Revision
634
Author
misc
Date
2010-12-16 13:49:49 +0100 (Thu, 16 Dec 2010)

Log Message

- do not let users change their own memberOf attribute (even if the overlay may prevent it)

Modified Paths

Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
===================================================================
--- puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-12-16 11:44:22 UTC (rev 633)
+++ puppet/modules/openldap/templates/mandriva-dit-access.conf	2010-12-16 12:49:49 UTC (rev 634)
@@ -113,10 +113,15 @@
 
 # let the user change some of his/her attributes
 access to dn.subtree="ou=People,<%= dc_suffix %>"
-	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey,memberOf
+	attrs=carLicense,homePhone,homePostalAddress,mobile,pager,telephoneNumber,mail,preferredLanguage,sshPublicKey
 	by self write
 	by users read
 
+access to dn.subtree="ou=People,<%= dc_suffix %>"
+	attrs=memberOf
+	by users read
+
+
 # create new accounts
 access to dn.regex="^([^,]+,)?ou=(People|Group|Hosts),<%= dc_suffix %>$"
 	attrs=children,entry
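Review bot: The new `attrs=memberOf` clause has no comment, unlike the clauses around it, and its effect depends on slapd's first-match evaluation: once this clause matches, its implicit trailing `by * none` applies and no later clause is consulted for memberOf. I would add above it `# memberOf is maintained by the overlay; authenticated users may read it, nobody gets self write`, so that it is not later merged back into the self-write list or moved below a broader ou=People rule. Because of that implicit deny, any administrative group granted write on ou=People further down the file (not visible in this hunk) would no longer get write on memberOf through that later rule, which is presumably intended but worth confirming. The second blank line added after the clause can be dropped.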