aboutsummaryrefslogtreecommitdiffstats
path: root/modules/openldap
diff options
context:
space:
mode:
authorMichael Scherer <misc@mageia.org>2010-11-22 02:04:02 +0000
committerMichael Scherer <misc@mageia.org>2010-11-22 02:04:02 +0000
commita011669f59bacc1460b275ed8593628bf1672b2d (patch)
tree679681a437597025e783f1b2cc1aa917ee1e327a /modules/openldap
parentd005808b0a87b30d9edc1273cde9dd5f3d1e02f2 (diff)
downloadpuppet-a011669f59bacc1460b275ed8593628bf1672b2d.tar
puppet-a011669f59bacc1460b275ed8593628bf1672b2d.tar.gz
puppet-a011669f59bacc1460b275ed8593628bf1672b2d.tar.bz2
puppet-a011669f59bacc1460b275ed8593628bf1672b2d.tar.xz
puppet-a011669f59bacc1460b275ed8593628bf1672b2d.zip
- do not hardcode mageia.org in acl
Diffstat (limited to 'modules/openldap')
-rw-r--r--modules/openldap/templates/mandriva-dit-access.conf114
1 files changed, 57 insertions, 57 deletions
diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf
index a4d9661a..9a501713 100644
--- a/modules/openldap/templates/mandriva-dit-access.conf
+++ b/modules/openldap/templates/mandriva-dit-access.conf
@@ -1,184 +1,184 @@
# mandriva-dit-access.conf
-limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org"
+limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>"
limit size=unlimited
limit time=unlimited
-limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org"
+limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>"
limit size=unlimited
limit time=unlimited
-limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org"
+limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>"
limit size=unlimited
limit time=unlimited
# so we don't have to add these to every other acl down there
-access to dn.subtree="dc=mageia,dc=org"
- by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write
- by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read
+access to dn.subtree="<%= dc_suffix %>"
+ by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write
+ by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read
by * break
# userPassword access
# Allow account registration to write userPassword of unprivileged users accounts
-access to dn.subtree="ou=People,dc=mageia,dc=org"
+access to dn.subtree="ou=People,<%= dc_suffix %>"
filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
attrs=userPassword,pwdReset
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +a
by * +0 break
# shadowLastChange is here because it needs to be writable by the user because
# of pam_ldap, which will update this attr whenever the password is changed.
# And this is done with the user's credentials
-access to dn.subtree="dc=mageia,dc=org"
+access to dn.subtree="<%= dc_suffix %>"
attrs=shadowLastChange
by self write
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
-access to dn.subtree="dc=mageia,dc=org"
+access to dn.subtree="<%= dc_suffix %>"
attrs=userPassword
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by self write
by anonymous auth
by * none
# kerberos key access
# "by auth" just in case...
-access to dn.subtree="dc=mageia,dc=org"
+access to dn.subtree="<%= dc_suffix %>"
attrs=krb5Key
by self write
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by anonymous auth
by * none
# password policies
-access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+access to dn.subtree="ou=Password Policies,<%= dc_suffix %>"
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# samba password attributes
# by self not strictly necessary, because samba uses its own admin user to
# change the password on the user's behalf
# openldap also doesn't auth on these attributes, but maybe some day it will
-access to dn.subtree="dc=mageia,dc=org"
+access to dn.subtree="<%= dc_suffix %>"
attrs=sambaLMPassword,sambaNTPassword
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by anonymous auth
by self write
by * none
# password history attribute
# pwdHistory is read-only, but ACL is simplier with it here
-access to dn.subtree="dc=mageia,dc=org"
+access to dn.subtree="<%= dc_suffix %>"
attrs=sambaPasswordHistory,pwdHistory
by self read
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by * none
# pwdReset, so the admin can force an user to change a password
-access to dn.subtree="dc=mageia,dc=org"
+access to dn.subtree="<%= dc_suffix %>"
attrs=pwdReset,pwdAccountLockedTime
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by self read
# group owner can add/remove/edit members to groups
-access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
+access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
attrs=member
by dnattr=owner write
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users +sx
-access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
+access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
attrs=cn,description,objectClass,gidNumber
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# registration - allow registrar group to create basic unprivileged accounts
-access to dn.subtree="ou=People,dc=mageia,dc=org"
+access to dn.subtree="ou=People,<%= dc_suffix %>"
attrs="objectClass"
val="inetOrgperson"
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
by * +0 break
-access to dn.subtree="ou=People,dc=mageia,dc=org"
+access to dn.subtree="ou=People,<%= dc_suffix %>"
filter="(!(objectclass=posixAccount))"
attrs=cn,sn,gn,mail,entry,children,preferredLanguage
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
by * +0 break
# let the user change some of his/her attributes
-access to dn.subtree="ou=People,dc=mageia,dc=org"
+access to dn.subtree="ou=People,<%= dc_suffix %>"
attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
by self write
by users read
# create new accounts
-access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
+access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$"
attrs=children,entry
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by * break
# access to existing entries
-access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$"
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$"
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by * break
# sambaDomainName entry
-access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
+access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$"
attrs=children,entry,@sambaDomain,@sambaUnixIdPool
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# samba ID mapping
-access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
+access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$"
attrs=children,entry,@sambaIdmapEntry
- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+ by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# global address book
# XXX - which class(es) to use?
-access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org"
+access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>"
attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
- by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# dhcp entries
# XXX - open up read access to anybody?
-access to dn.sub="ou=dhcp,dc=mageia,dc=org"
+access to dn.sub="ou=dhcp,<%= dc_suffix %>"
attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
- by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write
- by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read
+ by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write
+ by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read
by * read
# sudoers
-access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
+access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$"
attrs=children,entry,@sudoRole
- by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# dns
-access to dn="ou=dns,dc=mageia,dc=org"
+access to dn="ou=dns,<%= dc_suffix %>"
attrs=entry,@extensibleObject
- by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
-access to dn.sub="ou=dns,dc=mageia,dc=org"
+access to dn.sub="ou=dns,<%= dc_suffix %>"
attrs=children,entry,@dNSZone
- by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
- by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
+ by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
+ by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read
by * none
# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
-access to dn.one="ou=People,dc=mageia,dc=org"
+access to dn.one="ou=People,<%= dc_suffix %>"
attrs=@inetLocalMailRecipient,mail
- by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
+ by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# KDE Configuration
-access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
- by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write
+access to dn.sub="ou=KDEConfig,<%= dc_suffix %>"
+ by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write
by * read
# last one
-access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
+access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn
by users read