/[adm]/puppet/modules/openldap/templates/mandriva-dit-access.conf
ViewVC logotype

Annotation of /puppet/modules/openldap/templates/mandriva-dit-access.conf

Parent Directory Parent Directory | Revision Log Revision Log


Revision 375 - (hide annotations) (download)
Mon Nov 22 02:04:02 2010 UTC (13 years, 4 months ago) by misc
File size: 6861 byte(s)
- do not hardcode mageia.org in acl
1 misc 53 # mandriva-dit-access.conf
2    
3 misc 375 limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>"
4 misc 53 limit size=unlimited
5     limit time=unlimited
6    
7 misc 375 limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>"
8 misc 53 limit size=unlimited
9     limit time=unlimited
10    
11 misc 375 limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>"
12 misc 53 limit size=unlimited
13     limit time=unlimited
14    
15     # so we don't have to add these to every other acl down there
16 misc 375 access to dn.subtree="<%= dc_suffix %>"
17     by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write
18     by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read
19 misc 53 by * break
20    
21     # userPassword access
22 buchan 82 # Allow account registration to write userPassword of unprivileged users accounts
23 misc 375 access to dn.subtree="ou=People,<%= dc_suffix %>"
24 buchan 82 filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
25     attrs=userPassword,pwdReset
26 misc 375 by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +a
27 buchan 82 by * +0 break
28    
29 misc 53 # shadowLastChange is here because it needs to be writable by the user because
30     # of pam_ldap, which will update this attr whenever the password is changed.
31     # And this is done with the user's credentials
32 misc 375 access to dn.subtree="<%= dc_suffix %>"
33 misc 53 attrs=shadowLastChange
34     by self write
35 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
36 buchan 212 by users read
37 misc 375 access to dn.subtree="<%= dc_suffix %>"
38 misc 53 attrs=userPassword
39 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
40 misc 53 by self write
41     by anonymous auth
42     by * none
43    
44     # kerberos key access
45     # "by auth" just in case...
46 misc 375 access to dn.subtree="<%= dc_suffix %>"
47 misc 53 attrs=krb5Key
48     by self write
49 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
50 misc 53 by anonymous auth
51     by * none
52    
53     # password policies
54 misc 375 access to dn.subtree="ou=Password Policies,<%= dc_suffix %>"
55     by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
56 buchan 212 by users read
57 misc 53
58     # samba password attributes
59     # by self not strictly necessary, because samba uses its own admin user to
60     # change the password on the user's behalf
61     # openldap also doesn't auth on these attributes, but maybe some day it will
62 misc 375 access to dn.subtree="<%= dc_suffix %>"
63 misc 53 attrs=sambaLMPassword,sambaNTPassword
64 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
65 misc 53 by anonymous auth
66     by self write
67     by * none
68     # password history attribute
69     # pwdHistory is read-only, but ACL is simplier with it here
70 misc 375 access to dn.subtree="<%= dc_suffix %>"
71 misc 53 attrs=sambaPasswordHistory,pwdHistory
72     by self read
73 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
74 misc 53 by * none
75    
76     # pwdReset, so the admin can force an user to change a password
77 misc 375 access to dn.subtree="<%= dc_suffix %>"
78 buchan 82 attrs=pwdReset,pwdAccountLockedTime
79 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
80 buchan 212 by self read
81 misc 53
82     # group owner can add/remove/edit members to groups
83 misc 375 access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
84 misc 53 attrs=member
85     by dnattr=owner write
86 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
87 buchan 142 by users +sx
88 misc 53
89 misc 375 access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
90 buchan 144 attrs=cn,description,objectClass,gidNumber
91 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
92 buchan 142 by users read
93    
94 buchan 134 # registration - allow registrar group to create basic unprivileged accounts
95 misc 375 access to dn.subtree="ou=People,<%= dc_suffix %>"
96 buchan 134 attrs="objectClass"
97     val="inetOrgperson"
98 misc 375 by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
99 buchan 134 by * +0 break
100    
101 misc 375 access to dn.subtree="ou=People,<%= dc_suffix %>"
102 buchan 134 filter="(!(objectclass=posixAccount))"
103 buchan 137 attrs=cn,sn,gn,mail,entry,children,preferredLanguage
104 misc 375 by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
105 buchan 134 by * +0 break
106    
107 misc 53 # let the user change some of his/her attributes
108 misc 375 access to dn.subtree="ou=People,<%= dc_suffix %>"
109 buchan 82 attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
110 misc 53 by self write
111 buchan 212 by users read
112 misc 53
113     # create new accounts
114 misc 375 access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$"
115 misc 53 attrs=children,entry
116 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
117 misc 53 by * break
118     # access to existing entries
119 misc 375 access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$"
120     by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
121 misc 53 by * break
122    
123     # sambaDomainName entry
124 misc 375 access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$"
125 misc 53 attrs=children,entry,@sambaDomain,@sambaUnixIdPool
126 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
127 buchan 212 by users read
128 misc 53
129     # samba ID mapping
130 misc 375 access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$"
131 misc 53 attrs=children,entry,@sambaIdmapEntry
132 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
133     by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write
134 buchan 212 by users read
135 misc 53
136     # global address book
137     # XXX - which class(es) to use?
138 misc 375 access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>"
139 misc 53 attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
140 misc 375 by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write
141 buchan 212 by users read
142 misc 53
143     # dhcp entries
144     # XXX - open up read access to anybody?
145 misc 375 access to dn.sub="ou=dhcp,<%= dc_suffix %>"
146 misc 53 attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
147 misc 375 by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write
148     by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read
149 misc 53 by * read
150    
151     # sudoers
152 misc 375 access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$"
153 misc 53 attrs=children,entry,@sudoRole
154 misc 375 by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write
155 buchan 212 by users read
156 misc 53
157     # dns
158 misc 375 access to dn="ou=dns,<%= dc_suffix %>"
159 misc 53 attrs=entry,@extensibleObject
160 misc 375 by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
161 buchan 212 by users read
162 misc 375 access to dn.sub="ou=dns,<%= dc_suffix %>"
163 misc 53 attrs=children,entry,@dNSZone
164 misc 375 by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
165     by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read
166 misc 53 by * none
167    
168 buchan 82
169 misc 53 # MTA
170     # XXX - what else can we add here? Virtual Domains? With which schema?
171 misc 375 access to dn.one="ou=People,<%= dc_suffix %>"
172 misc 53 attrs=@inetLocalMailRecipient,mail
173 misc 375 by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write
174 buchan 212 by users read
175 misc 53
176     # KDE Configuration
177 misc 375 access to dn.sub="ou=KDEConfig,<%= dc_suffix %>"
178     by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write
179 misc 53 by * read
180    
181     # last one
182 misc 375 access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn
183 buchan 212 by users read
184 misc 53

  ViewVC Help
Powered by ViewVC 1.1.30