openldap/templates/mandriva-dit-access.conf

# mandriva-dit-access.conf

limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>"
        limit size=unlimited
        limit time=unlimited

limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>"
        limit size=unlimited
        limit time=unlimited

limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>"
        limit size=unlimited
        limit time=unlimited

# so we don't have to add these to every other acl down there
access to dn.subtree="<%= dc_suffix %>"
        by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write
        by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read
        by * break

# userPassword access
# Allow account registration to write userPassword of unprivileged users accounts
access to dn.subtree="ou=People,<%= dc_suffix %>" 
        filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
        attrs=userPassword
        by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w
        by * +0 break

# shadowLastChange is here because it needs to be writable by the user because
# of pam_ldap, which will update this attr whenever the password is changed.
# And this is done with the user's credentials
access to dn.subtree="<%= dc_suffix %>"
        attrs=shadowLastChange
        by self write
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read
access to dn.subtree="<%= dc_suffix %>"
        attrs=userPassword
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by self write
        by anonymous auth
        by * none

# kerberos key access
# "by auth" just in case...
access to dn.subtree="<%= dc_suffix %>"
        attrs=krb5Key
        by self write
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by anonymous auth
        by * none

# password policies
access to dn.subtree="ou=Password Policies,<%= dc_suffix %>"
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# samba password attributes
# by self not strictly necessary, because samba uses its own admin user to
# change the password on the user's behalf
# openldap also doesn't auth on these attributes, but maybe some day it will
access to dn.subtree="<%= dc_suffix %>"
        attrs=sambaLMPassword,sambaNTPassword
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by anonymous auth
        by self write
        by * none
# password history attribute
# pwdHistory is read-only, but ACL is simplier with it here
access to dn.subtree="<%= dc_suffix %>"
        attrs=sambaPasswordHistory,pwdHistory
        by self read
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by * none

# pwdReset, so the admin can force an user to change a password
access to dn.subtree="<%= dc_suffix %>"
        attrs=pwdReset,pwdAccountLockedTime
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by self read

# group owner can add/remove/edit members to groups
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
        attrs=member,owner
        by dnattr=owner write
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by users +scrx

access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
        attrs=cn,description,objectClass,gidNumber
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# registration - allow registrar group to create basic unprivileged accounts
access to dn.subtree="ou=People,<%= dc_suffix %>" 
        attrs="objectClass" 
        val="inetOrgperson" 
        by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
        by * +0 break

access to dn.subtree="ou=People,<%= dc_suffix %>" 
        filter="(!(objectclass=posixAccount))"
        attrs=cn,sn,gn,mail,entry,children,preferredLanguage
        by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
        by * +0 break

# TODO maybe we should use a group instead of a user here
access to dn.subtree="ou=People,<%= dc_suffix %>" 
        filter="(objectclass=posixAccount)"
        attrs=homeDirectory,cn,uid,loginShell,gidNumber,uidNumber
        by dn.one="ou=Hosts,<%= dc_suffix %>" read
        by * +0 break

# let the user change some of his/her attributes
access to dn.subtree="ou=People,<%= dc_suffix %>"
        attrs=cn,sn,givenName,carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey
        by self write
        by users read

access to dn.subtree="ou=People,<%= dc_suffix %>"
        attrs=memberOf
        by users read


# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$"
        attrs=children,entry
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by * break
# access to existing entries
access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$"
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by * break

# sambaDomainName entry
access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$"
        attrs=children,entry,@sambaDomain,@sambaUnixIdPool
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# samba ID mapping
access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$"
        attrs=children,entry,@sambaIdmapEntry
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# global address book
# XXX - which class(es) to use?
access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>"
        attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
        by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# dhcp entries
# XXX - open up read access to anybody?
access to dn.sub="ou=dhcp,<%= dc_suffix %>"
        attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
        by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write
        by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read
        by * read

# sudoers
access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$"
        attrs=children,entry,@sudoRole
        by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# dns
access to dn="ou=dns,<%= dc_suffix %>"
        attrs=entry,@extensibleObject
        by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read
access to dn.sub="ou=dns,<%= dc_suffix %>"
        attrs=children,entry,@dNSZone
        by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
        by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read
        by * none


# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
access to dn.one="ou=People,<%= dc_suffix %>"
        attrs=@inetLocalMailRecipient,mail
        by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# KDE Configuration
access to dn.sub="ou=KDEConfig,<%= dc_suffix %>"
        by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write
        by * read

# last one
access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn
        by users read

1	# mandriva-dit-access.conf
2
3	limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>"
4	limit size=unlimited
5	limit time=unlimited
6
7	limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>"
8	limit size=unlimited
9	limit time=unlimited
10
11	limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>"
12	limit size=unlimited
13	limit time=unlimited
14
15	# so we don't have to add these to every other acl down there
16	access to dn.subtree="<%= dc_suffix %>"
17	by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write
18	by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read
19	by * break
20
21	# userPassword access
22	# Allow account registration to write userPassword of unprivileged users accounts
23	access to dn.subtree="ou=People,<%= dc_suffix %>"
24	filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
25	attrs=userPassword
26	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w
27	by * +0 break
28
29	# shadowLastChange is here because it needs to be writable by the user because
30	# of pam_ldap, which will update this attr whenever the password is changed.
31	# And this is done with the user's credentials
32	access to dn.subtree="<%= dc_suffix %>"
33	attrs=shadowLastChange
34	by self write
35	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
36	by users read
37	access to dn.subtree="<%= dc_suffix %>"
38	attrs=userPassword
39	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
40	by self write
41	by anonymous auth
42	by * none
43
44	# kerberos key access
45	# "by auth" just in case...
46	access to dn.subtree="<%= dc_suffix %>"
47	attrs=krb5Key
48	by self write
49	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
50	by anonymous auth
51	by * none
52
53	# password policies
54	access to dn.subtree="ou=Password Policies,<%= dc_suffix %>"
55	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
56	by users read
57
58	# samba password attributes
59	# by self not strictly necessary, because samba uses its own admin user to
60	# change the password on the user's behalf
61	# openldap also doesn't auth on these attributes, but maybe some day it will
62	access to dn.subtree="<%= dc_suffix %>"
63	attrs=sambaLMPassword,sambaNTPassword
64	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
65	by anonymous auth
66	by self write
67	by * none
68	# password history attribute
69	# pwdHistory is read-only, but ACL is simplier with it here
70	access to dn.subtree="<%= dc_suffix %>"
71	attrs=sambaPasswordHistory,pwdHistory
72	by self read
73	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
74	by * none
75
76	# pwdReset, so the admin can force an user to change a password
77	access to dn.subtree="<%= dc_suffix %>"
78	attrs=pwdReset,pwdAccountLockedTime
79	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
80	by self read
81
82	# group owner can add/remove/edit members to groups
83	access to dn.regex="^cn=[^,]+,ou=(System Groups\|Group),<%= dc_suffix %>$"
84	attrs=member,owner
85	by dnattr=owner write
86	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
87	by users +scrx
88
89	access to dn.regex="^cn=[^,]+,ou=(System Groups\|Group),<%= dc_suffix %>$"
90	attrs=cn,description,objectClass,gidNumber
91	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
92	by users read
93
94	# registration - allow registrar group to create basic unprivileged accounts
95	access to dn.subtree="ou=People,<%= dc_suffix %>"
96	attrs="objectClass"
97	val="inetOrgperson"
98	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
99	by * +0 break
100
101	access to dn.subtree="ou=People,<%= dc_suffix %>"
102	filter="(!(objectclass=posixAccount))"
103	attrs=cn,sn,gn,mail,entry,children,preferredLanguage
104	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
105	by * +0 break
106
107	# TODO maybe we should use a group instead of a user here
108	access to dn.subtree="ou=People,<%= dc_suffix %>"
109	filter="(objectclass=posixAccount)"
110	attrs=homeDirectory,cn,uid,loginShell,gidNumber,uidNumber
111	by dn.one="ou=Hosts,<%= dc_suffix %>" read
112	by * +0 break
113
114	# let the user change some of his/her attributes
115	access to dn.subtree="ou=People,<%= dc_suffix %>"
116	attrs=cn,sn,givenName,carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey
117	by self write
118	by users read
119
120	access to dn.subtree="ou=People,<%= dc_suffix %>"
121	attrs=memberOf
122	by users read
123
124
125	# create new accounts
126	access to dn.regex="^([^,]+,)?ou=(People\|Group\|Hosts),<%= dc_suffix %>$"
127	attrs=children,entry
128	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
129	by * break
130	# access to existing entries
131	access to dn.regex="^[^,]+,ou=(People\|Hosts\|Group),<%= dc_suffix %>$"
132	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
133	by * break
134
135	# sambaDomainName entry
136	access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$"
137	attrs=children,entry,@sambaDomain,@sambaUnixIdPool
138	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
139	by users read
140
141	# samba ID mapping
142	access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$"
143	attrs=children,entry,@sambaIdmapEntry
144	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
145	by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write
146	by users read
147
148	# global address book
149	# XXX - which class(es) to use?
150	access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>"
151	attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
152	by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write
153	by users read
154
155	# dhcp entries
156	# XXX - open up read access to anybody?
157	access to dn.sub="ou=dhcp,<%= dc_suffix %>"
158	attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
159	by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write
160	by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read
161	by * read
162
163	# sudoers
164	access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$"
165	attrs=children,entry,@sudoRole
166	by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write
167	by users read
168
169	# dns
170	access to dn="ou=dns,<%= dc_suffix %>"
171	attrs=entry,@extensibleObject
172	by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
173	by users read
174	access to dn.sub="ou=dns,<%= dc_suffix %>"
175	attrs=children,entry,@dNSZone
176	by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
177	by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read
178	by * none
179
180
181	# MTA
182	# XXX - what else can we add here? Virtual Domains? With which schema?
183	access to dn.one="ou=People,<%= dc_suffix %>"
184	attrs=@inetLocalMailRecipient,mail
185	by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write
186	by users read
187
188	# KDE Configuration
189	access to dn.sub="ou=KDEConfig,<%= dc_suffix %>"
190	by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write
191	by * read
192
193	# last one
194	access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn
195	by users read
196