From 2c7da66570999dcd21f11f976dc6ec27d820f45c Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Fri, 4 Oct 2024 19:28:06 -0700 Subject: Use @ when accessing variables in templates Access without the @ symbol is the older method and is discouraged. --- modules/openldap/templates/init_ldap.sh | 22 ++-- .../openldap/templates/mandriva-dit-access.conf | 120 ++++++++++----------- modules/openldap/templates/slapd.conf | 22 ++-- modules/openldap/templates/slapd.syncrepl.conf | 12 +-- modules/openldap/templates/slapd.test.conf | 2 +- 5 files changed, 89 insertions(+), 89 deletions(-) (limited to 'modules/openldap') diff --git a/modules/openldap/templates/init_ldap.sh b/modules/openldap/templates/init_ldap.sh index dfcaf236..01ab00bb 100644 --- a/modules/openldap/templates/init_ldap.sh +++ b/modules/openldap/templates/init_ldap.sh @@ -1,27 +1,27 @@ #!/bin/bash ldapadd -Y EXTERNAL -H ldapi:/// < -dc: <%= dc_suffix.split(',')[0].split('=')[1] %> +dn: <%= @dc_suffix %> +dc: <%= @dc_suffix.split(',')[0].split('=')[1] %> objectClass: domain objectClass: domainRelatedObject -associatedDomain: <%= domain %> +associatedDomain: <%= @domain %> <% for g in ['People','Group','Hosts'] %> -dn: ou=<%= g%>,<%= dc_suffix %> -ou: <%= g %> +dn: ou=<%= @g %>,<%= @dc_suffix %> +ou: <%= @g %> objectClass: organizationalUnit <% end %> <% gid = 5000 for g in ['packagers','web','sysadmin','packagers-committers','forum-developers'] %> -dn: cn=mga-<%= g %>,ou=Group,<%= dc_suffix %> +dn: cn=mga-<%= @g %>,ou=Group,<%= @dc_suffix %> objectClass: groupOfNames objectClass: posixGroup -cn: mga-<%= g %> -gidNumber: <%= gid %> -member: cn=manager,<%= dc_suffix %> +cn: mga-<%= @g %> +gidNumber: <%= @gid %> +member: cn=manager,<%= @dc_suffix %> <%- gid+=1 end -%> @@ -29,10 +29,10 @@ end -%> <% # FIXME automatically get the list of servers for g in ['duvel','alamut'] %> -dn: cn=<%= g%>.<%= domain %>,ou=Hosts,<%= dc_suffix %> +dn: cn=<%= @g %>.<%= @domain %>,ou=Hosts,<%= @dc_suffix %> objectClass: device objectClass: simpleSecurityObject -cn: <%= g%>.<%= domain %> +cn: <%= @g %>.<%= @domain %> userPassword: x <% end %> diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf index 361d956b..8cf2a404 100644 --- a/modules/openldap/templates/mandriva-dit-access.conf +++ b/modules/openldap/templates/mandriva-dit-access.conf @@ -1,195 +1,195 @@ # mandriva-dit-access.conf -limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" +limits group="cn=LDAP Replicators,ou=System Groups,<%= @dc_suffix %>" limit size=unlimited limit time=unlimited -limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" +limits group="cn=LDAP Admins,ou=System Groups,<%= @dc_suffix %>" limit size=unlimited limit time=unlimited -limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" +limits group="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" limit size=unlimited limit time=unlimited # so we don't have to add these to every other acl down there -access to dn.subtree="<%= dc_suffix %>" - by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write - by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read +access to dn.subtree="<%= @dc_suffix %>" + by group.exact="cn=LDAP Admins,ou=System Groups,<%= @dc_suffix %>" write + by group.exact="cn=LDAP Replicators,ou=System Groups,<%= @dc_suffix %>" read by * break # userPassword access # Allow account registration to write userPassword of unprivileged users accounts -access to dn.subtree="ou=People,<%= dc_suffix %>" +access to dn.subtree="ou=People,<%= @dc_suffix %>" filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))" attrs=userPassword - by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w + by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= @dc_suffix %>" +w by * +0 break # shadowLastChange is here because it needs to be writable by the user because # of pam_ldap, which will update this attr whenever the password is changed. # And this is done with the user's credentials -access to dn.subtree="<%= dc_suffix %>" +access to dn.subtree="<%= @dc_suffix %>" attrs=shadowLastChange by self write - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by users read -access to dn.subtree="<%= dc_suffix %>" +access to dn.subtree="<%= @dc_suffix %>" attrs=userPassword - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by self write by anonymous auth by * none # kerberos key access # "by auth" just in case... -access to dn.subtree="<%= dc_suffix %>" +access to dn.subtree="<%= @dc_suffix %>" attrs=krb5Key by self write - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by anonymous auth by * none # password policies -access to dn.subtree="ou=Password Policies,<%= dc_suffix %>" - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write +access to dn.subtree="ou=Password Policies,<%= @dc_suffix %>" + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # samba password attributes # by self not strictly necessary, because samba uses its own admin user to # change the password on the user's behalf # openldap also doesn't auth on these attributes, but maybe some day it will -access to dn.subtree="<%= dc_suffix %>" +access to dn.subtree="<%= @dc_suffix %>" attrs=sambaLMPassword,sambaNTPassword - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by anonymous auth by self write by * none # password history attribute # pwdHistory is read-only, but ACL is simpler with it here -access to dn.subtree="<%= dc_suffix %>" +access to dn.subtree="<%= @dc_suffix %>" attrs=sambaPasswordHistory,pwdHistory by self read - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by * none # pwdReset, so the admin can force an user to change a password -access to dn.subtree="<%= dc_suffix %>" +access to dn.subtree="<%= @dc_suffix %>" attrs=pwdReset,pwdAccountLockedTime - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by self read # group owner can add/remove/edit members to groups -access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" +access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= @dc_suffix %>$" attrs=member,owner by dnattr=owner write - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by users +scrx -access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" +access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= @dc_suffix %>$" attrs=cn,description,objectClass,gidNumber - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # registration - allow registrar group to create basic unprivileged accounts -access to dn.subtree="ou=People,<%= dc_suffix %>" +access to dn.subtree="ou=People,<%= @dc_suffix %>" attrs="objectClass" val="inetOrgperson" - by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx + by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= @dc_suffix %>" =asrx by * +0 break -access to dn.subtree="ou=People,<%= dc_suffix %>" +access to dn.subtree="ou=People,<%= @dc_suffix %>" filter="(!(objectclass=posixAccount))" attrs=cn,sn,gn,mail,entry,children,preferredLanguage - by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx + by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= @dc_suffix %>" =asrx by * +0 break # TODO maybe we should use a group instead of a user here -access to dn.subtree="ou=People,<%= dc_suffix %>" +access to dn.subtree="ou=People,<%= @dc_suffix %>" filter="(objectclass=posixAccount)" attrs=homeDirectory,cn,uid,loginShell,gidNumber,uidNumber - by dn.one="ou=Hosts,<%= dc_suffix %>" read + by dn.one="ou=Hosts,<%= @dc_suffix %>" read by * +0 break # let the user change some of his/her attributes -access to dn.subtree="ou=People,<%= dc_suffix %>" +access to dn.subtree="ou=People,<%= @dc_suffix %>" attrs=cn,sn,givenName,carLicense,drink,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey by self write by users read -access to dn.subtree="ou=People,<%= dc_suffix %>" +access to dn.subtree="ou=People,<%= @dc_suffix %>" attrs=memberOf by users read # create new accounts -access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$" +access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= @dc_suffix %>$" attrs=children,entry - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by * break # access to existing entries -access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$" - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write +access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= @dc_suffix %>$" + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by * break # sambaDomainName entry -access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$" +access to dn.regex="^(sambaDomainName=[^,]+,)?<%= @dc_suffix %>$" attrs=children,entry,@sambaDomain,@sambaUnixIdPool - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # samba ID mapping -access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$" +access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= @dc_suffix %>$" attrs=children,entry,@sambaIdmapEntry - by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write - by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Account Admins,ou=System Groups,<%= @dc_suffix %>" write + by group.exact="cn=IDMAP Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # global address book # XXX - which class(es) to use? -access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>" +access to dn.regex="^(.*,)?ou=Address Book,<%= @dc_suffix %>" attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList - by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Address Book Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # dhcp entries # XXX - open up read access to anybody? -access to dn.sub="ou=dhcp,<%= dc_suffix %>" +access to dn.sub="ou=dhcp,<%= @dc_suffix %>" attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog - by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write - by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read + by group.exact="cn=DHCP Admins,ou=System Groups,<%= @dc_suffix %>" write + by group.exact="cn=DHCP Readers,ou=System Groups,<%= @dc_suffix %>" read by * read # sudoers -access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$" +access to dn.regex="^([^,]+,)?ou=sudoers,<%= @dc_suffix %>$" attrs=children,entry,@sudoRole - by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=Sudo Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # dns -access to dn="ou=dns,<%= dc_suffix %>" +access to dn="ou=dns,<%= @dc_suffix %>" attrs=entry,@extensibleObject - by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=DNS Admins,ou=System Groups,<%= @dc_suffix %>" write by users read -access to dn.sub="ou=dns,<%= dc_suffix %>" +access to dn.sub="ou=dns,<%= @dc_suffix %>" attrs=children,entry,@dNSZone - by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write - by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read + by group.exact="cn=DNS Admins,ou=System Groups,<%= @dc_suffix %>" write + by group.exact="cn=DNS Readers,ou=System Groups,<%= @dc_suffix %>" read by * none # MTA # XXX - what else can we add here? Virtual Domains? With which schema? -access to dn.one="ou=People,<%= dc_suffix %>" +access to dn.one="ou=People,<%= @dc_suffix %>" attrs=@inetLocalMailRecipient,mail - by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write + by group.exact="cn=MTA Admins,ou=System Groups,<%= @dc_suffix %>" write by users read # KDE Configuration -access to dn.sub="ou=KDEConfig,<%= dc_suffix %>" - by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write +access to dn.sub="ou=KDEConfig,<%= @dc_suffix %>" + by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= @dc_suffix %>" write by * read # last one -access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn +access to dn.subtree="<%= @dc_suffix %>" attrs=entry,uid,cn by users read diff --git a/modules/openldap/templates/slapd.conf b/modules/openldap/templates/slapd.conf index d82fe088..542e54fa 100644 --- a/modules/openldap/templates/slapd.conf +++ b/modules/openldap/templates/slapd.conf @@ -29,7 +29,7 @@ include /usr/share/openldap/schema/openssh-lpk_openldap.schema pidfile /var/run/ldap/slapd.pid argsfile /var/run/ldap/slapd.args -modulepath <%= lib_dir %>/openldap +modulepath <%= @lib_dir %>/openldap <% if @hostname == 'duvel' then %> moduleload back_bdb.la <% else %> @@ -44,9 +44,9 @@ moduleload unique.la moduleload dynlist.la moduleload constraint.la -TLSCertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem -TLSCertificateKeyFile /etc/ssl/openldap/ldap.<%= domain %>.pem -TLSCACertificateFile /etc/ssl/openldap/ldap.<%= domain %>.pem +TLSCertificateFile /etc/ssl/openldap/ldap.<%= @domain %>.pem +TLSCertificateKeyFile /etc/ssl/openldap/ldap.<%= @domain %>.pem +TLSCACertificateFile /etc/ssl/openldap/ldap.<%= @domain %>.pem # Give ldapi connection some security localSSF 56 @@ -60,8 +60,8 @@ loglevel 256 database monitor access to dn.subtree="cn=Monitor" - by group.exact="cn=LDAP Monitors,ou=System Groups,<%= dc_suffix %>" read - by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" read + by group.exact="cn=LDAP Monitors,ou=System Groups,<%= @dc_suffix %>" read + by group.exact="cn=LDAP Admins,ou=System Groups,<%= @dc_suffix %>" read by * none <% if @hostname == 'duvel' then %> @@ -71,9 +71,9 @@ database mdb # mdb defaults to 10MB max DB, so we need to hardcode some better value :( maxsize 500000000 <% end %> -suffix "<%= dc_suffix %>" +suffix "<%= @dc_suffix %>" directory /var/lib/ldap -rootdn "cn=manager,<%= dc_suffix %>" +rootdn "cn=manager,<%= @dc_suffix %>" checkpoint 256 5 <% if @hostname == 'duvel' then %> @@ -105,7 +105,7 @@ syncprov-checkpoint 100 10 syncprov-sessionlog 100 overlay ppolicy -ppolicy_default "cn=default,ou=Password Policies,<%= dc_suffix %>" +ppolicy_default "cn=default,ou=Password Policies,<%= @dc_suffix %>" ppolicy_hash_cleartext yes ppolicy_use_lockout yes @@ -128,8 +128,8 @@ constraint_attribute sshPublicKey regex "^ssh-(rsa|dss|ed25519) [[:graph:]]+ [[: <% if environment == "test" %> authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" - "cn=manager,<%= dc_suffix %>" -authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,<%= dc_suffix %> + "cn=manager,<%= @dc_suffix %>" +authz-regexp ^uid=([^,]+),cn=[^,]+,cn=auth$ uid=$1,ou=People,<%= @dc_suffix %> <% end %> include /etc/openldap/mandriva-dit-access.conf diff --git a/modules/openldap/templates/slapd.syncrepl.conf b/modules/openldap/templates/slapd.syncrepl.conf index 2bfe7d50..4c69a56e 100644 --- a/modules/openldap/templates/slapd.syncrepl.conf +++ b/modules/openldap/templates/slapd.syncrepl.conf @@ -1,11 +1,11 @@ -syncrepl rid=<%= rid %> - provider=ldaps://ldap-master.<%= domain %>:636 +syncrepl rid=<%= @rid %> + provider=ldaps://ldap-master.<%= @domain %>:636 type=refreshAndPersist - searchbase="<%= dc_suffix %>" + searchbase="<%= @dc_suffix %>" schemachecking=off bindmethod=simple - binddn="cn=syncuser-<%= hostname%>,ou=System Accounts,<%= dc_suffix %>" - credentials=<%= sync_password %> + binddn="cn=syncuser-<%= @hostname %>,ou=System Accounts,<%= @dc_suffix %>" + credentials=<%= @sync_password %> tls_reqcert=never -updateref ldaps://ldap-master.<%= domain %>:636 +updateref ldaps://ldap-master.<%= @domain %>:636 diff --git a/modules/openldap/templates/slapd.test.conf b/modules/openldap/templates/slapd.test.conf index 8befa55a..a492acd7 100644 --- a/modules/openldap/templates/slapd.test.conf +++ b/modules/openldap/templates/slapd.test.conf @@ -2,7 +2,7 @@ database bdb suffix "dc=test_ldap" directory /var/lib/ldap/test rootdn "cn=manager,dc=test_ldap" -rootpw "<%= ldap_test_password %>" +rootpw "<%= @ldap_test_password %>" authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=manager,dc=test_ldap" # force ssl -- cgit v1.2.1