/[adm]/puppet/modules/openldap/templates/mandriva-dit-access.conf
ViewVC logotype

Annotation of /puppet/modules/openldap/templates/mandriva-dit-access.conf

Parent Directory Parent Directory | Revision Log Revision Log


Revision 420 - (hide annotations) (download)
Tue Nov 23 13:29:44 2010 UTC (11 years, 2 months ago) by buchan
File size: 7139 byte(s)
Allow users to write their own sshPublicKey, and all users to read it

1 misc 53 # mandriva-dit-access.conf
2    
3 misc 375 limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>"
4 misc 53 limit size=unlimited
5     limit time=unlimited
6    
7 misc 375 limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>"
8 misc 53 limit size=unlimited
9     limit time=unlimited
10    
11 misc 375 limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>"
12 misc 53 limit size=unlimited
13     limit time=unlimited
14    
15     # so we don't have to add these to every other acl down there
16 misc 375 access to dn.subtree="<%= dc_suffix %>"
17     by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write
18     by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read
19 misc 53 by * break
20    
21     # userPassword access
22 buchan 82 # Allow account registration to write userPassword of unprivileged users accounts
23 misc 375 access to dn.subtree="ou=People,<%= dc_suffix %>"
24 buchan 82 filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
25     attrs=userPassword,pwdReset
26 misc 375 by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +a
27 buchan 82 by * +0 break
28    
29 misc 53 # shadowLastChange is here because it needs to be writable by the user because
30     # of pam_ldap, which will update this attr whenever the password is changed.
31     # And this is done with the user's credentials
32 misc 375 access to dn.subtree="<%= dc_suffix %>"
33 misc 53 attrs=shadowLastChange
34     by self write
35 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
36 buchan 212 by users read
37 misc 375 access to dn.subtree="<%= dc_suffix %>"
38 misc 53 attrs=userPassword
39 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
40 misc 53 by self write
41     by anonymous auth
42     by * none
43    
44     # kerberos key access
45     # "by auth" just in case...
46 misc 375 access to dn.subtree="<%= dc_suffix %>"
47 misc 53 attrs=krb5Key
48     by self write
49 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
50 misc 53 by anonymous auth
51     by * none
52    
53     # password policies
54 misc 375 access to dn.subtree="ou=Password Policies,<%= dc_suffix %>"
55     by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
56 buchan 212 by users read
57 misc 53
58     # samba password attributes
59     # by self not strictly necessary, because samba uses its own admin user to
60     # change the password on the user's behalf
61     # openldap also doesn't auth on these attributes, but maybe some day it will
62 misc 375 access to dn.subtree="<%= dc_suffix %>"
63 misc 53 attrs=sambaLMPassword,sambaNTPassword
64 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
65 misc 53 by anonymous auth
66     by self write
67     by * none
68     # password history attribute
69     # pwdHistory is read-only, but ACL is simplier with it here
70 misc 375 access to dn.subtree="<%= dc_suffix %>"
71 misc 53 attrs=sambaPasswordHistory,pwdHistory
72     by self read
73 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
74 misc 53 by * none
75    
76     # pwdReset, so the admin can force an user to change a password
77 misc 375 access to dn.subtree="<%= dc_suffix %>"
78 buchan 82 attrs=pwdReset,pwdAccountLockedTime
79 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
80 buchan 212 by self read
81 misc 53
82     # group owner can add/remove/edit members to groups
83 misc 375 access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
84 misc 53 attrs=member
85     by dnattr=owner write
86 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
87 buchan 142 by users +sx
88 misc 53
89 misc 375 access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
90 buchan 144 attrs=cn,description,objectClass,gidNumber
91 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
92 buchan 142 by users read
93    
94 buchan 134 # registration - allow registrar group to create basic unprivileged accounts
95 misc 375 access to dn.subtree="ou=People,<%= dc_suffix %>"
96 buchan 134 attrs="objectClass"
97     val="inetOrgperson"
98 misc 375 by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
99 buchan 134 by * +0 break
100    
101 misc 375 access to dn.subtree="ou=People,<%= dc_suffix %>"
102 buchan 134 filter="(!(objectclass=posixAccount))"
103 buchan 137 attrs=cn,sn,gn,mail,entry,children,preferredLanguage
104 misc 375 by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
105 buchan 134 by * +0 break
106    
107 misc 376 # TODO maybe we should use a group instead of a user here
108     access to dn.subtree="ou=People,<%= dc_suffix %>"
109     filter="(objectclass=posixAccount)"
110     attrs=homeDirectory,cn,uid,loginShell,gidNumber,uidNumber
111 buchan 392 by dn.one="ou=Hosts,<%= dc_suffix %>" read
112 misc 376 by * +0 break
113    
114 misc 53 # let the user change some of his/her attributes
115 misc 375 access to dn.subtree="ou=People,<%= dc_suffix %>"
116 buchan 420 attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey
117 misc 53 by self write
118 buchan 212 by users read
119 misc 53
120     # create new accounts
121 misc 375 access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$"
122 misc 53 attrs=children,entry
123 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
124 misc 53 by * break
125     # access to existing entries
126 misc 375 access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$"
127     by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
128 misc 53 by * break
129    
130     # sambaDomainName entry
131 misc 375 access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$"
132 misc 53 attrs=children,entry,@sambaDomain,@sambaUnixIdPool
133 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
134 buchan 212 by users read
135 misc 53
136     # samba ID mapping
137 misc 375 access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$"
138 misc 53 attrs=children,entry,@sambaIdmapEntry
139 misc 375 by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
140     by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write
141 buchan 212 by users read
142 misc 53
143     # global address book
144     # XXX - which class(es) to use?
145 misc 375 access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>"
146 misc 53 attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
147 misc 375 by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write
148 buchan 212 by users read
149 misc 53
150     # dhcp entries
151     # XXX - open up read access to anybody?
152 misc 375 access to dn.sub="ou=dhcp,<%= dc_suffix %>"
153 misc 53 attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
154 misc 375 by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write
155     by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read
156 misc 53 by * read
157    
158     # sudoers
159 misc 375 access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$"
160 misc 53 attrs=children,entry,@sudoRole
161 misc 375 by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write
162 buchan 212 by users read
163 misc 53
164     # dns
165 misc 375 access to dn="ou=dns,<%= dc_suffix %>"
166 misc 53 attrs=entry,@extensibleObject
167 misc 375 by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
168 buchan 212 by users read
169 misc 375 access to dn.sub="ou=dns,<%= dc_suffix %>"
170 misc 53 attrs=children,entry,@dNSZone
171 misc 375 by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
172     by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read
173 misc 53 by * none
174    
175 buchan 82
176 misc 53 # MTA
177     # XXX - what else can we add here? Virtual Domains? With which schema?
178 misc 375 access to dn.one="ou=People,<%= dc_suffix %>"
179 misc 53 attrs=@inetLocalMailRecipient,mail
180 misc 375 by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write
181 buchan 212 by users read
182 misc 53
183     # KDE Configuration
184 misc 375 access to dn.sub="ou=KDEConfig,<%= dc_suffix %>"
185     by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write
186 misc 53 by * read
187    
188     # last one
189 misc 375 access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn
190 buchan 212 by users read
191 misc 53

  ViewVC Help
Powered by ViewVC 1.1.28