diff options
Diffstat (limited to 'zarb-ml/mageia-sysadm/2010-November/000750.html')
| -rw-r--r-- | zarb-ml/mageia-sysadm/2010-November/000750.html | 320 |
1 files changed, 320 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/2010-November/000750.html b/zarb-ml/mageia-sysadm/2010-November/000750.html new file mode 100644 index 000000000..e36b70cca --- /dev/null +++ b/zarb-ml/mageia-sysadm/2010-November/000750.html @@ -0,0 +1,320 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-sysadm] [375] - do not hardcode mageia.org in acl + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B375%5D%20-%20do%20not%20hardcode%20mageia.org%20in%20acl&In-Reply-To=%3C20101122020402.A02B43FC6F%40valstar.mageia.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="000747.html"> + <LINK REL="Next" HREF="000748.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-sysadm] [375] - do not hardcode mageia.org in acl</H1> + <B>root at mageia.org</B> + <A HREF="mailto:mageia-sysadm%40mageia.org?Subject=Re%3A%20%5BMageia-sysadm%5D%20%5B375%5D%20-%20do%20not%20hardcode%20mageia.org%20in%20acl&In-Reply-To=%3C20101122020402.A02B43FC6F%40valstar.mageia.org%3E" + TITLE="[Mageia-sysadm] [375] - do not hardcode mageia.org in acl">root at mageia.org + </A><BR> + <I>Mon Nov 22 03:04:02 CET 2010</I> + <P><UL> + <LI>Previous message: <A HREF="000747.html">[Mageia-sysadm] [374] - ldaps is required ( ie no unencrypted connection ) +</A></li> + <LI>Next message: <A HREF="000748.html">[Mageia-sysadm] [376] - add proper access to nss_ldap user so pam_ldap auth can work +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#750">[ date ]</a> + <a href="thread.html#750">[ thread ]</a> + <a href="subject.html#750">[ subject ]</a> + <a href="author.html#750">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>Revision: 375 +Author: misc +Date: 2010-11-22 03:04:02 +0100 (Mon, 22 Nov 2010) +Log Message: +----------- +- do not hardcode mageia.org in acl + +Modified Paths: +-------------- + puppet/modules/openldap/templates/mandriva-dit-access.conf + +Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf +=================================================================== +--- puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-22 02:03:58 UTC (rev 374) ++++ puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-22 02:04:02 UTC (rev 375) +@@ -1,184 +1,184 @@ + # mandriva-dit-access.conf + +-limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" ++limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" + limit size=unlimited + limit time=unlimited + +-limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" ++limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" + limit size=unlimited + limit time=unlimited + +-limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" ++limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" + limit size=unlimited + limit time=unlimited + + # so we don't have to add these to every other acl down there +-access to dn.subtree="dc=mageia,dc=org" +- by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write +- by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read ++access to dn.subtree="<%= dc_suffix %>" ++ by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write ++ by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read + by * break + + # userPassword access + # Allow account registration to write userPassword of unprivileged users accounts +-access to dn.subtree="ou=People,dc=mageia,dc=org" ++access to dn.subtree="ou=People,<%= dc_suffix %>" + filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))" + attrs=userPassword,pwdReset +- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a ++ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +a + by * +0 break + + # shadowLastChange is here because it needs to be writable by the user because + # of pam_ldap, which will update this attr whenever the password is changed. + # And this is done with the user's credentials +-access to dn.subtree="dc=mageia,dc=org" ++access to dn.subtree="<%= dc_suffix %>" + attrs=shadowLastChange + by self write +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by users read +-access to dn.subtree="dc=mageia,dc=org" ++access to dn.subtree="<%= dc_suffix %>" + attrs=userPassword +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by self write + by anonymous auth + by * none + + # kerberos key access + # "by auth" just in case... +-access to dn.subtree="dc=mageia,dc=org" ++access to dn.subtree="<%= dc_suffix %>" + attrs=krb5Key + by self write +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by anonymous auth + by * none + + # password policies +-access to dn.subtree="ou=Password Policies,dc=mageia,dc=org" +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++access to dn.subtree="ou=Password Policies,<%= dc_suffix %>" ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # samba password attributes + # by self not strictly necessary, because samba uses its own admin user to + # change the password on the user's behalf + # openldap also doesn't auth on these attributes, but maybe some day it will +-access to dn.subtree="dc=mageia,dc=org" ++access to dn.subtree="<%= dc_suffix %>" + attrs=sambaLMPassword,sambaNTPassword +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by anonymous auth + by self write + by * none + # password history attribute + # pwdHistory is read-only, but ACL is simplier with it here +-access to dn.subtree="dc=mageia,dc=org" ++access to dn.subtree="<%= dc_suffix %>" + attrs=sambaPasswordHistory,pwdHistory + by self read +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by * none + + # pwdReset, so the admin can force an user to change a password +-access to dn.subtree="dc=mageia,dc=org" ++access to dn.subtree="<%= dc_suffix %>" + attrs=pwdReset,pwdAccountLockedTime +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by self read + + # group owner can add/remove/edit members to groups +-access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$" ++access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" + attrs=member + by dnattr=owner write +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by users +sx + +-access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$" ++access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" + attrs=cn,description,objectClass,gidNumber +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # registration - allow registrar group to create basic unprivileged accounts +-access to dn.subtree="ou=People,dc=mageia,dc=org" ++access to dn.subtree="ou=People,<%= dc_suffix %>" + attrs="objectClass" + val="inetOrgperson" +- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx ++ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx + by * +0 break + +-access to dn.subtree="ou=People,dc=mageia,dc=org" ++access to dn.subtree="ou=People,<%= dc_suffix %>" + filter="(!(objectclass=posixAccount))" + attrs=cn,sn,gn,mail,entry,children,preferredLanguage +- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx ++ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx + by * +0 break + + # let the user change some of his/her attributes +-access to dn.subtree="ou=People,dc=mageia,dc=org" ++access to dn.subtree="ou=People,<%= dc_suffix %>" + attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage + by self write + by users read + + # create new accounts +-access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$" ++access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$" + attrs=children,entry +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by * break + # access to existing entries +-access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$" +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$" ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by * break + + # sambaDomainName entry +-access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$" ++access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$" + attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">children,entry, at sambaDomain</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at sambaUnixIdPool</A> +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # samba ID mapping +-access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$" ++access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$" + attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">children,entry, at sambaIdmapEntry</A> +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write +- by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write ++ by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # global address book + # XXX - which class(es) to use? +-access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org" ++access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>" + attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">children,entry, at inetOrgPerson</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at evolutionPerson</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at evolutionPersonList</A> +- by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # dhcp entries + # XXX - open up read access to anybody? +-access to dn.sub="ou=dhcp,dc=mageia,dc=org" ++access to dn.sub="ou=dhcp,<%= dc_suffix %>" + attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">children,entry, at dhcpService</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpServer</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpSharedNetwork</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpSubnet</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpPool</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpGroup</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpHost</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpClass</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpSubClass</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpOptions</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpLeases</A><A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">, at dhcpLog</A> +- by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write +- by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read ++ by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write ++ by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read + by * read + + # sudoers +-access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$" ++access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$" + attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">children,entry, at sudoRole</A> +- by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # dns +-access to dn="ou=dns,dc=mageia,dc=org" ++access to dn="ou=dns,<%= dc_suffix %>" + attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">entry, at extensibleObject</A> +- by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write + by users read +-access to dn.sub="ou=dns,dc=mageia,dc=org" ++access to dn.sub="ou=dns,<%= dc_suffix %>" + attrs=<A HREF="https://www.mageia.org/mailman/listinfo/mageia-sysadm">children,entry, at dNSZone</A> +- by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write +- by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read ++ by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write ++ by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read + by * none + + + # MTA + # XXX - what else can we add here? Virtual Domains? With which schema? +-access to dn.one="ou=People,dc=mageia,dc=org" ++access to dn.one="ou=People,<%= dc_suffix %>" + attrs=@inetLocalMailRecipient,mail +- by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # KDE Configuration +-access to dn.sub="ou=KDEConfig,dc=mageia,dc=org" +- by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write ++access to dn.sub="ou=KDEConfig,<%= dc_suffix %>" ++ by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write + by * read + + # last one +-access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn ++access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn + by users read + +-------------- next part -------------- +An HTML attachment was scrubbed... +URL: </pipermail/mageia-sysadm/attachments/20101122/87e3ed06/attachment-0001.html> +</PRE> + + + + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="000747.html">[Mageia-sysadm] [374] - ldaps is required ( ie no unencrypted connection ) +</A></li> + <LI>Next message: <A HREF="000748.html">[Mageia-sysadm] [376] - add proper access to nss_ldap user so pam_ldap auth can work +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#750">[ date ]</a> + <a href="thread.html#750">[ thread ]</a> + <a href="subject.html#750">[ subject ]</a> + <a href="author.html#750">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-sysadm">More information about the Mageia-sysadm +mailing list</a><br> +</body></html> |