diff options
Diffstat (limited to 'zarb-ml/mageia-sysadm/attachments/20101122/87e3ed06/attachment.html')
| -rw-r--r-- | zarb-ml/mageia-sysadm/attachments/20101122/87e3ed06/attachment.html | 310 |
1 files changed, 310 insertions, 0 deletions
diff --git a/zarb-ml/mageia-sysadm/attachments/20101122/87e3ed06/attachment.html b/zarb-ml/mageia-sysadm/attachments/20101122/87e3ed06/attachment.html new file mode 100644 index 000000000..d0699b527 --- /dev/null +++ b/zarb-ml/mageia-sysadm/attachments/20101122/87e3ed06/attachment.html @@ -0,0 +1,310 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" +"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head><meta http-equiv="content-type" content="text/html; charset=utf-8" /> +<title>[375] - do not hardcode mageia.org in acl</title> +</head> +<body> + +<style type="text/css"><!-- +#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; } +#msg dl.meta dt { float: left; width: 6em; font-weight: bold; } +#msg dt:after { content:':';} +#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; } +#msg dl a { font-weight: bold} +#msg dl a:link { color:#fc3; } +#msg dl a:active { color:#ff0; } +#msg dl a:visited { color:#cc6; } +h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; } +#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; } +#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; } +#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; } +#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; } +#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; } +#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; } +#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; } +#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; } +#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; } +#logmsg pre { background: #eee; padding: 1em; } +#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;} +#logmsg dl { margin: 0; } +#logmsg dt { font-weight: bold; } +#logmsg dd { margin: 0; padding: 0 0 0.5em 0; } +#logmsg dd:before { content:'\00bb';} +#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; } +#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; } +#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; } +#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; } +#logmsg table th.Corner { text-align: left; } +#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; } +#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; } +#patch { width: 100%; } +--></style> +<div id="msg"> +<dl class="meta"> +<dt>Revision</dt> <dd>375</dd> +<dt>Author</dt> <dd>misc</dd> +<dt>Date</dt> <dd>2010-11-22 03:04:02 +0100 (Mon, 22 Nov 2010)</dd> +</dl> + +<h3>Log Message</h3> +<pre>- do not hardcode mageia.org in acl</pre> + +<h3>Modified Paths</h3> +<ul> +<li><a href="#puppetmodulesopenldaptemplatesmandrivaditaccessconf">puppet/modules/openldap/templates/mandriva-dit-access.conf</a></li> +</ul> + +</div> +<div id="patch"><pre> +<a id="puppetmodulesopenldaptemplatesmandrivaditaccessconf">Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf</a> +=================================================================== +--- puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-22 02:03:58 UTC (rev 374) ++++ puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-22 02:04:02 UTC (rev 375) +@@ -1,184 +1,184 @@ + # mandriva-dit-access.conf + +-limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" ++limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" + limit size=unlimited + limit time=unlimited + +-limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" ++limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" + limit size=unlimited + limit time=unlimited + +-limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" ++limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" + limit size=unlimited + limit time=unlimited + + # so we don't have to add these to every other acl down there +-access to dn.subtree="dc=mageia,dc=org" +- by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write +- by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read ++access to dn.subtree="<%= dc_suffix %>" ++ by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write ++ by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read + by * break + + # userPassword access + # Allow account registration to write userPassword of unprivileged users accounts +-access to dn.subtree="ou=People,dc=mageia,dc=org" ++access to dn.subtree="ou=People,<%= dc_suffix %>" + filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))" + attrs=userPassword,pwdReset +- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a ++ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +a + by * +0 break + + # shadowLastChange is here because it needs to be writable by the user because + # of pam_ldap, which will update this attr whenever the password is changed. + # And this is done with the user's credentials +-access to dn.subtree="dc=mageia,dc=org" ++access to dn.subtree="<%= dc_suffix %>" + attrs=shadowLastChange + by self write +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by users read +-access to dn.subtree="dc=mageia,dc=org" ++access to dn.subtree="<%= dc_suffix %>" + attrs=userPassword +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by self write + by anonymous auth + by * none + + # kerberos key access + # "by auth" just in case... +-access to dn.subtree="dc=mageia,dc=org" ++access to dn.subtree="<%= dc_suffix %>" + attrs=krb5Key + by self write +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by anonymous auth + by * none + + # password policies +-access to dn.subtree="ou=Password Policies,dc=mageia,dc=org" +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++access to dn.subtree="ou=Password Policies,<%= dc_suffix %>" ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # samba password attributes + # by self not strictly necessary, because samba uses its own admin user to + # change the password on the user's behalf + # openldap also doesn't auth on these attributes, but maybe some day it will +-access to dn.subtree="dc=mageia,dc=org" ++access to dn.subtree="<%= dc_suffix %>" + attrs=sambaLMPassword,sambaNTPassword +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by anonymous auth + by self write + by * none + # password history attribute + # pwdHistory is read-only, but ACL is simplier with it here +-access to dn.subtree="dc=mageia,dc=org" ++access to dn.subtree="<%= dc_suffix %>" + attrs=sambaPasswordHistory,pwdHistory + by self read +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by * none + + # pwdReset, so the admin can force an user to change a password +-access to dn.subtree="dc=mageia,dc=org" ++access to dn.subtree="<%= dc_suffix %>" + attrs=pwdReset,pwdAccountLockedTime +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by self read + + # group owner can add/remove/edit members to groups +-access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$" ++access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" + attrs=member + by dnattr=owner write +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by users +sx + +-access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$" ++access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$" + attrs=cn,description,objectClass,gidNumber +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # registration - allow registrar group to create basic unprivileged accounts +-access to dn.subtree="ou=People,dc=mageia,dc=org" ++access to dn.subtree="ou=People,<%= dc_suffix %>" + attrs="objectClass" + val="inetOrgperson" +- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx ++ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx + by * +0 break + +-access to dn.subtree="ou=People,dc=mageia,dc=org" ++access to dn.subtree="ou=People,<%= dc_suffix %>" + filter="(!(objectclass=posixAccount))" + attrs=cn,sn,gn,mail,entry,children,preferredLanguage +- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx ++ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx + by * +0 break + + # let the user change some of his/her attributes +-access to dn.subtree="ou=People,dc=mageia,dc=org" ++access to dn.subtree="ou=People,<%= dc_suffix %>" + attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage + by self write + by users read + + # create new accounts +-access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$" ++access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$" + attrs=children,entry +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by * break + # access to existing entries +-access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$" +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$" ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by * break + + # sambaDomainName entry +-access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$" ++access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$" + attrs=children,entry,@sambaDomain,@sambaUnixIdPool +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # samba ID mapping +-access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$" ++access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$" + attrs=children,entry,@sambaIdmapEntry +- by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write +- by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write ++ by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # global address book + # XXX - which class(es) to use? +-access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org" ++access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>" + attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList +- by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # dhcp entries + # XXX - open up read access to anybody? +-access to dn.sub="ou=dhcp,dc=mageia,dc=org" ++access to dn.sub="ou=dhcp,<%= dc_suffix %>" + attrs=children,entry,@dhcpService,@dhcpServer,@dhcpSharedNetwork,@dhcpSubnet,@dhcpPool,@dhcpGroup,@dhcpHost,@dhcpClass,@dhcpSubClass,@dhcpOptions,@dhcpLeases,@dhcpLog +- by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write +- by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read ++ by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write ++ by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read + by * read + + # sudoers +-access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$" ++access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$" + attrs=children,entry,@sudoRole +- by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # dns +-access to dn="ou=dns,dc=mageia,dc=org" ++access to dn="ou=dns,<%= dc_suffix %>" + attrs=entry,@extensibleObject +- by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write + by users read +-access to dn.sub="ou=dns,dc=mageia,dc=org" ++access to dn.sub="ou=dns,<%= dc_suffix %>" + attrs=children,entry,@dNSZone +- by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write +- by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read ++ by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write ++ by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read + by * none + + + # MTA + # XXX - what else can we add here? Virtual Domains? With which schema? +-access to dn.one="ou=People,dc=mageia,dc=org" ++access to dn.one="ou=People,<%= dc_suffix %>" + attrs=@inetLocalMailRecipient,mail +- by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write ++ by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write + by users read + + # KDE Configuration +-access to dn.sub="ou=KDEConfig,dc=mageia,dc=org" +- by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write ++access to dn.sub="ou=KDEConfig,<%= dc_suffix %>" ++ by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write + by * read + + # last one +-access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn ++access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn + by users read + + +</pre></div> + +</body> +</html>
\ No newline at end of file |