authorBuchan Milne <buchan@mageia.org>2010-11-05 12:19:23 +0000
committerBuchan Milne <buchan@mageia.org>2010-11-05 12:19:23 +0000
commit23fdeab2512c5f7816ddf9315165ba154de1d1e2 (patch)
tree81436e64378b031375d391dc71d210dee5b6927e /modules/openldap/templates/mandriva-dit-access.conf
parent49a9c571bea47c308ebb90140dd3802f0b0b7424 (diff)
Finalise registration ACLs
Restrict anonymous access (to none).
Add some additional ACLs to put back some access that previously relied on anonymous.
Listen on all IP addresses, and ldapi.
Assign localSSF matching ssf requirement, so we allow ldapi, ldaps, ldap+start_tls.
Diffstat (limited to 'modules/openldap/templates/mandriva-dit-access.conf')
-rw-r--r--modules/openldap/templates/mandriva-dit-access.conf25
1 files changed, 14 insertions, 11 deletions
diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf
index 95541890..e97be748 100644
--- a/modules/openldap/templates/mandriva-dit-access.conf
+++ b/modules/openldap/templates/mandriva-dit-access.conf
@@ -85,11 +85,24 @@ access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
by dnattr=owner write
by * break
+# registration - allow registrar group to create basic unprivileged accounts
+access to dn.subtree="ou=People,dc=mageia,dc=org"
+ attrs="objectClass"
+ val="inetOrgperson"
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =a
+ by * +0 break
+
+access to dn.subtree="ou=People,dc=mageia,dc=org"
+ filter="(!(objectclass=posixAccount))"
+ attrs=cn,sn,gn,mail,entry,children
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =a
+ by * +0 break
+
# let the user change some of his/her attributes
access to dn.subtree="ou=People,dc=mageia,dc=org"
attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
by self write
- by * break
+ by * +0 break
# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
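Review bot: The `=a` on L33 and L39 is the set form with the default `stop` control, so for members of cn=registrars evaluation ends at these clauses with add as the only privilege on the matched attribute (objectClass for the inetOrgPerson value in the first rule; cn,sn,gn,mail,entry,children of non-posixAccount entries in the second), and any read or search access a later `by users ...` rule would give them is never reached, whereas the removed version of the second rule used `+a break` and kept accumulating. If registrars are meant to register accounts but never browse or read those attributes, a comment above L36 saying so would stop the next reader from "fixing" it; if not, `by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a break` restores the accumulation. `val="inetOrgperson"` on L32 presumably still matches, since objectClass compares with objectIdentifierMatch and descriptors are case-insensitive, but spelling it `inetOrgPerson` as the schema does removes the need to check. Which other attributes a registrar can set on the newly created entry (userPassword being the one that matters for "unprivileged") is decided by the rules that follow L49, outside this hunk.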
@@ -146,16 +159,6 @@ access to dn.sub="ou=dns,dc=mageia,dc=org"
by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
by * none
-# registration - allow registrar group to create basic unprivileged accounts
-access to dn.subtree="ou=People,dc=mageia,dc=org"
- attrs="objectClass"
- val="inetOrgperson"
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" write by * +0 break
-
-access to dn.subtree="ou=People,dc=mageia,dc=org"
- attrs="cn,sn,gn,mail,entry,children"
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a break
- by * +0 break
# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?