- deploy ldap with puppet on valstar

1 files changed, 157 insertions, 0 deletions

diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf
new file mode 100644
index 00000000..0cbeb746
--- /dev/null
+++ b/modules/openldap/templates/mandriva-dit-access.conf
@@ -0,0 +1,157 @@
+# mandriva-dit-access.conf
+
+limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org"
+	limit size=unlimited
+	limit time=unlimited
+
+limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org"
+	limit size=unlimited
+	limit time=unlimited
+
+limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org"
+	limit size=unlimited
+	limit time=unlimited
+
+# so we don't have to add these to every other acl down there
+access to dn.subtree="dc=mageia,dc=org"
+	by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write
+	by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read
+	by * break
+
+# userPassword access
+# shadowLastChange is here because it needs to be writable by the user because
+# of pam_ldap, which will update this attr whenever the password is changed.
+# And this is done with the user's credentials
+access to dn.subtree="dc=mageia,dc=org"
+        attrs=shadowLastChange
+        by self write
+        by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+        by * read
+access to dn.subtree="dc=mageia,dc=org"
+	attrs=userPassword
+	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+	by self write
+	by anonymous auth
+	by * none
+
+# kerberos key access
+# "by auth" just in case...
+access to dn.subtree="dc=mageia,dc=org"
+        attrs=krb5Key
+        by self write
+        by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+        by anonymous auth
+        by * none
+
+# password policies
+access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
+	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+	by * read
+
+# samba password attributes
+# by self not strictly necessary, because samba uses its own admin user to
+# change the password on the user's behalf
+# openldap also doesn't auth on these attributes, but maybe some day it will
+access to dn.subtree="dc=mageia,dc=org"
+	attrs=sambaLMPassword,sambaNTPassword
+	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+	by anonymous auth
+	by self write
+	by * none
+# password history attribute
+# pwdHistory is read-only, but ACL is simplier with it here
+access to dn.subtree="dc=mageia,dc=org"
+	attrs=sambaPasswordHistory,pwdHistory
+	by self read
+	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+	by * none
+
+# pwdReset, so the admin can force an user to change a password
+access to dn.subtree="dc=mageia,dc=org"
+	attrs=pwdReset
+	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+	by * read
+
+# group owner can add/remove/edit members to groups
+access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
+	attrs=member
+	by dnattr=owner write
+	by * break
+
+# let the user change some of his/her attributes
+access to dn.subtree="ou=People,dc=mageia,dc=org"
+	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber
+	by self write
+	by * break
+
+# create new accounts
+access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
+	attrs=children,entry
+	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+	by * break
+# access to existing entries
+access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$"
+	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+	by * break
+
+# sambaDomainName entry
+access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
+	attrs=children,entry,@sambaDomain,@sambaUnixIdPool
+	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+	by * read
+
+# samba ID mapping
+access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
+	attrs=children,entry,@sambaIdmapEntry
+	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+	by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
+	by * read
+
+# global address book
+# XXX - which class(es) to use?
+access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org"
+	attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
+	by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
+	by * read
+
+# dhcp entries
+# XXX - open up read access to anybody?
+access to dn.sub="ou=dhcp,dc=mageia,dc=org"
+	attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
+	by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write
+	by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read
+	by * read
+
+# sudoers
+access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
+	attrs=children,entry,@sudoRole
+	by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
+	by * read
+
+# dns
+access to dn="ou=dns,dc=mageia,dc=org"
+	attrs=entry,@extensibleObject
+	by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
+	by * read
+access to dn.sub="ou=dns,dc=mageia,dc=org"
+	attrs=children,entry,@dNSZone
+	by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
+	by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
+	by * none
+
+# MTA
+# XXX - what else can we add here? Virtual Domains? With which schema?
+access to dn.one="ou=People,dc=mageia,dc=org"
+	attrs=@inetLocalMailRecipient,mail
+	by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
+	by * read
+
+# KDE Configuration
+access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
+	by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write
+	by * read
+
+# last one
+access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
+	by * read
+