From cfcfba74901f99fc55447292b5116b1bbd6f47ce Mon Sep 17 00:00:00 2001
From: Buchan Milne
Date: Tue, 9 Nov 2010 14:25:10 +0000
Subject: Close more anon access, and open up read access to some inetOrgPerson attrs to users
---
 .../openldap/templates/mandriva-dit-access.conf | 24 ++++++++++++----------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf
index b63880f4..a4d9661a 100644
--- a/modules/openldap/templates/mandriva-dit-access.conf
+++ b/modules/openldap/templates/mandriva-dit-access.conf
@@ -33,7 +33,7 @@ access to dn.subtree="dc=mageia,dc=org"
 access to dn.subtree="dc=mageia,dc=org" attrs=shadowLastChange
  by self write
  by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
 access to dn.subtree="dc=mageia,dc=org" attrs=userPassword
  by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
@@ -53,7 +53,7 @@ access to dn.subtree="dc=mageia,dc=org"
 # password policies
 access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
  by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
 # samba password attributes
 # by self not strictly necessary, because samba uses its own admin user to
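Review bot: Replacing `by * read` with `by users read` on the shadowLastChange rule leaves anonymous binds with no matching `by` clause, so they fall to slapd's implicit `by * none`; that is the intended tightening, but any NSS/PAM consumer still binding anonymously for shadow lookups will silently stop seeing the attribute rather than fail loudly. The same substitution is made in the password-policy hunk right below and in the sambaDomain, Idmap, Address Book, sudoers, dns, mail-recipient and final entry/uid/cn hunks, so a service-DN bind is now required file-wide for every reader. The file does not say this anywhere; a comment at this first occurrence would make the contract explicit, e.g. `# anonymous binds get no access below this point (implicit "by * none"); NSS/PAM and service consumers must bind with a service DN`.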
@@ -77,16 +77,18 @@ access to dn.subtree="dc=mageia,dc=org"
 access to dn.subtree="dc=mageia,dc=org" attrs=pwdReset,pwdAccountLockedTime
  by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by self read
 # group owner can add/remove/edit members to groups
 access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$" attrs=member
  by dnattr=owner write
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
  by users +sx
 access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$" attrs=cn,description,objectClass,gidNumber
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
  by users read
 # registration - allow registrar group to create basic unprivileged accounts
@@ -106,7 +108,7 @@ access to dn.subtree="ou=People,dc=mageia,dc=org"
 access to dn.subtree="ou=People,dc=mageia,dc=org" attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
  by self write
- by users +sx
+ by users read
 # create new accounts
 access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
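Review bot: The added `by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write` on the attrs=member rule applies to the whole `ou=(System Groups|Group)` regex, so an Account Admin can now rewrite the membership of every system group, including the Sudo Admins, DNS Admins, IDMAP Admins, MTA Admins and Address Book Admins groups this file grants separate rights to, and Account Admins itself; the separate roles collapse into one. The second added line grants the same group write on cn and objectClass of those entries, which has the same reach. If that is not intended, keep owner-only membership writes for ou=System Groups and give Account Admins write only under ou=Group, as below (the cn/description/objectClass/gidNumber rule would need the same split); if it is intended, a comment above the rule saying Account Admins may manage membership of all system groups would make the decision visible.
```conf
# group owner can add/remove/edit members to groups
# system groups: membership is managed by the group owner only
access to dn.regex="^cn=[^,]+,ou=System Groups,dc=mageia,dc=org$" attrs=member
	by dnattr=owner write
	by users +sx
# ordinary groups: owner or Account Admins
access to dn.regex="^cn=[^,]+,ou=Group,dc=mageia,dc=org$" attrs=member
	by dnattr=owner write
	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
	by users +sx
# … unchanged: cn,description,objectClass,gidNumber rule (apply the same split) …
```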
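Review bot: `by users read` on the carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage rule in the second hunk exposes every account's home address and personal phone numbers to any authenticated user, not just the attributes a directory or address book needs. The subject line says the widening is deliberate, but the rule bundles work-contact attributes with home ones under one `by` list. If only mail, telephoneNumber and preferredLanguage are meant to be readable by other users, split the rule so the personal attributes keep `by users +sx`, as below; if the full set is meant to be visible, a comment above the rule stating that should be added.
```conf
access to dn.subtree="ou=People,dc=mageia,dc=org" attrs=telephoneNumber,mail,preferredLanguage
	by self write
	by users read
# personal contact data: searchable by other users, readable only by the owner
access to dn.subtree="ou=People,dc=mageia,dc=org" attrs=carLicense,homePhone,homePostalAddress,mobile,pager
	by self write
	by users +sx
```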
@@ -122,21 +124,21 @@ access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$"
 access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$" attrs=children,entry,@sambaDomain,@sambaUnixIdPool
  by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
 # samba ID mapping
 access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$" attrs=children,entry,@sambaIdmapEntry
  by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
  by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
 # global address book
 # XXX - which class(es) to use?
 access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org" attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
  by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
 # dhcp entries
 # XXX - open up read access to anybody?
@@ -150,13 +152,13 @@ access to dn.sub="ou=dhcp,dc=mageia,dc=org"
 access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$" attrs=children,entry,@sudoRole
  by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
 # dns
 access to dn="ou=dns,dc=mageia,dc=org" attrs=entry,@extensibleObject
  by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
 access to dn.sub="ou=dns,dc=mageia,dc=org" attrs=children,entry,@dNSZone
  by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
@@ -169,7 +171,7 @@ access to dn.sub="ou=dns,dc=mageia,dc=org"
 access to dn.one="ou=People,dc=mageia,dc=org" attrs=@inetLocalMailRecipient,mail
  by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
 # KDE Configuration
 access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
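Review bot: The `# XXX - open up read access to anybody?` comment that closes the first hunk now reads against the commit, which removes anonymous read from every neighbouring rule (sambaDomain, Idmap and Address Book here; sudoers, dns and the mail-recipient rule in the two hunks below), so the open question it records has effectively been answered. The dhcp rule it refers to sits between this hunk and the next and is not visible here, so I cannot tell whether it was already restricted. Either drop the question or replace it with a statement of the chosen policy once that rule has been checked, e.g. `# dhcp entries - read limited to authenticated users, consistent with the rest of the tree`.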
@@ -178,5 +180,5 @@ access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
 # last one
 access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
- by * read
+ by users read
-- 
cgit v1.2.1