authorBuchan Milne <buchan@mageia.org>2010-11-09 14:25:10 +0000
committerBuchan Milne <buchan@mageia.org>2010-11-09 14:25:10 +0000
commitcfcfba74901f99fc55447292b5116b1bbd6f47ce (patch)
treed1015e9c85c2197f932a8435fd2f799d3cee3b9b /modules/openldap
parent24c74198234a58291ef51c122b09a6f80e2aa3f3 (diff)
Close more anon access, and open up read access to some inetOrgPerson attrs to users
Diffstat (limited to 'modules/openldap')
-rw-r--r--modules/openldap/templates/mandriva-dit-access.conf24
1 files changed, 13 insertions, 11 deletions
diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf
index b63880f4..a4d9661a 100644
--- a/modules/openldap/templates/mandriva-dit-access.conf
+++ b/modules/openldap/templates/mandriva-dit-access.conf
@@ -33,7 +33,7 @@ access to dn.subtree="dc=mageia,dc=org"
attrs=shadowLastChange
by self write
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
access to dn.subtree="dc=mageia,dc=org"
attrs=userPassword
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
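Review bot: The userPassword rule that begins at `access to dn.subtree="dc=mageia,dc=org" attrs=userPassword` has its `by` clauses cut off by the hunk, and with anonymous read now closed across the file it is worth confirming it still carries `by anonymous auth` (and `by self write`); without `auth` access for anonymous, simple binds cannot succeed and every `by users` clause this commit introduces becomes unreachable. The shadowLastChange rule above it now lets every authenticated account read every other user's password-age stamp, which is broader than the `by self read` pattern this same commit applies to pwdReset and pwdAccountLockedTime; if only the account itself and the admins need it, `by self read` would keep the two rules consistent. The shadowLastChange rule ends inside the hunk; the userPassword rule continues past it.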
@@ -53,7 +53,7 @@ access to dn.subtree="dc=mageia,dc=org"
# password policies
access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# samba password attributes
# by self not strictly necessary, because samba uses its own admin user to
@@ -77,16 +77,18 @@ access to dn.subtree="dc=mageia,dc=org"
access to dn.subtree="dc=mageia,dc=org"
attrs=pwdReset,pwdAccountLockedTime
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by self read
# group owner can add/remove/edit members to groups
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
attrs=member
by dnattr=owner write
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by users +sx
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
attrs=cn,description,objectClass,gidNumber
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by users read
# registration - allow registrar group to create basic unprivileged accounts
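Review bot: The added `by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write` on `member` applies to every group under `ou=System Groups` as well as `ou=Group`, because the target regex `^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$` covers both; Account Admins can therefore change the membership of Sudo Admins, DNS Admins, IDMAP Admins, MTA Admins and Account Admins itself, which makes that one group equivalent to all the others. If that delegation is intended it deserves a comment such as `# Account Admins manage membership of all groups, including the other *Admins groups`; if not, split the rule and give Account Admins write only on `dn.regex="^cn=[^,]+,ou=Group,dc=mageia,dc=org$"`. The same consideration applies to the second added clause, where write on `objectClass` and `gidNumber` of a System Group is also an admin-level change. The `# registration` rule that follows is outside the hunk.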
@@ -106,7 +108,7 @@ access to dn.subtree="ou=People,dc=mageia,dc=org"
access to dn.subtree="ou=People,dc=mageia,dc=org"
attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
by self write
- by users +sx
+ by users read
# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
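Review bot: Changing `by users +sx` to `by users read` on `carLicense,homePhone,homePostalAddress,mobile,pager` exposes personal contact details to every authenticated account, including the basic unprivileged accounts the registrar group can create according to the comment just above this hunk; the commit message only speaks of opening "some" inetOrgPerson attrs. Consider splitting the rule so that `mail,preferredLanguage` (and possibly `telephoneNumber`) get `by users read` while the home/mobile attributes keep `by self write` followed by `by users +sx`, or `by self read`. The `# create new accounts` rule that follows is outside the hunk.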
@@ -122,21 +124,21 @@ access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$"
access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
attrs=children,entry,@sambaDomain,@sambaUnixIdPool
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# samba ID mapping
access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
attrs=children,entry,@sambaIdmapEntry
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# global address book
# XXX - which class(es) to use?
access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org"
attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# dhcp entries
# XXX - open up read access to anybody?
@@ -150,13 +152,13 @@ access to dn.sub="ou=dhcp,dc=mageia,dc=org"
access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
attrs=children,entry,@sudoRole
by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# dns
access to dn="ou=dns,dc=mageia,dc=org"
attrs=entry,@extensibleObject
by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
access to dn.sub="ou=dns,dc=mageia,dc=org"
attrs=children,entry,@dNSZone
by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
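Review bot: Closing anonymous read on `ou=sudoers` and `ou=dns` here, and on the MTA rule in the `@@ -169` hunk, assumes that every consumer (sudo-ldap on client hosts, the DNS backend, the MTA's lookup tables) binds with credentials rather than anonymously; any consumer still binding anonymously will simply see no entries, which is a hard-to-diagnose failure mode. A comment on the sudoers rule such as `# consumers must bind with a DN (no anonymous read); configure binddn/bindpw on clients` would record that dependency, or a dedicated reader group or service DN could be granted read instead of the broad `users`. The `dn.sub="ou=dns,dc=mageia,dc=org"` rule's remaining clauses run past the hunk.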
@@ -169,7 +171,7 @@ access to dn.sub="ou=dns,dc=mageia,dc=org"
access to dn.one="ou=People,dc=mageia,dc=org"
attrs=@inetLocalMailRecipient,mail
by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# KDE Configuration
access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
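Review bot: `mail` in `attrs=@inetLocalMailRecipient,mail` looks shadowed for entries directly under `ou=People` by the earlier `dn.subtree="ou=People,dc=mageia,dc=org"` rule from the `@@ -106` hunk, whose attrs also list `mail` and which precedes this rule in the file (line 106 versus 169); slapd applies the first `access to` clause whose target matches, so that earlier rule's `by self write` / `by users read` decides and MTA Admins never obtain write on `mail`. If MTA Admins are meant to manage `mail`, either move this rule above the per-user contact rule or drop `mail` from the earlier rule's attrs. The `# KDE Configuration` rule that follows is outside the hunk.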
@@ -178,5 +180,5 @@ access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
# last one
access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
- by * read
+ by users read
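Review bot: This fallback rule now denies anonymous any access to `entry,uid,cn`, because no `by` clause matches anonymous and the implicit `by * none` applies; that is the intended effect of the commit but it is invisible to a reader of the file. Add a comment above the rule, e.g. `# anonymous matches no clause here and gets nothing (implicit "by * none")`, so the deliberate closure is recorded next to the rule that enforces it. Note this rule only governs entries and attributes not already claimed by an earlier `access to` clause.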