diff options
author | Michael Scherer <misc@mageia.org> | 2010-11-22 02:04:02 +0000 |
---|---|---|
committer | Michael Scherer <misc@mageia.org> | 2010-11-22 02:04:02 +0000 |
commit | a011669f59bacc1460b275ed8593628bf1672b2d (patch) | |
tree | 679681a437597025e783f1b2cc1aa917ee1e327a /modules/openldap | |
parent | d005808b0a87b30d9edc1273cde9dd5f3d1e02f2 (diff) | |
download | puppet-a011669f59bacc1460b275ed8593628bf1672b2d.tar puppet-a011669f59bacc1460b275ed8593628bf1672b2d.tar.gz puppet-a011669f59bacc1460b275ed8593628bf1672b2d.tar.bz2 puppet-a011669f59bacc1460b275ed8593628bf1672b2d.tar.xz puppet-a011669f59bacc1460b275ed8593628bf1672b2d.zip |
- do not hardcode mageia.org in acl
Diffstat (limited to 'modules/openldap')
-rw-r--r-- | modules/openldap/templates/mandriva-dit-access.conf | 114 |
1 files changed, 57 insertions, 57 deletions
diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf index a4d9661a..9a501713 100644 --- a/modules/openldap/templates/mandriva-dit-access.conf +++ b/modules/openldap/templates/mandriva-dit-access.conf @@ -1,184 +1,184 @@ # mandriva-dit-access.conf -limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" +limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" limit size=unlimited limit time=unlimited -limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" +limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" limit size=unlimited limit time=unlimited -limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" +limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" limit size=unlimited limit time=unlimited # so we don't have to add these to every other acl down there -access to dn.subtree="dc=mageia,dc=org" - by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write - by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read +access to dn.subtree="<%= dc_suffix %>" + by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read by * break # userPassword access # Allow account registration to write userPassword of unprivileged users accounts -access to dn.subtree="ou=People,dc=mageia,dc=org" +access to dn.subtree="ou=People,<%= dc_suffix %>" filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))" attrs=userPassword,pwdReset - by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a + by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +a by * +0 break # shadowLastChange is here because it needs to be writable by the user because # of pam_ldap, which will update this attr whenever the password is changed. # And this is done with the user's credentials -access to dn.subtree="dc=mageia,dc=org" +access to dn.subtree="<%= dc_suffix %>" attrs=shadowLastChange by self write - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by users read -access to dn.subtree="dc=mageia,dc=org" +access to dn.subtree="<%= dc_suffix %>" attrs=userPassword - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by self write by anonymous auth by * none # kerberos key access # "by auth" just in case... -access to dn.subtree="dc=mageia,dc=org" +access to dn.subtree="<%= dc_suffix %>" attrs=krb5Key by self write - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by anonymous auth by * none # password policies -access to dn.subtree="ou=Password Policies,dc=mageia,dc=org" - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write +access to dn.subtree="ou=Password Policies,<%= dc_suffix %>" + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by users read # samba password attributes # by self not strictly necessary, because samba uses its own admin user to # change the password on the user's behalf # openldap also doesn't auth on these attributes, but maybe some day it will -access to dn.subtree="dc=mageia,dc=org" +access to dn.subtree="<%= dc_suffix %>" attrs=sambaLMPassword,sambaNTPassword - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by anonymous auth by self write by * none # password history attribute # pwdHistory is read-only, but ACL is simplier with it here -access to dn.subtree="dc=mageia,dc=org" +access to dn.subtree="<%= dc_suffix %>" attrs=sambaPasswordHistory,pwdHistory by self read - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by * none # pwdReset, so the admin can force an user to change a password -access to dn.subtree="dc=mageia,dc=org" +access to dn.subtree="<%= dc_suffix %>" attrs=pwdReset,pwdAccountLockedTime - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by self read # group owner can add/remove/edit members to groups -access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$" +access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" attrs=member by dnattr=owner write - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by users +sx -access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$" +access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" attrs=cn,description,objectClass,gidNumber - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by users read # registration - allow registrar group to create basic unprivileged accounts -access to dn.subtree="ou=People,dc=mageia,dc=org" +access to dn.subtree="ou=People,<%= dc_suffix %>" attrs="objectClass" val="inetOrgperson" - by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx + by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx by * +0 break -access to dn.subtree="ou=People,dc=mageia,dc=org" +access to dn.subtree="ou=People,<%= dc_suffix %>" filter="(!(objectclass=posixAccount))" attrs=cn,sn,gn,mail,entry,children,preferredLanguage - by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx + by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx by * +0 break # let the user change some of his/her attributes -access to dn.subtree="ou=People,dc=mageia,dc=org" +access to dn.subtree="ou=People,<%= dc_suffix %>" attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage by self write by users read # create new accounts -access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$" +access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$" attrs=children,entry - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by * break # access to existing entries -access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$" - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write +access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$" + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by * break # sambaDomainName entry -access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$" +access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$" attrs=children,entry,@sambaDomain,@sambaUnixIdPool - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write by users read # samba ID mapping -access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$" +access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$" attrs=children,entry,@sambaIdmapEntry - by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write - by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write by users read # global address book # XXX - which class(es) to use? -access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org" +access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>" attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList - by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write by users read # dhcp entries # XXX - open up read access to anybody? -access to dn.sub="ou=dhcp,dc=mageia,dc=org" +access to dn.sub="ou=dhcp,<%= dc_suffix %>" attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog - by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write - by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read + by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read by * read # sudoers -access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$" +access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$" attrs=children,entry,@sudoRole - by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write by users read # dns -access to dn="ou=dns,dc=mageia,dc=org" +access to dn="ou=dns,<%= dc_suffix %>" attrs=entry,@extensibleObject - by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write by users read -access to dn.sub="ou=dns,dc=mageia,dc=org" +access to dn.sub="ou=dns,<%= dc_suffix %>" attrs=children,entry,@dNSZone - by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write - by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read + by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read by * none # MTA # XXX - what else can we add here? Virtual Domains? With which schema? -access to dn.one="ou=People,dc=mageia,dc=org" +access to dn.one="ou=People,<%= dc_suffix %>" attrs=@inetLocalMailRecipient,mail - by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write + by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write by users read # KDE Configuration -access to dn.sub="ou=KDEConfig,dc=mageia,dc=org" - by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write +access to dn.sub="ou=KDEConfig,<%= dc_suffix %>" + by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write by * read # last one -access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn +access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn by users read |