# mandriva-dit-access.conf

# No size/time limits for the replication consumer and the two admin groups,
# so a full-tree syncrepl refresh or a bulk account operation is not cut off
# by slapd's sizelimit/timelimit defaults (configured elsewhere). A limits
# directive is selected by the bind DN's group membership, so none of these
# apply to ordinary users or to anonymous binds.
limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org"
	limit size=unlimited
	limit time=unlimited

limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org"
	limit size=unlimited
	limit time=unlimited

limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org"
	limit size=unlimited
	limit time=unlimited

# so we don't have to add these to every other acl down there
# First stanza evaluated for every entry under the suffix (slapd applies the
# first "access to" whose target matches, then the first matching "by"):
#   - LDAP Admins: write on everything, i.e. full control of the DIT
#   - LDAP Replicators: read on everything, including the password and key
#     attributes that are denied to everyone else further down; a syncrepl
#     consumer needs that to mirror them
#   - everyone else: "break" continues with the following stanzas instead of
#     hitting the implicit "by * none" that would otherwise end this directive
access to dn.subtree="dc=mageia,dc=org"
	by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write
	by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read
	by * break

# userPassword access
# shadowLastChange is here because it needs to be writable by the user because
# of pam_ldap, which will update this attr whenever the password is changed.
# And this is done with the user's credentials
# shadowLastChange only records when the password was last changed, so it is
# safe to leave world-readable; it is the one shadow attribute a user may set
# on their own entry (no later stanza grants self write on other shadow attrs).
access to dn.subtree="dc=mageia,dc=org"
        attrs=shadowLastChange
        by self write
        by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
        by * read
# userPassword is never readable here. "auth" lets an anonymous session use
# the stored value for a simple bind (compare only, no read); the entry's own
# DN and Account Admins may change it; any other authenticated identity gets
# none (the implicit default, spelled out for clarity). LDAP Admins write and
# LDAP Replicators read it via the first stanza. If the ppolicy overlay is
# loaded (the pwd* attributes further down suggest it is), a "self" change is
# still subject to the policy in ou=Password Policies.
access to dn.subtree="dc=mageia,dc=org"
	attrs=userPassword
	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
	by self write
	by anonymous auth
	by * none

# kerberos key access
# "by auth" just in case...
# Same shape as userPassword: key material is never readable, only usable
# for bind from an anonymous session, and writable by the account's own DN
# and by Account Admins (plus LDAP Admins via the first stanza; Replicators
# read it there for replication).
# NOTE(review): "by self write" lets a user replace their own krb5Key
# directly over LDAP, bypassing whatever policy kadmin/kpasswd would apply.
# Keep it only if users are meant to do that; if the KDC writes keys with its
# own bind DN (as the samba stanza below says samba does for its hashes),
# dropping the self clause would be tighter.
access to dn.subtree="dc=mageia,dc=org"
        attrs=krb5Key
        by self write
        by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
        by anonymous auth
        by * none

# password policies
# ppolicy configuration entries: Account Admins may edit them, everyone
# (anonymous binds included) may read them. A policy entry only reveals its
# own parameters (e.g. length or lockout settings per the ppolicy schema),
# not any user data, so world-readable is acceptable here.
access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
	by * read

# samba password attributes
# by self not strictly necessary, because samba uses its own admin user to
# change the password on the user's behalf
# openldap also doesn't auth on these attributes, but maybe some day it will
# Effective access: Account Admins write, self write, anonymous may only
# present them for bind ("auth"), everyone else none - the LM/NT hashes are
# never readable here (Replicators read / LDAP Admins write via the first
# stanza). "anonymous" and "self" never overlap, so their order is irrelevant.
# NOTE(review): the ACL cannot protect against LM hashes being weak; whether
# sambaLMPassword is populated at all is a samba-side setting worth checking.
access to dn.subtree="dc=mageia,dc=org"
	attrs=sambaLMPassword,sambaNTPassword
	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
	by anonymous auth
	by self write
	by * none
# password history attribute
# pwdHistory is read-only, but the ACL is simpler with it here
# A user may read (not change) their own history; Account Admins get write,
# which in practice only matters for sambaPasswordHistory since pwdHistory is
# maintained by the ppolicy overlay itself. Everyone else: none.
access to dn.subtree="dc=mageia,dc=org"
	attrs=sambaPasswordHistory,pwdHistory
	by self read
	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
	by * none

# pwdReset, so the admin can force a user to change a password
# Deliberately no "self" clause: the user can see the flag (by * read) but
# cannot clear it; only Account Admins (and LDAP Admins, first stanza) can.
access to dn.subtree="dc=mageia,dc=org"
	attrs=pwdReset
	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
	by * read

# group owner can add/remove/edit members to groups
# dnattr=owner grants write on "member" to whichever DN(s) the group entry
# lists in its own "owner" attribute. Only "member" is covered - memberUid
# (posixGroup) is not - and every other identity continues ("break") to the
# Account Admins stanzas below.
# NOTE(review): the pattern intentionally includes ou=System Groups, so an
# owner of e.g. cn=LDAP Admins or cn=Account Admins can add members to it
# and thereby hand out the DIT-wide write granted in the first stanza.
# Within this file only LDAP Admins can set "owner" on a System Groups entry
# (the Account Admins stanzas below cover ou=Group, not ou=System Groups), so
# setting "owner" there should be treated as delegating that privilege.
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
	attrs=member
	by dnattr=owner write
	by * break

# let the user change some of his/her attributes
# Self-service is limited to these contact-detail attributes; apart from the
# password/key attributes above, no later stanza grants "self" write, so the
# rest of a user's own entry is read-only to them. Other identities continue
# ("break") to the Account Admins stanzas below.
access to dn.subtree="ou=People,dc=mageia,dc=org"
	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber
	by self write
	by * break

# create new accounts
# Write on "children" of the parent plus "entry" of the target is what slapd
# requires for add/delete/modrdn; the optional first RDN in the pattern makes
# this cover the three ou entries themselves and one level below them.
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
	attrs=children,entry
	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
	by * break
# access to existing entries
# No attrs= restriction: Account Admins can write every remaining attribute
# of entries one level below ou=People, ou=Hosts and ou=Group - objectClass,
# uidNumber, gidNumber and "owner" included - which makes membership of
# cn=Account Admins effectively root-equivalent on any host that trusts these
# posix attributes. Everyone else continues ("break") to the stanzas below,
# and ends up with only entry/uid/cn read from the last stanza.
access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$"
	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
	by * break

# sambaDomainName entry
# Matches the suffix entry itself and sambaDomainName=* entries directly
# under it. "children" on the suffix lets Account Admins add/delete entries
# there, but only sambaDomainName=* ones, because "entry" write is granted
# on nothing else at that level. World-readable (anonymous included).
access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
	attrs=children,entry,@sambaDomain,@sambaUnixIdPool
	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
	by * read

# samba ID mapping
# Same shape for ou=Idmap and its sambaSID=* children; IDMAP Admins is a
# separate group so that whatever allocates SID<->uid mappings (presumably
# a samba/winbind service identity - not visible here) need not be an
# Account Admin. World-readable (anonymous included).
access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
	attrs=children,entry,@sambaIdmapEntry
	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
	by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
	by * read

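# global address book
# XXX - which class(es) to use?
# Address Book Admins may create, delete and modify entries anywhere under
# the ou; everyone else (anonymous binds included) may read them. The
# object classes listed are the ones evolution uses for contacts and lists.
# This was a dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org" without the
# trailing '$' that every other pattern in this file has; dn.subtree selects
# exactly the ou and everything below it, which is what the regex meant, and
# is anchored by construction.
access to dn.subtree="ou=Address Book,dc=mageia,dc=org"
	attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
	by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
	by * read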

# dhcp entries
# XXX - open up read access to anybody?
# NOTE(review): as written the answer is already "yes": the trailing
# "by * read" grants read to everyone, anonymous binds included, so the
# "DHCP Readers" clause above it never changes the outcome (first matching
# "by" wins and both yield read). If the dhcp host/lease entries carry
# client hardware addresses and lease state, as the object class names
# suggest, that data is world-readable. The dns stanza below shows the
# tighter shape ("by * none" after the Readers group); before copying it
# here, confirm which identity the DHCP server binds with and put it in
# cn=DHCP Readers - that is not visible from this file.
access to dn.sub="ou=dhcp,dc=mageia,dc=org"
	attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
	by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write
	by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read
	by * read

# sudoers
# sudoRole entries (ou=sudoers and one level below) are world-readable,
# anonymous binds included - needed if sudo-ldap clients bind anonymously,
# but it also lets anyone who can reach the directory enumerate who may run
# what, as whom, on which hosts. If the sudo clients bind with a DN, a
# "Sudo Readers" group followed by "by * none" (the dns pattern below) would
# close that off; confirm the client configuration before tightening.
access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
	attrs=children,entry,@sudoRole
	by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
	by * read

# dns
# The ou=dns container itself is world-readable (its extensibleObject
# attributes and the entry), so clients can find it ...
access to dn="ou=dns,dc=mageia,dc=org"
	attrs=entry,@extensibleObject
	by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
	by * read
# ... but the zone data below it is not: DNS Admins write, DNS Readers read,
# everyone else none. Because "entry" is in the attribute list, identities
# outside those groups cannot even see that the zone entries exist. This is
# the most restrictive stanza in the file and the model to copy for dhcp and
# sudoers above if they are ever locked down.
access to dn.sub="ou=dns,dc=mageia,dc=org"
	attrs=children,entry,@dNSZone
	by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
	by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
	by * none

# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
# Only entries directly under ou=People (dn.one). MTA Admins may edit the
# mail routing attributes and "mail"; everyone else, anonymous included, may
# read them - which an MTA doing recipient lookups needs, but which also
# makes the full list of mail addresses harvestable by anyone who can bind.
access to dn.one="ou=People,dc=mageia,dc=org"
	attrs=@inetLocalMailRecipient,mail
	by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
	by * read

# KDE Configuration
# Whole subtree, all attributes: KDEConfig Admins write, everyone else
# (anonymous included) read. Nothing here is expected to be secret; if
# per-user settings are ever stored under this ou, revisit the "by * read".
access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
	by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write
	by * read

# last one
# Everything that arrived here through "break" (or matched no earlier
# stanza) gets read on the entry itself plus uid and cn, for everyone
# including anonymous binds - enough to locate an entry by uid/cn, not to
# read it.
# NOTE(review): any attribute that is neither listed here nor matched by an
# earlier stanza (e.g. objectClass, sn, uidNumber, gidNumber, homeDirectory,
# loginShell, memberUid, owner) falls through to the implicit
# "access to * by * none" with which slapd terminates a non-empty ACL list
# (slapd.access(5)). Only LDAP Admins (write), LDAP Replicators (read) and,
# under People/Hosts/Group, Account Admins (write) can see those, and a
# filter such as (objectClass=posixAccount) will not match for anyone else
# since filter evaluation needs search access to the attribute. If NSS/PAM
# clients are expected to resolve posix accounts and groups without a
# privileged bind, that requires a further stanza (or more attrs here);
# if another included file already provides it, this note can go. Confirm
# how the clients bind before widening it.
access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
	by * read