# mandriva-dit-access.conf |
limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" |
limit size=unlimited |
limit time=unlimited |
limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" |
limit size=unlimited |
limit time=unlimited |
limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" |
limit size=unlimited |
limit time=unlimited |
# granted here so we don't have to repeat these in every other ACL further down
access to dn.subtree="<%= dc_suffix %>" |
by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write |
by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read |
by * break |
# userPassword access |
# Allow the registrar group to add userPassword/pwdReset values on unprivileged (non-posixAccount) user accounts
access to dn.subtree="ou=People,<%= dc_suffix %>" |
filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))" |
attrs=userPassword,pwdReset |
by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +a |
by * +0 break |
# shadowLastChange is here because it needs to be writable by the user because |
# of pam_ldap, which will update this attr whenever the password is changed. |
# And this is done with the user's credentials |
access to dn.subtree="<%= dc_suffix %>" |
attrs=shadowLastChange |
by self write |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by users read |
access to dn.subtree="<%= dc_suffix %>" |
attrs=userPassword |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by self write |
by anonymous auth |
by * none |
# kerberos key access |
# "by auth" just in case... |
access to dn.subtree="<%= dc_suffix %>" |
attrs=krb5Key |
by self write |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by anonymous auth |
by * none |
# password policies |
access to dn.subtree="ou=Password Policies,<%= dc_suffix %>" |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by users read |
# samba password attributes |
# by self not strictly necessary, because samba uses its own admin user to |
# change the password on the user's behalf |
# openldap also doesn't auth on these attributes, but maybe some day it will |
access to dn.subtree="<%= dc_suffix %>" |
attrs=sambaLMPassword,sambaNTPassword |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by anonymous auth |
by self write |
by * none |
# password history attribute |
# pwdHistory is read-only, but the ACL is simpler with it here
access to dn.subtree="<%= dc_suffix %>" |
attrs=sambaPasswordHistory,pwdHistory |
by self read |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by * none |
# pwdReset, so the admin can force a user to change their password
access to dn.subtree="<%= dc_suffix %>" |
attrs=pwdReset,pwdAccountLockedTime |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by self read |
# group owners can add/remove/edit members of their groups
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" |
attrs=member |
by dnattr=owner write |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by users +sx |
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" |
attrs=cn,description,objectClass,gidNumber |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by users read |
# registration - allow registrar group to create basic unprivileged accounts |
access to dn.subtree="ou=People,<%= dc_suffix %>" |
attrs="objectClass" |
val="inetOrgperson" |
by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx |
by * +0 break |
access to dn.subtree="ou=People,<%= dc_suffix %>" |
filter="(!(objectclass=posixAccount))" |
attrs=cn,sn,gn,mail,entry,children,preferredLanguage |
by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx |
by * +0 break |
# let users change some of their own attributes
access to dn.subtree="ou=People,<%= dc_suffix %>" |
attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage |
by self write |
by users read |
# create new accounts |
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$" |
attrs=children,entry |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by * break |
# access to existing entries |
access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$" |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by * break |
# sambaDomainName entry |
access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$" |
attrs=children,entry,@sambaDomain,@sambaUnixIdPool |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by users read |
# samba ID mapping |
access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$" |
attrs=children,entry,@sambaIdmapEntry |
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write |
by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write |
by users read |
# global address book |
# XXX - which class(es) to use? |
access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>" |
attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList |
by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write |
by users read |
# dhcp entries |
# XXX - read access is currently open to anybody (the "by * read" below also matches anonymous binds); is that intended?
access to dn.sub="ou=dhcp,<%= dc_suffix %>" |
attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog |
by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write |
by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read |
by * read |
# sudoers |
access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$" |
attrs=children,entry,@sudoRole |
by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write |
by users read |
# dns |
access to dn="ou=dns,<%= dc_suffix %>" |
attrs=entry,@extensibleObject |
by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write |
by users read |
access to dn.sub="ou=dns,<%= dc_suffix %>" |
attrs=children,entry,@dNSZone |
by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write |
by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read |
by * none |
# MTA |
# XXX - what else can we add here? Virtual Domains? With which schema? |
access to dn.one="ou=People,<%= dc_suffix %>" |
attrs=@inetLocalMailRecipient,mail |
by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write |
by users read |
# KDE Configuration (readable by anybody, including anonymous binds, via the "by * read" below)
access to dn.sub="ou=KDEConfig,<%= dc_suffix %>" |
by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write |
by * read |
# last one: catch-all giving authenticated users read access to entry, uid and cn
access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn |
by users read |