# mandriva-dit-access.conf

limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>"
	limit size=unlimited
	limit time=unlimited

limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>"
	limit size=unlimited
	limit time=unlimited

limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>"
	limit size=unlimited
	limit time=unlimited

# so we don't have to add these to every other acl down there
access to dn.subtree="<%= dc_suffix %>"
	by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write
	by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read
	by * break

# userPassword access
# Allow account registration to write userPassword of unprivileged users accounts
access to dn.subtree="ou=People,<%= dc_suffix %>" 
	filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
	attrs=userPassword
	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w
	by * +0 break

# shadowLastChange is here because it needs to be writable by the user because
# of pam_ldap, which will update this attr whenever the password is changed.
# And this is done with the user's credentials
access to dn.subtree="<%= dc_suffix %>"
        attrs=shadowLastChange
        by self write
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read
access to dn.subtree="<%= dc_suffix %>"
	attrs=userPassword
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by self write
	by anonymous auth
	by * none

# kerberos key access
# "by auth" just in case...
access to dn.subtree="<%= dc_suffix %>"
        attrs=krb5Key
        by self write
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by anonymous auth
        by * none

# password policies
access to dn.subtree="ou=Password Policies,<%= dc_suffix %>"
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# samba password attributes
# by self not strictly necessary, because samba uses its own admin user to
# change the password on the user's behalf
# openldap also doesn't auth on these attributes, but maybe some day it will
access to dn.subtree="<%= dc_suffix %>"
	attrs=sambaLMPassword,sambaNTPassword
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by anonymous auth
	by self write
	by * none
# password history attribute
# pwdHistory is read-only, but ACL is simplier with it here
access to dn.subtree="<%= dc_suffix %>"
	attrs=sambaPasswordHistory,pwdHistory
	by self read
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by * none

# pwdReset, so the admin can force an user to change a password
access to dn.subtree="<%= dc_suffix %>"
	attrs=pwdReset,pwdAccountLockedTime
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by self read

# group owner can add/remove/edit members to groups
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
	attrs=member,owner
	by dnattr=owner write
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by users +scrx

access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
	attrs=cn,description,objectClass,gidNumber
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# registration - allow registrar group to create basic unprivileged accounts
access to dn.subtree="ou=People,<%= dc_suffix %>" 
	attrs="objectClass" 
	val="inetOrgperson" 
	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
	by * +0 break

access to dn.subtree="ou=People,<%= dc_suffix %>" 
	filter="(!(objectclass=posixAccount))"
	attrs=cn,sn,gn,mail,entry,children,preferredLanguage
	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
	by * +0 break

# TODO maybe we should use a group instead of a user here
access to dn.subtree="ou=People,<%= dc_suffix %>" 
	filter="(objectclass=posixAccount)"
	attrs=homeDirectory,cn,uid,loginShell,gidNumber,uidNumber
	by dn.one="ou=Hosts,<%= dc_suffix %>" read
	by * +0 break

# let the user change some of his/her attributes
access to dn.subtree="ou=People,<%= dc_suffix %>"
	attrs=cn,sn,givenName,carLicense,drink,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey
	by self write
	by users read

access to dn.subtree="ou=People,<%= dc_suffix %>"
	attrs=memberOf
	by users read


# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$"
	attrs=children,entry
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by * break
# access to existing entries
access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$"
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by * break

# sambaDomainName entry
access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$"
	attrs=children,entry,@sambaDomain,@sambaUnixIdPool
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# samba ID mapping
access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$"
	attrs=children,entry,@sambaIdmapEntry
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# global address book
# XXX - which class(es) to use?
access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>"
	attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
	by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# dhcp entries
# XXX - open up read access to anybody?
access to dn.sub="ou=dhcp,<%= dc_suffix %>"
	attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
	by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write
	by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read
	by * read

# sudoers
access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$"
	attrs=children,entry,@sudoRole
	by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# dns
access to dn="ou=dns,<%= dc_suffix %>"
	attrs=entry,@extensibleObject
	by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read
access to dn.sub="ou=dns,<%= dc_suffix %>"
	attrs=children,entry,@dNSZone
	by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
	by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read
	by * none


# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
access to dn.one="ou=People,<%= dc_suffix %>"
	attrs=@inetLocalMailRecipient,mail
	by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# KDE Configuration
access to dn.sub="ou=KDEConfig,<%= dc_suffix %>"
	by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write
	by * read

# last one
access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn
	by users read