on the whole tree below the specified base object. This may be changed by specifying a scope :
342
<LI>base : Search only the base object.
346
Search the entries immediately below the base object.
350
Search the whole tree below the base object. This is the default.
359
If anonymous bind is not allowed on the LDAP server, a DN and password can be used.
365
This password is used, combined with the bind_dn above.
372
example.ldap : we want to select the professors of mathematics in the university of Rennes1 in France<PRE>
374
host ldap.univ-rennes1.fr:389,ldap2.univ-rennes1.fr:390
375
suffix dc=univ-rennes1.fr,dc=fr
376
filter (&(canonic_mail = [sender])(EmployeeType = prof)(subject = math))
382
<H2><A NAME="SECTION001422000000000000000">
383
13.2.2 Search Condition</A>
387
The search condition is used in authorization scenarios which are defined and described in (see <A HREF="#scenarios">13</A>)
390
The syntax of this rule is:<PRE>
391
search(example.ldap,[sender]) smtp,smime,md5 -> do_it
395
The variables used by 'search' are :
398
<LI>the name of the LDAP Configuration file
402
That is to say the sender email address.
407
Note that <I>Sympa</I> processes maintain a cache of processed search conditions to limit access to the LDAP directory ; each entry has a lifetime of 1 hour in the cache.
410
The method of authentication does not change.
414
<H1><A NAME="SECTION001430000000000000000">
415
13.3 scenario inclusion</A>
419
Scenarios can also contain includes :
424
match(, /cru\.fr$/) smtp,smime -> do_it
425
true() smtp,smime -> owner
429
In this case sympa applies recursively the scenario named <TT>include.commonreject</TT>
430
before introducing the other rules. This possibility was introduced in
431
order to facilitate the administration of common rules.
434
You can define a set of common scenario rules, used by all lists.
435
include.<TT><</TT>action<TT>></TT>.header is automatically added to evaluated scenarios.
439
<H1><A NAME="SECTION001440000000000000000">
440
13.4 Hidding scenario files</A>
444
Because <I>Sympa</I> is distributed with many default scenario files, you may want to hidde some of them
445
to list owners (to make list admin menus shorter and readable). To hidde a scenario file you should
446
create an empty file with the <TT>:ignore</TT> suffix. Depending on where this file has been created
447
will make it ignored at either a global, robot or list level.
452
/home/sympa/etc/my.domain.org/scenari/send.intranetorprivate:ignore
457
The <TT>intranetorprivate</TT> <TT>send</TT> scenario will be hidden (on the web admin interface),
458
at the my.domain.orgrobot level only.
462
<!--Navigation Panel-->
463
<A NAME="tex2html1159"
465
<IMG WIDTH="37" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="next" SRC="next.png"></A>
466
<A NAME="tex2html1153"
468
<IMG WIDTH="26" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="up" SRC="up.png"></A>
469
<A NAME="tex2html1147"
471
<IMG WIDTH="63" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="previous" SRC="prev.png"></A>
472
<A NAME="tex2html1155"
474
<IMG WIDTH="65" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="contents" SRC="contents.png"></A>
475
<A NAME="tex2html1157"
477
<IMG WIDTH="43" HEIGHT="24" ALIGN="BOTTOM" BORDER="0" ALT="index" SRC="index.png"></A>
479
<B> Next:</B> <A NAME="tex2html1160"
480
HREF="node15.html">14. virtual host</A>
481
<B> Up:</B> <A NAME="tex2html1154"
482
HREF="sympa.html">Sympa Mailing Lists Management Software version</A>
483
<B> Previous:</B> <A NAME="tex2html1148"
484
HREF="node13.html">12. Authentication</A>
485
<B> <A NAME="tex2html1156"
486
HREF="node1.html">Contents</A></B>
487
<B> <A NAME="tex2html1158"
488
HREF="node30.html">Index</A></B>
489
<!--End of Navigation Panel-->