/[adm]/puppet/modules/openldap/templates/mandriva-dit-access.conf
ViewVC logotype

Contents of /puppet/modules/openldap/templates/mandriva-dit-access.conf

Parent Directory Parent Directory | Revision Log Revision Log

Revision 212 - (show annotations) (download)
Tue Nov 9 14:25:10 2010 UTC (13 years, 5 months ago) by buchan
File size: 6861 byte(s) 
Close more anon access, and open up read access to some inetOrgPerson attrs to users
1 # mandriva-dit-access.conf
2
3 limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org"
4 limit size=unlimited
5 limit time=unlimited
6
7 limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org"
8 limit size=unlimited
9 limit time=unlimited
10
11 limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org"
12 limit size=unlimited
13 limit time=unlimited
14
15 # so we don't have to add these to every other acl down there
16 access to dn.subtree="dc=mageia,dc=org"
17 by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write
18 by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read
19 by * break
20
21 # userPassword access
22 # Allow account registration to write userPassword of unprivileged users accounts
23 access to dn.subtree="ou=People,dc=mageia,dc=org"
24 filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
25 attrs=userPassword,pwdReset
26 by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a
27 by * +0 break
28
29 # shadowLastChange is here because it needs to be writable by the user because
30 # of pam_ldap, which will update this attr whenever the password is changed.
31 # And this is done with the user's credentials
32 access to dn.subtree="dc=mageia,dc=org"
33 attrs=shadowLastChange
34 by self write
35 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
36 by users read
37 access to dn.subtree="dc=mageia,dc=org"
38 attrs=userPassword
39 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
40 by self write
41 by anonymous auth
42 by * none
43
44 # kerberos key access
45 # "by auth" just in case...
46 access to dn.subtree="dc=mageia,dc=org"
47 attrs=krb5Key
48 by self write
49 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
50 by anonymous auth
51 by * none
52
53 # password policies
54 access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
55 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
56 by users read
57
58 # samba password attributes
59 # by self not strictly necessary, because samba uses its own admin user to
60 # change the password on the user's behalf
61 # openldap also doesn't auth on these attributes, but maybe some day it will
62 access to dn.subtree="dc=mageia,dc=org"
63 attrs=sambaLMPassword,sambaNTPassword
64 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
65 by anonymous auth
66 by self write
67 by * none
68 # password history attribute
69 # pwdHistory is read-only, but ACL is simplier with it here
70 access to dn.subtree="dc=mageia,dc=org"
71 attrs=sambaPasswordHistory,pwdHistory
72 by self read
73 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
74 by * none
75
76 # pwdReset, so the admin can force an user to change a password
77 access to dn.subtree="dc=mageia,dc=org"
78 attrs=pwdReset,pwdAccountLockedTime
79 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
80 by self read
81
82 # group owner can add/remove/edit members to groups
83 access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
84 attrs=member
85 by dnattr=owner write
86 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
87 by users +sx
88
89 access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
90 attrs=cn,description,objectClass,gidNumber
91 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
92 by users read
93
94 # registration - allow registrar group to create basic unprivileged accounts
95 access to dn.subtree="ou=People,dc=mageia,dc=org"
96 attrs="objectClass"
97 val="inetOrgperson"
98 by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx
99 by * +0 break
100
101 access to dn.subtree="ou=People,dc=mageia,dc=org"
102 filter="(!(objectclass=posixAccount))"
103 attrs=cn,sn,gn,mail,entry,children,preferredLanguage
104 by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx
105 by * +0 break
106
107 # let the user change some of his/her attributes
108 access to dn.subtree="ou=People,dc=mageia,dc=org"
109 attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
110 by self write
111 by users read
112
113 # create new accounts
114 access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
115 attrs=children,entry
116 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
117 by * break
118 # access to existing entries
119 access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$"
120 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
121 by * break
122
123 # sambaDomainName entry
124 access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
125 attrs=children,entry,@sambaDomain,@sambaUnixIdPool
126 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
127 by users read
128
129 # samba ID mapping
130 access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
131 attrs=children,entry,@sambaIdmapEntry
132 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
133 by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
134 by users read
135
136 # global address book
137 # XXX - which class(es) to use?
138 access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org"
139 attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
140 by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
141 by users read
142
143 # dhcp entries
144 # XXX - open up read access to anybody?
145 access to dn.sub="ou=dhcp,dc=mageia,dc=org"
146 attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
147 by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write
148 by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read
149 by * read
150
151 # sudoers
152 access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
153 attrs=children,entry,@sudoRole
154 by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
155 by users read
156
157 # dns
158 access to dn="ou=dns,dc=mageia,dc=org"
159 attrs=entry,@extensibleObject
160 by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
161 by users read
162 access to dn.sub="ou=dns,dc=mageia,dc=org"
163 attrs=children,entry,@dNSZone
164 by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
165 by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
166 by * none
167
168
169 # MTA
170 # XXX - what else can we add here? Virtual Domains? With which schema?
171 access to dn.one="ou=People,dc=mageia,dc=org"
172 attrs=@inetLocalMailRecipient,mail
173 by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
174 by users read
175
176 # KDE Configuration
177 access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
178 by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write
179 by * read
180
181 # last one
182 access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
183 by users read
184
  ViewVC Help
Powered by ViewVC 1.1.30