From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001
From: Nicolas Vigier
Date: Sun, 14 Apr 2013 13:46:12 +0000
Subject: Add zarb MLs html archives
---
zarb-ml/mageia-sysadm/2010-November/000750.html | 320 ++++++++++++++++++++++++
1 file changed, 320 insertions(+)
create mode 100644 zarb-ml/mageia-sysadm/2010-November/000750.html
(limited to 'zarb-ml/mageia-sysadm/2010-November/000750.html')
diff --git a/zarb-ml/mageia-sysadm/2010-November/000750.html b/zarb-ml/mageia-sysadm/2010-November/000750.html
new file mode 100644
index 000000000..e36b70cca
--- /dev/null
+++ b/zarb-ml/mageia-sysadm/2010-November/000750.html
@@ -0,0 +1,320 @@
+ + + + [Mageia-sysadm] [375] - do not hardcode mageia.org in acl + + + + + + + + + +

[Mageia-sysadm] [375] - do not hardcode mageia.org in acl

+ root at mageia.org + root at mageia.org +
+ Mon Nov 22 03:04:02 CET 2010 +

+
+ +
Revision: 375
+Author:   misc
+Date:     2010-11-22 03:04:02 +0100 (Mon, 22 Nov 2010)
+Log Message:
+-----------
+- do not hardcode mageia.org in acl
+
+Modified Paths:
+--------------
+    puppet/modules/openldap/templates/mandriva-dit-access.conf
+
+Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
+===================================================================
+--- puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-22 02:03:58 UTC (rev 374)
++++ puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-11-22 02:04:02 UTC (rev 375)
+@@ -1,184 +1,184 @@
+ # mandriva-dit-access.conf
+ 
+-limits group="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org"
++limits group="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>"
+ 	limit size=unlimited
+ 	limit time=unlimited
+ 
+-limits group="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org"
++limits group="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>"
+ 	limit size=unlimited
+ 	limit time=unlimited
+ 
+-limits group="cn=Account Admins,ou=System Groups,dc=mageia,dc=org"
++limits group="cn=Account Admins,ou=System Groups,<%= dc_suffix %>"
+ 	limit size=unlimited
+ 	limit time=unlimited
+ 
+ # so we don't have to add these to every other acl down there
+-access to dn.subtree="dc=mageia,dc=org"
+-	by group.exact="cn=LDAP Admins,ou=System Groups,dc=mageia,dc=org" write
+-	by group.exact="cn=LDAP Replicators,ou=System Groups,dc=mageia,dc=org" read
++access to dn.subtree="<%= dc_suffix %>"
++	by group.exact="cn=LDAP Admins,ou=System Groups,<%= dc_suffix %>" write
++	by group.exact="cn=LDAP Replicators,ou=System Groups,<%= dc_suffix %>" read
+ 	by * break
+ 
+ # userPassword access
+ # Allow account registration to write userPassword of unprivileged users accounts
+-access to dn.subtree="ou=People,dc=mageia,dc=org" 
++access to dn.subtree="ou=People,<%= dc_suffix %>" 
+ 	filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
+ 	attrs=userPassword,pwdReset
+-	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" +a
++	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +a
+ 	by * +0 break
+ 
+ # shadowLastChange is here because it needs to be writable by the user because
+ # of pam_ldap, which will update this attr whenever the password is changed.
+ # And this is done with the user's credentials
+-access to dn.subtree="dc=mageia,dc=org"
++access to dn.subtree="<%= dc_suffix %>"
+         attrs=shadowLastChange
+         by self write
+-        by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
++        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+         by users read
+-access to dn.subtree="dc=mageia,dc=org"
++access to dn.subtree="<%= dc_suffix %>"
+ 	attrs=userPassword
+-	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by self write
+ 	by anonymous auth
+ 	by * none
+ 
+ # kerberos key access
+ # "by auth" just in case...
+-access to dn.subtree="dc=mageia,dc=org"
++access to dn.subtree="<%= dc_suffix %>"
+         attrs=krb5Key
+         by self write
+-        by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
++        by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+         by anonymous auth
+         by * none
+ 
+ # password policies
+-access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
+-	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
++access to dn.subtree="ou=Password Policies,<%= dc_suffix %>"
++	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by users read
+ 
+ # samba password attributes
+ # by self not strictly necessary, because samba uses its own admin user to
+ # change the password on the user's behalf
+ # openldap also doesn't auth on these attributes, but maybe some day it will
+-access to dn.subtree="dc=mageia,dc=org"
++access to dn.subtree="<%= dc_suffix %>"
+ 	attrs=sambaLMPassword,sambaNTPassword
+-	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by anonymous auth
+ 	by self write
+ 	by * none
+ # password history attribute
+ # pwdHistory is read-only, but ACL is simplier with it here
+-access to dn.subtree="dc=mageia,dc=org"
++access to dn.subtree="<%= dc_suffix %>"
+ 	attrs=sambaPasswordHistory,pwdHistory
+ 	by self read
+-	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by * none
+ 
+ # pwdReset, so the admin can force an user to change a password
+-access to dn.subtree="dc=mageia,dc=org"
++access to dn.subtree="<%= dc_suffix %>"
+ 	attrs=pwdReset,pwdAccountLockedTime
+-	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by self read
+ 
+ # group owner can add/remove/edit members to groups
+-access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
++access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
+ 	attrs=member
+ 	by dnattr=owner write
+-	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by users +sx
+ 
+-access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
++access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),<%= dc_suffix %>$"
+ 	attrs=cn,description,objectClass,gidNumber
+-	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by users read
+ 
+ # registration - allow registrar group to create basic unprivileged accounts
+-access to dn.subtree="ou=People,dc=mageia,dc=org" 
++access to dn.subtree="ou=People,<%= dc_suffix %>" 
+ 	attrs="objectClass" 
+ 	val="inetOrgperson" 
+-	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx
++	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
+ 	by * +0 break
+ 
+-access to dn.subtree="ou=People,dc=mageia,dc=org" 
++access to dn.subtree="ou=People,<%= dc_suffix %>" 
+ 	filter="(!(objectclass=posixAccount))"
+ 	attrs=cn,sn,gn,mail,entry,children,preferredLanguage
+-	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,dc=mageia,dc=org" =asrx
++	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" =asrx
+ 	by * +0 break
+ 
+ # let the user change some of his/her attributes
+-access to dn.subtree="ou=People,dc=mageia,dc=org"
++access to dn.subtree="ou=People,<%= dc_suffix %>"
+ 	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
+ 	by self write
+ 	by users read
+ 
+ # create new accounts
+-access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
++access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$"
+ 	attrs=children,entry
+-	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by * break
+ # access to existing entries
+-access to dn.regex="^[^,]+,ou=(People|Hosts|Group),dc=mageia,dc=org$"
+-	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
++access to dn.regex="^[^,]+,ou=(People|Hosts|Group),<%= dc_suffix %>$"
++	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by * break
+ 
+ # sambaDomainName entry
+-access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
++access to dn.regex="^(sambaDomainName=[^,]+,)?<%= dc_suffix %>$"
+ 	attrs=children,entry, at sambaDomain, at sambaUnixIdPool
+-	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by users read
+ 
+ # samba ID mapping
+-access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
++access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,<%= dc_suffix %>$"
+ 	attrs=children,entry, at sambaIdmapEntry
+-	by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
+-	by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=Account Admins,ou=System Groups,<%= dc_suffix %>" write
++	by group.exact="cn=IDMAP Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by users read
+ 
+ # global address book
+ # XXX - which class(es) to use?
+-access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org"
++access to dn.regex="^(.*,)?ou=Address Book,<%= dc_suffix %>"
+ 	attrs=children,entry, at inetOrgPerson, at evolutionPerson, at evolutionPersonList
+-	by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=Address Book Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by users read
+ 
+ # dhcp entries
+ # XXX - open up read access to anybody?
+-access to dn.sub="ou=dhcp,dc=mageia,dc=org"
++access to dn.sub="ou=dhcp,<%= dc_suffix %>"
+ 	attrs=children,entry, at dhcpService, at dhcpServer, at dhcpSharedNetwork, at dhcpSubnet, at dhcpPool, at dhcpGroup, at dhcpHost, at dhcpClass, at dhcpSubClass, at dhcpOptions, at dhcpLeases, at dhcpLog
+-	by group.exact="cn=DHCP Admins,ou=System Groups,dc=mageia,dc=org" write
+-	by group.exact="cn=DHCP Readers,ou=System Groups,dc=mageia,dc=org" read
++	by group.exact="cn=DHCP Admins,ou=System Groups,<%= dc_suffix %>" write
++	by group.exact="cn=DHCP Readers,ou=System Groups,<%= dc_suffix %>" read
+ 	by * read
+ 
+ # sudoers
+-access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
++access to dn.regex="^([^,]+,)?ou=sudoers,<%= dc_suffix %>$"
+ 	attrs=children,entry, at sudoRole
+-	by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=Sudo Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by users read
+ 
+ # dns
+-access to dn="ou=dns,dc=mageia,dc=org"
++access to dn="ou=dns,<%= dc_suffix %>"
+ 	attrs=entry, at extensibleObject
+-	by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by users read
+-access to dn.sub="ou=dns,dc=mageia,dc=org"
++access to dn.sub="ou=dns,<%= dc_suffix %>"
+ 	attrs=children,entry, at dNSZone
+-	by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
+-	by group.exact="cn=DNS Readers,ou=System Groups,dc=mageia,dc=org" read
++	by group.exact="cn=DNS Admins,ou=System Groups,<%= dc_suffix %>" write
++	by group.exact="cn=DNS Readers,ou=System Groups,<%= dc_suffix %>" read
+ 	by * none
+ 
+ 
+ # MTA
+ # XXX - what else can we add here? Virtual Domains? With which schema?
+-access to dn.one="ou=People,dc=mageia,dc=org"
++access to dn.one="ou=People,<%= dc_suffix %>"
+ 	attrs=@inetLocalMailRecipient,mail
+-	by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
++	by group.exact="cn=MTA Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by users read
+ 
+ # KDE Configuration
+-access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
+-	by group.exact="cn=KDEConfig Admins,ou=System Groups,dc=mageia,dc=org" write
++access to dn.sub="ou=KDEConfig,<%= dc_suffix %>"
++	by group.exact="cn=KDEConfig Admins,ou=System Groups,<%= dc_suffix %>" write
+ 	by * read
+ 
+ # last one
+-access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
++access to dn.subtree="<%= dc_suffix %>" attrs=entry,uid,cn
+ 	by users read
+ 
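Review bot: In the archived revision 375, `dc_suffix` is interpolated verbatim into every `dn.regex` clause (the System Groups|Group rules, People|Group|Hosts, sambaDomainName, Idmap, Address Book and sudoers), so a suffix containing a regex metacharacter would change which DNs those ACLs match; the literal `dc=mageia,dc=org` it replaces had none. Where `dc_suffix` is defined is not visible here, so the template should at least carry a comment such as `# dc_suffix must be a plain DN suffix with no regex metacharacters; it is used inside dn.regex below`, or the regex clauses should receive a value escaped for slapd's regex syntax. The Address Book rule `^(.*,)?ou=Address Book,<%= dc_suffix %>` is also the only regex without a trailing `$`; that predates this revision, but anchoring it like the others would keep the pattern from matching DNs that merely start with the suffix. Note that the archive has rewritten `@` as ` at ` in the `attrs=` lines (for example `at sambaDomain`), so this copy of the diff is not the text that was applied.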
+-------------- next part --------------
+An HTML attachment was scrubbed...
+URL: </pipermail/mageia-sysadm/attachments/20101122/87e3ed06/attachment-0001.html>
+
+ + + + + + + +
+

+ +
+More information about the Mageia-sysadm +mailing list
+ -- cgit v1.2.1