# mandriva-dit-access.conf
#
# slapd access-control rules for the dc=mageia,dc=org DIT (included from the
# main slapd configuration; see slapd.access(5) for the directive syntax).
#
# How to read this file: slapd walks the "access to ..." directives in order
# and uses the first one whose "to" clause matches the target DN/attribute.
# Inside that directive the first matching "by" clause decides, except that a
# trailing "by * break" hands identities that matched nothing else on to the
# next directive. Order therefore matters everywhere below.
#
# Resource limits: the three administrative groups are exempt from the
# server-wide size/time limits (normal binds keep whatever slapd.conf sets).
limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org"
limit size=unlimited
limit time=unlimited
limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org"
limit size=unlimited
limit time=unlimited
limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org"
limit size=unlimited
limit time=unlimited
# so we don't have to add these to every other acl down there
# Because the "by" clauses below are evaluated first for every target in the
# DIT, LDAP Admins get write and LDAP Replicators get read on EVERYTHING,
# including userPassword/krb5Key/samba hashes further down - none of the
# later "by * none" clauses ever apply to them. Membership of these two groups
# is therefore equivalent to full directory access; keep them minimal.
access to dn.subtree="dc=mageia,dc=org"
by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write
by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read
by * break
# userPassword access
# shadowLastChange is here because it needs to be writable by the user because
# of pam_ldap, which will update this attr whenever the password is changed.
# And this is done with the user's credentials
# NOTE(review): "by * read" makes shadowLastChange readable by anonymous binds
# as well (last password-change date per user) - confirm that is intended.
access to dn.subtree="dc=mageia,dc=org"
attrs=shadowLastChange
by self write
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by * read
# "by anonymous auth" lets an unauthenticated connection use the attribute for
# a simple bind without being able to read it; "by * none" then denies reads
# to every other authenticated identity (except the two groups above).
access to dn.subtree="dc=mageia,dc=org"
attrs=userPassword
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by self write
by anonymous auth
by * none
# kerberos key access
# "by auth" just in case...
# Same shape as userPassword: a user may replace their own key, admins may
# write it, nobody else can read it.
access to dn.subtree="dc=mageia,dc=org"
attrs=krb5Key
by self write
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by anonymous auth
by * none
# password policies
# ppolicy definitions are world-readable; only Account Admins may edit them.
access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by * read
# samba password attributes
# by self not strictly necessary, because samba uses its own admin user to
# change the password on the user's behalf
# openldap also doesn't auth on these attributes, but maybe some day it will
# "by anonymous auth" precedes "by self write" here, but the two clauses match
# disjoint identities (an anonymous bind is never "self"), so order is harmless.
access to dn.subtree="dc=mageia,dc=org"
attrs=sambaLMPassword,sambaNTPassword
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by anonymous auth
by self write
by * none
# password history attribute
# pwdHistory is read-only, but ACL is simpler with it here
# (Account Admins are still granted write on it by this directive.)
access to dn.subtree="dc=mageia,dc=org"
attrs=sambaPasswordHistory,pwdHistory
by self read
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by * none
# pwdReset, so the admin can force a user to change a password
access to dn.subtree="dc=mageia,dc=org"
attrs=pwdReset
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by * read
# group owner can add/remove/edit members of groups
# NOTE(review): the regex covers ou=System Groups too, so whoever is listed in
# the "owner" attribute of an administrative group (e.g. LDAP Admins) can add
# members to it. Treat the owner attribute of those groups as a privileged
# grant and audit it accordingly.
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
attrs=member
by dnattr=owner write
by * break
# let the user change some of his/her attributes
# Self-service contact details; everyone else falls through to the rules below.
access to dn.subtree="ou=People,dc=mageia,dc=org"
attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber
by self write
by * break
# create new accounts
# The regex matches the three containers themselves and their direct children;
# "children" on the container is what permits adding entries under it.
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
attrs=children,entry
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by * break
# access to existing entries
# Unrestricted attribute set: Account Admins may modify any attribute of a
# direct child of People/Hosts/Group (including the attributes protected
# individually above, which were already granted to them).
access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$"
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by * break
# sambaDomainName entry
# The optional RDN group also lets this directive match the base entry itself
# for the listed attributes/object classes.
access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
attrs=children,entry,@sambaDomain,@sambaUnixIdPool
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by * read
# samba ID mapping
access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
attrs=children,entry,@sambaIdmapEntry
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
by * read
# global address book
# XXX - which class(es) to use?
# NOTE(review): unlike the other regex rules this one has no trailing "$" and
# uses "(.*,)?", i.e. it matches the whole subtree at any depth. dn.sub (as
# used for ou=dhcp below) would express the same intent more plainly.
# Entries here, including any inetOrgPerson data, are readable by anyone.
access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org"
attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
by * read
# dhcp entries
# XXX - open up read access to anybody?
# NOTE(review): the "by * read" clause already opens read access to anybody,
# which makes the "DHCP Readers" clause above it redundant. If the intent is to
# restrict reads to that group, the last clause should be "by * none" (as the
# dns subtree rule below does); otherwise the XXX can be resolved.
access to dn.sub="ou=dhcp,dc=mageia,dc=org"
attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write
by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read
by * read
# sudoers
# sudoRole entries are world-readable (including anonymous binds), which is
# what clients doing anonymous sudoers lookups need; be aware it exposes the
# privilege policy of every host to any connection.
access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
attrs=children,entry,@sudoRole
by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
by * read
# dns
# Two-tier rule: the ou=dns container itself is readable by all so clients can
# locate it, while the zone data underneath (next directive) is limited to
# DNS Admins/DNS Readers and denied to everyone else. The exact-dn directive
# must stay before the dn.sub one, otherwise the subtree rule would match the
# container first and hide it.
access to dn="ou=dns,dc=mageia,dc=org"
attrs=entry,@extensibleObject
by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
by * read
access to dn.sub="ou=dns,dc=mageia,dc=org"
attrs=children,entry,@dNSZone
by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
by * none
# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
# dn.one: direct children of ou=People only. Mail routing attributes are
# readable by anyone so the MTA can look them up without a privileged bind.
access to dn.one="ou=People,dc=mageia,dc=org"
attrs=@inetLocalMailRecipient,mail
by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
by * read
# KDE Configuration
access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write
by * read
# last one
# Catch-all: only the entry pseudo-attribute, uid and cn are readable by
# everyone across the DIT. Any attribute not granted by an earlier directive
# is left to slapd's default handling for unmatched targets - confirm against
# slapd.access(5) for the deployed version before relying on it.
access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
by * read