summaryrefslogtreecommitdiffstats
path: root/zarb-ml/mageia-sysadm/2010-November/000250.html
diff options
context:
space:
mode:
Diffstat (limited to 'zarb-ml/mageia-sysadm/2010-November/000250.html')
-rw-r--r--zarb-ml/mageia-sysadm/2010-November/000250.html162
1 files changed, 162 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2010-November/000250.html b/zarb-ml/mageia-sysadm/2010-November/000250.html
new file mode 100644
index 000000000..e5265cc5c
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/2010-November/000250.html
@@ -0,0 +1,162 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
+<HTML>
+ <HEAD>
+ <TITLE> [Mageia-sysadm] [134] Finalise registration ACLs
+ </TITLE>
+ <LINK REL="Index" HREF="index.html" >
+ <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B134%5D%20Finalise%20registration%20ACLs&In-Reply-To=%3C20101105121923.62C7F3F92E%40valstar.mageia.org%3E">
+ <META NAME="robots" CONTENT="index,nofollow">
+ <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
+ <LINK REL="Previous" HREF="000249.html">
+ <LINK REL="Next" HREF="000252.html">
+ </HEAD>
+ <BODY BGCOLOR="#ffffff">
+ <H1>[Mageia-sysadm] [134] Finalise registration ACLs</H1>
+ <B>root at mageia.org</B>
+ <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B134%5D%20Finalise%20registration%20ACLs&In-Reply-To=%3C20101105121923.62C7F3F92E%40valstar.mageia.org%3E"
+ TITLE="[Mageia-sysadm] [134] Finalise registration ACLs">root at mageia.org
+ </A><BR>
+ <I>Fri Nov 5 13:19:23 CET 2010</I>
+ <P><UL>
+ <LI>Previous message: <A HREF="000249.html">[Mageia-sysadm] [133] SVN server is on valstar
+</A></li>
+ <LI>Next message: <A HREF="000252.html">[Mageia-sysadm] [135] Correct authentication binddn
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#250">[ date ]</a>
+ <a href="thread.html#250">[ thread ]</a>
+ <a href="subject.html#250">[ subject ]</a>
+ <a href="author.html#250">[ author ]</a>
+ </LI>
+ </UL>
+ <HR>
+<!--beginarticle-->
+<PRE>Revision: 134
+Author: buchan
+Date: 2010-11-05 13:19:23 +0100 (Fri, 05 Nov 2010)
+Log Message:
+-----------
+Finalise registration ACLs
+Restrict anonymous access (to none)
+Add some additional ACLs to put back some access that previously relied on anonymous
+Listen on all IP addresses, and ldapi
+Assign localSSF matching ssf requirement, so we allow ldapi,ldaps,ldap+start_tls
+
+Modified Paths:
+--------------
+ puppet/modules/openldap/templates/ldap.sysconfig
+ puppet/modules/openldap/templates/mandriva-dit-access.conf
+ puppet/modules/openldap/templates/slapd.conf
+
+Modified: puppet/modules/openldap/templates/ldap.sysconfig
+===================================================================
+--- puppet/modules/openldap/templates/ldap.sysconfig 2010-11-05 11:03:31 UTC (rev 133)
++++ puppet/modules/openldap/templates/ldap.sysconfig 2010-11-05 12:19:23 UTC (rev 134)
+@@ -3,7 +3,7 @@
+ SLAPDSYSLOGLOCALUSER=&quot;local4&quot;
+
+ # SLAPD URL list
+-SLAPDURLLIST=&quot;<A HREF="ldap://127.0.0.1/">ldap://127.0.0.1/</A> <A HREF="ldaps://127.0.0.1/">ldaps://127.0.0.1/</A>&quot;
++SLAPDURLLIST=&quot;<A HREF="ldap:///">ldap:///</A> <A HREF="ldaps:///">ldaps:///</A> <A HREF="ldapi:///">ldapi:///</A>&quot;
+
+ # Config file to use for slapd
+ #SLAPDCONF=/etc/openldap/slapd.conf
+
+Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
+===================================================================
+--- puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-05 11:03:31 UTC (rev 133)
++++ puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-05 12:19:23 UTC (rev 134)
+@@ -85,11 +85,24 @@
+ by dnattr=owner write
+ by * break
+
++# registration - allow registrar group to create basic unprivileged accounts
++access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot;
++ attrs=&quot;objectClass&quot;
++ val=&quot;inetOrgperson&quot;
++ by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; =a
++ by * +0 break
++
++access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot;
++ filter=&quot;(!(objectclass=posixAccount))&quot;
++ attrs=cn,sn,gn,mail,entry,children
++ by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; =a
++ by * +0 break
++
+ # let the user change some of his/her attributes
+ access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot;
+ attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
+ by self write
+- by * break
++ by * +0 break
+
+ # create new accounts
+ access to dn.regex=&quot;^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$&quot;
+@@ -146,17 +159,7 @@
+ by group.exact=&quot;cn=DNS Readers,ou=System Groups,dc=mageia,dc=org&quot; read
+ by * none
+
+-# registration - allow registrar group to create basic unprivileged accounts
+-access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot;
+- attrs=&quot;objectClass&quot;
+- val=&quot;inetOrgperson&quot;
+- by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; write by * +0 break
+
+-access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot;
+- attrs=&quot;cn,sn,gn,mail,entry,children&quot;
+- by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; +a break
+- by * +0 break
+-
+ # MTA
+ # XXX - what else can we add here? Virtual Domains? With which schema?
+ access to dn.one=&quot;ou=People,dc=mageia,dc=org&quot;
+
+Modified: puppet/modules/openldap/templates/slapd.conf
+===================================================================
+--- puppet/modules/openldap/templates/slapd.conf 2010-11-05 11:03:31 UTC (rev 133)
++++ puppet/modules/openldap/templates/slapd.conf 2010-11-05 12:19:23 UTC (rev 134)
+@@ -40,6 +40,14 @@
+ TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem
+ TLSCACertificateFile /etc/ssl/openldap/ldap.pem
+
++# Give ldapi connection some security
++localSSF 56
++# Require at least this security, so we allow:
++# ldapi
++# ldap+start_tls
++# ldaps
++security ssf=56
++
+ loglevel 256
+
+ database bdb
+-------------- next part --------------
+An HTML attachment was scrubbed...
+URL: &lt;/pipermail/mageia-sysadm/attachments/20101105/eaebe76e/attachment.html&gt;
+</PRE>
+
+
+
+
+
+
+<!--endarticle-->
+ <HR>
+ <P><UL>
+ <!--threads-->
+ <LI>Previous message: <A HREF="000249.html">[Mageia-sysadm] [133] SVN server is on valstar
+</A></li>
+ <LI>Next message: <A HREF="000252.html">[Mageia-sysadm] [135] Correct authentication binddn
+</A></li>
+ <LI> <B>Messages sorted by:</B>
+ <a href="date.html#250">[ date ]</a>
+ <a href="thread.html#250">[ thread ]</a>
+ <a href="subject.html#250">[ subject ]</a>
+ <a href="author.html#250">[ author ]</a>
+ </LI>
+ </UL>
+
+<hr>
+<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm
+mailing list</a><br>
+</body></html>
generated by cgit v1.2.1 (git 2.21.0) at 2024-11-16 20:57:00 +0000