openldap/templates/mandriva-dit-access.conf

# mandriva-dit-access.conf

limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>"
        limit size=unlimited
        limit time=unlimited

limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>"
        limit size=unlimited
        limit time=unlimited

limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>"
        limit size=unlimited
        limit time=unlimited

# so we don't have to add these to every other acl down there
access to dn.subtree="<%= dc_suffix %>"
        by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write
        by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read
        by * break

# userPassword access
# Allow account registration to write userPassword of unprivileged users accounts
access to dn.subtree="ou=People,<%= dc_suffix %>" 
        filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
        attrs=userPassword
        by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w
        by * +0 break

# shadowLastChange is here because it needs to be writable by the user because
# of pam_ldap, which will update this attr whenever the password is changed.
# And this is done with the user's credentials
access to dn.subtree="<%= dc_suffix %>"
        attrs=shadowLastChange
        by self write
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read
access to dn.subtree="<%= dc_suffix %>"
        attrs=userPassword
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by self write
        by anonymous auth
        by * none

# kerberos key access
# "by auth" just in case...
access to dn.subtree="<%= dc_suffix %>"
        attrs=krb5Key
        by self write
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by anonymous auth
        by * none

# password policies
access to dn.subtree="ou=Password Policies,<%= dc_suffix %>"
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# samba password attributes
# by self not strictly necessary, because samba uses its own admin user to
# change the password on the user's behalf
# openldap also doesn't auth on these attributes, but maybe some day it will
access to dn.subtree="<%= dc_suffix %>"
        attrs=sambaLMPassword,sambaNTPassword
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by anonymous auth
        by self write
        by * none
# password history attribute
# pwdHistory is read-only, but ACL is simplier with it here
access to dn.subtree="<%= dc_suffix %>"
        attrs=sambaPasswordHistory,pwdHistory
        by self read
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by * none

# pwdReset, so the admin can force an user to change a password
access to dn.subtree="<%= dc_suffix %>"
        attrs=pwdReset,pwdAccountLockedTime
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by self read

# group owner can add/remove/edit members to groups
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
        attrs=member,owner
        by dnattr=owner write
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by users +scrx

access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
        attrs=cn,description,objectClass,gidNumber
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# registration - allow registrar group to create basic unprivileged accounts
access to dn.subtree="ou=People,<%= dc_suffix %>" 
        attrs="objectClass" 
        val="inetOrgperson" 
        by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
        by * +0 break

access to dn.subtree="ou=People,<%= dc_suffix %>" 
        filter="(!(objectclass=posixAccount))"
        attrs=cn,sn,gn,mail,entry,children,preferredLanguage
        by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
        by * +0 break

# TODO maybe we should use a group instead of a user here
access to dn.subtree="ou=People,<%= dc_suffix %>" 
        filter="(objectclass=posixAccount)"
        attrs=homeDirectory,cn,uid,loginShell,gidNumber,uidNumber
        by dn.one="ou=Hosts,<%= dc_suffix %>" read
        by * +0 break

# let the user change some of his/her attributes
access to dn.subtree="ou=People,<%= dc_suffix %>"
        attrs=cn,sn,givenName,carLicense,drink,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey
        by self write
        by users read

access to dn.subtree="ou=People,<%= dc_suffix %>"
        attrs=memberOf
        by users read


# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$"
        attrs=children,entry
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by * break
# access to existing entries
access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$"
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by * break

# sambaDomainName entry
access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$"
        attrs=children,entry,@sambaDomain,@sambaUnixIdPool
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# samba ID mapping
access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$"
        attrs=children,entry,@sambaIdmapEntry
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# global address book
# XXX - which class(es) to use?
access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>"
        attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
        by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# dhcp entries
# XXX - open up read access to anybody?
access to dn.sub="ou=dhcp,<%= dc_suffix %>"
        attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
        by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write
        by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read
        by * read

# sudoers
access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$"
        attrs=children,entry,@sudoRole
        by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# dns
access to dn="ou=dns,<%= dc_suffix %>"
        attrs=entry,@extensibleObject
        by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read
access to dn.sub="ou=dns,<%= dc_suffix %>"
        attrs=children,entry,@dNSZone
        by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
        by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read
        by * none


# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
access to dn.one="ou=People,<%= dc_suffix %>"
        attrs=@inetLocalMailRecipient,mail
        by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read

# KDE Configuration
access to dn.sub="ou=KDEConfig,<%= dc_suffix %>"
        by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write
        by * read

# last one
access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn
        by users read

1	misc	53	# mandriva-dit-access.conf
2
3	misc	375	limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>"
4	misc	53	limit size=unlimited
5			limit time=unlimited
6
7	misc	375	limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>"
8	misc	53	limit size=unlimited
9			limit time=unlimited
10
11	misc	375	limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>"
12	misc	53	limit size=unlimited
13			limit time=unlimited
14
15			# so we don't have to add these to every other acl down there
16	misc	375	access to dn.subtree="<%= dc_suffix %>"
17			by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write
18			by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read
19	misc	53	by * break
20
21			# userPassword access
22	buchan	82	# Allow account registration to write userPassword of unprivileged users accounts
23	misc	375	access to dn.subtree="ou=People,<%= dc_suffix %>"
24	buchan	82	filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
25	buchan	877	attrs=userPassword
26			by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w
27	buchan	82	by * +0 break
28
29	misc	53	# shadowLastChange is here because it needs to be writable by the user because
30			# of pam_ldap, which will update this attr whenever the password is changed.
31			# And this is done with the user's credentials
32	misc	375	access to dn.subtree="<%= dc_suffix %>"
33	misc	53	attrs=shadowLastChange
34			by self write
35	misc	375	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
36	buchan	212	by users read
37	misc	375	access to dn.subtree="<%= dc_suffix %>"
38	misc	53	attrs=userPassword
39	misc	375	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
40	misc	53	by self write
41			by anonymous auth
42			by * none
43
44			# kerberos key access
45			# "by auth" just in case...
46	misc	375	access to dn.subtree="<%= dc_suffix %>"
47	misc	53	attrs=krb5Key
48			by self write
49	misc	375	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
50	misc	53	by anonymous auth
51			by * none
52
53			# password policies
54	misc	375	access to dn.subtree="ou=Password Policies,<%= dc_suffix %>"
55			by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
56	buchan	212	by users read
57	misc	53
58			# samba password attributes
59			# by self not strictly necessary, because samba uses its own admin user to
60			# change the password on the user's behalf
61			# openldap also doesn't auth on these attributes, but maybe some day it will
62	misc	375	access to dn.subtree="<%= dc_suffix %>"
63	misc	53	attrs=sambaLMPassword,sambaNTPassword
64	misc	375	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
65	misc	53	by anonymous auth
66			by self write
67			by * none
68			# password history attribute
69			# pwdHistory is read-only, but ACL is simplier with it here
70	misc	375	access to dn.subtree="<%= dc_suffix %>"
71	misc	53	attrs=sambaPasswordHistory,pwdHistory
72			by self read
73	misc	375	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
74	misc	53	by * none
75
76			# pwdReset, so the admin can force an user to change a password
77	misc	375	access to dn.subtree="<%= dc_suffix %>"
78	buchan	82	attrs=pwdReset,pwdAccountLockedTime
79	misc	375	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
80	buchan	212	by self read
81	misc	53
82			# group owner can add/remove/edit members to groups
83	misc	375	access to dn.regex="^cn=[^,]+,ou=(System Groups\|Group),<%= dc_suffix %>$"
84	buchan	1144	attrs=member,owner
85	misc	53	by dnattr=owner write
86	misc	375	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
87	misc	1139	by users +scrx
88	misc	53
89	misc	375	access to dn.regex="^cn=[^,]+,ou=(System Groups\|Group),<%= dc_suffix %>$"
90	buchan	144	attrs=cn,description,objectClass,gidNumber
91	misc	375	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
92	buchan	142	by users read
93
94	buchan	134	# registration - allow registrar group to create basic unprivileged accounts
95	misc	375	access to dn.subtree="ou=People,<%= dc_suffix %>"
96	buchan	134	attrs="objectClass"
97			val="inetOrgperson"
98	misc	375	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
99	buchan	134	by * +0 break
100
101	misc	375	access to dn.subtree="ou=People,<%= dc_suffix %>"
102	buchan	134	filter="(!(objectclass=posixAccount))"
103	buchan	137	attrs=cn,sn,gn,mail,entry,children,preferredLanguage
104	misc	375	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
105	buchan	134	by * +0 break
106
107	misc	376	# TODO maybe we should use a group instead of a user here
108			access to dn.subtree="ou=People,<%= dc_suffix %>"
109			filter="(objectclass=posixAccount)"
110			attrs=homeDirectory,cn,uid,loginShell,gidNumber,uidNumber
111	buchan	392	by dn.one="ou=Hosts,<%= dc_suffix %>" read
112	misc	376	by * +0 break
113
114	misc	53	# let the user change some of his/her attributes
115	misc	375	access to dn.subtree="ou=People,<%= dc_suffix %>"
116	boklm	3050	attrs=cn,sn,givenName,carLicense,drink,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey
117	misc	53	by self write
118	buchan	212	by users read
119	misc	53
120	misc	634	access to dn.subtree="ou=People,<%= dc_suffix %>"
121			attrs=memberOf
122			by users read
123
124
125	misc	53	# create new accounts
126	misc	375	access to dn.regex="^([^,]+,)?ou=(People\|Group\|Hosts),<%= dc_suffix %>$"
127	misc	53	attrs=children,entry
128	misc	375	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
129	misc	53	by * break
130			# access to existing entries
131	misc	375	access to dn.regex="^[^,]+,ou=(People\|Hosts\|Group),<%= dc_suffix %>$"
132			by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
133	misc	53	by * break
134
135			# sambaDomainName entry
136	misc	375	access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$"
137	misc	53	attrs=children,entry,@sambaDomain,@sambaUnixIdPool
138	misc	375	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
139	buchan	212	by users read
140	misc	53
141			# samba ID mapping
142	misc	375	access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$"
143	misc	53	attrs=children,entry,@sambaIdmapEntry
144	misc	375	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
145			by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write
146	buchan	212	by users read
147	misc	53
148			# global address book
149			# XXX - which class(es) to use?
150	misc	375	access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>"
151	misc	53	attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
152	misc	375	by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write
153	buchan	212	by users read
154	misc	53
155			# dhcp entries
156			# XXX - open up read access to anybody?
157	misc	375	access to dn.sub="ou=dhcp,<%= dc_suffix %>"
158	misc	53	attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
159	misc	375	by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write
160			by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read
161	misc	53	by * read
162
163			# sudoers
164	misc	375	access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$"
165	misc	53	attrs=children,entry,@sudoRole
166	misc	375	by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write
167	buchan	212	by users read
168	misc	53
169			# dns
170	misc	375	access to dn="ou=dns,<%= dc_suffix %>"
171	misc	53	attrs=entry,@extensibleObject
172	misc	375	by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
173	buchan	212	by users read
174	misc	375	access to dn.sub="ou=dns,<%= dc_suffix %>"
175	misc	53	attrs=children,entry,@dNSZone
176	misc	375	by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
177			by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read
178	misc	53	by * none
179
180	buchan	82
181	misc	53	# MTA
182			# XXX - what else can we add here? Virtual Domains? With which schema?
183	misc	375	access to dn.one="ou=People,<%= dc_suffix %>"
184	misc	53	attrs=@inetLocalMailRecipient,mail
185	misc	375	by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write
186	buchan	212	by users read
187	misc	53
188			# KDE Configuration
189	misc	375	access to dn.sub="ou=KDEConfig,<%= dc_suffix %>"
190			by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write
191	misc	53	by * read
192
193			# last one
194	misc	375	access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn
195	buchan	212	by users read
196	misc	53