2 files changed, 304 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/attachments/20101105/eaebe76e/attachment-0001.html b/zarb-ml/mageia-sysadm/attachments/20101105/eaebe76e/attachment-0001.html
new file mode 100644
index 000000000..855e5202b
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/attachments/20101105/eaebe76e/attachment-0001.html
@@ -0,0 +1,152 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
+<title>[134] Finalise registration ACLs</title>
+</head>
+<body>
+
+<style type="text/css"><!--
+#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
+#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
+#msg dt:after { content:':';}
+#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
+#msg dl a { font-weight: bold}
+#msg dl a:link    { color:#fc3; }
+#msg dl a:active  { color:#ff0; }
+#msg dl a:visited { color:#cc6; }
+h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
+#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
+#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
+#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
+#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
+#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
+#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
+#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
+#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
+#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
+#logmsg pre { background: #eee; padding: 1em; }
+#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
+#logmsg dl { margin: 0; }
+#logmsg dt { font-weight: bold; }
+#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
+#logmsg dd:before { content:'\00bb';}
+#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
+#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
+#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
+#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
+#logmsg table th.Corner { text-align: left; }
+#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
+#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
+#patch { width: 100%; }
+--></style>
+<div id="msg">
+<dl class="meta">
+<dt>Revision</dt> <dd>134</dd>
+<dt>Author</dt> <dd>buchan</dd>
+<dt>Date</dt> <dd>2010-11-05 13:19:23 +0100 (Fri, 05 Nov 2010)</dd>
+</dl>
+
+<h3>Log Message</h3>
+<pre>Finalise registration ACLs
+Restrict anonymous access (to none)
+Add some additional ACLs to put back some access that previously relied on anonymous
+Listen on all IP addresses, and ldapi
+Assign localSSF matching ssf requirement, so we allow ldapi,ldaps,ldap+start_tls</pre>
+
+<h3>Modified Paths</h3>
+<ul>
+<li><a href="#puppetmodulesopenldaptemplatesldapsysconfig">puppet/modules/openldap/templates/ldap.sysconfig</a></li>
+<li><a href="#puppetmodulesopenldaptemplatesmandrivaditaccessconf">puppet/modules/openldap/templates/mandriva-dit-access.conf</a></li>
+<li><a href="#puppetmodulesopenldaptemplatesslapdconf">puppet/modules/openldap/templates/slapd.conf</a></li>
+</ul>
+
+</div>
+<div id="patch"><pre>
+<a id="puppetmodulesopenldaptemplatesldapsysconfig">Modified: puppet/modules/openldap/templates/ldap.sysconfig</a>
+===================================================================
+--- puppet/modules/openldap/templates/ldap.sysconfig	2010-11-05 11:03:31 UTC (rev 133)
++++ puppet/modules/openldap/templates/ldap.sysconfig	2010-11-05 12:19:23 UTC (rev 134)
+@@ -3,7 +3,7 @@
+ SLAPDSYSLOGLOCALUSER=&quot;local4&quot;
+ 
+ # SLAPD URL list 
+-SLAPDURLLIST=&quot;ldap://127.0.0.1/ ldaps://127.0.0.1/&quot;
++SLAPDURLLIST=&quot;ldap:/// ldaps:/// ldapi:///&quot;
+ 
+ # Config file to use for slapd
+ #SLAPDCONF=/etc/openldap/slapd.conf
+
+<a id="puppetmodulesopenldaptemplatesmandrivaditaccessconf">Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf</a>
+===================================================================
+--- puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-05 11:03:31 UTC (rev 133)
++++ puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-05 12:19:23 UTC (rev 134)
+@@ -85,11 +85,24 @@
+ 	by dnattr=owner write
+ 	by * break
+ 
++# registration - allow registrar group to create basic unprivileged accounts
++access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
++	attrs=&quot;objectClass&quot; 
++	val=&quot;inetOrgperson&quot; 
++	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; =a
++	by * +0 break
++
++access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
++	filter=&quot;(!(objectclass=posixAccount))&quot;
++	attrs=cn,sn,gn,mail,entry,children
++	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; =a
++	by * +0 break
++
+ # let the user change some of his/her attributes
+ access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot;
+ 	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
+ 	by self write
+-	by * break
++	by * +0 break
+ 
+ # create new accounts
+ access to dn.regex=&quot;^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$&quot;
+@@ -146,17 +159,7 @@
+ 	by group.exact=&quot;cn=DNS Readers,ou=System Groups,dc=mageia,dc=org&quot; read
+ 	by * none
+ 
+-# registration - allow registrar group to create basic unprivileged accounts
+-access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
+-	attrs=&quot;objectClass&quot; 
+-	val=&quot;inetOrgperson&quot; 
+-	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; write by * +0 break
+ 
+-access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
+-	attrs=&quot;cn,sn,gn,mail,entry,children&quot; 
+-	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; +a break
+-	by * +0 break
+-
+ # MTA
+ # XXX - what else can we add here? Virtual Domains? With which schema?
+ access to dn.one=&quot;ou=People,dc=mageia,dc=org&quot;
+
+<a id="puppetmodulesopenldaptemplatesslapdconf">Modified: puppet/modules/openldap/templates/slapd.conf</a>
+===================================================================
+--- puppet/modules/openldap/templates/slapd.conf	2010-11-05 11:03:31 UTC (rev 133)
++++ puppet/modules/openldap/templates/slapd.conf	2010-11-05 12:19:23 UTC (rev 134)
+@@ -40,6 +40,14 @@
+ TLSCertificateKeyFile   /etc/ssl/openldap/ldap.pem
+ TLSCACertificateFile    /etc/ssl/openldap/ldap.pem
+ 
++# Give ldapi connection some security
++localSSF 56
++# Require at least this security, so we allow:
++# ldapi
++# ldap+start_tls
++# ldaps
++security ssf=56
++
+ loglevel 256
+ 
+ database	bdb
+
+</pre></div>
+
+</body>
+</html>
+\ No newline at end of file
diff --git a/zarb-ml/mageia-sysadm/attachments/20101105/eaebe76e/attachment.html b/zarb-ml/mageia-sysadm/attachments/20101105/eaebe76e/attachment.html
new file mode 100644
index 000000000..855e5202b
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/attachments/20101105/eaebe76e/attachment.html
@@ -0,0 +1,152 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
+"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
+<title>[134] Finalise registration ACLs</title>
+</head>
+<body>
+
+<style type="text/css"><!--
+#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
+#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
+#msg dt:after { content:':';}
+#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
+#msg dl a { font-weight: bold}
+#msg dl a:link    { color:#fc3; }
+#msg dl a:active  { color:#ff0; }
+#msg dl a:visited { color:#cc6; }
+h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
+#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
+#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
+#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
+#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
+#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
+#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
+#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
+#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
+#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
+#logmsg pre { background: #eee; padding: 1em; }
+#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
+#logmsg dl { margin: 0; }
+#logmsg dt { font-weight: bold; }
+#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
+#logmsg dd:before { content:'\00bb';}
+#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
+#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
+#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
+#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
+#logmsg table th.Corner { text-align: left; }
+#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
+#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
+#patch { width: 100%; }
+--></style>
+<div id="msg">
+<dl class="meta">
+<dt>Revision</dt> <dd>134</dd>
+<dt>Author</dt> <dd>buchan</dd>
+<dt>Date</dt> <dd>2010-11-05 13:19:23 +0100 (Fri, 05 Nov 2010)</dd>
+</dl>
+
+<h3>Log Message</h3>
+<pre>Finalise registration ACLs
+Restrict anonymous access (to none)
+Add some additional ACLs to put back some access that previously relied on anonymous
+Listen on all IP addresses, and ldapi
+Assign localSSF matching ssf requirement, so we allow ldapi,ldaps,ldap+start_tls</pre>
+
+<h3>Modified Paths</h3>
+<ul>
+<li><a href="#puppetmodulesopenldaptemplatesldapsysconfig">puppet/modules/openldap/templates/ldap.sysconfig</a></li>
+<li><a href="#puppetmodulesopenldaptemplatesmandrivaditaccessconf">puppet/modules/openldap/templates/mandriva-dit-access.conf</a></li>
+<li><a href="#puppetmodulesopenldaptemplatesslapdconf">puppet/modules/openldap/templates/slapd.conf</a></li>
+</ul>
+
+</div>
+<div id="patch"><pre>
+<a id="puppetmodulesopenldaptemplatesldapsysconfig">Modified: puppet/modules/openldap/templates/ldap.sysconfig</a>
+===================================================================
+--- puppet/modules/openldap/templates/ldap.sysconfig	2010-11-05 11:03:31 UTC (rev 133)
++++ puppet/modules/openldap/templates/ldap.sysconfig	2010-11-05 12:19:23 UTC (rev 134)
+@@ -3,7 +3,7 @@
+ SLAPDSYSLOGLOCALUSER=&quot;local4&quot;
+ 
+ # SLAPD URL list 
+-SLAPDURLLIST=&quot;ldap://127.0.0.1/ ldaps://127.0.0.1/&quot;
++SLAPDURLLIST=&quot;ldap:/// ldaps:/// ldapi:///&quot;
+ 
+ # Config file to use for slapd
+ #SLAPDCONF=/etc/openldap/slapd.conf
+
+<a id="puppetmodulesopenldaptemplatesmandrivaditaccessconf">Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf</a>
+===================================================================
+--- puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-05 11:03:31 UTC (rev 133)
++++ puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-05 12:19:23 UTC (rev 134)
+@@ -85,11 +85,24 @@
+ 	by dnattr=owner write
+ 	by * break
+ 
++# registration - allow registrar group to create basic unprivileged accounts
++access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
++	attrs=&quot;objectClass&quot; 
++	val=&quot;inetOrgperson&quot; 
++	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; =a
++	by * +0 break
++
++access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
++	filter=&quot;(!(objectclass=posixAccount))&quot;
++	attrs=cn,sn,gn,mail,entry,children
++	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; =a
++	by * +0 break
++
+ # let the user change some of his/her attributes
+ access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot;
+ 	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
+ 	by self write
+-	by * break
++	by * +0 break
+ 
+ # create new accounts
+ access to dn.regex=&quot;^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$&quot;
+@@ -146,17 +159,7 @@
+ 	by group.exact=&quot;cn=DNS Readers,ou=System Groups,dc=mageia,dc=org&quot; read
+ 	by * none
+ 
+-# registration - allow registrar group to create basic unprivileged accounts
+-access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
+-	attrs=&quot;objectClass&quot; 
+-	val=&quot;inetOrgperson&quot; 
+-	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; write by * +0 break
+ 
+-access to dn.subtree=&quot;ou=People,dc=mageia,dc=org&quot; 
+-	attrs=&quot;cn,sn,gn,mail,entry,children&quot; 
+-	by group/groupOfNames/member.exact=&quot;cn=registrars,ou=system groups,dc=mageia,dc=org&quot; +a break
+-	by * +0 break
+-
+ # MTA
+ # XXX - what else can we add here? Virtual Domains? With which schema?
+ access to dn.one=&quot;ou=People,dc=mageia,dc=org&quot;
+
+<a id="puppetmodulesopenldaptemplatesslapdconf">Modified: puppet/modules/openldap/templates/slapd.conf</a>
+===================================================================
+--- puppet/modules/openldap/templates/slapd.conf	2010-11-05 11:03:31 UTC (rev 133)
++++ puppet/modules/openldap/templates/slapd.conf	2010-11-05 12:19:23 UTC (rev 134)
+@@ -40,6 +40,14 @@
+ TLSCertificateKeyFile   /etc/ssl/openldap/ldap.pem
+ TLSCACertificateFile    /etc/ssl/openldap/ldap.pem
+ 
++# Give ldapi connection some security
++localSSF 56
++# Require at least this security, so we allow:
++# ldapi
++# ldap+start_tls
++# ldaps
++security ssf=56
++
+ loglevel 256
+ 
+ database	bdb
+
+</pre></div>
+
+</body>
+</html>
+\ No newline at end of file