1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
|
# mandriva-dit-access.conf
limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>"
limit size=unlimited
limit time=unlimited
limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>"
limit size=unlimited
limit time=unlimited
limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>"
limit size=unlimited
limit time=unlimited
# so we don't have to add these to every other acl down there
access to dn.subtree="<%= dc_suffix %>"
by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write
by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read
by * break
# userPassword access
# Allow account registration to write userPassword of unprivileged users accounts
access to dn.subtree="ou=People,<%= dc_suffix %>"
filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
attrs=userPassword
by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w
by * +0 break
# shadowLastChange is here because it needs to be writable by the user because
# of pam_ldap, which will update this attr whenever the password is changed.
# And this is done with the user's credentials
access to dn.subtree="<%= dc_suffix %>"
attrs=shadowLastChange
by self write
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
access to dn.subtree="<%= dc_suffix %>"
attrs=userPassword
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by self write
by anonymous auth
by * none
# kerberos key access
# "by auth" just in case...
access to dn.subtree="<%= dc_suffix %>"
attrs=krb5Key
by self write
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by anonymous auth
by * none
# password policies
access to dn.subtree="ou=Password Policies,<%= dc_suffix %>"
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# samba password attributes
# by self not strictly necessary, because samba uses its own admin user to
# change the password on the user's behalf
# openldap also doesn't auth on these attributes, but maybe some day it will
access to dn.subtree="<%= dc_suffix %>"
attrs=sambaLMPassword,sambaNTPassword
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by anonymous auth
by self write
by * none
# password history attribute
# pwdHistory is read-only, but ACL is simplier with it here
access to dn.subtree="<%= dc_suffix %>"
attrs=sambaPasswordHistory,pwdHistory
by self read
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by * none
# pwdReset, so the admin can force an user to change a password
access to dn.subtree="<%= dc_suffix %>"
attrs=pwdReset,pwdAccountLockedTime
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by self read
# group owner can add/remove/edit members to groups
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
attrs=member,owner
by dnattr=owner write
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users +scrx
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
attrs=cn,description,objectClass,gidNumber
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# registration - allow registrar group to create basic unprivileged accounts
access to dn.subtree="ou=People,<%= dc_suffix %>"
attrs="objectClass"
val="inetOrgperson"
by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
by * +0 break
access to dn.subtree="ou=People,<%= dc_suffix %>"
filter="(!(objectclass=posixAccount))"
attrs=cn,sn,gn,mail,entry,children,preferredLanguage
by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
by * +0 break
# TODO maybe we should use a group instead of a user here
access to dn.subtree="ou=People,<%= dc_suffix %>"
filter="(objectclass=posixAccount)"
attrs=homeDirectory,cn,uid,loginShell,gidNumber,uidNumber
by dn.one="ou=Hosts,<%= dc_suffix %>" read
by * +0 break
# let the user change some of his/her attributes
access to dn.subtree="ou=People,<%= dc_suffix %>"
attrs=cn,sn,givenName,carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey
by self write
by users read
access to dn.subtree="ou=People,<%= dc_suffix %>"
attrs=memberOf
by users read
# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$"
attrs=children,entry
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by * break
# access to existing entries
access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$"
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by * break
# sambaDomainName entry
access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$"
attrs=children,entry,@sambaDomain,@sambaUnixIdPool
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# samba ID mapping
access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$"
attrs=children,entry,@sambaIdmapEntry
by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# global address book
# XXX - which class(es) to use?
access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>"
attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# dhcp entries
# XXX - open up read access to anybody?
access to dn.sub="ou=dhcp,<%= dc_suffix %>"
attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write
by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read
by * read
# sudoers
access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$"
attrs=children,entry,@sudoRole
by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# dns
access to dn="ou=dns,<%= dc_suffix %>"
attrs=entry,@extensibleObject
by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
access to dn.sub="ou=dns,<%= dc_suffix %>"
attrs=children,entry,@dNSZone
by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read
by * none
# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
access to dn.one="ou=People,<%= dc_suffix %>"
attrs=@inetLocalMailRecipient,mail
by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write
by users read
# KDE Configuration
access to dn.sub="ou=KDEConfig,<%= dc_suffix %>"
by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write
by * read
# last one
access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn
by users read
|