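# mandriva-dit-access.conf
#
# slapd access control for the Mageia DIT (suffix dc=mageia,dc=org).
# Continuation lines MUST keep their leading whitespace: slapd.conf joins an
# indented line onto the directive above it, so an unindented `by ...` or
# `limit ...` line would be parsed as a separate, invalid directive. Run
# `slaptest -u` after editing.
#
# Evaluation rules this file depends on (slapd.access(5)):
#   - `access` directives are tried in order and the FIRST one whose target
#     (dn + attrs) matches is used, so the specific password/key rules have
#     to stay above the broad per-OU rules further down.
#   - inside a directive the first matching `by` clause wins; `break` sends
#     the requester on to the next matching directive instead of stopping.
#   - privileges nest (none < disclose < auth < compare < search < read <
#     write < manage): every subject granted `write` on a password or key
#     attribute below can also READ the stored hash/key.
#   - once ACLs are present, a target that no directive matches is denied.
#     Plain account data not listed here (objectClass, uidNumber, gidNumber,
#     homeDirectory, loginShell, memberUid, ...) is presumably granted by a
#     companion config file -- confirm before relying on this file alone.

# Unlimited search size/time for the replication and admin groups; every
# other bind keeps the database-wide sizelimit/timelimit.
# NOTE(review): slapd.conf(5) documents the limit specs as bare `size=...` /
# `time=...` after the selector; confirm the deployed slapd accepts the
# leading `limit` word (slaptest will tell) before touching these lines.
limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org"
    limit size=unlimited
    limit time=unlimited

limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org"
    limit size=unlimited
    limit time=unlimited

limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org"
    limit size=unlimited
    limit time=unlimited

# Cross-cutting rule so the two service groups need not be repeated in every
# directive below. LDAP Admins match here for every target and stop (full
# write everywhere, password and key attributes included); LDAP Replicators
# get read on every attribute (a replica presumably has to mirror all of
# them, hashes included); everyone else `break`s on to the specific rules.
access to dn.subtree="dc=mageia,dc=org"
    by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write
    by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read
    by * break

# userPassword access
# shadowLastChange is here because pam_ldap updates it, using the user's own
# credentials, whenever the password is changed -- so it must be writable by
# self. It is world-readable: anyone can see when a password last changed.
access to dn.subtree="dc=mageia,dc=org"
    attrs=shadowLastChange
    by self write
    by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
    by * read
# `anonymous auth` lets an unauthenticated client simple-bind against the
# hash without being able to read it. Because write implies read, Account
# Admins (and self) can read the stored hash. If admins only ever need to
# reset passwords, the write-only privilege `=w` would take that away --
# confirm nothing (e.g. a password-sync overlay) relies on reading it first.
access to dn.subtree="dc=mageia,dc=org"
    attrs=userPassword
    by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
    by self write
    by anonymous auth
    by * none

# kerberos key access
# "by auth" just in case...
# `self write` is what allows the user's own password change to be written
# into krb5Key (presumably by a password-sync overlay -- confirm); it also
# lets the user read their own key material.
access to dn.subtree="dc=mageia,dc=org"
    attrs=krb5Key
    by self write
    by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
    by anonymous auth
    by * none

# password policies: readable by everyone (anonymous included), writable
# only by Account Admins.
access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
    by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
    by * read

# samba password attributes
# `self` is not strictly necessary, because samba uses its own admin user to
# change the password on the user's behalf; it is kept in case something
# updates these hashes with the user's credentials.
# openldap also doesn't auth on these attributes, but maybe some day it will.
# Both values are password-equivalent (pass-the-hash), and sambaLMPassword
# is the legacy LM hash, which is trivially crackable: every subject granted
# `write` here can read them, so keep Account Admins membership small.
access to dn.subtree="dc=mageia,dc=org"
    attrs=sambaLMPassword,sambaNTPassword
    by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
    by anonymous auth
    by self write
    by * none
# password history attributes
# pwdHistory is an operational attribute maintained by the ppolicy overlay
# (clients cannot write it), but the ACL is simpler with it here. Self may
# read the hashes of their own former passwords; everyone else except
# Account Admins gets nothing.
access to dn.subtree="dc=mageia,dc=org"
    attrs=sambaPasswordHistory,pwdHistory
    by self read
    by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
    by * none

# pwdReset, so an admin can force a user to change their password.
# World-readable; only Account Admins can set or clear it.
access to dn.subtree="dc=mageia,dc=org"
    attrs=pwdReset
    by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
    by * read

# group owner (the DN(s) in the group's `owner` attribute) can add/remove/
# edit members of that group.
# This also covers ou=System Groups, i.e. the groups that carry every
# privilege in this file: whoever is made `owner` of e.g. "cn=LDAP Admins"
# can add themselves to it. Only LDAP Admins can set `owner` on a System
# Group (Account Admins get write only under ou=Group, see below), so treat
# naming an owner there as handing out that group's privileges.
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
    attrs=member
    by dnattr=owner write
    by * break

# let the user change some of his/her own contact attributes
access to dn.subtree="ou=People,dc=mageia,dc=org"
    attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber
    by self write
    by * break

# create new accounts: Account Admins may add and delete entries directly
# under ou=People, ou=Group and ou=Hosts (`children` on the OU, `entry` on
# the child).
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
    attrs=children,entry
    by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
    by * break
# access to existing entries: Account Admins get write on every attribute of
# those entries that an earlier rule has not already claimed (the password
# and key rules above win because they come first). That includes any
# posixAccount fields such as uidNumber/gidNumber/loginShell and the group
# `owner` attribute, so Account Admins membership is effectively
# root-equivalent on every host that resolves users from this DIT.
access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$"
    by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
    by * break

# sambaDomainName entry (the pattern also matches the suffix entry itself,
# which is what `children` needs for adding a domain)
access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
    attrs=children,entry,@sambaDomain,@sambaUnixIdPool
    by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
    by * read

# samba ID mapping
access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
    attrs=children,entry,@sambaIdmapEntry
    by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
    by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
    by * read

# global address book
# XXX - which class(es) to use?
# (anchored with `$` like every other dn.regex in this file; the pattern
# covers the OU itself and everything below it, as dn.sub would)
access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org$"
    attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
    by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
    by * read

# dhcp entries
# XXX - open up read access to anybody?
# As written the answer is "yes": the final `by * read` grants everyone,
# anonymous included, read on the whole DHCP tree (dhcpHost, dhcpLeases and
# dhcpLog data included), which makes the "DHCP Readers" clause a no-op. To
# restrict reads to that group change the last clause to `by * none`, after
# making sure the DHCP server's bind DN is a member.
access to dn.sub="ou=dhcp,dc=mageia,dc=org"
    attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
    by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write
    by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read
    by * read

# sudoers
# sudoRole entries are world-readable (presumably so sudo-ldap clients can
# bind anonymously); this also exposes who may run what on which host to
# any anonymous reader.
access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
    attrs=children,entry,@sudoRole
    by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
    by * read

# dns
# The ou=dns container itself is visible to everyone, but zone data below it
# is readable only by DNS Readers/Admins: anyone else, anonymous included,
# gets nothing -- the `by * none` has no `break`, so evaluation stops here
# and the catch-all at the end of the file does not apply to zone entries.
access to dn="ou=dns,dc=mageia,dc=org"
    attrs=entry,@extensibleObject
    by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
    by * read
access to dn.sub="ou=dns,dc=mageia,dc=org"
    attrs=children,entry,@dNSZone
    by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
    by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
    by * none

# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
# Mail routing attributes of every account are world-readable: anyone who
# can bind anonymously can harvest the complete address list.
access to dn.one="ou=People,dc=mageia,dc=org"
    attrs=@inetLocalMailRecipient,mail
    by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
    by * read

# KDE Configuration
access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
    by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write
    by * read

# last one: the existence (`entry`), uid and cn of every entry that reaches
# this point are readable by anyone, anonymous included unless anonymous
# binds are disabled elsewhere (`disallow bind_anon`). This is what lets
# clients resolve names, and it also lets an anonymous client enumerate
# usernames and the DIT layout; use `by users read` instead if that is not
# wanted (check that nothing binds anonymously first).
access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
    by * read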