aboutsummaryrefslogtreecommitdiffstats
path: root/modules/openldap/templates/mandriva-dit-access.conf
blob: d6a8a49c4facce319d37fd8adebf7f9cb50ca737 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
# mandriva-dit-access.conf

limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>"
	limit size=unlimited
	limit time=unlimited

limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>"
	limit size=unlimited
	limit time=unlimited

limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>"
	limit size=unlimited
	limit time=unlimited

# so we don't have to add these to every other acl down there
access to dn.subtree="<%= dc_suffix %>"
	by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write
	by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read
	by * break

# userPassword access
# Allow account registration to write userPassword of unprivileged users accounts
access to dn.subtree="ou=People,<%= dc_suffix %>" 
	filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
	attrs=userPassword
	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w
	by * +0 break

# shadowLastChange is here because it needs to be writable by the user because
# of pam_ldap, which will update this attr whenever the password is changed.
# And this is done with the user's credentials
access to dn.subtree="<%= dc_suffix %>"
        attrs=shadowLastChange
        by self write
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by users read
access to dn.subtree="<%= dc_suffix %>"
	attrs=userPassword
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by self write
	by anonymous auth
	by * none

# kerberos key access
# "by auth" just in case...
access to dn.subtree="<%= dc_suffix %>"
        attrs=krb5Key
        by self write
        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
        by anonymous auth
        by * none

# password policies
access to dn.subtree="ou=Password Policies,<%= dc_suffix %>"
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# samba password attributes
# by self not strictly necessary, because samba uses its own admin user to
# change the password on the user's behalf
# openldap also doesn't auth on these attributes, but maybe some day it will
access to dn.subtree="<%= dc_suffix %>"
	attrs=sambaLMPassword,sambaNTPassword
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by anonymous auth
	by self write
	by * none
# password history attribute
# pwdHistory is read-only, but ACL is simplier with it here
access to dn.subtree="<%= dc_suffix %>"
	attrs=sambaPasswordHistory,pwdHistory
	by self read
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by * none

# pwdReset, so the admin can force an user to change a password
access to dn.subtree="<%= dc_suffix %>"
	attrs=pwdReset,pwdAccountLockedTime
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by self read

# group owner can add/remove/edit members to groups
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
	attrs=member
	by dnattr=owner write
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by users +srx

access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
	attrs=cn,description,objectClass,gidNumber
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# registration - allow registrar group to create basic unprivileged accounts
access to dn.subtree="ou=People,<%= dc_suffix %>" 
	attrs="objectClass" 
	val="inetOrgperson" 
	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
	by * +0 break

access to dn.subtree="ou=People,<%= dc_suffix %>" 
	filter="(!(objectclass=posixAccount))"
	attrs=cn,sn,gn,mail,entry,children,preferredLanguage
	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
	by * +0 break

# TODO maybe we should use a group instead of a user here
access to dn.subtree="ou=People,<%= dc_suffix %>" 
	filter="(objectclass=posixAccount)"
	attrs=homeDirectory,cn,uid,loginShell,gidNumber,uidNumber
	by dn.one="ou=Hosts,<%= dc_suffix %>" read
	by * +0 break

# let the user change some of his/her attributes
access to dn.subtree="ou=People,<%= dc_suffix %>"
	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey
	by self write
	by users read

access to dn.subtree="ou=People,<%= dc_suffix %>"
	attrs=memberOf
	by users read


# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$"
	attrs=children,entry
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by * break
# access to existing entries
access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$"
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by * break

# sambaDomainName entry
access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$"
	attrs=children,entry,@sambaDomain,@sambaUnixIdPool
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# samba ID mapping
access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$"
	attrs=children,entry,@sambaIdmapEntry
	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
	by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# global address book
# XXX - which class(es) to use?
access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>"
	attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
	by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# dhcp entries
# XXX - open up read access to anybody?
access to dn.sub="ou=dhcp,<%= dc_suffix %>"
	attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog
	by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write
	by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read
	by * read

# sudoers
access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$"
	attrs=children,entry,@sudoRole
	by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# dns
access to dn="ou=dns,<%= dc_suffix %>"
	attrs=entry,@extensibleObject
	by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read
access to dn.sub="ou=dns,<%= dc_suffix %>"
	attrs=children,entry,@dNSZone
	by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
	by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read
	by * none


# MTA
# XXX - what else can we add here? Virtual Domains? With which schema?
access to dn.one="ou=People,<%= dc_suffix %>"
	attrs=@inetLocalMailRecipient,mail
	by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write
	by users read

# KDE Configuration
access to dn.sub="ou=KDEConfig,<%= dc_suffix %>"
	by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write
	by * read

# last one
access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn
	by users read