
Contents of /puppet/modules/openldap/templates/mandriva-dit-access.conf



Revision 53 - (show annotations) (download)
Thu Oct 28 22:55:56 2010 UTC (13 years, 11 months ago) by misc
File size: 5616 byte(s)
- deploy ldap with puppet on valstar

1 # mandriva-dit-access.conf
# slapd access-control rules (slapd.conf "access to ... by ..." syntax) for the
# dc=mageia,dc=org directory. Directives are evaluated top to bottom: the first
# "access to" clause that matches the target decides, unless the matching "by"
# clause says "break", which lets evaluation fall through to the next directive.
# Within one directive the first matching "by" clause wins, so clause order
# matters. NOTE(review): attributes that no directive below names fall back to
# slapd's default policy -- confirm that fallback is the intended one for the
# remaining posixAccount/person attributes, since they are not listed here.
2
3 limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org"
4 limit size=unlimited
5 limit time=unlimited
6
7 limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org"
8 limit size=unlimited
9 limit time=unlimited
10
11 limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org"
12 limit size=unlimited
13 limit time=unlimited
14
15 # so we don't have to add these to every other acl down there
# LDAP Admins get write and LDAP Replicators get read on the whole tree;
# everybody else falls through ("break") to the more specific rules below.
16 access to dn.subtree="dc=mageia,dc=org"
17 by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write
18 by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read
19 by * break
20
21 # userPassword access
22 # shadowLastChange is here because it needs to be writable by the user because
23 # of pam_ldap, which will update this attr whenever the password is changed.
24 # And this is done with the user's credentials
# NOTE(review): "by * read" on shadowLastChange also covers anonymous binds,
# so the date of every user's last password change is world-readable here.
25 access to dn.subtree="dc=mageia,dc=org"
26 attrs=shadowLastChange
27 by self write
28 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
29 by * read
# userPassword: "auth" lets an anonymous client use the attribute for a bind
# (simple bind / compare) without reading it; every other identity gets none.
30 access to dn.subtree="dc=mageia,dc=org"
31 attrs=userPassword
32 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
33 by self write
34 by anonymous auth
35 by * none
36
37 # kerberos key access
38 # "by auth" just in case...
# Same shape as userPassword: the user may replace their own krb5Key, Account
# Admins may write it, nobody else can read it.
39 access to dn.subtree="dc=mageia,dc=org"
40 attrs=krb5Key
41 by self write
42 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
43 by anonymous auth
44 by * none
45
46 # password policies
# ppolicy entries are world-readable; only Account Admins may edit them.
47 access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
48 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
49 by * read
50
51 # samba password attributes
52 # by self not strictly necessary, because samba uses its own admin user to
53 # change the password on the user's behalf
54 # openldap also doesn't auth on these attributes, but maybe some day it will
# "by anonymous auth" is listed before "by self write"; that is fine because a
# bound user is not anonymous, so the self clause still matches for them.
55 access to dn.subtree="dc=mageia,dc=org"
56 attrs=sambaLMPassword,sambaNTPassword
57 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
58 by anonymous auth
59 by self write
60 by * none
61 # password history attribute
62 # pwdHistory is read-only, but the ACL is simpler with it here
63 access to dn.subtree="dc=mageia,dc=org"
64 attrs=sambaPasswordHistory,pwdHistory
65 by self read
66 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
67 by * none
68
69 # pwdReset, so the admin can force a user to change a password
70 access to dn.subtree="dc=mageia,dc=org"
71 attrs=pwdReset
72 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
73 by * read
74
75 # group owner can add/remove/edit members to groups
# dnattr=owner grants write on "member" to whichever DNs the group entry lists
# in its owner attribute; everyone else falls through to the rules below.
76 access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
77 attrs=member
78 by dnattr=owner write
79 by * break
80
81 # let the user change some of his/her attributes
82 access to dn.subtree="ou=People,dc=mageia,dc=org"
83 attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber
84 by self write
85 by * break
86
87 # create new accounts
# "children" on the ou and "entry" on the new object are what an add/delete
# needs; the optional leading RDN makes one regex cover both the ou itself
# and its direct children.
88 access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
89 attrs=children,entry
90 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
91 by * break
92 # access to existing entries
93 access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$"
94 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
95 by * break
96
97 # sambaDomainName entry
98 access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
99 attrs=children,entry,@sambaDomain,@sambaUnixIdPool
100 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
101 by * read
102
103 # samba ID mapping
104 access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
105 attrs=children,entry,@sambaIdmapEntry
106 by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
107 by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
108 by * read
109
110 # global address book
111 # XXX - which class(es) to use?
# NOTE(review): this is the only dn.regex in the file without a trailing "$";
# presumably harmless, since every DN in this DIT ends in dc=mageia,dc=org,
# but anchoring it like the others would make the intent explicit.
112 access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org"
113 attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
114 by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
115 by * read
116
117 # dhcp entries
118 # XXX - open up read access to anybody?
# As written, "by * read" already answers the question above: anyone,
# including anonymous binds, can read the dhcp subtree, which makes the
# DHCP Readers clause redundant. Drop the "by * read" line if the readers
# group was meant to be the only non-admin reader.
119 access to dn.sub="ou=dhcp,dc=mageia,dc=org"
120 attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
121 by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write
122 by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read
123 by * read
124
125 # sudoers
# sudoRole entries are world-readable so that sudo-ldap clients can fetch them.
126 access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
127 attrs=children,entry,@sudoRole
128 by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
129 by * read
130
131 # dns
# The ou=dns container itself is world-readable, but zone data below it is
# restricted to DNS Admins (write) and DNS Readers (read); "by * none"
# closes it to everyone else, unlike the dhcp subtree above.
132 access to dn="ou=dns,dc=mageia,dc=org"
133 attrs=entry,@extensibleObject
134 by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
135 by * read
136 access to dn.sub="ou=dns,dc=mageia,dc=org"
137 attrs=children,entry,@dNSZone
138 by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
139 by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
140 by * none
141
142 # MTA
143 # XXX - what else can we add here? Virtual Domains? With which schema?
# dn.one: only direct children of ou=People, i.e. the user entries themselves.
144 access to dn.one="ou=People,dc=mageia,dc=org"
145 attrs=@inetLocalMailRecipient,mail
146 by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
147 by * read
148
149 # KDE Configuration
150 access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
151 by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write
152 by * read
153
154 # last one
# Catch-all for what the rules above fell through on: entry, uid and cn of
# every object are readable by anyone, anonymous included. NOTE(review): that
# lets unauthenticated clients enumerate account names across the whole DIT;
# confirm this is required (e.g. by nss lookups) rather than an oversight.
155 access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
156 by * read
157
