Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
===================================================================
--- puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-09 02:21:57 UTC (rev 211)
+++ puppet/modules/openldap/templates/mandriva-dit-access.conf 2010-11-09 14:25:10 UTC (rev 212)
@@ -33,7 +33,7 @@
attrs=shadowLastChange
by self write
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
access to dn.subtree="dc=mageia,dc=org"
attrs=userPassword
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
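Review bot: The switch from `by * read` to `by users read` at L10 silently denies anonymous readers, because in slapd.access `users` matches only authenticated identities and an unmatched `by` list denies, yet nothing in the commit records that clients are now required to bind. The same change is made in the hunks at L14, L47, L69, L84 and L92, so any consumer that currently does anonymous lookups (nss/pam, MTA or sudo clients without a bind DN) will lose access once this template is deployed. A one-line comment on the first converted rule would make the policy explicit, e.g. `# anonymous read is intentionally denied: all directory clients must bind`. The `access to` line for this shadowLastChange rule starts above the hunk.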
@@ -53,7 +53,7 @@
# password policies
access to dn.subtree="ou=Password Policies,dc=mageia,dc=org"
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# samba password attributes
# by self not strictly necessary, because samba uses its own admin user to
@@ -77,16 +77,18 @@
access to dn.subtree="dc=mageia,dc=org"
attrs=pwdReset,pwdAccountLockedTime
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by self read
# group owner can add/remove/edit members to groups
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
attrs=member
by dnattr=owner write
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by users +sx
access to dn.regex="^cn=[^,]+,ou=(System Groups|Group),dc=mageia,dc=org$"
attrs=cn,description,objectClass,gidNumber
+ by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by users read
# registration - allow registrar group to create basic unprivileged accounts
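Review bot: The `by group.exact="cn=Account Admins,..." write` added at L32 grants that group write on `member` for every entry under `ou=System Groups`, which includes the Sudo Admins, DNS Admins, IDMAP Admins, MTA Admins and Address Book Admins groups that appear elsewhere in this diff, so Account Admins can now place themselves in any other admin group. That is a reasonable design, but it should be documented at the point it is granted, e.g. `# Account Admins may edit membership of all system groups, i.e. they can grant every other admin role`. Note also that at L27 the `pwdReset,pwdAccountLockedTime` rule now ends with `by self read`, so other authenticated users get no access to these attributes; if the ppolicy overlay is expected to maintain them, confirm that it does so outside the ACL path rather than through a bound identity.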
@@ -106,7 +108,7 @@
access to dn.subtree="ou=People,dc=mageia,dc=org"
attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage
by self write
- by users +sx
+ by users read
# create new accounts
access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),dc=mageia,dc=org$"
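Review bot: Replacing `by users +sx` with `by users read` at L44 changes these attributes from search/compare-only to fully disclosed, so `homePhone`, `homePostalAddress` and `mobile` of every person become readable by any authenticated account, including the basic unprivileged accounts the registrar group can create (per the comment at L38). If the intent is only to expose `mail` and `preferredLanguage` to other users, split the rule so the personal contact attributes keep the previous search/compare-only access; which attributes belong on which side is a policy decision for the project, the split below is one option.
```conf
access to dn.subtree="ou=People,dc=mageia,dc=org"
    attrs=mail,preferredLanguage
    by self write
    by users read
# personal contact data: searchable/comparable by users, but not disclosed
access to dn.subtree="ou=People,dc=mageia,dc=org"
    attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber
    by self write
    by users +sx
```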
@@ -122,21 +124,21 @@
access to dn.regex="^(sambaDomainName=[^,]+,)?dc=mageia,dc=org$"
attrs=children,entry,@sambaDomain,@sambaUnixIdPool
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# samba ID mapping
access to dn.regex="^(sambaSID=[^,]+,)?ou=Idmap,dc=mageia,dc=org$"
attrs=children,entry,@sambaIdmapEntry
by group.exact="cn=Account Admins,ou=System Groups,dc=mageia,dc=org" write
by group.exact="cn=IDMAP Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# global address book
# XXX - which class(es) to use?
access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org"
attrs=children,entry,@inetOrgPerson,@evolutionPerson,@evolutionPersonList
by group.exact="cn=Address Book Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# dhcp entries
# XXX - open up read access to anybody?
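Review bot: The Address Book rule at L62, which now grants all authenticated users read at L66, is the only `dn.regex` rule in this hunk whose pattern is not end-anchored, so it does not match the same way as the sambaDomain and Idmap rules directly above it. For consistency with those rules and to keep the match strictly within the intended subtree, anchor it: `access to dn.regex="^(.*,)?ou=Address Book,dc=mageia,dc=org$"`.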
@@ -150,13 +152,13 @@
access to dn.regex="^([^,]+,)?ou=sudoers,dc=mageia,dc=org$"
attrs=children,entry,@sudoRole
by group.exact="cn=Sudo Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# dns
access to dn="ou=dns,dc=mageia,dc=org"
attrs=entry,@extensibleObject
by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
access to dn.sub="ou=dns,dc=mageia,dc=org"
attrs=children,entry,@dNSZone
by group.exact="cn=DNS Admins,ou=System Groups,dc=mageia,dc=org" write
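Review bot: The sudoers rule at L70 now gives every authenticated user read on `@sudoRole` via L74, so any account can enumerate which hosts, users and commands are covered by sudo policy, which is more than a sudo-ldap client needs. If the sudo-ldap and DNS consumers bind with dedicated service DNs, restrict these rules to those identities (e.g. `by dn.exact="<sudo service account DN>" read`, value to be filled in from the deployment); otherwise add a comment stating that sudo and DNS data is deliberately visible to all users so the exposure is a recorded decision rather than an accident.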
@@ -169,7 +171,7 @@
access to dn.one="ou=People,dc=mageia,dc=org"
attrs=@inetLocalMailRecipient,mail
by group.exact="cn=MTA Admins,ou=System Groups,dc=mageia,dc=org" write
- by * read
+ by users read
# KDE Configuration
access to dn.sub="ou=KDEConfig,dc=mageia,dc=org"
@@ -178,5 +180,5 @@
# last one
access to dn.subtree="dc=mageia,dc=org" attrs=entry,uid,cn
- by * read
+ by users read
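Review bot: With the final catch-all at L94 changed to `by users read` at L96, the file relies on slapd's implicit handling for anything not matched by an earlier rule, and the comment `# last one` at L93 does not say what that fallback is meant to be. Appending an explicit terminating rule, `access to * by * none`, makes the deny-by-default intent unambiguous for the next maintainer and guards against a future rule being appended after the intended catch-all. The remainder of the template beyond this hunk is not visible here, so check that no later rule already serves this purpose.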